Wednesday, March 29, 2017

Week 3 Assignment

Every cloud service and application today offers application programming interfaces (APIs). APIs are used to manage and interact with cloud services, and the security and availability of general cloud services (authentication, access control, encryption, activity monitoring, etc.) depends on the security of those APIs. Third parties that rely on APIs and build on these interfaces add the complexity of a new layered API, which increases risk because organizations may need to expose more services and credentials. Security issues related to confidentiality, integrity, availability and accountability may arise.
Examples of poorly secured APIs include anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, and unknown service or API dependencies. In January 2014, insecure APIs were connected to a Snapchat data breach that affected approximately 4.6 million users. While the APIs weren't directly to blame, they allowed hackers to match Snapchat users' phone numbers with usernames on a massive scale.
The Cloud Security Alliance (CSA) recommends analyzing the security model of cloud provider interfaces; implementing strong authentication, access control and encryption; understanding API dependencies; and penetration testing.
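As an added example (not code from this post, from the CSA or from any provider), here is a minimal Python API front door that addresses the weaknesses listed above: it refuses anonymous calls, issues short-lived signed tokens that cannot be replayed, checks authorization per scope, and logs every decision for accountability. The signing key, scope names and in-memory audit log are assumptions made for the example.

```python
import hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # constructed for this example; a real service loads it from a key store
SEEN_NONCES = set()   # nonces already presented, so a captured token cannot be replayed
AUDIT_LOG = []        # every API decision is appended here (stand-in for a real log sink)

def issue_token(subject, scopes, ttl_s=300, now=None):
    """Mint a short-lived, HMAC-signed token bound to one user and an explicit scope list."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": int(now) + ttl_s,
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return body.hex() + "." + sig.hex()

def verify_token(token, now=None):
    """Return the claims if signature, expiry and single-use nonce all check out, else raise."""
    now = time.time() if now is None else now
    try:
        body_hex, sig_hex = token.split(".")
        body, sig = bytes.fromhex(body_hex), bytes.fromhex(sig_hex)
    except (ValueError, AttributeError) as exc:
        raise PermissionError("malformed token") from exc
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if claims["nonce"] in SEEN_NONCES:
        raise PermissionError("token replayed")
    SEEN_NONCES.add(claims["nonce"])
    return claims

def handle_request(token, action, now=None):
    """API front door: no anonymous access, scope-checked authorization, every outcome logged."""
    if not token:
        outcome = {"status": 401, "reason": "anonymous access refused"}
    else:
        try:
            claims = verify_token(token, now)
            if action in claims["scopes"]:
                outcome = {"status": 200, "reason": f"{claims['sub']} allowed {action}"}
            else:
                outcome = {"status": 403, "reason": f"{claims['sub']} lacks scope {action}"}
        except PermissionError as exc:
            outcome = {"status": 401, "reason": str(exc)}
    AUDIT_LOG.append({"action": action, **outcome})   # accountability: log allow and deny alike
    return outcome
```

The fixed `now` parameter exists only so the expiry and replay behaviour can be exercised deterministically; in production it is simply the wall clock.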

Organizations often put speed of development first, neglecting attention to detail. Developers should take the time to fully understand the security implications associated with using, managing and monitoring APIs and the potential risks of sharing user data.

Resources:
Top Threats to Cloud Computing V1.0 (March 2010), prepared by the Cloud Security Alliance, retrieved from https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Fahmida Y. Rashid (2016, March 11) The dirty dozen: 12 cloud security threats, retrieved from http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html
Michael Cobb (n.d.) API security: How to ensure secure API use in the enterprise, retrieved from http://searchsecurity.techtarget.com/tip/API-security-How-to-ensure-secure-API-use-in-the-enterprise

Wednesday, March 22, 2017

Week 2 Assignment

When analyzing cloud computing security threats, one approach provides the following classification:

  • Infrastructure and host-related threats that affect the entire cloud infrastructure: natural disasters, unauthorized physical access, deficient training/negligence of employees, dumpster diving, password guessing, unauthorized data access, compromise of security logs, network breaks, privilege escalation, ineffective data deletion, malicious scanning/observation, insecure/obsolete cryptography, EDoS and resource exhaustion, isolation malfunction, billing fraud, insufficient logging/monitoring, cloud service failure/termination, third-party suppliers' failure, lock-in, compliance problems, data provenance and jurisdiction, infrastructure modifications, data processing, administrative/ownership changes, DoS to co-tenants.

  • Service provider-related threats that may affect the customers who seek a service in the cloud: replay, data interception, browser security, XML signature element wrapping, injection vulnerabilities, customer's negligence and cloud security, management interface exposure, loss of governance.

  • Generic threats that may affect both the infrastructure and the service providers/customers: social engineering, DDoS, encryption key exposure/loss, service engine exposure, malware and Trojan horses, malicious insider at the cloud provider.

In this second post I will focus on Economic Denial of Service (EDoS) as a threat specific to cloud computing environments. In EDoS the attacker may steal a customer's account and gain free access to certain services while the victim is charged for them. The surplus of available resources in the cloud also poses the threat of an EDDoS, in which large botnets generate seemingly legitimate requests for service, overloading the cloud. The victim may be able to sustain business operations, but the cost of doing so threatens its economic sustainability.
EDoS and EDDoS can be mitigated by deploying monitoring tools to detect and locate the attack and applying appropriate countermeasures to diminish it. While those are reactive mitigation strategies, there are also proactive ones, e.g. ingress filtering, which rejects packets with a spoofed source address at the ingress of a network.
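As an added illustration, not from this post or its sources, here is the ingress-filtering rule described above in Python: the edge router knows which source prefixes are legitimately assigned to each customer-facing interface and drops packets whose source lies outside them, as well as private/loopback sources that should never arrive from outside. The interface names, prefixes and sample packets are constructed for the example.

```python
import ipaddress

# Constructed topology for this example (an assumption, not from the post): the prefixes
# legitimately assigned to each customer-facing interface of an edge router.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"), ipaddress.ip_network("2001:db8:1::/48")],
}
# Private and loopback ranges that should never be a source on an Internet-facing ingress.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def ingress_decision(iface, src):
    """Return (accept, reason) for a packet with source `src` arriving on interface `iface`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable source address"
    if any(addr in net for net in BOGONS):
        return False, "bogon/private source"
    allowed = INTERFACE_PREFIXES.get(iface)
    if allowed is None:
        return False, "unknown interface"
    if any(addr in net for net in allowed):
        return True, "source within the interface's assigned prefixes"
    return False, "spoofed source: not assigned to this interface"

def filter_packets(packets):
    """Apply the rule to (iface, src, dst) tuples; return kept packets and per-reason drop counts."""
    kept, drops = [], {}
    for iface, src, dst in packets:
        ok, reason = ingress_decision(iface, src)
        if ok:
            kept.append((iface, src, dst))
        else:
            drops[reason] = drops.get(reason, 0) + 1   # drop counters feed the monitoring side
    return kept, drops

# Constructed sample traffic: two legitimate flows, one spoofed source, one private-range source.
SAMPLE = [("eth1", "203.0.113.7", "192.0.2.10"), ("eth1", "198.51.100.9", "192.0.2.10"),
          ("eth1", "10.1.2.3", "192.0.2.10"), ("eth2", "2001:db8:1::5", "2001:db8:2::1")]

if __name__ == "__main__":
    print(filter_packets(SAMPLE))
```

The per-reason drop counters are the hook for the monitoring side mentioned in the post: a sudden rise in spoofed-source drops on one interface is an early signal worth alerting on.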
One of the biggest challenges for potential cloud customers is the feeling of insecurity and privacy violation. Building a trustworthy cloud service and maintaining its good reputation should be of highest priority for every cloud provider.

Resources:
CRC Press: Cloud Computing Security: Foundations and Challenges, edited by John R. Vacca
http://ieeexplore.ieee.org/document/6375171/

Monday, March 13, 2017

Welcome to my Blog

This is my first blog ever, and I chose Cloud Computing Security as its theme since it's something I'm personally interested in learning more about.
We've all heard about Cloud Computing before, but how much do we actually know about it and about the security risks it poses for us and our organizations?
Cloud Computing is becoming a money-saving solution widely considered by companies that want to share some of the burden of managing and administering network and computer infrastructure within their organization. The National Institute of Standards and Technology (NIST) defines different models of cloud service, each providing a different level of involvement and investment between the provider and the consumer:

  • Infrastructure as a Service (IaaS) - servers, storage and network are provided to the customer on-demand; the customer chooses the operating system and deploys applications.
  • Platform as a Service (PaaS) - a great solution for software developers. The only responsibility the consumer has is deploying applications; management of the underlying cloud infrastructure (servers, network, OS or storage) remains with the cloud provider.
  • Software as a Service (SaaS) - an application is provided to the consumer as a service on demand (e.g. web-based email); the consumer only manages user-specific application configuration settings.
To me, one of the major difficulties a company needs to overcome when choosing a cloud computing service is finding the balance between the available budget and how much control the company is willing to hand to the cloud provider. The less management and administrative work you want, the more control you put in the provider's hands.
Through this blog I will introduce you to some of the security risks to consider with Cloud Computing and how to mitigate them. I hope you enjoy!

Resources:
https://support.rackspace.com/white-paper/understanding-the-cloud-computing-stack-saas-paas-iaas/