Albaroodi, Hala - Critical Review of Openstack Security Issues and Weaknesses
ISSN: 1549-3636
© 2014 Science Publications
doi:10.3844/jcssp.2014.23.33 Published Online 10 (1) 2014 (http://www.thescipub.com/jcs.toc)
Keywords: Security, Cloud Computing, Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), OpenStack
One issue that must be addressed directly is customer and vendor concerns about application and data security. There are strong concerns about insider divisions as well as vulnerabilities in application and system availability that could cause the loss of money and sensitive data. These challenges can discourage enterprises from adopting SaaS applications within the cloud. IaaS completely changes the developers' perceptions. Rather than spending large amounts on infrastructure to build their own data centers or hiring host companies and renting operational staff to initiate the project, developers can go to Amazon Web Services or one of the other IaaS providers to gain access to a virtual server while paying only for the use of resources (Amazon, 2013). Cloud brokers could provide accurate scaling; they could easily expand without worrying about scaling and security (Buyya et al., 2009). In brief, IaaS and other related services have enabled start-ups and other businesses to focus on their strengths without worrying about the development and management of infrastructure. IaaS has fully abstracted the hardware underneath it and allows users to use infrastructure as a service without being concerned with the underlying difficulties. The cloud has a binding value hypothesis in terms of cost; although IaaS supplies infrastructure security and applications, activities within the cloud will require higher levels of security to be provided to consumers (Grivas et al., 2010).

PaaS provides a level above IaaS and abstracts out everything up to the OS and middleware; this offers various development environments in which developers can build their applications without understanding what happens behind the scenes (Grivas et al., 2010). Furthermore, the developers offer a service that provides complete software development life-cycle management, from A to Z (including planning, design, building applications, deployment, testing and maintenance). However, everything else is hidden from the developer's view.

1.1. Security Issues in SaaS

In SaaS, the client's security measures are dependent on the provider. The provider should ensure that each user's data are hidden from all other users. Security measures must be in place and the client must be confident that the application will be ready for use when needed. In SaaS, the cloud client will often replace old software applications with newer ones. Therefore, the focus lies not upon the portability of applications but rather upon protecting or developing the security functionality of legacy applications and attaining successful data migration (Subashini and Kavitha, 2011; Seccombe et al., 2009). Vendors of SaaS services may host applications on their own private servers or use cloud computing IaaS provided by a third party (e.g., Amazon, Google). The use of cloud computing, along with the pay-and-go approach, helps application service providers reduce the cost of infrastructure services and allows them to focus on providing the best possible service to customers.
In the past decade, computers have grown more popular among enterprises as IT services and computing have become commodities. Enterprises today can strategically view data and business processes (such as records, transactions and pricing information) themselves and protect these processes with compliance policies and access control. Furthermore, if the SaaS provider is leveraged as a public cloud computing service, the enterprise's data should be stored together with the data of other unconnected SaaS applications. In addition, cloud providers should duplicate and store data in multiple locations across different countries for the purpose of maintaining high availability. Most enterprises are familiar with the traditional on-premise model, in which data are stored within the premises of the enterprise and are governed by the enterprise's policies. Thus, many businesses are uncomfortable with the lack of control over and knowledge of how their data are stored and whether they are secure in the SaaS model. There is great concern that problems involving data availability or data breaches could lead to financial and legal liabilities (Anding, 2010). Figure 2 depicts the layered stack for a classic SaaS vendor as well as important data security issues that span multiple layers. Security components should be considered essential parts of the SaaS application development and data deployment processes, including data security, network security, locality, integrity, segregation, access, authentication and authorization, confidentiality, web application security, breaches, virtualization vulnerability, availability, backup, identity management and sign-on processes. The different security issues of SaaS are illustrated in Fig. 2.

