On Technical Security Issues in Cloud Computing

The Cloud Computing concept offers dynamically scalable resources provisioned as a service over the Internet. Economic benefits are the main driver for the Cloud, since it promises the reduction of capital expenditure (CapEx) and operational expenditure (OpEx). In order for this to become reality, however, there are still some challenges to be solved. Amongst these are security and trust issues, since the user's data has to be released to the Cloud and thus leaves the protection sphere of the data owner. Most discussions of this topic are driven mainly by arguments related to organizational means. This paper focuses on technical security issues arising from the usage of Cloud services and especially from the underlying technologies used to build these cross-domain Internet-connected collaborations.
