MODULE 4

CLOUD SECURITY

1
 CONTENTS

• Cloud Security risks

• Security, a major concern for cloud users.
• Privacy.
• Trust.
• Operating systems security.
• Virtual machine security.
• Security of virtualization.
• Security risks posed by shared images.
• Security risks posed by a management OS.
2
 INTRODUCTION

• Security has been a concern since the early days of computing, when a
computer was isolated in a room and a threat could be posed only by malicious
insiders.
• Malware can migrate easily from one system to another cross-national borders,
and infect systems all over the globe.
• Malware, such as the Stuxnet virus, targets industrial control systems
controlled by software .
• Cyberwarfare -“actions by a nation-state to penetrate another nation’s
computers or networks for the purposes of causing damage or
disruption”.
• A computer cloud is a target-rich environment for malicious individuals and
criminal organizations.
3
• Major concern for existing users and for potential new users of cloud
computing services.
• Outsourcing computing to a cloud generates new security and privacy
concerns.
• Standards, regulations, and laws governing the activities of organizations
supporting cloud computing have yet to be adopted.
• There is the need for international regulations adopted by the countries where
data centers of cloud computing providers are located.
• Service Level Agreements (SLAs) do not provide adequate legal protection for
cloud computer users, often left to deal with events beyond their control.

4
 CLOUD SECURITY RISKS
• Traditional threats : experienced by any system connected to the Internet.
• Impact -vast amount of cloud resources and the large user population.
• The traditional threats begin at the user site. The user must protect before
connect to the cloud and to interact with the application running on the
cloud.
• The favorite means of attack are distributed denial-of-service (DDoS) attacks,
which denying services to its users.; phishing; SQL injection or cross-site
scripting.
• Phishing -gain information from a site database. Such information could
be names and credit card numbers, Social Security Numbers (SSN), or
other personal information stored by online merchants or other service
providers.
• SQL injection -used against a Web site. An SQL command entered in a
Web form causes the contents of a database used by attacker or altered.
5
• Cross-site scripting -against Web sites. A browser permits the attacker to
• New threats :cloud servers host multiple VMs; multiple applications may
run under each VM. Multi-tenancy and VMM vulnerabilities open new
attack channels for malicious users. Identifying the path followed by an
attacker more difficult in a cloud environment.
• Authentication and authorization :the procedures in place for one
individual does not extend to an enterprise.
• Third-party control : generates a spectrum of concerns caused by the lack
of transparency and limited user control.
• Availability of cloud services: system failures, power outages, and other
catastrophic events could shutdown services for extended periods of time.
Data lock-in occurs, availability is that users cannot be assured that
an application hosted on the cloud will return correct results.

6
• Cloud Security Alliance (CSA) 2010 report identifies seven top threats to CC:
1. The abusive use of the cloud - the ability to conduct nefarious(criminal) activities
from the cloud. AWS instances or applications launch DDoS attacks or to
distribute spam and malware.
2. APIs that are not fully secure - may not protect the users during a range of activities
starting with authentication and access control to monitoring and control of the
application during runtime.
3. Malicious insiders - cloud service providers do not disclose their hiring standards
and policies, so this can be a serious threat.
4. Shared technology- due to multitenant access supported by virtualization.

7
5. Account hijacking- significant threat, and cloud users must be
aware of and guard against all methods of stealing credentials.
6. Data loss or leakage - if the only copy of the data is stored on the cloud,
then sensitive data is permanently lost when cloud data replication fails
followed by a storage media failure.
7. Unknown risk profile - exposure to the ignorance or underestimation of
the risks of cloud computing.