1.2. Security Issues in PaaS

In PaaS, developers build applications on a computing platform controlled by the provider. In addition, any security issues beneath the application level, such as network and host intrusion prevention, are under the control of the provider, who must offer strong guarantees that the data cannot be accessed by other applications (Subashini and Kavitha, 2011). As a result, PaaS offers more flexibility than SaaS at the expense of customer-ready features. This trade-off extends to security features and capabilities, in that built-in capabilities are less complete, but, simultaneously, there is more flexibility to incorporate additional security. Applications which are sufficiently complex to take advantage of an Enterprise Service Bus (ESB), but which need to secure the ESB directly, benefit from protocols such as Web Service (WS) security (Oracle, 2013). In addition, it is very beneficial to use PaaS for successful executive information system development in the education domain (Kamaruddin, 2011). The capability to segment ESBs is not present in PaaS environments. Standards should be introduced to regulate the effectiveness of application security programs. Specific metrics, such as patch coverage and vulnerability scores, are available for direct application security. These standards can indicate the quality of application coding. Attention should be paid to how malicious entities are adapting to new cloud application architectures that hide application components from their view. Hackers are likely to attack obvious code, although this is not necessarily restricted to code running in the context of the user. They are likely to attack the infrastructure and perform comprehensive black box testing of Service Oriented Architecture (SOA) applications, which are increasingly being distributed within the cloud (Cao et al., 2009).

Fig. 2. Security elements in the stack layers (SaaS, PaaS, IaaS)
1.3. Security Issues in IaaS

In IaaS, the developer has the best control over security, as long as there is no security hole in the Virtualization Manager (VM). While in theory virtual machines might be able to address these issues as they arise, there are many security problems in practice. An additional factor is the reliability of the data stored in the provider's hardware. Due to the growing virtualization of the information society, enabling owners to maintain control over their data regardless of its physical location will become a topic of extreme interest. To obtain maximum trust and security on a cloud resource, several techniques need to be practiced (Descher et al., 2009).

The security obligations of both the provider and the consumer vary greatly between cloud service models. Amazon's Elastic Compute Cloud (EC2) infrastructure presents an example in which the vendor's responsibility for security extends only to the hypervisor. This means that they can only address security controls such as virtualization security, physical security and environmental security. The consumer is responsible for the security controls corresponding to the system, including the applications, OS and data (Seccombe et al., 2009). IaaS gives rise to security issues whose severity depends on the cloud deployment model through which the services are delivered. The physical security of the infrastructure is extremely important; disaster management plans are necessary to prevent damage, either natural or intentional, to the infrastructure. Infrastructure includes not only the hardware in which data are computed and stored but also the paths by which they are obtained or transmitted. In a standard cloud environment, data will be transmitted from source to destination through numerous third-party infrastructure devices (Ristenpart et al., 2009). The complexities arising from the various service deployment models of IaaS are illustrated in Table 1.

Cloud architectures are built upon underlying technology. A cloud built over the Internet inherits all of the Internet's inherent security risks. The foundations of cloud technology force consumers and providers with different physical locations to virtually access resources over the Internet (Prautzsch and Graves, 2011; Sehgal et al., 2011). Even if an enormous amount of security is established in the cloud, data must still be transmitted via the underlying Internet technology. Therefore, the security concerns threatening the Internet also threaten the cloud. However, the risks to cloud computing are especially great. The vulnerabilities, the asset value of the resources and the nature of their co-residence must all be considered. Cloud systems still use normal Internet protocols and security standards but require greater levels of security. Although secure protocols and encryption cater to current needs to a certain extent, they are not context oriented (Mell and Grance, 2009). A strong set of policies and protocols is necessary to secure data transmission within the cloud. Concerns regarding the intrusion of external non-users into cloud databases should also be considered. Standards should be established to construct a secure, private and isolated cloud environment on the Internet that is capable of avoiding attacks by cyber criminals.

The focus of this study is to inspect and evaluate the possibility of implementing cloud computing using OSS technology and, in particular, OpenStack, the pioneer product of OSS. Moreover, this study contributes to the Swift project, which is part of the OpenStack project, by strengthening its security arsenal. Swift is the OpenStack object storage project, the purpose of which is to offer cloud storage software in which users can store and retrieve large amounts of data in virtual containers.

