
Cloud Security

Cloud computing is not a new term and derives from something known as grid computing.

Cloud characteristics

On-Demand Self-Service
Users have the capability to customize and configure services to meet their needs.
Broad Network Access
Designed to be accessed from anywhere.
Resource Pooling
Resources are assigned from a resource pool based on a multi-tenant setup.
Rapid Elasticity
Can be expanded as needed upon user demand.
Measured Service
Usage monitored and reported.

Types of cloud

Public cloud
Also known as an external cloud, it is hosted by a third party. They have their own resources that manage and secure the cloud, and users can request resources on demand. The downside of being in a public cloud is that your data is controlled by the third party.
Private cloud
A private cloud is built by internal IT or contractors for internal use only. This type of deployment offers an organization full control over its data.
Hybrid cloud
With a hybrid cloud you could potentially enjoy the benefits of both private and public cloud. You could store less sensitive applications and data in the public cloud, while more sensitive data can be stored in the private cloud.
Community cloud
This type of cloud is deployed when individual parties share common goals, security needs and resources.

Cloud services
  • Software as a Service – SaaS
  • Platform as a Service – PaaS
  • Infrastructure as a Service – IaaS
Threats to cloud security
  • Data loss
  • Service and account traffic hijacking
  • Insecure API
  • Denial of Service Attacks
  • Extra billing for unused resources
  • Insider threats
  • Poor security from service provider
  • Multi-tenancy related breaches
Cloud Computing Attacks

Session Riding (Cross-Site Request Forgery)

This attack is geared mostly towards web servers. It works by enticing a victim to submit a request that is malicious in nature. The request is executed by the victim, and the response comes back to them. In a stored CSRF attack, the forged request is stored on the server by finding a site that accepts HTML, IMG or XSS.

Simple CSRF attack steps

  1. Building an exploit URL or script
  2. Tricking the victim into executing it
  3. Executing GET command

The key to making this attack successful is to trick a victim into executing the request while they are actually logged in to the account.

Side Channel Attacks

This type of attack attempts to breach the confidentiality of a victim indirectly by exploiting the fact that they are using shared resources in the cloud.

You will need the following in place:

  1. VM placed in the same physical location as the victim
  2. VM placed on the same physical server as the victim

The attacker executes scripts to attack the victim and determine whether sensitive information can be exploited. Fortunately, this sort of attack is rarely successful.

Signature Wrapping Attacks

A signature wrapping attack works by exploiting technology used in web services. A good example is SOAP. In SOAP, requests can be signed using an XML signature. An XML signature wrapping attack exploits the fact that the signature element does not convey any information as to where the referenced elements are in the document tree. It works as follows: a malicious user takes a valid request, copies the SOAP body and inserts it as part of a header in the request.

The result of this attack is that an attacker could alter a message without invalidating it. This means that the system and application would accept the message as correct even though it has been altered.
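
A structural check that a SOAP receiver can run against the wrapping described above, as an added example that is not part of the original article: it confirms that the element the signature references is the single Body under the Envelope that the application will process. The function names, sample messages and Id values are constructed for illustration, and cryptographic verification of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def element_id(el):
    """Return the element's wsu:Id or plain Id attribute, if any."""
    return el.get("{%s}Id" % WSU) or el.get("Id")

def check_signed_body(xml_text):
    """Structural check only: is the element named by the signature's
    Reference the same Body the application will process? The signature
    itself must still be verified cryptographically elsewhere."""
    # NOTE: use a hardened XML parser for untrusted input in production.
    root = ET.fromstring(xml_text)
    bodies = root.findall("{%s}Body" % SOAP)  # direct children only
    if root.tag != "{%s}Envelope" % SOAP or len(bodies) != 1:
        return False, "expected one Envelope with exactly one Body"
    signed = {r.get("URI", "")[1:] for r in root.iter("{%s}Reference" % DS)
              if r.get("URI", "").startswith("#")}
    if not signed:
        return False, "no same-document signature reference"
    ids = [i for i in map(element_id, root.iter()) if i]
    if len(ids) != len(set(ids)):
        return False, "duplicate Id values"
    if element_id(bodies[0]) not in signed:
        return False, "signature does not cover the processed Body"
    return True, "signature reference resolves to the processed Body"

# Constructed sample messages (not captured traffic); the signature value
# is omitted because only the document structure is being checked.
def sample(header_extra, body_id, amount):
    return ('<s:Envelope xmlns:s="%s" xmlns:ds="%s" xmlns:u="%s"><s:Header>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
            '</ds:SignedInfo></ds:Signature>%s</s:Header>'
            '<s:Body u:Id="%s"><Transfer amount="%s"/></s:Body></s:Envelope>'
            % (SOAP, DS, WSU, header_extra, body_id, amount))

GENUINE = sample("", "body-1", "10")
# Original signed Body copied into the header, altered Body in its place.
WRAPPED = sample('<Wrapper><s:Body u:Id="body-1"><Transfer amount="10"/>'
                 '</s:Body></Wrapper>', "body-2", "9999")

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("wrapped", WRAPPED)):
        print(name, check_signed_body(msg))
```

The duplicate-Id branch covers the variant where the altered Body reuses the signed Id, so a lookup by Id alone cannot silently resolve to the wrong element.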

Some other Cloud attacks
  • Service hijacking using network sniffing
  • Session hijacking using XSS attacks
  • DNS attacks
  • SQL injection attacks
  • Cryptanalysis attacks
  • DoS attacks
Tools for testing cloud security

| Tool | Link |
| --- | --- |
| SOASTA CloudTest | http://www.soasta.com |
| LoadStorm | http://loadstorm.com |
| BlazeMeter | https://www.blazemeter.com |
| Nexpose | http://sectools.org/tool/nexpose |
| Jenkins Dev@Cloud | https://www.cloudbees.com/products/jenkins-cloud |

Response to cloud threats
  • Secure design and architecture
  • Identity and access management
  • Governance
  • Risk Management
  • Compliance
  • Availability

This is just a basic overview of cloud computing security. At TEKYHOST we specialize in securing cloud-based deployments and eliminating the possibility of data loss or hacking.