Cloud Computing Security
Malicious VM creation
An attacker who creates a valid account can create a VM image containing malicious code such as a Trojan horse and store it in the provider repository.
Customer Relationship Management
The overall process of building and maintaining profitable customer relationships by delivering superior customer value and satisfaction
VMs located on the same server can share ___, ____, ___, and others.
VMs located on the same server can share CPU, memory, I/O, and others.
VMM
Virtual Machine Monitor
Countermeasures for Data Leakage
1. Fragmentation-redundancy-scattering 2. Digital signatures 3. Homomorphic encryption 4. Encryption
3 non-technology-based vulnerabilities
1. Lack of employee screening 2. Lack of customer background checks 3. Lack of security education
Sniffing/Spoofing virtual networks
A malicious VM can listen to the virtual network or even use ARP spoofing to redirect packets from/to other VMs.
Cloud Security Alliance
A non-profit organization that promotes the use of best practices in order to provide security in cloud environments.
Threat
A potential attack that may lead to a misuse of information or resources.
Account or service hijacking
Account theft can be performed in different ways, such as through social engineering and weak credentials. If an attacker gains access to a user's credentials, he can perform malicious activities such as accessing sensitive data, manipulating data, and redirecting any transaction.
As with SaaS and IaaS, PaaS depends on a ____ and ______ ______ and _____ ___ ______.
As with SaaS and IaaS, PaaS depends on a secure and reliable network and secure web browser.
Cloud Computing appears as a ______ paradigm as well as a distribution architecture and its main objective is to provide _____, _____, convenient ______ _______ and _______ _______ service, with all computing resources _______ as ________ and delivered over the Internet
Cloud Computing appears as a computational paradigm as well as a distribution architecture and its main objective is to provide secure, quick, convenient data storage and net computing service, with all computing resources visualized as services and delivered over the Internet
Cloud Computing enables ubiquitous, convenient, on-demand network access to a shared pool of configurable _________ _________(e.g., _____, ______, ________, _________, and ________) that can be rapidly provisioned and released with minimal _________ effort or ________ ________ interaction.
Cloud Computing enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
CSA
Cloud Security Alliance
Compared to traditional technologies, the cloud has many specific features, such as its ____ ____ and the fact that resources belonging to cloud providers are completely ______, ________ and totally __________.
Compared to traditional technologies, the cloud has many specific features, such as its large scale and the fact that resources belonging to cloud providers are completely distributed, heterogeneous and totally virtualized.
CRM
Customer Relationship Management
Data leakage
Data leakage happens when the data gets into the wrong hands while it is being transferred, stored, audited or processed.
ERP
Enterprise Resource Planning
Countermeasure for VM escape. List 3.
1. HyperSafe 2. TCCP (Trusted cloud computing platform) 3. Trusted virtual datacenter
Vulnerabilities in Hypervisors. What Layer?
I
Vulnerabilities in Virtual Machine Images. Which Layer?
I
Vulnerabilities in Virtual Machines. Which Layer?
I
Vulnerabilities in Virtual Networks. What Layer? List the 1.
Layer: I. Vulnerability: Sharing of virtual bridges by several virtual machines
Account or Service Hijacking. Countermeasures.
1. Identity and access management guidance 2. Dynamic credentials
In the first maturity model, each customer has his own _____ ______ of the software. This model has drawbacks, but ______ ______ are not so bad compared with the other models.
In the first maturity model, each customer has his own customized instance of the software. This model has drawbacks, but security issues are not so bad compared with the other models.
In the ______ maturity model, the vendor also provides different instances of the applications for each customer, but all instances use the same application code. In this model, customers can change some configuration options to meet their needs.
In the second maturity model, the vendor also provides different instances of the applications for each customer, but all instances use the same application code. In this model, customers can change some configuration options to meet their needs.
In the _____ maturity model multi-tenancy is added, so a single instance serves all customers. This approach enables more efficient use of the resources but scalability is limited.
In the third maturity model multi-tenancy is added, so a single instance serves all customers. This approach enables more efficient use of the resources but scalability is limited.
In the world of SaaS, the process of compliance is complex because data is located in the provider's datacenters, which may introduce regulatory compliance issues such as ____ ______, _______, and _______, that must be enforced by the provider.
In the world of SaaS, the process of compliance is complex because data is located in the provider's datacenters, which may introduce regulatory compliance issues such as data privacy, segregation, and security, that must be enforced by the provider.
Unlimited allocation of resources. Name the 1 vulnerability.
Inaccurate modeling of resource usage can lead to overbooking or over-provisioning.
Name the vulnerability and the threat. An attacker can use the victim's account to get access to the target's resources.
Vulnerability: Insecure interfaces and APIs. Threat: Account or service hijacking
VM hopping
It happens when a VM is able to gain access to another VM (i.e. by exploiting some hypervisor vulnerability).
VM escape
It is designed to exploit the hypervisor in order to take control of the underlying infrastructure.
Denial of Service
It is possible that a malicious user will take all the possible resources. Thus, the system cannot satisfy any request from other legitimate users due to resources being unavailable.
Mirage (Image Management System)
It provides the following security management features: access control framework, image filters, provenance tracking system, and repository maintenance services.
Mashups
Mashups combine more than one source element into a single integrated unit
Countermeasures for malicious virtual machine creation.
Mirage
Misuse patterns
Misuse patterns describe how a misuse is performed from the point of view of the attacker.
