PART V Other Aspects of Cloud

Chapter 17 Cloud Security and Privacy

Introduction
• Previous chapters describe cloud infrastructure, technologies, and the design of
cloud-native software.

• This chapter focuses on security vulnerabilities that arise in a cloud environment,
examining the cloud-specific aspects of those vulnerabilities and the techniques that can
overcome the shortcomings of conventional approaches to security that are inadequate or
ineffective in a cloud environment.

Cloud-Specific Security Problems

• Several factors contribute to an increase in the complexity of managing cloud
computation, communication, and data storage.

o Lack of control and visibility
▪ In a traditional IT environment, the staff controls the hardware and
software facilities and can investigate the root cause of problems.
▪ In a cloud environment, a tenant cannot configure or examine the
underlying systems and must trust that the provider’s staff has configured
security protections correctly.
▪ Additionally, when a tenant’s services do not perform as expected, the
tenant cannot easily tell whether the problem lies in the cloud
infrastructure, their design and deployment of systems, or interference
caused by an attacker.

o An infrastructure shared with outsiders
▪ Unlike a traditional IT infrastructure that serves one organization,
multiple tenants share cloud infrastructure.
▪ Although virtualization technologies should provide isolation between a
given tenant and other tenants, running multiple tenants on the same
infrastructure does increase security risks, and security and privacy
breaches have occurred.

o Many services with interdependencies among them
▪ Cloud systems use a microservices design in which many small services
run independently with communication among them. Having many
microservices that frequently communicate increases the attack
surface, giving attackers more opportunities to find vulnerabilities.

o Dynamic execution environment with bursts
▪ Orchestration systems achieve elasticity by scaling services as needed,
with new instances spread across multiple physical servers. Such
systems often exhibit bursty behavior where many new instances
appear in a short span of time.
▪ Rapid creation of instances makes it difficult to distinguish normal
execution from a Denial of Service (DoS) attack.

o Remote access for all users
▪ In a traditional IT setting, the facilities being accessed and the
employees accessing them reside in a single location.
▪ Cloud computing requires a remote access mechanism.
▪ The use of remote access increases the possible attack surface,
especially when installing and managing security software falls to
employees using their own devices.

o Extensive use of software from the cloud provider and third parties
▪ Traditional IT departments either purchase software from well-known,
trusted suppliers or hire software engineers to create custom software.
▪ Building cloud-native software adds complexity, such as designing
microservices that can be orchestrated. As a result, many cloud users
now incorporate pieces of open-source software into their systems. For
example, container software can be downloaded from Docker
repositories or GitHub.

Security In A Traditional Infrastructure

• Four aspects of traditional security.

o Insiders vs. outsiders
▪ A traditional IT infrastructure divides people into two major groups:
insiders and outsiders.
▪ Insiders include employees, contractors, or IT vendors who may need
to install or repair hardware and software systems.
▪ Anyone who is not an insider is an outsider.
▪ This classification is based on identity and does not depend on whether
entry to the organization’s buildings is possible.
▪ In a traditional IT environment, all aspects of the system must be
designed to support the insider/outsider distinction. For example, a
typical organization has two Wi-Fi networks: a main campus network
that insiders use to conduct company business and a guest network that
outsiders can use to access the Internet and public company
information.

o Perimeter security
▪ To prevent outside attackers, organizations deploy perimeter security
mechanisms at each outside connection to control access. Example
perimeter security mechanisms include firewalls, Deep Packet
Inspection (DPI) systems, and scanners used to detect viruses and
other malware in emails and imported files.
▪ Perimeter security extends the idea of insiders/outsiders by making it
especially difficult for an attacker who does not have physical access to
the organization’s IT infrastructure.

o Demilitarized zones (DMZs)
▪ One perimeter security mechanism that prevents unwanted access
consists of placing a demilitarized zone on each external connection.
▪ Instead of allowing arbitrary network traffic, restrict access to a specific
set of servers placed on an isolated network. A simple example is an
organization’s public website.

o Standing privileges divided into a few levels
▪ Traditional security uses a semi-permanent assignment of standing
privileges, which implies that once an individual has been assigned a
privilege level, the assignment remains unchanged from day to day.
▪ A typical organization has at least two standing privilege levels: one for
users and the other for system administrators.
▪ Larger organizations may compartmentalize privileges among a set of
individuals according to their duties.

Why Traditional Methods Do Not Suffice For The Cloud

• Instead of devoting a physical set of servers to a given tenant, a physical server may run
VMs and containers from multiple tenants who share the underlying physical network.

• The lack of a physical perimeter has consequences: a tenant cannot divide potential users
into insiders and outsiders or depend on perimeter control mechanisms to stop attackers.

• To minimize risks when utilizing microservices, an organization must follow the
Principle of Least Privilege (PoLP) and give an individual the least privilege the
individual needs to perform their job. In a cloud environment, because few IT staffers
need absolute privileges, instead of granting broad access privileges, the security system
only allows individuals to be authorized for specific types of access for specific services.

• Unlike a traditional IT infrastructure, a cloud tenant cannot manage security on external
internet connections directly. Instead, a tenant must work with the cloud provider. The
tenant defines security policies, and the provider configures hardware and software
systems that implement the policies.

The Zero Trust Security Model

• In a perimeterless (borderless) environment, a zero trust security model is
needed. This approach assigns each user a set of privileges for each possible service.
Instead of merely allowing a user to log in once and then have access to all services,
each request is validated separately. The identity of the user or the identity of the user’s
device can be used to decide whether to grant or deny the request.

• Moving to a zero trust model can be difficult because it requires choosing a balance
between security and convenience.

• In practice, implementing a zero trust model requires a centralized mechanism that
handles identity (i.e., passwords and authentication). Attempting to implement a zero
trust model without such a system introduces security holes because it leaves each
subsystem free to assign levels of privilege without coordination across all subsystems.

Identity Management
• To remain secure without using separate authentication for each service, an Identity
Management (IdM) software system uses a Single Sign On (SSO), which means a
user has the same login and password credentials for all services.

• An IdM system stores information about each individual, including their login,
password, and access rights and all services use the IdM system (which can be replicated
to handle scale) to ascertain whether a given individual can access the service.

• Accesses to the identity management system use encryption to ensure that the
information is kept safe.

• An IdM system can be designed to return a digital capability. The capability can
be passed to other services, allowing each service to decide whether a user is authorized
to access the service without requiring the user to enter their credentials multiple times.

• An IdM system offers convenience for users, while assuring that a user’s access to a
service has been authenticated and the access has been authorized.
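The capability-based flow described above, as an added example that is not code from the chapter: the IdM signs a capability listing, per service, the access types the user holds (least privilege), and every service validates the capability on each request rather than trusting a single login. The signing key, token layout, user and service names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the IdM's signing key. A production IdM keeps
# it in a KMS/HSM; the value here is a placeholder, not a real secret.
IDM_KEY = b"example-idm-signing-key"


def issue_capability(user, grants, ttl_seconds=300, now=None):
    """IdM side: return a signed capability naming the user, the access types
    granted per service (only what the job needs), and an expiry time."""
    now = time.time() if now is None else now
    claims = {"sub": user, "grants": grants, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(IDM_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def authorize(capability, service, access, now=None):
    """Service side: under zero trust this runs on every request. Accept only
    if the signature verifies, the capability has not expired, and this exact
    service/access pair was granted by the IdM."""
    now = time.time() if now is None else now
    parts = capability.split(".")
    if len(parts) != 2:
        return False
    body, tag = parts
    expected = hmac.new(IDM_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or modified capability
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False  # stale capability: the user must re-authenticate with the IdM
    return access in claims["grants"].get(service, [])


def run_demo(now=1_000):
    """Issue one capability and record each service's decision (constructed scenario)."""
    cap = issue_capability("alice", {"orders": ["read"], "billing": ["read", "write"]}, now=now)
    body, tag = cap.split(".")
    # Claims altered after issue cannot be re-signed; the HMAC check rejects them.
    altered = base64.urlsafe_b64encode(
        json.dumps({"sub": "alice", "grants": {"orders": ["write"]}, "exp": now + 300},
                   sort_keys=True).encode()).decode()
    return {
        "orders_read": authorize(cap, "orders", "read", now=now + 10),
        "orders_write": authorize(cap, "orders", "write", now=now + 10),
        "inventory_read": authorize(cap, "inventory", "read", now=now + 10),
        "after_expiry": authorize(cap, "orders", "read", now=now + 301),
        "altered_claims": authorize(altered + "." + tag, "orders", "write", now=now + 10),
    }
```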

Privileged Access Management (PAM)

• IT staff members have the administrative or superuser level of privilege. An
organization must take special care to guard such access.

• A Privileged Access Management (PAM) system handles identity management for
privileged accounts. Instead of a master password that grants administrative privilege
on any system, PAM systems grant a staff member only privileges on the systems the
staff member administers.

• PAM systems log all accesses, providing a detailed record of which individual accessed
a system at a given time. The systems also record failed login attempts, providing a way
to track attackers.

• Some PAM systems provide further checks on the use of accounts and can send an alert
to the manager reporting suspicious activity.

AI Technologies And Their Effect On Security

• Artificial Intelligence (AI) technologies can influence security in negative ways.
Attackers can use AI techniques to bypass safeguards and gain unauthorized access to
data or systems, and AI technology can be used to fool employees as well. Deepfakes
produced by machine learning (ML) systems have been used to obtain confidential data.

• AI techniques can strengthen safeguards as well. AI software can be used to detect
various types of anomalous behavior under the general topic of security analytics.

• Analytics software determines “normal” behavior, and then looks for exceptions.

o An AI system may be able to spot unusual behavior by an employee, such as
accesses made to data or services that the employee does not usually access or
accesses that occur at unusual times for the given employee.

o If a machine learning program receives notification of each network connection
that arrives from the Internet, the program may be able to detect an instance of
a Distributed Denial of Service (DDoS) attack.

• Security analytics software can be context-aware so it can flag any access as unusual
if it does not occur in the usual context.
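One way to realise the "learn normal, then look for exceptions" idea above, as an added example rather than the chapter's code: a baseline of which resources each employee uses and at which hours is learned from a constructed access log, and new accesses outside that baseline are flagged with a reason, including the context-aware case of a familiar resource touched at an hour it was never used before. Employee names, resource names and log entries are all constructed.

```python
from collections import defaultdict

# Constructed sample access log: (employee, resource, hour of day 0-23).
# These entries stand in for the history an analytics system would learn from.
BASELINE_LOG = [
    ("alice", "payroll-db", 9), ("alice", "payroll-db", 10), ("alice", "hr-portal", 11),
    ("alice", "payroll-db", 14), ("alice", "hr-portal", 15), ("alice", "payroll-db", 16),
    ("bob", "build-server", 8), ("bob", "source-repo", 9), ("bob", "source-repo", 10),
    ("bob", "build-server", 13), ("bob", "source-repo", 17), ("bob", "build-server", 18),
]


def build_profiles(log):
    """Learn 'normal' per employee: the resources used, the hours of use, and
    each (resource, hour) pairing so that context can be checked later."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set(), "context": set()})
    for user, resource, hour in log:
        p = profiles[user]
        p["resources"].add(resource)
        p["hours"].add(hour)
        p["context"].add((resource, hour))
    return dict(profiles)


def flag_anomalies(profiles, events, hour_slack=1):
    """Return [(event, reasons)] for events outside the employee's baseline.
    An hour within hour_slack of a previously seen hour counts as usual. A
    resource the employee does use, at an hour they are active, but never
    together before, is reported as out of context (the context-aware check)."""
    findings = []
    for user, resource, hour in events:
        prof = profiles.get(user)
        reasons = []
        if prof is None:
            reasons.append("unknown employee")
        else:
            usual_hour = any(abs(hour - h) <= hour_slack for h in prof["hours"])
            if resource not in prof["resources"]:
                reasons.append("unusual resource")
            if not usual_hour:
                reasons.append("unusual time")
            elif not reasons and not any(
                    r == resource and abs(hour - h) <= hour_slack for r, h in prof["context"]):
                reasons.append("unusual context")
        if reasons:
            findings.append(((user, resource, hour), reasons))
    return findings
```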

Protecting Remote Access

• Regardless of the physical location of remote devices, an organization must still maintain a
boundary between items that must remain secure and threats to those items. Three
principles help define security practices:

• Keep all communication confidential
o When an employee uses the Internet, steps must be taken to prevent outsiders
from eavesdropping.
o To keep communication confidential, all data must be encrypted.
o Virtual Private Network (VPN) software can be used to form a connection
to the organization’s cloud data center and encrypt all packets sent over the
connection, preventing outsiders from intercepting the contents of packets.
o To prevent accidental leaks between normal communication with Internet sites
and communication with the organization’s servers, once a VPN has been
invoked, it sends all packets to the cloud data center, even packets eventually
destined for some other site on the Internet.

• Protect and isolate business data
o Remote access introduces an additional danger: an employee may lose a device
that contains confidential business data.
o To protect the data if a device is lost, all business data stored on a user’s device
must be encrypted. Some operating system vendors offer whole disk
encryption schemes that can prevent outsiders from reading data.

• Enforce workflow security
o To ensure that all data remains safe independent of its location, an organization
must define a security policy for each workload and keep the policies enforced
at each step as the data moves. Known as a workflow security approach, this
binds the security policy for data to the data itself.

Privacy In A Cloud Environment

• Security systems enforce protections to guarantee confidentiality, integrity, and
availability of data.

• Organizations must comply with regulations that require special treatment for some
forms of data (e.g., in the US, HIPAA regulations apply to the collection, storage, and
transmission of data containing individuals’ medical information).

• In this context, the term privacy refers to keeping sensitive information about an
individual safe from public dissemination.

• Privacy is not just about keeping an individual’s data confidential. Because the Internet
contains so much information about individuals, an organization must ask whether any
new data including aggregate statistics can be used in combination with data from
other sources to deduce information about individuals.

Back Doors, Side Channels, And Other Concerns

• Interestingly, privacy considerations intertwine with other aspects of data security.

o If login credentials are stolen, an attacker can use them to launch attacks
against any web applications the user is authorized for.

o Cloud systems rely on virtualization to isolate computation, communication,
and storage systems. Three points of contact between applications cause
concern: shared computing systems, shared networks, and shared storage
systems.

o The hardware and software technologies used for virtualization work well, and
most achieve complete isolation. However, flaws, including flaws in the
underlying hardware, can allow data to transfer from one application to another
through a side channel.

o Attackers can also try to insert into systems a back door that sends copies of
data to the attacker.

Cloud Providers As Partners For Security And Privacy
• When it moves its computing to the cloud, an organization must learn to use the
configuration and management interfaces the provider offers. A new interface can be
difficult to master, and small mistakes can lead to security problems. This becomes
more complex in a multi-cloud environment because security systems available from
one provider may not be available from another.

• To keep attackers at bay, in a traditional IT infrastructure, the IT staff follows the maxim
“trust no outsiders”. However, in a cloud environment, an IT staff becomes dependent
on the cloud provider so they must learn to view the provider as a partner. Specifically,
the tenant specifies its security policies and trusts the provider to help implement the
policies.

• Cooperation between the provider and the tenant is particularly critical when an incident
occurs or when an anomaly has been detected. If a tenant is unable to analyze the
problem, discover the cause, and effect a repair, the problem may be rooted in the
underlying infrastructure, where only the provider has the authority needed to diagnose
the cause.

Summary
• The cloud environment poses special concerns for a tenant:
o The tenant has less control and visibility into the underlying systems, making it
difficult to diagnose problems.

o Because a tenant must share the infrastructure with outsiders, potential attackers
have much closer proximity to the tenant’s systems.

o Because cloud replicates microservices to handle scale, a tenant faces a dynamic
execution environment with bursts of activity and dependencies among
microservices, which further complicate security.

o The remote user access mandated by cloud means a tenant must ensure
confidentiality of business data while allowing employees to communicate over
the Internet.

o A tenant must depend on software from the cloud provider and third parties.

• Traditional security divides users into insiders who work for the organization
(employees and contractors) and outsiders who have no relationship to the organization.
However, in a cloud environment, where potential attackers may have access to shared
networks, using the insider/outsider distinction does not provide sufficient security.

• Traditional IT infrastructure uses perimeter security, with the organization forming a
conceptual fortress and security systems used to control access at external connections,
such as a demilitarized zone (DMZ) at each connection to the Internet. However, in a cloud
environment, perimeter security does not apply, so tenants must adopt a perimeterless
(i.e., borderless) approach that uses zero trust security.

• With zero trust, a tenant uses an identity management system that controls each user’s
access rights, allowing fine-grained restrictions. A Privileged Access Management
system handles administrative (superuser) privileges and logs all accesses.

• Artificial Intelligence technologies can be used both to break security and to strengthen
security. Attackers use AI schemes to probe vulnerabilities. Organizations use AI
technologies, especially machine learning, to detect anomalous behavior of users,
applications, and network traffic. AI technologies can also use the context in which
accesses occur to identify anomalies.

• Encryption and Virtual Private Network technologies can keep data confidential when
an employee uses remote access. In addition, an organization must take steps to prevent
outsiders from accessing data on a user’s device. An organization can use workflow
security, which means a security policy stays with data, even if the data moves to
an employee’s device.

• The availability of many information sources makes privacy difficult, particularly when
it is possible to combine such things as statistical aggregates of data with other sources
of information to associate facts with specific individuals.

• Cloud complicates privacy by increasing the risk of back doors and side channels
through which personal data can leak. Although most virtualization technologies
provide the needed isolation for applications, flaws in hardware and software can
create side channels.

• Learning to use the provider’s interfaces for configuration and management can be
difficult, and configuration errors can cause security problems. When defining security
in a cloud environment, a tenant must change the philosophy of not trusting any
outsiders and learn to view the cloud provider as a partner who can help ensure systems
follow the tenant’s security policies and who can identify and repair problems in the
underlying infrastructure.
