Enhancing Availability of Microservice Architecture : A Case Study on Kubernetes Security Configurations

Habbal, Nadin

January 2020

No description available.

Cloud Computing

Microservices

Microservices Architecture

Availability

Critical Systems

Kubernetes

Cloud Security

Monitoring

IT-security

Övrig annan teknik

Information security, privacy, and compliance models for cloud computing services

Alruwaili, Fahad F.

13 April 2016

The recent emergence and rapid advancement of Cloud Computing (CC) infrastructure and services have made outsourcing Information Technology (IT) and digital services to Cloud Providers (CPs) attractive. Cloud offerings enable reduction in IT resources (hardware, software, services, support, and staffing), and provide flexibility and agility in resource allocation, data and resource delivery, fault-tolerance, and scalability. However, the current standards and guidelines adopted by many CPs are tailored to address functionality (such as availability, speed, and utilization) and design requirements (such as integration), rather than protection against cyber-attacks and associated security issues. In order to achieve sustainable trust for cloud services with minimal risks and impact on cloud customers, appropriate cloud information security models are required. The research described in this dissertation details the processes adopted for the development and implementation of an integrated information security cloud based approach to cloud service models. This involves detailed investigation into the inherent information security deficiencies identified in the existing cloud service models, service agreements, and compliance issues. The research conducted was a multidisciplinary in nature, with detailed investigations on factors such as people, technology, security, privacy, and compliance involved in cloud risk assessment to ensure all aspects are addressed in holistic and well-structured models. The primary research objectives for this dissertation are investigated through a series of scientific papers centered on these key research disciplines. The assessment of information security, privacy, and compliance implementations in a cloud environment is described in Chapters two, three, four, and five. Paper 1 (CCIPS: A Cooperative Intrusion Detection and Prevention Framework for Cloud Services) outlines a framework for detecting and preventing known and zero-day threats targeting cloud computing networks. This framework forms the basis for implementing enhanced threat detection and prevention via behavioral and anomaly data analysis. Paper 2 (A Trusted CCIPS Framework) extends the work of cooperative intrusion detection and prevention to enable trusted delivery of cloud services. The trusted CCIPS model details and justifies the multi-layer approach to enhance the performance and efficiency of detecting and preventing cloud threats. Paper 3 (SOCaaS: Security Operations Center as a Service for Cloud Computing Environments) describes the need for a trusted third party to perform real-time monitoring of cloud services to ensure compliance with security requirements by suggesting a security operations center system architecture. Paper 4 (SecSLA: A Proactive and Secure Service Level Agreement Framework for Cloud Services) identifies the necessary cloud security and privacy controls that need to be addressed in the contractual agreements, i.e. service level agreements (SLAs), between CPs and their customers. Papers five, six, seven, and eight (Chapters 6 – 9) focus on addressing and reducing the risk issues resulting from poor assessment to the adoption of cloud services and the factors that influence such as migration. The investigation of cloud-specific information security risk management and migration readiness frameworks, detailed in Paper 5 (An Effective Risk Management Framework for Cloud Computing Services) and Paper 6 (Information Security, Privacy, and Compliance Readiness Model) was achieved through extensive consideration of all possible factors obtained from different studies. An analysis of the results indicates that several key factors, including risk tolerance, can significantly influence the migration decision to cloud technology. An additional issue found during this research in assessing the readiness of an organization to move to the cloud is the necessity to ensure that the cloud service provider is actually with information security, privacy, and compliance (ISPC) requirements. This investigation is extended in Paper 7 (A Practical Life Cycle Approach for Cloud based Information Security) to include the six phases of creating proactive cloud information security systems beginning with initial design, through the development, implementation, operations and maintenance. The inherent difficulty in identifying ISPC compliant cloud technology is resolved by employing a tracking method, namely the eligibility and verification system presented in Paper 8 (Cloud Services Information Security and Privacy Eligibility and Verification System). Finally, Paper 9 (A Case Study of Migration to a Compliant Cloud Technology) describes the actual implementation of the proposed frameworks and models to help the decision making process faced by the Saudi financial agency in migrating their IT services to the cloud. Together these models and frameworks suggest that the threats and risks associated with cloud services are continuously changing and more importantly, increasing in complexity and sophistication. They contribute to making stronger cloud based information security, privacy, and compliance technological frameworks. The outcomes obtained significantly contribute to best practices in ensuring information security controls are addressed, monitoring, enforced, and compliant with relevant regulations. / Graduate / 0984 / 0790 / fahd333@gmail.com

