Download Security Issues in Cloud Computing PowerPoint Presentation

Iframe embed code :

<iframe src='https://www.slidesfinder.com/embedpresentation/NTcz' width='630' height='570' frameborder='0' marginwidth='0' marginheight='0' scrolling='no' allowfullscreen></iframe>

Presentation url :

Home / Computers & Web / Computers & Web Presentations / Security Issues in Cloud Computing PowerPoint Presentation

Security Issues in Cloud Computing PowerPoint Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Security Issues in Cloud Computing powerpoint presentation easily and in no time. This helps you give your presentation on Security Issues in Cloud Computing in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Security Issues in Cloud Computing powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by onlinesearch in Computers & Web ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

onlinesearch

Description : View and free download Security Issues in Cloud Computing powerpoint presentation which is uploaded by search an active user in belonging ppt presentation Computers & Web category.

Tags : Security Issues in Cloud Computing

Published on : Feb 10, 2014
Views : 2488 | Downloads : 2

Download Now

Share on Social Media

Security Issues in Cloud Computing Presentation Transcript

Slide 1 -

Security Issues in Cloud Computing Anya Kim Naval Research Lab anya.kim@nrl.navy.mil

Slide 2 -

Talk Objectives Present cloud issues/characteristics that create interesting security problems Identify a few security issues within this framework Propose some approaches to addressing these issues Preliminary ideas to think about

Slide 3 -

Cloud Computing Background Features Use of internet-based services to support business process Rent IT-services on a utility-like basis Attributes Rapid deployment Low startup costs/ capital investments Costs based on usage or subscription Multi-tenant sharing of services/ resources Essential characteristics On demand self-service Ubiquitous network access Location independent resource pooling Rapid elasticity Measured service “Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalability, elasticity, business agility, faster startup time, reduced management costs, and just-in-time availability of resources” Source: NIST

Slide 4 -

Cloud Models Delivery Models SaaS PaaS IaaS Deployment Models Private cloud Community cloud Public cloud Hybrid cloud We propose one more Model: Management Models (trust and tenancy issues) Self-managed 3rd party managed (e.g. public clouds and VPC) Source: NIST

Slide 5 -

Cloud Computing: A Massive Concentration of Resources Also a massive concentration of risk expected loss from a single breach can be significantly larger concentration of “users” represents a concentration of threats “Ultimately, you can outsource responsibility but you can’t outsource accountability.” From John McDermott, ACSAC 09

Slide 6 -

Cloud Computing: who should use it? Cloud computing definitely makes sense if your own security is weak, missing features, or below average. Ultimately, if the cloud provider’s security people are “better” than yours (and leveraged at least as efficiently), the web-services interfaces don’t introduce too many new vulnerabilities, and the cloud provider aims at least as high as you do, at security goals, then cloud computing has better security. From John McDermott, ACSAC 09

Slide 7 -

Problems Associated with Cloud Computing Most security problems stem from: Loss of control Lack of trust (mechanisms) Multi-tenancy These problems exist mainly in 3rd party management models Self-managed clouds still have security issues, but not related to above

Slide 8 -

Loss of Control in the Cloud Consumer’s loss of control Data, applications, resources are located with provider User identity management is handled by the cloud User access control rules, security policies and enforcement are managed by the cloud provider Consumer relies on provider to ensure Data security and privacy Resource availability Monitoring and repairing of services/resources

Slide 9 -

Lack of Trust in the Cloud A brief deviation from the talk (But still related) Trusting a third party requires taking risks Defining trust and risk Opposite sides of the same coin (J. Camp) People only trust when it pays (Economist’s view) Need for trust arises only in risky situations Defunct third party management schemes Hard to balance trust and risk e.g. Key Escrow (Clipper chip) Is the cloud headed toward the same path?

Slide 10 -

Multi-tenancy Issues in the Cloud Conflict between tenants’ opposing goals Tenants share a pool of resources and have opposing goals How does multi-tenancy deal with conflict of interest? Can tenants get along together and ‘play nicely’ ? If they can’t, can we isolate them? How to provide separation between tenants?

Slide 11 -

Security Issues in the Cloud In theory, minimizing any of the issues would help: Loss of Control Take back control Data and apps may still need to be on the cloud But can they be managed in some way by the consumer? Lack of trust Increase trust (mechanisms) Technology Policy, regulation Contracts (incentives): topic of a future talk Multi-tenancy Private cloud Takes away the reasons to use a cloud in the first place VPC: its still not a separate system Strong separation

Slide 12 -

Minimize Lack of Trust: Policy Language Consumers have specific security needs but don’t have a say-so in how they are handled What the heck is the provider doing for me? Currently consumers cannot dictate their requirements to the provider (SLAs are one-sided) Standard language to convey one’s policies and expectations Agreed upon and upheld by both parties Standard language for representing SLAs Can be used in a intra-cloud environment to realize overarching security posture Create policy language with the following characteristics: Machine-understandable (or at least processable), Easy to combine/merge and compare Examples of policy statements are, “requires isolation between VMs”, “requires geographical isolation between VMs”, “requires physical separation between other communities/tenants that are in the same industry,” etc. Need a validation tool to check that the policy created in the standard language correctly reflects the policy creator’s intentions (i.e. that the policy language is semantically equivalent to the user’s intentions).

