
A SEMINAR ON
SECURITY THREATS AND MODELS IN CLOUD COMPUTING

OVERVIEW
• Introduction
• Key attributes of cloud
• Cloud deployment models
• Security issues in cloud computing
• Case study: secure cloud computing platform (Nebula)
• Security features in Nebula
• Conclusion
• Reference

INTRODUCTION OF CLOUD COMPUTING
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models (the NIST definition).

CONVENTIONAL COMPUTING vs. CLOUD COMPUTING
Conventional:
• Dedicated hardware
• Fixed capacity
• Pay for capacity
• Capital & operational expenses
• Self-provisioned
Cloud:
• Shared hardware
• Elastic capacity
• Pay for use
• Operational expenses
• Managed via APIs

INTRODUCTION: KEY CLOUD ATTRIBUTES
1. Shared / pooled resources
2. Broad network access
3. On-demand self-service
4. Metered by use

Shared / Pooled Resources:
• Resources are drawn from a common pool
• Common resources build economies of scale
• Common infrastructure runs at high efficiency

Broad Network Access:
• Open standards and APIs
• Almost always IP, HTTP, and REST
• Available from anywhere with an internet connection

On-Demand Self-Service:
• Completely automated
• Users abstracted from the implementation
• Near real-time delivery (seconds or minutes)
• Services accessed through a self-serve web interface

Metered by Use:
• Services are metered, like a utility
• Users pay only for services used
• Services can be cancelled at any time

THREE SERVICE DELIVERY MODELS
IaaS: Infrastructure as a Service. The consumer can provision computing resources within the provider's infrastructure, upon which they can deploy and run arbitrary software, including OS and applications. (Virtual machines, virtual networks)
PaaS: Platform as a Service. The consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure. (Auto elastic, continuous integration)
SaaS: Software as a Service. The consumer uses the provider's applications running on the provider's cloud infrastructure. (Built for cloud, uses PaaS)

SERVICE DELIVERY MODEL EXAMPLES
Vendors shown: Amazon, Google, Microsoft, Salesforce (mapped against SaaS / PaaS / IaaS in the original figure). Products and companies shown for illustrative purposes only and should not be construed as an endorsement.

SECURITY ISSUES IN CLOUD COMPUTING
• Need for isolation management
• Logging challenges
• Data ownership issues
• Quality of service guarantees
• Attraction to attackers
• Security of virtual OSs in the cloud
• Identity management
• Data theft

CASE STUDY: SECURE CLOUD COMPUTING PLATFORM NEBULA
Nebula is an open-source cloud computing model and service developed to provide NASA with an alternative to the costly construction of additional data centers.
• Open and public APIs, apps, and data everywhere
• Open-source platform
• Full transparency
• Open source code and documentation releases

HOW SECURITY IS MAINTAINED IN NEBULA
User isolation from Nebula infrastructure:
• Users only have access to APIs and dashboards
• No direct user access to Nebula infrastructure
Project-based separation:
• A project is a set of compute resources accessible by one or more users
• Each project has its own: VLAN for project instances; VPN for project users to launch, terminate, and access instances; image library of instances

SECURITY GROUPS IN NEBULA
• Combination of VLANs and subnetting
• Can be extended to use physical network/node separation
[Figure: Internet, public IP space and an external scanner on one side of a bridge; behind it, DMZ services and the cloud APIs, Project A and Project B each on their own RFC1918 /24 subnet (LAN_X), and a management side with the operations console (custom), security scanners (Nessus, Hydra, etc.), log aggregation, an event correlation engine and the SOC tap.]

TARGET COMPUTE PLATFORM
Offer scientists services to address the gap between desktop and server-based compute resources on one end and high-end compute (vast storage, high-speed networking, supercomputers) on the other.

SECURITY FEATURES IN NEBULA
Firewalls:
• Multiple levels of firewalling
• Hardware firewall at the site border
• Firewall on cluster network head-ends
• Host-based firewalls on key hosts
• Project-based rule sets modelled on Amazon security groups
Remote user access:
• Remote access is only through VPN (OpenVPN)
• Separate administrative VPN and user VPNs
• Each project has its own VPN server
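To make the project-based rule sets concrete, here is an added example (not Nebula or OpenStack code) that models a project as a VLAN plus an RFC1918 /24 with a default-deny ingress allow-list, renders the equivalent Linux bridge/iptables configuration, and answers whether a given connection would be permitted. The project names, VLAN ids, subnets, the VPN pool and the trunk interface `eth1` are constructed assumptions.

```python
"""Project-scoped security groups, Nebula-style.

Added example, not Nebula or OpenStack code. One project = one 802.1Q VLAN
and one RFC1918 /24 behind a Linux bridge, with an ingress allow-list and a
default DROP. Names, VLAN ids, subnets and rules below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    port: int       # destination port inside the project
    source: str     # CIDR allowed to reach proto/port


@dataclass
class Project:
    name: str
    vlan: int                                     # 802.1Q tag of the project network
    subnet: str                                   # project's RFC1918 /24
    ingress: list = field(default_factory=list)   # allow-list; everything else is dropped


# Constructed sample: project A exposes HTTPS to the world and SSH only to the
# project VPN pool; project B accepts nothing from outside its own VLAN.
VPN_POOL = "172.16.0.0/24"
PROJECT_A = Project("a", 101, "10.1.1.0/24", [
    Rule("tcp", 443, "0.0.0.0/0"),
    Rule("tcp", 22, VPN_POOL),
])
PROJECT_B = Project("b", 102, "10.1.2.0/24")


def render_network(project: Project, trunk: str = "eth1") -> list:
    """Bridge + tagged sub-interface for the project VLAN (assumes eth1 is the trunk)."""
    return [
        f"ip link add link {trunk} name vlan{project.vlan} type vlan id {project.vlan}",
        f"brctl addbr br{project.vlan}",
        f"brctl addif br{project.vlan} vlan{project.vlan}",
    ]


def render_iptables(project: Project) -> list:
    """iptables chain for one project, hooked on forwarded traffic into its bridge.

    Traffic inside the project's own VLAN never crosses the bridge/router, so
    only inter-project and Internet traffic is subject to this chain.
    """
    chain = f"NEBULA-{project.name.upper()}"
    lines = [
        f"iptables -N {chain}",
        # replies to connections the project's instances opened themselves
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in project.ingress:
        lines.append(f"iptables -A {chain} -p {r.proto} --dport {r.port} -s {r.source} -j ACCEPT")
    lines.append(f"iptables -A {chain} -j DROP")                       # default deny
    lines.append(f"iptables -A FORWARD -o br{project.vlan} -d {project.subnet} -j {chain}")
    return lines


def permitted(project: Project, src: str, dst: str, proto: str, port: int) -> bool:
    """Would a *new* inbound connection src -> dst:port be accepted by the project's chain?"""
    if ip_address(dst) not in ip_network(project.subnet):
        return False    # not this project's address space; its chain is never hit
    for r in project.ingress:
        if r.proto == proto and r.port == port and ip_address(src) in ip_network(r.source):
            return True
    return False        # falls through to the DROP rule


if __name__ == "__main__":
    for p in (PROJECT_A, PROJECT_B):
        print("\n".join(render_network(p) + render_iptables(p)))
    # another tenant's instance is not in the VPN pool, so SSH across projects is refused
    print(permitted(PROJECT_A, "10.1.2.5", "10.1.1.10", "tcp", 22))   # False
```

The point worth noticing is the last check: VLAN separation alone does not decide whether project B can reach project A, the allow-list does, which is why the SSH rule is bound to the VPN pool rather than to `0.0.0.0/0` or to the whole 10.0.0.0/8.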

Intrusion detection:
• Open-source host-based intrusion detection
• Mirror port to the NASA SOC tap
Vulnerability scanning:
• Nebula uses both internal and external vulnerability scanners
• Findings are correlated between internal and external scans
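The value of scanning from both vantage points is in the correlation step: a finding the external scanner confirms is both present and reachable from the Internet, while a finding only one side sees says something about the firewalls in between. The following is an added example (not Nebula's tooling) that buckets findings that way, flags externally reachable ports the security groups were not supposed to expose, and orders the work queue. The record shape, the sample findings and the list of intended public ports are constructed.

```python
"""Correlating internal and external vulnerability scan results.

Added example, not Nebula's tooling. The record shape and the sample findings
are constructed; real Nessus/OpenVAS exports carry more fields, but host,
port and check id are what correlation keys on.
"""
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str       # scanner check / plugin identifier
    severity: str    # key into SEVERITY


# Constructed sample output. The internal scanner runs inside the project VLAN;
# the external one scans the same hosts from the Internet side of the border
# firewall, so it only sees what the firewalls actually let through.
INTERNAL = [
    Finding("10.1.1.10", 22, "ssh-weak-mac", "low"),
    Finding("10.1.1.10", 443, "tls-self-signed", "medium"),
    Finding("10.1.1.10", 5432, "postgres-default-creds", "critical"),
    Finding("10.1.1.11", 80, "apache-outdated", "high"),
]
EXTERNAL = [
    Finding("10.1.1.10", 443, "tls-self-signed", "medium"),
    Finding("10.1.1.10", 5432, "postgres-default-creds", "critical"),
    Finding("10.1.1.11", 8443, "tomcat-manager-exposed", "high"),
]


def correlate(internal, external):
    """Bucket findings by which vantage point(s) observed them."""
    inside = {(f.host, f.port, f.check): f for f in internal}
    outside = {(f.host, f.port, f.check): f for f in external}
    return {
        # seen from both sides: the weakness exists AND is reachable from the Internet
        "confirmed_exposed": [inside[k] for k in sorted(inside.keys() & outside.keys())],
        # internal only: reachable by other tenants or admins, but the border blocks it
        "internal_only": [inside[k] for k in sorted(inside.keys() - outside.keys())],
        # external only: the internal scanner is blind to this service (host firewall,
        # stale target list) or the service is published through NAT/DMZ; investigate
        "external_only": [outside[k] for k in sorted(outside.keys() - inside.keys())],
    }


def firewall_gaps(buckets, public_ports):
    """Externally reachable findings on ports the security groups were not meant to expose."""
    return [f for f in buckets["confirmed_exposed"] + buckets["external_only"]
            if f.port not in public_ports]


def prioritize(buckets):
    """Work queue: exposed first, then by severity, then host/port for a stable order."""
    weight = {"confirmed_exposed": 3, "external_only": 2, "internal_only": 1}
    queue = [(weight[b], SEVERITY[f.severity], f) for b, fs in buckets.items() for f in fs]
    queue.sort(key=lambda t: (-t[0], -t[1], t[2].host, t[2].port))
    return [f for _, _, f in queue]


if __name__ == "__main__":
    buckets = correlate(INTERNAL, EXTERNAL)
    for f in firewall_gaps(buckets, public_ports={443}):
        print(f"firewall gap: {f.host}:{f.port} {f.check} ({f.severity})")
    for f in prioritize(buckets):
        print(f"{f.severity:>8}  {f.host}:{f.port}  {f.check}")
```

In the constructed data the PostgreSQL default-credential finding is the one that matters: the internal scanner alone would rank it critical but "internal", and the external scanner alone would not know whether it is a known, accepted service; together they show a critical service that the border and project rule sets should have blocked.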

Incident response:
Procedures for isolating individual VMs, compute nodes, and clusters, including:
• Taking a snapshot of suspect VMs, including a memory dump
• Quarantining a VM within a compute node
• Disabling VM images so new instances can't be launched
• Isolating a compute node within a cluster
• Isolating a cluster

INNOVATION: SECURITY GATES
• API calls can be intercepted and security gates imposed on the function being called
• When an instance is launched, it can be scanned automatically for vulnerabilities
• The long-term vision is a pass/fail launch gate based on scan/monitoring results
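One way to realise the launch gate described above, as an added example that is not Nebula's code: the launch API function is wrapped so that every call is intercepted and checked against the image's latest scan record and against the "disabled image" set from the incident-response procedures before the real launch runs. The image ids, scan records, the `run_instances` stand-in, the fixed clock and the policy thresholds (any critical or high finding fails; a scan older than seven days fails) are all constructed assumptions.

```python
"""A pass/fail launch gate imposed on the instance-launch API call.

Added example, not Nebula code. Intercepts the launch call and refuses it
when the image is disabled, unscanned, scanned too long ago, or carries
critical/high findings. Image ids, scan records, the run_instances stand-in
and the policy thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from functools import wraps


@dataclass(frozen=True)
class ScanRecord:
    image_id: str
    scanned_at: datetime
    critical: int        # number of critical findings in the latest scan
    high: int            # number of high findings


class LaunchDenied(Exception):
    """Raised by the gate instead of calling the real launch function."""


class ImageRegistry:
    """Latest scan per image, plus the 'disabled' set from the incident-response procedures."""

    def __init__(self, scans, disabled=()):
        self._scans = {s.image_id: s for s in scans}
        self.disabled = set(disabled)

    def latest(self, image_id):
        return self._scans.get(image_id)


def launch_gate(registry, clock, max_scan_age=timedelta(days=7)):
    """Decorator that intercepts a launch call and enforces the gate before it runs."""
    def decorator(launch):
        @wraps(launch)
        def gated(image_id, *args, **kwargs):
            if image_id in registry.disabled:
                raise LaunchDenied(f"{image_id}: image disabled by incident response")
            scan = registry.latest(image_id)
            if scan is None:
                raise LaunchDenied(f"{image_id}: no scan on record")
            if clock() - scan.scanned_at > max_scan_age:
                raise LaunchDenied(f"{image_id}: scan is older than {max_scan_age.days} days")
            if scan.critical or scan.high:
                raise LaunchDenied(f"{image_id}: {scan.critical} critical / {scan.high} high findings")
            return launch(image_id, *args, **kwargs)
        return gated
    return decorator


# Constructed fixtures; a fixed clock keeps the example deterministic.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
REGISTRY = ImageRegistry(
    scans=[
        ScanRecord("img-clean", NOW - timedelta(days=1), critical=0, high=0),
        ScanRecord("img-vuln", NOW - timedelta(days=1), critical=2, high=5),
        ScanRecord("img-stale", NOW - timedelta(days=30), critical=0, high=0),
        ScanRecord("img-quarantined", NOW - timedelta(days=1), critical=0, high=0),
    ],
    disabled={"img-quarantined"},
)


@launch_gate(REGISTRY, clock=lambda: NOW)
def run_instances(image_id, project="a", count=1):
    """Stand-in for the real launch API; only reached when the gate passes."""
    return f"launched {count} x {image_id} in project {project}"


def try_launch(image_id, **kwargs):
    """Return (True, result) on launch or (False, reason) when the gate refuses."""
    try:
        return True, run_instances(image_id, **kwargs)
    except LaunchDenied as denied:
        return False, str(denied)


if __name__ == "__main__":
    for image in ("img-clean", "img-vuln", "img-stale", "img-quarantined", "img-unknown"):
        print(try_launch(image))
```

Two design points: the gate denies by default (an image with no scan record cannot launch, rather than being waved through), and a stale clean scan is treated as no scan, so the "monitoring results" part of the slide's vision has a place to plug in.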

SECURITY ARCHITECTURE OF NEBULA

CLOUD NODE IN NEBULA
Components: Nova, RabbitMQ, Puppet, Redis KVS, LDAP data store, PXE, Ubuntu OS

TOOLS
• PXE: the Preboot Execution Environment boots a computer over its network interface, so cloud nodes can be provisioned from the network; it follows the DHCP model.
• Puppet: configuration management used to build and maintain the nodes.
• RabbitMQ: open-source message broker software (message-oriented middleware) that implements the Advanced Message Queuing Protocol (AMQP) standard.
• Nova: the compute component of OpenStack, an open-source cloud management infrastructure. Nova is a messaging-based architecture; its major components are the Compute Controller, Network Controller, and Volume Controller.

NOVA NODE

OBJECT NODE
Components: Nginx, Puppet, Nova, PXE, Ubuntu OS
Nginx is an open-source web server and reverse proxy server for the HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage.

NETWORK NODE
Components: brctl, 802.1Q VLAN tagging, iptables, Puppet, Nova, PXE, Ubuntu OS; connects the project VLANs to the public Internet
brctl is used to set up and inspect the network bridge configuration in the Linux kernel. A bridge is a device used to connect different networks.

CONCLUSION
• Security threats in the cloud are a hurdle to the adoption of cloud computing.
• Nebula is open source, so it is cost effective.
• Users can store their sensitive data in the cloud.
• Nebula can be used for high security and high availability on the internet.