1.4. OpenStack

This section gives an overview of OpenStack, its components and the nature of its security mechanisms.

1.5. Overview of OpenStack

In October 2010, the initial "austin" release of OpenStack was published. It consisted of only two projects: object storage and compute. Object storage was ready for production and compute was intended for testing. In February 2010, an updated version of OpenStack was released under the name "bexar". With bexar's release came a new component, called "OpenStack image service". In addition to releasing the new project, the development teams also made some enhancements to the previously announced projects. For example, the object storage (Swift) project introduced a means of authorizing and authenticating users, known as "swAuth". The third release, code named "cactus", announced the addition of two features to the object storage project: the option to serve static content and the ability to perform content checksum validation during get object actions. At the same time, OpenStack was performing quick enhancements on and providing additional support for virtualization technology. The fourth and, at the time of this writing, latest OpenStack release, "diablo", was announced in September 2011, at which point the OpenStack community included over 1500 people and 87 companies. At this time, the number of product deployments began to increase. Although the project teams improved scalability, availability and stability, many security concerns were still pending. OpenStack is open-source software for building private and public clouds (Wen et al., 2012; Beloglazov et al., 2012a). OpenStack consists of three main projects. The relationships between these projects are depicted in Fig. 3. The core services are compute, storage, networking and dashboard, whereas the auxiliary services are identity and image (OpenStack, 2013). Following is a partial list of OpenStack compute features:

• Commodity servers, including CPU, memory, disk and network interfaces, can be managed
• Local Area Networks (LANs) are organized, including flat, flat DHCP, VLAN DHCP, IPv4 and IPv6 networks
• Virtual machine image management tools include importing, sharing and querying
• Floating IP addresses can be assigned (and re-assigned) to VMs
• VM image caching on compute nodes enhances the efficiency of VMs
Hence, scalability and repeatability are achieved. OpenStack likewise provides persistent block-level storage devices for computing tasks that require high performance storage, which is often required by databases, expandable file systems, or servers that access raw block-level storage (Baset, 2012). The features of OpenStack storage are as follows:

• Commodity hard drives reduce the storage cost per byte
• It is capable of self-healing because data are copied to different sectors of the cloud; thus, the storage system becomes highly redundant and reliable
• It can store data on a very large scale; multiple petabytes of data and billions of individual objects can be stored
• The Amazon S3 (elastic block storage) API is supported
• Utilities enable the management of account, container and storage monitoring features

OpenStack image repository (Glance). This component enables discovery, registration and delivery for disk and server images. Base image templates can be created for use in new instances; users and administrators can also construct and store snapshots of images, which can be saved in raw, VHD (Hyper-V), VDI (VirtualBox), qcow2 (QEMU/KVM), VMDK (VMware) and OVF (VMware, others) formats (Baset, 2012).

OpenStack networking (Quantum). OpenStack networking is an API-driven system for cloud networks and IP addresses. Its features include the following:

• Static, DHCP and floating IP addresses are managed
• It supports several networking models, such as flat networks and VLANs
• It creates and manages users' networks
• It supports SDN technology (i.e., OpenFlow)

OpenFlow is simply an interface that can be installed on a network device. Promoting the use and standardisation of SDN, the Open Networking Foundation (ONF) defined the specifications of SDN (Mell and Grance, 2009), including the components and basic functions of switches and the OpenFlow protocol for managing OpenFlow switches from remote controllers. OpenFlow accesses and manages the API controlling the hardware, although information concerning the latter is not disclosed by the device manufacturers, and enables users to independently manage networks. The network framework allows various devices to be incorporated within the cloud, including intrusion detection systems, load balancers and firewalls.

OpenStack dashboard (Horizon). The OpenStack dashboard enables administrators and users to provide, manage and control cloud computation, storage and networking resources. The dashboard is used to create users and projects, assign users to projects and decrease the resources required for such projects. It also provides and controls resources allocated to projects. The OpenStack dashboard is an extensible web-based application (Crago et al., 2011).

