Author

Mohammad Ashiqur Rahaman

Bio: Mohammad Ashiqur Rahaman is an academic researcher from Institut Eurécom. The author has contributed to research in topics: XML & XML Encryption. The author has an h-index of 11, co-authored 24 publications receiving 408 citations. Previous affiliations of Mohammad Ashiqur Rahaman include French Institute for Research in Computer Science and Automation & University of Dhaka.
Topics: XML, XML Encryption, XML schema, SOAP, XML Signature

Papers
Proceedings ArticleDOI
03 Nov 2006
TL;DR: The integrity feature of a SOAP Account is discussed within a more general context of the current web service security state of the art.
Abstract: SOAP message exchange is one of the core services required for system integration in Service Oriented Architecture (SOA) environments. One key concern in a SOA is thus to provide Message Level Security (as opposed to point to point security). We observe that systems are communicating with each other in a SOA over SOAP messages, often without adequate protection against XML rewriting attacks. We have already provided a solution to protect the integrity of SOAP messages in earlier work [1]. This solution was based on the usage of message structure information (SOAP Account) for preservation of message integrity. However, this earlier work did not discuss the issue of forging the SOAP Account itself. In this paper, we discuss the integrity feature of a SOAP Account within a more general context of the current web service security state of the art.

97 citations

Patent
15 Jul 2014
TL;DR: In this article, systems and methods are provided for managing forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider, including establishing the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations, acquiring forensic data related to each client asset associated with the client, and generating one or more client inventory records for each client asset.
Abstract: In accordance with aspects of the disclosure, systems and methods are provided for managing forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider, including establishing the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations of the client assets associated with the client, acquiring forensic data related to each client asset associated with the client, and generating one or more client inventory records for each client asset based on the forensic data related to each client asset, and generating one or more client evidence records for each client asset based on each client inventory record generated for each client asset.

40 citations

Proceedings ArticleDOI
09 Jul 2007
TL;DR: This paper shows how the proposed SOAP Account solution could be applied for early detection of XML rewriting attacks, specifically regarding secure SOAP-based conversations, with respect to WS* policy based scenarios.
Abstract: Web services in different trust boundaries interact with each other via SOAP messages to realize functionality in a collaborative environment. Exchanging SOAP messages for remote service invocation has gained wide acceptance among web service developers. Several web service security standards are widely deployed aiming at securing exchanges of a single SOAP message and a conversation of SOAP messages among partners in a collaborative environment. Concerns have been raised about the possibility of XML rewriting attacks within this context and their early detection. In this paper, we demonstrate such possible attacks with respect to WS* policy based scenarios to set a security context and to use a security context for conversations of SOAP messages. We show how our proposed SOAP Account [21] solution could be applied for early detection of XML rewriting attacks, specifically regarding secure SOAP-based conversations. A simulation-based performance analysis and comparison of our SOAP Account approach vs. a WS* policy based approach complements our observations.

39 citations

Proceedings ArticleDOI
13 Jun 2016
TL;DR: An attack pattern framework for EIS is proposed that enables an appIDS, such as SAP Enterprise Threat Detection (ETD) [1], to perform log analysis simultaneously from multiple sources and provides an attack pattern specification language and associated methodology for managing attack pattern lifecycle and appropriate alert mitigation response.
Abstract: Intrusion detection systems (IDS) look for digital patterns mainly over the network or host traffic. Increasing complexity of today's enterprise information systems (EIS) obliges enterprises to deploy multiple but yet isolated IDSs in their IT boundaries, namely in network (NIDS), host (HIDS), DMZs and application (appIDS). Modern exploits being able to disguise may appear innocent from an individual IDS perspective; however, their maliciousness could be detected from an end to end application perspective. One of the core problems in this regard is the inability of detecting such end to end targeted attacks whose functional scopes may stretch across IT boundaries. In this paper, we first argue that complex end to end intrusions can be detected in real time by analyzing application level logs originating from various IT boundaries (network, proxy, web server, OS, application etc.). We propose an attack pattern framework for EIS that enables an appIDS, such as SAP Enterprise Threat Detection (ETD) [1], to perform log analysis simultaneously from multiple sources. The framework includes a reference architecture, and its prototypical implementation can be the core engine of an appIDS. It also provides an attack pattern specification language and associated methodology for managing attack pattern lifecycle and appropriate alert mitigation response.

35 citations

Proceedings ArticleDOI
15 Sep 2008
TL;DR: This paper introduces a distributed and fine grained access control mechanism based on encryption for XML document centric collaborative applications that makes it possible to simultaneously protect the confidentiality of a document and to verify its authenticity and integrity, as well as to trace its updates.
Abstract: This paper introduces a distributed and fine grained access control mechanism based on encryption for XML document centric collaborative applications. This mechanism also makes it possible to simultaneously protect the confidentiality of a document and to verify its authenticity and integrity, as well as to trace its updates. The enforcement of access control is distributed to participants and does not rely on a central authority. Novel aspects of the proposed framework include the adoption of a decentralized key management scheme to support the client-based enforcement of the access control policy. This scheme is driven by the expression of access patterns of interest of the participants over document parts to determine the keys required. A lazy rekeying protocol is also defined to accommodate the delegation of access control decisions that in particular reduces rekeying latency when faced with the addition and removal of participants.

