Cloud Security: Infrastructure, Data

Security, and Security as a Service

Adapted from slides by Keke Chen

 Suggested Readings
• Reference book: “Cloud Security and Privacy: An
Enterprise Perspective on Risks and Compliance
(Theory in Practice)”, Tim Mather et al.
http://www.amazon.com/Cloud-Security-Privacy-
Enterprise-Perspective/dp/0596802765
• Security Guidance for Critical Areas of Focus in Cloud
Computing V3.0,
https://cloudsecurityalliance.org/guidance/csaguide.
v3.0.pdf
– Cloud Security Alliance
 Outline
• Overview
• Infrastructure Security
• Data Security
• Identity and access management
• Audit, compliance and federation of clouds
• Security and privacy concerns
• Security as a service
• Network security, policies (research)
Dimensions of Security
Tradeoffs and Security Provisions
 Cloud Alliance 7 Concerns
Domain
Governance and Enterprise Risk
Management
Legal Issues: Contracts and Electronic
Discovery
Compliance and Audit
Information Management and Data
Security
Portability and Interoperability
Traditional Security, Business Continuity
and Disaster Recovery
Data Center Operations
GUIDANCE DEALING WITH SECURITY
Govern and measure enterprise risk
Protection requirements, security breach
disclosure laws, regulatory requirements,
privacy requirements, international laws
Proving compliance during audit
Identification and control of data in cloud.
CAI
Move data services from one provider to
another, interoperability
Security of operational processes and
procedures (security, business continuity
and disaster recovery
Evaluation of Stability, On-going services
 Cloud Alliance 7 Concerns (Contd…)
Domain
Incident Response, Notification and
Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Security as a Service
GUIDANCE DEALING WITH SECURITY
Provider and user levels to enable proper
incident handling and forensics
+Application migration
Appropriate encryption and scalable key
management
Organization’s identity, access controls
Multi-tenancy, VM isolation, VM co-
residence, hypervisor vulnerabilities
Third part facilitated security assurance,
incident management, compliance
attestation, identity and access oversight
 NIST
• Guidelines on Security and Privacy in Public
Cloud Computing, Wayne Jansen and Timothy
Grance, NIST, January 2011
http://csrc.nist.gov/publications/drafts/800-
144/Draft-SP-800-144_cloud-computing.pdf
 Security: Pros v Cons of Cloud
• Staff Specialization. • System Complexity.
• Platform Strength. • Shared Multi-tenant
• Resource Availability. Environment.
• Backup and Recovery. • Internet-facing Services
• Mobile Endpoints. • Loss of Control.
• Data Concentration. • Botnets.
• Data Center Oriented. • Mechanism Cracking
• Cloud Oriented.
 Infrastructure Security
• Infrastructure
– IaaS, PaaS, and SaaS
• Focus on public clouds
– No special security problems with private
clouds – traditional security problems only
• Different levels
– Network level
– Host level
– Application level
 Network level
• Confidentiality and integrity of data-in-transit
– Amazon had security bugs with digital signature on
SimpleDB, EC2, and SQS accesses (in 2008)
• Less or no system logging /monitoring
– Only cloud provider has this capability
– Thus, difficult to trace attacks
• Reassigned IP address
– Expose services unexpectedly
– Spammers using EC2 are difficult to identify
• Availability of cloud resources
– Some factors, such as DNS, controlled by the cloud
provider.
• Physically separated tiers become logically
separated
– E.g., 3 tier web applications
Private Cloud Network Security
 Host level (IaaS)
• Hypervisor security
– “zero-day vulnerability” in VM, if the
attacker controls hypervisor

