UNIT V SECURITY

Trust models for Grid security environment – Authentication and Authorization methods – Grid security
infrastructure – Cloud Infrastructure security: network, host and application level – aspects of data
security, provider data and its security, Identity and access management architecture, IAM practices in
the cloud, SaaS, PaaS, IaaS availability in the cloud, Key privacy issues in the cloud.

1. TRUST MODELS FOR GRID SECURITY ENVIRONMENT

 If qualified security mechanisms are not implemented properly in Grid environment the many security
issues may occur.These issues include
o Network sniffers(Spying the traffic to collect o malicious operation(disrupts computer
passwords) operation)
o Out-of-control access o Delegation (Process of handling over the
o Faulty operation authentication credentials to another user).
 Grid (Idea): To share the resources among many organizations and to solve large scale problems.
 Grid sites may exhibit unacceptable security conditions and system vulnerabilities.
 Two parameters are to be satisfy security-assurance condition
 User job demands the resource site to provide security assurance by issuing a Security
Demand (SD).

 The site needs to reveal its trustworthiness, using the parameter trust index (TI).
 If TI ≥ SD ,true leads to satisfaction in security-assurance
 Attributes that are required for determining security demand.
a. Trust model d. Self-defense capability
b. Security policy e. Attack history
c. Accumulated reputation(meaning belief) f. Site vulnerability
 Three challenges to establish the trust among grids
1. 1st challenge : Integration with existing systems and technologies
 Resources sites in a grid are heterogeneous and autonomous.
i. a single type of security is not compatible with and adopted by every hosting environment.
ii. Existing security infrastructure on the sites cannot be replaced overnight.
nd
2. 2 challenge: Interoperability with different ―hosting environments‖.
 Services are often invoked across multiple domains and need to be able to interact with one
another.
 The interoperation is required at the protocol, policy, and identity levels. Therefore for all these
levels, interoperation must be protected securely.

3. 3rd challenge: To construct trust relationships among interacting hosting environments.

 Grid Computing(Goal) : Resource Sharing
 Entities that submit request should believe that resource provider will process the request and
returns the result with QOS.
 Two models to maintain trust relationship
PKI based model (to authenticate & access) and Reputation based model
 There are 3 trust models

1
 a. Generalized Trust Model
b. Reputation-Based Trust Model
c. Fuzzy Trust Model
1.1 Generalized Trust Model

Figure: General trust model for grid computing

 Inference module is required to aggregate factors.

 Following are the inference and aggregation methods
 An intra-site fuzzy inference procedure is called to assess defence capability and direct reputation.
 Defence capability is decided by the firewall, intrusion detection system (IDS), intrusion response
capability, and anti-virus capacity of the individual resource site.
 Direct reputation is decided based on the job success rate, site utilization, job turnaround time,
and job slowdown ratio measured.
 Recommended trust is also known as secondary trust and is obtained indirectly over the grid
network.
1.2 Reputation-Based Trust Model
 Jobs are sent to a resource site only when the site is trustworthy
 Trustworthiness is calculated from the following information
i. Defence capability
 This refers to the site’s ability to protect itself from danger
 Assessed through intrusion detection, firewall, response capabilities, anti-virus capacity, and so
on.
ii. Direct reputation
 Based on the experience of previous jobs.
 Assessed through job execution success rate, cumulative site utilization, job turnaround time, job
slowdown ratio.

 Positive experience improves reputation and Negative experience decreases reputation

iii. Recommendation trust.

1.3 Fuzzy Trust Model(not exact i.e neither 0 nor 1)

 User programs supplies Security Demand(SD)

2
 Trust Index(TI) is aggregated through fuzzy logic inference process
 If TI =0 // Highest Risk =>decrease its reputation
 If TI=1 // Risk Free => improve its reputation
 Fuzzy inference is accomplished thru 4 steps
i. Fuzzification(Converting Fuzzy set to crisp set (0 &1))
ii. Inference (Fetching related results from database based on I/O)
iii. Aggregation (Grouping)
iv. Defuzzification (Converting crisp set to fuzzy set)
 If SD > TI (Should provide more security features i.e., should provide security upgrade)

