
CHAP - V (Cloud Computing)

The document discusses several security issues and threats related to cloud computing including data breaches, data loss, account hijacking, denial of service attacks, and malicious insiders. It also examines potential solutions to cloud security including securing networks, hosts, and applications. Some key risks mentioned are multi-tenancy, loss of control over data, and vulnerabilities in shared infrastructure.

Uploaded by

bahar
Copyright
© All Rights Reserved

Chapter V (Cloud Computing Security Issues and Solutions)

Cloud Security Challenges


Trusting vendor’s security model
Multi-tenancy
Data ownership issues
QoS guarantees
Attraction to hackers (high-value target)
Security of virtual OSs in the cloud
Obtaining support from cloud vendor for security related investigations
Indirect administrator accountability
Loss of physical control
Possibility for massive outages
Encryption needs for cloud computing
Encrypting access to the cloud resource control interface
Encrypting administrative access to OS instances
Encrypting access to applications
Encrypting application data at rest
Threats to cloud computing security
1. Data breaches
2. Data loss
3. Account/service traffic hijacking
4. Insecure interface and APIs
5. Denial of service
6. Malicious insiders
7. Cloud abuse
8. Insufficient due diligence
9. Shared technology vulnerabilities
Data breaches
Clouds represent concentrations of corporate applications
and data, and if any intruder penetrated far enough, who
knows how many sensitive pieces of information will be
exposed.
If a multitenant cloud service database is not properly
designed, a flaw in one client's application could allow an
attacker access not only to that client's data, but every
other client's data as well.
Unfortunately, while data loss and data leakage are both
serious threats to cloud computing, the measures you put in
place to mitigate one of these threats can exacerbate the
other.
Encryption protects data at rest, but lose the encryption key
and you've lost the data. The cloud routinely makes copies
of data to prevent its loss when a server dies unexpectedly.
The more copies, the more exposure you have to breaches.
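The multitenant database flaw described above, as an added example that is not part of the original slides: one shared SQLite table, a lookup that forgets tenant ownership, and a store that binds the tenant once and scopes every query. The table layout, tenant names and function names are constructed for illustration.

```python
import sqlite3


def build_shared_db():
    """One database shared by every tenant (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO invoices (id, tenant_id, body) VALUES (?, ?, ?)",
        [
            (1, "tenant-a", "A: invoice for 120 USD"),
            (2, "tenant-a", "A: invoice for 75 USD"),
            (3, "tenant-b", "B: payroll export"),
        ],
    )
    return db


def get_invoice_unscoped(db, invoice_id):
    """Flawed design: trusts the caller-supplied id and never checks
    which tenant owns the row, so any tenant can read any row."""
    row = db.execute(
        "SELECT body FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return row[0] if row else None


class TenantScopedStore:
    """Hardened design: the tenant is bound once, from the authenticated
    session, and every query carries it as a parameter."""

    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant_id = tenant_id

    def get_invoice(self, invoice_id):
        row = self._db.execute(
            "SELECT body FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None

    def list_invoice_ids(self):
        rows = self._db.execute(
            "SELECT id FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_shared_db()
    print("unscoped lookup of id 3:", get_invoice_unscoped(db, 3))
    store = TenantScopedStore(db, "tenant-a")
    print("scoped lookup of id 3:  ", store.get_invoice(3))
    print("tenant-a invoice ids:   ", store.list_invoice_ids())
```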
Data loss
A data breach is the result of a malicious and
probably intrusive action.
Data loss may occur when a disk drive dies without
its owner having created a backup.
It occurs when the owner of encrypted data loses
the key that unlocks it.
Small amounts of data were lost for some Amazon
Web Services customers as its EC2 (Elastic
Compute Cloud) cloud suffered due to human
operator error on Easter weekend in 2011.
A data loss could also occur intentionally in the
event of a malicious attack.
Account Or Service Traffic Hijacking
Phishing, exploitation of software vulnerabilities such as buffer
overflow attacks, and loss of passwords and credentials can all
lead to the loss of control over a user account.
An intruder with control over a user account can eavesdrop on
transactions, manipulate data, provide false and business-
damaging responses to customers, and redirect customers to a
competitor's site or inappropriate sites.
If your account in the cloud is hijacked, it can be used as a base by
an attacker to use the power of your reputation to enhance
himself at your expense.
If credentials are stolen, the wrong party has access to an
individual's accounts and systems.
A service hijacking lets an intruder into critical areas of a deployed
service with the possibility of "compromising the confidentiality,
integrity, and availability" of those services.
The must-do points are to prohibit the sharing of account credentials
between users, including trusted business partners; and to
implement strong two-factor authentication techniques "where possible."
Insecure APIs
The cloud era has brought about the contradiction of trying to
make services available to millions while limiting any damage
all these largely anonymous users might do to the service.
From authentication and access control to encryption and
activity monitoring, these interfaces must be designed to
protect against both accidental and malicious attempts to
circumvent policy.
Such policies prevent unauthorized users from reaching parts of
applications that are not part of the public service or restrict
users to operations that match their privilege level.
But layers are added to APIs to reach value-added services and
increasing complexity adds to the possibility that some
exposure exists. Security-conscious APIs offer many
protections.
Reliance on a weak set of interfaces and APIs exposes
organizations to a variety of security issues related to
confidentiality, integrity, availability and accountability.
Denial Of Service
Denial of service attacks are an old disrupter of online operations,
but they remain a threat nevertheless.
The assault by hundreds of thousands or millions of automated
requests for service has to be detected and screened out before it
ties up operations, but attackers have improvised increasingly
sophisticated and distributed ways of conducting the assault,
making it harder to detect which parts of the incoming traffic
are the bad actors versus legitimate users.
For cloud customers, "experiencing a denial-of-service attack is
like being caught in rush-hour traffic gridlock: there's no way
to get to your destination, and nothing you can do about it
except sit and wait."
When a denial-of-service attack hits a customer's service in the cloud,
it may impair service without shutting it down, in which case the
customer will be billed by the cloud service for all the resources
consumed during the attack.
Persistent denial-of-service attacks may make it "too expensive for
you to run your service and you'll be forced to take it down yourself."
Malicious Insiders
Malicious insiders might seem to be a common threat in
cloud computing.
If one exists inside a large cloud organization, the
hazards are magnified.
One tactic cloud customers should use to protect
themselves is to keep their encryption keys on their
own premises, not in the cloud.
If the keys are not kept with the customer and are only
available at data-usage time, the system is still
vulnerable to malicious insider attack.
"Systems that depend solely on the cloud service provider
for security are at great risk" from a malicious insider.
Abuse of Cloud Services
Cloud computing brings large-scale, elastic services to
enterprise users and hackers alike.
It might take an attacker years to crack an encryption key
using his own limited hardware. But using an array of
cloud servers, he might be able to crack it in minutes.
Hackers might use cloud servers to serve malware, launch
DDoS (Distributed Denial of Service) attacks, or distribute
pirated software.
Responsibility for use of cloud services rests with service
providers, but how will they detect inappropriate uses?
Do they have clear definitions of what constitutes abuse?
How will it be prevented in the future if it occurs once?
But clearly, cloud customers will need to assess service
provider behavior to see how effectively they respond.
Insufficient Due Diligence
Too many enterprises jump into the cloud without understanding the full scope of
the undertaking.
Without an understanding of the service providers' environment and protections,
customers don't know what to expect in the way of incident response,
encryption use, and security monitoring.
Not knowing these factors means organizations are taking on unknown levels of
risk in ways they may not even comprehend, but that are a far departure from
their current risks.
Chances are, expectations will be mismatched between customer and service.
What are contractual obligations for each party?
How will liability be divided?
How much transparency can a customer expect from the provider in the face of
an incident?
Enterprises may push applications that have internal on-premises network
security controls into the cloud, where those network security controls don't
work.
If enterprise architects don't understand the cloud environment, their application
designs may not function with proper security when they're run in a cloud
setting.
Shared Technology
In a multi-tenant environment, the compromise of a single
component, such as the hypervisor, exposes more than just the
compromised customer; rather, it exposes the entire environment
to a potential of compromise and breach.
The same could be said for other shared services, including CPU
caches, a shared database service, or shared storage.
The cloud is about shared infrastructure, and a misconfigured
operating system or application can lead to compromises beyond
their immediate surroundings.
In a shared infrastructure, it is recommended to build an in-depth
defensive strategy. Defenses should apply to the use of compute,
storage, networking, applications, and user access. Monitoring
should watch for destructive moves and behaviors.
Cloud Computing Security Solutions
1) Security at the Network Level
2) Security at the Host Level
3) Security at the Application Level

1) Security at the Network Level


Ensuring confidentiality and integrity of the
organization's data in transit to and from the public
cloud provider
Ensuring proper access control (Authentication,
Authorization, Auditing) to resources in the public
cloud
Ensuring availability of the Internet-facing resources
of the public cloud used by the organization
Replacing the established network zones and tiers with
domains
2) Security at the Host Level
Host security at PaaS and SaaS Level
Both the PaaS and SaaS hide the host operating system
from end users
Host security responsibilities in SaaS and PaaS are
transferred to Cloud Service Provider (CSP)
Host security at IaaS Level
Virtualization software security, hypervisor security
Threats: Blue Pill attack on the hypervisor
Customer guest OS or virtual server security
Attacks to the guest OS: e.g., stealing keys used to
access and manage the hosts
3) Security at the Application Level
Usually it’s the responsibility of both the CSP and the
customer
Application security at the SaaS level
SaaS Providers are responsible for providing application
security
Application security at the PaaS level
Security of the PaaS Platform
Security of the customer applications deployed on a PaaS
platform
Application security at the IaaS Level
Customer applications are treated as a black box
The IaaS provider is not responsible for application-level security
Cloud Storage and Data Security
Aspects of Data Security
Security for Data in transit
Data at rest
Processing of data including multitenancy
Solutions include encryption, identity management, sanitation
Data Security Mitigation
Even though data in transit is encrypted, use of the data in the cloud
will require decryption. That is, the cloud will hold unencrypted data
Mitigation
Sensitive data cannot be stored in a public cloud
Homomorphic encryption may be a solution in the future
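What "homomorphic encryption" would buy, as an added example that is not part of the original slides: the cloud sums encrypted values without ever decrypting them, and only the key holder on premises can read the total. It uses the Paillier scheme (additively homomorphic only, chosen here for illustration) with toy-sized primes; the class and function names are this example's own.

```python
import math
import secrets

# Toy parameters for illustration only (two Mersenne primes). Real
# deployments use a vetted library and primes of 1024 bits or more.
TOY_P = 2**31 - 1
TOY_Q = 2**61 - 1


class PaillierKey:
    """Paillier key pair with generator g = n + 1, held on premises."""

    def __init__(self, p, q):
        self.n = p * q                      # public modulus
        self.n2 = self.n * self.n           # ciphertexts live mod n^2
        # Private part: lambda = lcm(p-1, q-1) and mu = lambda^-1 mod n.
        self._lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        self._mu = pow(self._lam, -1, self.n)

    def encrypt(self, m):
        if not 0 <= m < self.n:
            raise ValueError("plaintext out of range")
        while True:                         # fresh randomness per ciphertext
            r = secrets.randbelow(self.n - 1) + 1
            if math.gcd(r, self.n) == 1:
                break
        # c = (1 + n)^m * r^n mod n^2
        return pow(self.n + 1, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        u = pow(c, self._lam, self.n2)      # u = 1 + m*lambda*n mod n^2
        return (u - 1) // self.n * self._mu % self.n


def cloud_sum(n2, ciphertexts):
    """Runs at the provider: multiplying ciphertexts adds the hidden
    plaintexts. Needs only the public value n^2, never the private key."""
    total = 1
    for c in ciphertexts:
        total = total * c % n2
    return total


def outsourced_total(values):
    """Customer encrypts, provider aggregates, customer decrypts."""
    key = PaillierKey(TOY_P, TOY_Q)
    uploaded = [key.encrypt(v) for v in values]   # sent to the cloud
    encrypted_total = cloud_sum(key.n2, uploaded)  # computed in the cloud
    return key.decrypt(encrypted_total)            # read on premises


if __name__ == "__main__":
    print(outsourced_total([1200, 75, 310]))
```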
Provider Data and its Security
What data does the provider collect – e.g., metadata, and how can this
data be secured?
Data security issues: access control, key management for encrypting
Confidentiality, Integrity and Availability are objectives of data
security in the cloud
Encryption: The Secure Socket Layer (SSL)
SSL is the standard security technology for establishing
an encrypted link between a web server and browser.
This ensures that data passed between the browser
and the web server stays private.
To create an SSL connection on a web server requires
an SSL certificate. When your cloud provider starts
an SSL session, they are prompted to complete a
number of questions about the identity of their
company and web site.
SSL is a fairly streamlined process, and operates in the
background. The only difference you are likely to see
is that the page takes a little longer to load because of
all the behind-the-scenes certificate passing.
Procedures to establish the SSL session
1. The browser checks the web site’s certificate to
ensure that the site you are connecting to is the
real site and not someone else intercepting and
spoofing the site.
2. The browser and web site decide on what type of
encryption to use.
3. The browser and server send each other unique
codes to use when encrypting information to be
sent.
4. The browser and server use the encryption to start
talking.
5. The browser shows the encrypting icon, and web
pages are passed as secured.
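Steps 1 and 2 of the procedure above only protect the session if the client is configured to enforce them. The following added example (not part of the original slides) uses Python's standard ssl module to audit a client context, showing a weak configuration beside a hardened one; the helper names and finding strings are this example's own, and handshake_report needs network access, so it is defined but not called.

```python
import socket
import ssl


def audit_client_context(ctx):
    """Return the handshake safeguards that this client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("step 1: certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("step 1: certificate is not matched to the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("step 2: protocols older than TLS 1.2 may be negotiated")
    return findings


def hardened_context():
    """Verifies the chain against the system trust store, checks the
    host name, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The configuration to look for in reviews: verification switched
    off. check_hostname must be cleared before verify_mode is lowered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def handshake_report(host, port=443, timeout=5.0):
    """Perform steps 1 to 4 against a live server and report what was
    agreed. Raises ssl.SSLCertVerificationError if step 1 fails."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),      # outcome of step 2
                "cipher": tls.cipher()[0],      # outcome of step 2
                "subject": cert.get("subject"),  # identity checked in step 1
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_context()))
    print("weak:    ", audit_client_context(weak_context()))
```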
Identity and Access Management (IAM) in the Cloud
Authentication: Verifying the identity of a user, system or service
Authorization: Privileges that a user, system or service has after
being authenticated (e.g., access control)
Auditing: Examining what the user, system or service has carried out
Check for compliance
Why IAM?
Improves operational efficiency and regulatory compliance
management
IAM enables organizations to achieve access control and operational
security
Cloud use cases that need IAM
Organization employees accessing a SaaS service using identity federation
IT admins accessing the CSP management console to provision resources and
access for users using a corporate identity
Developers creating accounts for partner users in PaaS
End users accessing a storage service in a cloud
Applications residing in one cloud service provider accessing storage from another
cloud service
IAM Practice
IAM process consists of the following:
User management
Authentication management
Authorization management
Access management
Data management and provisioning
Monitoring and auditing
Provisioning
Credential and attribute management
Entitlement management
Compliance management
Centralization of authentication and authorization
Relevant IAM Standards, Protocols for Cloud
IAM Standards and Specifications for Organizations
SAML (Security Assertion Markup Language)
SPML (Service Provisioning Markup Language)
XACML (eXtensible Access Control Markup Language)
OAuth (Open Authentication) – cloud service X
accessing data in cloud service Y without disclosing
credentials
IAM Standards and Specifications for Consumers
OpenID
Information Cards
Open Authenticate (OATH)
Open Authentication API (Open Auth.)
Security Management in the Cloud
Security Management Standards
Security Management has to be carried out in the cloud
Standards include ITIL (Information Technology Infrastructure Library)
and ISO 27001/27002
What are the policies, procedures, processes and work instruction for
managing security
Security Management in the Cloud
Access Control (ISO, ITIL)
Vulnerability Management (ISO, IEC)
Patch Management (ITIL)
Configuration Management (ITIL)
Incident Response (ISO/IEC)
System use and Access Monitoring
Availability Management (ITIL)
SaaS availability - Customer responsibility: Customer must understand SLA and
communication methods, SaaS health monitoring
PaaS availability - Customer responsibility, PaaS health monitoring
IaaS availability - Customer responsibility, IaaS health monitoring
Access Control
Who should have access and why?
How is a resource accessed?
How is the access monitored?
Impact of access control on SaaS, PaaS and IaaS
Security Vulnerability, Patch and Configuration Management
How can security vulnerability, patch and
configuration management for an organization be
extended to a cloud environment?
What is the impact of VPS on SaaS, PaaS and IaaS?
Privacy Concerns with a Third Party
Privacy is the accountability of organizations to data subjects, as well as
transparency about an organization’s practices around personal information.
The first and most obvious concern is for privacy considerations. That is, if
another party is housing all your data, how do you know that it’s safe and
secure? You really don’t.
As a starting point, assume that anything you put on the cloud can be accessed
by anyone.
There are also concerns because law enforcement has been better able to get at
data maintained on a cloud, more so than they are from an organization’s
servers.
That doesn’t mean that there aren’t reputable companies who would never think
of compromising your data and who aren’t staying on the cutting edge of
network security to keep your data safe. In a glass-half-full world, that’s what
all the companies are doing. But in reality, even if providers are doing their
best to secure data, it can still be hacked, and then your sensitive information
is at the mercy of whoever broke in.
Tips for a secure cloud computing
a) Identify and Assign Value to Assets
b) Assess Your Liabilities
c) Research Compliance Requirements
d) Determine Your Risk Tolerance
e) Research Potential Providers’ Processes
f) Ask About Security and Reliability Certifications
g) Build Security Controls into the Contract
h) Negotiate Service Levels and Exit Strategies
i) Pursue Offline Security Measures
j) Read the Cloud Security Alliance Guidance Document
a) Identify and Assign Value to Assets
Assets could include applications such as customer relationship
management (CRM) or accounting; data, including private
customer information; or infrastructure such as hosted servers
and operating systems.
The Cloud Security Alliance (CSA), an industry association set up to
promote security in the cloud, recommends a structured, step-by-
step approach to planning and managing cloud security, and this
is where it starts.
Ask yourself how valuable the assets that you’re considering moving
to the cloud are to your organization.
What would happen if you couldn’t access online software for an
hour or a day, for example, or the provider lost your data or
hackers stole sensitive information from the providers’
computers?
Not all cloud providers are the same. If you assign a value to your
assets, then it’s easier to decide what level of security you’re going
to need.
b) Assess Your Liabilities
One of the biggest cloud security concerns is the risk
of breaches resulting in loss or theft of sensitive
private data.
If the information leaked is proprietary only to your
company, liability is not a concern. But you need to
know where responsibility lies if customer or
patient information goes missing.
If there’s a breach and data is lost, it’s not the cloud
provider who is on the hook. It’s the way all the
regulatory bodies are coming down on this.
You collected the data and chose how to store it. So
you’re on the hook if something goes wrong.
In other words, caveat emptor -- let the buyer beware. And
in this case, you’re the buyer.
c) Research Compliance Requirements
Long before you engage with potential providers, you need to
build a list of regulatory requirements for security.
In some industries -- banking and health care are examples --
government or industry regulations establish standards for
how electronic data is handled, including stipulating the
level of security in place. You may not even be permitted to
use cloud services, or there may be restrictions, such as the
data must be stored within the borders of your own country.
The number and type of security controls in place may well be
defined by regulation. If you’re processing credit card
transactions, for example, you may need to comply with
PCI-DSS standards.
Even if nothing ever goes wrong security-wise, failing to
comply with regulations can land you in hot water.
d) Determine Your Risk Tolerance
These initial steps all play into this admittedly somewhat
nebulous, but pivotal, next step. How much are you willing
to risk, how much can you afford to risk -- given the
liabilities, the regulatory requirements, the importance of
the assets to your organization?
Based on the level of risk you may face, choose an appropriate
cloud scenario referring to a cloud implementation that
involves some data or program logic remaining on your
business premises.
The other critical consideration is the cost of ensuring
security, whether in the cloud or at your own offices. The
more security controls you demand from cloud providers,
the more expensive their services will be.
But if we could give any advice to small businesses, it would be
to not necessarily accept the lowest-cost solution. Cost is not
the only thing to consider.
e) Research Potential Providers’ Processes
With this preparatory work behind you, it’s time to start assessing what’s
available in the cloud services market.
You can begin by studying their marketing literature, but to find out in detail
how the service works -- where and how data moves and where it resides,
what security controls are in place by default and the extent to which the
provider is willing to tailor a security solution for you -- you will have to talk
to them.
You will need to know what types and levels of encryption the provider can offer
to ensure that even if data is leaked it cannot be read.
You also need to know about the provider’s business continuity provisions. What
happens if its main data center burns down? Does it only have one data
center? In how many places does it store your data and how? Ask about
security monitoring and auditing processes, and what kind of reporting the
provider does. If there is a breach, will the company tell you?
But all this work will make life a lot easier later. After the implementation, it will
be much more complicated and expensive to make changes. So you need to
map everything out in advance.
f) Ask About Security and Reliability Certifications
One way small businesses can short-circuit due diligence on
providers’ security controls is to ask about various
certifications they may have, or look for mention of them at
the provider’s website.
Considering only those providers with documented,
verifiably sound security practices may eliminate some of
the need to delve deeper.
The CSA itself has developed a certification program under its
Trusted Cloud Initiative, which some providers are
beginning to use.
There are also more general certifications that any organization can
get, not just cloud providers, such as ISO 27001 Information Security
Standards and ISACA IT Audit, Security, Governance and Risk
Certification.
g) Build Security Controls into the Contract
This is where the rubber hits the road. With any cloud service,
you will be entering into a contract. The provider may not be
willing to negotiate anything, or may not be willing to extend
much flexibility to smaller customers.
At the very least, you need to carefully study the contract
language as it relates to security controls.
And if the provider is willing to negotiate, you need to establish
in the contract the type and level of encryption to be used,
where and when -- all determined by the analysis in earlier
steps -- and the safeguards against data loss to be used, such
as redundant storage.
You may also be able to negotiate the right to audit the
company’s facilities or security practices.
Many cloud providers may not give the right to audit, and the
more security you ask for in general, the more the cost is
going to go up. But we suggest asking for the right to audit.
h) Negotiate Service Levels and Exit Strategies
Security in the cloud is not just about protecting data. It’s also about
ensuring your own business continuity. Your ongoing operations may
now utterly depend on being able to access a cloud service. What
happens if the provider’s service is unavailable for a short or a long
period?
Some providers will negotiate a service level agreement (SLA) specifying
uptime percentages and the time to respond to trouble calls.
SLAs may include financial penalties, often a discounting of service fees, if
the provider fails to meet the terms. The stricter the terms, though,
typically, the more you will pay for the service.
It’s also important to ensure that you’re not locked in to the provider’s
service so that it’s difficult, expensive or virtually impossible to
disengage and take your business and data to a different provider in the
event you become dissatisfied or find a better deal.
And try to pre-negotiate the terms for changing contracted services in response to
changes in your business to guard against prohibitively expensive fees for doing this.
i) Pursue Offline Security Measures
One of the problems with moving to the cloud is the
loss of control over your “security profile.” But in
some cases, it may be possible to preserve some
control by using offline backup of data stored in the cloud, for
example, or by preserving the right to control
encryption keys so that in the event a provider’s
system is compromised, there is no possibility of
keys falling into the wrong hands.
