
Article Summary of: Understanding Cloud Computing Vulnerabilities. Michael R. Eldridge, April 14, 2016

Introduction

News stories abound about the almost daily occurrence of break-ins and the theft of information from cloud computing data centers. Most of the time these episodes are caused by poor user practices in safeguarding login credentials, but at other times they suggest a fundamental weakness in the design or management of cloud computing resources. How can we classify and assess the risks and vulnerabilities in cloud computing and determine the security controls that need to be implemented? In their article Understanding Cloud Computing Vulnerabilities (Grobauer et al., 2010), the authors distinguish the wide-ranging security issues of general computing from those specific to cloud computing. In doing so, they define cloud-specific vulnerability indicators that can be used to spotlight security controls which are frequently successful in general computing but ineffective in the cloud.

Vulnerability

The Open Group's risk taxonomy describes risk factors in terms of the potential that a threat can exploit a vulnerability (loss event frequency) and the effects (probable loss magnitude) of such an attack. Loss magnitude is further divided into loss factors such as the value of lost assets, lost time and productivity, organizational credibility, and so on. Event frequency is driven by several factors, including a threat agent's motivation (gains) versus the risk to the agent, and the agent's ability to carry out an attack. A threat agent's capabilities compared with the strength of the security controls define vulnerabilities, which are factors in loss event frequency. This leads to the Open Group's definition of vulnerability as the probability that an asset will be unable to resist the actions of a threat agent. The ability to resist here means the presence or absence of adequate security controls and the implementation of security policies. For example, not applying current operating system (OS) updates undermines a system's ability to resist attack.

It is interesting to note that from a customer's standpoint, cloud computing does not really change the probable loss magnitude, since the cloud does not force a customer to have any more or fewer resources (data, users, etc.) that could be exploited. From a cloud service provider's perspective, however, the loss impact could be significantly larger. With this refined definition of vulnerability, we can examine in detail how cloud computing influences loss event frequency, either by affecting security controls or by affecting the motivations and capabilities of an attacker.

Indicators of Cloud-Specific Vulnerabilities

Cloud computing uses several basic technologies to provide services to many customers via the Internet and through service providers. These core technologies are web applications and services, virtualization, and cryptography. The basis of cloud computing is the ability to provide pay-as-you-go services, which are implemented using web-based applications. The service models are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). To make these offerings cost-effective for customers and profitable for providers, they must scale to support, yet isolate, many customers without incurring a per-customer cost in facilities, hardware, power, and support. This is achieved by virtualizing hardware and software, which gives each customer the appearance of being the sole user of the service(s). Lastly, cryptography is used to meet the remaining security requirements.

Along with the core technologies, cloud computing has several attributes that allow services to be delivered and used in a cost-effective manner. These essential characteristics, as described by the US National Institute of Standards and Technology (NIST), are on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity, and measured service (Mell & Grance, 2009).

With the core technologies and essential characteristics of cloud computing as a backdrop, we can use them as indicators of whether a vulnerability is cloud-specific. A vulnerability can be classed as cloud-specific if it is inherent in a core cloud computing technology, or has its origin in one of NIST's essential cloud characteristics. Additionally, a vulnerability is cloud-specific if the technology or implementation limits or prevents security controls from being applied. And lastly, it is cloud-specific if it is widespread in cloud applications.

Cloud-Specific Vulnerabilities

With the indicators in hand, it is straightforward to determine which vulnerabilities are specific to cloud computing by looking at the vulnerabilities that match each indicator. The core-technology indicator (web applications and services, virtualization, and cryptography) covers many well-known vulnerabilities, including virtual machine escapes, session hijacking, and weak cryptography. Essential-characteristic vulnerabilities consist of unauthorized access to management and administrative tools, Internet protocol exploits, unauthorized access to data via covert channels or by reading data in memory or storage, and the ability to tamper with metering, which can be used to forge billing records or avoid paying for services.

The indicator for cases where cloud computing technology leads to ineffective or non-existent security controls yields vulnerabilities that include key management, specifically generating keys through hardware in a shared environment; the lack of standard security monitoring and reporting tools for cloud resources; and the fact that many security controls are built for conventional networked computing and generally do not work well in virtualized cloud environments. Finally, if vulnerabilities in the technologies and software used to implement cloud services are widespread, they are considered cloud-specific. These can include command interception, privilege escalation at the OS level, cross-site scripting, and weak authentication mechanisms. An important class to add to this list is user behavior: weak or bad passwords, unattended desktops, or poor security policies.

Architectural Vulnerabilities

Using the cloud infrastructure reference architecture developed by IBM in conjunction with the University of California, Los Angeles (Youseff et al., 2008), the cloud service models can be described in more detail, which in turn identifies other cloud-specific vulnerabilities associated with the different layers used to implement SaaS, PaaS, and IaaS. The architecture has three parts: Supporting (IT) Infrastructure, Cloud-Specific Infrastructure, and Service Customer. At the center are the Cloud Software Infrastructure, which provides access to lower-level components such as the OS and hardware through abstraction, and the Cloud Software Environment, which provides application services. Together they comprise three resource types: computational resources, storage, and communication. The vulnerabilities associated with these three resource types are typical of an environment where users and processes share resources, which is exactly what cloud computing depends on. They include virtual machine compromise and data leakage, weak cryptographic keys because of shared hardware key generation, data compromise due to remnant data on storage devices or in memory, and weaknesses in network software internal to VMs, such as DNS, DHCP, and IP vulnerabilities.

Cloud-Specific Infrastructure also includes Cloud Web Applications, Services & APIs, and Management Access, Authentication and Authorization processes. Again, the vulnerabilities associated with these components, as well as with those that comprise the Supporting (IT) Infrastructure, are common to most computing environments but are considered cloud-specific in this context. Examples include input fuzzing at the browser to crash applications or make them behave unexpectedly, interceding in the communication between client and server (man-in-the-middle), poor authorization checks, and insufficient logging and monitoring.

Conclusion

This article provides a simple yet comprehensive framework for identifying and understanding cloud-specific vulnerabilities. It does so by taking familiar vulnerabilities from non-cloud computing and classifying them within a cloud computing architecture. The result is the ability to move away from the vague fear that cloud computing is simply unsafe, toward a concrete taxonomy that reveals what and where the real vulnerabilities are, thus providing a practical foundation for a thorough assessment of the risks and threats in cloud computing.
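The risk decomposition described in the Vulnerability section above (risk as loss event frequency times probable loss magnitude, with vulnerability being the probability that a threat agent's capability beats the strength of the controls) can be made concrete in code. The following is an added worked example; it is not part of the original summary nor of the Grobauer et al. paper or the Open Group taxonomy documents. The scenario names, the triangular distributions, the annual threat-event counts, the loss figures and the tenant count are all constructed, and the `tenants` multiplier is an assumption used to illustrate the summary's point that a breach of a shared layer hits a provider harder than a single customer.

```python
import random
from dataclasses import dataclass


# Distributions are (low, high, mode) triples on a 0..1 scale, in the argument
# order that random.triangular expects. All values below are constructed.
@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_freq: float   # expected attack attempts per year (constructed)
    threat_capability: tuple   # how capable the threat agent is, 0..1
    control_strength: tuple    # how much of that capability the controls resist, 0..1
    loss_per_event: float      # probable loss magnitude per successful event (constructed)


def vulnerability(threat_capability, control_strength, samples=20000, seed=7):
    """Probability that the threat agent's capability exceeds the controls' strength.

    This follows the taxonomy's definition of vulnerability: the asset fails to
    resist whenever a sampled capability beats a sampled control strength.
    Monte Carlo sampling with a fixed seed keeps the estimate reproducible.
    """
    rng = random.Random(seed)
    beaten = sum(
        rng.triangular(*threat_capability) > rng.triangular(*control_strength)
        for _ in range(samples)
    )
    return beaten / samples


def loss_event_frequency(s):
    """Threat events per year that actually succeed: TEF x vulnerability."""
    return s.threat_event_freq * vulnerability(s.threat_capability, s.control_strength)


def annualized_risk(s, tenants=1):
    """Expected annual loss: loss event frequency x probable loss magnitude.

    `tenants` (an assumption of this example) scales the magnitude: a single
    customer counts only its own assets, whereas a provider whose shared layer
    is breached counts every tenant that is affected.
    """
    return loss_event_frequency(s) * s.loss_per_event * tenants


# Constructed scenarios: the same external threat against a host with and
# without current OS updates applied. Only the control strength differs,
# mirroring the summary's example that missing OS updates weaken resistance.
PATCHED = Scenario("patched host", 12.0, (0.2, 0.9, 0.5), (0.5, 1.0, 0.8), 50_000.0)
UNPATCHED = Scenario("unpatched host", 12.0, (0.2, 0.9, 0.5), (0.1, 0.6, 0.3), 50_000.0)


if __name__ == "__main__":
    for s in (PATCHED, UNPATCHED):
        v = vulnerability(s.threat_capability, s.control_strength)
        print(f"{s.name}: vulnerability={v:.2f} "
              f"LEF={loss_event_frequency(s):.2f}/yr "
              f"customer risk={annualized_risk(s):,.0f} "
              f"provider risk (200 tenants)={annualized_risk(s, 200):,.0f}")
```

Running the script prints one line per scenario; the unpatched host shows a markedly higher vulnerability and therefore a higher loss event frequency, while the provider-side figure is simply the customer-side figure multiplied by the number of tenants sharing the breached layer. Replacing the constructed triangular ranges with calibrated estimates is what turns this skeleton into an actual assessment.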

References:

[1] Grobauer, B., Walloschek, T., Stocker, E. (2010), Understanding Cloud Computing Vulnerabilities. IEEE Security & Privacy, 9(2), 50-57.

[2] Mell, P., Grance, T. (2009), Effectively and Securely Using the Cloud Computing Paradigm (v0.25), US Nat'l Inst. Standards and Technology presentation. http://csrc.nist.gov/groups/sns/cloud-computing

[3] Youseff, L., Butrico, M., Da Silva, D. (2008), Towards a Unified Ontology of Cloud Computing. Proc. Grid Computing Environments Workshop (GCE), IEEE Press, doi: 10.1109/GCE.2008.4738443.