On Technical Security Issues in Cloud Computing. Presented by: Sashikanta Taorem, 1RV09SCS16, M.Tech – CSE, 2nd Semester.
Outline: Introduction; Literature Survey; Cloud Computing Security Issues; Conclusion and Future Work.
Introduction What is Cloud Computing? Security concerns in Cloud Computing.
What is Cloud Computing? C – Common Platform; L – Location Independent; O – Online Services; U – Utility; D – On Demand.
Cloud Layers and Access Technology: SaaS – Fortiva's email archiving service; PaaS – Google App Engine; IaaS – Amazon's Elastic Compute Cloud (EC2).
Cloud Computing Security Concern: the customer entrusts its own data and execution tasks to an external company, possibly located in a different country with different regulations. Focus: data confidentiality, data safety, data privacy.
Literature Survey: Web Service Security; Transport Layer Security.
Web Service Security (WSS). For a SOAP (Simple Object Access Protocol) message, it defines how to provide integrity, confidentiality and authentication. WSS defines a SOAP header that carries the WSS security extensions, and it applies XML security standards to SOAP messages, namely XML Signature and XML Encryption.
XML Signature
Transport Layer Security. TLS and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the transport layer, end to end. They are used in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).
Cloud Computing Security Issues: XML Signature; Browser Security; Cloud Integrity and Binding Issues; Flooding Attacks.
XML Signature. Issue: XML Signature Element Wrapping. In 2008 it was discovered that Amazon's EC2 services were vulnerable to wrapping attacks.
[Figures: a SOAP message with signed SOAP body, and the same SOAP message after the wrapping attack]
Browser Security: The Legacy Same Origin Policy (SOP); Attacks on Browser-based Cloud Authentication; Secure Browser-based Authentication; Future Browser Enhancements.
Same Origin Policy. Allows read/write operations only from the same origin, where the origin is defined by the tuple (domain name, protocol, port). Problem: DNS caches can easily be filled with bogus data, and since DNS relies heavily on caching, domain names become unreliable as an origin identifier.
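The wrapping problem above is that a signature proves a Body element was signed, but not that it is the Body the service goes on to execute. The following is an added example, not code from the slides or from the cited papers: a structural check a SOAP endpoint can run after its WS-Security library has verified the cryptographic signature. It resolves the signature's Reference itself, insists the referenced wsu:Id is unique, and insists that the signed element is the very object the application dispatches on. The two messages are constructed, the SignatureValue is a placeholder, and all function names are mine.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def q(ns, local):
    """Clark-notation tag name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def envelope(header_extra, body):
    """Build a constructed SOAP envelope whose ds:Reference points at wsu:Id 'body-1'.
    The SignatureValue is a placeholder; cryptographic checking is not done here."""
    return (
        '<soap:Envelope xmlns:soap="%s" xmlns:ds="%s" xmlns:wsu="%s">'
        "<soap:Header>%s"
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
        "</ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue>"
        "</ds:Signature></soap:Header>%s</soap:Envelope>"
    ) % (SOAP_NS, DS_NS, WSU_NS, header_extra, body)


SIGNED_BODY = '<soap:Body wsu:Id="body-1"><GetUser>alice</GetUser></soap:Body>'

# Constructed: a well-formed message; the signed Body is the one the service acts on.
GOOD_MESSAGE = envelope("", SIGNED_BODY)

# Constructed: the shape of the page's "after attack" figure; the signed Body has been
# moved into a wrapper inside the Header and an unsigned Body took its place.
WRAPPED_MESSAGE = envelope(
    "<Wrapper>" + SIGNED_BODY + "</Wrapper>",
    "<soap:Body><DeleteUser>alice</DeleteUser></soap:Body>",
)


def check_signed_body(xml_text):
    """Return 'ok' when the element the signature references is exactly the
    Body the service will dispatch on; otherwise a short rejection reason."""
    root = ET.fromstring(xml_text)
    if root.tag != q(SOAP_NS, "Envelope"):
        return "not a SOAP envelope"
    signature = root.find("%s/%s" % (q(SOAP_NS, "Header"), q(DS_NS, "Signature")))
    if signature is None:
        return "no signature"
    refs = signature.findall("%s/%s" % (q(DS_NS, "SignedInfo"), q(DS_NS, "Reference")))
    uris = [r.get("URI", "") for r in refs]
    if len(uris) != 1 or not uris[0].startswith("#"):
        return "expected exactly one same-document reference"
    ref_id = uris[0][1:]
    # Resolve the Id ourselves and require uniqueness: a second element carrying the
    # same Id is how a moved copy can satisfy an Id-based lookup.
    matches = [el for el in root.iter() if el.get(q(WSU_NS, "Id")) == ref_id]
    if len(matches) != 1:
        return "referenced Id is missing or not unique"
    # The application acts on the Envelope's direct Body child; the signed element
    # must be that same object, not a same-named element somewhere else in the tree.
    body = root.find(q(SOAP_NS, "Body"))
    if body is None or matches[0] is not body:
        return "signed element is not the processed Body"
    return "ok"


if __name__ == "__main__":
    print("good message:   ", check_signed_body(GOOD_MESSAGE))
    print("wrapped message:", check_signed_body(WRAPPED_MESSAGE))
```

The check is deliberately position-based rather than Id-based: after it returns "ok", the service must dispatch on the same `body` object, never on a fresh Id lookup. It complements, and does not replace, the library's signature verification.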
Attacks on Browser-based Cloud Authentication. Since the browser itself is unable to generate cryptographically valid XML tokens to authenticate against the cloud, this is done with the help of a trusted third party, using Federated Identity Management (FIM) protocols, e.g. Microsoft's Passport.
Attacks on Browser-based Cloud Authentication. Current browser-based authentication protocols for the cloud are not secure, because the browser is unable to issue XML-based security tokens by itself, and Federated Identity Management systems store security tokens within the browser, where they are protected only by the (insecure) SOP.
Secure Browser-based Authentication. This is achieved by integrating TLS and the SOP, and by securing the FIM protocols. Four ways: TLS federation – uses X.509 client certificates; SAML 2.0 holder-of-key assertion profile; Strong Locked Same Origin Policy – uses the server's public key instead of the DNS name; TLS session binding.
Future Browser Enhancements. Add two enhancements to the browser security API: 1. XML Encryption; 2. XML Signature. In addition, the API should be powerful enough to support all standard key agreement methods specified in the WS-Security family of standards.
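To make the two origin policies concrete, here is an added example (not from the slides or the underlying paper) that computes the legacy SOP origin tuple from the Same Origin Policy slide and a simplified Strong Locked SOP origin from the slide above, in which the DNS-derived host name is replaced by a fingerprint of the public key the TLS server actually presented. The key bytes and the `cloud.example` URLs are constructed; the functions are my own, and the locked origin is a simplification of the published SLSOP rather than a faithful implementation.

```python
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def legacy_origin(url):
    """The (protocol, domain name, port) tuple the legacy SOP compares.
    A missing port is filled with the scheme default, so https://h/ and
    https://h:443/ are one origin, and names are lowercased."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin_legacy(url_a, url_b):
    return legacy_origin(url_a) == legacy_origin(url_b)


def key_fingerprint(spki_der):
    """SHA-256 over the server's DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


def locked_origin(url, server_spki_der):
    """Simplified Strong Locked SOP origin (assumption, not the paper's exact rule):
    the host name is replaced by the presented public key, so a poisoned
    resolver cannot make a different server share the genuine origin."""
    scheme, _host, port = legacy_origin(url)
    return (scheme, key_fingerprint(server_spki_der), port)


def same_origin_locked(url_a, key_a, url_b, key_b):
    return locked_origin(url_a, key_a) == locked_origin(url_b, key_b)


# Constructed stand-ins for the public keys of the genuine cloud front end and
# of some other server that a poisoned cache could point the browser at.
GENUINE_KEY = b"constructed SPKI bytes of the genuine cloud.example server"
OTHER_KEY = b"constructed SPKI bytes of some other server"


def poisoned_cache_scenario():
    """Same host name, scheme and port, but a different server key: the legacy
    policy treats the two documents as one origin, the locked policy does not."""
    app = "https://cloud.example/app"
    api = "https://cloud.example/api"
    return {
        "legacy": same_origin_legacy(app, api),
        "locked": same_origin_locked(app, GENUINE_KEY, api, OTHER_KEY),
    }


if __name__ == "__main__":
    print(legacy_origin("https://Cloud.Example/app"))
    print(poisoned_cache_scenario())
```

The point of the comparison is the defender's one from the slides: as long as the origin is keyed by a name, the policy is only as trustworthy as name resolution; keyed by the server's public key, an impostor reached under the same name gets a different origin and cannot read the tokens stored for the genuine one.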
Cloud Integrity and Binding Issues: Cloud Malware Injection Attack; Metadata Spoofing Attack.
Cloud Malware Injection Attack. The attacker injects a malicious service implementation or virtual machine into the cloud system. This requires creating a malicious service implementation module (SaaS/PaaS/IaaS) and adding it to the cloud system. Solution: a service instance integrity check prior to using a service instance for incoming requests. This can be done by storing a hash value of the original service instance's image file and checking the instance against it.
Metadata Spoofing Attack. Aims at maliciously re-engineering a web service's metadata description. Example: modifying a WSDL (Web Service Description Language document) so that a call to a deleteUser operation syntactically looks like a call to another operation, say setAdminRights. Solution: hash-based integrity verification of the metadata description file prior to usage is required.
Flooding Attack: Direct Denial of Service; Indirect Denial of Service; Accounting and Accountability.
Conclusion and Future Work. Improving cloud computing security consists in strengthening the security capabilities of both web browsers and Web Service frameworks, at best integrating the latter into the former.
References
1. M. Jensen, J. Schwenk, N. Gruschka and L. Lo Iacono, "On Technical Security Issues in Cloud Computing," IEEE, 2009.
2. M. Jensen and J. Schwenk, "The accountability problem of flooding attacks in service-oriented architectures," in Proceedings of the IEEE International Conference on Availability, Reliability and Security (ARES), 2009.
3. N. Gruschka and L. Lo Iacono, "Vulnerable Cloud: SOAP Message Security Validation Revisited," in ICWS '09: Proceedings of the IEEE International Conference on Web Services. Los Angeles, USA: IEEE, 2009.
4. Google, "Browser security handbook," 2009. [Online]. Available: http://code.google.com/p/browsersec/
5. M. Jensen, N. Gruschka and N. Luttenberger, "The Impact of Flooding Attacks on Network-based Services," in Proceedings of the IEEE International Conference on Availability, Reliability and Security (ARES), 2008.
6. http://en.wikipedia.org/wiki/WS-Security
7. http://en.wikipedia.org/wiki/Soap
8. http://en.wikipedia.org/wiki/XML_Signature
9. http://en.wikipedia.org/wiki/Transport_layer_security
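Both solutions above, the hash of the service image and the hash of the WSDL, are the same mechanism: a reference digest recorded at deployment time and checked before the artifact is used. The block below is an added example serving both slides; it is not code from the presentation or from any cloud provider. The WSDL text, the fake image bytes and the manifest layout are constructed, and the function names are mine.

```python
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024


def sha256_hex(stream):
    """Digest a file-like object in chunks so that large VM images need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def register(manifest, name, data):
    """Record the reference digest of a trusted artifact. This happens once, when the
    service instance or WSDL is deployed, and the manifest must be kept where the
    deployed instance itself cannot rewrite it."""
    manifest[name] = sha256_hex(io.BytesIO(data))


def verify(manifest, name, data):
    """True only if `data` matches the registered digest for `name`. Fails closed:
    unknown artifacts and any mismatch are rejected, and the comparison is
    constant-time so the expected digest leaks nothing through timing."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(io.BytesIO(data)))


# Constructed sample artifacts (not real deployment files).
WSDL_ORIGINAL = (
    b'<definitions name="UserService">'
    b'<operation name="deleteUser"/>'
    b'<operation name="setAdminRights"/>'
    b"</definitions>"
)
# Constructed: the kind of edit the slide describes, with one operation's name rewritten.
WSDL_TAMPERED = WSDL_ORIGINAL.replace(b'name="deleteUser"', b'name="setAdminRights"', 1)
VM_IMAGE_ORIGINAL = b"\x7fELF" + b"constructed service image bytes" * 1000
VM_IMAGE_MODIFIED = VM_IMAGE_ORIGINAL + b"\x90"  # a single appended byte


def build_manifest():
    manifest = {}
    register(manifest, "UserService.wsdl", WSDL_ORIGINAL)
    register(manifest, "user-service.img", VM_IMAGE_ORIGINAL)
    return manifest


def run_checks():
    """Gate each artifact before use, as the two slides prescribe."""
    manifest = build_manifest()
    return {
        "wsdl original": verify(manifest, "UserService.wsdl", WSDL_ORIGINAL),
        "wsdl tampered": verify(manifest, "UserService.wsdl", WSDL_TAMPERED),
        "image original": verify(manifest, "user-service.img", VM_IMAGE_ORIGINAL),
        "image modified": verify(manifest, "user-service.img", VM_IMAGE_MODIFIED),
        "unregistered": verify(manifest, "rogue-service.img", VM_IMAGE_ORIGINAL),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print("%-15s %s" % (name, "ACCEPT" if accepted else "REJECT"))
```

Two details matter in practice: the manifest is only as trustworthy as its storage, so it belongs with the deployment pipeline rather than on the instance being checked, and the check has to run on every use of the WSDL (not only at download time), otherwise a description swapped after the first check is never noticed.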
Thank You