2. AUTHENTICATION AND AUTHORIZATION METHODS

 Authentication methods in the grid: Passwords, PKI, and Kerberos.
 Password: Simplest method to identify users, but vulnerable.
 PKI: Popular method supported by GSI.
 To implement PKI, trusted third party, called the certificate authority (CA) is used.
 Each user applies a unique pair of public and private keys.
 Public keys: Issued by CA, by issuing a certificate, after recognizing a legitimate (meaning legal)
user.
 Private keys: Exclusive for each user to use, and is unknown to any other users.
 A digital certificate in IEEE X.509 format consists of the user name, user public key, CA name, and
a secrete signature of the user.
 Eg: Proxy Credentials using PKI
 Bob and Charlie both trust Alice, but Charlie does not trust Bob.
 Alice submits a task Z to Bob. The task Z demands many resources for Bob to use,
independently.
 Bob forwards a subtask Y of Z to Charlie. Because Charlie does not trust Bob and is not sure
whether Y is really originally requested by Alice, the subtask Y from Bob is rejected for
resources by Charlie.
 For Charlie to accept the subtask Y, Bob needs to show Charlie some proof of entrust from
Alice.
 A proxy credential is the solution proposed by GSI.
 A proxy credential is a temporary certificate generated by a user.
 Two benefits of using proxy credentials.
a. First
 is used by its holder to act on behalf of the original user or the delegating party.
 A user can temporarily delegate his right to a proxy.
b. Second
 single sign-on can be achieved with a sequence of credentials passed along the trust chain.
 The delegating party (Alice) need not verify the remote intermediate parties in a trust chain.
 The CA certificate is signed first with its own private key. Second, the certificate Alice holds is
signed with the private key of the CA. Finally, the proxy credential sent to her proxy (Bob) is

3
 signed with her private key. The procedure delegates the rights of Alice to Bob by using the
proxy credential. This is called a trust delegation chain.

Figure: Interactions among multiple parties in a sequence of trust delegation operations using the PKI

2.1 Authorization for Access Control

 It is a process to specify access control of shared resources.
 Decisions can be made either at access point of service (or) centralized place.
Access point of service
 Resource is a host that provides processors & storage for services installed in it.
 Set of policies or rules, the resource may enforce access for local servers.
Central Authority
 A special entity of issuing, revoking policies of access rights granted to remote resource.
 Authority can be classified into three categories:
o Attribute authorities : issue attribute assertions
o Policy authorities : issue authorization policies
o Identity authorities : issue certificates.

 The authorization server makes the final authorization decision.

2.2 Three Authorization Models
 Subject-push model: The user conducts handshake with the authority first and then with the
resource site in a sequence.

Fig: Subject-push model

 Resource-pulling model: Puts the resource in the middle. The user checks the resource first. Then
the resource contacts its authority to verify the request, and the authority authorizes at step 3.Finally
the resource accepts or rejects the request from the subject at step 4.

Fig: Resource-pulling model

 Authorization agent model: Puts the authority in the middle. The subject check with the authority
at step 1 and the authority makes decisions on the access of the requested resources. The
authorization process is complete at steps 3 and 4 in the reverse direction.

4
 Fig: Authorization agent model

3. GRID SECURITY INFRASTRUCTURE(GSI)

 grid requires a security infrastructure with the following properties
 easy to use
 conforms with the VO’s security needs while working well with site policies of each resource
provider site
 Provides appropriate authentication and encryption of all interactions.
 GSI is a portion of the Globus Toolkit and provides fundamental security services needed to
support grids such as
 supporting for message protection, authentication and delegation, and authorization.
 GSI enables
 secure authentication and communication over an open network
 permits mutual authentication across and among distributed sites with single sign-on capability.
 No centrally managed security system is required
 GSI supports
a. Message-level security :which uses WS-Security standard and the WS-SecureConversation
specification to provide message protection for SOAP messages
b. Transport-level security: which means authentication via TLS with support for X.509 proxy certificates
3.1 GSI Functional Layers
 GT4 provides distinct WS and pre-WS authentication and authorization capabilities using entity certificates and
proxy certificates.

 Pictorial representation of GSI functional layers

GSI functional layers at the message and transport levels

 GSI is composed of four distinct functions: message protection, authentication, delegation, and
authorization
 Implementations of different standards are used to provide each of these functions
 TLS (transport-level) or WS-Security and WS-SecureConversation (message level) are used as
message protection mechanisms in combination with SOAP.
 X.509 End Entity Certificates or Username and Password are used as authentication credentials
 X.509 Proxy Certificates and WS-Trust are used for delegation
5
  SAML assertions are used for authorization: Security Assertion Markup Language (SAML, pronounced sam-

el) is an XML-based, open-standard data format for exchanging authentication and authorization

data between parties, in particular, between an identity provider and a service provider.
3.2 Message Protection
 Web Services uses SOAP as their message protocol for Communication.
 Message protection can be provided either by
 Transporting SOAP messages over TLS, known as Transport-level security
 Signing and/or encrypting portions of the SOAP message using the WS-Security standard, known as
Message-level Security