Cloud Computing

Intrusion Prevention

Cyber Attacks/Threats

Security Operations Centre (SOC)

Service Level Agreement (SLA)

Cloud Security Services

Cloud Governance

Cloud Compliance

Cloud Forensics

Cloud Community

Risk Management

Eligibility and Verification

Trust

Monitoring

Virtualization

Searching over encrypted data / Recherches sur des données chiffrées

Moataz, Tarik

05 December 2016

Les services cloud offrent des coûts réduits, une élasticité et un espace de stockage illimité qui attirent de nombreux utilisateurs. Le partage de fichiers, les plates-formes collaboratives, les plateformes de courrier électroniques, les serveurs de sauvegarde et le stockage de fichiers sont parmi les services qui font du cloud un outil essentiel pour une utilisation quotidienne. Actuellement, la plupart des systèmes d'exploitation proposent des applications de stockage externalisées intégrées, par conception, telles que One Drive et iCloud, en tant que substituts naturels succédant au stockage local. Cependant, de nombreux utilisateurs, même ceux qui sont disposés à utiliser les services susmentionnés, restent réticents à adopter pleinement le stockage et les services sous-traités dans le cloud. Les préoccupations liées à la confidentialité des données augmentent l'incertitude pour les utilisateurs qui conservent des informations sensibles. Il existe de nombreuses violations récurrentes de données à l'échelle mondiale qui ont conduit à la divulgation d'informations sensibles par les utilisateurs. Pour en citer quelques-uns : une violation de Yahoo fin 2014 et annoncé publiquement en Septembre 2016, connue comme la plus grande fuite de données de l'histoire d'Internet, a conduit à la divulgation de plus de 500 millions de comptes utilisateur ; une infraction aux assureurs-maladie, Anthem en février 2015 et Premera BlueCross BlueShield en mars 2015, qui a permis la divulgation de renseignements sur les cartes de crédit, les renseignements bancaires, les numéros de sécurité sociale, pour des millions de clients et d'utilisateurs. Une contre-mesure traditionnelle pour de telles attaques dévastatrices consiste à chiffrer les données des utilisateurs afin que même si une violation de sécurité se produit, les attaquants ne peuvent obtenir aucune information à partir des données. Malheureusement, cette solution empêche la plupart des services du cloud, et en particulier, la réalisation des recherches sur les données externalisées.Les chercheurs se sont donc intéressés à la question suivante : comment effectuer des recherches sur des données chiffrées externalisées tout en préservant une communication, un temps de calcul et un stockage acceptables ? Cette question avait plusieurs solutions, reposant principalement sur des primitives cryptographiques, offrant de nombreuses garanties de sécurité et d'efficacité. Bien que ce problème ait été explicitement identifié pendant plus d'une décennie, de nombreuses dimensions de recherche demeurent non résolues. Dans ce contexte, le but principal de cette thèse est de proposer des constructions pratiques qui sont (1) adaptées aux déploiements dans les applications réelles en vérifiant les exigences d'efficacité nécessaires, mais aussi, (2) en fournissant de bonnes assurances de sécurité. Tout au long de notre recherche, nous avons identifié le chiffrement cherchable (SSE) et la RMA inconsciente (ORAM) comme des deux potentielles et principales primitives cryptographiques candidates aux paramètres des applications réelles. Nous avons identifié plusieurs défis et enjeux inhérents à ces constructions et fourni plusieurs contributions qui améliorent significativement l'état de l'art.Premièrement, nous avons contribué à rendre les schémas SSE plus expressifs