8
 AT TA CK S I N A CL O U D CO MP U T I NG E N V I RO N ME N T

Three actors involved- user, service and cloud infrastructure; six types of
attacks possible.
• The user can be attacked by:
 Service - SSL certificate spoofing(Obtaining fake certificates), attacks on
browser caches, or phishing attacks.
 The cloud infrastructure - attacks that either originates at the cloud or
spoofs to originate from the cloud infrastructure.
The service can be attacked by:
 A user- buffer overflow, SQL injection, and privilege escalation are the
common types of attacks.
 The cloud infrastructure - the most serious line of attack. Limiting access
to resources, privilege-related attacks, data distortion, injecting additional 9
operations.
The cloud infrastructure can be attacked by:
• A user -targets the cloud control system.
• A service -requesting an excessive amount of resources
and causing the exhaustion of the resources.

10
Diagram- 2 marks

11
 AUDITABILITY OF CLOUD ACTIVITIES

• The lack of transparency makes auditability a very difficult proposition for

cloud computing.
• Auditing guidelines elaborated by the National Institute of Standards (NIST)
are mandatory for US Government agencies:
the Federal Information Processing Standard (FIPS).
the Federal Information Security Management Act (FISMA).

12
 S EC U R I TY - TH E TO P C O N C ERN F O R C LO U D U S ER S

• The unauthorized access to confidential information and the data theft.

• Data is more vulnerable in storage, as it is kept in storage for extended periods of
time.
• Threats during processing cannot be ignored; such threats can originate from flaws in
the VMM, rogue VMs, or a VMBR.
• There is the risk of unauthorized access and data theft -a Cloud Service Provider
(CSP).
• Lack of standardization is also a major concern.
• Users are concerned about the legal framework for enforcing cloud computing
security.
• Multi-tenancy is the root cause of many user concerns. Nevertheless, multi-tenancy
enables a higher server utilization, thus lower costs.
• The threats caused by multi-tenancy differ from one cloud delivery model to another.
13
 LEGAL PROTECTION OF CLOUD USERS

• Existing laws stating that the CSP must exercise reasonable security
may be difficult to implement in a case where there is a chain of
outsourcing to companies in different countries.
• Finally, a CSP may be required by law to share private data with law
enforcement agencies.
• To minimize security risks regarding data handling by the CSP.
• First, users should evaluate the security policies and the mechanisms
the CSP has in place to enforce these policies.
• Then users should analyze the information that would be stored and
processed on the cloud.

14
• The contract between the user and the Cloud Service Provider (CSP) :
 CSP obligations to handle securely sensitive information and its
obligation to comply to privacy laws.
 CSP liabilities for mishandling sensitive information.
 CSP liabilities for data loss.
 The rules governing ownership of the data.
 The geographical regions where information and backups can be
stored.

15
Minimize security risks:
• user may try to avoid processing sensitive data on a cloud. e.g.,
processing of medical or personnel records.
• sensitive data to be stored on a public or hybrid cloud, then, whenever
feasible, data should be encrypted using either a fully homomorphic
encryption scheme or secure two-party computations.

16
 P R I VA C Y A N D P R I VA C Y I M PA C T A S S E S S ME N T

• Privacy ->the right of an individual, a group of individuals, or an organization

to keep information of personal nature or proprietary information from being
disclosed.
• Privacy is protected by law; sometimes laws limit privacy.
• Digital age has confronted legislators with significant challenges related to
privacy as new threats have emerged. For example, personal information
voluntarily shared, but stolen from sites granted access to it or misused can lead
to identity theft.
• Privacy concerns are different for the three cloud delivery models and also
depend on the actual context.

17
• The main aspects of privacy are: the lack of user control, potential
unauthorized secondary use, data proliferation, and dynamic
provisioning.
• The lack of user control -user-centric data control is incompatible with cloud
usage. Once data is stored on the CSP’s servers, the user loses control of the
exact location, and in some instances the user could lose access to the data. For
example, in case of the Gmail service,

• A CSP may obtain revenues from unauthorized secondary usage of the

information, e.g., for targeted advertising. There are no technological means to
prevent this use.

• Dynamic provisioning refers to threats due to outsourcing. A range of issues is

very fuzzy; for example, how to identify the subcontractors of a CSP

• Data proliferation refers to the rapid creation and storage of large amounts of 18

data, both structured and unstructured, by organizations.

