Composición de las Resinas Compuestas

PARTE I: RESINAS COMPUESTAS

2. Composición de las Resinas Compuestas

The Cloud Security Alliance (CSA 2011) identified 7 top threats in cloud computing:

1) Abuse and nefarious use of cloud computing

The registration process for cloud services (IaaS and PaaS) does not usually need more than a valid credit card and also some service providers offer free trial. This relative anonymity of registration and usage model could be abused by spammers, malicious code authors, and other criminals who have been able to conduct their activities with relative impunity. Areas of concerns in this regards include: password and key cracking, Distributed Denial of Service attack (DDOS), launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms.

2) Insecure interfaces and APIs

Cloud providers rely heavily on a set of software interfaces that allow users to manage and interact with cloud-based services. Therefore, the security of the cloud services is dependent on the security of those interfaces. This requires the interfaces to be designed and protected against accidental and malicious attempts. Moreover, some organisations build upon these interfaces to offer value-added services to their customers. This increases the complexity and risk of the new layered interface,

especially when organisations are required to relinquish their identifications to third- parties to enable their agency.

3) Malicious insiders

Malicious inside is a well-known threat and amplified in the cloud that providers lack transparency about accessibility process and procedure.

4) Shared technology issues

The scalability of the service offered by the cloud is achieved through sharing infrastructure. The underlying components in the cloud infrastructure are not often designed to offer robust isolation properties in a multi-user architecture. To address this, cloud providers utilise a virtualisation hypervisor that mediates access between guest operating systems and the physical components. Though, the virtual machines (hypervisors) have presented weaknesses that enable guest operating systems to inappropriately gain unauthorised access to sensitive data, control, or influence on underlying platforms. This requires a defence strategy that should include resources security enforcement and monitoring. It should also include a robust compartmentalisation to ensure that customers do not affect the operations of other tenants using the same physical resources.

5) Data loss or leakage

The threat of data loss or compromising increases in the cloud environment. This is because of the challenges that are either unique to the cloud, or more risky because of the architectural characteristics of the cloud environment. For example, insufficient authentication, authorization, and audit control and inconsistent use of encryption and software keys.

6) Account or service hijacking

Account or service hijacking such as phishing, fraud, and exploitation of software vulnerabilities were known before cloud computing. Cloud services add a new threat to the landscape. If attackers gain unauthorised access, they can eavesdrop on customers’ activities, manipulate data, return falsified information, and may redirect

clients to illegitimate sites. The attacked account or service may become a new base for the other attacks.

7) Unknown risk profile

The reduction of hardware and software ownership including maintenance that allows enterprises to concentre on their essential business operations is a distinctive financial and operational benefit. However, this feature must be carefully weighed against the contradictory security concerns complicated by the fact that cloud deployments are driven by anticipated benefits, by groups who may lose track of the security ramifications. Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design, are all important factors for estimating a company’s security postures. Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs. Security by obscurity may be low effort, but it can result in unknown exposures. It may also impair the in-depth analysis required highly controlled or regulated operational areas (CSA 2011).

Another issue in terms of security is loss of control. Although cloud providers implement up-to-time and a secure IT infrastructure; consumers continue suffering from the loss of control and lack of trust (Almorsy et al. 2011). Moreover, the fact that before data can get to the cloud, it has to progress outside a company’s firewall via an access network, that makes it vulnerable to attacks (Sahandi et al. 2012). Before moving applications outside their firewalls, organisations should be aware of the intrusion risks associated with such environment (Sahandi et al. 2012).

The design of cloud computing architecture comprises of different layers to provide IT resources. These layers are deployed in three different models (IaaS, PaaS, and SaaS). Each model comes with its own security issues. Therefore guaranteeing security of corporate data in the cloud is difficult, if not impossible (Kandukuri et al. 2009).

The IaaS cloud model, for example, is prone to attacks like XML Signature Element Wrapping (McIntosh and Austel 2005). This is a common attack on protocols using XML Signature such as SOAP (that stands for Simple Object Access Protocol)

messages. These protocols are used to provide authentication for messaging through the web.

In the PaaS (Platform as a Service) model, the security of the platform used for development is the service provider’s responsibility, but the security of the applications developed is the responsibility of consumer’s. Concerns about cloud service integrity and binding issues with PaaS’ cloud models should be taken into further consideration. The PaaS model is prone to cloud malware injection attacks and metadata spoofing attack as described by (Jensen et al. 2009).

Security concerns are the most commonly cited reasons that making enterprises not interested in SaaS (Forrester 2009). According to the (CSA 2009), in the SaaS model, service providers’ are responsibility do not only include providing the physical and environmental security capabilities, but also addressing the security control for the infrastructure, applications and data. A major concern of SaaS is unauthorised access due to data being transferred to a remote server through the internet (Sahandi et al. 2012). This might allow adversaries obtain passwords, inspect data, and modify or damage the data. This would be more harmful in case of unauthorised access to sensitive information such as payments details and information on human resources (Sahandi et al. 2012). Denial of service attacks and network failure also present availability concerns of SaaS (Rai et al. 2013).

Another security issue discussed in the literature is the lack of information about the location of datacentres. Cloud computing providers often have multiple data centres at different geographical locations in order to optimally serve consumers’ needs around the world (Sahandi et al. 2013). In many cloud provision scenarios, customers lack information of where their data is stored (Sahandi et al. 2013). In these scenarios legal and regulatory issues may arise which need to be considered because the physical location of data centres defines the law that can govern the management of the systems (Sahandi et al. 2013).

Availability can also be an issue with cloud computing. A number of service-outage incidents occurred, for example, Amazons EC2 users experienced service-outage several times (Miller 2012).

Security measures may be developed to tackle the above security issues. For example, implementing a robust authentication mechanism, encrypted protocols, secure backup applications and secure physical resources can improve security (Sahandi et al. 2012). Access control can be enhanced by incorporating security measures to the network layers. Web Services Security (WSS) is a security technique that can be incorporated to SOAP messages to assure the integrity and confidentiality by signing and encrypting their context (NIST 2007). The confidentiality and integrity can also be improved by incorporating cryptographic protocols such as Transport Layer Security (TLS), and Secure Socket Layer (SSL) to the transport layer. Moreover, it is highly recommended that cloud providers protect the integrity of consumers’ data by complying with relevant standards including Payment Card Industry – Data Security Standards (Jansen 2011). To improve access control, Al Morsy (2011) recommended the adoption of standards for identifying and accessing management such as SPML, SAML, OAuth, and XACML. Securing of VMs is critically important to avoid unauthorised access, so it is vital to consider security practices that may ensure the security of VMs. The use of secure protocols such as HTTPS would also increase the confidentiality by encrypting data while transferring them through the cloud. Other security practises maybe considered such as implementing file integrity checks and maintaining backups. Cloud vendors should provide a detail of their security polices to include risk management, access control, network security, physical security, and backup and system recovery. They should also provide details of how customers’ systems would be segregated from others in a multi-tenant environment. However, often cloud providers tend not to reveal more details about their systems and data centres, claiming doing so would compromise their security. Moreover, cloud providers should implement regulatory compliances that cover operational and security areas that users may have concerns about. Theses compliances would improve the security by having cloud vendors and customers to be securely certified.

In document Comparación de la profundidad de polimerización y grado de conversión de resinas compuestas usando dos unidades de luz visible (página 35-40)