Security concerns with SaaS layer of cloud computing
Post on 04-Jul-2015
Security concerns with SaaS layer of Cloud computing
Clinton D Souza
CSE486
01/29/2013
Cloud computing.
Service and Deployment.
SaaS layer.
Cloud security structure.
SaaS possible exploits.
Security breaches.
SaaS solution criteria.
Conclusion.
Outline
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104
http://cloud.trendmicro.com/data-breach-at-microsoft-highlights-security-problem-in-saas/
http://cylaw.info/panda-security-hacked-by-antisec/
http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml
References
A model for enabling:
ubiquitous,
convenient,
on-demand network access
to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort.
Cloud computing
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://en.wikipedia.org/wiki/File:Cloud_computing.svg
Infrastructure as a Service (IaaS).
Platform as a Service (PaaS).
Software as a Service (SaaS).
Service models
http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png
Public cloud. Provisioned for open use by the general public.
Owned, managed and operated by a business, academic or government organization, or a combination of them.
Exists on the premises of the cloud provider.
Private cloud. Exclusive use by a single organization with multiple business units.
Hybrid cloud. Composition of two or more cloud infrastructures.
Deployment models
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Software applications hosted on a cloud platform and made accessible to consumers from various client devices.
The consumer does not manage or control the underlying cloud infrastructure.
SaaS layer
Layered structure (bottom to top):
Hardware Infrastructure (IaaS)
System Infrastructure (IaaS)
Platform Business Service (PaaS)
Service App (SaaS), Service App (SaaS), Service App (SaaS)
Cross-cutting components: Data Service, Tenant Management
http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104
Cloud security structure
Tipton, Harold F.; Nozaki, Micki Krause. Information Security Management Handbook. 6th ed. USA: CRC Press, 2012.
SaaS possible exploits
Two main points of entry into the SaaS layer:
User Point of Entry: the most common point of attack in a SaaS model.
Provider Point of Entry.
An example of a query that exploits this vulnerability, which affects most database servers including PostgreSQL and MySQL, and which would grant the attacker administrator privileges:
<?php
// $uid is taken from user input: ' or uid like '%admin%
// The WHERE clause is widened so every uid containing "admin" is updated.
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";

// $pwd is taken from user input: hehehe', trusted=100, admin='yes
// Extra SET columns are smuggled in, making the account an administrator.
$query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE
...;";
?>
http://php.net/manual/en/security.database.sql-injection.php
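The two payloads above can be run against a throwaway in-memory database to see exactly what each one changes, and what a parameterized query does with the same input instead. This is an added example written in Python with the standard sqlite3 module; it is not from the slides or from the PHP manual. The usertable schema, the rows in it and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table (not from the slides): one admin, one ordinary user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (uid TEXT, pwd TEXT, trusted INTEGER, admin TEXT)")
    conn.executemany(
        "INSERT INTO usertable VALUES (?, ?, ?, ?)",
        [("admin", "secret", 100, "yes"), ("bob", "pass", 0, "no")],
    )
    conn.commit()
    return conn


def update_pwd_unsafe(conn, uid, pwd):
    # Vulnerable: user-controlled strings are spliced into the SQL text,
    # so quotes in the input change the structure of the statement.
    query = f"UPDATE usertable SET pwd='{pwd}' WHERE uid='{uid}'"
    conn.execute(query)
    conn.commit()
    return query


def update_pwd_safe(conn, uid, pwd):
    # Hardened: placeholders keep the SQL text fixed; the driver passes the
    # values separately, so they can only ever be compared or stored as data.
    conn.execute("UPDATE usertable SET pwd=? WHERE uid=?", (pwd, uid))
    conn.commit()


def snapshot(conn):
    # Return the table as {uid: {column: value}} for easy comparison.
    return {
        row[0]: {"pwd": row[1], "trusted": row[2], "admin": row[3]}
        for row in conn.execute("SELECT uid, pwd, trusted, admin FROM usertable")
    }


def demo():
    results = {}
    # Payload 1 (from the slide) in the uid field: widens the WHERE clause.
    uid_payload = "' or uid like '%admin%"
    conn = make_db()
    update_pwd_unsafe(conn, uid_payload, "owned")
    results["unsafe_uid"] = snapshot(conn)
    conn = make_db()
    update_pwd_safe(conn, uid_payload, "owned")
    results["safe_uid"] = snapshot(conn)

    # Payload 2 (from the slide) in the pwd field: smuggles extra SET columns.
    pwd_payload = "hehehe', trusted=100, admin='yes"
    conn = make_db()
    update_pwd_unsafe(conn, "bob", pwd_payload)
    results["unsafe_pwd"] = snapshot(conn)
    conn = make_db()
    update_pwd_safe(conn, "bob", pwd_payload)
    results["safe_pwd"] = snapshot(conn)
    return results


if __name__ == "__main__":
    for name, table in demo().items():
        print(name, table)
```

With string concatenation the first payload resets the admin account's password and the second turns bob into a trusted administrator; with placeholders the first payload matches no row at all and the second is stored verbatim as bob's (odd-looking) password, with trusted and admin untouched. The fix is the same in PHP: use prepared statements (PDO or mysqli) rather than building the query from request parameters.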
SaaS attack types
The most common attacks associated with SaaS model in a public cloud infrastructure.
They are divided into the following four groups:
Availability
•Denial of Service
•Account lockout
•Buffer overflow
Data Security
•Cross-site scripting
•Access control weakness
•Privilege escalation
Network Security
•Network Penetration
•Session Hijacking
•Data Packet Interception
Identity Management
•Authentication Weakness
•Insecure Trust
SaaS (Software as a Service) vulnerabilities
Data breach at Microsoft highlights security problem in SaaS .
Panda Security hacked by Antisec.
Zero-Day vulnerability found in McAfee’s SaaS products.
Recent security breaches
McAfee Security breach
Zero-Day Vulnerability Found in McAfee's SaaS Products (April 2011). An attacker can execute arbitrary code by exploiting the flaw if the victim visits a malicious page or opens the file.
The Common Vulnerability Scoring System rates it 9 out of a maximum of 10.
The method accepts commands that are passed to a function which simply executes them, without any authentication.
McAfee SaaS includes:
Email Protection (Protection against viruses and spam)
McAfee Integrated Suites (Protection against viruses, web threats, etc…)
Patch released in August 2011.
http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml
Reliability.
Effectiveness.
Performance.
Flexibility.
Control.
Privacy and Security.
Total Cost of Ownership (TCO).
SaaS solution criteria
http://www.websense.net/assets/white-papers/whitepaper-seven-criteria-for-evaluation-security-as-a-service-solutions-en.pdf
Cloud computing models are relatively new and are thus susceptible to vulnerabilities.
The SaaS layer in a public cloud is more vulnerable to attacks because it is directly accessed by users.
The types of attack on SaaS products remain the same, but the impact of a breach increases.
A number of security criteria need to be considered while developing a SaaS application.
Conclusion