Cloud Security

Presented To: Presented By:

Ms Mala Kalra Jaswinder Kour(111411)
Assistant Prof. Neha(111419)
NITTTR,CHD M.E Modular CSE
Table of contents
 Securing the cloud
 Security boundary
 Security mapping
 Brokered cloud storage access
 Storage location and tenancy
 Encryption
 Auditing and compliance
 Establish identity and presence
 References
 CLOUD COMPUTING
Cloud computing is a type of computing
that relies on sharing computing resources
rather than having local servers or
personal devices to handle applications.
 Securing the Cloud

Assessment of the Security Risks of Cloud Computing

(in a report by Jay Heiser and Mark Nicolett) highlighted
the following areas of cloud computing that they felt were
uniquely troublesome:

Auditing : Auditing is the ability to monitor the

events to understand performance
Data integrity: Data has not been tampered
e-Discovery for legal compliance: process in
which data is sought, located,secured and
searched with the intention of using it as
evidence. 4
Privacy: it means protection of personal data.
Recovery: action or process of regaining
posession of lost data
Regulatory compliance:
compliance means the ability to act according
to an order, set of rules or request.
Risks in any cloud deployment are
dependent on:
 Chosen cloud service model
 IaaS
 PaaS
 SaaS
 Chosen cloud deployment model
 Private: a cloud infrastructure operated solely for an
organisation
 Public: a publicly accessible cloud infrastructure
 Community: a cloud infrastructure shared by
several organisations
 Hybrid: a composition of two or more clouds that
remain
 Cloud Security Risk Evaluation
To evaluate risk perform following analysis:
1. Determine which resources (data,
services, or applications) you are planning to
move to the cloud.
2. Determine the sensitivity of the resource
to risk.(e.g. Data-risk-loss of data)
3. Determine the risk associated with the
particular cloud type for a resource. (you
need to consider where data and
functionality will be maintained.)
7
 Cloud Security Risk Evaluation contd..

4. Take into account the particular cloud

service model that you will be using.
(Different models require their customers to
be responsible for security at different levels
of the service stack.)
5.If you have selected a particular cloud
service provider, you need to evaluate its
system to understand how data is
transferred, where it is stored, and how to
move data both in and out of the cloud. 8
 The Security Boundary

The cloud computing security provides a

framework for understanding the following:

 What security is already built into the system?

 Who has responsibility for a particular security
mechanism?
 And where the boundary between the responsibility
of the service provider is separate from the
responsibility of the customer?

9
Two models (reference architectures are available
for cloud computing):
 NIST (U.S. National Institute of Standards and
Technology)
 CSA (Cloud Security Alliance)—this is used as
the cloud reference model.
The difference between the two
NIST CSA

Donot require virtualization to pool Require virtualization to pool

resources resources

Donot require the multitenancy Requires multitenancy support

support
 Security Service Boundary
CSA Reference Model
 IaaS is the lowest level service, with PaaS and SaaS the next two services above.
 As you move upward in the stack, each service model inherits the capabilities of the model beneath it,
as well as all the inherent security concerns and risk factors.

11
 Security Service Boundary Contd..
CSA Reference Model
 Each different type of cloud service delivery model creates a security boundary at which the cloud service provider's responsibilities end and the customer‘s
responsibilities begin.
 In SaaS model vendor provides security as a part of SLA ,in PaaS security boundary defined by the vendor to include s/w framework and customer will be
responsible for the security of the application.
 We get the least amt. of security in IaaS and the most with SaaS.

12
Security Mapping is:
Perform a mapping of the particular cloud
service model to the particular application the
customer is deploying.

There is also a need to adhere to a compliance

standard e.g. PCI-DSS, HIPPA etc. that requires
to operate in a certain way and keep records.

13
 Securing Data

Which data needs to be secured?

 Data Stored
 Data Sent to
 Data Received from
As cloud is the part of distributed networks so the
data being exchanged is vulnerable to attacks
and thus can be intercepted or modified.

14
Key mechanisms for protecting the data in the
cloud

Access control: determine who will be able

to access what
Auditing: ability to monitor the events to
understand performance
Authentication: validate the identity of end
user
Authorization: what privileges do you have
 Brokered cloud storage access
In client-sever system we use a firewall to serve
as a network security perimeter and provide all the
security services.

However, in cloud there is no physical system that

serves the purpose.

To protect cloud storage assets, we have to find a

way to isolate the data from direct client access.
Solution: create layered access to the
data.
16
Brokered cloud storage access
Two services are created
• Broker: having full access to storage
• Proxy: no access to storage but access to
both client and the broker
Client make a request for data,Here is what
happen

18
 Storage location and tenancy

The following are the points of concern:

The storage location and processing of the data
is predetermined at times of the contract and is
part of SLA and it should conform to local privacy
laws.
Data is stored in cloud from multitenant and each
vendor has its own method for segregating one
customer's data from another. Thus it is important
to understand how your specific service provider
maintain data segregation
Customer should also have information about
who is provided privileged access to storage. 19
Cloud service provider stores data in
encrypted form.So, it is worth considering
what type of encryption the cloud provider
uses.
The customer should know how disaster
recovery affects your data and how long it
takes to do a complete restoration.
 Encryption
Encryption protects data in the cloud that is
either
 Stored
 Sent to
 Received from
Goal of encrypted cloud storage is to create a
virtual private storage system that maintains
 confidentiality
 data integrity
Note: Encryption protect data from un authorized
access but it does nothing about data loss.
21
 Concept of keys
 Keys provide access to the data
 Keys have a defined period of time
 Lose of keys causes loss of encrypted data
 Thus key management should be approached
seriously.
 Can have separate key management from cloud
provider that hosts your data
 OASIS key management Interoperability protocol
covers both encryption and key management for
shared data.
 Logging and Auditing

Logging is the recording of events into a repository.