One of the most significant barriers to adoption is ______, followed by issues regarding ______, ______ and ____ _____.
One of the most significant barriers to adoption is security, followed by issues regarding compliance, privacy and legal matters.
OWASP
Open Web Application Security Project
PaaS application security comprises two software layers: Security of the ____ _____ itself, and Security of _______ _______ deployed on a ____ _____.
PaaS application security comprises two software layers: Security of the PaaS platform itself, and Security of customer applications deployed on a PaaS platform.
____ as well as ____ are hosted on top of ____.
PaaS as well as SaaS are hosted on top of IaaS.
Data-related vulnerabilities. Which Layers?
SPI
Insecure interfaces and APIs. Which Layers?
SPI
Unlimited allocation of resources. Which Layers?
SPI
SPI model
SaaS (Software), PaaS (Platform) and IaaS (Infrastructure)
Security concerns relate to risk areas such as _____ ____ _____, dependency on the ____ ____ , ____ __ ______, ___________ and ______ with ______ security.
Security concerns relate to risk areas such as external data storage, dependency on the "public" internet, lack of control, multi-tenancy and integration with internal security.
Data scavenging
Since data cannot be completely removed unless the device is destroyed, attackers may be able to recover this data.
SCM
Supply Chain Management
SDLC
System Development Life Cycle
Supply Chain Management
Systems that can help a firm manage aspects of its value chain, from the flow of raw materials into the firm, through delivery of finished products and services at the point-of-consumption.
The cloud enhances ______, ______,______, ________, ability to _____ __ _______ according to demand, ______ development work, and provides potential for ____ _____ through ______ and _______ computing.
The cloud enhances collaboration, agility, scalability, availability, ability to adapt to fluctuations according to demand, accelerate development work, and provides potential for cost reduction through optimized and efficient computing.
Dynamic credentials
The dynamic credential changes its value once a user changes his location or when he has exchanged a certain number of data packets.
Vulnerability
The flaws in a system that allow an attack to be successful.
Traditional security mechanisms such as _____, _____, and _______ are no longer enough for clouds in their current form.
Traditional security mechanisms such as identity, authentication, and authorization are no longer enough for clouds in their current form.
Unlike physical servers, VMs have two boundaries: _______ and _____.
Unlike physical servers, VMs have two boundaries: physical and virtual.
Customer-data manipulation
Users attack web applications by manipulating data sent from their application component to the server's application. For example, SQL injection, command injection, insecure direct object references, and cross-site scripting.
VM image
A VM image is a prepackaged software template containing the configuration files that are used to create VMs.
Virtualization
Virtualization allows users to create, copy, share, migrate, and roll back virtual machines, which may allow them to run a variety of applications.
Virtualized environments are vulnerable to all types of attacks for _____ __________; however, security is a greater challenge as virtualization adds more _____ __ ____ and more _____________ ________.
Virtualized environments are vulnerable to all types of attacks for normal infrastructures; however, security is a greater challenge as virtualization adds more points of entry and more interconnection complexity.
Countermeasures for Customer Data Manipulation. List 1.
Web application scanners
With IaaS, cloud users have better control over the _____ compared to the other models as long as there is no ______ _____ in the _____ _____ _______.
With IaaS, cloud users have better control over the security compared to the other models as long as there is no security hole in the virtual machine monitor.
Enterprise Resource Planning
a suite of applications called modules, a database, and a set of inherent processes for consolidating business operations into a single, consistent, computing platform
Insecure VM migration. Live migration of virtual machines exposes the contents of the VM state files to the network. An attacker can do which 3 actions?
a) Access data illegally during migration b) Transfer a VM to an untrusted host c) Create and migrate several VMs, causing disruptions or DoS
Vulnerabilities in Hypervisors. List 2.
a) Complex hypervisor code b) Flexible configuration of VMs or hypervisors to meet organization needs can be exploited.
Data-related vulnerabilities. List 6.
a) Data can be colocated with the data of unknown owners (competitors, or intruders) with a weak separation. b) Data may be located in different jurisdictions which have different laws. c) Incomplete data deletion - data cannot be completely removed. d) Data backup done by untrusted third-party providers. e) Information about the location of the data usually is unavailable or not disclosed to users. f) Data is often stored, processed, and transferred in clear plain text.
Vulnerabilities in Virtual Machines. List 6
a) Possible covert channels in the colocation of VMs b) Unrestricted allocation and deallocation of resources with VMs c) Uncontrolled Migration - VMs can be migrated from one server to another server due to fault tolerance, load balance, or hardware maintenance. d) Uncontrolled snapshots - VMs can be copied in order to provide flexibility, which may lead to data leakage. e) Uncontrolled rollback could lead to reset vulnerabilities - VMs can be backed up to a previous state for restoration, but patches applied after the previous state disappear. f) VMs have IP addresses that are visible to anyone within the cloud - attackers can map where the target VM is located within the cloud (Cloud cartography)
Vulnerabilities in Virtual Machine Images. List 2.
a) Uncontrolled placement of VM images in public repositories b) VM images are not able to be patched since they are dormant artifacts
Insecure interfaces and APIs. List 4 vulnerabilities.
a) Weak credentials b) Insufficient authorization checks c) Insufficient input-data validation d) Also, cloud APIs are still immature, which means that they are frequently updated. A fixed bug can introduce another security hole in the application.