
Maharishi Arvind College of Engineering & Research Centre, Jaipur

This document discusses cloud computing deployment models and security issues. It describes private, public, and hybrid cloud models. It then discusses some common security concerns with cloud computing like loss of control over data, lack of trust in cloud providers, and risks from multi-tenancy. The document outlines a threat model approach to analyze security problems and design mitigation strategies. It also provides an overview of different security and privacy issues that can arise across the data lifecycle in cloud computing environments.

Maharishi Arvind College of Engineering & Research Centre, Jaipur


SUBMITTED TO:

Mrs. SHRADDHA CHAUDHARY
(HOD OF C.S.E.)

Ms. RITU SHUKLA
(SEMINAR INCHARGE)
SUBMITTED BY:

NIKHIL BHUTA

B.TECH. FINAL Yr.

8th SEM.
[Slide graphic labels: Storage, Message Queuing]
What if you get all of this?

Lower cost
Access
Sharing Possibility
Speed
More Storage
Control
Easy to Use
Compatibility
Privacy
Locked Out


DEPLOYMENT MODELS
Private Cloud: operated and managed solely by the organization
Public Cloud: available to all; owned by an organization selling cloud services
Hybrid Cloud: composition of two or more clouds
Architectural Layers of Cloud Computing
If cloud computing is so great, why isn't everyone doing it?
The cloud acts as a big black box; nothing inside the cloud is visible to the clients
Clients have no idea of, or control over, what happens inside a cloud
Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks


Companies are still afraid to use clouds
Causes of Problems Associated with Cloud Computing
Most security problems stem from:
Loss of control
Lack of trust (mechanisms)
Multi-tenancy
These problems exist mainly in 3rd-party management models
Self-managed clouds still have security issues, but not related to the above

Threat Model
A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions
Steps:
Identify attackers, assets, threats and other components
Rank the threats
Choose mitigation strategies
Build solutions based on the strategies




Threat Model
Basic components
Attacker modeling
Choose what attacker to consider
insider vs. outsider?
single vs. collaborator?
Attacker motivation and capabilities
Attacker goals
Vulnerabilities / threats

What is the issue?
The core issue here is the levels of trust
Many cloud computing providers trust their customers
Each customer is physically commingling its data with data from anybody else using the cloud, while logically and virtually you have your own space
The way that the cloud provider implements security is typically focused on the fact that those outside of their cloud are evil, and those inside are good.
But what if those inside are also evil?
Attacker Capability: Malicious Insiders
At client
Learn passwords/authentication information
Gain control of the VMs
At cloud provider
Log client communication
Can read unencrypted data
Can possibly peek into VMs, or make copies of VMs
Can monitor network communication, application patterns
Why?
Gain information about client data
Gain information on client behavior
Sell the information or use it themselves



Attacker Capability: Outside attacker
What?
Listen to network traffic (passive)
Insert malicious traffic (active)
Probe cloud structure (active)
Launch DoS
Goal?
Intrusion
Network analysis
Man in the middle
Cartography


Challenges for the attacker
How to find out where the target is located?
How to be co-located with the target in the same (physical) machine?
How to gather information about the target?
Part II: Security and Privacy Issues in Cloud Computing - Big Picture
Infrastructure Security
Data Security and Storage
Identity and Access Management (IAM)
Privacy

And more
Infrastructure Security
Network Level
Host Level
Application Level
Data Security and Storage
Several aspects of data security, including:
Data-in-transit
Confidentiality + integrity using secured protocol
Confidentiality with non-secured protocol and encryption
Data-at-rest
Generally not encrypted, since data is commingled with other users' data
Encryption if it is not associated with applications?
But how about indexing and searching?
Then homomorphic encryption vs. predicate encryption?
Processing of data, including multitenancy
For any application to process the data, it is not encrypted
Data Security and Storage (cont.)
Data lineage
Knowing when and where the data was located within the cloud is important for audit/compliance purposes
e.g., Amazon AWS
Store <d1, t1, ex1.s3.amazonaws.com>
Process <d2, t2, ec2.compute2.amazonaws.com>
Restore <d3, t3, ex2.s3.amazonaws.com>
Data provenance
Computational accuracy (as well as data integrity)
E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00 ?
Correct: assuming US dollar
How about dollars of different countries?
Correct exchange rate?
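
The data lineage records above can be kept as a trail the client can audit. The sketch below is an added example, not part of the original slides: it stores the slide's <data, time, location> events and goes one step further by hash-chaining them so later edits are detectable. The class and function names, the integer timestamps and the single data id "d1" are assumptions made for illustration; the hostnames are the ones on the slide.

```python
import hashlib
import json
from bisect import bisect_right

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash, event):
    """Hash one event together with the previous record's hash."""
    body = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class LineageLog:
    """Append-only trail of <data id, time, location> events (hypothetical helper)."""

    def __init__(self):
        self.records = []  # list of (event dict, chained hash)

    def append(self, op, data_id, ts, location):
        if self.records and ts < self.records[-1][0]["ts"]:
            raise ValueError("lineage events must be appended in time order")
        prev = self.records[-1][1] if self.records else GENESIS
        event = {"op": op, "data": data_id, "ts": ts, "loc": location}
        self.records.append((event, _digest(prev, event)))

    def verify(self):
        """Index of the first altered record, or None if the chain is intact.

        Assumes the client keeps the latest hash where the provider cannot rewrite it.
        """
        prev = GENESIS
        for i, (event, stored) in enumerate(self.records):
            if _digest(prev, event) != stored:
                return i
            prev = stored
        return None

    def location_at(self, data_id, ts):
        """Where was data_id at time ts? None if nothing was recorded yet."""
        events = [e for e, _ in self.records if e["data"] == data_id]
        i = bisect_right([e["ts"] for e in events], ts)
        return events[i - 1]["loc"] if i else None


def sample_log():
    # Constructed trail: timestamps are made up, hostnames come from the slide.
    log = LineageLog()
    log.append("store", "d1", 100, "ex1.s3.amazonaws.com")
    log.append("process", "d1", 200, "ec2.compute2.amazonaws.com")
    log.append("restore", "d1", 300, "ex2.s3.amazonaws.com")
    return log
```

An auditor calls `location_at` to answer the "when and where" question and `verify` to confirm that no recorded location was changed after the fact.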




Data Security and Storage
Data remanence
Inadvertent disclosure of sensitive information is possible
Data security mitigation?
Do not place any sensitive data in a public cloud
Encrypted data is placed into the cloud?
Provider data and its security: storage
To the extent that quantities of data from many companies are centralized, this collection can become an attractive target for criminals
Moreover, the physical security of the data center and the trustworthiness of system administrators take on new importance.
What is Privacy?
The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions.
It is shaped by public expectations and legal interpretations; as such, a concise definition is elusive if not impossible.
Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or Personally Identifiable Information, PII).
At the end of the day, privacy is about the accountability of organizations to data subjects, as well as the transparency of an organization's practice around personal information.
What is the data life cycle?
Personal information should be managed as part of the data used by the organization
Protection of personal information should consider the impact of the cloud on each phase
