Cloud Security: Basic Principles


Salam Ismaeel, Sarah Asiri

Ryerson University

May 23, 2016

1 Abstract

Interest in cloud computing has been growing significantly in the past years. More businesses are now switching to the cloud for data management, storage and analysis. According to the official NIST definition, cloud computing is a model that allows ubiquitous, convenient, on-demand network access to a shared pool of computing resources such as networks, servers, storage and applications, which can be provisioned rapidly with minimal management effort or service provider interaction [1]. However, security concerns have always been associated with cloud adoption. In this paper, we discuss security challenges in the cloud environment and their remedies. We also focus on encryption in the cloud and discuss some security considerations for the OpenStack platform.

2 Introduction

Security is the preservation of confidentiality, integrity and availability of information. Other properties such as authenticity, accountability, non-repudiation and reliability also fall under the security dome. Confidentiality is the assurance that information is not made available or disclosed to unauthorized individuals, entities or processes. Integrity, on the other hand, is the assurance that the data being secured has not been tampered with. To ensure the security of information processing, data controllers must implement appropriate technical and organizational measures in order to protect it against [2]: (i) Unauthorized access or disclosure: in particular where the processing involves the transmission of data over a network. (ii) Destruction: accidental or unlawful destruction or data loss. (iii) Modification: inappropriate alteration and data tampering. (iv) Unauthorized use: all other unlawful forms of processing.

Security is the most prevalent factor inhibiting the adoption of cloud computing. Cloud computing can become disadvantageous in maintaining a level of assurance sufficient to sustain confidence in potential customers. The reasons behind the importance of cloud security are [3]: increasing usage of cloud services in non-traditional sectors; growing adoption of cloud services in government departments; rise in cloud service-specific attacks; growing usage of cloud services for critical data storage; rise in employee mobility.

This paper gives an introduction to the security issues in cloud environments together with some possible treatments. In the paper, we put more focus on data encryption in the cloud. Additionally, OpenStack security considerations will be covered in the last section of this work.

3 Security Issues in Cloud

There are a number of security issues for cloud computing: some are new, some are exacerbated by cloud models, and others are similar to those of traditional service provision models. The security risks depend greatly on the cloud service and the deployment model. Security issues in the cloud can be classified into [4]:

- Access: representing physical access, credentials, authentication, authorization, identity management, and anonymization.
- Storage and computing: including data access to storage, unreliable computing, availability, cryptography, sanitization and malware.
- Virtualization: related to managing virtual images (VMs), monitoring virtual machines, virtualized traffic and virtual machine mobility.
- Internet and services: covering advanced persistent threats and malicious outsiders, protocols and standards, web services, web technologies and availability.
- Network: focusing on mobile platforms and perimeter security.

According to the Cloud Security Alliance (CSA), however, the top threats to cloud computing are: abuse and nefarious use of cloud computing; insecure interfaces and APIs; malicious insiders; shared technology issues; data loss or leakage; account or service hijacking; and unknown risk profile [2, 5]. The next subsections describe each threat separately.

A. Gap in Security

In the cloud environment, customers cede control to the cloud provider; there is a related risk that the Cloud Service Provider (CSP) will not adequately handle the responsibility of addressing security the way it is supposed to, or even that Service Level Agreements (SLAs) do not include any provision of the necessary security services. This risk depends on the service model used in the cloud.

B. Unwanted Access

Cloud computing may actually increase the risk of access to confidential information by: (a) Foreign governments: because the data on the cloud could be anywhere in the world, this increases the risk of government surveillance, and consumers may not be notified if this happens, depending on the privacy policies of that country. (b) Provider chains that have inadequate security mechanisms in place. (c) Data theft from machines in the cloud, by: rogue employees of CSPs; data thieves breaking into service providers' machines; other customers of the same service if there is inadequate separation of different customers' data on a machine that they share in the cloud; attackers who break into the networks of the CSP, subcontractors or co-hosted customers; and attackers who use de-anonymization techniques. The damage that can be caused in these cases can be greater than in non-cloud environments, due to the scale of operation and the presence of certain roles in cloud architectures with potentially extensive access, including CSP system administrators and managed security service providers.

C. Vendor Lock-In

As there is no standardized communication between and within cloud providers and no standardized data export format, it is difficult to migrate from one cloud provider to another or to bring data back and process it in-house.

D. Inadequate Data Deletion

The problem lies in ensuring that data that should be deleted is actually wiped securely and cannot be recovered by a CSP. This problem is exacerbated in the cloud because: (a) multiple copies of the data are available on the cloud; (b) it might be impossible to destroy a disk since it is storing other customers' data. These risks of data exposure vary according to the service model.

E. Compromise of the Management Interface

This poses an increased risk compared to traditional hosting providers because remote access and web browser vulnerabilities can be introduced and hence access can be given via these interfaces to larger sets of resources.

F. Backup Vulnerabilities

Storing data in the cloud serves as a form of backup, although it can lead to additional liabilities and threats from attackers. There is still potential for the data to be lost, particularly with Storage as a Service. A popular solution is a type of hybrid storage cloud. However, in general, cloud services can be more resilient than traditional services.

G. Isolation Failure

In the SaaS model, the customers are users of multi-tenant applications developed by CSPs, where personal data and even financial data are stored by the CSP in the cloud, and it is the responsibility of the CSP to secure that data. There is a risk that the mechanisms that separate storage, memory or routing between different tenants might fail, and hence, for example, other tenants could access sensitive information that belongs to other customers.

Virtual machines (VMs) are sandboxed environments and are therefore assumed to be completely isolated from each other. This assumption is what makes it acceptable for users to share the same hardware. The use of virtualization can introduce new security vulnerabilities, such as: (a) attackers escaping the boundaries of this sandboxed environment and gaining full access to the host; (b) cross-VM side-channel attacks, where the attacker breaches the isolation between VMs, allowing extraction of data via information leakage due to the sharing of physical resources; (c) virtual network attacks, which occur with inadequate data deletion before memory is assigned to a different customer, or escape to the hypervisor, where an attacker uses a guest virtual machine to attack vulnerabilities in the hypervisor software.

H. Missing Assurance and Transparency

Cloud customers need to obtain assurance from cloud service providers that their data will be protected properly. They may also require that they are notified about security and privacy incidents. However, in some cases, taking this approach can be difficult, particularly in cases of multiple transfers of data. Cloud-based storage of data that requires privacy assurance (such as personal data) is almost always deployed in private clouds. Heterogeneous cloud infrastructures make it difficult to have effective controls to check privacy compliance in an automated way, and the end user has no means to verify that his/her privacy requirements are being fulfilled. An open problem is finding a balance between data provenance and related privacy or other regulatory constraints in the cloud, where physical perimeters are not clearly delimited.

I. Inadequate Monitoring, Compliance and Audit

If a cloud customer migrates to the cloud, their previous investment in security certification may be put at risk if the CSP cannot provide evidence of its compliance with the relevant requirements and does not enable the cloud customer to audit its processing of the customer's data. Furthermore, it may be difficult to evaluate how cloud computing affects compliance with internal security policies. CSPs need to implement internal compliance monitoring controls, in addition to an external audit process. However, provisioning a full audit trail within the cloud, particularly in public cloud models, is still an unsolved issue.

4 Possible Treatment

Full protection of the enterprise's or its customers' personal information in the IaaS cloud is difficult, but not impossible [6]. This section summarizes some possible treatments for the security problems listed in the previous section [7].

(i) Data leakage: API access control should be implemented strongly. Encryption techniques should be enabled to protect the integrity of data in transit as well as at rest. Furthermore, the protection of data should be analyzed at design time as well as at run time.

(ii) Abuse of cloud: enforce strict initial registration with validation processes, enhanced services for coordination and monitoring of credit card fraud, and a service for monitoring public blacklists for one's own network blocks.

(iii) Insecure interfaces and APIs: proper analysis of the security model of the interfaces is important. Also, ensure that strong access control and authentication methods are incorporated with encrypted transmission.

(iv) Malicious insiders: supply chain management should be enforced strictly, and a comprehensive supplier assessment should also be conducted as part of the legal contracts specified in human resource requirements. Transparency needs to be maintained in all information security practices and compliance reporting. A security breach notification process needs to be defined.

(v) Shared technology issues: security should be implemented during configuration. Environment activity should be monitored effectively. Strong authentication and access control should be promoted for administration processes and activities. Service level agreements (SLAs) should be enforced for the remediation of patching and vulnerabilities. Vulnerability scanning and configuration audits should be conducted.

(vi) Account or service hijacking: employ restrictions on the sharing of account credentials between services and users. Strong two-factor authentication methods should be implemented where possible. Unauthorized activity should be detected effectively. Cloud provider security policies and SLAs should be understood clearly.

(vii) Identity as a Service (IDaaS): a federated identity means that a user's profile (attributes and credentials) is linked together and stored across several identity management systems. One application of federated identity is Single Sign-On (SSO), which enables access control to all cloud applications in an enterprise. SSO allows a single point of login to be used by users to access the cloud services and web applications used by an enterprise. This enables the exchange of trust relationships between multiple domains, where authentication information is shared across these domains, which can reduce security threats and management complexity [8]. Figure 1 provides an abstract view of how an SSO solution can provide many benefits to enterprises.

Figure 1: High Level SSO Illustration of Intel's Identity Bridge Solution [9]

Before integrating SSO into the customer's cloud solution, it is important to take a few points into consideration [9, 10]: (1) The SSO solution should integrate successfully with directory systems, such as Active Directory, Microsoft or Oracle. Additionally, integration with third-party SaaS services, such as Google, should be enabled. (2) It is important that SSO solutions are capable of maintaining a high uptime rate, as well as availability and disaster recovery capabilities. This can be achieved by employing dual redundant data centers, load balancing, and clustered servers and applications. (3) It is imperative to consider deploying strong authentication techniques to authenticate users, such as two-factor authentication, One Time Passwords (OTP), and context-aware authentication.

5 Encryption in the Cloud

In the cloud, where there are multiple tenants and administrators working for someone else, it would seem obvious that huge amounts of data need to be encrypted [5]. The two main practical problems in applying an encryption scheme in the cloud are choosing the suitable type of encryption based on business requirements, and specifying the algorithm within that class [11].

Full Disk Encryption (FDE) is one of the well known techniques, in which the entire hard drive is encrypted while the device it is installed in is powered off or first powered on, before the user or administrator provides authentication to enable the device to boot up. It protects data from being compromised if the server or its storage is lost or stolen. But FDE does absolutely nothing to protect a Server Area Network (SAN) that is powered on and running in a cloud data center from malware, insider threats, and other current threats. There are three useful layers of encryption used outside FDE:

• Application layer encryption: by implementing encryption and decryption routines within the application.

• File encryption: individually encrypt files as they are written to the disk, and decrypt the required file only when needed, leaving the rest of the files encrypted.

• Database encryption: individual database records, or even particular fields within a record, can be maintained in an encrypted state and only decrypted individually when proper authorization is granted.

This is done by one or more of the seven types of encryption:

I. Regular (unstructured) data encryption: it is the best candidate for encrypting data in storage but severely impacts application functionality. The power of such encryption is that no practical attacker can create a valid ciphertext or modify a legitimate ciphertext without the user noticing. However, this sacrifices search, document preview, and other types of application functionality.

II. Selective encryption: only sensitive data such as social security numbers or account numbers are encrypted. Selective encryption is often used in sharing applications where a content inspection and identification capability is used to determine sensitive data, enabling users to encrypt based on a policy. Search functionality may not be available in this type of encryption.

III. Format Preserving Encryption (FPE): FPE keeps the length and the format of the original text. Such functionality is useful when a specific format is required by the application. FPE is very useful if the application requires server-side input validation checks and the security requirements can tolerate equality leakage.

IV. Searchable encryption: in some applications, we can waive some security to retain searching ability. In general, the security weakness shared by these schemes is that equality of keywords is leaked, making certain statistical attacks possible. There are three different approaches in searchable encryption: (1) Keyword extraction: preserving the search keywords of encrypted documents. This method is useful if we usually search documents for certain keywords only. (2) Word-by-word: encrypting each word individually, making the document searchable by any word. But with equality leakage, this makes statistical attacks possible. (3) Search by prefix: leveraging a local search tokenization index, i.e. a local plaintext index of search words, as data is sent to a cloud provider. The main problem in this approach is that the user requires access to the local index before going to the cloud. Also, this local index represents a good target for attackers.

V. Order-Preserving Encryption (OPE): in this type, the ciphertexts preserve the order of the plaintexts. This makes it easy to search, sort and query the ciphertexts, but it seriously affects the confidentiality of the ciphertext because the relative distance between the ciphertexts and the underlying plaintexts is leaked.

VI. Data tokenization: this depends on the creation of a token for each plaintext, storing the data and tokens locally and then passing the tokens to the cloud application. This enables the user to search for keywords and sort through the data on the server. But it has the same drawbacks as order-preserving encryption (OPE). In addition, the local storage for the data and the corresponding tokens must be protected.

VII. Fully Homomorphic Encryption (FHE): the cloud receives the ciphertext of the data, performs computations on the ciphertext, and returns the encoded value of the result [12]. The main problem is that higher-level operations and real world functionality are still many years away.

6 Encryption Key Management

One of the most difficult processes in public cloud computing is key management. Whenever we have strong key management, we should get strong security. Because key generation and management for the cloud computing paradigm is not standardized, this section summarizes the best practices for encryption key management [5, 13, 14]:

- Maintain control of all private/secret encryption keys. It is fine to use encryption services offered by the cloud provider or a reputable third party, as long as the party offering the services does not get access to the encryption keys.
- Use best practices regarding key management and encryption products from reliable vendors.
- Use off-the-shelf technology where possible, storing encryption keys separately from encrypted data. Encryption keys should also not be stored within application configuration files or compiled into the application itself.
- The key scope should be maintained at the individual or group level.
- Configure encryption to be transparent to users. To make security usable, it is critical that encryption be as transparent as possible, ideally so that users are not even aware it is in use.
- Use standard algorithms and do not use proprietary encryption algorithms.

In summary, organizations with sensitive data stored in clouds should encrypt this data in a manner that lets them maintain control over the encryption keys. These keys should be stored separately from the encrypted data to prevent a single compromise from granting access to both the keys and the data they protect. Moreover, encryption should be configured to be transparent to users so that it does not affect usability.
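As an added example (not code from the paper), the following Python builds a search index for the keyword-extraction and word-by-word approaches of section 5 using a keyed PRF (HMAC-SHA256) whose key stays on the client, as section 6 recommends, and then measures the equality leakage that both approaches share. The documents, the key and the policy keyword set are constructed for the demonstration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample documents standing in for files a tenant uploads.
DOCS = {
    "doc1": "invoice invoice payment account invoice",
    "doc2": "payment overdue account",
    "doc3": "meeting notes payment",
}
# Assumed keyword-extraction policy: only these words receive search tokens.
POLICY_KEYWORDS = {"invoice", "account"}


def tokenize(text):
    """Split a document into lowercase words."""
    return re.findall(r"[a-z0-9]+", text.lower())


def word_token(key, word):
    """Deterministic search token PRF_key(word) built from HMAC-SHA256.
    The same word under the same key always yields the same token: that is
    what lets the server match a query, and it is also the equality leakage."""
    return hmac.new(key, word.encode(), hashlib.sha256).hexdigest()[:16]


def build_index(key, docs, keywords=None):
    """Return {doc_id: [token, ...]} as the cloud would store it.
    keywords=None -> word-by-word: every word is tokenized.
    keywords=set  -> keyword extraction: only policy keywords are tokenized."""
    index = {}
    for doc_id, text in docs.items():
        words = tokenize(text)
        if keywords is not None:
            words = [w for w in words if w in keywords]
        index[doc_id] = [word_token(key, w) for w in words]
    return index


def search(key, index, word):
    """The client computes the token; the server matches it without learning
    the word. Returns the sorted list of matching document ids."""
    token = word_token(key, word)
    return sorted(doc_id for doc_id, toks in index.items() if token in toks)


def token_histogram(index):
    """What an observer of the stored index sees: how often each token occurs."""
    return Counter(tok for toks in index.values() for tok in toks)


def word_histogram(docs, keywords=None):
    """The plaintext word frequencies the observer is not supposed to learn."""
    counts = Counter()
    for text in docs.values():
        for w in tokenize(text):
            if keywords is None or w in keywords:
                counts[w] += 1
    return counts


def equality_leakage(key, docs, keywords=None):
    """Measure the statistical attack surface of an index.
    Returns (histograms_match, exposed_terms): histograms_match is True when
    the sorted token frequencies equal the sorted plaintext word frequencies
    (frequency analysis applies); exposed_terms is the number of distinct
    plaintext words whose equality pattern is visible in the index."""
    index = build_index(key, docs, keywords)
    token_freqs = sorted(token_histogram(index).values(), reverse=True)
    word_freqs = sorted(word_histogram(docs, keywords).values(), reverse=True)
    return token_freqs == word_freqs, len(token_histogram(index))


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-client-side"  # never sent to the cloud
    for label, kw in (("word-by-word", None), ("keyword extraction", POLICY_KEYWORDS)):
        index = build_index(key, DOCS, kw)
        print(label, "search 'payment' ->", search(key, index, "payment"))
        print(label, "(histograms match, exposed terms) ->", equality_leakage(key, DOCS, kw))
```

Word-by-word indexing makes every term searchable but exposes the full word-frequency profile of the corpus; keyword extraction narrows what is searchable and, with it, how many terms leak their equality pattern.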

7 OpenStack: Security Domains

This section gives an overview of OpenStack services' security considerations and OpenStack security domains. All these parts need further study and analysis; the goal here is to give a brief idea about these topics. All the information is mainly taken from the OpenStack organization, especially from [15].

7.1 OpenStack Security Considerations

The security considerations of the OpenStack components are:

Compute (nova): the security of Compute is critical for an OpenStack deployment. The techniques used should include support for strong instance isolation, secure communication between Compute sub-components, and resiliency of public-facing API endpoints.

Object Storage (swift) and Block Storage (cinder): in these two modules, security should focus on access control and encryption of data in transit and at rest. Other concerns may relate to system abuse, illegal or malicious content storage, and cross-authentication attack vectors.

Networking (neutron): security concerns with the networking service include network traffic isolation, availability, integrity and confidentiality.

Dashboard (horizon): it is a public-facing component with all the usual security concerns of public web portals.

Identity (keystone): security concerns here relate to trust in authentication, management of authorization tokens, and secure communication.

Image (glance): trusted processes for managing the life cycle of disk images are required, as are all the previously mentioned issues with respect to data security.

Data processing (sahara): security considerations for data processing should focus on data privacy and secure communications to provisioned clusters.

Other considerations: OpenStack relies on messaging for internal communication between several of its services. By default, OpenStack uses message queues based on the Advanced Message Queue Protocol (AMQP). The message queuing system is a primary security concern for any OpenStack deployment. Finally, securing access to the databases and their contents is yet another security concern.

7.2 OpenStack Security Domains

A security domain includes users, applications, servers or networks that share common trust requirements and expectations within a system. Typically they have the same authentication and authorization requirements and users. Although you may desire to break these domains down further, generally these four distinct security domains (Public, Guest, Management and Data) form the minimum that is required to deploy any OpenStack cloud securely. These security domains can be mapped independently or combined to represent the majority of the possible areas of trust within a given OpenStack deployment.

Public: the public security domain is an entirely untrusted area of the cloud infrastructure. It can refer to the Internet as a whole or simply to networks over which you have no authority. Any data that transits this domain with confidentiality or integrity requirements should be protected using compensating controls. This domain should always be considered untrusted.

Guest: typically used for compute instance-to-instance traffic, the guest security domain handles compute data generated by instances on the cloud, but not services that support the operation of the cloud, such as API calls. Public and private cloud providers that do not have stringent controls on instance use or allow unrestricted internet access to VMs should consider this domain to be untrusted. Private cloud providers may want to consider this network as internal and trusted, only if the proper controls are implemented to assert that the instances and all associated tenants are to be trusted.

Management: the management security domain is where services interact. Sometimes referred to as the "control plane", the networks in this domain transport confidential data such as configuration parameters, user names, and passwords. Command and control traffic typically resides in this domain, which necessitates strong integrity requirements. Access to this domain should be highly restricted and monitored. At the same time, this domain should still employ all of the security best practices. In most deployments this domain is considered trusted. However, when considering an OpenStack deployment, there are many systems that bridge this domain with others, potentially reducing the level of trust you can place on this domain.

Data: the data security domain is concerned primarily with information pertaining to the storage services within OpenStack. Most of the data transmitted across this network requires high levels of integrity and confidentiality. In some cases, depending on the type of deployment, there may also be strong availability requirements.

Bridging security domains: a bridge is a component that exists inside more than one security domain. Any component that bridges security domains with different trust levels or authentication requirements must be carefully configured. These bridges are often the weak points in network architecture. A bridge should always be configured to meet the security requirements of the highest trust level of any of the domains it is bridging. In many cases the security controls for bridges should be a primary concern due to the likelihood of attack.

8 Summary

By the end of this chapter, we can see that there are several challenges and research areas within the topic of cloud security, from the formal aspects to empirical research outlining novel techniques. All users, whether individuals or organizations, should be well aware of the security threats existing in the cloud. And because OpenStack is the most interesting platform during our course, security considerations in OpenStack services were given. Still, the chapter should cover more details about the Keystone project, which provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family.

References

[1] P. Mell and T. Grance, "The NIST definition of cloud computing," 2011.
[2] S. Pearson and G. Yee, Privacy and security for cloud computing. Springer Science & Business Media, 2013.
[3] V. Chary and A. Krishna. (2012) Cloud security. [Online]. Available: http://www.slideshare.net/VenkateshChary/cloud-security-ppt
[4] D. Fernandes, L. Soares, J. Gomes, M. Freire, and P. Inácio, "Security issues in cloud environments: a survey," International Journal of Information Security, vol. 13, no. 2, pp. 113–170, 2014. [Online]. Available: http://dx.doi.org/10.1007/s10207-013-0208-7
[5] Cloud Security Alliance. (2011) Security guidance for critical areas of focus in cloud computing v3.0. [Online]. Available: https://cloudsecurityalliance.org
[6] H. Albaroodi, S. Manickam, and P. Singh, "Critical review of OpenStack security: Issues and weaknesses," Journal of Computer Science, vol. 10, no. 1, p. 23, 2013.
[7] A. Aich, A. Sen, and S. R. Dash, "A survey on cloud environment security risk and remedy," in Computational Intelligence and Networks (CINE), 2015 International Conference on. IEEE, 2015, pp. 192–193.
[8] M. Stihler, A. O. Santin, A. L. Marcon Jr, and J. D. S. Fraga, "Integral federated identity management for cloud computing," in New Technologies, Mobility and Security (NTMS), 2012 5th International Conference on. IEEE, 2012, pp. 1–5.
[9] J. Reavis, "How Intel cloud SSO works," Tech. Rep., 2015. [Online]. Available: http://www.opendatacenteralliance.org
[10] T. Eid, "Cloud single sign-on for SaaS providers," Tech. Rep., 2015. [Online]. Available: https://www.intralinks.com
[11] A. Boldyreva and P. Grubbs, "Making encryption work in the cloud," Network Security, vol. 2014, no. 10, pp. 8–10, 2014.
[12] S. Ruj and R. Saxena, "Securing cloud data," Cloud Computing with e-Science Applications, p. 41, 2015.
[13] M. Ali, S. U. Khan, and A. V. Vasilakos, "Security in cloud computing: Opportunities and challenges," Information Sciences, vol. 305, pp. 357–383, 2015.
[14] K. Scarfone, "The true story of data-at-rest encryption and the cloud," Tech. Rep., 2015. [Online]. Available: https://www.firehost.com
[15] OpenStack. (2015) OpenStack security guide. [Online]. Available: http://docs.openstack.org/sec/