10 Security Concerns for Cloud Computing

Submitted byCharu Sharma (12609160)

25 July 2012

Overview

25 July 2012

What is Cloud Computing?

Delivery of scalable IT resources over the Internet, as opposed to hosting and operating applications and services locally, such as on a college or university network. By deploying IT infrastructure and services over the network, an organization can purchase these resources on an as-needed basis and avoid the capital costs of software and hardware. With cloud computing, IT capacity can be adjusted quickly and easily to accommodate changes in demand.

25 July 2012

Example of Cloud Computing

Yahoo email/ Gmail. No one needs software or a server to use them. All we need is an internet connection and an account to start sending emails. Relating this scenario to cloud computing, the server and email management software is all on the cloud (internet) and is completely managed by the cloud service provider Yahoo, Google etc. We, as consumers, get to use the software alone and enjoy the benefits.
4

25 July 2012

Cloud Computing Models

25 July 2012

Infrastructure as a Service (IaaS)

Provides a pay-for-what-you-use model type of service to cloud users. Services that can be outsourced include virtual servers used for storage, firewalls, load balancers, networks, Hardware. Clients can pay for the type of service needed or acquire more as required. To run their applications, cloud users install operating system images on their machines as well as application software while the service provider owns the equipment and is responsible for housing, running and maintaining it. Example - Amazon Web Services.

25 July 2012

Platform as a Service (PaaS)

In this model, Cloud providers deliver a computing platform including operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. Examples of PaaS include: GoogleApps.

25 July 2012

Software as a Service (SaaS)

In this model, applications are hosted by cloud provider and is made available to cloud users by distributing them over the Internet. The cloud providers deploy application software in the cloud where cloud users can access them. The cloud users do not manage the cloud infrastructure and platform on which the application is running e.g. servers and hardware. Pricing model- Fee per use. Example - Google Apps.
8

25 July 2012

Cloud Computing Providers

25 July 2012

Benefits of Cloud Computing

Cheaper and less labor-intensive

There is no need to buy and install expensive software because it is already installed online remotely and the organizations can run it from there.

Increased Storage
Since it is online, it offers virtually unlimited storage compared to server and hard drive limits.

Highly Automated

IT personnel does not need to worry about keeping software up to date.

More Mobility

Employees can access information wherever they are, rather than having to remain at their desks.
25 July 2012 10

Difference between SaaS, IaaS, and PaaS

25 July 2012

11

Cloud Computing Attacks

Denial of Service (DoS) attacks An attacker aims to prevent legitimate users from accessing information or services, ie, when an attacker floods a network with excessive requests to the target server until the server is unable to provide services to normal users. Side Channel attacks An attacker places a malicious virtual machine in close proximity to a target cloud server and then launches a side channel attack. Man-in-the-middle cryptographic attacks The attacker may place himself between two users and can intercept and modify communications.
12

25 July 2012

10 Security Concerns of Cloud Computing

25 July 2012

13

1.

Wheres the data?

Since the data is placed in the cloud, the cloud provider must provide adequate level of security to his customers in writing. Example- In case of India, the service provider should have the data centre within India in a secured location.

2.

Who has access?

Cloud user needs to look at who is managing his data and what type controls are applied to these insiders. This can be achieved by introducing a control mechanism like activity monitoring and data leak prevention suites.

3.

What are regulatory requirements?

Cloud user must ensure that his cloud provider is able to meet regulatory requirements (ISO, Safe Harbor) and has undergone certification, accreditation.

4.

Does the customer/organization have the right to audit?

The cloud provider must agree in writing to the terms of audit. This can be done jointly by the organization and audit authority who can run a periodic audit on the companies who want to be cloud providers.
14

25 July 2012

5.

What type of training does the provider offer their employees? The cloud service provider should have a dedicated training unit for his employees. What type of data classification system does the provider use? Here, the cloud users are concerned about whether their data is classified and is separated from other users. What are the service level agreement (SLA) terms? It is a contract between cloud service provider and customer that specifies what level of services will be provided. What is the long-term viability of the provider? This security concern deals with how long the cloud provider has been in business and his track record.

6.

7.

8.

25 July 2012

15

9.

What happens if there is a security breach?

Cloud based services are an attractive target to hackers and if there is a security breach occurs, cloud provider must provide adequate support to his customers. For this, the cloud service provider can run periodic tests to make sure that the system is robust and this can be done by an in-house team or a third party. What is the disaster recovery/business continuity plan (DR/BCP)? Physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, customer/cloud user must ensure how will the cloud provider will respond, and what guarantee of continued services does he promises to provide.

10.

25 July 2012

16

Conclusion

The decision to move to cloud-based services should fit into the organizations overall corporate objectives. Before any services are moved to the cloud, the organizations senior management should ensure such actions are consistent with their strategic plans and meet acceptance criteria that address the ten security concerns of Cloud Computing.

25 July 2012

17

THANK YOU!!!!

25 July 2012

18