Cloud Computing Notes Unit 4


Summer -16

a) Explain security concerns in cloud computing? 6


b) Explain how data security and application security is maintained in cloud
computing? 7

OR
a) Explain the importance of Authentication and Authorization in cloud computing? 6
b) Explain various technologies used for data security in cloud computing? 7

Winter -16

a. Write short note on Infrastructure security in cloud computing? 7

b. Explain Identity Access management? 6


OR
a. Explain application security and virtual Machine security? 6
b. Describe in detail about cloud contracting model? 7

Qu. What are the different challenges for security in cloud computing?

1: Data Security

Our recent Insider Threat Report – Cloud/Big Data edition featured survey results indicating
where the largest volumes of sensitive data are stored:

• Databases (49%)
• File servers (39%)
• Cloud service environments (36%)

Cloud trails closely behind databases and file servers as a top location for the storage of
sensitive data. Much of that data is sensitive, regulated or legally controlled information.
Needless to say, a lot has changed in the past few years.

Ensuring that data is secure when deploying a cloud environment can be a daunting task.
Naturally, as the adoption of cloud resources continues to grow, the risk of data breaches
grows with it. The fear of a new data breach is so high, that preventing them tops the list as
the number one spending priority, trumping compliance in our survey for the first time.

But, there are common sense strategies for protecting data. Implementing and designing a
proper cloud security database structure can help mitigate the risk. This includes protecting
data at the file level or application level through transparent and application level encryption.
Additional methods of encryption can involve tokenization and dynamic data masking. In his
latest blog, Vormetric’s CEO Alan Kessler breaks down the “when” and “why” behind these
approaches.

2: Navigating Global Trust Issues

We think it’s fair to say the Edward Snowden/NSA revelations have seriously impacted
global trust levels. An increasing number of enterprises (and their governments) are unwilling
to put their data in the hands of U.S.-based cloud service providers (CSPs). This anxiety has
manifested itself on the policy level; for example, many data-and-privacy-focused countries,
such as Germany and Japan, have tightened up their data residency requirements even
further.

For CSPs to increase their footprint in the enterprise, they must address enterprise
requirements around security, data protection and data management. More specifically, CSPs
need to provide better protection and visibility to their customers.

One company taking a proactive approach to assuaging customer fears is Amazon. In October
of 2014, Amazon AWS announced it would open new data centers in Germany to ensure
compliance with both EU and German privacy laws. In theory, this will allow German AWS
customers to keep their data physically inside Germany and in compliance with German law.

3: Shadow IT

Businesses are evolving quickly and, via shadow IT, internal business units and operating
groups are often bypassing IT and IT security controls altogether in order to get things done.
While this might speed things up, it can open the door for security vulnerabilities that are
expensive to fix. Keeping stock of, and tamping down on, shadow IT endeavors is vital,
especially when it comes to the cloud.

One of the best ways to prevent against leakage of sensitive data due to shadow IT is to a)
encrypt data and b) implement an intelligent key management model. Key management
basically allows for access control, which means limiting access to encrypted data to only
those whose work requires it.

When it comes to key management, there are basically two models to consider for encrypted
data. Either the enterprise owns and manages the key, or allows the CSP to own and manage
the key on its behalf. Each model has its own risks, so the final decision should depend on the
level of risk and cost the enterprise is prepared to take on. As a best practice, as the owner of
the data, we recommend enterprises own and manage their own keys.

Vormetric Cloud Encryption, for example, includes encryption key management within the
solution and is completely transparent to applications and users. This allows for existing
processes and usage to continue with no changes. Thus, enterprises can protect any data file
within cloud environments simply, easily and efficiently.

4: Advanced Attacks & Cyber Conflicts

In 2014, I predicted there would be a major cloud or SaaS provider data breach in 2015.
Threat actors are gaining in sophistication, and attacks are becoming more complex. While
we can’t predict the future, we can take steps to prevent cybersecurity attacks and create a
safer environment.

In our opinion, the best way to do this is to encrypt, encrypt, encrypt. As Alan noted back in
October, very smart people at very smart companies have come to the conclusion that encrypting a
vast majority of their data is one of the best things they can do to reduce risk and assuage
customer fears. While no company or CEO wants to discuss a data breach, having a broad-
based strategy to make data protection a priority plays well from both a security and
marketing perspective.

5: Service Provider Visibility & Translating Enterprise Requirements into the Cloud

Nurturing a safe, compliant environment is an ongoing concern, particularly as businesses
continue to expand their global networks. According to our 2015 Insider Threat Report –
Cloud/Big Data edition, enterprise clients say that adoption levels would be even higher and
involve more key enterprise applications if the service providers did more to allay their fears
on security, data protection, and data management issues. Specifically, the top three concerns
about data safety for cloud services include:

• Lack of control of the location for data (69% globally)
• Privileged user abuse at the cloud provider (67% globally)
• Vulnerabilities from shared infrastructure (66% globally)

Qu. What are the different levels of security in cloud computing?

A multilevel classification of security concerns in cloud computing


Cloud systems have a layered architecture of different services and control levels for
users. Fig. 1 illustrates the classification model of security problems at each layer of the cloud
system. SaaS, PaaS and IaaS layers are considered for associated security risks and problems.

3.1. Security concerns for Software as a Service (SaaS)
SaaS is exposed to attacks on APIs, publishers, web portals and interfaces. The attacks on
the SaaS layer are categorized into two broad groups: attacks on development tools and attacks
on management tools. The most popular services on SaaS are web services, web portals and APIs.
Intruders attempt unauthorized access to, and use of, services by attacking web portals and
APIs. These attacks affect data privacy. Intruders try to extract the sensitive information of
API keys, private keys, and publishers' credentials via different kinds of attacks and
automated tools. Another possible attack on this layer is exposure of the secure shell for
extracting key credentials.

Data protection
In cloud computing, applications are deployed in shared resource environments; therefore,
data privacy is an important aspect. Data privacy has three major challenges: integrity,
authorized access and availability (backup/replication). Data integrity ensures that the data
are not corrupted or tampered with during communication. Authorized access prevents data from
intrusion attacks while backups and replicas allow data access efficiently even in case of a
technical fault or disaster at some cloud location. Data are shared and communicated at the
common network backbone. Hence malicious attackers or intruders can deploy hidden proxy
applications between the cloud provider and consumer to scavenge information of login
credentials and session details [4]. An intruder can also perform packet sniffing or IP-
spoofing as a middle-party and can access and/or alter the restricted or sensitive information.
One possible solution for the data privacy in cloud computing is Cisco Secure Data Center
Framework that provides multi-layer security mechanism [4].

Attacks on interfaces
A successful attack on the cloud interfaces can result in root-level access to a machine
without a direct attack on the cloud infrastructure. Two different kinds of attacks
are launched on the authentication mechanisms of clouds: the control interfaces are vulnerable
to signature wrapping and advanced cross-site scripting (XSS) techniques. The first kind of
attack is referred to as the signature wrapping attack or XML Signature Wrapping attack. A single
signed SOAP message or X.509 certificate can be used to compromise the security of customers'
accounts through operations on virtual machines or resetting of passwords. The second type of
attack exploits a vulnerability to XSS. This attack steals username and password pair
information.

Attacks on SSH (Secure Shell)


Attacks on Secure Shell (SSH), the basic mechanism used to establish trust and connection
with cloud services, are the most alarming threat that compromises control trust. According
to the Ponemon 2014 SSH Security Vulnerability Report [15], 74 percent of organizations have no
control to provision, rotate, track and remove SSH keys. Cybercriminals take full advantage
of these vulnerabilities and use cloud computing to launch different attacks. An organization's
cloud workload can be used to host botnets if SSH access has been compromised. Attackers
have hosted the Zeus botnet and control infrastructure on Amazon EC2 instances [16]. The
different types of attack on SSH include attacks on API keys, attacks on user credentials, and
attacks on publisher credentials.
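
Tracking and removing SSH keys starts with an inventory of which keys each account trusts. The following is an added example, not part of the original notes or the cited report: it parses authorized_keys text per account, fingerprints every key, and flags DSA keys, short RSA keys, keys without an owner comment, and keys trusted by more than one account. The 2048-bit threshold, the issue labels and the sample accounts are assumptions, and the key blobs are constructed for the demonstration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

WEAK_TYPES = {"ssh-dss"}   # DSA keys: disabled by default since OpenSSH 7.0
MIN_RSA_BITS = 2048        # assumed policy threshold, not taken from the notes

def read_string(blob, off):   # one length-prefixed field of the key wire format
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_line(line):
    """Return (options, keytype, blob, comment), or None if no key is found.
    Options can hold quoted spaces, so match a token against the type in its blob."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            ktype, _ = read_string(blob, 0)
        except (ValueError, struct.error):
            continue
        if ktype.decode("ascii", "replace") == fields[i]:
            return " ".join(fields[:i]), fields[i], blob, " ".join(fields[i + 2:])
    return None

def fingerprint(blob):   # same form that `ssh-keygen -l` prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def rsa_bits(blob):
    _, off = read_string(blob, 0)     # key type
    _, off = read_string(blob, off)   # public exponent e
    n, _ = read_string(blob, off)     # modulus n
    return int.from_bytes(n, "big").bit_length()

def audit(accounts):
    """accounts: {user: authorized_keys text} -> sorted (user, fingerprint, issue)."""
    trusted_by, rows = defaultdict(set), []
    for user, text in accounts.items():
        for line in map(str.strip, text.splitlines()):
            if not line or line.startswith("#"):
                continue
            if (parsed := parse_line(line)) is None:
                rows.append((user, "?", "unparseable-entry"))
                continue
            _options, ktype, blob, comment = parsed
            fp = fingerprint(blob)
            trusted_by[fp].add(user)
            if ktype in WEAK_TYPES:
                rows.append((user, fp, "weak-algorithm:" + ktype))
            if ktype == "ssh-rsa" and rsa_bits(blob) < MIN_RSA_BITS:
                rows.append((user, fp, "short-rsa:%d" % rsa_bits(blob)))
            if not comment:   # nobody to ask before rotating or removing it
                rows.append((user, fp, "no-owner-comment"))
    for fp, users in trusted_by.items():
        if len(users) > 1:   # removal must cover every account listed
            rows += [(u, fp, "shared-across:" + ",".join(sorted(users))) for u in users]
    return sorted(rows)

# Constructed sample input: well-formed key blobs, not usable keys.
def mk(*parts):
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()
def mpint(n):
    return n.to_bytes(n.bit_length() // 8 + 1, "big")
def rsa(bits):
    return mk(b"ssh-rsa", mpint(65537), mpint((1 << (bits - 1)) | 1))

ED25519 = mk(b"ssh-ed25519", bytes(range(32)))
DSA = mk(b"ssh-dss", mpint(23), mpint(11), mpint(2), mpint(4))
OPTS = 'from="10.0.0.0/8",command="/usr/bin/backup run"'
SAMPLE = {
    "deploy": f"ssh-rsa {rsa(1024)} deploy@build01\n# note\nssh-ed25519 {ED25519} alice@laptop\n",
    "root": f"{OPTS} ssh-ed25519 {ED25519} alice@laptop\nssh-dss {DSA}\n",
    "app": f"ssh-rsa {rsa(3072)} ci@pipeline\n",
}
```

Calling `audit(SAMPLE)` returns one row per finding; run periodically, a diff of successive results shows keys that were added or never removed.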

Security concerns for Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
IaaS and PaaS layers are overlapped in the model due to their interdependency on each other.
The attacks on these layers are grouped into three types: attacks on cloud services, attacks on
virtualization, and attacks on utility computing. The security concerns for IaaS and PaaS are
discussed below.

Hardware virtualization
VM interconnectivity is the biggest security concern in the design of a cloud
computing platform. VMs are linked using bridge and route virtual network configuration
modes. The bridge mode works as a virtual hub shared among all the VMs, which may allow
a compromised VM to sniff the virtual network. In the route mode, where the route works
as a virtual switch, each VM is connected using a dedicated virtual interface. Any network
intruder in a LAN segment of a network can access virtual environments by address
resolution protocol (ARP) spoofing and MAC spoofing. ARP spoofing alters the ARP tables
and management interfaces and systems. On the other hand, an intruder can mimic another
host through MAC spoofing and also change the address of a host or guest Virtual Machine (VM)
to gain access to restricted resources [13]. The attacks on and exploitation of virtual
environments are very diverse, and they will increase in future since platforms are growing
in number and complexity. Therefore, a mechanism for detecting attacks, along with
prevention, is necessary.
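
As an added example (not from the original notes) of the detection mechanism this paragraph calls for, the code below watches ARP announcements seen on a virtual network and flags an IP address whose MAC binding changes, an IP that flips back and forth between two MACs, a MAC that claims several IPs, and a MAC that appears behind a second virtual port. The observation tuples, the 60-second window and the alert names are assumptions; the sample data is constructed.

```python
from collections import defaultdict

FLIP_WINDOW = 60  # seconds; assumed threshold for two senders competing for one IP

def detect(observations):
    """observations: time-ordered (seconds, port, sender_ip, sender_mac) tuples.
    Returns a list of (seconds, alert, subject)."""
    binding = {}                 # ip -> (current_mac, previous_mac, time_of_last_change)
    mac_port = {}                # mac -> virtual port it was first seen on
    mac_ips = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []
    for t, port, ip, mac in observations:
        cur, prev, changed = binding.get(ip, (None, None, None))
        if cur is None:
            binding[ip] = (mac, None, t)
        elif mac != cur:
            # A changed binding is what an altered ARP table looks like; a quick
            # return to the earlier MAC means two senders are competing for the IP.
            flip = mac == prev and t - changed <= FLIP_WINDOW
            alerts.append((t, "ip-flip-flop" if flip else "ip-rebound", ip))
            binding[ip] = (mac, cur, t)
        if ip not in mac_ips[mac]:
            mac_ips[mac].add(ip)
            if len(mac_ips[mac]) > 1:
                alerts.append((t, "mac-multi-ip", mac))
        if mac_port.setdefault(mac, port) != port:
            # Same MAC behind a second virtual port: a spoofed MAC, or a VM
            # migration that should match the orchestrator's own records.
            alerts.append((t, "mac-moved-port", mac))
    return alerts

# Constructed observations: (seconds, virtual_port, sender_ip, sender_mac)
OBSERVATIONS = [
    (0,  "vnet0", "10.0.0.1",  "52:54:00:aa:00:01"),   # gateway
    (1,  "vnet1", "10.0.0.11", "52:54:00:aa:00:11"),
    (2,  "vnet2", "10.0.0.12", "52:54:00:aa:00:12"),
    (30, "vnet2", "10.0.0.1",  "52:54:00:aa:00:12"),   # vnet2 answers for the gateway IP
    (31, "vnet0", "10.0.0.1",  "52:54:00:aa:00:01"),   # gateway announces itself again
    (40, "vnet3", "10.0.0.13", "52:54:00:aa:00:11"),   # vnet1's MAC shows up on vnet3
]

if __name__ == "__main__":
    for alert in detect(OBSERVATIONS):
        print(*alert)
```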

Software virtualization
A software virtualization attack may examine VM images to launch an attack or steal
information, especially targeting development images that are accidentally released [21]. It
is also possible to provide a VM image containing malware to a cloud computing system, resulting
in theft and corruption of data. For example, cloud consumers are enticed to run tainted VM
images contributed to an image repository by manipulating the registration process for
first-page listing.

Cloud software
Multi-tenancy in cloud computing requires multiplexing the execution of VMs from
different consumers on the same physical server [17]. Software deployed on a guest VM
remains susceptible to attack and compromise. Malicious code in a VM may interfere with the
hypervisor or other VMs. Shortcomings in programming interfaces and processing of
instructions are the main targets to uncover vulnerabilities [18]. This security concern also
includes indirect attacks such as man-in-the-middle during a live VM migration; insertion
of a VM-based rootkit during memory modification; a zero-day exploit in HyperVM; and a
side-channel attack to gain information.

Utility computing
Utility computing is the concept that emerged from grid computing, and it combines
computation, storage and bandwidth to provide services on demand through payment by
the customer. It also provides two basic advantages: cost reduction and scalability. The security
risk associated with utility computing is access by attackers who want to utilize resources
without paying [8]. The majority of hackers and crackers use the computing power or storage for
illegal purposes. Common uses of the public cloud include e-commerce, web-application and
Web site hosting, making these services vulnerable to a variety of attacks on possession,
authenticity, integrity and utility. A compromised client may perform a Fraudulent Resource
Consumption (FRC) attack by using the metered bandwidth of a web-based service, which results
in a financial burden on the cloud consumer [19].

Service Level Agreement (SLA)


SLA is an optimal way of ensuring security and trust. The implementation of an SLA results in
a well-designed contract of responsibilities between parties that can enhance the security level.
In a cloud environment, SLA can be combined with the web service level agreement (WSLA) for
mitigating security risks [8]. SLA defines the different levels of security and their complexity
based on the services, giving the cloud consumer a better understanding of the security
policies. The existing cloud storage systems do not provide security guarantees in their
SLAs, affecting the adoption of cloud services. A cloud storage service may leak private
data, return inconsistent data or modify the data due to bugs, hacking, crashes, or
misconfigurations.

Qu. How is virtual machine security achieved in cloud computing?

Types of protective features


There is no single unified threat management tool for the virtual world; anyone seriously
invested in a VM collection is going to need more than one protection product. There are
roughly four different functional areas that these products cover:

• Compliance and auditing. This includes the ability to produce reports on various
compliance requirements, such as Payment Card Initiative standards, and the ability to
audit access and administrative logs.
• Intrusion detection (IDS) and firewall features. These are the features most people
think of when thinking about VM-themed security.
• Access controls. This includes being able to restrict users from stopping or changing VMs
on any protected host machine. Some products have the ability to tie access control roles
to particular Active Directory users, making policy deployments easier and more
powerful.
• Antivirus/anti-malware protection. Similar to antivirus tools in the physical world,
these provide protection against exploits inside a VM.

Figure 1: Reflex Systems' Virtualization Management Center has a nice topo map that shows
you how your VMs are arranged. As you mouse over each icon, status information appears in
the top right corner of the screen.

Available VM protection options


Over the past year, the pace of mergers and acquisitions has picked up as the major
virtualization and security vendors try to augment their offerings and integrate products.
VMware purchased Blue Lane Technologies and incorporated its software into its vShield
line; Juniper Networks purchased Altor Networks; and Third Brigade is now part of Trend
Micro's Deep Security line. There are a number of other smaller players, too.

Here is a list of typical VM protection products:

• Beyond Trust Power Broker Servers for Virtualization
• Catbird vSecurity
• CA Virtual Privilege Manager
• Centrify Direct Authorize
• Fortinet FortiWeb VM
• HyTrust Appliance
• Juniper/Altor Virtual Firewall
• Precise for the Cloud
• Reflex Systems Virtualization Management Center
• Splunk for Virtualization
• Third Brigade/Trend Micro Deep Security
• The VMware/Blue Lane vShield family

Qu. How does identity and access management work in cloud computing?

b) Explain how data security and application security is maintained in cloud computing? 7

Explain the importance of Authentication and Authorization in cloud computing? 6

Identification, Authentication and Authorization


Whether users know it or not, their concerns about e-commerce security are fundamentally
those of remote access controls. Any time someone needs to transact business, whether online
or face-to-face, the client and the merchant must both provide identification, authentication
and authorization. Users need to be sure that they know exactly who is running the Web
server with which they intend to transact business. Merchants need identification of their
clients to be sure they get paid for their products and services.

In a startling case of breach of identification, authentication and authorization in 1996 and
1997, viewers of pictures on several Web sites were in for a surprise when they got their next
phone bills. Victims who downloaded a "special viewer" were actually installing a Trojan
program that silently disconnected their connection to their normal ISP and reconnected them
(with the modem speaker turned off) to a number in Moldova in central Europe. The phone
call was then forwarded to an ISP in North America which continued the session. The long-
distance charges then ratcheted up until the user disconnected the session -- sometimes hours
later, even when the victims switched to other, perhaps less prurient, sites. In New York City,
a federal judge ordered the scam shut down; however, the site persists on the Web and
includes warnings that law enforcement officials and those intending to bring legal action
against the owners are not to log in (we do NOT recommend that you risk connecting to it).
Later in 1997, the FCC ordered $2.6M in fraudulently obtained charges to be refunded to the
embarrassed victims.

2.1 Identification

Identification, according to a current compilation of information security terms, is "the
process that enables recognition of a user described to an automated data processing system.
This is generally by the use of unique machine-readable names"15. In human terms, client
and merchant engage in mutual identification when they -- for example -- tell each other their
names over the phone. In the Moldovan Trojan case, the violation of identification occurred
when there was no provision at all for ascertaining the identity of the company running the
scam.

2.2 Authentication
Authentication is "A positive identification, with a degree of certainty sufficient for
permitting certain rights or privileges to the person or thing positively identified." In simpler
terms, it is "The act of verifying the claimed identity of an individual, station or
originator"16. In a human contact by phone, the client and merchant might recognize
(authenticate) each other by their familiar voices. The Moldovan Trojan fraudulently violated
the principle of authentication by claiming that its software was a file-viewer when it was
actually an ISP-switcher as well. 

The classic methods for correlating virtual and physical identities in cyberspace are parallel
to methods used for authenticating human beings in the physical world. The four categories
of authenticating information are:

• What you know -- the password or passphrase, for example;
• What you do -- e.g., how one signs one's name or speaks;
• What you are -- e.g., one's face or other biometric attributes such as fingerprints;
• What you have -- e.g., a token such as a key or a certificate such as a driver's license.

All of these categories of authentication are used in cyberspace. The last example is
particularly interesting: certificates play a crucial role in authenticating people (or programs
or machines) in the world of e-commerce. The driver's license, for example, if assumed to be
real, tells a merchant that at some time in the past, a certification authority -- the issuing
department of motor vehicles -- has undertaken some measures to ensure that the information
on the license is (or was) correct. In cyberspace, verifying the legitimacy of a certificate can
be easier than in real space.

Authentication leads to a related concept, that of non-repudiation. A formal definition
of non-repudiation is "Method by which the sender of data is provided with proof of delivery
and the recipient is assured of the sender's identity, so that neither can later deny having
processed the data." Non-repudiation, as we shall see in the section below on encryption,
depends on asserting that authenticity has not been violated when identifying the source of
that transaction or message. 

2.3 Authorization

Authorization is "The granting to a user, program, or process the right of access"17. In the
real world, we experience authorization every time a merchant queries our VISA or
MasterCard service to see if we are authorized to spend a certain amount of money at their
establishment.

The Moldovan Trojan violated authorization by fraudulently appropriating the right to
disconnect a phone call and initiate an expensive long-distance call without notification to or
permission from the victim.

In the mainframe environment, authorization depends on the operating system and the level
of security that system administrators have imposed. Identification and authentication (I&A)
begin when a session is initiated. A session is "An activity for a period of time; the activity is
access to a computer/network resource by a user; a period of time is bounded by session
initiation (a form of logon) and session termination (a form of logoff)"18. However, on the
Web, most interactions are sessionless; for example, there is no identification and
authentication when an anonymous user accesses a public page on a Web site. There is no
logon and no logoff under such circumstances. Web interactions require I&A only when the
user and the Web owner agree to establish a secure session. Typically, secure Web
transactions do require some form of logon and logoff even if these steps are not explicitly
labelled as such.

Session integrity and authenticity can be violated in a number of ways. Piggybacking is the
unauthorized use of an existing session by unauthorized personnel. This problem is difficult
to imagine in the real world, where it would be unlikely that someone could, say, cut into the
middle of a phone conversation to order goods and services using someone else's good name
and credit card. In cyberspace, though, it is quite commonplace for users to initiate a
transaction on a terminal or workstation and then to walk away from their unprotected session
to go do something else. If a dishonest person sits at their place, it is possible to misuse the
absent person's session. A common problem of piggybacking is the misuse of someone else's
e-mail program to send fraudulent messages in the absent person's name. Another example
might have the thief stepping into a session to change an order or to have goods sent to a
different address but be paid for by the session initiator's credit card. Such examples of fraud
can have disastrous consequences for the victims; in general, every news story about this kind
of abuse reduces confidence in the security of e-commerce.

A more technical attack is called session hijacking: "Hijacking allows an attacker to take over
an open terminal or login session from a user who has been authenticated by the system.
Hijacking attacks generally take place on a remote computer, although it is sometimes
possible to hijack a connection from a computer on the route between the remote computer
and your local computer"19. "Hijacking occurs when an intruder uses ill-gotten privileges to
tap into a system's software that accesses or controls the behavior of the local TCP
[Transmission Control Protocol] . . . . A successful hijack enables an attacker to borrow or
steal an open connection (say, a telnet session) to a remote host for his own purposes. In the
likely event that the genuine user has already [been] authenticated to the remote host, any
keystrokes sent by the attacker are received and processed as if typed by the user"20.

In summary, identification, authentication and authorization are normal components of any
business transaction and must be guaranteed by the communications systems and software
mediating the relationship between supplier and customer.

Explain various technologies used for data security in cloud computing?
