Understanding Cloud Computing Vulnerabilities


Earlier, IEEE's Security & Privacy published an article titled Understanding Cloud Computing Vulnerabilities. Recently translated by InfoQ into Chinese, it is reproduced as follows:
Discussions on cloud computing security often fail to differentiate general and cloud computing-specific issues. In order to make the discussion on security vulnerabilities clearer, the author has developed some indicators based on the risk elements and reliable definitions of cloud computing.
News items, blog posts, and other publications remind us every day of the security risks and threats of cloud computing. In most cases, security issues are considered to be the greatest obstacle to cloud computing adoption. However, such arguments about cloud computing security make it more difficult to find a sound method to evaluate the actual security consequences. The reasons are as follows. First, in discussions of risk, many of the basic terms, including risks, threats, and vulnerabilities, are used loosely, without regard to their actual meanings. Second, not every issue raised is specific to cloud computing.
To better understand the new security issues that cloud computing brings, we must analyze how cloud computing affects existing security issues. One of the key factors here is security vulnerabilities: cloud computing makes some familiar vulnerabilities more prominent and adds some new ones. However, before carefully analyzing vulnerabilities specific to the cloud computing context, we must first determine what a "vulnerability" really is.
Vulnerability: overview
Vulnerabilities are a prominent risk factor. In ISO 27005, risk is defined as "a potential possibility, that is, a specific threat exploits one or more facility vulnerabilities to cause damage to the organization," and its measurement should include the probability of occurrence and the consequences of the event [1]. The Open Group risk classification provides a useful overview of risk factors (see Figure 1).

Figure 1. Risk factors summarized in the risk classification of the Open Group. Risk is the product of the frequency of events that cause damage (left) and the possible loss magnitude (right). Vulnerabilities have an impact on the frequency of events that cause damage.
Like ISO 27005, the Open Group classification uses two top-level risk factors: the probability of a harmful event (here, the frequency of events that cause damage) and its consequences (here, the possible loss magnitude). The subfactors of the possible loss magnitude (on the right side of Figure 1) affect the final cost of a harmful event. The subfactors of the frequency of events that cause damage (on the left side of Figure 1) are more complex. Damage occurs when a threat carrier (such as a hacker) successfully exploits a vulnerability. How often this happens depends on two factors:
How often threat carriers try to exploit vulnerabilities. This frequency depends on the carrier's motive (What do they gain from an attack? How much effort does it take? What is the risk for the attackers?) and on how much access ("touch") the carrier has to the target of the attack.
The gap between the threat carrier's attack capability and the system's strength in resisting the attack.
This second factor brings us closer to a useful definition of a vulnerability.
Define Vulnerabilities
According to the risk classification of the Open Group,
"Vulnerabilities are the possibility that the facility cannot resist the threat carrier action. When there is a gap between the strength of the threat vector and the target's resistance, a vulnerability will occur."
Therefore, a vulnerability must always be described in the context of a specific type of attack. Here is a real-world example. If a car cannot protect its driver from injury when a truck hits it head-on at 60 miles per hour, this is a vulnerability: the car's crumple zone is too weak compared with the force of the truck. Against attacks from a bicycle, or even from a car at moderate speed, the car's resistance is sufficient.
We can describe computer vulnerabilities, that is, security-related bugs that are closed with vendor-provided patches, in the same way: as the weakening or removal of a certain degree of resistance. For example, a buffer overflow vulnerability weakens the system's resistance to arbitrary code execution, and whether attackers can exploit the vulnerability depends entirely on their capabilities.
Vulnerabilities and cloud computing risks
Now, starting from the right side of the risk factor tree, we explore how cloud computing affects the risk factors in Figure 1.
From the perspective of cloud customers, the possible loss magnitude described on the right side is completely unaffected by cloud computing: the consequences and the final cost of an incident, that is, a leak of confidential information, are exactly the same whether the leak occurs on a cloud platform or on traditional IT infrastructure. From the perspective of cloud service providers, things are a little different: because cloud computing places previously separate systems on the same infrastructure, an event that causes damage may have a considerable impact. However, this is easy to grasp and to include in risk assessment: it seems that no conceptual changes are needed to adapt impact analysis to the cloud computing environment.
Therefore, we must turn to the left side of Figure 1, the frequency of events that cause damage, to find out whether anything changes. Cloud computing can change the probability of a harmful event. As we show later, cloud computing causes considerable changes in the vulnerability factor. Of course, migrating to cloud infrastructure may also change attackers' level of access and motivation, as well as their effort and risk, a fact that must be considered in future work. However, to support risk assessment that is specific to cloud computing, it seems most beneficial to start by examining the exact nature of cloud computing-specific vulnerabilities.
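An added worked example, not from the original article: the factor tree of Figure 1 carried through for the car analogy and for one service on premises and in a cloud. It assumes discrete strength levels, independent capability and resistance distributions, and attempt frequency modelled as contacts per year times probability of action; every number is constructed for illustration.

```python
"""Risk factor tree of Figure 1 carried through with constructed numbers."""
from fractions import Fraction as F


def vulnerability(capability, resistance):
    """P(attack capability > resistance strength) for independent discrete levels.

    Both arguments map a level (higher is stronger) to its probability.
    """
    return sum(
        p_cap * p_res
        for cap, p_cap in capability.items()
        for res, p_res in resistance.items()
        if cap > res
    )


def attempt_frequency(contacts_per_year, probability_of_action):
    """How often a threat carrier tries: reach to the target times motive to act."""
    return contacts_per_year * probability_of_action


def risk(scenario):
    """Frequency of damaging events times possible loss magnitude, per year."""
    attempts = attempt_frequency(scenario["contacts_per_year"],
                                 scenario["probability_of_action"])
    damaging_events = attempts * vulnerability(scenario["capability"],
                                               scenario["resistance"])
    return damaging_events * scenario["loss_per_event"]


# The car example: resistance is fixed, the verdict depends on the attacker.
CAR = {3: F(1)}
BICYCLE, TRUCK = {1: F(1)}, {5: F(1)}

# Constructed scenarios: the same management interface on premises and in a cloud.
ATTACKERS = {1: F(1, 2), 2: F(3, 10), 3: F(1, 5)}
ON_PREMISES = {
    "contacts_per_year": 10,
    "probability_of_action": F(1, 5),
    "capability": ATTACKERS,
    "resistance": {2: F(1, 2), 3: F(1, 2)},
    "loss_per_event": 50_000,
}
# Only left-side factors change in the cloud; loss_per_event is inherited unchanged.
CLOUD = dict(
    ON_PREMISES,
    contacts_per_year=100,                             # reachable from the Internet
    resistance={1: F(1, 5), 2: F(1, 2), 3: F(3, 10)},  # some controls hard to apply
)
```

With these inputs the loss per event is identical in both scenarios, and the whole difference in risk comes from the contact frequency and the vulnerability factor.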
Cloud computing
Is there such a thing as a "cloud computing-specific" vulnerability? If so, there must be some factor in the nature of cloud computing that makes a vulnerability specific to cloud computing.
In essence, cloud computing combines known technologies (such as virtualization) in clever ways to provide IT services assembly-line style, resulting in economies of scale. Next, we discuss in more detail what the core technologies are and which features of their use in cloud computing are key.
Core cloud computing technology
Cloud computing relies heavily on the following core technologies:
Web applications and services: software as a service (SaaS) and platform as a service (PaaS) are unimaginable without Web application and Web service technologies. SaaS instances are usually implemented as Web applications, while PaaS instances provide development and runtime environments for Web applications and services. In infrastructure as a service (IaaS) instances, administrators usually use Web application/service technologies to implement related services and APIs, such as customer management access.
Virtualization: IaaS instances have virtualization techniques at their core. Since PaaS and SaaS services are often built on a supporting IaaS infrastructure, the importance of virtualization extends to these service models as well. In the future, we hope virtualization can evolve from virtualized servers to computing resources that can be used directly for SaaS services.
Encryption: many cloud computing security requirements can be met only by using encryption technology.
With the development of cloud computing, the list of core technologies is likely to expand.
Basic Features
In its description of basic cloud features [2], the National Institute of Standards and Technology (NIST) captures well what it means to provide IT services assembly-line style:
On-demand self-service: users order and manage services through a portal website and management interface rather than by dealing with people at the service provider. Provisioning and de-provisioning of services and their related resources are handled automatically by the provider.
Ubiquitous network access: cloud services are accessed through the network (usually the Internet) using standard mechanisms and protocols.
Resource pools: the computing resources used to provide cloud services are implemented on a homogeneous infrastructure shared among all service users.
Agile elasticity: resources can be quickly and elastically expanded or reduced.
Measurable service: resource and service usage can be measured at any time, which supports resource usage optimization, usage reports to users, and business models based on how much is used.
NIST's cloud computing definition framework, including its key feature list, has now evolved into a de facto standard for defining cloud computing.
Cloud computing-specific vulnerabilities
Based on this abstract view of cloud computing, we can now define what constitutes a cloud-specific vulnerability. A vulnerability is specific to the cloud if:
It is intrinsic to, or prevalent in, a core cloud computing technology,
Its root cause is one of NIST's key cloud features,
It is caused by cloud computing innovations that make tried-and-tested security controls difficult or even impossible to implement, or
It is common in the latest successful cloud computing services.
We now examine each of these four indicators.
Core technical vulnerabilities
The core technologies of cloud computing (Web applications and services, virtualization, and encryption) have vulnerabilities that are either inherent in the technology itself or common in its popular implementations. Three examples of such vulnerabilities are virtual machine escape, session control and hijacking, and insecure or outdated encryption.
First, the very nature of virtualization makes it possible for an attacker to escape from a virtual environment. Therefore, we must classify this vulnerability as inherent in virtualization and highly relevant to cloud computing.
Second, Web application technology has to overcome the problem that HTTP was designed as a stateless protocol, while Web applications require some notion of session state. There are many techniques for implementing session handling, and, as any security professional with extensive Web application security experience can testify, many session handling implementations are vulnerable to session control and hijacking. Whether session control and hijacking are inherent in Web application technology or are "just" common in many current implementations is debatable. However, in any case, such a vulnerability may be related to cloud computing.
Finally, advances in cryptanalysis can render any encryption mechanism or algorithm insecure, because novel methods of breaking it keep being found. More commonly, encryption algorithms are found to have key-related defects, which can degrade originally strong encryption to weak encryption (sometimes even equivalent to no encryption at all). Because the widespread use of cloud computing is unimaginable without encryption to protect the confidentiality and integrity of data in the cloud, insecure or outdated encryption vulnerabilities are closely related to cloud computing.
Critical cloud feature Vulnerabilities
As we mentioned earlier, NIST describes five key cloud computing features: on-demand self-service, ubiquitous network access, resource pools, agile elasticity, and measurable service.
The following are examples of vulnerabilities that originate from one or more of these features:
Unauthorized management interface access: the on-demand self-service feature requires a management interface that is open to cloud service users. Unauthorized access to the management interface is therefore a particularly relevant vulnerability for cloud computing systems: the probability of unauthorized access is much higher than in traditional systems, where only a few administrators can access the management functions.
Internet protocol vulnerabilities: the ubiquitous network access feature means that cloud services are accessed over a network using standard protocols. In most cases, this network is the Internet, which must be considered untrusted. Internet protocol vulnerabilities, such as those that allow man-in-the-middle attacks, are therefore relevant to cloud computing.
Data recovery vulnerability: the resource pool and elasticity features mean that resources allocated to one user may later be reallocated to a different user. For memory or storage resources, it may therefore be possible to recover data written by the previous user.
Metering and billing evasion: the measurable service feature means that any cloud service has a metering capability at an abstraction level appropriate to the service type (such as storage, processing capability, and active accounts). Metering data is used to optimize service delivery and for billing. Vulnerabilities include manipulating metering and billing data and evading billing.
Next, we can use NIST's complete cloud computing definition to think about cloud computing.
Known security control Defects
Vulnerabilities in standard security controls must be considered specific to cloud computing if cloud computing innovations directly cause the difficulty in implementing the controls. Such vulnerabilities are also known as control challenges.
Here, we examine three examples of such control challenges. The first is insufficient network-based controls in virtual networks. Given the nature of cloud services, administrative access to IaaS network infrastructure and the ability to customize that infrastructure are usually limited, so standard controls such as IP-based network zoning cannot be applied. In addition, standard techniques such as network-based vulnerability scanning are usually forbidden by IaaS providers, one reason being that friendly scans cannot be distinguished from attacker activity. Finally, technologies such as virtualization mean that network traffic occurs on both real and virtual networks, for example, when two virtual machine environments (VMEs) hosted on the same server communicate. These issues constitute a control challenge because tried-and-tested network-level security controls may not work in a given cloud environment.
The second challenge is poor key management procedures. As recently indicated by the European Institute of Network and Information Security [3], cloud computing infrastructure needs to manage and store many different types of keys. Because virtual machines do not have a fixed hardware infrastructure and cloud-based content is often geographically distributed, it is more difficult to apply standard controls, such as hardware security module (HSM) storage, to keys in cloud computing infrastructure.
Finally, security indicators have not been adapted to cloud infrastructure. Currently, there are no standardized security indicators specific to cloud computing that cloud customers could use to monitor the security status of their cloud resources. Until such security indicators are developed and implemented, controls for security assessment, audit, and accountability will be more difficult and expensive, or even impossible.
Common vulnerabilities in the latest cloud computing instances
Although cloud computing is relatively young, there are already countless cloud computing instances on the market. Therefore, we add a fourth, empirical indicator to the three preceding indicators of cloud-specific vulnerabilities: if a vulnerability is common in the latest cloud computing instances, it must be considered specific to cloud computing. Examples of such vulnerabilities include injection vulnerabilities and weak authentication schemes.
Injection vulnerabilities are exploited by manipulating service or application input so that parts of it are interpreted or executed in ways the developers did not intend. Examples of injection vulnerabilities include:
SQL injection: the input contains SQL code that is erroneously executed in the database back end;
Command injection: the input contains commands that are erroneously executed by the operating system;
Cross-site scripting: the input contains JavaScript code that is executed in the victim's browser.
In addition, many widely used authentication mechanisms are weak. For example, usernames and passwords are weak for authentication for the following reasons:
Insecure user behavior (choosing weak passwords, reusing passwords, and so on);
Limitations inherent in the single-factor authentication mechanism.
The implementation of an authentication mechanism may also have weaknesses that allow attacks such as credential interception and replay. Most of the latest cloud computing services currently use the username and password authentication mechanism.
Architecture components and vulnerabilities
Cloud service models are generally divided into SaaS, PaaS, and IaaS. Each model affects which vulnerabilities are exposed when cloud infrastructure is deployed. It helps to add more structure to the service model stack: Figure 2 shows a cloud computing reference architecture that makes the most important security-related cloud computing components explicit and provides an abstract overview of cloud computing for analyzing security issues.

Figure 2. Cloud computing reference architecture. We map cloud computing-specific vulnerabilities to the components of this reference architecture, which gives a general idea of which vulnerabilities may be relevant to a given cloud computing service.
This reference architecture is based on work at the University of California, Los Angeles, and IBM [4]. It inherits the layered approach, in which a layer can contain one or more service components. Here, we use "service" in a broad sense that includes both material components (such as buildings, power, and hardware) and non-material ones (such as a runtime environment). For the two layers of cloud software environment and cloud software infrastructure, the model defines three main service components: computing, storage, and communication. A service at a top layer can also be implemented by layers further down the stack, in effect skipping intermediate layers. For example, a cloud Web application can be implemented and operated in the traditional way, that is, running on a standard operating system without using dedicated cloud software infrastructure and environment components. Layering and composition imply that, at any layer of the model, provision of a service or function may switch from in-house to outsourced.
In addition to the original model, we identified supporting functions relevant to services in several layers and added them to the model as vertical spans over several horizontal layers.
Our cloud computing reference architecture has three main parts:
Supporting (IT) infrastructure: these are facilities and services common to any IT service, cloud or otherwise. We include them in the architecture because we want to provide the complete picture: a full treatment of IT security must also cover the non-cloud-specific components of a cloud service.
Cloud-specific infrastructure: these components constitute the core of a cloud service. Cloud computing vulnerabilities and the corresponding controls are usually mapped to these components.
Cloud service consumers: again, we include cloud service customers in the architecture because they are important to a comprehensive security discussion.
In addition, we explicitly show the network that separates cloud service consumers from the cloud computing infrastructure, because access to cloud resources over a (usually untrusted) network is one of the main features of cloud computing.
Using the structure of the cloud computing reference architecture, we can now go through the architecture's components and give examples of each component's cloud-specific vulnerabilities.
Cloud computing software infrastructure and environment
The cloud computing software infrastructure layer provides an abstraction of basic IT resources that are offered as services to the upper layers: computing resources (usually virtual machine environments, VMEs), storage, and (network) communication. These services can be used independently, which is typical for storage services, but they are often bundled, so that a server is delivered with a network connection and (usually) access to storage. Such a bundle, with or without storage, is generally referred to as IaaS.
The software environment layer of cloud computing provides services at the application platform level:
A development and runtime environment that supports services and applications developed in one or more languages;
Storage services (a database interface instead of file sharing);
Communication infrastructure, such as Microsoft's Azure service bus.
Vulnerabilities at the infrastructure and environment layers are usually closely tied to one of the three resource types provided by the two layers. However, cross-tenant access vulnerabilities are relevant to all three resource types. The virtual machine escape vulnerability described earlier is a typical example. We used it as an example of a vulnerability inherent in the core virtualization technology, but it can also be seen as rooted in the resource pool feature: whenever resources are pooled, unauthorized access across resources becomes a problem. Therefore, cross-tenant access vulnerabilities also affect PaaS, even where the technology used to isolate different tenants (and tenant services) is not based on virtualization (although this is an increasingly popular trend). Similarly, cloud storage is prone to cross-tenant storage access, and cloud communication, in the form of virtual networks, is prone to cross-tenant network access.
Computing resources
A set of highly relevant computing resource vulnerabilities concerns how virtual machine images are handled: the only feasible way to provide nearly identical server images, and thus on-demand service for virtual servers, is to clone template images.
Vulnerable virtual machine template images spread operating system or application vulnerabilities to many systems. An attacker may pose as a service customer and rent a virtual server to gain administrator privileges on it, and can then analyze the system configuration, patch level, and even the actual code, to gain knowledge useful in attacking other customers' images. Another issue is that images may come from untrusted sources, a phenomenon that has become more prominent with the emergence of marketplaces for virtual images for IaaS services. In that case, there are risks: for example, an image may have been tampered with to provide a backdoor for attackers.
Data leakage through virtual machine replication is a similar vulnerability, also rooted in the cloning of images to provide on-demand service. Cloning can leak confidential data held on the virtual machine: certain elements of an operating system, such as the host key and encrypted strings, are meant to belong to exactly one host, and cloning can violate this implicit assumption about privacy. Again, the emerging marketplace for virtual machine images, for example in Amazon EC2, leads to a related problem: users can convert running images into templates and offer the template images to other users. Depending on how the image was used before the template was created, it may contain content that the user does not want to disclose.
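An added example, not from the original article: one way to detect the cloning problem described above is to compare SSH host key fingerprints across instances and report every key that appears on more than one. The instance names and key bytes are constructed placeholders, and the input layout is assumed to be the "host, key type, base64 key" lines that ssh-keyscan prints.

```python
"""Find instances that share an SSH host key, a sign of cloning without key regeneration."""
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def shared_host_keys(inventory_lines):
    """Map fingerprint -> instances for every host key seen on more than one instance.

    Each line is "<instance> <key type> <base64 key>"; blank lines and lines
    starting with "#" are skipped.
    """
    instances_by_key = defaultdict(set)
    for number, line in enumerate(inventory_lines, start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {number}: expected instance, key type and key")
        instance, _key_type, key_b64 = fields[:3]
        instances_by_key[fingerprint(key_b64)].add(instance)
    return {
        fp: sorted(names)
        for fp, names in instances_by_key.items()
        if len(names) > 1
    }


def _constructed_key_line(instance, seed):
    """Constructed ssh-ed25519 inventory line: 32 placeholder bytes, not a real key."""
    placeholder = hashlib.sha256(seed).digest()
    blob = b"".join(
        struct.pack(">I", len(part)) + part
        for part in (b"ssh-ed25519", placeholder)
    )
    return f"{instance} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


# Constructed inventory: vm-a and vm-b were cloned from one template and kept its
# host key; vm-c regenerated its key on first boot.
SAMPLE_INVENTORY = [
    "# instance keytype key",
    _constructed_key_line("vm-a", b"template image"),
    _constructed_key_line("vm-b", b"template image"),
    _constructed_key_line("vm-c", b"regenerated on first boot"),
]
```

Any fingerprint returned by shared_host_keys marks instances whose host identity is not unique, which is the broken "exactly one host" assumption the paragraph describes.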
There are also control issues here, some of them related to the use of encryption. Random numbers are often generated from hardware-level entropy sources. If the virtualization abstraction layer between the hardware and the operating system interferes with random number generation in the virtual machine runtime environment, the resulting weak random number generation can cause encryption vulnerabilities: virtualization may be flawed in how it uses such entropy sources, or running multiple virtual machine runtime environments on the same host may exhaust the available entropy. As mentioned earlier, this abstraction layer also complicates the use of advanced security controls such as hardware security modules, and the result may be poor key management procedures.
Storage
In addition to the data recovery vulnerability caused by the resource pool and elasticity features, there is a related control challenge in media sanitization, which is often difficult or impossible to implement in a cloud computing environment. For example, a data destruction policy that requires physical destruction of a hard disk at the end of a lifecycle cannot be carried out if the disk is still in use by another tenant.
Because encryption is often used to overcome storage-related vulnerabilities, the core technology vulnerabilities of insecure or outdated encryption and poor key management have a special significance for cloud storage.
Communication
The most prominent example of a cloud communication service is the networking provided for virtual machine runtime environments in an IaaS environment. Because of resource pooling, several customers are likely to share network infrastructure components: vulnerabilities in shared network infrastructure components, such as DNS servers or the Dynamic Host Configuration Protocol, or IP protocol vulnerabilities, may enable cross-tenant network-based attacks in IaaS infrastructure.
Virtualized networking also raises a control challenge: as mentioned above, administrative access to IaaS network infrastructure and the ability to tailor that infrastructure are usually limited in cloud services. In addition, technologies such as virtualization mean that network traffic occurs not only on "real" networks but also in virtual networks (for example, communication between two virtual machine runtime environments hosted on the same server). Most virtual networks offer only limited possibilities for integrating network-based security. All in all, this constitutes a control challenge, namely inadequate network-based controls, because tried-and-tested network-level security controls may not work in some cloud computing environments.
Cloud computing Web Applications
Web applications use browser technology as the front end for user interaction. As browser-based technologies such as JavaScript, Java, Flash, and Silverlight are more widely used, a Web cloud computing application can be divided into two parts:
An application component maintained in the cloud;
A browser component running in the user's browser.
In the future, developers will increasingly use technologies such as Google Gears to allow offline use of a Web application's browser component without frequent access to remote data. We have already described two typical Web application technology vulnerabilities: session control and hijacking, and injection vulnerabilities.
Other Web application-specific vulnerabilities concern the browser front-end component. One of them is client-side data manipulation: users attack a Web application by manipulating the data that the browser component sends to the application component on the server. In other words, the input received by the server component is not the input the client component was "expected" to send, but input that the user has altered or generated entirely. In addition, Web applications rely on browser mechanisms to isolate third-party content embedded in the application (such as advertisements and mashup components). Browser isolation vulnerabilities may therefore allow third-party content to manipulate the Web application.
Services and APIs
Although it may seem obvious that all layers of cloud computing infrastructure provide services, infrastructure services and application programming interfaces deserve special consideration when discussing the security of cloud computing infrastructure. Most services are likely to be Web services, which share many vulnerabilities with Web applications. In fact, the Web application layer may be implemented entirely by one or more Web services, so that the application URL only delivers the browser component to the user. Therefore, the supporting services and API functions share many vulnerabilities with the Web application layer.
Manage access
NIST's cloud computing definition states that one of the core features of cloud services is that they can be rapidly provisioned and released with minimal management effort or service provider interaction. Therefore, one thing every cloud service has in common is a management interface, which leads directly to the vulnerability of unauthorized access to the management interface. In addition, because management access is often implemented with Web applications or services, it usually shares the vulnerabilities of the Web application layer and the service/API components.
Identity, authentication, authorization, and audit mechanisms
All cloud services (and the management interface of each cloud service) require identity management, authentication, authorization, and audit (IAAA) mechanisms. To some extent, parts of these mechanisms can be factored out as an independent IAAA service used by other services. Two IAAA elements are an integral part of every service implementation: adequate authorization checks (which inevitably use authentication and/or authorization information received from the IAAA service) and cloud infrastructure auditing.
Most of the vulnerabilities associated with the IAAA components must be considered specific to cloud computing because they are common in the latest cloud computing instances. We have already cited weak user authentication mechanisms as an example. Other examples include:
Denial of service due to account locking: a frequently used security control, especially for username and password authentication, is to lock accounts that receive several failed authentication attempts within a short period of time. Attackers can use this control to launch DoS attacks against a user.
Weak credential reset mechanism: when cloud computing vendors manage user credentials themselves rather than using federated authentication, they must provide a mechanism to reset credentials in case they are forgotten or lost. In the past, password recovery mechanisms have proved to be very weak.
Insufficient or incorrect authorization checks: current Web application and service cloud offerings are prone to insufficient or incorrect authorization checks, which may expose unauthorized information or actions to users. For example, a missing authorization check is the root cause of URL guessing attacks, in which a user modifies the URL to display information from other user accounts.
Coarse-grained authorization control: cloud service management interfaces are especially prone to offering a coarse-grained authorization control model. As a result, standard security measures such as separation of duties cannot be implemented, because it is impossible to give users only the permissions they need to do their work.
Insufficient logging and monitoring capabilities: currently, there is no standard or mechanism that gives cloud computing customers logging and monitoring facilities within cloud computing resources. This leads to an acute problem: log files record the events of all tenants and cannot easily be cropped to the information of a single tenant. In addition, insufficient monitoring capabilities often prevent providers from conducting security monitoring. Until usable standards for logging and monitoring are developed and implemented as tools, it is difficult, or even impossible, to implement security controls that require logging and monitoring.
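The account-locking item in the list above, as an added example that is not part of the original article: a hard per-account lock is compared with a retry delay keyed on the (account, source) pair. The class names, thresholds and the addresses (documentation ranges) are assumptions chosen for illustration.

```python
class AccountLockout:
    """Locks an account after `limit` failures, whoever caused them."""

    def __init__(self, limit=5):
        self.limit = limit
        self.failures = {}  # account -> failure count

    def allowed(self, account, source, now):
        return self.failures.get(account, 0) < self.limit

    def failed(self, account, source, now):
        self.failures[account] = self.failures.get(account, 0) + 1

    def succeeded(self, account, source):
        self.failures.pop(account, None)


class SourceThrottle:
    """Delays retries per (account, source) pair, doubling the wait each time."""

    def __init__(self, free=3, base=2.0, cap=900.0):
        self.free, self.base, self.cap = free, base, cap
        self.state = {}  # (account, source) -> (failure count, earliest next try)

    def allowed(self, account, source, now):
        return now >= self.state.get((account, source), (0, 0.0))[1]

    def failed(self, account, source, now):
        count = self.state.get((account, source), (0, 0.0))[0] + 1
        wait = 0.0 if count < self.free else min(self.base * 2 ** (count - self.free), self.cap)
        self.state[(account, source)] = (count, now + wait)

    def succeeded(self, account, source):
        self.state.pop((account, source), None)


def owner_can_log_in(control, bad_attempts=10):
    """Constructed scenario: one source submits wrong passwords for 'alice'
    once per second, then the real owner tries from a different source."""
    now = 0.0
    for _ in range(bad_attempts):
        if control.allowed("alice", "198.51.100.7", now):
            control.failed("alice", "198.51.100.7", now)
        now += 1.0
    return control.allowed("alice", "203.0.113.20", now)
```

Keying on the source alone does not bound guessing spread across many sources, so it is usually combined with a per-account alert threshold or a second authentication factor.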
In the experience of cloud service providers, among all these IAAA vulnerabilities, authentication problems are currently the major vulnerability because they put the data in the cloud service at risk [5].
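The authorization items in the list above (missing checks behind URL guessing, and coarse-grained control that rules out separation of duties), as an added example that is not part of the original article. The tenants, users, action names and the `/vms/<vm_id>/<verb>` route are hypothetical, constructed for illustration.

```python
# Constructed sample data: two tenants sharing one management API.
VMS = {"vm-1": {"tenant": "acme"}, "vm-2": {"tenant": "globex"}}

# Coarse model: a single flag, so whoever may start a VM may also delete it.
COARSE_ADMINS = {"alice", "bob"}

# Fine-grained model: each user has a tenant and an explicit set of actions.
GRANTS = {
    "alice": {"tenant": "acme", "actions": {"vm:start", "vm:stop"}},
    "bob": {"tenant": "acme", "actions": {"vm:delete"}},
    "carol": {"tenant": "globex", "actions": {"vm:start"}},
}


def authorize_coarse(user, action, vm_id):
    """Coarse check: ignores the action and the resource's owner."""
    return user in COARSE_ADMINS and vm_id in VMS


def authorize_fine(user, action, vm_id):
    """Deny by default; require a matching tenant and an explicit grant."""
    grant, vm = GRANTS.get(user), VMS.get(vm_id)
    if grant is None or vm is None:
        return False
    if vm["tenant"] != grant["tenant"]:  # object-level check: stops URL guessing
        return False
    return action in grant["actions"]  # action-level check: separation of duties


def handle(path, user, authorize):
    """Hypothetical route /vms/<vm_id>/<verb>; returns an HTTP status code.
    The ID in the URL is untrusted input and is authorized on every request."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "vms":
        return 404
    _, vm_id, verb = parts
    return 200 if authorize(user, f"vm:{verb}", vm_id) else 403
```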
Provider
Vulnerabilities that affect all cloud computing components, or more specifically users' inability to control cloud infrastructure as they control their own infrastructure, are usually a concern for providers. Control issues include insufficient possibilities for security audits and the fact that authentication methods and security metrics are not used in cloud computing. In addition, standard security controls such as auditing, authentication, and continuous security detection are not effectively implemented.
Cloud computing is still developing. As the field matures, more cloud-specific vulnerabilities will certainly emerge, and older threats will weaken. The Open Group's risk classification, combined with the four indicators of cloud-specific vulnerabilities identified here, yields a precise definition of vulnerabilities with a level of accuracy and clarity that discussions of cloud computing security have lacked so far.
Security control issues often highlight cases in which previously successful security controls become ineffective in the context of cloud computing. These issues are therefore of special significance for further cloud computing security research. In fact, many current efforts, such as the development of security measurement and authentication methods and the development of full-featured virtual network components, try to solve these control problems directly by making tried-and-tested controls usable in cloud computing.
Author Profile
Bernd Grobauer is a senior consultant in information security and leads the research activities of the Siemens Computer Emergency Response Team (CERT), including security event detection and processing, malware defense, and cloud computing security. Grobauer has a doctorate in computer science from the University of Aarhus, Denmark. He is a member of the qualification advisory committee of the international information integrity institution. Contact him at bernd.grobauer@siemens.com.
Tobias Walloschek is a senior management consultant for Siemens IT solutions and services companies. He is interested in cloud computing security and business import strategies. Walloschek has a bachelor's degree in Business Administration from the University of Applied Sciences in Germany. He is an information system security certification expert. Contact him at tobias.walloschek@siemens.com.
Elmar Stocker is a manager of Siemens IT solutions and services, where he is responsible for portfolio strategy and professional service portfolio monitoring. He also leads cloud computing security and PaaS activities. Elmar Stocker has a master's degree in computer science from the German University of AI. Contact him at elmar.stoecker@siemens.com.

[1] ISO/IEC 27005:2007 Information Technology-Security Techniques-Information Security Risk Management, Int'l Org. Standardization, 2007.
[2] P. Mell and T. Grance, "Effectively and Securely Using the Cloud Computing Paradigm (v0.25)," presentation, US Nat'l Inst. Standards and Technology, 2009.
[3] European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks, and Recommendations for Information Security, Nov. 2009.
[4] L. Youseff, M. Butrico, and D. Da Silva, "Towards a Unified Ontology of Cloud Computing," Proc. Grid Computing Environments Workshop (GCE), IEEE Press, 2008; doi: 10.1109/GCE.2008.4738443.
[5] E. Grosse, "Security at Scale," invited talk, ACM Cloud Security Workshop (CCSW), 2010.


Author: "focus on security management platform"
