Security in Cloud Computing

Cloud Computing Basics

  • Three Types
    • Infrastructure as a Service (IaaS)
      • Provides virtualized computing resources
      • Third party hosts the servers with hypervisor running the VMs as guests
      • Subscribers usually pay on a per-use basis
    • Platform as a Service (PaaS)
      • Geared towards software development
      • Hardware and software hosted by provider
      • Provides ability to develop without having to worry about hardware or software
    • Software as a Service (SaaS)
      • Provider supplies on-demand applications to subscribers
      • Offloads the need for patch management, compatibility and version control
  • Deployment Models
    • Public Cloud - services provided over a network that is open for public to use
    • Private Cloud - cloud solely for use by one tenant; usually done in larger organizations
    • Community Cloud - cloud shared by several organizations, but not open to public
    • Hybrid Cloud - a composition of two or more cloud deployment models
  • NIST Cloud Architecture
    • Cloud Carrier - organization with responsibility of transferring data; akin to power distributor for electric grid
    • Cloud Consumer - acquires and uses cloud products and services
    • Cloud Provider - purveyor of products and services
    • Cloud Broker - manages use, performance and delivery of services as well as relationships between providers and subscribers
    • Cloud Auditor - independent assessor of cloud service and security controls
  • FedRAMP - regulatory effort regarding cloud computing
  • PCI DSS - deals with debit and credit cards, but also has a cloud SIG

Cloud Security

  • A problem with cloud security is determining what you are allowed to test and what you should test
  • Another concern is the hypervisor: if the hypervisor is compromised, all hosts on that hypervisor are as well
  • Trusted Computing Model - attempts to resolve computer security problems through hardware enhancements
    • Roots of Trust (RoT) - set of functions within TCM that are always trusted by the OS
  • Tools
    • Core CloudInspect - pen-testing application for AWS EC2 users
    • CloudPassage Halo - instant visibility and continuous protection for servers in any cloud
    • Dell Cloud Manager
    • Qualys Cloud Suite
    • Trend Micro's Instant-On Cloud Security
    • Panda Cloud Office Protection

Threats and Attacks

  • Data Breach or Loss - biggest threat; includes malicious theft, erasure or modification
  • Shadow IT - IT systems or solutions that are developed to handle an issue but aren't taken through proper approval chain
  • Abuse of Cloud Resources - another high threat (usually applies to IaaS and PaaS)
  • Insecure Interfaces and APIs - cloud services can't function without them, but need to make sure they are secure
  • Service Oriented Architecture - API that makes it easier for application components to cooperate and exchange information
  • Insufficient due diligence - moving an application without knowing the security differences
  • Shared technology issues - multitenant environments that don't provide proper isolation
  • Unknown risk profiles - subscribers simply don't know what security provisions are made in the background
  • Others include malicious insiders, inadequate design and DDoS
  • Wrapping Attack - SOAP message intercepted and data in envelope is changed and sent/replayed
  • Session riding - CSRF under a different name; deals with cloud services instead of traditional data centers
  • Side Channel Attack - using an existing VM on the same physical host to attack another
    • This is more broadly defined as using something other than the direct interface to attack a system
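
A receiver-side structural check for the wrapping attack listed above, as an added example that is not part of the original notes. It assumes SOAP 1.1 with `wsu:Id` references, uses constructed sample messages, and complements cryptographic signature verification rather than replacing it.

```python
import xml.etree.ElementTree as ET  # for untrusted input, use a hardened parser such as defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU}}}Id"

def wrapping_findings(xml_text):
    """Return structural problems; an empty list means the signed element is the processed Body."""
    root = ET.fromstring(xml_text)
    # The element the application acts on: the single Body directly under Envelope.
    bodies = root.findall(f"{{{SOAP}}}Body")
    if root.tag != f"{{{SOAP}}}Envelope" or len(bodies) != 1:
        return ["expected exactly one Body directly under Envelope"]
    body, findings, by_id = bodies[0], [], {}
    # Index every element by wsu:Id; a duplicate Id lets a signature resolve to a decoy.
    for el in root.iter():
        if el.get(WSU_ID) is not None:
            by_id.setdefault(el.get(WSU_ID), []).append(el)
    findings += [f"duplicate Id {i!r}" for i, els in by_id.items() if len(els) > 1]
    refs = [r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")]
    if not refs:
        findings.append("no ds:Reference found")
    # Resolve each same-document reference and require that it covers the processed Body.
    signed = [el for uri in refs for el in by_id.get(uri.lstrip("#"), [])]
    if body not in signed:
        findings.append("processed Body is not the element covered by the signature")
    return findings

def _msg(header_extra, body_id, amount):
    # Constructed sample message; the signature value itself is omitted for brevity.
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">'
            f'<s:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
            f'</ds:SignedInfo></ds:Signature>{header_extra}</s:Header>'
            f'<s:Body wsu:Id="{body_id}"><Transfer amount="{amount}"/></s:Body>'
            f'</s:Envelope>')

# Constructed samples: the signed Body relocated under a header wrapper element.
MOVED = '<Wrapper><s:Body wsu:Id="body-1"><Transfer amount="10"/></s:Body></Wrapper>'
GOOD = _msg("", "body-1", 10)
WRAPPED = _msg(MOVED, "body-2", 9999)    # processed Body carries a different, unsigned Id
DUPLICATE = _msg(MOVED, "body-1", 9999)  # processed Body reuses the signed Id

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("wrapped", WRAPPED), ("duplicate", DUPLICATE)]:
        print(name, wrapping_findings(msg))
```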