SECURITY CONCERNS WITH

CLOUD COMPUTING

PRESENTED BY :-
ACHRAJ REVOO
2013UCP1252 (1ST YEAR)
DEPARTMENT OF COMPUTER ENGINEERING
MALAVIYA NATIONAL INSTITUTE OF TECHNOLOGY,
JAIPUR
 WHAT IS CLOUD
•Network-basedCOMPUTING
environment that focuses on sharing
computations or resources
•Cloud providers use virtualization technologies combined with
self-service abilities for computing resources via network
infrastructure.
•Three types of cloud environments:
1. Public
2. Private
3. Hybrid clouds

Public:
Standard model which providers make several resources,
such as applications and storage, available to the public.
Private:
An architecture that provides hosted services to particular
group of people behind a firewall

Hybrid:
Cloud provider has a service that has private cloud part which
is only accessible by certified staff and protected by firewalls
from outside accessing and a public cloud environment which
external users can access to it.

There are three major types of service in the cloud

environment:
•SaaS (Software as a Service)
•PaaS (Platform as a Service)
•laaS (Infrastructure as a Service).
 IaaS:
•In IaaS cloud service providers offers physical or virtual
machines and other resources.
•Hypervisor runs the virtual machine as guests.
•Cloud users install operating system images and their
application software on the cloud infrastructure

PaaS:
•In PaaS providers deliver a computing platform, typically
including operating system, programming language execution
environment, database and web server.

SaaS:
•In SaaS users are provided access to application software and
databases.
Providers manage the infrastructure and platforms that runs
the applications.
 SECURITY CONCERNS WITH
CLOUD

•Is my data secure on cloud?

•Can others access my confidential data?

•Compliance with government regulations?

•What if an attacker brings down my app hosted on cloud?

 Multi factor authentication:
•Consider multiple factors together for authentication
1. Password
2. Secret key generated by physical token in possession of
user
3. Biometric signature
•Access is granted only when all the specified factors are
validated

Encryption:
Process of converting data to a form that cannot be used in
any meaningful manner without special knowledge.

Defense in depth:
A mechanism which uses multiple security measures, to
reduce the risk of security threats if one component of the
protection gets compromised.
 CLOUD SECURITY - CONCERNS

•Multitenancy

•Velocity of attack

•Information assurance

•Data privacy and ownership

 Multitenancy:
•Is a concept where multiple VMs are located in a single infrastructure.
Each VM co-located in single cloud.
•For cloud clients:
1. VMs in a single server and sharing same resources increases the
attack surface
• For cloud service providers:
1. Enforcing uniform security controls and measures is difficult
because underlying infrastructure is same

Velocity-of-attack:
•Security threats amplify and spread quickly in a cloud – known as
“Velocity-Of-Attack” (VOA) factor
•Cloud infrastructure is comparatively larger.
•Similarity in the platforms/components employed by a CSP increases
the speed at which an attack can spread.
•Effects of high VOA:
1. Potential loss due to an attack is comparatively higher
2. It is comparatively difficult to mitigate the spread of the attack
3. To counter the challenge of VOA, CSPs need to adopt more robust
security enforcement mechanisms. For example: defense-in depth
 Information assurance and data ownership:
•In cloud, data belonging to a client is maintained by a CSP,
who has access to the data, but is not the legitimate owner of
it. This raises concern of potential unauthorised data access
and misuse.
•Data should be protected using encryption and access
control mechanisms.

Data privacy:
•Potential for unauthorised disclosures of private data of a
cloud client.
•A CSP needs to ensure that private data of its clients is
protected from unauthorised disclosure
•Both collection and dissemination of the private data requires
protection.
•A CSP needs to deploy data privacy mechanisms, which are
 CLOUD SECURITY - THREATS

•VM theft and VM escape

•Hyperjacking

•Data leakage

•Denial of service (DOS) attack

 VM theft:
•A vulnerability that enables an attacker to copy or move a VM in an
unauthorised manner.
•Copy and move restrictions are essential to safeguard against VM theft
•These restrictions bind a VM to a specific physical machine
•A VM with copy and move restriction cannot run on a hypervisor installed
on any other server.
•These restrictions use a combination of virtualization management and
storage management services for effective enforcement.
•Limit applying such restrictions to critical/sensitive VMs only

Hyperjacking:
•It enables an attacker to install a rogue hypervisor or Virtual machine
monitor (VMM) that can take control of the underlying server resources.
•An attacker can run unauthorised applications on a guest OS without the
OS realizing it.
•An attacker could control the interaction between the VMs and underlying
server.
•Regular security measures are ineffective against hyperjacking.
•Measures against hyperjacking include:
 Data Leakage:
•Confidential data stored on a third party cloud is potentially
vulnerable to unauthorised access or manipulation.
•Attacks on service provider’s control systems (e.g password
lists) could make all the clients’ data vulnerable.
•Cloud users must evaluate end-to-end data protection
measures by all the concerned parties who have any level of
access on the data
•Side channel attacks (SCA) can be used for data leakage in
cloud
•An SCA extracts information by monitoring indirect activities.
For example cache data
•Could reveal information of a client to another malicious client
that runs its VMs on the same server.
•Protection against cross VM SCA requires placing only those
clients that have no conflicts with one another on the same
 Denial-of-service attacks :
•It is an attempt to prevent legitimate users from accessing a
resource or service.
•DoS attacks might affect software applications and network
components.
•A DoS attack involves
1. Exhausting resources, e.g network bandwidth or CPU
cycles
2. Exploiting weaknesses in communication protocols, e.g
resetting TCP sessions, corrupting domain name server’s
cache
•A malicious client VM might be used to launch a DoS attack
against the hypervisor or other VMs running on the same
hypervisor.
•As a protective measure, resource consumption of a VM
needs to be restricted.
 CLOUD SECURITY
MECHANISMS
•Compute and network security

