CSE407R01 - Cloud Computing

UNIT - IV

Security and Privacy


Thinking about security in the Cloud
Role-based Access Control
Secure Data in the Cloud
Secure your VMs and Containers
Secure Access to Cloud Software Services
OVERVIEW
1. Thinking about security in the Cloud
2. Role-based Access Control
a. Sharing Secrets Among Containers In A Cluster
3. Secure Data in the Cloud
a. Secure Data in Transit
b. Control Who Can Access Your Data
c. Encrypt Your Data
d. Complexities Of Sensitive Data
4. Secure your VMs and Containers
a. Poisoned VM or container image
b. Illicit Access to running VMs
c. Intercepted communication
d. Information leakage via VM Image
5. Secure Access to Cloud Software Services
THINKING ABOUT SECURITY IN THE CLOUD

• Data in the cloud is often better protected than on a self-managed server: the
providers employ security specialists who know more about security than most of us.
• But every time our data is exposed to the internet, security is a big concern.
Anything communicating via a network can be attacked.
• 3 areas of concern
– Secure the data that you move to the cloud
– Secure access to the VMs and containers you create
– Use software services in a secure manner
• Shared responsibility: the cloud provider manages the security OF the cloud; you
manage the security of what you put IN the cloud.
• You are the one who defines the security mechanisms you deploy to protect your own
content, platform, applications, systems, and networks
THINKING ABOUT SECURITY IN THE CLOUD

• Best practices you can follow:
– protect your keys, for example by enabling multifactor authentication;
– never share keys with other users (instead, create new IAM users to which you grant
the required permissions);
– follow the principle of least privilege when creating IAM users (i.e., configure them
to be able to perform only the actions that you expect them to perform, such as only
read storage or only access storage in certain regions);
– monitor usage and billing.
• Monitoring and protection services provided by the vendors:
– Amazon CloudWatch (monitor metrics and generate email alerts)
– Amazon CloudTrail (obtain a history of Amazon API calls)
– Azure Security Center (analysis of the computing resources used)
– Azure Threat Analytics (detect abnormal behavior, attacks and security issues)
– Tools for application whitelisting (declare which applications are allowed to access
your resources)
ROLE BASED ACCESS SYSTEMS

• Used to grant restricted rights to individuals
• A role defines something that a user is authorized to do
• Azure – Role-based Access Control (RBAC)
• Amazon and Google – Identity and Access Management (IAM)

• Sharing secrets among containers in a cluster
– Containers present additional security issues, especially if they interact with other
services: a container needs the API keys and passwords of the services it invokes.
– Passing keys in a Dockerfile is not secure, because they end up embedded in the Docker
image (and visible in its layer history) for anyone who can pull it.
– When using Docker Swarm services to manage a collection of containers, you can use
the docker secret create command to hand Docker a secret; it is transmitted securely to the
swarm manager, where it is stored encrypted. When an authorized service container is
launched, the Swarm manager delivers the secret to it in an in-memory filesystem (under
/run/secrets/<name>) that disappears when the container is removed.
SECURE DATA IN A CLOUD

• Cloud vendors run highly secure data centres, so the physical security of the facility is
rarely the weak point; the two main vulnerabilities lie on the user's side:
– Data in transit to and from the cloud (uploading/downloading data)
– Unauthorized access because the user granted improper access permissions
A) Secure Data in Transit
• The vendors' Python SDKs move data over Transport Layer Security (TLS), the same
protocol that protects banking sites. Encrypting the data itself before transfer adds a
further layer of protection on top of the transport.
• In Globus transfer you can request that data be encrypted before it moves. You can
configure an endpoint so that data going to or from it is always encrypted prior to
transfer. Encryption is always enabled for Amazon S3 endpoints.
• In the Python SDK, set encrypt_data=True
SECURE DATA IN A CLOUD

B) Control Who Can Access Your Data


• Incorrectly configured access control is itself a threat: the wrong people can see your data.
• RBAC only restricts your own team members. You need different mechanisms for external
collaborators.
• In Azure:
– A storage account has two access keys: key1 (treat it as the master key, never shared,
used by your own API calls) and key2 (given to collaborators who use your storage account).
Regenerate either key to terminate the access it granted.
– You can create containers and give each container a different access level: no public
access, public read access to all blobs in the container including listing them, or public
read access to blobs by name only.
– A Shared Access Signature (SAS) grants a single party scoped, time-limited access to a
resource without handing over an account key.
– Generating a SAS or setting these access controls is easy to do from the portal, the Azure
SDK, or the Azure Storage Explorer running on your PC or Mac.
• Google and Amazon offer similar mechanisms; Globus provides the Globus Auth service and
an API for Globus Sharing.
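To make the SAS idea concrete, the following is an added example, written for this page; it is neither code from the original slides nor Azure's SAS implementation. It shows the mechanism a shared access signature relies on: the account key never leaves the owner, the collaborator receives only a signature over (resource, permission, expiry), and the service recomputes and checks that signature on every request. The string-to-sign layout, the parameter names sr/sp/se/sig, and ACCOUNT_KEY are assumptions of this example, not Azure's exact format.

```python
"""Time-limited, HMAC-signed access token for a single object (added example).

Simplified model of a shared access signature.  Rotating ACCOUNT_KEY
invalidates every token signed with it, which is the "regenerate the key to
terminate access" step described in the text.  The string-to-sign format and
parameter names below are made up for illustration, not Azure's real format.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

ACCOUNT_KEY = secrets.token_bytes(32)  # constructed; in practice the storage account key


def _string_to_sign(resource, permission, expiry):
    return f"{resource}\n{permission}\n{expiry}".encode()


def issue_token(resource, permission, ttl_seconds, key=ACCOUNT_KEY, now=None):
    """Return a query string granting `permission` on `resource` until expiry."""
    expiry = int((now if now is not None else time.time()) + ttl_seconds)
    sig = hmac.new(key, _string_to_sign(resource, permission, expiry),
                   hashlib.sha256).hexdigest()
    return urlencode({"sr": resource, "sp": permission, "se": expiry, "sig": sig})


def check_token(query, resource, needed_permission, key=ACCOUNT_KEY, now=None):
    """True only if the token is untampered, unexpired and grants the permission."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        sr, granted, expiry, sig = params["sr"], params["sp"], int(params["se"]), params["sig"]
    except (KeyError, ValueError):
        return False                      # malformed or incomplete token
    if sr != resource or needed_permission not in granted:
        return False                      # wrong object, or permission not granted
    if (now if now is not None else time.time()) >= expiry:
        return False                      # expired
    expected = hmac.new(key, _string_to_sign(sr, granted, expiry),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("container1/report.csv", "r", 3600, now=t0)
    print(tok)
    print(check_token(tok, "container1/report.csv", "r", now=t0 + 60))        # valid read
    print(check_token(tok, "container1/report.csv", "w", now=t0 + 60))        # read-only token
    print(check_token(tok, "container1/report.csv", "r", now=t0 + 3601))      # expired
    print(check_token(tok.replace("sp=r&", "sp=rw&"),
                      "container1/report.csv", "w", now=t0 + 60))             # tampered
    print(check_token(tok, "container1/report.csv", "r",
                      key=secrets.token_bytes(32), now=t0 + 60))              # key rotated
```

The last call is the point of the "regenerate the key" control: once the account key changes, every signature issued under the old key fails verification, without any per-collaborator bookkeeping.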
SECURE DATA IN A CLOUD

C) Encrypt Your Data:


• If your data is very sensitive, it should be encrypted at rest: stored encrypted, and
decrypted only while it is being read or used. This provides additional protection in case
the access controls are wrong.
• Amazon and Azure both offer two types of encryption: server-side and client-side.
• Server-side encryption:
– Asks the cloud vendor to encrypt the data automatically on arrival and decrypt it on
access
– Amazon provided services (boto3 code for Amazon S3):
✓ import boto3
  s3 = boto3.resource('s3')
  s3.Object('datacont', 'test.jpg').put(
      Body=open('/home/mydata/test.jpg', 'rb'),
      ServerSideEncryption='AES256')   # SSE-S3: Amazon-managed keys
SECURE DATA IN A CLOUD

✓ Amazon manages your keys: each object is encrypted with a unique key, and that key is
encrypted with a master key
✓ you can obtain an audit trail of when your key was used and by whom
– Azure provided services:
✓ Done by Azure Storage Service Encryption
– Google provided services:
✓ Done by Google Cloud Datastore
– Amazon allows you to require that all data uploaded to a bucket be encrypted (a bucket
policy that denies unencrypted uploads); however, the encryption request must still be made
on each individual upload, as shown above. An attempt to upload without the encryption
parameter is then rejected with an error.
– Azure allows you to enable encryption at the level of a storage account; once enabled, all
data uploaded to that account are encrypted.
– Google Cloud Datastore always encrypts.
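Both the least-privilege guidance in the best-practices list (an IAM user that may only read storage, or only in certain regions) and Amazon's "require encryption on upload" rule above come down to policy documents that are evaluated per request. The following is an added example written for this page, not AWS's evaluation engine: a deliberately simplified evaluator that applies the two rules that matter most (default deny, and an explicit Deny overriding any Allow) to policy documents in IAM's JSON shape. The condition keys aws:RequestedRegion and s3:x-amz-server-side-encryption are real AWS keys; the bucket name datacont comes from the slide's own code; the evaluator itself, its supported operators and its treatment of identity and bucket policies as one list are assumptions of this example.

```python
"""Simplified IAM-style policy evaluation (added example, not AWS's own code).

A request is denied unless some statement allows it, and an explicit Deny
always wins.  Actions and resources accept '*' wildcards; conditions support
StringEquals, StringNotEquals and Null.  Real AWS evaluation has many more
operators and distinguishes identity policies from resource policies.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """True when every clause of a Condition block is satisfied by the request context."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                # A missing key satisfies the negated test, as in AWS
                if actual in _as_list(wanted):
                    return False
            elif operator == "Null":
                want_absent = str(wanted).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request under all applicable policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "Deny"  # default deny


# Least-privilege identity policy: read-only on one bucket, in one region only.
READ_ONLY_EU = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::datacont", "arn:aws:s3:::datacont/*"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
    }],
}

# Bucket policy that rejects any upload not requesting server-side encryption.
# The upload must still carry the parameter, as the slide notes.
REQUIRE_SSE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::datacont/*"},
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::datacont/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ],
}

OBJ = "arn:aws:s3:::datacont/test.jpg"

if __name__ == "__main__":
    print(evaluate([READ_ONLY_EU], "s3:GetObject", OBJ, {"aws:RequestedRegion": "eu-west-1"}))
    print(evaluate([READ_ONLY_EU], "s3:GetObject", OBJ, {"aws:RequestedRegion": "us-east-1"}))
    print(evaluate([READ_ONLY_EU], "s3:PutObject", OBJ, {"aws:RequestedRegion": "eu-west-1"}))
    print(evaluate([REQUIRE_SSE], "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "AES256"}))
    print(evaluate([REQUIRE_SSE], "s3:PutObject", OBJ, {}))
```

Note that REQUIRE_SSE, like the slide's put() call, insists on AES256; an upload that requests KMS-managed keys instead would also be denied, so list every acceptable value in the condition if you use more than one.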
SECURE DATA IN A CLOUD

• Client-side Encryption:
– useful when you want to ensure that the cloud provider never has access to
your unencrypted data.
– Amazon and Azure both provide tools that you can use to encrypt data before
they are sent over the wire. You might use these tools, for example, to create a
secure backup of data otherwise maintained in on-premises storage,
particularly if regulatory requirements prevent unencrypted data from leaving
your premises.
– But note that you are responsible for preserving the keys (as you are with
server-side encryption, if you provide the keys): if you lose a key, the data that
it encrypted are also lost.
SECURE DATA IN A CLOUD

D) Complexities of Sensitive Data:


• If your work involves access to personal health data or other sensitive information, then you are likely
subject to various rules and regulations that will affect whether and how you can use cloud resources.
• For example, in the U.S., work with personal health information (PHI) must comply with the provisions
of the Health Insurance Portability and Accountability Act (HIPAA) and in particular its Security Rule,
which mandates administrative, physical, and technical safeguards for electronic PHI.
• The important takeaway points are that:
– the major commercial cloud vendors can all satisfy HIPAA physical security standards
– this does not mean that you can just put HIPAA-covered data in the cloud and consider yourself
compliant with HIPAA regulations. You must ensure that your entire end-to-end computing
infrastructure is compliant, and thus managing HIPAA data requires your institution’s involvement
and supervision.
• One way to simplify the process of making a cloud-based computing infrastructure HIPAA compliant is
to bring the cloud inside your institution’s security boundary. This task can be accomplished in various
ways by the cloud vendors.
SECURE YOUR VMS AND CONTAINERS

• Protect the access keys you use when creating VM instances or containers

• 4 risks associated with VMs and containers:
SECURE YOUR VMS AND CONTAINERS

A) Poisoned VM or Container Image


• Running a VM or container image that you did not build yourself is dangerous. It may
expose your private data to others, launch denial-of-service attacks on other computers, or
corrupt your computational results.
• Another concern is that a downloaded VM image may not be up to date with security
patches and is thus vulnerable to attack.
• In these cases, verify the image's source, ensure that it is up to date, and run it within a
secured environment.
• In the case of VMs, each cloud vendor supplies a collection of trusted images that you can
deploy; the cloud vendor also provides free anti-malware tools that you can install once your
image is running.
• In the case of containers, another safeguard is the content digest published along with the
image: a SHA-256 hash of the image contents that can be used to verify that the image has
not been tampered with. Pull by digest rather than by tag, as in docker pull
repository/image@sha256:<digest>, so that the pull fails if the bytes do not match.
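The digest check is worth seeing end to end, because a single digest pins more than one blob: the digest you put in the pull command names the manifest, and the manifest names every layer. The following is an added example written for this page, not Docker's or any registry's code. It builds a two-layer image in memory with only the manifest fields needed here (the repository name, layer contents and field set are constructed) and shows what a registry client verifies when it pulls by digest.

```python
"""Verify a pulled image against a pinned digest (added example, not Docker's code).

Registries name content by the SHA-256 of its bytes: the manifest's digest is
what `docker pull repo/image@sha256:<digest>` pins, and the manifest in turn
lists the digest and size of every layer.  The image below is constructed.
"""
import hashlib
import json


def digest_of(blob: bytes) -> str:
    """Registry-style digest string for blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def build_manifest(layer_blobs) -> bytes:
    """Serialise a minimal manifest naming each layer by digest and size."""
    manifest = {
        "schemaVersion": 2,
        "layers": [{"digest": digest_of(b), "size": len(b)} for b in layer_blobs],
    }
    return json.dumps(manifest, sort_keys=True).encode()


def pinned_reference(repository: str, digest: str) -> str:
    """Immutable image reference for docker pull; rejects malformed digests."""
    algo, _, hexpart = digest.partition(":")
    if algo != "sha256" or len(hexpart) != 64 or not all(c in "0123456789abcdef" for c in hexpart):
        raise ValueError(f"malformed digest: {digest!r}")
    return f"{repository}@{digest}"


def verify_image(manifest_bytes: bytes, layer_blobs, expected_digest: str):
    """Return (ok, reason): the manifest must match the pin, every layer must match the manifest."""
    if digest_of(manifest_bytes) != expected_digest:
        return False, "manifest digest mismatch"
    manifest = json.loads(manifest_bytes)
    if len(manifest["layers"]) != len(layer_blobs):
        return False, "layer count mismatch"
    for i, (entry, blob) in enumerate(zip(manifest["layers"], layer_blobs)):
        if len(blob) != entry["size"] or digest_of(blob) != entry["digest"]:
            return False, f"layer {i} does not match manifest"
    return True, "verified"


# Constructed image: two layers and the manifest that names them.
LAYERS = [b"layer 0: base filesystem\n", b"layer 1: application files\n"]
MANIFEST = build_manifest(LAYERS)
PINNED_DIGEST = digest_of(MANIFEST)  # the value you would record in the pull command

if __name__ == "__main__":
    print(pinned_reference("myorg/myapp", PINNED_DIGEST))
    print(verify_image(MANIFEST, LAYERS, PINNED_DIGEST))
    tampered = [LAYERS[0], LAYERS[1] + b"extra\n"]
    print(verify_image(MANIFEST, tampered, PINNED_DIGEST))                  # layer 1 rejected
    print(verify_image(build_manifest(tampered), tampered, PINNED_DIGEST))  # manifest rejected
```

The two failure cases show why pinning the manifest is enough: altering a layer breaks its entry in the manifest, and rewriting the manifest to cover the altered layer changes the manifest's own digest. A tag such as myorg/myapp:latest can be re-pointed at new content at any time and gives none of these guarantees.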
SECURE YOUR VMS AND CONTAINERS

B) Illicit Access to Running VMs


• A VM is similar to a physical computer, and so are the steps you take to protect it.
• Steps to prevent illicit access to running VMs:
– Limit who can access the instance.
– Ensure that the credentials that allow access to the instance are not compromised
– Ensure that the software running on the instance is up to date with all security
patches
– If you run web applications such as Jupyter or a web service, open only the network
ports they need, and make sure the software listening on those ports is not subject to
known exploits. Run Jupyter over HTTPS (with a certificate and key pair) and with a
password. If more than one user needs access to Jupyter, run the JupyterHub multi-user
system instead.
SECURE YOUR VMS AND CONTAINERS

C) Intercepted Communications

• The best way to prevent interception is to take the VMs off the public Internet and place
them on a virtual private network (VPN), which uses its own private IP address ranges and
subnets that are not routable from the Internet.
• You can set up a VPN in a number of ways; the choice depends on the network you need
to create. Each public cloud lets you create a VPN that solves your specific problem from
its cloud portal.
SECURE YOUR VMS AND CONTAINERS

D) Information Leakage via VM Image


• As when pushing code to GitHub, you need to make sure that the images you share do
not contain credentials or other confidential information.
• Bugiel et al. tested 1,100 Amazon EC2 AMIs from Europe and the U.S. and found that
about one-third contained an SSH back door: a leftover public key in an authorized_keys file
that lets whoever holds the matching private key log in remotely. Using this back door they
were able to extract AWS API keys, private keys, and credentials, as well as private data,
from many instances.
• Amazon notifies users when it discovers this problem, but you are well advised, whenever
you clone an image from any repository, to look for authorized_keys files in user home
directories and delete any keys you did not put there.
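The check recommended above, and the related warning under "Sharing secrets among containers" that keys written into a Dockerfile end up in the image, both reduce to scanning an image's filesystem before it is shared or after it is cloned. The following is an added example written for this page, not from the original slides or from Bugiel et al.: it walks a directory tree and reports authorized_keys files in home directories, private key blocks, AWS-style access key IDs, and secrets assigned through ENV/ARG in a Dockerfile. The sample tree, file names and planted values are constructed in a temporary directory (the access key ID is Amazon's documented placeholder, the key material is fake), and the regular expressions are this example's own starting set.

```python
"""Scan an image filesystem for leaked credentials (added example).

Looks for what the text warns about: authorized_keys files in user home
directories (the SSH back door), private key blocks, AWS-style access key IDs,
and secrets baked into a Dockerfile through ENV/ARG.  The sample tree is
constructed; all key material in it is fake.
"""
import os
import re
import tempfile
from pathlib import Path

# Starting set of patterns; extend for the credentials your images might carry.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "dockerfile_env_secret": re.compile(
        r"^\s*(?:ENV|ARG)\s+\w*(?:PASSWORD|SECRET|TOKEN|KEY)\w*\s*=?\s*\S+", re.I | re.M),
}
HOME_ROOTS = ("home", "root")  # where user home directories live in a Linux image


def is_authorized_keys(path: Path, root: Path) -> bool:
    """True for <root>/home/<user>/.ssh/authorized_keys or <root>/root/.ssh/authorized_keys."""
    parts = path.relative_to(root).parts
    return path.name == "authorized_keys" and ".ssh" in parts and parts[0] in HOME_ROOTS


def scan_tree(root):
    """Return sorted (relative_path, finding) pairs for content that should not ship in an image."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if is_authorized_keys(path, root):
                findings.append((rel, "ssh_authorized_keys"))
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            for label, pattern in PATTERNS.items():
                if label == "dockerfile_env_secret" and name != "Dockerfile":
                    continue
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_image(root):
    """Populate root with a constructed image filesystem containing planted leaks."""
    root = Path(root)
    files = {
        "home/alice/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE alice@laptop\n",
        "home/alice/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                       "aws_secret_access_key = fake\n",
        "root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n",
        "srv/app/Dockerfile": "FROM python:3.12\nENV DB_PASSWORD=hunter2\nCOPY . /app\n",
        "srv/app/README.md": "Nothing secret here.\n",
        "etc/ssh/ssh_host_ed25519_key.pub": "ssh-ed25519 AAAA host\n",  # public half only: fine
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_image(tmp))


if __name__ == "__main__":
    for rel, finding in scan_sample():
        print(f"{finding:24s} {rel}")
```

Run scan_tree over a mounted image root (for a container, the output of docker export unpacked into a directory) before pushing the image, and again after cloning someone else's; every hit is something to remove or rotate before the image goes any further.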
SECURE ACCESS TO CLOUD SOFTWARE SERVICES

• Issue: how to control access to the services that you create for others and host in
the cloud, i.e., how to authenticate your customers and authorize what they may do.
• In developing such mechanisms, TLS (HTTPS) is certainly important, as are passwords.
• Once you have a way to authenticate users, access control lists can add some protection
by stating which authenticated users may do what.
• Another solution to the authentication problem is to use a third-party (federated)
authentication system.
• The Azure App Service provides a simple tool that you can use to enable Facebook,
Google, or Microsoft as the authentication provider for your service.
• The Globus tools can also help with authentication and authorization.
THANK YOU