CLOUD SECURITY

MECHANSMS
.

Preetha V, AP/CSE, SRIT

Cloud Security Mechanisms
• 10.1 Encryption
• 10.2 Hashing
• 10.3 Digital Signature
• 10.4 Public Key Infrastructure (PKI)
• 10.5 Identity and Access Management (IAM)
• 10.6 Single Sign-On (SSO)
• 10.7 Cloud-Based Security Groups
• 10.8 Hardened Virtual Server Images

Preetha V, AP/CSE, SRIT

10.1. Encryption
Data, by default, is coded in a readable format known as plaintext.
When transmitted over a network, plaintext is vulnerable to unauthorized and potentially
malicious access.
The encryption mechanism is a digital coding system dedicated to preserving the confidentiality
and integrity of data.
It is used for encoding plaintext data into a protected and unreadable format.
Encryption technology commonly relies on a standardized algorithm called a cipher to transform
original plaintext data into encrypted data, referred to as ciphertext.
When encryption is applied to plaintext data, the data is paired with a string of characters called
an encryption key, a secret message that is established by and shared among authorized parties.
The encryption key is used to decrypt the ciphertext back into its original plaintext format.
The encryption mechanism can help counter the traffic eavesdropping, malicious intermediary,
insufficient authorization, and overlapping trust boundaries security threats.
For example, malicious service agents that attempt traffic eavesdropping are unable to decrypt
messages in transit if they do not have the encryption key (Figure 10.1).

Preetha V, AP/CSE, SRIT

Preetha V, AP/CSE, SRIT
Symmetric Encryption
Symmetric encryption uses the same key for both encryption and
decryption, both of which are performed by authorized parties that use the
one shared key.
Also known as secret key cryptography, messages that are encrypted with
a specific key can be decrypted by only that same key.
Parties that rightfully decrypt the data are provided with evidence that the
original encryption was performed by parties that rightfully possess the
key.
A basic authentication check is always performed, because only
authorized parties that own the key can create messages.
This maintains and verifies data confidentiality.

Preetha V, AP/CSE, SRIT

Asymmetric Encryption
Asymmetric encryption relies on the use of two different keys, namely a
private key and a public key.
With asymmetric encryption (which is also referred to as public key
cryptography), the private key is known only to its owner while the public
key is commonly available.
A document that was encrypted with a private key can only be correctly
decrypted with the corresponding public key.
Conversely, a document that was encrypted with a public key can be
decrypted only using its private key counterpart.
As a result of two different keys being used instead of just the one,
asymmetric encryption is almost always computationally slower than
symmetric encryption.

Preetha V, AP/CSE, SRIT

10.2. Hashing
The hashing mechanism is used when a one-way, non-reversible form
of data protection is required.
Once hashing has been applied to a message, it is locked and no key
is provided for the message to be unlocked.
A common application of this mechanism is the storage of
passwords. Hashing technology can be used to derive a hashing code
or message digest from a message, which is often of a fixed length
and smaller than the original message.
The message sender can then utilize the hashing mechanism to attach
the message to digest the message.
((A message digest is a cryptographic hash function containing a
string of digits created by a one-way hashing formula. Message
digests are designed to protect the integrity of a piece of data or
media to detect changes and alterations to any part of a message.))
Preetha V, AP/CSE, SRIT
The recipient applies the same hash function to the message to verify that
the produced message digest is identical to the one that accompanied the
message.
Any alteration to the original data results in an entirely different message
digest and clearly indicates that tampering has occurred.
In addition to its utilization for protecting stored data, the cloud threats
that can be mitigated by the hashing mechanism include malicious
intermediary and insufficient authorization.
An example is illustrated in Figure 10.3.

Preetha V, AP/CSE, SRIT

Preetha V, AP/CSE, SRIT
10.3. Digital Signature
The digital signature mechanism is a means of providing data
authenticity and integrity through authentication and non-
repudiation.
A message is assigned a digital signature prior to transmission,
which is then rendered invalid if the message experiences any
subsequent, unauthorized modifications.

A digital signature provides evidence that the message

received is the same as the one created by its rightful sender.

Preetha V, AP/CSE, SRIT

Both hashing and asymmetrical encryption
are involved in the which essentially exists as a message digest that was
encrypted by a private key and appended to the original message.
The recipient verifies the signature validity and uses the corresponding
public key to decrypt the digital signature, which produces the message
digest.
The hashing mechanism can also be applied to the original message to
produce this message digest.
Identical results from the two different processes indicate that the message
maintained its integrity.
The digital signature mechanism helps mitigate the malicious intermediary,
insufficient authorization, and overlapping trust boundaries security threats
(Figure 10.5).