OpenStack identity (Keystone). OpenStack identity maintains a database of users and provides authentication services. A common authentication system is provided throughout the cloud and can be integrated with third-party, back-end directory services (i.e., the Lightweight Directory Access Protocol, LDAP). It supports multiple verification systems, such as the standard username and password, token-based systems and web services such as Amazon. OpenStack identity allows cloud administrators to establish policies across users and systems, create users and tenants and grant permission to compute, storage and network resources (Beloglazov et al., 2012b). All of the core services are illustrated in Fig. 4.
system. OpenStack utilizes the concept of projects and tenants to group people into logical units for cloud computing. However, the administrator of a single project is granted managerial rights to all projects, not merely the project at hand, by the interface. The administrator's privileges, including the creation of new users and projects, have the potential to change other projects, remove items

• Cleartext is used in the network API. OpenStack API endpoints encourage the use of cleartext and no SSL/TLS support is available right now. This allows for easy man-in-the-middle attacks, and even "sniffing" passwords over the wire can be trivial
• No authentication in the client-server system. It appears that any host with access to the db and to the AMQP system can act as a compute node and launch VMs
• Usernames and passwords. Passwords and usernames that are used for accessing images will be stored in cleartext in the db and in external storage. When Glance stores images on Swift, for example, the username and password of the Swift account will be stored as cleartext in the db together with the URL of the Swift object. This could potentially allow the information of any Swift user to be accessed and read from the db. This storage of information is unnecessary because the username and password are already stored in the Glance configuration file

The problems discussed in this section will be used as the basis for studying cloud security solutions in subsequent sections. While studying the security issues of cloud computing in the previous section, we discovered which issues are often discussed in relation to identity and access management. In this section, we discuss identity and access management.
Recently, all components of "Essex", the latest release of OpenStack, support the Identity Service (Keystone), which introduces a more secure way of storing passwords in the database. Customers must be identified by Keystone before they are allowed to use any of the cloud services, which guarantees a unique point of entry. Keystone encrypts usernames and passwords and provides each user with a unique token that enables access to the services for which they are authorized. So far, the Identity Service provides the most complete security solution available to open source clouds.

1.11. Authentication Tokens

Authentication tokens play similar roles as identifiers for web applications. An API, such as an OpenStack service, is used to authenticate a user. Successful authentication generates a token that is used to authorize service requests. The password and username are given as input to the API interface. When authentication succeeds, the resulting response includes an authentication token and a service catalogue. Note that tokens remain valid for 12 h. Issued tokens become invalid in two situations:

• If the token has expired
• If the token has been cancelled

It is important that authentication be executed over a secure channel, such as Transport Layer Security (TLS); otherwise, an attacker could obtain a user token by executing a man-in-the-middle attack and remove the user who received the token from the authentication system. However, Rostyslav Slipetskyy has subjected the algorithms that are imported for token generation to a more detailed examination. The algorithm imitates the approach used to generate Universally Unique IDs (UUIDs) and utilizes a solid source of randomness that has no known disadvantages and thus is considered to be secure (Slipetskyy, 2011).

1.12. Susceptibility of Authentication Data

The transfer of OpenStack authentication data from one server to another is not safe. SwAuth has security issues that allow provider admins to view the data belonging to all users who are managed by the admin account. Malicious users are also able to gain access to other users' passwords (Lonea et al., 2012; Dlamini et al., 2012).

1.13. Malicious of Data

Most cloud providers do not encrypt data before saving it to a cluster. In fact, OpenStack does not provide any data encryption at all; thus, users would need to encrypt their data before uploading it and manage their encryption keys themselves.

It may be difficult to track security issues in cloud computing environments. Therefore, the primary aim of this study is to highlight the implications of the major security issues. Table 3 provides a summary of these security issues, which are divided into five categories and listed with their implications.

2. CONCLUSION

Cloud computing provides an important benefit to companies looking for an advantage in today's economy. Many providers are offering cloud computing services; this competition will lead to increasingly affordable prices over time. Lower prices enable businesses to use staff for other tasks and allow them to consume resources more efficiently by paying for services only as they are needed. These features, supported by an attractive and economical pay-as-you-go approach, have led to growing support for this model.

