Week 6: Security Concerns and Legal Aspects Flashcards
Drawbacks of cloud security
Significant investments are required
Regardless of the delivery and deployment model, some degree of control is transferred to the cloud provider
Overview of Security Concerns - Network Availability
The value of cloud computing can only be realized when network connectivity and bandwidth meet certain minimum needs
Overview of Security Concerns - Cloud Provider Viability
–Since cloud providers are relatively new to the business, there are questions about their viability and commitment
–This concern deepens when a provider requires tenants to use proprietary interfaces, thus leading to tenant lock-in
Overview of Security Concerns - Disaster Recovery and Business Continuity
Tenants and users require confidence that their operations will continue if the cloud provider’s production environment is subject to a disaster
Overview of Security Concerns - Security Incidents
Tenants and users need to be informed by the provider when an incident occurs and may require provider support to respond to audit findings
Overview of Security Concerns - Transparency
If providers do not expose details of their internal policy or technology implementation, tenants or users must trust the provider’s security claims
Overview of Security Concerns - New Risks, New Vulnerabilities
There is concern that cloud computing brings new risks and vulnerabilities
•The actual exploits will largely be a function of a provider’s implementation
•Although all software, hardware, and networking equipment are subject to vulnerabilities, by applying layered security and well-conceived operational processes, a cloud may be protected from common types of attacks
Overview of Security Concerns - Loss of Physical Control
Loss of physical control over data and applications results in a range of concerns
•With public or community clouds, data may not remain in the same system, raising multiple legal concerns
•Data may be comingled in various ways with data belonging to others
•A tenant administrator has limited control scope and accountability
•Tenants need confidence that the provider will offer appropriate controls, while recognizing that they need to lower their expectations for how much control is reasonable within these models
Overview of Security Concerns - Legal and Regulatory Compliance
–It may be difficult or unrealistic to utilize public clouds if the data is subject to legal restrictions or regulatory compliance
–Achieving certifications to address the needs of regulated markets may be challenging due to the current stage of general cloud knowledge
A virtual machine (VM) is
standard operating system (OS) instance captured in a fully configured and operationally ready system image
A hypervisorrepresents itself to the VM as
the underlying hardware, thus supporting the operation of the VM
Vendor implementations of virtualization vary, but in general they can be classified as follows
Type 1 or native virtualization is implemented by a hypervisor running directly on bare hardware
Type 2or hosted virtualization has a hypervisor running as an application within a host OS
OS implemented virtualizationis implemented by the OS itself taking the place of the hypervisor
Type 1 Virtualization
native virtualization
implemented by a hypervisor running directly on bare hardware
Guest OSs run on top of the hypervisor
Microsoft Hyper-V, Oracle VM, LynxSecure, VMware ESX, and IBM z/VM
Type 2 Virtualization
hosted virtualization
has a hypervisor running as an application within a host OS - VMs also run above the hypervisor
Oracle VirtualBox, Parallels, Virtual PC, VMware Fusion, VMware Server, Xen, and XenServer
OS implemented virtualization
implemented by the OS itself taking the place of the hypervisor
Solaris Containers, BSDjails, OpenVZ, Linux-VServer, and Parallels VirtuozzoContainers
Network-based IDSs do/do not work well with virtual servers
do not
The management tools used in a physical server-based deployment will /will not suffice in a highly dynamic virtualized one
will not
In a physical server deployment model, provisioning automation is generally
not heavily used
In a heavily virtualized environment, whether it be a cloud or not, OS provisioning will rapidly transition toward being
highly automated
compromise of hypervisor
it will become primary target if vulnerable, and have broad impact
hypervisor protection
network isolation and security monitoring
use of local storage in public cloud - Solution?
If during the operation of a VM, data is written to physical media, or to memory, and it is not cleared before those resources are reallocated to the next VM, then there is a potential for information exposure
Solution. Assume control over your use of storage and memory when using a public cloud by clearing data yourself
potential for undetected network attacks between VMs co-located on a server - Solution?
Unless the traffic from each VM can be monitored, you cannot detect attacks between VMs
•Solution.Invoke OS-based traffic filtering or firewalling
•Solution. Use segregationto isolate different classes of VMs
A hypervisor is ___and ____focused than a general purpose operating system, and ___exposed
smaller more less
A hypervisor____undergo frequent change and____run third-party applications
does not does not
The guest operating systems, which may be vulnerable, ___ have direct access to the hypervisor
do not
The hypervisor is ___ to network traffic with the exception of traffic to/from ____
completely transparent
a dedicated hypervisor management interface
Are there any documents attacks against hypervisor?
No
The prime advantage of automated provisioning in clouds is
the predictability, and speed of constituting a resource for a customer
Other advantages to provisioning in cloud
Enhancing availability by
•provisioning multiple instances of a service
•provisioning a service across multiple data centers