Wheeler / Winburn | Cloud Storage Security | E-Book | sack.de
E-Book

E-book, English, 144 pages

Series: Computer Science Reviews and Trends

Wheeler / Winburn Cloud Storage Security

A Practical Guide
1st edition 2015
ISBN: 978-0-12-802931-2
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: Adobe DRM




Cloud Storage Security: A Practical Guide introduces and discusses the risks associated with cloud-based data storage from a security and privacy perspective. Gain an in-depth understanding of the risks and benefits of cloud storage illustrated using a Use-Case methodology. The authors also provide a checklist that enables the user, as well as the enterprise practitioner, to evaluate what security and privacy issues need to be considered when using the cloud to store personal and sensitive information.

- Describes the history and the evolving nature of cloud storage and security
- Explores the threats to privacy and security when using free social media applications that use cloud storage
- Covers legal issues and laws that govern privacy, compliance, and legal responsibility for enterprise users
- Provides guidelines and a security checklist for selecting a cloud-storage service provider
- Includes case studies and best practices for securing data in the cloud
- Discusses the future of cloud computing

Aaron Wheeler is a Research Scientist at 3 Sigma Research and adjunct faculty at Valencia College. Previously he was a Software Engineer with Modus Operandi and Staff Research Assistant at Los Alamos National Laboratory. His interests include information security, cloud computing, ontologies and knowledge engineering, and intelligence agent applications to defensive cyber-warfare. He has presented his research at the International Conference on Artificial Intelligence, International Conference on Information and Knowledge Engineering and the International Conference on Integration of Knowledge Intensive Multi-Agent Systems and presented at workshops related to cloud computing and cloud computing and data privacy and security. He has developed a number of data security products for the US government through the Small Business Innovative Research Program.


Further Information & Material


Chapter 2 Application Data in the Cloud
This chapter identifies applications that allow users to store and share data in the cloud. Each section includes case studies of specific categories of applications and associated security considerations. Categories include cloud-based email, backup services, social media, and office suites. Data-in-motion, data-at-rest, and information privacy are discussed using case studies.

Keywords
Cloud-based email; backup services; social media; office suites; health and fitness apps; data-in-motion; data-at-rest; information privacy

The future of computing will no doubt be intertwined with cloud storage. Already, vendors of applications are not only moving their applications (office suites, backup services, email) into the cloud as services, but also relying on the cloud for “secure” storage of user-created content. These applications are perhaps the most obvious examples of the cloud being used to store and process information, some of which may be considered sensitive or at least private to the user.

There is also a trend toward moving what is commonly referred to as social media to the cloud. In fact, the cloud is a key component of all social media. It provides a common place to store information that can be shared with friends, groups, and the world. The social media cloud-based service is either delivered through a web browser or as an application (app) downloaded from the cloud and installed on a device, such as a smartphone or tablet. The majority of the content is stored in the cloud.

From a security standpoint, there is plenty of opportunity for mischief. First, if the app is downloaded from an app site such as Apple’s App Store or Google’s Marketplace, the user must trust that what is being downloaded performs as advertised: nothing more, nothing less. The user must also trust that the app has not been modified to perform unwanted actions, contains no backdoors, and has been coded without any flaws that can be exploited and result in a security compromise. Assuming the first two caveats are screened for by the App Store/Marketplace, the third one, “coding flaws that result in a security compromise”, is the unknown-unknown that lurks in every piece of code.
That may seem like an outrageous or paranoid statement, but a visit to the United States Computer Emergency Readiness Team (US-CERT) website will put the concept of code vulnerability into perspective:

“The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.” (US-CERT, 2015)

What you will find there is a list of the security flaws discovered this past week for applications that are in use by end users, commercial websites, government websites – places you visit and applications and operating systems that you use. While application security is not the main focus of this book, the security of the data created and stored by these applications is. One of the takeaways of this chapter is that if the applications can be compromised, so can your data. The key point, however, is that if you trust your private information to the cloud via service providers, who will have access to that information and what will they use it for?

Throughout this chapter we will use a case study methodology to present and analyze various security issues that arise when using the cloud to store information. The case study will follow this basic outline and organization:

1. Begin by asking questions that help focus the security and information privacy analysis associated with each application type.
2. Define the key security concepts and background information to assist the reader in understanding the analysis.
3. Provide a narrative to explain the research methods and results along with questions and problems that were discovered during the analysis.
4. Conclusion that addresses the security question(s).

In the following sections, using this case study outline, we will investigate the security of cloud-based email, cloud backup services, social media, and cloud-based password managers.

2.1 Applications
2.1.1 Email
Email, or electronic mail, is a system that allows the exchange of information between one or more users. Email can be used to send text, images, documents, and files of all types to one or more recipients.

2.1.2 Background
Email, one of the original forms of social media, is even older than the web and contains a detailed description of our personal and professional history. The concept of email has been around since the 1960s, when implementations were created and used by a number of university research labs, most notably MIT. This was pre-Internet and operated through dialup lines into an IBM mainframe computing system. The Advanced Research Project Agency (ARPA) took email to the next level with the advent of what is now called the internet. ARPAnet was a digital communication system that connected universities and government research facilities together for the purpose of experimenting and exchanging research information. This provided the test bed for the concepts and protocols for what is now known as the public internet.

Email is based on a client–server architecture where email is sent from many clients (users) to a server, which routes the email message to the intended destination where it is stored on a mail server and read by the recipient. There are two server types involved in sending email: the Simple Mail Transfer Protocol (SMTP) server, which receives email from the user’s client and routes it to the destination where it is stored on the recipient’s mail server. In the simplest case, the mail server can be a single computer running an SMTP and mail server service, which is connected to the internet. Email is provided globally through millions of instances of this configuration as businesses and email providers implemented and maintained their individual email systems.

As the use of email has increased and internet access has become commonplace, that model has given way to large cloud-based mail systems that support millions of users worldwide. Email systems, such as Gmail, Yahoo! Mail, and Outlook.com (formerly Hotmail), provide free cloud-based email to consumers using common web browser technology. Similar web-based email is provided to businesses and individuals who purchase and register domains through service providers, such as GoDaddy and 1and1.

There are four major areas of vulnerability in email:

1. The sender’s and receiver’s device (desktop, laptop, phone, tablet)
2. The email client application (web browser, Outlook, Thunderbird, Mail, Mailbox, etc.)
3. Email in transit from client to client (data-in-motion)
4. Storage on the mail server (data-at-rest)
5. End user behavior

These five areas of vulnerability are vital components of the overall security posture that could provide vectors for attackers to infiltrate email cloud storage and thereby bypass existing cloud security mechanisms. As an example:

1. Device security – If a user’s device is compromised, it is possible to obtain the username and password that are associated with the email account. That would provide direct and authenticated access to email that is stored in the cloud.
2. Email client – It is also possible that there are security flaws in the email client that can be exploited, or that other applications running on the device have vulnerabilities that can be used to access email account information. Applications, including mobile device apps, have been developed that contain backdoors and data harvesting and exfiltration capabilities, and that users willingly install as free apps on their devices. It is important to read the fine print in the terms of service (TOS) and privacy policy.
3. In transit communication – It is also possible to intercept email data while in transit between the client sending the email and the email server receiving it. Until recently, most email was sent in cleartext and could be easily intercepted and read with little effort. Currently most browser-based email is sent using encryption provided as part of the Hypertext Transfer Protocol Secure (HTTPS), which layers HTTP on top of the SSL/TLS security protocol to provide secure transport between client and server.
4. End user behavior – End users can be targeted by attackers using a variety of mechanisms, such as phishing, where the user plays an active role by clicking on an email attachment or on a web link from someone they know. This technique can be used to compromise the user’s security, the security of others on the network, and data stored on local servers and in the cloud. A recent example was publicized where an email was sent to a user in the United States State Department, which resulted in compromising the State Department’s network. This compromise was then used to...
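The in-transit item above can be checked after delivery: each SMTP server that handles a message prepends a Received header, and the "with" keyword in it (RFC 3848) records whether that hop used TLS. The following is an added example, not taken from the book; the sample message, host names and function names are constructed for illustration, and it goes slightly beyond the excerpt by looking at server-to-server SMTP hops rather than the browser's HTTPS session.

```python
import re
from email import message_from_string

# "with" keywords registered for Received headers; a trailing S/SA means TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

# Constructed sample message (example.* hosts and addresses are placeholders).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Tue, 3 Mar 2015 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.9])
\tby mx.example.net with ESMTP id def456;
\tTue, 3 Mar 2015 10:00:03 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.example.com with ESMTPSA id ghi789;
\tTue, 3 Mar 2015 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: quarterly numbers

body
"""

def audit_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to follow the delivery path.
    for header in reversed(msg.get_all("Received", [])):
        proto = WITH_RE.search(header)
        path = FROM_BY_RE.search(header)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({"from": path.group(1) if path else "?",
                     "by": path.group(2) if path else "?",
                     "protocol": name, "tls": name in TLS_PROTOCOLS})
    return hops

def cleartext_hops(raw_message):
    """Hops whose header does not record TLS (cleartext or not stated)."""
    return [h for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} tls={hop["tls"]}')
```

Received headers are written by the servers themselves, so entries added before the first server you trust can be forged, and a missing TLS keyword only means TLS was not recorded for that hop.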


