Professional Documents
Culture Documents
Security
Presented by
Y Vijay Kumar(197)
Vivek V Reddy(195)
Vivek V Nimje(196)
Vivek Prakash(194)
Vivek Gautam(193)
Basics of the “cloud”
• “Cloud computing” refers to the shared software and information
that users access via the web. Rather than storing information on
their own physical servers or computer hard drives, users rely on
servers that are maintained by the cloud computing software
provider (like Apple’s iCloud offering).
• Cloud computing is an umbrella that covers both the applications
that are delivered as services in a “Software as a Service” (SaaS)
model via the web and the hardware and systems software
(together known as the actual “cloud”) used to run those
applications that companies access and use online.
• There are no servers to maintain, no IT infrastructures to set up, no
upfront licensing fees, and no software programs to install and
maintain on premise.
Not without challenges
• Cloud computing also comes with its own set of
challenges
16
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
Cloud Deployment Models
Public Cloud
• The cloud infrastructure is made available to the general
public or large industry group and is owned by an
organization selling cloud services.
• Public cloud provides an elastic, cost-effective way to
deploy IT solutions.
• Public cloud involves applications such as customer
relationship management (CRM), messaging and office
productivity
• The main risk associated with the public cloud option is
workload segmentation. An organization opting for the
public cloud model is placing their data in the hands of a
third party. Because of that, the organization needs
assurances its workload is separated from that of other
customers.
Private Cloud
• The cloud infrastructure is operated entirely for a single
organization.
• It may be managed by the organization or a third party,
and may exist on-premises or off-premises.
• In private cloud there are no additional security
regulations, legal requirements or bandwidth
limitations that can be present in a public cloud
environment.
• The clients have optimized control of the infrastructure
and improved security.
• The main risk associated with private cloud is exposing
sensitive information to internet or unwanted access.
Community Cloud
• The cloud infrastructure is shared by several
organizations and supports a specific community.
• It may be managed by the organizations or a third
party, and may exist on-premises or off-premises.
• Community cloud offers higher level of privacy,
security and policy compliances.
• Examples of community clouds include Google’s
“Gov Cloud”.
Hybrid Cloud
• The cloud infrastructure is a composition of two
ormore clouds (private, community or public)
that are bound together by standardized or
proprietary technology that enables portability of
data and application.
• Organizations may host critical applications on
private clouds and applications with relatively
less security concerns on the public cloud.
• The main risk associated is with data
communication. A secure channel has to be
ensured between the private and public clouds.
Hybrid cloud
Problems
• Abuse and Unallowed Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss and Leakage
• Account, Service and Traffic Hijacking
• Unknown Risk Profile.
Auditing, monitoring and risk
management
• How can organizations provide assurance to
relevant stakeholders that privacy requirements
are met when their PII is in the cloud?
• Are they regularly audited?
• What happens in the event of an incident?
• If business-critical processes are migrated to a
cloud computing model, internal security
processes need to evolve to allow multiple cloud
providers to participate in those processes, as
needed.
24 From [6] Cloud Security and Privacy by Mather and Kumaraswamy
Common Risks
• The cloud provider takes responsibility for information
handling which is a critical part of the business. Failure to
perform to agreed service levels can impact not only
confidentiality but also availability.
• The dynamic nature of cloud computing may result in
confusion as to where information actually resides. This
may create delays when information retrieval is required.
• Third-party access to sensitive information creates a risk
of compromise to confidential information. This can pose
a significant threat to ensuring the protection of
intellectual property and trade secrets.
Common Risks
• Due to the dynamic nature of the cloud, information may
not be located in the event of a disaster immediately.
Business continuity and disaster recovery plans must be
well documented and tested. Recovery time objectives
should be stated in the contract.
• Transparency - Service providers must provide for the
existence of effective and robust security controls, assuring
customers that their information is properly secured
against unauthorized access, change
• Privacy – Privacy controls should demonstrate their ability
to prevent, detect and react to breaches in a proper
manner. Information and reporting communication lines
need to be organized and agreed before service
provisioning starts. These communication channels should
be tested periodically during operations.
Common Risks
• Compliance - Most organizations must comply with a wide
set of laws, regulations and standards. There are concerns
with cloud computing that data may not be stored in one
place and may not be easily retrievable. Audits completed
by legal, standard and regulatory authorities demonstrate
that there can be plenty of problems. When using cloud
services there is no guarantee that a certain company can
get its information when needed, and even some providers
are reserving the right to withhold information from
authorities.
• Transborder information flow - When information can be
stored anywhere in the cloud, the physical location of the
information can become an issue. Physical location rules
jurisdiction and legal obligation. Country laws governing
personally identifiable information may vary significantly.
Cloud Computing: who should use it?
IaaS · OWASP Top 10 · OWASP Top 10 · Testing apps and API for OWASP
· Data leakage (inadequate ACL) · Data theft (insiders) Top 10 vulnerabilities
· Privilege escalation via management console · Privilege escalation via · Hardening of VM image
misconfiguration management console · Security controls including
· Exploiting VM weakness misconfiguration encryption, multi-factor
· DoS attack via API authentication, fine granular
· Weak protection of privileged keys authorization, logging
· VM Isolation failure · Security automation - Automatic
provisioning of firewall policies,
privileged accounts, DNS,
application identity (see patterns
below)
Ensuring confidentiality
Ensuring proper access
organization’s data-in-
control of resources
transit to and from a
used at public cloud
public cloud provider
service by provider
Ensuring availability of
Replacing the
internet-facing
established model of
resources in a public
network zones and tiers
cloud that are used by
with domains
an organization
Infrastructure Security – The Host Level
1. Authn request
3. Resource request (XACML Request) + SAML assertion IDP
2. SAML Assertion
. access requests
from all client 7. Send signed and encrypted ticket
for cloud
resource
ACM
. domains) on Domain A
(XACML
policies)
User on Amazon
Cloud
1. Name
2. E-mail
3. Password
4. Billing Address 1. Name
5. Shipping Address 2. Billing Address
6. Credit Card 3. Credit Card
1. Name
2. E-mail
3. Password
4. Billing Address
5. Shipping Address
6. Credit Card
1. Name
2. E-mail
3. Shipping Address
1. Name
2. E-mail
3. Shipping Address
Minimize Multi-tenancy
– Increase isolation between tenants
• Strong isolation techniques (VPC to some degree)
• QoS requirements need to be met
• Policy specification
GLIMP provides corporate and end- users with the specific data, security,
alerts and reporting capability for exception management, audit and
analytics information, and operating system integration (ERP, TOS, TMS)
Cloud Computing, Logistics & Supply Chains
Intra-company (fleet management)
• Web Services implement the abstraction of physical devices (temperature,
pressure, position) placed on the container of dangerous goods (and not on
the truck)
• Web services as resources that provide information on the status of the
container
Inter-company
• Interoperable exchange of data among companies and risk management
agency
• Web services for seamless integration of Enterprise Information Systems
• Better coordination among companies
Joint and efficient schedule of routes
Provide updated information to customers
• Better coordination with goods and risk managers
Centralized (inter-company) monitoring systems
Timely detection of emergencies
Easier collection of information about damaged containers and detection of
accidents
Glimp Platform Services is a Cloud enabled Solution that support the Containerization -
Intermodal freight transport using standard intermodal containers as prescribed by the
International Organization for Standardization (ISO), planes, ships, railroad cars, and trucks.
Thank You