Slide 13 -

Minimize Lack of Trust: Certification Certification Some form of reputable, independent, comparable assessment and description of security features and assurance Sarbanes-Oxley, DIACAP, DISTCAP, etc (are they sufficient for a cloud environment?) Risk assessment Performed by certified third parties Provides consumers with additional assurance

Slide 14 -

Minimize Loss of Control in the Cloud Monitoring Utilizing different clouds Access control management

Slide 15 -

Minimize Loss of Control: Monitoring Cloud consumer needs situational awareness for critical applications When underlying components fail, what is the effect of the failure to the mission logic What recovery measures can be taken (by provider and consumer) Requires an application-specific run-time monitoring and management tool for the consumer The cloud consumer and cloud provider have different views of the system Enable both the provider and tenants to monitor the the components in the cloud that are under their control Provide mechanisms that enable the provider to act on attacks he can handle. infrastructure remapping (create new or move existing fault domains) shutting down offending components or targets (and assisting tenants with porting if necessary Repairs Provide mechanisms that enable the consumer to act on attacks that he can handle (application-level monitoring). RAdAC (Risk-adaptable Access Control) VM porting with remote attestation of target physical host Provide ability to move the user’s application to another cloud

Slide 16 -

Minimize Loss of Control: Utilize Different Clouds The concept of ‘Don’t put all your eggs in one basket’ Consumer may use services from different clouds through an intra-cloud or multi-cloud architecture Propose a multi-cloud or intra-cloud architecture in which consumers Spread the risk Increase redundancy (per-task or per-application) Increase chance of mission completion for critical applications Possible issues to consider: Policy incompatibility (combined, what is the overarching policy?) Data dependency between clouds Differing data semantics across clouds Knowing when to utilize the redundancy feature (monitoring technology) Is it worth it to spread your sensitive data across multiple clouds? Redundancy could increase risk of exposure

Slide 17 -

Minimize Loss of Control: Access Control Many possible layers of access control E.g. access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM Depending on the deployment model used, some of these will be controlled by the provider and others by the consumer Regardless of deployment model, provider needs to manage the user authentication and access control procedures (to the cloud) Federated Identity Management: access control management burden still lies with the provider Requires user to place a large amount of trust on the provider in terms of security, management, and maintenance of access control policies. This can be burdensome when numerous users from different organizations with different access control policies, are involved Consumer-managed access control Consumer retains decision-making process to retain some control, requiring less trust of the provider (i.e. PDP is in consumer’s domain) Requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer. It also needs to be able to guarantee that the provider will uphold the consumer-side’s access decisions. Should be at least as secure as the traditional access control model. Facebook and Google Apps do this to some degree, but not enough control Applicability to privacy of patient health records

Slide 18 -

PEP (intercepts all resource access requests from all client domains) PDP for cloud resource on Domain A Cloud Consumer in Domain B ACM (XACML policies) . . . resources Cloud Provider in Domain A IDP 1. Authn request 2. SAML Assertion 3. Resource request (XACML Request) + SAML assertion 4. Redirect to domain of resource owner 7. Send signed and encrypted ticket 5. Retrieve policy for specified resource 6. Determine whether user can access specified resource 7. Create ticket for grant/deny 8. Decrypt and verify signature 9. Retrieve capability from ticket 10. Grant or deny access based on capability Minimize Loss of Control: Access Control

Slide 19 -

Minimize Multi-tenancy in the Cloud Can’t really force the provider to accept less tenants Can try to increase isolation between tenants Strong isolation techniques (VPC to some degree) C.f. VM Side channel attacks (T. Ristenpart et al.) QoS requirements need to be met Policy specification Can try to increase trust in the tenants Who’s the insider, where’s the security boundary? Who can I trust? Use SLAs to enforce trusted behavior

Slide 20 -

Last Thoughts: Local Host Security Are local host machines part of the cloud infrastructure? Outside the security perimeter While cloud consumers worry about the security on the cloud provider’s site, they may easily forget to harden their own machines The lack of security of local devices can Provide a way for malicious services on the cloud to attack local networks through these terminal devices Compromise the cloud and its resources for other users With mobile devices, the threat may be even stronger Users misplace or have the device stolen from them Security mechanisms on handheld gadgets are often times insufficient compared to say, a desktop computer Provides a potential attacker an easy avenue into a cloud system. If a user relies mainly on a mobile device to access cloud data, the threat to availability is also increased as mobile devices malfunction or are lost Devices that access the cloud should have Strong authentication mechanisms Tamper-resistant mechanisms Strong isolation between applications Methods to trust the OS Cryptographic functionality when traffic confidentiality is required

