Security in cloud computing

3/11/2013 Security in Cloud Computing 1

SECURITY IN CLOUD COMPUTING

ABHISHEK KUMAR SINHA
MIT,Manipal University


Content
Introduction to Cloud Computing

Cloud Storage

Cloud Services

Who Consume Cloud Services?

Why protection against Cloud?

Cloud computing and Security

Privacy in Cloud Computing

Survey on Cloud Infrastructure

Cloud Cryptography

Examine the IBM Security Framework

Guide to implementing a secure cloud

Conclusion


Introduction to Cloud Computing
• Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool
of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be
rapidly provisioned and released with minima
management effort or service provider interaction [1].


Cloud computing and Security [3]
• Cloud computing presents an added level of risk because

essential services are often outsourced to a third party.

• The externalized aspect of outsourcing makes it harder to

maintain data integrity and privacy, support data and ser-
vice availability, and demonstrate compliance.

• Inside the cloud, it is difficult to physically locate where

data is stored.


Cloud computing and Security…
• In addition, the massive sharing of infrastructure with
cloud computing creates a significant difference between
cloud security and security in more traditional IT
environments.
• Users spanning different corporations and trust levels
often interact with the same set of compute resources.
• At the same time, workload balancing, changing service-
level agreements (SLAs) and other aspects of todays
dynamic IT environments create even more opportunities
for misconfiguration, data compromise and malicious
conduct.

3/11/2013 12

Privacy in Cloud Computing

• Search history (Google, Yahoo, AOL)

• Emails (Yahoo, Microsoft, Google)

• Documents, Medical history! (Google)

• Photos (Flickr, Google)

• Video watching history (YouTube, Google)

• Web browsing history (DoubleClick, Google)

• Social networks (Facebook, MySpace, Google)

3/11/2013 14

Cloud Cryptography
• Homomorphic encryption

• Searchable/Structured encryption

• Proofs of storage

• Server-aided secure computation

3/11/2013 15

Homomorphic encryption
• Homomorphic encryption is a form of encryption which
allows specific types of computations to be carried out on
ciphertext and obtain an encrypted result which is the
ciphertext of the result of operations performed on the
plaintext.
• E.g.one person could add two encrypted numbers and
then another person could decrypt the result, without
either of them being able to find the value of the individual
numbers.

3/11/2013 17

Searchable Encryption
• Encryption that supports search on encrypted text
Symmetric key [SWP01,Goh03,CM05,CGKO06]
Public key [BDOP06, BKOS07,…]
• Guarantees that:
Cloud never sees documents
Cloud never sees search keywords
• Pros
Symmetric variant is very efficient!
• Cons
Reveals access and search patterns
Shows how to hide this but it is expensive

3/11/2013 19

Proofs of Storage

•Tamper detection without knowing original file:
Symmetric-key
Public-key
•Guarantees that:
Cloud will be caught if it tampers with data
• Pros
Symmetric variant is efficient!
Verification does not require copy of original data

3/11/2013 21

Server-aided secure computation

• Joint computation w/o revealing inputs
(plain) secure computation
•Guarantees that:
Parties will not learn each other’s inputs
Cloud will not learn parties’ inputs
• Pros
General-purpose (e.g., data mining,voting,negotiations,…)
Efficient


Examine the IBM Security Framework [3]
• The IBM Security Framework was developed to describe
security in terms of the business resources that need to
be protected, and it looks at the different resource
domains from a business point of view.
• Based on the IBM Security Framework and informed by
extensive discussions with IBM clients,IBM provide a host
of major security requirements in enterprise-class cloud
computing.


Cont’d…
• People and identity: Cloud environments usually support
a large and diverse community of users, so these controls
are even more critical. In addition, clouds introduce a new
tier of privileged users: administrators working for the
cloud provider.
Privileged-user monitoring, including logging activities,
becomes an important requirement. This monitoring
should include physical monitoring and background
checking.


Cont’d…
• Data and information: Most organizations cite data protection as their

most important security issue. Typical concerns include the way in
which data is stored and accessed, compliance and audit
requirements, and business issues involving the cost of data
breaches, notification requirements, and damage to brand value.

