Cloud Security : Major Vulnerabilities

So I will be at c0c0n: the annual information security day conference here in India. As part of cloud technology research, I would love to take up a session on "Security and Privacy risks in Cloud". Below are the content highlights. Please spread this news and make the event a great success.

1-   Agenda
The agenda of the session is a paper presentation and demo on cloud computing, its security risks, and the privacy issues around cloud service models. The high-level topics the paper will discuss are listed below.
1-      Introduction to cloud
2-      Understanding Cloud Architecture
3-      Microsoft’s Cloud Offering and Road Map
4-      Solution envisioning with Microsoft Cloud Offering - Windows Azure
5-      Key areas of Cloud security
6-      Privacy concerns: Identity and Access Management
 
Later it will be followed by two demos:
 
1-      Exploitation of Azure Storage vulnerability and remediation
2-      Implementation of Access Control Service for Authentication and Authorization
 
2-   Key Security Risks:
The paper will explain the impact and remediation of the security risk attributes below.
Auditing and Logging
• Disclosure of confidential information
• Denial of service (DoS)
Authentication
• Network eavesdropping
• Brute force attacks
• Cookie replay attacks
Authorization
• Elevation of privilege
• Disclosure of confidential data
• Token stealing
Communication
• Failure to encrypt messages
• Session replay
• Data tampering
Configuration Management
• Unauthorized access to configuration stores
• Retrieval of clear text configuration secrets
Cryptography
• Encryption cracking
• Loss of decryption keys
Input and Data Validation
• SQL injection.
• Cross-site scripting.
• XPath injection.
Sensitive Data
• Memory dumping.
• Network eavesdropping.
• Configuration file sniffing.
 
a.    Demo
We will explain SQL and XML injection vulnerabilities in Microsoft’s cloud storage, Windows Azure Storage, and how they can be exploited.
 
3-   Key Privacy issues:
1-      Concerns about datacenter privacy
2-      Access Control Service for stronger Authentication and Authorization (Identity and Access Management)
a.    Demo
The demo will explain how to set up Claims Based Identity using Access Control for various Identity Providers (IdPs) like Windows Live, Google Accounts, Facebook, Twitter and ADFS 2.0. It will then explain how the Azure Service Bus is used to facilitate communication between our on-premise application and a WCF service hosted on premise or in the cloud.
 
4-   Result
The audience will understand
1-    The risks and privacy issues of cloud computing, and how to leverage this knowledge for the better.
2-    Access Control Services for authentication/authorization and for Claims Based Authentication.
A PDF copy of the paper and the C# code will be shared with the audience.
 
posted @ Tuesday, August 30, 2011 8:14 PM