###-### title - PI - area Overview of Security Madhuri Revalla, Ajay K. Gupta, College of Engineering and Applied Sciences Western Michigan University, Kalamazoo, MI - 49008 WESTERN MICHIGAN UNIVERSITY

1. Overview 4. Threats in 6. Data privacy Cloud computing is the most significant shift in Information Technology. Cloud Specific Threats The two issues lead to many privacy and security concerns:

1. User does not have control over the Characteristics data

2. Dependence on the cloud provider

Abuse & Account / Unknown Insecure Malicious Data Loss/ Service Models Nefarious Service Risk APIs Threats Insiders Leakage Solution: Data , but should Hijacking Profile Use consider the facts Deployment Ø How to encrypt the data Models Ø Who is responsible for encryption

Visual Model of Cloud Computing [NIST] u Choose a strong encryption mechanism to secure data in cloud computing. Service Isolation VM Sprawl Interruption Compromise Injection Failure u To ensure privacy, data should be 2. Motivation encrypted by the user. • Cloud provider - provides resources/services that can be accessed from anywhere in the world by the user. Next Question: How to authenticate the Side-Channel Inter VM DoS DDoS Eavesdropping VM Escape user? • Cloud user - can be either a single person or any Attacks Attacks organization. ü Use Public Key Infrastructure (PKI) PKI provides Authentication, • Cloud computing has many benefits, but security is a Integrity, Confidentiality. big concern. Spoofing • Cloud provider should provide privacy and security to Attacks the user’s data and applications. 7. Authentication PKI is the strong authentication system, 3. Threat Model but does not replace the need for authentication. Examine Assets, 5. Shared Technology Vulnerabilities

Vulnerabilities, and Attackers Cloud computing provides scalable services with shared Use two-factor authentication – In Identify Threats infrastructure, computational power, storage, and cost- combination with the other factors such effectiveness over the on user’s demand basis. as Smart cards or Biometrics, PKI can S – Spoofing Identity create solution for authentication Analyze the threats using T – Tampering With Data • Virtualization plays a major role in cloud computing STRIDE threat model R – Repudiation - Normal virtualization security techniques are not enough 8. Conclusions I – Information Disclosure to handle virtualization security in cloud computing Traditional security techniques are not - Applying virtualization to cloud computing may cause D – Denial of Service capable enough to handle cloud Assess the risks associated additional security risks such as isolation failure, service E – Elevation of Privilege specific threats. with the threats and rank them interruption

To secure cloud, cloud specific security • Multiple users share the cloud infrastructure mechanisms need to be investigated - This co-tenancy also introduce vulnerabilities such as and developed. Select mitigation techniques performing side-channel attacks to get another user’s confidential and build solutions information via information leakage

Wireless Sensornets (WiSe) Lab, Western Michigan University, Kalamazoo, MI 49008-5466 www.cs.wmich.edu/wise