
Thesis/essay topic: Security and privacy problems in cloud technologies at the architectural level.

Recommended category for independent preparation:
Graduate thesis
Code 186672
Created 2014
Pages 108
Sources 36

Contents

Chapter 1. Introduction
Chapter 2. Background and related work
2.1. Problems and vulnerabilities of cloud computing systems
2.2. Activities of standardisation bodies in the area of cloud computing security
2.3. Brief analysis of the state of research
2.4. Attitudes to cloud security from the perspective of user trust
Chapter 3. Virtualisation
3.1. Introduction
3.2. Hypervisor
3.2.1. Buffer overflow and arbitrary code execution
3.2.2. Privilege escalation inside a virtual machine
3.2.3. Denial of service
3.2.4. Hypervisor protection methods
3.3. Virtual machine vulnerabilities
3.3.1. VM Escape: breaking out of the virtual machine perimeter
3.3.2. Monitoring a virtual machine from the host
3.3.3. Attacking a virtual machine from another virtual machine
3.3.4. Denial-of-service attack
3.3.5. External influence on a virtual machine
3.3.6. Security measures
3.4. Virtual networks
3.4.1. Main vulnerabilities of virtual networks
3.4.2. Vulnerabilities of cryptographic algorithms
3.4.3. Vulnerabilities of cryptographic keys
3.4.4. Random number generators
3.4.5. Vulnerabilities of the authentication procedure
3.4.6. Implementation vulnerabilities
3.4.7. User-level vulnerabilities
3.4.8. Security measures
3.5. Conclusions
Chapter 4. Multi-tenancy
4.1. Introduction
4.2. Side-channel attacks
4.2.1. Classification of side-channel attacks
4.2.2. Common side-channel attacks
4.2.2.1. Probing attack
4.2.2.2. Timing attack
4.2.2.3. Fault attacks
4.2.2.4. Power analysis attacks
4.2.2.5. Electromagnetic emission attacks
4.2.2.6. Visible light emission attacks
4.2.3. Countermeasures against side-channel attacks
4.2.3.1. Shielding
4.2.3.2. Adding noise
4.2.3.3. Equalising operation execution times
4.2.3.4. Power consumption balancing
4.2.3.5. Eliminating conditional branches
4.2.3.6. Data-independent computation
4.3. Shared use of physical resources
4.3.1. DDoS attack
4.3.2. DDoS protection mechanisms
4.4. Protection against data leakage
4.5. Conclusions
Chapter 5. Authentication and Authorisation
5.1. Authentication and authorisation
5.1.1. Introduction
5.1.2. Authentication with reusable passwords
5.1.3. Authentication based on one-time passwords
5.1.4. Authentication by presenting a digital certificate
5.1.5. Use of smart cards and USB tokens
5.1.6. Threats to authorisation and authentication and their solutions
5.2. Transport SSL Encryption (Heartbleed vulnerability)
5.2.1. Use of SSL
5.2.2. Threats to SSL and their solutions
5.3. Access control
5.4. Conclusions
Chapter 6. Discussion
Chapter 7. Conclusion
References

Excerpt of the work for review

In a cloud computing model, where users access cloud-based services from any terminal device connected to the Internet, the role of network access control is significantly reduced. The reason is that standard network access control focuses on protecting resources against unauthorised access based on the attributes of the terminal devices, which in most cases are imperfect, are not unique to different users and may lead to incorrect evaluation. In cloud computing, network access control policy appears in the form of cloud firewalls.

In contrast to network access control, user access control should receive greater attention in cloud computing, since it concerns identifying the user who accesses resources in the cloud. User access control includes strict authorisation, single sign-on (SSO) technology, privilege management, and recording and monitoring of cloud computing resources, and plays a significant role in protecting the confidentiality and integrity of information in cloud computing (Meghanathan, 2013).

In the SaaS delivery model, the CSP (cloud service provider) is responsible for managing all aspects of the network infrastructure, servers and applications. In such a model, where the application is delivered as a service to end users, usually via a web browser, network-oriented control systems become less relevant and are replaced by user access control; for example, one-time passwords are used for authorisation. Thus, attention should be paid to user access control (authentication, association, privilege management, deprovisioning, etc.) to protect the information stored in SaaS.

For example, access control in Salesforce.com is organised through a set of filters which at first seem simple, but this impression is deceptive. Each of the filters can be applied to groups or classes of user accounts:
1. The rights of a user class to view a table, an object or a functional area are defined by profiles.
2. The rights of a user class to view a table column (object attribute) are defined by profiles.
3. The rights of a user class to view a record (row or instance) are defined by roles.
4. Record types determine which profiles are allowed to view individual cells within the record, and can be used to restrict access to almost any function or object class.

These filters have modifiers that allow delegating rights and extending the area of access for privileged users. However, for most users the capabilities provided by the filtering mechanism are quite enough; sometimes they even cause discontent. Blocking and filtering can be implemented in the context of the current state and depending on the specific needs of the business. Thus, the system allows exceptions to be set when defining the data sharing schema at both the individual and the group level.

In the PaaS model, the CSP is responsible for managing access control to the network infrastructure, servers and platform applications (Meghanathan, 2013). However, customers are responsible for access control of the applications deployed on the PaaS platform. Application access control manifests as end-user access control, which includes provisioning and user authentication.

In the IaaS delivery model, customers are fully responsible for managing all aspects of access control to their resources in the cloud. Access to virtual servers, virtual networks, virtual storage and applications hosted on the IaaS platform should be designed and organised by the customers. In the IaaS delivery model, access control management is divided into two types:
- access control at the infrastructure level of the CSP (managing access to the network, hosting and management applications, which are owned and controlled by the CSP);
- access control at the level of the virtual client (managing access to the customer's virtual server (virtual machine, VM), virtual storage, virtual networks and applications hosted on virtual servers).

Taking these aspects into account, the management of access control to infrastructure in the cloud, as a rule, covers network access control, virtual server access control, the cloud control station and the web console.

Access control is the most important security management function in the SPI cloud models (SaaS, PaaS, IaaS) and the standard cloud deployment models (public, private and hybrid). Access control is an important aspect of information protection in information systems based on cloud computing and can be the primary means of security management in the absence of encryption and other data management tools.

At the moment, the access control capabilities offered by CSPs are not sufficient for corporate clients, for several reasons:
- access control mechanisms, standards and processes are not standardised across CSPs. In order to control access to the virtual cloud infrastructure effectively, customers need to do more to understand the CSP's access control parameters and their settings;
- the lack of unified standardisation makes access control across several clouds very difficult. For example, SAML is not supported by any of the major CSPs;
- control over user access to cloud resources is implemented at a low level. Access control from the CSP usually provides control at the network level, but not user access control. User access issues relate to authentication.

In my opinion, we should offer flexible access control based on the principles of least privilege and separation of duties (e.g., console manager, network access, host manager).

From the perspective of corporate users, access control is the basic security assurance process for protecting the confidentiality, integrity and availability of information located in the cloud. A reliable access control programme should include provisioning, timely deprovisioning, flexible authentication, privilege management, resource accounting, auditing and support for appropriate management. Cloud clients must understand the CSP-specific features of access control for networks, systems and applications.

5.4. Conclusions

Authentication and authorisation tools are classified as classical means of controlling access and ensuring information security, both in business and in global communication networks. Very often traditional methods of data protection focus on building a centralised network and a security perimeter with the help of tools such as firewalls and intrusion detection systems. This approach does not provide sufficient protection against attacks such as APT (advanced persistent threat), which are characterised by the fact that the attacker (usually a group of attackers) disguises activity on the target host as daily operations, which makes it difficult to detect.

Many companies have also introduced database auditing, directory access control (DAP, Directory Access Protocol) and systems for analysing information received from third-party systems (SIEM, Security Information and Event Management) to collect information about operations and processes, but event monitoring and correlation by themselves do not provide information security.

It is very important to provide comprehensive protection, which should primarily include a system of early warning of the onset of an attack, display of suspicious incoming requests, detailed continuous analysis of incoming data, etc. It is also necessary to provide data encryption, but it is important not to lose sight of the weak points: the encryption keys, access control, and monitoring of data access. If encryption keys are not adequately protected, they are vulnerable to theft; if the keys are well protected but access control is not reliable enough, it is possible to gain access to sensitive data by "posing" as an authorised user.

Encryption should be implemented on the basis of robust key and access management solutions to guarantee key protection. Encryption works in conjunction with other data protection technologies and provides an additional layer of security for building a comprehensive multi-layered approach to data protection and confidentiality, in order to reduce the risks of compromise in the cloud and beyond.

For authentication, the following solutions can be used:

Table. Solutions for authentication

Solutions: LAN Manager (LM), NT LAN Manager (NTLM), NT LAN Manager version 2, Kerberos, RADIUS
Authentication method: Authentication with reusable passwords
Description: User accounts include the user ID or username and a password. To log in, the user enters the username and password, which are passed to the authentication service. Based on the result of comparing this pair with the account's reference value, the user becomes authorised.

Solutions: SecurID, ActivCard Token, Aladdin eToken NG-OTP combined USB token, Safeword
Authentication method: Authentication based on one-time passwords
Description: For remote access to resources, reliable systems using one-time passwords have been developed. A system based on one-time passwords uses a different password for each new access request (Paterson, 2009). A one-time password is valid for only one login.

Solutions: SSL
Authentication method: Authentication with a digital certificate
Description: The authentication server sends a request packet to the user, and the client software generates the response as a digital signature over the request from the authentication server using the user's private key. The identity proof process consists of the following stages: 1. receiving the public key (a one-time process); 2. obtaining the user's public key certificate via some insecure channel.

Thus, an effective solution for the information security of cloud infrastructure should include:
1. Closed access to the data. It is necessary to provide reliable management of cryptographic keys.
2. Access policies. Only authorised users should have access to confidential information.
3. An intelligent system. The system should collect information to analyse user behaviour and notify in case of suspicious activity.

Ensuring information security in the cloud is not a trivial task; however, with the appropriate approach you get the perfect balance of all the benefits of the cloud model and a high level of protection, security and availability of your data and information systems.

This chapter described the main problems encountered in implementing access control systems, as well as their solutions. In addition, we considered the SSL data encryption protocol, the problems of its use in cloud infrastructure, and analysed ways to solve them.
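The four-layer filter model described for Salesforce.com above (profiles for objects and columns, roles for records, record types for cells), combined with the least-privilege principle from the same section, can be expressed as a default-deny check in which every filter must pass before any cell is returned. The following Python is an added illustration, not code from the thesis or from Salesforce; the profile names, role hierarchy and record types are constructed sample data.

```python
from dataclasses import dataclass

# Layered, default-deny access check modelled on the four filters above:
# (1) profile -> object, (2) profile -> column, (3) role -> record,
# (4) record type -> profile. All names and policy data are constructed.

@dataclass
class Profile:
    name: str
    objects: set     # objects this profile may view at all (filter 1)
    fields: dict     # object -> set of columns it may view (filter 2)

@dataclass
class Record:
    obj: str
    record_type: str
    owner_role: str  # role of the record's owner; visibility flows up the hierarchy
    data: dict

# Constructed sample policy. Roles form a tree via ROLE_PARENTS; a viewer sees
# records owned by its own role or any role beneath it (filter 3). Record types
# name the profiles allowed to read cells of that type (filter 4).
PROFILES = {
    "sales_rep": Profile("sales_rep", {"Account"},
                         {"Account": {"name", "region"}}),
    "finance": Profile("finance", {"Account", "Invoice"},
                       {"Account": {"name", "region", "credit_limit"},
                        "Invoice": {"amount", "status"}}),
}
ROLE_PARENTS = {"rep_emea": "sales_mgr", "sales_mgr": "ceo", "ceo": None,
                "accountant": "cfo", "cfo": "ceo"}
RECORD_TYPE_PROFILES = {"standard": {"sales_rep", "finance"},
                        "restricted": {"finance"}}

def role_covers(viewer_role: str, owner_role: str) -> bool:
    """True if owner_role is viewer_role itself or lies below it in the hierarchy."""
    r = owner_role
    while r is not None:
        if r == viewer_role:
            return True
        r = ROLE_PARENTS.get(r)
    return False

def visible_fields(profile_name: str, role: str, record: Record) -> dict:
    """Apply the four filters in order; a failing filter yields {} (deny by default)."""
    profile = PROFILES.get(profile_name)
    if profile is None or record.obj not in profile.objects:   # filter 1: object
        return {}
    allowed = profile.fields.get(record.obj, set())             # filter 2: columns
    if not role_covers(role, record.owner_role):                # filter 3: record (row)
        return {}
    if profile_name not in RECORD_TYPE_PROFILES.get(record.record_type, set()):
        return {}                                               # filter 4: record type
    return {k: v for k, v in record.data.items() if k in allowed}
```

Because each filter can only narrow the result, a misconfigured or missing entry in any one layer denies access rather than widening it, which is the least-privilege behaviour the section argues for.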

© Рефератбанк, 2002 - 2024