09-Security in Cloud Computing
Last updated
Last updated
On-demand self service
Distributed storage
Rapid elasticity
Automated management
Broad network access
Resource pooling
Measure service: pay-per-use
Virtualization technology
Organizations have limited control and flexibility
Prone to outages and other technical issues
Security, privacy, and compliance issues
Contracts and lock-ins
Depending on network connections
On-Premises
IasS
PasS
SaaS
App
x
Data
x
Runtime
x
x
Middleware
x
x
O/S
x
x
Virtualization
x
x
x
Servers
x
x
x
Storage
x
x
x
Networking
x
x
x
IaaS (Infrastructure as a Service)
Providing virtualized computing resources
Third party hosts the servers with hypervisor running the VMs as guests
Subscribers usually pay on a per-use basis
PaaS (Platform as a Service)
Geared towards software development
Hardware and software hosted by provider
Providing ability to develop without having to worry about hardware or software
SaaS (Software as a Service)
Provider supplies on-demand applications to subscribers
Offloading the need for patch management, compatibility and version control
Public Cloud: services provided over a network that is open for public to use
Private Cloud: cloud solely for use by one single tenant; usually done in larger organizations
Community Cloud: cloud shared by several organizations, but not open to public
Hybrid Cloud: a composition of two or more cloud deployment models
Cloud Consumer: acquiring and uses cloud products and services
Cloud Provider: purveyor of products and services
Cloud Carrier: organization with responsibility of transferring data; akin to power distributor for electric grid
Cloud Auditor: performing independent examination of cloud service control
Cloud Broker: managing use, performance and delivery of services as well as relationships between providers and subscribers
Problem with cloud security is what you are allowed to test and what should you test
Another concern is if the hypervisor is compromised, all hosts on that hypervisor are as well
Tools
Qualys Cloud Platform: end-to-end IT security solution
CloudPassage Halo: instant visibility and continuous protection for servers in any cloud
Core CloudInspect: pen-testing application for AWS EC2 users
Data Breach or Loss: biggest thraet
Abuse of Cloud Resources
Insecure Interfaces and APIs
Insufficient due diligence: moving an application without knowing the security differences
Shared technology issues: multi-tenant environments that don't provide proper isolation
Unknown risk profiles: subscribers simply don't know what security provisions are made in the background
Others including malicious insiders, inadequate design and DDoS
Service Hijacking
Using Social Engineering Attacks
Using Networking Sniffing
Session Hijacking
Using XSS Attack
Using Session Riding: basically CSRF
DNS Attacks
DNS Poisoning
Cybersquatting: conducting phishing scams by registering a domain name that is similar to a cloud service provider
Domain Hijacking: stealing a cloud service provider's domain name
Domain Snipping: registering an elapsed/past domain name
Side Channel Attack or Cross-guest VM Breach
Using an existing VM on the same physical host to attack another
This is more broadly defined as using something other than the direct interface to attack a system
SQL Injection Attack: targeting SQL servers running vulnerable database applications
Cryptanalysis Attack: weak or broken encryption, weak random number generation
Wrapping Attack: SOAP message intercepted and data in envelope is changed and sent/replayed
DoS and DDoS Attack
Man-in-the-Cloud (MITC) Attack: carried out by abusing cloud file synchronization services, plants attacker's synchronization token on victim's drive to gain access of victim's files