When analyzing cloud computing security threats, one approach groups them into the following three classes:

(Natural disasters, Unauthorized physical access, Deficient training/negligence of employees, Dumpster diving, Password guessing, Unauthorized data access, Security log compromise, Network breaks, Privilege escalation, Ineffective data deletion, Malicious scanning/observation, Insecure/obsolete cryptography, EDoS and resource exhaustion, Isolation malfunction, Billing fraud, Insufficient logging/monitoring, Cloud service failure/termination, Third-party suppliers' failure, Lock-in, Compliance problems, Data provenance and jurisdiction, Infrastructure modifications, Data processing, Administrative/ownership changes, DoS to co-tenants)

(Replay, Data interception, Browser security, XML signature element wrapping, Injection vulnerabilities, Customer's negligence and cloud security, Management interface exposure, Loss of governance)

(Social engineering, DDoS, Encryption key exposure/loss, Service engine exposure, Malware and Trojan horses, Malicious insider of cloud provider)
In this second post I will focus on Economic Denial of Service (EDoS) as a threat specific to cloud computing environments. In EDoS the attacker may steal a customer's account and gain free access to certain services while the victim is charged for them. The surplus of available resources in the cloud also poses the threat of an EDDoS (Economic Distributed Denial of Service), where large botnets generate seemingly legitimate requests for service and overload the cloud. The victim may be able to sustain business operations, but the cost of doing so threatens its economic sustainability: the elastic scaling that keeps the service up is exactly what runs up the bill.
EDoS and EDDoS can be mitigated by deploying monitoring tools that detect and locate the attack, followed by appropriate countermeasures to diminish it. These are reactive mitigation strategies; there are also proactive ones, such as ingress filtering, which rejects packets with a spoofed source address at the ingress of a network. Ingress filtering only helps against spoofed sources, though: a botnet sending well-formed requests from its real addresses passes it, which is why the monitoring should key on consumption and cost rather than on individual requests looking malformed.
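The two mitigations described above, as an added example (not code from the original post): a cost-based monitor that flags billing windows whose charge jumps well above a reviewed baseline, and a BCP 38 style ingress check that drops packets arriving from outside while claiming an inside source. The request log, tariff figures and prefixes are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (timestamp_sec, source_ip, bytes_served). Not real traffic.
# Three ordinary requests, then a burst from ~200 hosts whose requests each look valid.
SAMPLE_REQUESTS = [(0, "198.51.100.7", 4096), (5, "198.51.100.8", 4096), (30, "198.51.100.9", 8192)]
SAMPLE_REQUESTS += [(60 + i, f"203.0.113.{i % 200 + 1}", 65536) for i in range(300)]

# Hypothetical tariff; real cloud prices differ.
COST_PER_REQUEST = 4e-7
COST_PER_GB = 0.09

def window_costs(requests, window=60):
    """Bill each fixed window: per-request charge plus egress charge per GB."""
    costs = defaultdict(float)
    for ts, _src, nbytes in requests:
        costs[ts // window] += COST_PER_REQUEST + nbytes / 1e9 * COST_PER_GB
    return dict(costs)

def edos_alerts(requests, window=60, baseline_windows=1, factor=10.0):
    """Return the windows whose billed cost exceeds `factor` times the baseline.

    The baseline is the mean cost of the first `baseline_windows` windows, assumed to
    have been reviewed by the operator as normal. EDoS is an economic signal, so the
    monitor keys on money spent rather than on any single request being malformed."""
    costs = window_costs(requests, window)
    keys = sorted(costs)
    baseline = sum(costs[k] for k in keys[:baseline_windows]) / baseline_windows
    return [k for k in keys[baseline_windows:] if costs[k] > factor * baseline]

def ingress_allowed(src_ip, own_prefixes):
    """BCP 38 style check at the network ingress (the outside-facing edge).

    A packet arriving from the Internet must not claim a source inside the network's
    own prefixes (assumed list, e.g. ["192.0.2.0/24"]), nor a loopback, unspecified
    or multicast source; such packets are spoofed and are dropped."""
    addr = ipaddress.ip_address(src_ip)
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return False
    return not any(addr in ipaddress.ip_network(p) for p in own_prefixes)

if __name__ == "__main__":
    print("costly windows:", edos_alerts(SAMPLE_REQUESTS))      # [1, 2, 3, 4, 5]
    print(ingress_allowed("192.0.2.5", ["192.0.2.0/24"]))        # False
```

Note that the burst hosts pass the ingress check (their addresses are not spoofed), so only the cost monitor catches them.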
One of the biggest challenges for potential cloud customers is the perception of insecurity and of privacy violation. Building a trustworthy cloud service and maintaining its good reputation should therefore be of the highest priority for every cloud provider.
Resources:
CRC Press: Cloud Computing Security: Foundations and Challenges, editor John R. Vacca
http://ieeexplore.ieee.org/document/6375171/