Auditing is the ability to monitor the events to

understand performance.

Logging and auditing is an important function

necessary for:
 Evaluation performance
 Investigate security features and
 Detect when illegal activity has been
perpetrated.
23
Logging and auditing(contd..)
Cloud service providers often have proprietary
log formats that one need to be aware of these
logs and analysis tools we use need to be
aware of these logs and work with them.
Logging activity and data for different clients may
not be co-located so investigation will not be
provided unless it is part of your Service Level
Agreement.
 Regulatory Compliance
 All regulations were written without keeping
Cloud Computing in mind.
 Clients are held responsible for compliance
under the laws that apply to the location
where the processing or storage takes
place.
 Security laws that requires companies
providing sensitive personal information
have to encrypt data transmitted and stored
on their systems 25
 Compliance contd..
Therefore, the following points should be
considered:
 Which regulations apply to your use of a
particular cloud computing service?
 Which regulations apply to the cloud service
provider and where the demarcation line falls for
responsibilities?
 How your cloud service provider will support
your need for information associated with
regulation?
 How to work with the regulator to provide the
information necessary regardless of who had the
responsibility to collect the data?
26
The following things must be ensured:
 You have contracts reviewed by your legal staff.
 You have a right-to-audit clause in your SLA.
 You collect and maintain the evidence of your
compliance with regulations.
 You review any third parties involved who are
service providers and assess their impact on
security and regulatory compliance.
 You understand the scope of the regulations that
apply to your cloud computing applications and
services.

27
 Establishing Identity and Presence

 Identity and Parameters

 Identities are used to authenticate client requests
for services in a distributed network system such
as cloud computing services.

 Identity management is a primary mechanism

for:
 controlling access to data in the cloud
 preventing unauthorized uses
 maintaining user roles and
 complying with regulations. 28
 Establishing Identity and Presence
Contd..

Cloud computing requires the following:

 That you establish an identity

 That the identity be authenticated

 That the authentication be portable

 That authentication provide access to cloud

resources

29
Identity protocol standards
 OpenID2.0

 This is the standard associated with creating

an identity.
 After the identity is created a third-party
service authenticate the use of that digital
identity.(e.g. Challenge and Response
Protocol (CHAP))
 It is the key to creating Single Sign-On
(SSO) systems.

31
Another third party service is OpenIDL.
 The authentication procedure has the following steps:
1. The end-user uses a program like a browser that is called a
user agent to enter an OpenID identifier, which is in the
form of a URL or XRI. (An OpenID might take the form of
name.openid.provider.org.)
2. The OpenID is presented to a service that provides
access to the resource that is desired.
3. An entity called a relaying party queries the OpenID identity
provider to authenticate the veracity of the OpenID
credentials.
4. The authentication is sent back to the relaying party from
the identity provider and access is either provided or
denied.
32
 OAuth
 Similar to OpenID
 Provides a different mechanism for shared
access
 Allows clients to present credentials that
contain no account information(userID or
password)
 Tokens come with a defined period of time
after which it can no longer be used
 Difference between OpenID and OAuth
OpenID OAuth

It is a protocol for authentication. It is a protocol for authorization.

It provides pseudo authentication.

In OpenID, authentication is delegated: In OAuth, authorization is delegated: entity

server A wants to authenticate user U, but A obtains from entity B an "access right"
U's credentials (e.g. U's name and which A can show to server S to be
password) are sent to another server, B, granted access; B can thus deliver
that A trusts (at least, trusts for temporary, specific access keys to A
authenticating users). Indeed, server B without giving them too much power. You
makes sure that U is indeed U, and then can imagine an OAuth server as the key
tells to A: "ok, that's the genuine U". master in a big hotel; he gives to
employees keys which open the doors of
the rooms that they are supposed to enter,
but each key is limited (it does not give
access to all rooms); furthermore, the keys
self-destruct after a few hours.
 Presence
 Presence is a fundamental concept in computer
science and is used on networks to indicate the
status of available parties and their location.
 E.g. WHO command in Linux --list users
logged into the network.
 Presence provides:
 Identity
 Status
 Location(part of status)

35
 Example Cloud Computing services
relying on presence:

 Telephony systems such as VoIP

 Instant messaging services (IM) and
 Geo-location-based systems such as GPS.
 Also Presence is playing an important role in cell
phones, particularly smart phones.

36
Example iPhone App- AroundMe

37
 References
 Cloud Computing Bible, “Barrie Sosinsky” Chapter-12
 Network Security in Virtualized Data Centers For
DUMMIES, Lawrence C. Miller, John Wiley& Sons
 Research paper - Security and Privacy Challenges in
Cloud Computing Environments, Hassan Takabi and
James B.D. Joshi, University of Pittsburgh
Thank You

39