en permettant des requêtes booléennes, sémantiques et de sous-chaînes. Cependant, les praticiens doivent faire très attention à préserver l'équilibre entre la fuite d'information et le degré d'expressivité souhaité. Deuxièmement, nous améliorons la bande passante de l'ORAM en introduisant une nouvelle structure récursive de données et une nouvelle procédure d'éviction pour la classe d'ORAM ; nous introduisons également le concept de redimensionnabilibté dans l'ORAM qui est une caractéristique requise pour l'élasticité de stockage dans le cloud. / Cloud services offer reduced costs, elasticity and a promised unlimited managed storage space that attract many end-users. File sharing, collaborative platforms, email platforms, back-up servers and file storage are some of the services that set the cloud as an essential tool for everyday use. Currently, most operating systems offer built-in outsourced cloud storage applications, by design, such as One Drive and iCloud, as natural substitutes succeeding to the local storage. However, many users, even those willing to use the aforementioned cloud services, remain reluctant towards fully adopting cloud outsourced storage and services. Concerns related to data confidentiality rise uncertainty for users maintaining sensitive information. There are many, recurrent, worldwide data breaches that led to the disclosure of users' sensitive information. To name a few: a breach of Yahoo late 2014 and publicly announced on September 2016, known as the largest data breach of Internet history, led to the disclosure of more than 500 million user accounts; a breach of health insurers, Anthem in February 2015 and Premera BlueCross BlueShield in March 2015, that led to the disclosure of credit card information, bank account information, social security numbers, data income and more information for more than millions of customers and users. A traditional countermeasure for such devastating attacks consists of encrypting users' data so that even if a security breach occurs, the attackers cannot get any information from the data. Unfortunately, this solution impedes most of cloud services, and in particular, searching on outsourced data. Researchers therefore got interrested in the fllowing question: how to search on outsourced encrypted data while preserving efficient communication, computation and storage overhead? This question had several solutions, mostly based on cryptographic primitives, offering numerous security and efficiency guarantees. While this problem has been explicitly identified for more than a decade, many research dimensions remain unsolved. The main goal of this thesis is to come up with practical constructions that are (1) suitable for real life deployments verifying necessary efficiency requirements, but also, (2) providing good security insurances. Throughout our reseach investigation, we identified symmetric searchable encryption (SSE) and oblivious RAM (ORAM) as the two potential and main cryptographic primitives' candidate for real life settings. We have recognized several challenges and issues inherent to these constructions and provided a number of contributions that improve upon the state of the art. First, we contributed to make SSE schemes more expressive by enabling Boolean, semantic, and substring queries. Practitioners, however, need to be very careful about the provided balance between the security leakage and the degree of desired expressiveness. Second, we improve ORAM's bandwidth by introducing a novel recursive data structure and a new eviction procedure for the tree-based class of ORAM contructions, but also, we introduce the concept of resizability in ORAM which is a required feature for cloud storage elasticity.