 FEDERAL TRADING COMMISSION RULES
• Four fair information practices(FIP) : refer to a set of principles and guidelines that
govern the collection, use, and management of personal data.
• Notice – web sites provide consumers clear and conspicuous notice of their information
practices, including what information they collect, how they collect it, how they use it,
how they provide Choice, Access, and Security to consumers, whether they disclose the
information collected to other entities, and whether other entities are collecting
information through the site.
• Choice - how their personal information is used. choice -internal secondary uses (such
as marketing back to consumers) and external secondary uses (such as disclosing data
to other entities).
• Access - offer consumers reasonable access to the information a web site has collected
about them, including a reasonable opportunity to review information and to correct
inaccuracies or delete information.
• Security - take reasonable steps to protect the security of the information they collect
from consumers. 19
 PRIVACY IMPACT ASSESSMENT (PIA)

• The need for tools capable to identify privacy issues in information systems.
• There are no international standards for such a process, though different
countries and organization require PIA reports.
• The centerpiece of A proposed PIA tool is based on a SaaS service.
The users accessing to the PIA tool must fill in a questionnaire.
The system used a knowledge base (KB) created and maintained by domain
experts.
The system uses templates to generate additional questions necessary and to
fill in the PIA report.
An expert system infers which rules are satisfied by the facts in the database
and provided by the users and executes the rule with the highest priority.

20
 TRUST

• Trust-> assured reliance on the character, ability, strength, or truth of someone

or something.
• Complex phenomena: enable cooperative behavior, promote adaptive
organizational forms, reduce harmful conflict, decrease transaction costs,
promote effective responses to crisis.
• Two conditions must exist for trust to develop.
Risk ->the perceived probability of loss; trust not necessary if there is no
risk involved, if there is a certainty that an action can succeed.
Interdependence -> the interests of one entity cannot be archived without
reliance on other entities.

21
• A trust relationship goes though three phases:
1.Building phase, when trust is formed.
2.Stability phase, when trust exists.
3.Dissolution phase, when trust declines.
• An entity must work very hard to build trust, but may lose the trust
very easily.

22
• There are different reasons for and forms of trust.
• Deterrence-based- costly penalties for breach of trust exceed any potential
benefits from opportunistic behavior.
• Calculus-based trust-the action involving the other party is in the self-interest
of that party.
• Relational trust After a long sequence of interactions, between entities can
develop based on the accumulated experience of dependability and reliance on
each other.
• Persistent trust is trust based on the long-term behavior of an entity,
• Dynamic trust is based on a specific context, e.g., a state of the system or the
effect of technological developments.

23
 INTERNET TRUST

• The missing identity, personal characteristics, and role definitions -

online trust(digitally)
• Offers individuals the ability to obscure or conceal their identity. The
anonymity(lack of unusual feature) reduces the cues normally used in
judgments of trust.
• Identity is critical for developing trust relations, it allows us to base our trust on
the past history of interactions with an entity.
• Anonymity causes mistrust because identity is associated with accountability.
• The opacity extends identity to personal characteristics.
• There are no guarantees that the entities we transact with fully understand the
role they have assumed.

24
• To remedy the loss of clues, security mechanisms for access control,
transparency of identity, and surveillance.
• Access control- keep intruders and mischievous agents out.
• Identity transparency- requires that the relationship between a virtual agent
and a physical person should be carefully checked through methods such as
biometric identification.
• Digital signatures and digital certificates are used for identification.
• Surveillance - intrusion detection or on logging and auditing. The first option
is based on real-time monitoring, the second on offline sifting through audit
records.
• Credentials are used when an entity is not known. Credentials are issued by a
trusted authority and describe the qualities of the entity using the credential.

25
 HOW TO DETERMINE TRUST

• Policies and reputation are two ways of determining trust.