• Virtual machine security

– SSH private keys (if mode is not
appropriately set)
– VM images (especially private VMs)
– Vulnerable Services
 Application level
• SaaS application security
– Example: In an accident, Google Docs
access control failed. All users can access
all documents
 Data Security
• Data-in-transit
• Data-at-rest
• Processing of data, including
multitenancy
• Data lineage
• Data provenance
• Data remanence
 Data Security
• Data-in-transit
– Confidentiality and integrity
• Data-at-rest & processing data
– Possibly encrypted for static storage
– Cannot be encrypted for most PaaS and
SaaS (such as Google Apps) → prevents
indexing or searching
• Research on indexing/searching encrypted
data
• Fully homomorphic encryption?
 Data lineage
• Definition: tracking and managing data
• For audit or compliance purpose
• Data flow or data path visualization
– E.g. data transferred to AWS on date x1 at time y1 and
stored in a bucket on S3 example.s3.amazonaws.com,
then processed on date x2 at time y2 on EC2 in ec2-
67-202-51-223.compute-1.amazonaws.com, then
stored in another bucket,
example2.s3.amazonaws.com, then brought back
locally on date x3 at time y3, …
• Time-consuming process even for inhouse data
center
– Not possible for a public cloud
 Data provenance
• Origin/ownership of data
– Verify the authority of data
– Trace the responsibility
– e.g., financial and medical data
• Difficult to prove data provenance in a
cloud computing scenario
 Data remanence
• Data left intact by a nominal delete
operation
– In many DBMSs and file systems, data is
deleted by flagging it.
• Lead to possible disclosure of sensitive
information
• Department of Defense: National
Industrial security program operating
manual
– Defines data clearing and sanitization
 Provider’s data and its security
• The provider collects a huge amount
of security-related data
– Data possibly related to service users
– If not managed well, it is a big threat to
users’ security
 Identity and Access Management
• IAM components
– Authentication
– Authorization
– Auditing
• IAM processes
– User management
– Authentication management
– Authorization management
– Access management – access control
– Propagation of identity to resources
– Monitoring and auditing
 Key Security and Privacy Issues
• Governance -- control and oversight over
policies, procedures, and standards for
application development, as well as the
design, implementation, testing, and
monitoring of deployed services.
 Key Security and Privacy Issues
• Compliance -- conformance with an
established specification, standard, regulation,
or law.
– Data location --- trans-border data flows include whether
the laws in the jurisdiction where the data was collected permit
the flow, whether those laws continue to apply to the data post
transfer, and whether the laws at the destination present
additional risks or benefits
– Laws and Regulations --- OMB, Clinger-Cohen Act,
FISMA, NARA (archives), HIPPA, PCI DSS (cards)
– Electronic Discovery --- FOIA, litigation
 Key Security and Privacy Issues
• Trust
– Insider Access --- (esp. DOS)
– Data Ownership --- Privacy versus data ownership.
– Composite Services --- Nesting and layering of
services, trust is not transitive, liability and
performance guarantees
– Visibility --- detailed network and system level
monitoring, oversight
– Risk Management
 Security as a Service
• Origins: Email Spam
• Today
– Email Filtering
– Web Content Filtering
– Vulnerability Management
– Identity Management as a service
– Etc.
• Naming: SaaS
– NOT to be confused with Software as a Service!
SecaaS: Security as a Service (Cloud Security Alliance)
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
 SaaS Categorization by CSA
CSA: Cloud Security Alliance
1. Identity and Access Management
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security Assessments
6. Intrusion Management
7. Security Information and Event Management (SIEM)
8. Encryption
9. Business Continuity and Disaster Recovery
10. Network Security
 Identity and Access Management
(IAM)
• SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active
Directory Federated Services (ADFS2), WS- Federation
• Commercial Cloud Examples
– CA Arcot Webfort
– CyberArk Software Privileged Identity Manager
– Novell Cloud Security Services
– ObjectSecurity OpenPMF (authorization policy automation, for
private cloud only)
– Symplified
• Threats addressed
– Identity theft, Unauthorized access, Privilege escalation, Insider
threat, Non-repudiation, Excess privileges / Excessive access,
Delegation of authorizations / Entitlements, Fraud
 Data Loss Prevention
• Monitoring, protecting, and verifying the security of data
• by running as a client on desktops / servers and running rules
– “No FTP” or “No uploads” to web sites
– “No documents with numbers that look like credit cards can be
emailed”
– “Anything saved to USB storage is automatically encrypted and can
only be unencrypted on another office owned machine with a
correctly installed DLP client”
– “Only clients with functioning DLP software can open files from the
fileserver”
• Related to IAM
• Threats Addressed
– Data loss/leakage, Unauthorized access, Malicious compromises of
data integrity, Data sovereignty issues, Regulatory sanctions and fines
 Web Security
• Real-time protection
– On-premise through software/appliance installation
– Proxying or redirecting web traffic to the cloud provider
• Prevent malware from entering the enterprise via
activities such as web browsing
• Mail Server, Anti-virus, Anti-spam, Web Filtering, Web
Monitoring, Vulnerability Management, Anti-phishing
• Threats addressed
– Keyloggers, Domain Content, Malware, Spyware, Bot
Network, Phishing, Virus, Bandwidth consumption, Data
Loss Prevention, Spam
 Email Security
• Control over inbound and outbound email
• Enforce corporate polices such as acceptable use and
spam
• Policy-based encryption of emails
• Digital signatures enabling identification and non-
repudiation
• Services
– Content security, Anti- virus/Anti-malware, Spam filtering,
Email encryption, DLP for outbound email, Web mail, Anti-
phishing
• Threats addressed
– Phishing, Intrusion, Malware, Spam, Address spoofing
 Security Assessments
• Third-party audits of cloud services or assessments of local systems via
cloud-provided solutions
• Well defined and supported by multiple standards such as NIST, ISO, and
CIS
• Additional Cloud Challenges
– Virtualization awareness of the tool
– Support for common web frameworks in PaaS applications
– Compliance Controls for IaaS, PaaS, and SaaS platforms
• Services
– Internal and / or external penetration test, Application penetration test, Host
and guest assessments, Firewall / IPS (security components of the
infrastructure) assessments, Virtual infrastructure assessment
• Threats addressed
– Inaccurate inventory, Lack of continuous monitoring, Lack of correlation
information, Lack of complete auditing, Failure to meet/prove adherence to
Regulatory/Standards Compliance, Insecure / vulnerable configurations,
Insecure architectures, Insecure processes / processes not being followed
 Intrusion Management
• Using pattern recognition to detect and react to
statistically unusual events
• IM tools are mature, however
– virtualization and massive multi-tenancy is creating
new targets for intrusion
– raises many questions about the implementation of
the same protection in cloud environments
• Services
– Packet Inspection, Detection, Prevention
• Threats addressed
– Intrusion, Malware
 Security Information and Event
Management (SIEM)
• Accept log and event information
• Correlate and analyze to provide real-time reporting
and alerting on incidents / events
• Services
– Log management, Event correlation, Security/Incident
response, Scalability, Log and Event Storage, Interactive
searching and parsing of log data, Logs immutable (for
legal investigations)
• Threats addressed
– Abuse, Insecure Interfaces and APIs, Malicious Insiders,
Shared Technology Issues, Data Loss and Leakage, Account
or Service Hijacking, Unknown Risk Profile, Fraud
 Encryption
• The process of obfuscating/encoding data using
cryptographic algorithms
– Algorithm(s) that are computationally difficult to break
• Services
– VPN services, Encryption Key Management, Virtual Storage
Encryption, Communications Encryption, Application
Encryption, Database Encryption, digital signatures, Integrity
validation
• Threats addressed
– Failure to meet Regulatory Compliance requirements, Mitigating
insider and external threats to data, Intercepted clear text
network traffic, Clear text data on stolen / disposed of
hardware, Reducing the risk or and potentially enabling cross-
border business opportunities, Reducing perceived risks and
thus enabling Cloud's Adoption by government
 Business Continuity and Disaster
Recovery
• Ensure operational resiliency in the event of any
service interruptions
• Flexible and reliable failover
• Utilize cloud’s flexibility to minimize cost and maximize
benefits
• Services
– File recovery provider, File backup provider, Cold site,
Warm site, Hot site, Insurance, Business partner
agreements, Replication (e.g. Databases)Threats addressed
– Natural disaster, Fire, Power outage, Terrorism/sabotage,
Data corruption, Data deletion, Pandemic/biohazard
 Network Security
• Services that allocate access, distribute, monitor, and protect the
underlying resource services
– Address security controls at the network in aggregate, Or
– Specifically address at the individual network of each underlying
resource
• In Clouds, likely to be provided by virtual devices alongside
traditional physical devices
– Tight integration with the hypervisor to ensure full visibility of all
traffic on the virtual network layer is key
• Services
– Firewall (perimeter and server tier), Web application firewall, DDOS
protection/mitigation, DLP, IR management, IDS / IPS
• Threats addressed
– Data Threats, Access Control Threats, Application Vulnerabilities,
Cloud Platform Threats, Regulatory, Compliance & Law Enforcement
•
Network Security (Research)
Policies about the configurations of the infrastructure are used for specifying security and
availability requirements

