Security issues in cloud

Post on 11-May-2015





2. Outline
- What is CLOUD?
- Advantages of Cloud
- Major concerns in Cloud
- Security Foundations to understand Threats
- Understanding Threats
- Government's role
- SERVICE LEVEL AGREEMENT
- Conclusion & Future Work

3. In June 2009, a study conducted by VersionOne found that 41% of senior IT professionals actually don't know what cloud computing is and two-thirds of senior finance professionals are confused by the concept, highlighting the young nature of the technology.

4. The idea of relying on Web-based applications and storing data in the CLOUD of the internet. The cloud is a smart, complex, powerful computing system in the sky that people can just plug into. It starts with the premise that the data services and architecture should be on the servers. We call it Cloud Computing; they should be in a CLOUD somewhere. Cloud computing is Web-based processing, whereby shared resources, software, and information are provided to computers and other devices (such as smartphones) on demand over the Internet.

5.
- Cloud is simply a metaphor for the internet
- Users do not have or need knowledge, control, ownership in the computer infrastructure
- Users simply rent or access the software, paying only for what they use

6.
- Authentication
- Trust on vendor
- Data privacy

7.
- Defines how to provide integrity, confidentiality and authentication for SOAP messages
- Defines a SOAP header (Security) that carries the WS-Security extensions
- Defines how existing XML security standards like XML Signature and XML Encryption are applied to SOAP messages

8.
- XML Encryption allows XML fragments to be encrypted to ensure data confidentiality
- The encrypted fragment is replaced by an EncryptedData element containing the ciphertext of the encrypted fragment as content
- XML Encryption defines an EncryptedKey element for key transportation purposes
- WS-Security defines security tokens suitable for transportation of digital identities. Example: X.509 certificates

9.
- Also known by the name SECURE SOCKET LAYER (SSL)
- Consists of two parts:
- The Record Layer encrypts/decrypts TCP data streams using the algorithms and keys negotiated in the TLS Handshake
- TLS Handshake: used to authenticate the server and optionally the client
- Most important cryptographic protocol worldwide, implemented in every web browser

10. TLS configuration FAILS for PHISHING attacks

11.
- A well-known type of attack called XML Signature Element Wrapping
- Discovered by McIntosh and Austel in 2005
- Until 2008, this attack remained theoretical and no real-life wrapping attack became public
- In 2008 it was discovered that Amazon's EC2 services were vulnerable to wrapping attacks

12.
- Web browsers cannot directly make use of XML Signature or XML Encryption: data can only be encrypted through TLS, and signatures are only used within the TLS handshake
- The Legacy Same Origin Policy: concerned with whether scripts are allowed/disallowed to run
- Attacks on browser-based Cloud Authentication:
- Federated Identity Management (FIM) protocols
- Authentication by THIRD PARTY

13.
- National Institute of Standards and Technology (NIST), an agency of the Commerce Department's Technology Administration, created a cloud computing security group
- It promotes the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards
- NIST has recently released its draft Guide to Adopting and Using the Security Content Automation Protocol (SCAP)

14.
- A service level agreement is a document which defines the relationship between two parties: the provider and the recipient
- Vendors have to provide some assurance in service level agreements (SLA) to convince the customer on security issues
- If used properly it should:
- Identify and define the customer's needs
- Provide a framework for understanding
- Simplify complex issues
- Reduce areas of conflict

15.
- We investigated ongoing issues with the application of XML Signature and the Web Services security frameworks
- Discussed the importance and capabilities of browser security in the Cloud Computing context
- The threats to Cloud Computing security are numerous, and each of them requires an in-depth analysis of its potential impact and relevance to real-world Cloud Computing scenarios

16.
- Future aspect includes strengthening the security capabilities of both Web browsers and Web Service frameworks, at best integrating the latter into the first
- To achieve a recognized and actionable security policy, SCAP recommends that organizations demonstrate compliance with security requirements in mandates such as the US Federal Information Security Management Act (FISMA)

17.
- On Technical Security Issues in Cloud Computing, Meiko Jensen, Jorg Schwenk (Horst Gortz Institute for IT Security, Ruhr University Bochum, Germany) and Nils Gruschka, Luigi Lo Iacono (NEC Laboratories Europe, NEC Europe Ltd), IEEE, 2009
- Lori M. Kaufman, BAE Systems, IEEE, 2009
- Cloud Security Issue, Balachandra Reddy Kandukuri, Ramakrishna Paturi V, Dr. Atanu Rakshit, IEEE, 2009

18. QUERIES???
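
Added example, not part of the original slides: slide 7 says WS-Security applies XML Signature to SOAP messages, and slide 11 names XML Signature element wrapping. The Python check below is one structural test a receiver can run alongside signature verification, confirming that the Body it will process is the element the signature references. The sample messages, the `Wrapper` element and the function names are constructed for illustration, and cryptographic verification of the signature is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET  # for untrusted input use a hardened parser

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = OASIS + "secext-1.0.xsd", OASIS + "utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
BODY, WSU_ID = f"{{{SOAP}}}Body", f"{{{WSU}}}Id"
REF_PATH = (f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature/"
            f"{{{DS}}}SignedInfo/{{{DS}}}Reference")


def check_signed_body(xml_text):
    """Return findings; an empty list means the Body the application will
    process is the element the signature references. This is a structural
    check only and does not verify the signature value."""
    env = ET.fromstring(xml_text)
    bodies = env.findall(BODY)  # direct children of Envelope only
    if len(bodies) != 1:
        return [f"expected one top-level Body, found {len(bodies)}"]
    body, findings = bodies[0], []
    refs = {r.get("URI", "") for r in env.findall(REF_PATH)}
    body_id = body.get(WSU_ID)
    if not body_id or f"#{body_id}" not in refs:
        findings.append("top-level Body is not referenced by the signature")
    # An Id must resolve to exactly one element, otherwise the verifier and
    # the application logic can each pick a different one.
    ids = [e.get(WSU_ID) for e in env.iter() if e.get(WSU_ID)]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duplicate wsu:Id {dup!r}")
    for e in env.iter(BODY):  # a signed Body anywhere but the expected place
        if e is not body and f"#{e.get(WSU_ID)}" in refs:
            findings.append("signed Body found outside Envelope/Body")
    return findings


def build_msg(header_extra, body_id):
    """Constructed sample message; the signature value is omitted."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" '
            f'xmlns:wsu="{WSU}" xmlns:ds="{DS}"><s:Header><wsse:Security>'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
            f'</ds:SignedInfo></ds:Signature></wsse:Security>{header_extra}'
            f'</s:Header><s:Body wsu:Id="{body_id}"><op>getStatus</op>'
            f'</s:Body></s:Envelope>')


GOOD = build_msg("", "body-1")
MOVED = build_msg('<Wrapper><s:Body wsu:Id="body-1"><op>getStatus</op>'
                  '</s:Body></Wrapper>', "body-2")
```

`check_signed_body(GOOD)` returns an empty list, while `check_signed_body(MOVED)` reports that the processed Body is unsigned and that the signed Body sits outside its expected position.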