• Policies reveal the conditions to obtain trust, and the actions when some of
the conditions are met. Policies require the verification of credentials;
credentials are issued by a trusted authority and describe the qualities of the
entity using the credential.
• Reputation is a quality attributed to an entity based on a relatively long
history of interactions or possibly observations of the entity.
Recommendations are based on trust decisions made by others and filtered
through the perspective of the entity assessing the trust.
• In a computer science context : trust of a party A to a party B for a service
X is the measurable belief of A in that B behaves dependably for a
specified period within a specified context (in relation to service X).
26
 OPERATING SYSTEM SECURITY

• OS allows multiple applications to share the hardware resources of a

physical system, subject to a set of policies.
• Measures to prevent a person from illegally using resources in a computer
system, or interfering with them in any manner- O S security
• A critical function of an OS is to protect applications against a wide range of
malicious attacks, e.g., unauthorized access to privileged information,
tempering with executable code, and spoofing.
• Such attacks can now target even single-user systems such as personal
computers, tablets, or smartphones.
• Data brought into the system may contain malicious code; this could occur
via a Java applet, or data imported by a browser from a malicious Web site.
• The mandatory security of an OS -“any security policy where the definition
of the policy logic and the assignment of security attributes is tightly
controlled by a System security policy administrator ” 27
• The elements of the mandatory OS security:
Access control -> mechanisms to control the access to different system
objects.
Authentication usage ->mechanisms to authenticate a principal.
Cryptographic usage policies ->use Cryptographic mechanisms to protect the
data
• Applications with special privileges that perform security-related functions are
called trusted applications. It allows lowest level of privileges required to
perform their functions. For example, type enforcement is a mandatory security
mechanism that can be used to restrict a trusted application to the lowest level of
privileges.

28
• Commercial OS do not support a multi-layered security; only distinguish
between a completely privileged security domain and a completely
unprivileged one.
• Trusted paths, mechanisms supporting user interactions with trusted
software, is critical to system security.
• If such mechanisms do not exist, malicious software can impersonate
trusted software.
• Some systems provide trust paths -login authentication and password
changing and allow servers to authenticate their clients.

29
• The solution to decompose a complex mechanism into several components
with well-defined roles.
• The access control mechanism consist of enforcer and decider components.
The enforcer will gather the required information about the agent attempting
the access and will pass this information to the decider. Finally, it will carry
out the actions requested by the decider.
• A trusted-path mechanism is required to prevent malicious software invoked
by an authorized application. A trusted path is also required to prevent an
impostor from impersonating the decider agent. A similar solution is proposed
for cryptography usage.

30
• Java Virtual Machine (JVM) accepts byte code in violation of language
semantics; moreover, it cannot protect itself from tampering by other
applications.
• Closed-box platforms- cellular phones, game consoles, and automated
Teller machines (ATMs) could have embedded cryptographic keys reveal
their true identity to authenticate the software running on them.
• Such facilities are not available to open-box platforms, the traditional
hardware designed for commodity operating systems.
• A highly secure operating system is necessary but not sufficient unto itself
• Application-specific security is also necessary.
• Security implemented above the operating system is better
• Ex: Electronic commerce that requires a digital signature on each
transaction.
• Commodity OS offer low assurance. 31
• OS is a complex software system consisting of millions of lines of
code, and it is vulnerable to a wide range of malicious attacks.
• An OS poorly isolates one application from another, and once an
application is compromised, the entire physical platform and all
applications running on it can be affected.
• The platform security level is thus reduced to the security level of the
most vulnerable application running on the platform.

