Te-Shun Chou
International Journal of Computer Science & Information Technology (IJCSIT) Vol. 5, No 3, June 2013

This paper covers:
• Cloud service models.
• Cloud security risks and threats from three perspectives.
• Related real-world cloud exploits.
• Countermeasures to cloud security breaches.
• Conclusion and future work.

What is Cloud Computing?
Cloud computing involves delivering computing resources (hardware and software) as a service over a network (typically the Internet) by cloud computing service providers.
• A good understanding of cloud security threats is necessary in order to provide more secure services to cloud users.

CLOUD SERVICE MODELS
Cloud computing includes three layers:
• System layer: known as Infrastructure-as-a-Service (IaaS)
• Platform layer: known as Platform-as-a-Service (PaaS)
• Application layer: known as Software-as-a-Service (SaaS)

Layers of Cloud Computing
[Figure: layers of cloud computing; surviving labels: SalesForce CRM, LotusLive]

TAXONOMY OF CLOUD SECURITY THREATS
• SaaS, PaaS, and IaaS also expose information security issues and risks in cloud computing systems.
• Hackers might abuse the powerful computing capability provided by clouds.
• Data loss is an important security risk of cloud models.
• Traditional network attack strategies can be applied against the three layers of cloud systems.

Abuse of Cloud Computational Resources
• Previously, hackers used multiple computers or a botnet to produce a great amount of computing power in order to conduct cyber-attacks.
• Now, powerful computing infrastructure can be easily created through a simple registration process with a cloud computing service provider.
• Brute force attack
• Denial of Service attack

Brute force attack: Thomas Roth, a German researcher, managed to crack a WPA-PSK protected network by renting a server from Amazon’s EC2. In approximately 20 minutes, he fired 400,000 passwords/sec into the system, and the cost was only 28 cents/minute.
DoS: Bryan and Anderson launched cloud-based DoS attacks against one of their clients, with the help of Amazon’s EC2, in order to test its connectivity; they spent $6 to rent virtual servers and used a homemade program to successfully flood their client's server, making it unavailable.

Data Breaches
Malicious Insider:
• Insiders who exploit cloud vulnerabilities to gain unauthorized access to confidential data or to carry out attacks against their own employer’s IT infrastructure.
Online Cyber Theft:
• Sensitive data stored on clouds has become an attractive target for online cyber theft.
• Incidents such as Zappos, LinkedIn, Sony PlayStation.

Cloud Security Attacks
• Malware Injection Attacks:
  • Hackers exploit vulnerabilities of a web application and embed malicious code into it, changing the course of its normal execution. The two common forms are SQL injection attacks and cross-site scripting attacks.
• Wrapping Attack:
  • Uses XML signature wrapping (or XML rewriting) to exploit a weakness in the way web servers validate signed requests. An attacker is able to change the content of the signed part without invalidating the signature.

COUNTERMEASURES
• Security Policy Enhancement: avoid weak registration systems; credit card fraud monitoring and blocking of public blacklists could be applied.
• Access Management: continuous monitoring of physical computing systems, restricting traffic access to the data using firewalls and intrusion detection systems, and controlling access to cloud applications and data using SAML and XACML.
• Data Protection: data loss prevention systems, anomalous behavior pattern detection tools, format preserving and encryption tools, user behavior profiling, decoy technology, and authentication and authorization.
• Security Techniques Implementation: for malware injection attacks, use a FAT system; also store a hash value of the original service instance’s image file and perform an integrity check. For XML signature wrapping attacks, use XML Schema Hardening techniques, i.e. a subset of XPath called FastXPath.

CONCLUSIONS AND FUTURE WORK
• Cloud computing is in continual development; while people enjoy the benefits cloud computing brings, security in clouds is a key challenge.
• Many vulnerabilities in clouds still exist, and hackers continue to exploit these security holes.
• This paper has examined the security vulnerabilities in clouds from three perspectives, included related real-world exploits, and introduced countermeasures to those security breaches.
• In the future, further efforts in studying cloud security risks and the countermeasures to cloud security breaches must continue.

Thank You! Any Questions?
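
The structural check behind the wrapping-attack countermeasure above, as an added example (not code from the paper or from FastXPath): alongside signature verification, a service confirms that the element the ds:Reference resolves to is the one at the fixed Envelope/Body position it actually processes. The function and sample names are hypothetical, the messages are constructed, and the WS-Security wsu:Id convention is assumed.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ID_ATTR = f"{{{WSU}}}Id"

def wrapping_findings(xml_text):
    """Structural checks run in addition to cryptographic verification.
    An empty list means Envelope/Body is the element the signature covers."""
    root = ET.fromstring(xml_text)  # untrusted input needs a hardened parser
    if root.tag != f"{{{SOAP}}}Envelope":
        return ["root element is not soap:Envelope"]
    bodies = root.findall(f"{{{SOAP}}}Body")  # direct children only
    if len(bodies) != 1:
        return [f"expected one Envelope/Body, found {len(bodies)}"]
    processed = bodies[0]  # fixed position the service acts on
    header = root.find(f"{{{SOAP}}}Header")
    refs = list(header.iter(f"{{{DS}}}Reference")) if header is not None else []
    findings, covered = [], False
    for ref in refs:
        ref_id = ref.get("URI", "").lstrip("#")
        matches = [e for e in root.iter() if e.get(ID_ATTR) == ref_id]
        if len(matches) != 1:  # ambiguous or dangling Id reference
            findings.append(f"Id {ref_id!r} matches {len(matches)} elements")
        elif matches[0] is processed:
            covered = True
    if not covered:
        findings.append("Envelope/Body is not the element the signature covers")
    return findings

# Constructed sample messages (signature value omitted; structure only).
def sample(body_id, header_extra=""):
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:u="{WSU}">'
            f'<s:Header><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="#signed-1"/></ds:SignedInfo></ds:Signature>'
            f'{header_extra}</s:Header>'
            f'<s:Body u:Id="{body_id}"><op>view</op></s:Body></s:Envelope>')

GOOD = sample("signed-1")
# Signed element relocated into the header; a different Body sits in position.
MOVED = sample("other", '<w><s:Body u:Id="signed-1"><op>view</op></s:Body></w>')

if __name__ == "__main__":
    print(wrapping_findings(GOOD))
    print(wrapping_findings(MOVED))
```

The check does not replace signature verification; it rejects messages whose valid signature covers an element other than the one the application reads.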