34 citations


Cited by
Proceedings ArticleDOI
21 Sep 2009
TL;DR: This paper focuses on technical security issues arising from the usage of Cloud services and especially by the underlying technologies used to build these cross-domain Internet-connected collaborations.
Abstract: The Cloud Computing concept offers dynamically scalable resources provisioned as a service over the Internet. Economic benefits are the main driver for the Cloud, since it promises the reduction of capital expenditure (CapEx) and operational expenditure (OpEx). In order for this to become reality, however, there are still some challenges to be solved. Amongst these are security and trust issues, since the user's data has to be released to the Cloud and thus leaves the protection-sphere of the data owner. Most of the discussions on these topics are mainly driven by arguments related to organizational means. This paper focuses on technical security issues arising from the usage of Cloud services and especially by the underlying technologies used to build these cross-domain Internet-connected collaborations.

724 citations

Journal ArticleDOI
TL;DR: This paper surveys the works on cloud security issues, making a comprehensive review of the literature on the subject and proposes a taxonomy for their classification, addressing several key topics, namely vulnerabilities, threats, and attacks.
Abstract: In the last few years, the appealing features of cloud computing have been fueling the integration of cloud environments in the industry, which has been consequently motivating the research on related technologies by both the industry and the academia. The possibility of paying-as-you-go mixed with an on-demand elastic operation is changing the enterprise computing model, shifting on-premises infrastructures to off-premises data centers, accessed over the Internet and managed by cloud hosting providers. Regardless of its advantages, the transition to this computing paradigm raises security concerns, which are the subject of several studies. Besides the issues derived from Web technologies and the Internet, clouds introduce new issues that should be cleared out first in order to further allow the number of cloud deployments to increase. This paper surveys the works on cloud security issues, making a comprehensive review of the literature on the subject. It addresses several key topics, namely vulnerabilities, threats, and attacks, proposing a taxonomy for their classification. It also contains a thorough review of the main concepts concerning the security state of cloud environments and discusses several open research topics.

423 citations

Proceedings ArticleDOI
21 Oct 2011
TL;DR: The research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques, and the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks and had nearly no protection against XSS.
Abstract: Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modified, and instances can be started or ceased. Effectively, a successful attack on a Cloud control interface grants the attacker a complete power over the victim's account, with all the stored data included. In this paper, we provide a security analysis pertaining to the control interfaces of a large Public Cloud (Amazon) and a widely used Private Cloud software (Eucalyptus). Our research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques. Similarly, the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks, and had nearly no protection against XSS. As a follow up to those discoveries, we additionally describe the countermeasures against these attacks, as well as introduce a novel "black box" analysis methodology for public Cloud interfaces.

179 citations

01 Jan 2013
TL;DR: A proposed methodology, “Securing cloud from DDOS attacks using intrusion detection system in virtual machine”, which detects different kinds of vulnerabilities that can be overcome by using the proposed system.
Abstract: Cloud Computing is the newly emerged technology of Distributed Computing System. Cloud Computing users concentrate on API security & provide services to their consumers in a multitenant environment in three layers, namely Software as a service, Platform as a service and Infrastructure as a service, with the help of web services. It provides service facilities to its consumers on demand. These services provided can easily invite attackers to attack via SaaS, PaaS, IaaS. Since the resources are gathered at one place in data centers in cloud computing, DDOS attacks such as HTTP & XML in this environment are dangerous & provide harmful effects, and also all consumers will be affected at the same time. These attacks can be resolved & detected by a proposed methodology, “Securing cloud from DDOS attacks using intrusion detection system in virtual machine”. In this methodology, this problem can be overcome by using the proposed system. The different kinds of vulnerabilities are detected in the proposed system. The SOAP request makes the communication between the client and the service provider. Through the Service Oriented Traceback Architecture the SOAP request is sent to the cloud. In this architecture a service oriented traceback mark is present which contains a proxy within it. The proxy marks the incoming packets with source message identification to identify the real client. Then the SOAP message travels via XDetector. The XDetector is used to monitor and filter DDoS attacks such as HTTP and XML DDoS attacks. Finally the filtered real client message is transferred to the cloud service provider and the corresponding services are given to the client in a secured manner.

147 citations

Proceedings ArticleDOI
06 Jul 2009
TL;DR: The verification steps required to effectively validate an incoming SOAP request are discussed and a practical guideline for achieving a robust and effective SOAP message security validation mechanism is provided.
Abstract: The service-oriented architecture paradigm is influencing modern software systems remarkably and Web Services are a common technology to implement such systems. However, the numerous Web Service standard specifications and especially their ambiguity result in a high complexity which opens the door for security-critical mistakes. This paper aims at raising awareness of this issue while discussing a vulnerability in Amazon’s Elastic Compute Cloud (EC2) services to XML wrapping attacks, which has since been resolved as a result of our findings and disclosure. More importantly, this paper discusses the verification steps required to effectively validate an incoming SOAP request. It reviews the available work in the light of the discovered Amazon EC2 vulnerability and provides a practical guideline for achieving a robust and effective SOAP message security validation mechanism.

134 citations