Chiffrement cherchable

RAM inconsciente

Chiffrement structuré

Cryptographie appliquée

Vie privée et confidentialité

Externalisation

Cloud computing

Searchable encryption

Oblivious RAM

Structured encryption

Applied cryptography

Privacy and confidentiality

Outsourced storage

Cloud security

004

Řízení projektů v cloudu / Project management in cloud

Šťastný, Jan

January 2014

Goal of this thesis is to provide a summary of information connected to cloud project management. The thesis describes, what cloud is, what types of cloud there are and also describes project management methodologies and their specifics. In the practical part of this thesis one of the methodologies is applied to a practical project. The thesis contains also a summary of practical information about cloud projects and risks associated with cloud projects.

HackerGraph : Creating a knowledge graph for security assessment of AWS systems

Stournaras, Alexios

January 2023

With the rapid adoption of cloud technologies, organizations have benefited from improved scalability, cost efficiency, and flexibility. However, this shift towards cloud computing has raised concerns about the safety and security of sensitive data and applications. Security engineers face significant challenges in protecting cloud environments due to their dynamic nature and complex infrastructures. Traditional security approaches, such as attack graphs that showcase attack vectors in given network topologies, often fall short of capturing the intricate relationships and dependencies of cloud environments. Knowledge graphs, essentially a knowledge base with a directed graph structure, are an alternative to attack graphs. They comprehensively represent contextual information such as network topology information and vulnerabilities, as well as the relationships between all of the entities. By leveraging knowledge graphs’ inherent flexibility and scalability, security engineers can gain deeper insights into the complex interconnections within cloud systems, enabling more effective threat analysis and mitigation strategies. This thesis involves the development of a new tool, HackerGraph, specifically designed to utilize knowledge graphs for cloud security. The tool integrates data from various other tools, gathering information about the cloud system’s architecture and its vulnerabilities and weaknesses. By analyzing and modeling the information using a knowledge graph, the tool provides a holistic view of the cloud ecosystem, identifying potential vulnerabilities, attack vectors, and areas of concern. The results are compared to modern stateof-the-art tools, both in the area of attack graphs and knowledge graphs, and we prove that more information and more attack paths in vulnerable by-design scenarios can be provided. We also discuss how this technology can evolve, to better handle the intricacies of cloud systems and help security engineers in fully protecting their complicated cloud systems. / Organisationers snabba anammande av molnteknologier har låtit dem dra nytta förbättrad skalbarhet, kostnadseffektivitet och flexibilitet. Däremot har detta skifte också lett till nya säkerhetsproblem, speciellt gällande applikationer och behandlingen av känslig information. Molnmiljöers dynamiska natur och komplexa problem skapar markanta problem för de säkerhetstekniker som ansvarar för att skydda miljön. Den typ av invecklade förhållanden som finns i molnet fångas däremot sällan av traditionella säkerhetsmetoder, såsom attackgrafer. Ett alternativ till attackgrafer är därför kunskapsgrafer som utförligt kan representera kontextuell information, förhållanden och domänspecifik kunskap. Genom kunskapsgrafernas naturliga flexibilitet och skalbarhet skulle säkerhetsteknikerna kunna få djupare insikter kring de komplexa förhållanden som råder i molnmiljöer för att på ett mer effektivt sätt analysera hot och hur de kan förebyggas. Det här arbetet involverar därför utvecklingen av ett nytt verktyg specifikt designat för att använda kunskapsgrafer, nämligen HackerGraph. Verktyget integrerar data från flera andra verktyg som samlar information om molnmiljöers arkitektur samt deras sårbarheter eller svagheter. Genom att analysera och modellera informationen som en kunskapsgraf skapar verktyget en holistisk bild av molnekosystemet som kan identifiera potentiella sårbarheter, attackvektorer eller andra problemområden. Resultaten jämförs sedan med moderna verktyg inom både attack- och kunskapsgrafer. Vi bevisar därmed både hur mer information och fler attackvägar kan tillhandahållas från scenarion som är sårbara per design. Vi diskuterar också hur den här teknologin kan utvecklas för att bättre hantera molnmiljöers komplexitet samt hur den kan hjälpa säkerhetstekniker att skydda sina komplicerade molnmiljöer.

Cloud security

Knowledge graph

Attack graph

Vulnerability ssessment

Attack paths

Vulnerable-by-design systems

Cloudgoat

Molnsäkerhet

Kunskapsgraf

Attackgraf

Sårbarhetsanalysis

Sårbara miljöer

Cloudgoat

Elektroteknik och elektronik

A Process Framework for Managing Quality of Service in Private Cloud

Maskara, Arvind

01 August 2014

As information systems leaders tap into the global market of cloud computing-based services, they struggle to maintain consistent application performance due to lack of a process framework for managing quality of service (QoS) in the cloud. Guided by the disruptive innovation theory, the purpose of this case study was to identify a process framework for meeting the QoS requirements of private cloud service users. Private cloud implementation was explored by selecting an organization in California through purposeful sampling. Information was gathered by interviewing 23 information technology (IT) professionals, a mix of frontline engineers, managers, and leaders involved in the implementation of private cloud. Another source of data was documents such as standard operating procedures, policies, and guidelines related to private cloud implementation. Interview transcripts and documents were coded and sequentially analyzed. Three prominent themes emerged from the analysis of data: (a) end user expectations, (b) application architecture, and (c) trending analysis. The findings of this study may help IT leaders in effectively managing QoS in cloud infrastructure and deliver reliable application performance that may help in increasing customer population and profitability of organizations. This study may contribute to positive social change as information systems managers and workers can learn and apply the process framework for delivering stable and reliable cloud-hosted computer applications.

Cloud

Cloud Computing

cloud security

cloud research

cloud frameworks

Quality of Service

QoS

Cloud Operations

disruptive innovation

cloud computing business model

cloud computing infrastructure

cloud database

private cloud

public cloud

cloud process framework

Business

Computer Engineering

Technology and Innovation