Understanding Cloud Computing Vulnerabilities

This paper appears in: Security & Privacy, IEEE
Issue Date: March-April 2011
Volume: 9, Issue: 2
On page(s): 50
ISSN: 1540-7993
INSPEC Accession Number: 11903410
Digital Object Identifier: 10.1109/MSP.2010.115
Date of Publication: 17 June 2010
Date of Current Version: 28 March 2011
Speaker: Siou
Overview
Abstract
Vulnerability: An Overview
Cloud Computing
Cloud-Specific Vulnerabilities
Architectural Components and Vulnerabilities
Conclusion
Abstract
(Slide figure: "Cloud Computing" surrounded by everyday cloud-hosted services: Amazon, Gmail, News, Plurk, Google Map, Facebook, Twitter, Blog.)
Vulnerability: An Overview
ISO 27005 defines risk as
"the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization"
EX: SQL injection against a database server (a threat exploiting a vulnerability of an asset)
EX: the Sony PlayStation Network (PSN) breach (harm to the organization)
Vulnerability: An Overview
Defining Vulnerability
According to the Open Group's risk taxonomy, vulnerability is the probability that an asset will be unable to resist the actions of a threat agent.
EX: intranet vs. extranet: the same asset faces different threat agents, so its vulnerability differs
Cloud Computing
Core Cloud Computing Technologies: Web applications and services, virtualization, cryptography
Cloud Computing
Essential Characteristics of Cloud Computing
(NIST definition)
On-demand self-service.
Ubiquitous network access.
Resource pooling.
Rapid elasticity.
Measured service.
Cloud-Specific Vulnerabilities
Core-Technology Vulnerabilities
virtual machine escape
EX: code in a guest VM breaks out of the hypervisor's isolation and reaches the host or other tenants' VMs
session riding and hijacking
EX: cross-site request forgery: the victim's browser attaches the session cookie to a request the attacker's page forged
insecure or obsolete cryptography
EX: password attack against passwords stored with a weak, unsalted hash
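The "password attack" on the last bullet, as an added Python example (not code from the paper or the slides): an obsolete unsalted hash lets an attacker recover passwords offline from a small wordlist, while a salted, deliberately slow KDF does not. The wordlist, the sample password, the `salt$iterations$hash` storage format and the iteration count are assumptions of this example.

```python
# Added example (not from the paper or the slides): why an obsolete password
# hash makes a "password attack" cheap, and what a salted, slow KDF changes.
# Wordlist, sample password, storage format and iteration count are assumed.
import hashlib
import hmac
import os

# Constructed attacker wordlist; a real one is millions of entries.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def md5_store(password: str) -> str:
    """Obsolete: unsalted MD5. Fast, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_crack(stored: str, wordlist=WORDLIST):
    """Offline guessing: hash each candidate and compare. Returns the password or None."""
    for candidate in wordlist:
        if md5_store(candidate) == stored:
            return candidate
    return None


def pbkdf2_store(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Current practice: per-user random salt plus a deliberately slow KDF.
    The 'salt$iterations$hash' layout is an assumption of this example."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = md5_store("hunter2")
    print("md5 cracked:", md5_crack(leaked))            # recovered instantly
    stored = pbkdf2_store("hunter2")
    print("pbkdf2 verify:", pbkdf2_verify("hunter2", stored))
    # Same password, different stored value: the salt defeats precomputed tables.
    print("salted differently:", stored != pbkdf2_store("hunter2"))
```

The point for a cloud service is that the stored hashes are the thing that leaks in a breach; the KDF's per-guess cost is what keeps a leaked table from turning into working credentials.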
Cloud-Specific Vulnerabilities
Essential Cloud Characteristic Vulnerabilities
Unauthorized access to management interface.
EX: the Azure management portal (on-demand self-service makes the management interface reachable over the network by anyone)
Internet protocol vulnerabilities.
EX: man-in-the-middle attacks on the standard Internet protocols used to reach the service (ubiquitous network access)
Data recovery vulnerability.
EX: a disk block or memory page freed by one customer and reallocated to another still holds the first customer's data (resource pooling, rapid elasticity)
Metering and billing evasion.
EX: manipulating metering data so that usage isn't paid for (measured service)
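The data recovery vulnerability above, as an added Python example (not code from the paper or the slides): a toy pool of storage blocks shared by tenants, where a block released by one tenant is handed to the next. The tenant names, the secret and the block size are constructed; the pool class is a model of the provider's allocator, not any real product.

```python
# Added example (not from the paper or the slides): a toy model of the data
# recovery vulnerability that resource pooling and elasticity create.
# Tenant names, the secret and the block size are constructed.
from typing import Dict, List


class BlockPool:
    """Fixed-size storage blocks shared by tenants (stand-in for disk/memory)."""

    def __init__(self, blocks: int, size: int, sanitize_on_release: bool):
        self.size = size
        self.sanitize = sanitize_on_release
        self.free: List[bytearray] = [bytearray(size) for _ in range(blocks)]
        self.owner: Dict[int, str] = {}          # id(block) -> tenant

    def allocate(self, tenant: str) -> bytearray:
        block = self.free.pop()
        self.owner[id(block)] = tenant
        return block

    def release(self, tenant: str, block: bytearray) -> None:
        if self.owner.get(id(block)) != tenant:
            raise PermissionError("tenant does not own this block")
        del self.owner[id(block)]
        if self.sanitize:
            block[:] = bytes(self.size)   # overwrite before the block can be reused
        self.free.append(block)


def leaked_to_next_tenant(sanitize_on_release: bool) -> bytes:
    """Tenant A writes a secret and releases the block; return what tenant B reads."""
    pool = BlockPool(blocks=1, size=64, sanitize_on_release=sanitize_on_release)
    block = pool.allocate("tenant-A")
    secret = b"db-password=hunter2"             # constructed sample secret
    block[:len(secret)] = secret
    pool.release("tenant-A", block)
    reused = pool.allocate("tenant-B")          # the same physical block comes back
    return bytes(reused).rstrip(b"\x00")


if __name__ == "__main__":
    print("without sanitization:", leaked_to_next_tenant(False))
    print("with sanitization:   ", leaked_to_next_tenant(True))
```

A customer cannot observe whether the provider's allocator takes the sanitizing branch, which is why the usual advice is to also encrypt data at rest under keys the customer controls: a recovered block is then useless without the key.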
Cloud-Specific Vulnerabilities
Defects in Known Security Controls - IaaS
virtualized networks offer insufficient network-based controls.
EX: network-based vulnerability scanning is usually forbidden by IaaS providers, because a customer's friendly scan can't be distinguished from an attack; IP-based network zoning can't be applied either
poor key management procedures.
EX: a cloud infrastructure needs many different kinds of keys, stored and distributed across virtual machines where hardware security modules can't be used
security metrics aren't adapted to cloud infrastructures.
EX: there are no standardized cloud-specific metrics, so customers can't monitor the security status of their resources
Architectural Components and Vulnerabilities
Architectural Components and Vulnerabilities
Cloud Software Infrastructure and Environment - PaaS
a development and runtime environment for services and applications
EX: the set of supported languages and frameworks
storage services
EX: a database interface rather than a file share
communication infrastructure
EX: Azure AppFabric Service Bus
Architectural Components and Vulnerabilities
Computational Resources
concerns how virtual machine images are handled
EX: a VM image is not a blank resource: it carries the creator's configuration, leftover data and possibly credentials
EX: an image can be taken from an untrustworthy source (or be tampered with in the image repository)
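One check a customer can run before launching an image, as an added Python example (not code from the paper or the slides): compare the image's SHA-256 digest against digests pinned from the customer's own builds, and scan the image for material that must never ship inside it. The stand-in image bytes, the pinned digest table and the list of secret markers are assumptions of this example.

```python
# Added example (not from the paper or the slides): vetting a VM image before
# launch. The image bytes, the trusted-digest table and the marker list are
# constructed assumptions; a real image would be a multi-gigabyte file.
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a VM image produced by our own build pipeline.
TRUSTED_IMAGE = b"[disk image] base-os 2011.03 / sshd / cloud-init / no secrets"

# Digests pinned from our own build, not read from the image repository.
TRUSTED_DIGESTS: Dict[str, str] = {
    hashlib.sha256(TRUSTED_IMAGE).hexdigest(): "base-os-2011.03 (own build)",
}

# Material that must never be baked into an image (assumed marker list).
SECRET_MARKERS = [
    (rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----", "embedded private key"),
    (rb"AKIA[0-9A-Z]{16}", "embedded cloud access key id"),
]


def vet_image(image: bytes, trusted: Dict[str, str] = TRUSTED_DIGESTS) -> dict:
    """Return the digest, its known source, and every finding that blocks launch."""
    digest = hashlib.sha256(image).hexdigest()
    findings: List[str] = []
    if digest not in trusted:
        findings.append("digest not in trusted list (untrusted source or tampered)")
    for pattern, what in SECRET_MARKERS:
        if re.search(pattern, image):
            findings.append(what)
    return {
        "digest": digest,
        "source": trusted.get(digest, "unknown"),
        "launchable": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    print(vet_image(TRUSTED_IMAGE))
    tampered = TRUSTED_IMAGE.replace(b"sshd", b"sshd+backdoor")
    print(vet_image(tampered))
    with_key = TRUSTED_IMAGE + b"\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"
    print(vet_image(with_key))
```

Pinning digests only helps if the pinned table is produced by a pipeline the customer controls; a digest copied from the same marketplace page as the image verifies nothing.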
Architectural Components and Vulnerabilities
Storage
obsolete cryptography and poor key management
EX: the usual media sanitization (physical disk destruction) can't be carried out, because the disk is shared with other customers; secure deletion has to rely on encryption and key destruction instead
Architectural Components and Vulnerabilities
Communication
vulnerabilities of shared network infrastructure components
Architectural Components and Vulnerabilities
Cloud Web Applications
an application component operated somewhere in the cloud, and
a browser component running within the user's browser.
EX: session riding and hijacking vulnerabilities, and injection vulnerabilities.
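The two vulnerability classes named here, and under Core-Technology Vulnerabilities above (session riding), as an added Python example (not code from the paper or the slides): a request handler for a cloud Web application in a vulnerable form and a hardened form. The vulnerable handler trusts the session cookie alone and splices form input into SQL; the hardened one requires a session-bound CSRF token and uses a parameterized query. The `Session` and `Request` classes, the handler names and the sample database are assumptions of this example.

```python
# Added example (not from the paper or the slides): session riding (CSRF) and
# SQL injection in the application component of a cloud Web application.
# Session, Request, the handlers and the sample rows are constructed.
import hmac
import secrets
import sqlite3
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to this session."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    session: Optional[Session]   # attached automatically by the browser (cookie)
    form: dict                   # POST body, controlled by whoever built the page


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two documents owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER, owner INTEGER, title TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                   [(1, 100, "budget"), (2, 200, "roadmap")])
    return db


def rename_vulnerable(db: sqlite3.Connection, req: Request) -> str:
    """Trusts the cookie alone (session riding) and splices input into SQL (injection)."""
    if req.session is None:
        return "rejected: not logged in"
    sql = "UPDATE documents SET title = '%s' WHERE id = %s AND owner = %d" % (
        req.form["title"], req.form["id"], req.session.user_id)
    db.execute(sql)
    db.commit()
    return "ok"


def rename_hardened(db: sqlite3.Connection, req: Request) -> str:
    """Requires a session-bound CSRF token and uses a parameterized query."""
    if req.session is None:
        return "rejected: not logged in"
    # An attacker's page can make the victim's browser send the cookie, but it
    # cannot read the token out of the legitimate page, so it cannot supply it.
    if not hmac.compare_digest(req.form.get("csrf", ""), req.session.csrf_token):
        return "rejected: missing or invalid CSRF token"
    try:
        doc_id = int(req.form["id"])
    except (KeyError, ValueError):
        return "rejected: bad id"
    cur = db.execute("UPDATE documents SET title = ? WHERE id = ? AND owner = ?",
                     (req.form.get("title", ""), doc_id, req.session.user_id))
    db.commit()
    return "ok" if cur.rowcount == 1 else "rejected: no such document for this owner"


def titles(db: sqlite3.Connection) -> dict:
    return dict(db.execute("SELECT id, title FROM documents ORDER BY id"))


if __name__ == "__main__":
    victim = Session(user_id=100)
    # Forged request: built by an attacker's page; the victim's browser attaches
    # the victim's session cookie. No CSRF token, and an injected id.
    forged = Request(victim, {"id": "2 OR 1=1", "title": "pwned"})
    db = setup_db()
    print(rename_vulnerable(db, forged), titles(db))   # both documents renamed
    db = setup_db()
    print(rename_hardened(db, forged), titles(db))     # rejected, nothing changed
```

With the injected id the vulnerable statement becomes `... WHERE id = 2 OR 1=1 AND owner = 100`, and because AND binds tighter than OR it renames the other user's document 2 as well as the victim's own document 1: a single forged request rides the victim's session and bypasses the ownership clause at once.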
Architectural Components and Vulnerabilities
Services and APIs
most services are Web services and share many vulnerabilities with Web applications; the Web application layer may itself be realized entirely by Web services, so that the application URL would only give the user a browser component
Architectural Components and Vulnerabilities
Management Access
management access is often realized using a Web application or service, so the vulnerabilities of Web applications apply to management access as well
Architectural Components and Vulnerabilities
Identity, Authentication, Authorization, and Auditing Mechanisms
Denial of service by account lockout.
EX: an attacker repeatedly fails logins for a victim's account until the lockout policy locks the legitimate user out
Weak credential-reset mechanisms.
EX: a provider that doesn't use federated authentication manages credentials itself and must offer its own reset mechanism, which is often weak
Insufficient or faulty authorization checks.
EX: the root cause of URL-guessing attacks: an object is fetched by the id in the URL without checking that the caller may access it
Coarse authorization control.
EX: only a few coarse roles exist, so duty separation and least privilege can't be implemented
Insufficient logging and monitoring possibilities.
EX: no standards or mechanisms give customers logging and monitoring facilities within cloud resources
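The authorization and auditing points above, as an added Python example (not code from the paper or the slides): a handler that fetches documents by id without any authorization check (the URL-guessing case) next to an authorizer that enforces ownership, grants a read-only auditor role (duty separation) and records every decision. The documents, users, roles and the `Authorizer` API are assumptions of this example.

```python
# Added example (not from the paper or the slides): object-level authorization
# with an audit trail. Documents, users, roles and the API are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data: documents with owners, and users with roles.
DOCUMENTS = {1: {"owner": "alice", "title": "budget"},
             2: {"owner": "bob", "title": "roadmap"}}
ROLES: Dict[str, Set[str]] = {"alice": set(), "bob": set(), "carol": {"auditor"}}
# A role lists exactly the actions it may perform on other users' documents.
# The auditor may read everything but change nothing (duty separation).
ROLE_ACTIONS: Dict[str, Set[str]] = {"auditor": {"read"}}


@dataclass
class AuditRecord:
    user: str
    action: str
    resource: int
    outcome: str


def get_document_unchecked(user: str, doc_id: int) -> Optional[dict]:
    """Faulty: authentication happened, authorization did not. Any logged-in
    user who guesses another id in the URL gets that document."""
    return DOCUMENTS.get(doc_id)


class Authorizer:
    def __init__(self):
        self.audit: List[AuditRecord] = []    # every decision, allow or deny

    def decide(self, user: str, action: str, doc_id: int) -> str:
        doc = DOCUMENTS.get(doc_id)
        if doc is None:
            return "deny: no such document"
        if doc["owner"] == user:
            return "allow: owner"
        for role in ROLES.get(user, set()):
            if action in ROLE_ACTIONS.get(role, set()):
                return f"allow: role {role}"
        return "deny: not permitted"

    def access(self, user: str, action: str, doc_id: int) -> Optional[dict]:
        outcome = self.decide(user, action, doc_id)
        self.audit.append(AuditRecord(user, action, doc_id, outcome))
        return DOCUMENTS[doc_id] if outcome.startswith("allow") else None

    def http_status(self, user: str, action: str, doc_id: int) -> int:
        """'Not permitted' and 'not found' both map to 404, so a guesser
        cannot tell which ids exist."""
        return 200 if self.access(user, action, doc_id) is not None else 404


if __name__ == "__main__":
    print("unchecked:", get_document_unchecked("bob", 1))   # bob reads alice's doc
    auth = Authorizer()
    print("bob reads 1:", auth.http_status("bob", "read", 1))        # 404
    print("carol reads 1:", auth.http_status("carol", "read", 1))    # 200
    print("carol deletes 1:", auth.http_status("carol", "delete", 1))  # 404
    for rec in auth.audit:
        print(rec)
```

The audit list is what the customer would want exported from the provider: every denied guess at a foreign id shows up there with the user who made it, which is exactly the data the slide says cloud customers usually cannot get.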
Architectural Components and Vulnerabilities
Provider
the users' inability to control, or even inspect, the cloud infrastructure they depend on
Conclusion
Cloud computing is in constant development, so the set of cloud-specific vulnerabilities will keep changing with it
Any questions?