One important threat posed by cloud computing is the obscuring of boundaries between internal and external security concerns. To understand how well companies' data are kept safe, security services in the cloud must be closely studied. At a second level is availability, as providers can be victims of attacks that stop their operations. This study discusses issues that arise with the deployment model of cloud computing; in particular, this study focuses on OpenStack security issues and threats. Certain parts of OpenStack are considered secure while others need to be improved. OpenStack does not support minimum password complexity requirements and passwords are stored in plain text format. There are no controls to regulate access to sensitive files, including those containing passwords. Information transferred within the cloud is not protected through the use of file encryption techniques.

3. REFERENCES

Anding, M., 2010. SaaS: A Love-Hate Relationship for Enterprise Software Vendors. In: Software-as-a-Service: Anbieterstrategien, Kundenbedürfnisse und Wertschöpfungsstrukturen, Benlian, A., T. Hess and P. Buxmann (Eds.), Springer DE, Wiesbaden, ISBN-10: 383498731X, pp: 43-56.

Baset, S.A., 2012. Open source cloud technologies. Proceedings of the 3rd ACM Symposium on Cloud Computing, Oct. 14-17, San Jose, CA, USA, pp: 1-140. DOI: 10.1145/2391229.2391257

Beloglazov, A., S.F. Piraghaj, M. Alrokayan and R. Buyya, 2012a. A Step-by-Step Guide to Deploying OpenStack on CentOS Using the KVM Hypervisor and GlusterFS Distributed File System.

Beloglazov, A., S.F. Piraghaj, M. Alrokayan and R. Buyya, 2012b. Deploying open-stack on centos using the KVM hypervisor and glusterFS distributed file system. University of Melbourne.

Buyya, R., R. Ranjan and R.N. Calheiros, 2009. Modeling and simulation of scalable Cloud computing environments and the CloudSim toolkit: Challenges and opportunities. Proceedings of the International Conference on High Performance Computing and Simulation, Jun. 21-24, Leipzig, Germany, pp: 1-11.

Cao, B.Q., B. Li and Q.M. Xia, 2009. A service-oriented QoS-assured and multi-agent cloud computing architecture. Cloud Comput., 5931: 644-649. DOI: 10.1007/978-3-642-10665-1_66

Cigoj, P. and T. Klobucar, 2012. Cloud security and OpenStack. Proceedings of the 1st International Conference on CLoud Assisted ServiceS (CLASS '12), pp: 20-106.

Crago, S., K. Dunn, P. Eads, L. Hochstein and D.I. Kang et al., 2011. Heterogeneous cloud computing. Proceedings of the IEEE International Conference on Cluster Computing, Sept. 26-30, IEEE Xplore Press, Austin, TX, pp: 378-385. DOI: 10.1109/CLUSTER.2011.49
Descher, M., P. Masser, T. Feilhauer, A.M. Tjoa and D. Huemer, 2009. Retaining data control to the client in infrastructure clouds. Proceedings of the International Conference on Availability, Reliability and Security, Mar. 16-19, IEEE Xplore Press, Fukuoka, pp: 9-16. DOI: 10.1109/ARES.2009.78

Dlamini, M., H. Venter, J. Eloff and Y. Mitha, 2012. Authentication in the Cloud: A risk-based approach. University of Pretoria.

Grivas, S.G., T.U. Kumar and H. Wache, 2010. Cloud broker: Bringing intelligence into the cloud. Proceedings of the 3rd International Conference on Cloud Computing, Jul. 5-10, IEEE Xplore Press, Miami, FL, pp: 544-545. DOI: 10.1109/CLOUD.2010.48

Jackson, K., 2012. OpenStack Cloud Computing Cookbook. 1st Edn., Packt Publishing Ltd, Birmingham, ISBN-10: 1849517339, pp: 318.

