Security in Cloud Infrastructure

Nowadays, one of the most discussed topics in information technology is cloud computing and its security.

When it comes to security, if your systems and data are not secured in the proper way, the systems can be broken into and the data stolen by attackers with bad intentions. Usually, discussions focus on the standard security pros, cons and requirements for staying safe. Of all the parts of an IT infrastructure, the cloud infrastructure is one where security must be implemented in a much more serious way.

Cloud computing is an on-demand service model for IT provision based on virtualization and distributed computing technologies. The abstraction of computing, network and storage infrastructure is the foundation of cloud computing.

Cloud computing offers businesses a number of compelling benefits, such as improved scalability and flexibility, on-demand provisioning, and lower cost. Organizations no longer have to install expensive dedicated appliances behind corporate firewalls to deliver mission-critical applications, and the cloud makes it possible for knowledge workers to remain productive no matter where they are or what device they’re using. Despite the practical benefits, cloud computing should not be adopted without a thorough understanding of cloud security concerns. In cloud computing, an organization trusts valuable data to a cluster of virtual machines harnessed to perform a task, each component of which presents a point of entry into the system. These virtual machines are overseen by a hypervisor, which thus becomes a point of vulnerability. These risks can be mitigated, and a good understanding of cloud computing should include a discussion of the risks and how to mitigate them.

The primary categories of internal network attacks that customers should be concerned with include:

1. Confidentiality breaches (disclosure of confidential data)
2. Integrity breaches (unauthorized modification of data)
3. Availability breaches (denial of service, either intentional or unintentional)

Cloud Deployment Models

Cloud services can be implemented in four deployment models:

• Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Private Cloud: The cloud infrastructure is operated entirely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
• Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community. It may be managed by the organizations or a third party, and may exist on-premises or off-premises.
• Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community or public) that are bound together by standardized or proprietary technology that enables portability of data and applications.

Cloud Computing Categories

Cloud computing services can be offered in three basic ways: Software as a Service, Platform as a Service, and Infrastructure as a Service.

• Infrastructure as a Service (IaaS): provides virtual machines and other abstracted hardware and operating systems, which may be controlled through a service Application Programming Interface (API). It incorporates the capability to abstract resources as well as deliver physical and logical connectivity to those resources. IaaS provides fewer integrated security capabilities and less functionality beyond protecting the infrastructure itself. The onus for securing and reporting on the infrastructure falls on the provider, but the entire software stack, from the operating system to the application, is the responsibility of the customer. Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud.
• Platform as a Service (PaaS): allows customers to develop new applications using APIs that are implemented and operated remotely. The platforms offered include development tools, configuration management and deployment platforms. PaaS is positioned over IaaS and adds an additional layer of integration with application development frameworks and functions such as database, messaging, and queuing. This tradeoff extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security. The provider is responsible for securing the infrastructure and platform, and responsibility for the application lies with the customer. Examples are Microsoft Azure, Force and Google App Engine.
• Software as a Service (SaaS): is software offered by a third-party provider, available on demand, usually through a Web browser, and operated remotely. Examples include online word processing and spreadsheet tools, CRM services and Web content delivery services. SaaS in turn is built upon the underlying IaaS and PaaS stacks and provides a self-contained operating environment used to deliver the entire user experience, including the content, its presentation, the applications and management capabilities. SaaS provides the most integrated functionality built directly into the offering, with the least consumer extensibility, and a relatively high level of integrated security, since at the least the provider bears a responsibility for the security. The provider has responsibility for most aspects of security.

Cloud computing architectures offer their users numerous advantages, which can be briefly summarized as:

• Reduced cost, since services are provided on demand with a pay-as-you-use billing system;
• Highly abstracted resources;
• Instant scalability and flexibility;
• Instantaneous provisioning;
• Shared resources, such as hardware, database, etc.;
• Programmatic management through the API of Web services;
• Increased mobility – information is accessed from any location.

Cloud Security Assessment

1. Ensure effective governance, risk and compliance processes exist
2. Audit and ensure proper reporting of operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on the physical infrastructure and facilities
9. Manage security terms in the cloud service agreement
10. Understand the security requirements of the exit process

Identity Security

End-to-end identity management, third-party authentication services and identity must become a key element of cloud security. Identity security preserves the integrity and confidentiality of data and applications while making access readily available to appropriate users. Support for these identity management capabilities for both users and infrastructure components will be a major requirement for cloud computing, and identity will have to be managed in ways that build trust.
It will require:

• Stronger authentication: Cloud computing must move beyond authentication by username and password, which means adopting methods and technologies that are IT standard, such as strong authentication, coordination within and between enterprises, and risk-based authentication, which measures behavior history, current context and other factors to assess the risk level of a user request.
• Stronger authorization: Authorization can be stronger within an enterprise or a private cloud, but in order to handle sensitive data and compliance requirements, public clouds will need stronger authorization capabilities that can be constant throughout the lifecycle of the cloud infrastructure and the data.

Information Security

In the traditional data center, controls on physical access, access to hardware and software, and identity controls all combine to protect the data. In the cloud, the protective barrier that secures infrastructure is diffused. The data needs its own security and will require:

• Data isolation: In a multi-tenancy environment, data must be held securely in order to protect it when multiple customers use shared resources. Virtualization, encryption and access control will be workhorses for enabling varying degrees of separation between corporations, communities of interest and users.
• Stronger data security: In existing data center environments, role-based access control at the level of user groups is acceptable in most cases, since the information remains within the control of the enterprise. However, sensitive data will require security at the file, field or block level to meet the demands of assurance and compliance for information in the cloud.
• Effective data classification: Enterprises will need to know what type of data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as ensuring focus on the most critical areas for data loss prevention procedures.
• Information rights management: It is often treated as a component of identity, a matter of which users have access to what. Stronger data-centric security requires policies and control mechanisms on the storage and use of information to be associated directly with the information itself.
• Governance and compliance: A major requirement of corporate information governance and compliance is the creation of management and validation information – monitoring and auditing the security state of the information with logging capabilities. Cloud computing infrastructures must be able to verify that data is being managed per the applicable local and international regulations with appropriate controls, log collection and reporting.

The foundational infrastructure for a cloud must be inherently secure, whether it is a private or public cloud and whether the service is SaaS, PaaS or IaaS. It will require:

• Inherent component-level security: The cloud needs to be architected to be secure, built with inherently secure components, deployed and provisioned securely with strong interfaces to other components, and supported securely, with vulnerability-assessment and change-management processes that produce management information and service-level assurances that build trust.
• Stronger interface security: The points in the system where interaction takes place (user-to-network, server-to-application) require stronger security policies and controls that ensure consistency and accountability.
• Resource lifecycle management: The economics of cloud computing are based on multi-tenancy and the sharing of resources. As the needs and requirements of customers change, a service provider must provision and decommission the corresponding resources – bandwidth, servers, storage and security. This lifecycle process must be managed in order to build trust.

Infrastructure security can be viewed, assessed and implemented according to its building levels – the network, host and application levels.

Infrastructure Security – The Network Level

When looking at the network level of infrastructure security, it is important to distinguish between public clouds and private clouds. With private clouds, there are no new attacks, vulnerabilities, or changes in risk specific to this topology that information security personnel need to consider.
If public cloud services are chosen, changing security requirements will require changes to the network topology, and the manner in which the existing network topology interacts with the cloud provider’s network topology should be taken into account. There are four significant risk factors in this use case:

• Ensuring the confidentiality and integrity of the organization’s data-in-transit to and from a public cloud provider;
• Ensuring proper access control (authentication, authorization, and auditing) to whatever resources are used at the public cloud provider;
• Ensuring the availability of the Internet-facing resources in a public cloud that are being used by an organization, or have been assigned to an organization by public cloud providers;
• Replacing the established model of network zones and tiers with domains.

Infrastructure Security – The Host Level

When reviewing host security and assessing risks, the context of cloud services delivery models (SaaS, PaaS, and IaaS) and deployment models (public, private, and hybrid) should be considered. The host security responsibilities in SaaS and PaaS services are transferred to the provider of cloud services. IaaS customers are primarily responsible for securing the hosts provisioned in the cloud (virtualization software security, customer guest OS or virtual server security).

Infrastructure Security – The Application Level

Application or software security should be a critical element of a security program. Most enterprises with information security programs have yet to institute an application security program to address this realm. Designing and implementing applications aimed at deployment on a cloud platform will require existing application security programs to reevaluate current practices and standards. The application security spectrum ranges from standalone single-user applications to sophisticated multiuser e-commerce applications used by many users.
The level is responsible for managing:

• Application-level security threats;
• End user security;
• SaaS application security;
• PaaS application security;
• Customer-deployed application security;
• IaaS application security;
• Public cloud security limitations.

In summary, the issues of infrastructure security in cloud computing lie in defining and providing the specific security aspects that each party delivers.

The Point of Failure

Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud, and into public cloud services in particular, these resources become natural targets for bad actors.

1. Data breaches: A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices, CSA says. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property. An organization’s cloud-based data may have value to different parties for different reasons. The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers.

2. Insufficient identity, credential, and access management: Bad actors masquerading as legitimate users, operators, or developers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit; or release malicious software that appears to originate from a legitimate source, CSA says. As a result, insufficient identity, credential, or key management can enable unauthorized access to data and potentially catastrophic damage to organizations or end users.

3. Insecure interfaces and application programming interfaces (APIs): Cloud providers expose a set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud services. Provisioning, management, and monitoring are all performed with these interfaces, and the security and availability of general cloud services depend on the security of APIs, CSA says. They need to be designed to protect against accidental and malicious attempts to circumvent policy.

4. System vulnerabilities: System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, take control of the system or disrupt service operations. Vulnerabilities within the components of the operating system put the security of all services and data at significant risk, CSA says. With the advent of multi-tenancy in the cloud, systems from various organizations are placed close to each other and given access to shared memory and resources, creating a new attack surface.

5. Account hijacking: Account or service hijacking is not new, CSA notes, but cloud services add a new threat to the landscape. If attackers gain access to a user’s credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites. Account or service instances might become a new base for attackers. With stolen credentials, attackers can often access critical areas of cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services.

6. Malicious insiders: While the level of threat is open to debate, the fact that insider threat is a real adversary is not, CSA says. A malicious insider such as a system administrator can access potentially sensitive information, and can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on cloud service providers for security are at greater risk.

7. Advanced persistent threats (APTs): APTs are a parasitical form of cyber attack that infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which they steal data. APTs pursue their goals stealthily over extended periods of time, often adapting to the security measures intended to defend against them. Once in place, APTs can move laterally through data center networks and blend in with normal network traffic to achieve their objectives, CSA says.

8. Data loss: Data stored in the cloud can be lost for reasons other than malicious attacks, CSA says. An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, following best practices in business continuity and disaster recovery.

9. Insufficient due diligence: When executives create business strategies, cloud technologies and service providers must be considered, CSA says. Developing a good roadmap and checklist for due diligence when evaluating technologies and providers is essential for the greatest chance of success. Organizations that rush to adopt cloud technologies and choose providers without performing due diligence expose themselves to a number of risks.

10. Abuse and nefarious use of cloud services: Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks, CSA says. Bad actors might leverage cloud computing resources to target users, organizations, or other cloud providers. Examples of misuse of cloud-based resources include launching distributed denial-of-service attacks, email spam, and phishing campaigns.

11. Denial of service (DoS): DoS attacks are designed to prevent users of a service from being able to access their data or applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth, attackers can cause a system slowdown and leave all legitimate service users without access to services.

12. Shared technology vulnerabilities: Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications, CSA notes. Cloud technology divides the “as-a-service” offering without substantially changing the off-the-shelf hardware/software, sometimes at the expense of security. Underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications. This can lead to shared technology vulnerabilities that can potentially be exploited in all delivery models.
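
The risk-based authentication described under Identity Security (assessing a request from behavior history and current context), which is also a control against the account hijacking threat in item 5, sketched as an added example that is not part of the original text. The signal weights, thresholds, names and sample logins are constructed assumptions, not values from any standard or product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

@dataclass
class LoginEvent:
    when: datetime            # UTC timestamp of the request
    device_id: str
    lat: float
    lon: float
    failed_attempts: int = 0  # failures immediately before this request

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(history, req):
    """Score a request (0-100) against the user's past successful logins."""
    if not history:
        return 50, ["no behavior history"]
    signals = []  # (points, reason); the weights are illustrative assumptions
    if req.device_id not in {e.device_id for e in history}:
        signals.append((30, "unrecognized device"))
    # Current context: hour of day, compared on a 24-hour circle.
    gaps = [abs(req.when.hour - e.when.hour) for e in history]
    if all(min(g, 24 - g) > 2 for g in gaps):
        signals.append((15, "unusual hour"))
    # Behavior history: travel speed implied since the most recent login.
    last = max(history, key=lambda e: e.when)
    hours = (req.when - last.when).total_seconds() / 3600
    dist = km_between(last, req)
    speed = dist / hours if hours > 0 else float("inf")
    if dist > 100 and speed > 900:  # faster than a commercial flight
        signals.append((40, "impossible travel"))
    if req.failed_attempts >= 3:
        signals.append((20, "preceding failed attempts"))
    return min(sum(p for p, _ in signals), 100), [r for _, r in signals]

def decide(score):
    # Allow, require a second factor (step-up), or deny outright.
    return "deny" if score >= 60 else "step_up" if score >= 30 else "allow"

# Constructed sample data: three morning logins from one laptop in London.
def utc(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)
LONDON, SYDNEY = (51.51, -0.13), (-33.87, 151.21)
HISTORY = [LoginEvent(utc(d, h, m), "laptop-1", *LONDON)
           for d, h, m in [(4, 9, 0), (5, 9, 30), (6, 8, 45)]]
REQUESTS = {
    "usual": LoginEvent(utc(7, 10), "laptop-1", *LONDON),
    "new_device": LoginEvent(utc(7, 9, 15), "phone-9", *LONDON),
    "suspicious": LoginEvent(utc(6, 10, 45), "unknown-7", *SYDNEY, failed_attempts=3),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        score, reasons = risk_score(HISTORY, req)
        print(f"{name:10} {score:3} {decide(score):8} {reasons}")
```

The step-up outcome is where the strong authentication mentioned in the same bullet comes in: a moderately risky request is challenged for a second factor rather than refused.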