32
 VIRTUAL MACHINE SECURITY
• Hybrid and hosted VMs, expose the entire system to the vulnerability of the host
OS.
• In a traditional VM the Virtual Machine Monitor (VMM) controls the access to the
hardware and provides a stricter isolation of VMs from one another than the
isolation of processes in a traditional OS.
A VMM controls the execution of privileged operations and can enforce
memory isolation as well as disk and network access.
The VMMs are considerably less complex and better structured than traditional
operating systems thus, in a better position to respond to security attacks.
A major challenge a VMM sees only raw data regarding the state of a guest
operating system while security services typically operate at a higher logical
level, e.g., at the level of a file rather than a disk block.
• A secure TCB (Trusted Computing Base) is a necessary condition for security in a
virtual machine environment; if the TCB is compromised then the security of the33
entire system is affected.
(a) Virtual security services provided by the VMM; (b) A dedicated security VM.

34
• VM technology provides a stricter isolation of virtual machines from one
another than the isolation of processes in a traditional operating system.
• VMM controls the execution of privileged operations and can thus enforce
memory isolation as well as disk and network access.
• The VMMs are considerably less complex and better structured than
traditional operating systems; thus, they are in a better position to respond to
security attacks.
• A major challenge is that a VMM sees only raw data regarding the state of a
guest operating system, whereas security services typically operate at a
higher logical level, e.g., at the level of a file rather than a disk block.
• A guest OS runs on simulated hardware, and the VMM has access to the
state of all virtual machines operating on the same hardware.
• The state of a guest virtual machine can be saved, restored, cloned, and
encrypted by the VMM.

35
• Surveys VM-based intrusion detection systems such as Livewire and
Siren, which exploit the three capabilities of a virtual machine for
intrusion detection: isolation, inspection, and interposition.

• The VMM has the ability to review the state of the guest VMs, and
interposition means that the VMM can trap and emulate the privileged
instruction issued by the guest VMs.

• VM-based intrusion prevention systems such as SVFS, NetTop, and

IntroVirt and surveys Terra, a VM-based trust computing platform.

• Terra uses a trusted virtual machine monitor to partition resources

among virtual machines.

36
 VMM-BASED THREATS
• Starvation of resources and denial of service for some VMs.
• Probable causes:
(a) badly configured resource limits for some VMs.
(b) a rogue VM with the capability to bypass resource limits set in VMM.
• VM side-channel attacks: malicious attack on one or more VMs by a rogue VM
under the same VMM.
• Probable causes:
(a) lack of proper isolation of inter-VM traffic due to misconfiguration of the
virtual network residing in the VMM.
(b) limitation of packet inspection devices to handle high speed traffic, e.g.,
video traffic.
(c) presence of VM instances built from insecure VM images, e.g., a VM
image having a guest OS without the latest patches.
37

• Buffer overflow attacks.

 VM-BASED THREATS

• Deployment of rogue or insecure VM. Unauthorized users may create insecure

instances from images or may perform unauthorized administrative actions on
existing VMs.
• Probable cause:
• Improper configuration of access controls on VM administrative tasks such as
instance creation, launching, suspension, re-activation and so on.
• Presence of insecure and tampered VM images in the VM image repository.
• Probable causes:
(a) lack of access control to the VM image repository.
(b) lack of mechanisms to verify the integrity of the images, e.g., digitally
signed image.
38
 SECURITY OF VIRTUALIZATION
• The complete state of an operating system running under a virtual machine is
captured by the VM; this state can be saved in a file and then the file can be
copied and shared. Implications:
• Ability to support the IaaS delivery model. In this model a user selects an
image matching the local environment used by the application and then
uploads and runs the application on the cloud using this image.
• Increased reliability. An operating system with all the applications running
under it can be replicated and switched to a hot standby.
• Improved intrusion prevention and detection. A clone can look for known
patterns in system activity and detect intrusion. The operator can switch to a
hot standby when suspicious events are detected.
• More efficient and flexible software testing. Instead of a very large number of
dedicated systems running under different OS, different version of each OS,
and different patches for each version, virtualization allows the multitude of
OS instances to share a small number of physical systems.