Preetha V, AP/CSE, SRIT

Figure 10.5. Cloud Service Consumer B sends a message that was digitally signed but
was altered by trusted attacker Cloud Service Consumer A. Virtual Server B is
configured to verify digital signatures before processing incoming messages even if
they are within its trust boundary. The message is revealed as illegitimate due to its
invalid digital signature, and is therefore rejected by Virtual Server B.
Preetha V, AP/CSE, SRIT
10.4. Public Key Infrastructure (PKI)
A common approach for managing the issue of asymmetric keys is based on the
public key infrastructure (PKI) mechanism, which exists as a system of protocols,
data formats, rules, and practices that enable large-scale systems to securely use
public key cryptography.
This system is used to associate public keys with their corresponding key owners
(known as public key identification) while enabling the verification of key validity.
PKIs rely on the use of digital certificates, which are digitally signed data structures
that bind public keys to certificate owner identities, as well as to related information,
such as validity periods.
Digital certificates are usually digitally signed by a third-party certificate authority
(CA), as illustrated in Figure 10.7

Preetha V, AP/CSE, SRIT

Preetha V, AP/CSE, SRIT
10.5. Identity and Access Management (IAM)
mechanism encompasses the components and policies necessary to
control and track user identities and access privileges for IT resources,
environments, and systems.
Specifically, IAM mechanisms exist as systems comprised of four main
components:
• Authentication – Username and password combinations remain the
most common forms of user authentication credentials managed by
the IAM system, which also can support digital signatures, digital
certificates, biometric hardware (fingerprint readers), specialized
software (such as voice analysis programs), and locking user accounts
to registered IP or MAC addresses.

Preetha V, AP/CSE, SRIT

• Authorization – The authorization component defines the correct
granularity for access controls and oversees the relationships between
identities, access control rights, and IT resource availability.
• User Management – Related to the administrative capabilities of the
system, the user management program is responsible for creating new
user identities and access groups, resetting passwords, defining
password policies, and managing privileges.
•Credential Management–The credential management system
establishes identities and access control rules for defined user
accounts, which mitigates the threat of insufficient authorization.

Preetha V, AP/CSE, SRIT

10.6. Single Sign-On (SSO)
The single sign-on (SSO) mechanism enables one cloud service
consumer to be authenticated by a security broker, which establishes
a security context that is persisted while the cloud service consumer
accesses other cloud services or cloud-based IT resources.
Otherwise, the cloud service consumer would need to re-
authenticate itself with every subsequent request.

Preetha V, AP/CSE, SRIT

The SSO mechanism essentially enables mutually independent
cloud services and IT resources to generate and circulate runtime
authentication and authorization credentials.
The credentials initially provided by the cloud service consumer
remain valid for the duration of a session, while its security
context information is shared (Figure 10.9).
The SSO mechanism’s security broker is especially useful when
a cloud service consumer needs to access cloud services residing
on different clouds (Figure 10.10)

Preetha V, AP/CSE, SRIT

Preetha V, AP/CSE, SRIT
Preetha V, AP/CSE, SRIT
10.7. Cloud-Based Security Groups
Cloud resource segmentation is a process by which separate physical and virtual IT
environments are created for different users and groups.
For example, an organization’s WAN can be partitioned according to individual
network security requirements.
One network can be established with a resilient firewall for external Internet
access, while a second is deployed without a firewall because its users are internal
and unable to access the Internet.
Resource segmentation is used to enable virtualization by allocating a variety of
physical IT resources to virtual machines.
It needs to be optimized for public cloud environments, since organizational trust
boundaries from different cloud consumers overlap when sharing the same
underlying physical IT resources.
The cloud-based resource segmentation process creates cloud-based security group
mechanisms that are determined through security policies.
Networks are segmented into logical cloud-based security groups that form logical
network perimeters.
Each cloud-based IT resource is assigned to at least one logical cloud-based security
group.
Each logical cloud-based security group is assigned specific rules that govern the
communication between the security groups.
Preetha V, AP/CSE, SRIT
Multiple virtual servers running on the same physical server can
become members of different logical cloud-based security groups
(Figure 10.11).
Virtual servers can further be separated into public-private
groups, development production groups, or any other designation
configured by the cloud resource administrator.

Preetha V, AP/CSE, SRIT

Preetha V, AP/CSE, SRIT
Cloud-based security groups delineate areas where different
security measures can be applied.
Properly implemented cloud-based security groups help limit
unauthorized access to IT resources in the event of a security
breach.
This mechanism can be used to help counter the denial of service,
insufficient authorization, and overlapping trust boundaries threats,
and is closely related to the logical network perimeter mechanism

Preetha V, AP/CSE, SRIT

10.8. Hardened Virtual Server Images
As previously discussed, a virtual server is created from a template
configuration called a virtual server image (or virtual machine
image).
Hardening is the process of stripping unnecessary software from a
system to limit potential vulnerabilities that can be exploited by
attackers.
Removing redundant programs, closing unnecessary server ports,
and disabling unused services, internal root accounts, and guest
access are all examples of hardening.
A hardened virtual server image is a template for virtual service
instance creation that has been subjected to a hardening process
(Figure 10.13).
This generally results in a virtual server template that is significantly
more secure than the original standard image.
Preetha V, AP/CSE, SRIT
Preetha V, AP/CSE, SRIT