Week 5 exercise PDF

Title Week 5 exercise
Author harshit Rawat
Course Computer Science
Institution Wilmington University
Pages 8
File Size 108.2 KB
File Type PDF

Description

1. Explain the differences between public, private, and community clouds. What are some of the factors to consider when choosing which of the three to use?



Public cloud

A public cloud refers to a cloud infrastructure that is owned by an organization that sells cloud services to the public. The cloud is thus available to the general public.



Private cloud

A private cloud refers to cloud infrastructure that is owned and operated by an organization. The cloud services are exclusively for the organization and thus aren’t leased out. However, the management of the cloud can be leased to a third-party company.



Community cloud

A community cloud refers to cloud infrastructure that is shared by different organizations with a similar goal in mind. The organizations decide on the security requirements, policies and other issues that running the cloud might involve.

When choosing a public, private or community cloud, it’s imperative that one considers:

• The security and governance requirements for a specific system/data store.
• The authorization of access needed for the data stored.
• How vulnerable the system is to attacks.
• Compatibility with other applications.
• The scalability.

SECURITY IN COMPUTING: CLOUD COMPUTING

2. How do cloud threats differ from traditional threats? Against what threats are cloud services typically more effective than local ones?

Cloud is real-time virtual storage that has data stored on a different server. Cloud threats differ from traditional threats in the sense that cloud services are vulnerable to the threats posed by the infrastructure they use, whether it is a shared infrastructure or a private one. Cloud services are better than traditional IT infrastructure as they defend against single points of failure and DoS attacks.

3. You are opening an online store in a cloud environment. What are three security controls you might use to protect customers’ credit card information? Assume that the information will need to be stored.

To protect credit card credentials, one could issue a relatively unique, password-derived encryption key that encrypts both the credentials and the data stored. Thus, the data and credentials will be inaccessible without the encryption key derived from the username password.

4. Define TNO. Name three types of data for which one should want TNO encryption.

TNO refers to the trust no one philosophy. Data that would need a TNO encryption module include:

1. Passwords
2. Encryption keys
3. Login details

5. How do cloud services make DLP more difficult? How can customers wishing to enforce DLP mitigate this issue?

Cloud services make DLP measures difficult, as typical DLP measures require that various appliances are placed in areas where they can monitor and block traffic at network boundaries. However, cloud services bypass these appliances and allow access to data directly. This means that access to the network data isn’t monitored, and thus the appliances can’t take steps to prevent loss of data.

To mitigate this issue:

• Companies can force users to go through the company network and thus be able to monitor the access to the data.
• Installation of the DLP measures at the network boundaries in the cloud environment will also help.

6. You run a website in an IaaS environment. You wake up to discover that your website has been defaced. Assume you are running a web server and an FTP server in this environment and that both an application proxy and a firewall sit between those servers and the Internet. All of your VMs are running SSH servers. What logs might help you determine how the website was defaced? What kind of information would you look for?

When a website is hacked or defaced, one can check the following to try and identify the culprits behind the hacking/defacing:

• FTP logs that are easy to check (/var/log/messages).
• cPanel access logs (the access log in /usr/local/cpanel/logs/).
• The domain's Apache domlogs.

To try and identify who defaced your website, one can look at the IP addresses available in the website logs to show who made the changes.
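The log review described in this answer can be illustrated with the following added example, which is not part of the original exercise. It groups content-changing events by source IP across an FTP log and a web access log, and brackets the time at which a page's served size changed. The log lines are constructed, and the pure-ftpd-style FTP entries, Apache combined-format access lines and the web root path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, not taken from a real system. The FTP lines assume
# pure-ftpd-style syslog entries; the web lines assume Apache combined format.
FTP_LOG = """\
Mar  3 02:14:07 web1 pure-ftpd: (?@198.51.100.23) [INFO] shopadmin is now logged in
Mar  3 02:14:31 web1 pure-ftpd: (shopadmin@198.51.100.23) [NOTICE] /home/shop/public_html/index.html uploaded (2210 bytes, 41.3KB/sec)
Mar  3 09:02:10 web1 pure-ftpd: (shopadmin@192.0.2.10) [NOTICE] /home/shop/reports/q1.csv uploaded (88120 bytes, 912.0KB/sec)
"""
ACCESS_LOG = """\
192.0.2.10 - - [03/Mar/2024:01:58:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Mar/2024:02:11:45 +0000] "POST /admin/upload.php HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.77 - - [03/Mar/2024:02:20:03 +0000] "GET /index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

FTP_UPLOAD = re.compile(r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) uploaded")
HTTP_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

def write_events(ftp_log, access_log, web_root):
    """Group events that could have changed site content by source IP."""
    events = defaultdict(list)
    for line in ftp_log.splitlines():
        m = FTP_UPLOAD.search(line)
        if m and m["path"].startswith(web_root):  # ignore uploads outside the site
            events[m["ip"]].append(("ftp-upload", m["user"], m["path"]))
    for line in access_log.splitlines():
        m = HTTP_REQ.match(line)
        if m and m["method"] in WRITE_METHODS and m["status"].startswith("2"):
            events[m["ip"]].append(("http-" + m["method"].lower(), m["ts"], m["path"]))
    return dict(events)

def content_change_window(access_log, page):
    """Return (last time old size was served, first time new size was served)."""
    prev = None
    for line in access_log.splitlines():
        m = HTTP_REQ.match(line)
        if not m or m["method"] != "GET" or m["path"] != page or m["status"] != "200":
            continue
        if prev and prev[1] != m["size"]:
            return prev[0], m["ts"]
        prev = (m["ts"], m["size"])
    return None

if __name__ == "__main__":
    print(content_change_window(ACCESS_LOG, "/index.html"))
    print(write_events(FTP_LOG, ACCESS_LOG, "/home/shop/public_html/"))
```

An IP that appears in both logs inside the change window is the first lead to follow into the firewall, proxy and SSH logs.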

7. Sidebar 8-2 shows that personal biographical information—addresses, phone numbers, email addresses, credit card numbers, etc.—can not only be used by attackers to hijack accounts but can also be collected from one hijacked account to help an attacker gain access to the next. How can you protect yourself against this kind of attack? What can cloud providers change to mitigate such attacks?

• The use of TNOs is one way that one can protect themselves from an attack that emanates from a single point.
• Use of different login details for different sectors is also advised.

To mitigate such attacks:

• Backing up data in an unlinked account is one way.
• Ensuring that important appliances are kept offline.

8. Describe an FIdM authentication system for which you have been a Subject. What organization acted as the IdP? What service acted as the SP?

With FIdM, one system maintains the user’s identity while the other queries that system to check whether the credential details are correct. An example is the storage of an organization’s files in cloud storage. The data might be that of employee records that are only accessible to a few. When the HR manager, for instance, tries to access this information, they’ll use the same credentials that they use in the company logins. The cloud server then sends a query to the identity management system, which provides the answer as to whether the credentials are accurate or not. The HR login details were verified by the company servers, which were thus the IdP, and the cloud server was the SP.

9. Name three security benefits of FIdM over requiring users to use a new set of credentials.

An FIdM authentication system is beneficial because it:

• Lets users use the same credentials they use at the company to access cloud information.
• Provides a way to identify who accessed what information.
• Allows for an account to be disabled when there’s no need for it.

10. Why is it important to sign SAML Assertions? Why is it not important to sign OAuth Access Tokens?

A signed SAML assertion allows the system that queried for authentication to know that it is okay to allow authorization and also provide the required data set for the signed authentication.

OAuth, on the other hand, deals with authorization only and as such doesn’t require signed tokens for authentication as the user is only required to authorize the request being made or refute it. Thus, a token doesn’t need signing as the SAML will complete authentication as it normally would when alone.


11. In OAuth, what attack does the Client Secret mitigate? Why do you think the Client Secret is optional for Public Clients?

The client secret helps verify the authenticity of an app. In case someone sets up a rogue app the client secret is supposed to notice before the app steals data. The client secret is optional for public clients because OAuth 2.0 reduced the use of the client secret significantly with the secret being of no use if the OAuth server doesn’t need it which is the case for most public clients.

12. Name four services that might allow you to control a VM in an IaaS environment. What entity controls each service?

These include:

• A hypervisor
• An operating system
• Storage devices
• Networking equipment

The entities that control each of the above include the cloud computing platform.

13. What are some characteristics of systems in which you would expect application white listing to work well? What about systems in which you would expect it to not work well?

Characteristics of systems in which whitelisting could work include:

• Systems must have a singular file path.
• The application file name must be able to be recognized by the system.
• The system must be able to handle the file size.
• The system should either be managed or have an SSLF function.

A system cannot use whitelisting if it:

• Is a standalone system.
• Lacks a centralized management system.


References

Dinh, H. T., Lee, C., Niyato, D., & Wang, P. (2013). A survey of mobile cloud computing: architecture, applications, and approaches. Wireless communications and mobile computing, 13(18), 1587-1611.

Pfleeger, C. P., & Pfleeger, S. L. (2015). Security in computing. Prentice Hall Professional Technical Reference.

Pieprzyk, J., Hardjono, T., & Seberry, J. (2013). Fundamentals of computer security. Springer Science & Business Media.