39
 MORE ADVANTAGES OF VIRTUALIZATION

• Straightforward mechanisms to implement resource management policies:

To balance the load of a system, a VMM can move an OS and the applications
running under it to another server when the load on the current server exceeds a
high water mark.
To reduce power consumption, the load of lightly loaded servers can be moved to
other servers and then, turn off or set on standby mode the lightly loaded servers.
• When secure logging and intrusion protection are implemented at the VMM layer, the
services cannot be disabled or modified. Intrusion detection can be disabled and logging
can be modified by an intruder when implemented at the OS level. A VMM may be able
to log only events of interest for a post-attack analysis.

40
 UNDESIRABLE EFFECTS OF VIRTUALIZATION

• Diminished ability to manage the systems and track their status.

 The number of physical systems in the inventory of an organization is limited by cost,
space, energy consumption, and human support. Creating a virtual machine (VM)
reduces ultimately to copying a file, therefore the explosion of the number of VMs. The
only limitation for the number of VMs is the amount of storage space available.
 Qualitative aspect of the explosion of the number of VMs ->traditionally, organizations
install and maintain the same version of system software. In a virtual environment the
number of different operating systems, their versions, and the patch status of each
version will be very diverse. Heterogeneity will tax the support team.
 The software lifecycle has serious implication on security. The traditional assumption
the software lifecycle is a straight line, hence the patch management is based on a
monotonic forward progress. The virtual execution model maps to a tree structure rather
than a line; indeed, at any point in time multiple instances of the VM can be created and
then, each one of them can be updated, different patches installed, and so on.

41
 IMPLICATIONS OF VIRTUALIZATION ON
SECURITY

• Infection may last indefinitely some of the infected VMs may be dormant at the time when
the measures to clean up the systems are taken and then, at a later time, wake up and infect
other systems; the scenario can repeat itself.
• In a traditional computing environment a steady state can be reached. In this steady state all
systems are brought up to a desirable state. This desirable state is reached by installing the
latest version of the system software and then applying to all systems the latest patches. Due
to the lack of control, a virtual environment may never reach such a steady state.
• A side effect of the ability to record in a file the complete state of a VM is the possibility to
roll back a VM. This allows a new type of vulnerability caused by events recorded in the
memory of an attacker.
• Virtualization undermines the basic principle that time sensitive data stored on any system
should be reduced to a minimum.

42
 SECURITY RISKS POSED BY SHARED
IMAGES

• Image sharing is critical for the IaaS cloud delivery model. For example, a user of AWS
has the option to choose between
 Amazon Machine Images (AMIs) accessible through the Quick Start.
 Community AMI menus of the EC2 service.
• Many of the images analyzed by a recent report allowed a user to undelete files, recover
credentials, private keys, or other types of sensitive information with little effort and
using standard tools.
• A software vulnerability audit revealed that 98% of the Windows AMIs and 58% of
Linux AMIs audited had critical vulnerabilities.
• Security risks:
 Backdoors and leftover credentials.
 Unsolicited connections.
 Malware. 43
 SECURITY RISKS POSED BY A MANAGEMENT
OS

• A virtual machine monitor, or hypervisor, is considerably smaller than an operating

system, e.g., the Xen VMM has ~ 60,000 lines of code.
• The Trusted Computer Base (TCB) of a cloud computing environment includes not
only the hypervisor but also the management OS.
• The management OS supports administrative tools, live migration, device drivers, and
device emulators.
• In Xen the management operating system runs in Dom0; it manages the building of all
user domains, a process consisting of several steps:
 Allocate memory in the Dom0 address space and load the kernel of the guest
operating system from the secondary storage.
 Allocate memory for the new VM and use foreign mapping to load the kernel to
the new VM.
 Set up the initial page tables for the new VM.
 Release the foreign mapping on the new VM memory, set up the virtual CPU
registers and launch the new VM.
44
The trusted computing base of a Xen-based environment includes the hardware, Xen, and the
management operating system running in Dom0. The management OS supports administrative tools,
live migration, device drivers, and device emulators. A guest operating system and applications
running under it reside in a DomU.

45
END OF MODULE 4

46