Chapter 8 Cloud Computing
differences between public IaaS and traditional networks
1. shared infrastructure in IaaS introduces new threats that you need to address 2. there are typically more ways to access and control IaaS hosts than traditional hosts, including via APIs 3. IaaS removes many of the traditional constraints on network security by making new VMs and private networks easy and cheap to deploy
general threats that come up as a result of the cloud computing paradigm
1. attacks against shared resources 2. insecure APIs
two steps of assessing cloud providers
1. determining your cloud service needs 2. determining which providers meet the list of requirements you created in the first step
security tools that fit nicely in the cloud paradigm
1. email filtering 2. DDoS protection 3. network monitoring
how does cloud computing mitigate the risk of single points of failure?
1. geographic diversity 2. platform diversity 3. infrastructure diversity
The cloud has five defining characteristics...
1. on-demand self-service 2. broad network access 3. resource pooling 4. rapid elasticity 5. measured service
four basic offerings described by cloud providers
1. private clouds 2. community clouds 3. public clouds 4. hybrid clouds
three major types of cloud computing
1. software as a service (SaaS) 2. platform as a service (PaaS) 3. infrastructure as a service (IaaS)
cloud computing
The provision of computing resources, including applications, over the Internet, so customers do not have to invest in the computing infrastructure needed to run and maintain the resources
benefits of FIdM
allows cloud customers to use cloud resources without requiring an extra set of login credentials; allows all login credentials and authentication options to be managed centrally by the customer organization
federated identity management (FIdM)
allows one organization or system to attest to another a user's identity and authority; one system maintains a user's identity information, and other systems query that one system when needed
infrastructure as a service (IaaS)
cloud offers processing, storage, and network components that enable customers to run any kind of software; complex and customizable
resource pooling
cloud provider can put together a large number of multiple and varied resources to provide your requested services
software as a service (SaaS)
cloud provider gives a customer access to applications running in the cloud; customer has no control over infrastructure or most application capabilities
cryptographic side-channel attack
attack in which an adversary infers a victim's cryptographic key not by breaking the mathematics but by carefully observing the cryptographic operation's side effects (for example its timing, cache usage, or power consumption)
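The following is an added illustration of the side-channel idea, not code from the page or the textbook it summarizes. It models the classic timing leak of a comparison that exits at the first mismatching byte: the "side effect" an attacker would measure (run time) is stood in for by the number of bytes the comparison touched, so the example runs deterministically offline. The secret value, and the names naive_equal, constant_time_equal, recover_secret and attack, are constructed for this example.

```python
import hmac

# Constructed sample secret (not from the page): a 16-byte authentication tag.
SECRET = bytes.fromhex("7f3a9c0e5d21b86a4ef0c9d3175e2b48")


def naive_equal(secret: bytes, guess: bytes):
    """Comparison that stops at the first mismatching byte.

    Returns (equal, bytes_compared). The second value stands in for the
    side effect a real attacker measures: the earlier the loop exits, the
    less time (or fewer instructions, cache lines, ...) the check consumes.
    """
    if len(secret) != len(guess):
        return False, 0
    compared = 0
    for s, g in zip(secret, guess):
        compared += 1
        if s != g:
            return False, compared
    return True, compared


def constant_time_equal(secret: bytes, guess: bytes):
    """Hardened comparison: hmac.compare_digest has no data-dependent
    early exit, so the observable cost is the same for every guess."""
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(oracle, length: int) -> bytes:
    """Recover the secret one byte at a time using only the leaked cost.

    With a correct prefix of i bytes, a correct byte at position i makes the
    comparison continue to byte i+1 (or succeed outright at the last byte);
    a wrong byte stops it at byte i. The attacker never sees the secret,
    only (equal, cost) pairs.
    """
    guess = bytearray(length)
    for i in range(length):
        for candidate in range(256):
            guess[i] = candidate
            equal, cost = oracle(bytes(guess))
            if equal or cost > i + 1:
                break
    return bytes(guess)


def attack(compare) -> bytes:
    """Run the recovery against a comparison function guarding SECRET."""
    return recover_secret(lambda g: compare(SECRET, g), len(SECRET))


if __name__ == "__main__":
    print("naive comparison leaks the secret:", attack(naive_equal) == SECRET)          # True
    print("constant-time comparison leaks it:", attack(constant_time_equal) == SECRET)  # False
```

The naive oracle gives up the whole secret in at most 256 guesses per byte instead of 256^16 overall; the constant-time oracle leaks nothing, and the same byte-by-byte search comes back with garbage. On shared cloud hardware the measurable side effect is more often cache or timing behaviour of a neighbouring VM than a single comparison, but the inference step is the same.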
hybrid cloud
composed of two or more types of clouds
platform as a service (PaaS)
customer deploys its own applications, but the cloud provides the languages and tools that support application development; no control over the infrastructure that underlies the tools, but some say in how that infrastructure is configured
the most obvious way that cloud services can be valuable security tools:
excellent at mitigating single points of failure
private cloud
has infrastructure that is operated exclusively by and for the organization that owns it
benefit of specialization
having every VM be as specialized as possible is an excellent security practice
on-demand self-service
as a cloud customer, you can provision computing resources automatically, as you need them, without human interaction with the provider
vendor lock-in
occurs when customers must continue buying a certain type of product from the same vendor they have already been using because the upfront cost of migrating to a different vendor's product line would be significantly higher than the short-term cost of staying with the existing vendor; inhibits switching providers
public cloud
owned by an organization that sells cloud services
OAuth
prevailing FIdM standard for API authorization; primary purpose is authorizing third-party applications to access APIs on a user's behalf
Security Assertion Markup Language (SAML)
prevailing FIdM standard for authentication; XML-based standard that defines a way for systems to securely exchange user identity and privilege information; handles authentication, authorization, and single sign-on for users and systems
problem with encrypting large quantities of data using a single key
re-encrypting gigabytes of data with a new key is time-consuming (problematic if a user wants a password change, since the data would have to be re-encrypted every time)
OIDC
OpenID Connect, a relatively new FIdM standard layered on OAuth; goal is to allow users to access every site on the internet with a single set of credentials; supports both browsers and native applications
community cloud
shared by several organizations and usually intended to accomplish a shared goal
cloud computing platform
software system that provisions, monitors, and manages workload on a shared computing infrastructure
rapid elasticity
storage, network bandwidth, and computing capacity can be increased or decreased immediately, allowing for optimal scalability
master and user key protocol
to encrypt local hard drives, cloud providers might generate a strong, random "master" key that is used to encrypt and decrypt the data, and use a different, changeable "user" key to encrypt and decrypt the master key; a password change then only re-encrypts the small master key, not the bulk data
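The scheme above, worked through as an added example (not code from the page or from any cloud provider). A random master key encrypts the bulk data once; a user key derived from the password wraps only the master key, so change_password re-wraps 32 bytes and leaves the data blob byte-for-byte unchanged, which is exactly the cost that re-keying the data directly would not avoid. To stay standard-library only, the cipher is an HMAC-SHA256 keystream in counter mode with an HMAC tag; that construction, the class and function names, the password strings and the 256 KiB sample are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Illustrative cipher for the example: HMAC-SHA256 keystream in counter mode
# plus an HMAC tag. It shows the key hierarchy; it is not a production cipher.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key or tampered data
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def user_key(password: str, salt: bytes) -> bytes:
    """Derive the changeable 'user' key from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EncryptedVolume:
    """Data encrypted once under a random master key; only the wrapped
    master key changes when the password does."""

    def __init__(self, password: str, data: bytes):
        master = secrets.token_bytes(32)           # strong, random, never rotated here
        self.data_blob = encrypt(master, data)     # the expensive one-time encryption
        self.salt = secrets.token_bytes(16)
        self.wrapped_master = encrypt(user_key(password, self.salt), master)

    def _unwrap(self, password: str) -> bytes:
        return decrypt(user_key(password, self.salt), self.wrapped_master)

    def read(self, password: str) -> bytes:
        return decrypt(self._unwrap(password), self.data_blob)

    def change_password(self, old: str, new: str) -> None:
        master = self._unwrap(old)                 # raises ValueError if old is wrong
        self.salt = secrets.token_bytes(16)
        self.wrapped_master = encrypt(user_key(new, self.salt), master)
        # self.data_blob is untouched: no re-encryption of the bulk data.


def demo() -> dict:
    data = bytes(range(256)) * 1024                # constructed 256 KiB sample
    vol = EncryptedVolume("hunter2", data)
    before = vol.data_blob
    vol.change_password("hunter2", "correct horse battery staple")
    try:
        vol.read("hunter2")
        old_rejected = False
    except ValueError:
        old_rejected = True
    return {
        "bulk_data_untouched": vol.data_blob == before,
        "new_password_reads": vol.read("correct horse battery staple") == data,
        "old_password_rejected": old_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The same structure is what providers call envelope encryption: in practice the data key would be used with a standard AEAD such as AES-GCM and the wrapping key would live in a key management service or HSM, but the property shown here is the one that matters for the flashcard, namely that rotating the user-facing key costs one small decrypt-and-re-encrypt regardless of how much data sits under the master key.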
measured service
use of resources in the cloud can be monitored, controlled, and reported, allowing for better management...
broad network access
you can access these services with a variety of technologies
risk of public cloud service
your data are stored on the same set of storage devices as those of countless other customers, which introduces the threat of access by the neighboring tenants that share them