• All sensitive or regulated data needs to be properly segregated on

the cloud storage infrastructure, including archived data.

• Encrypting and managing encryption keys of data in transit to the

cloud or data at rest in the service provider's data center is critical to
protecting data privacy and complying with compliance mandates.


Cont’d…
• Application and process: Clients typically consider cloud

application security requirements in terms of image
security.

• All of the typical application security requirements still

apply to the applications in the cloud,but they also carry
over to the images that host those applications

• The cloud provider needs to follow and support a secure

development process.


Cont’d…
• Network, server, and endpoint: In the shared cloud
environment, clients want to ensure that all tenant domains are
properly isolated and that no possibility exists for data or
transactions to leak from one tenant domain into the next.
• To help achieve this, clients need the ability to configure
trusted virtual domains or policy-based security zones.
• As data moves further from the client's control, they expect
capabilities like Intrusion
• Detection and Prevention systems to be built into the
environment.


Cont’d…
• Physical infrastructure: The cloud's infrastructure,

including servers, routers, storage devices, power
supplies, and other components that support operations,
should be physically secure.

• Safeguards include the adequate control and monitoring

of physical access using biometric access control
measures and closed circuit television (CCTV) monitoring.


Guide to implementing a secure cloud
• Implement and maintain a security program:

• A security program can provide the structure for

managing information security, and the risks and threats
to the target environment.

• In the event of a security breach, the security program can

provide crucial information as to how the cloud is
protected, responses to threats, and a line of
accountability for management of events.


Cont’d…
• Build and maintain a secure cloud infrastructure:

• A secure infrastructure helps provide cloud resiliency and the

confidence that the information stored in the cloud is
adequately protected.

• Organizations must ensure that the vendor can meet all

business requirements, demonstrates an understanding of all
legal, regulatory, industry, and customer specific requirements,
and has the capacity to meet those requirements in a
satisfactory manner.


Cont’d…
• Ensure confidential data protection:

• Data protection is a core principle of information security. All of

the prevalent information security regulations and standards,
as well as the majority of industry best practices, require that
sensitive information be adequately protected in order to
preserve confidentiality.

• Confidentiality of such data is required no matter where that

data is resident in the chain of custody, including the cloud
environment.


Cont’d…
• Implement strong access and identity management:

• Access and identity management are critical to cloud security.

• They limit access to data and applications to authorized and appropriate

users.

• Establish application and environment provisioning:

• In a centrally managed cloud environment, it is essential to have automated

provisioning functionality in place.


Cont’d…
• Implement a governance and audit management

program:

• To be prepared for regulatory or internal audits, you need

to have a program in place that defines when, how, and
where to collect log and audit information.


Cont’d…
• Implement a vulnerability and intrusion management
program:
• In a trusted cloud environment, you have to implement a
strict vulnerability management program and mechanisms
such as intrusion detection systems (IDS) and intrusion
prevention systems (IPS) to ensure that IT resources
(servers, network, infrastructure components, and
endpoints) are constantly monitored for vulnerabilities and
breaches.


Cont’d…
• Maintain environment testing and validation:
• In order to maintain an intact cloud IT environment, you
have to employ different mechanisms
• for testing and validation.


Conclusion
• Cloud computing provides an efficient, scalable, and cost-

effective way for today’s organizations to deliver business
or consumer IT services over the Internet.

• Cloud computing is often provided as a service, so control

over data and operations is shifted to third-party service
providers, requiring their clients to establish trust
relationships with their providers and develop security
solutions that take this relationship into account.


Reference
[1] “The NIST Definition of Cloud Computing”, Reports on
Computer Systems Technology, National Institute of
Standards and Technology Special Publication 800-
145,September 2011.

[2] “IBM Point of View: Security and Cloud Computing”,
Cloud computing White paper, November 2009.

[3] “Cloud Security Guidance IBM Recommendations for
the Implementation of Cloud Security”, IBM RedBooks.

Security in cloud computing

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Security in cloud computing (20)

Recently uploaded (20)

Security in cloud computing