Slide 21 -

Conclusion Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model However, resources are ubiquitous, scalable, highly virtualized Contains all the traditional threats, as well as new ones In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of Loss of control Lack of trust Multi-tenancy problems

Slide 22 -

References NIST (Authors: P. Mell and T. Grance), "The NIST Definition of Cloud Computing (ver. 15)," National Institute of Standards and Technology, Information Technology Laboratory (October 7 2009). J. McDermott, (2009) "Security Requirements for Virtualization in Cloud Computing," presented at the ACSAC Cloud Security Workshop, Honolulu, Hawaii, USA, 2009. J. Camp. (2001), “Trust and Risk in Internet Commerce,” MIT Press T. Ristenpart et al. (2009) “Hey You Get Off My Cloud,” Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA

Slide 23 -

References for Cloud Security M. Armbrust, et al., "Above the Clouds: A Berkeley View of Cloud Computing," UC Berkeley Reliable Adaptive Distributed Systems LaboratoryFebruary 10 2009. Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing, ver. 2.1," 2009. M. Jensen, et al., "On Technical Security Issues in Cloud Computing," presented at the 2009 IEEE International Conference on Cloud Computing, Bangalore, India 2009. P. Mell and T. Grance, "Effectively and Securely Using the Cloud Computing Paradigm," ed: National Institute of Standards and Technology, Information Technology Laboratory, 2009. N. Santos, et al., "Towards Trusted Cloud Computing," in Usenix 09 Hot Cloud Workshop, San Diego, CA, 2009. R. G. Lennon, et al., "Best practices in cloud computing: designing for the cloud," presented at the Proceeding of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applications, Orlando, Florida, USA, 2009. P. Mell and T. Grance, "The NIST Definition of Cloud Computing (ver. 15)," National Institute of Standards and Technology, Information Technology LaboratoryOctober 7 2009. C. Cachin, et al., "Trusting the cloud," SIGACT News, vol. 40, pp. 81-86, 2009. J. Heiser and M. Nicolett, "Assessing the Security Risks of Cloud Computing," Gartner 2008. A. Joch. (2009, June 18) Cloud Computing: Is It Secure Enough? Federal Computer Week.

Slide 24 -

Questions?

Frequently Asked Questions

> About SlidesFinder?

Slidesfinder is a website that allows users to upload and share their PowerPoint presentations online. It provides a platform for individuals and businesses to share their ideas and knowledge through presentations, and for others to view and download these presentations for educational or professional purposes.
Slidesfinder offers a wide range of presentation topics and categories, including business, education, science, technology, health, and more. Users can also search for presentations using keywords, tags, or by category. The website provides tools to create professional presentations with rich media, animations, and graphics.

One of the key features of Slidesfinder is its user-friendly interface, which allows users to easily upload, view, and share presentations. Users can also embed their presentations in their websites or blogs using the website's embed code feature.
Slidesfinder also offers premium services, such as the ability to create private presentations and to download presentations in high-quality formats. However, the basic features of Slidesfinder are free to use, making it accessible to anyone who wants to share their ideas and knowledge through presentations.

> How do I register with SlidesFinder?

Go to registration page (you can see signup link on top of website page) https://www.slidesfinder.com/signup . If you have facebook/gmail account them just click on SIGN IN WITH FACEBOOK OR SIGN IN WITH GOOGLE button, by this you will be a registered member of slidesfinder without filling any form, required detail automatically will be fatch from your account. If you do not a Facebook account, then click on "Signup". Fill all required fields and you will be a registered member of slidesfinder.

> Is slidesfinder account confirmation is mandatory?

Yes it is mandetory to active your account to login.

> Do I need to signup/login on SlidesFinder before uploading a PowerPoint presentation?

Yes, you need to login with your account before uploading presentation. Your username will be displayed on your uploaded presentation. Your registered email id is needed for sending your stats of uploaded presentation.

Slidesfinder is a sharing website for PowerPoint presentations search and share. Find your interest in the form of powerpoint presentations on slidesfinder and save your valuable time . On Slidesfinder you get presentations from our huge library of professional ppt presentations. We believe in making your search INFORMATIVE and FUN. Find your best ppt presentation from a pool of PowerPoint presentations stacked under important industry categories like business & management, heath & Wellness,eduction & training etc. We provide unique informative PowerPoint presentation for marketers, presenters and educationists. These professional PowerPoint presentations are uploaded by professionals from across numerous industry segments.These ppt presentations are available for FREE download.

Not just finding your interest, but facilitate you broadcast your interest. We have created this platform for easy sharing of PowerPoint presentations, ensuring that these presentations get maximum exposure. Create your slidesfinder account and upload PowerPoint presentations for free, share on social media platforms and BUILD YOUR CROWD WITH PRESENTATION !!

The Great Buddha says, "Share your knowledge.It’s a way to achieve immortality"! So, start sharing knowledge and we are here to make that immortal !!

Re-productivity of content are not allowed. Without prior written permission from author, commercial use of any content is illegal.