Kamaruddin, M.A.R.R., 2011. A framework of successful executive information system development for education domain. Am. J. Applied Sci., 8: 997-1003. DOI: 10.3844/ajassp.2011.997.1003

Kandukuri, B.R., V.R. Paturi and A. Rakshit, 2009. Cloud security issues. Proceedings of the IEEE International Conference on Services Computing, Sept. 21-25, IEEE Xplore Press, Bangalore, pp: 517-520. DOI: 10.1109/SCC.2009.84

Kaur, S., 2013. Pushing frontiers with the first lady of emerging technologies: How to secure our Bluetooth insecure world. IETE Technical Rev., 30: 95-101. DOI: 10.4103/0256-4602.110547

Khan, R.H., J. Ylitalo and A.S. Ahmed, 2011. OpenID authentication as a service in OpenStack. Proceedings of the 7th International Conference on Information Assurance and Security (IAS), Dec. 5-8, IEEE Xplore Press, Melaka, pp: 372-377. DOI: 10.1109/ISIAS.2011.6122782

Laszewski, G.V., J. Diaz, F. Wang and G.C. Fox, 2012. Comparison of multiple cloud frameworks. Proceedings of the 5th International Conference on Cloud Computing, Jun. 24-29, IEEE Xplore Press, Honolulu, HI, pp: 734-741. DOI: 10.1109/CLOUD.2012.104

Lonea, A.M., D.E. Popescu and O. Prostean, 2012. A survey of management interfaces for eucalyptus cloud. Proceedings of the 7th IEEE International Symposium on Applied Computational Intelligence and Informatics, May 24-26, IEEE Xplore Press, Timisoara, pp: 261-266. DOI: 10.1109/SACI.2012.6250013

Mamaghani, N.D., R. Samizadeh and F. Saghafi, 2011. Evaluating the readiness of Iranian research centers in knowledge management. Am. J. Econ. Bus. Admin., 3: 203-212. DOI: 10.3844/ajebasp.2011.203.212

Mell, P. and T. Grance, 2009. Draft NIST working definition of cloud computing. National Institute of Standards and Technology.

Mell, P. and T. Grance, 2011. The NIST definition of cloud computing (draft). NIST Special Publication, Recommendations of the National Institute of Standards and Technology.

OpenStack, 2013. Compute administration manual: cactus.

Oracle, 2013. Wiring through an Enterprise Service Bus.

Prautzsch, F. and S. Graves, 2011. Commercial SATCOM in support of protected connectivity for the Warfighter and first responder. Proceedings of the Military Communications Conference, Nov. 7-10, IEEE Xplore Press, Baltimore, MD, pp: 2296-2301. DOI: 10.1109/MILCOM.2011.6127664

Ristenpart, T., E. Tromer, H. Shacham and S. Savage, 2009. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. Proceedings of the 16th ACM Conference on Computer and Communications Security, Nov. 09-13, Chicago, IL, USA, pp: 199-212. DOI: 10.1145/1653662.1653687

Seccombe, A., A. Hutton, A. Meisel, A. Windel and A. Licciardi et al., 2009. Security guidance for critical areas of focus in cloud computing. Cloud Security Alliance.

Sehgal, N.K., S. Sohoni, Y. Xiong, D. Fritz and W. Mulia et al., 2011. A cross section of the issues and research activities related to both information security and cloud computing. IETE Technical Rev., 28: 279-291.

Shey, H., R. Wang, J.P. Garbini and E. Daley, 2009. The State of Enterprise Software: 2009. Forrester Research, Inc.

Slipetskyy, R., 2011. Security issues in OpenStack. M.Sc. Thesis, Norwegian University of Science and Technology.

Subashini, S. and V. Kavitha, 2011. A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appli., 34: 1-11. DOI: 10.1016/j.jnca.2010.07.006

Wen, X., G. Gu, Q. Li, Y. Gao and X. Zhang, 2012. Comparison of open-source cloud management platforms: OpenStack and OpenNebula. Proceedings of the 9th International Conference on Fuzzy Systems and Knowledge Discovery, May 29-31, IEEE Xplore Press, Sichuan, pp: 2457-2461. DOI: 10.1109/FSKD.2012.6234218