Skip to main content

CEH v10: 19 Cloud Computing

Certified Ethical Hacker v10 Chapter 19: Cloud Computing.

Cloud computing is shared pools of configurable computer system resources and higher-level services that can be rapidly provisioned with minimal management effort, often over the Internet. Third-party clouds enable organizations to focus on their core businesses instead of expending resources on computer infrastructure and maintenance. Advocates note that cloud computing allows companies to avoid or minimize up-front IT infrastructure costs. Proponents also claim that cloud computing allows enterprises to get their applications up and running faster, with improved manageability and less maintenance.

Characteristics of Cloud Computing

  • Increase users flexibility
  • Cost reduction
  • Device and location independence
  • Distributed storage
  • Automated management
  • Virtualization
  • Measured services

Cloud Computing Service Models

Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications and possibly limited control of select networking components (e.g., host firewalls).

Platform as a Service (Paas)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Computing Deployment Module

Private Cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community Cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public Cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid Cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

NIST Cloud Computing Reference Architecture

  • National Institute od Standards and Technology (NIST) presented a high-level conceptual reference architecture
  • Identifies the major components and their functions in cloud computing
  • Intended to facilitate the understanding of the requirements, uses, characteristics and standards of cloud computing

Actors

  • Cloud Consumer : A person or organization that maintains a business relationship with, and uses services from cloud providers.
  • Cloud Provider : A company or individual that delivers cloud computing based services and solutions to businesses and/or individuals.
  • Cloud Auditor : A party that can conduct an independent assessment of cloud services.
  • Cloud Broker : An entity that manages the use, performance and delivery of cloud services, negotiates relationships between providers and consumers.
  • Cloud Carrier : An intermediary that provides connectivity and transport of cloud services from providers to consumers.

Cloud Computing Threads

  • Data loss / breach
  • Abusing cloud services
  • Insecure interfaces / APIs
  • Inadequate infrastructure design
  • Virtualization level attacks
  • Service termination and failure
  • Malicious insider
  • Hardware failure
  • Weak authentication
  • Privilege escalation
  • Loss of logs

Cloud Computing Attacks

  • Social engineering attacks (password guessing, ...)
  • XSS attacks
  • DNS attacks (DNS poisoning, domain hijacking, ...)
  • SQL injection
  • Network sniffing (obtain credentials, cookies, ...)
  • Session hijacking (cookie stealing, ...)
  • Cryptanalysis (weak encryption, ...)
  • DoS / DDoS

Side Channel Attacks or Cross-Guest Virtual Machine Breaches

  • Deploy a malicious virtual machine on the same host
  • Take advantage of sharing resources (processor cache, keys, ...)
  • Installation can be done by a malicious insider or an impersonated legitimate user

Cloud Security

Application Layer

  • Application firewall (filter and observe traffic)
  • Systems Development Life Cycle (SDLC)
  • Binary Code Analysis
  • Script analysis
  • Transactional security

Network Layer

  • Next Generation IPS / IDS (NGIPS / NGIDS)
  • Firewalls
  • DNSSec
  • Anti-DDoS

Information

  • Provide confidentiality and integrity
  • Data Loss Prevention (DLP)
  • Content Management Framework (CMF)

Trusted Computing

  • Root of Trust (RoT) is established by validating each component of hardware and software to ensure that only trusted hardware and software can be used

Computer and Storage

  • Host-based IPS / IDS (HIDS/HIPS)
  • Integrity check
  • File system monitoring
  • Log file analysis
  • Connection analysis
  • Storage encryption

Physical Security

  • Physical protection is priority
  • Protect against theft, unauthorized physical access, environmental impact (rain, earthquake, power failure, ...)

Responsibilities in Cloud Security

Cloud Service Provider

  • Web Application Firewall (WAF)
  • Real Traffic Grabber (RTG)
  • Firewall
  • Data Loss Prevention (DLP)
  • Intrusion Prevention System (IPS)
  • Secure Web Gateway (SWG)
  • Application Security (App Sec)
  • Virtual Private Network (VPN)
  • Load Balancer
  • CoS / QoS
  • Trusted Platform Module
  • Netflow

Cloud Service Consumer

  • Public Key Infrastructure (PKI)
  • Security Development Life Cycle (SDLC)
  • Firewall
  • Encryption
  • Intrusion Prevention System (IPS)
  • Application Security
  • Virtual Private Network (VPN)

Countermeasures and Security Considerations

  • Software Configuration Management (SCM)
  • Disaster Recovery Plan
  • Load Balancing
  • Data Integrity
  • Patching and updates
  • SSL
  • Cryptography implementation
  • Reliability
  • Quality of Service (QoS)
  • Monitoring
  • Service Level Agreement (SLA)