• A critical device should be placed within a security perimeter

• Unprotected devices should not communicate with machines running critical services
• Computation on confidential data must performed on hosts under the control of DoD

• Policy-driven approach has been taken by FISMA, PCI-DSS, NERC

Scalability
Real-time detection of violations

Requirements Monitoring itself needs to be secure

Information needs to be shared

across cloud providers
37
 Middleware for Assured Clouds
DORA Subsystem

External
Event Odessa Agent
Aggregator
Formal Design and

Trustworthiness of Workflows
Reaction analysis of Assured

Policy Distribution
Agent
Mission Critical
Computations

Odessa Agent
Reaction
Agent

External
NetOdessa
Event Evaluation on a
Agent
Aggregator distributed networked
test-bed

Trust Calculation Distance from

Module Compliance
Calculation

Risk Assessment Modules

38
 Reaction Agents are part of the
Middleware
When a policy violation is detected
• Security, availability, or timeliness requirements might not be
satisfied
• We need to reconfigure the system

We implemented a cloud-based OpenFlow reaction agent

OpenFlow
controller

Reaction
Agent

39
 To Read Further
• Roy H. Campbell, Mirko Montanari, Reza Farivar, Middleware for
Assured Clouds, Journal of Internet Services and Applications,
2011 [pdf]
• Kroske, E. ; Farivar, R. ; Montanari, M. ; Larson, K. ; Campbell,
R.H., NetODESSA: Dynamic Policy Enforcement in Cloud Networks,
30th IEEE Symposium on Reliable Distributed Systems - Workshops
(SRDSW), 2011
• Mirko Montanari, Roy H. Campbell, Attack-resilient Compliance
Monitoring for Large Distributed Infrastructure Systems, IEEE
International Conference on Network and System Security (NSS),
Sept 2011. [pdf]
• Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H.
Campbell, "Distributed Security Policy Conformance," IFIP SEC
2011, Lucerne, Switzerland, June 2011. [pdf]