•Secure data at rest

•Identity and access management

•Risk analysis and compliance

 Security at compute level:
•Securing a compute system includes:
1. Securing physical server
2. Securing hypervisor
3. Securing VMs
VM isolation
VM hardening
•Security at guest OS level
Guest OS hardening
•Security at application level
Application hardening
Physical server security – considerations:
•Identifying physical server application details including:
1. Whether server will be used for specific applications or for
general purpose
2. The network services provided on the server
3. Users and/or user groups who can operate the server and their
access privileges
Deciding protection measures includes:
•Determining authentication and authorization mechanisms.
•Disabling unused hardware such as NICs, USB ports or drives.
 Hypervisor security:
Security measures:
•Install hypervisor updates
•Harden VMs to prevent attacks
•Can be achieved by
1. Configuring strong security on the firewall between the
management system and the network
2. Providing direct access only to administrators to management
server
3. Disable access to management console to prevent
unauthorized access

VM Security: isolation and hardening:

•VM isolation helps prevent a compromised guest OS and
applications running on it from impacting other VMs.
•VM hardening
Hardening is a process of changing the default configuration
in order to achieve greater security.
•Limit the resources that VM can consume to prevent DoS attacks.
•Disable unused functions and devices on VM
•Use a directory service for authentication
 Guest OS and application security:
•Deleting unused files and applying the latest patches
•Disallowing a vulnerable application from
•Launching any untrusted executable file
•Creating or modifying executable files
•Modifying sensitive areas of guest OS e.g Windows registry.
•Sandboxing is another important measure for guest OS and
application security.

Security at network level: Virtual firewall:

•Securing VM-to-VM traffic running on a server is difficult
•Normal firewall takes care of communication between the virtual
infrastructure and outside world, but what about the VM to VM
communication.
•Virtual firewall is a firewall service running on the hypervisor
Security at network level: Demilitarised zone:
•It is a physical or logical network that limits the exposure of the
nodes in the internal network from external networks.
•Adds additional layer of security against external attacks
•An attacker has access only to the DMZ, rather than any other
part of network.
•For practical purposes, services provided to users on the external
 Securing data-at-rest:
•Data-at-rest: data which is not being transferred over a network
•Encryption of data-at-rest
•Provides confidentiality and integrity services
•Reduces legal liabilities of a CSP due to an unauthorised
disclosure of data on its cloud.
•Full disk encryption is a key method to encrypt data-at-rest
residing on a disk.

Security at network level: Securing data-in-flight:

•Data-in-flight: Data which is being transferred over a network i.e,
“moving”
•Encryption of data-in-flight:
1. Application level
2. Network level
• Key measure against “sniffing” attacks.

Data shredding:
•Data which is deleted by a cloud client or a process, but leaves
traces on the system, can be a potential source of attacks.
•Data shredding permanently removes all the traces of the deleted
 Intrusion detection:
•It is a process of detecting events and/or entities that
could possibly compromise the security of the system.
•Types:
1. Server based IDS: analyses activity logs, system
logs, application logs etc.
2. Network based IDS: analyses network traffic and
communicating nodes
3. Integrated IDS: combination of server and network
based approaches.

Role based access control:

•Resource access is given to users based upon their
roles.
•Role based access control (RBAC) can be enabled for
cloud clients by importing user groups using directory
services of the clients organisation.
 Identity management (IM) in cloud:
•One time passwords
•Every new access request requires new password
•Federated Identity Management
1. Enables organisations to authenticate their users of cloud
services using the chosen identity provider
2. User identities across different organisations can be managed
together to enable collaboration on cloud

Governance, risk and compliance (GRC):

•Governance refers to the policies, processes, laws and institutions
that define the structure by which companies are directed and
managed.
•Risk refers to the effect of uncertainty on business objectives, risk
management is a coordinated activity to direct and control an
organization and to realise business potential while managing
negative events.
•Compliance refers to the act of adhering to and demonstrating
adherence to external laws and regulations as well as corporate
policies and procedure.
 CONCLUSION
•Optimize and secure application performance in a cost
effective manner

•New set of challenges and security problems that must be

considered before transferring data to a cloud
environment.

•Cloud providers often have several powerful servers and

resources in order to provide appropriate services for their
users but cloud is at risk similar to other Internet-based
technology.

•As a result, moving toward cloud computing require to

consider several parameters and most important of them is