3.2.1 Transport-Level Security

 TLS provides for both integrity (reliability) protection and privacy (via encryption).
 Transport-level security uses X.509 credentials for Authentication
 It also provides “anonymous transport-level security.” : Which does not use credentials to provide
message protection without authentication
 In this mode of operation, authentication is done via username and password in a SOAP message.
3.2.2 Message-level Security
 GSI provides message-level security for SOAP messages by implementing the WSSecurity standard
and the WS-Secure Conversation specification.
 WS-Security standard from OASIS defines a framework for applying security to individual SOAP
messages
 WS-Secure Conversation (extension of WS-Security) is a proposed standard from IBM and Microsoft
that allows for an initial exchange of messages to establish a security context which can then be used
to protect subsequent messages in a manner that requires less computational overhead.
or
Web Services Secure Conversation (WS-SecureConversation) provides a secured session for long
running message exchanges
 GSI allows three additional protection mechanisms
1. Integrity protection: by which a receiver can verify that messages were not altered in transit
from the sender.
2. Encryption: by which messages can be protected to provide confidentiality.
3. Replay prevention: receiver can verify that it has not received the same message previously.
 These protections are provided between WS-Security and WS-SecureConversation.
3.3. Authentication and Delegation
 GSI uses of X.509 certificates and public keys for authentication and delegation.
 certificate includes four primary information:
1. a subject name: which identifies the person or object that the certificate represents
2. the public key belonging to the subject
3. the identity of a CA that has signed the certificate to certify that the public key and the identity
both belong to the subject
4. The digital signature of the named CA.

6
 GSI also supports delegation and single sign-on through the use of standard X.509 proxy certificates.

Mutual Authentication between Two Parties

 Mutual authentication is a process by which two parties authenticating each other through digital certificate so
that both parties are assured of the others' identity .

 GSI uses the Secure Sockets Layer (SSL) for its mutual authentication protocol.
 To mutually authenticate, the first person (Alice) establishes a connection to the second person (Bob)
to start the authentication process

 Alice gives Bob her certificate.

 The certificate tells Bob who is Alice , her public key and what CA is being used to certify the
certificate.
 Bob verifies Alice’s certificate by checking the CA’s digital signature to make sure the CA actually
signed the certificate and the certificate hasn’t been tampered with.
 Once Bob has checked out Alice’s certificate, Bob must make sure Alice really is the person
identified in the certificate.
 Bob generates a random message and sends it to Alice, asking Alice to encrypt it.
 Alice encrypts the message using her private key, and sends it back to Bob. Bob decrypts the
message using Alice’s public key. If this results in the original random message, Bob knows Alice is
who she says she is.
 Now that Bob trusts Alice’s identity, the same operation must happen in reverse. Bob sends Alice
his certificate, and Alice validates the certificate and sends a challenge message to be encrypted.
Bob encrypts the message and sends it back to Alice, and Alice decrypts it and compares it with
the original. If it matches, Alice knows Bob is who he says he is.
3.4 Trust Delegation
 GSI provides a delegation capability and a delegation service that provides an interface to allow
clients to delegate (and renew) X.509 proxy certificates to a service.
 The interface to this service is based on the WS-Trust specification
 A proxy consists of a new certificate and a private key.
 The key pair that is used for the proxy is the public key embedded in the certificate and the
private key

7
 The new certificate contains the owner’s identity, modified slightly to indicate that it is a proxy.
 The new certificate is signed by the owner, rather than a CA.
 Certificate also contains validity period
 Pictorial representation of trust delegation

Figure: A sequence of trust delegations in which new certificates are signed by the owners rather by the CA.

 Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual
authentication without entering a password.
 For Mutual Authentication
 When proxies are used, the remote party receives not only the proxy’s certificate (signed by the
owner), but also the owner’s certificate.
 During mutual authentication, the owner’s public key (obtained from her certificate) is used to
validate the signature on the proxy certificate.
 The CA’s public key is then used to validate the signature on the owner’s certificate.
 This establishes a chain of trust from the CA to the last proxy through the successive owners of
resources
Note:
 GSI uses WS-Security with usernames and passwords.
 When using usernames and passwords as opposed to X.509 credentials, the GSI provides
authentication, but no advanced security features such as delegation, confidentiality, integrity, and
replay prevention.

4. Cloud Infrastructure Security : Network, Host and Application Level

 Cloud computing security challenges fall into three broad categories:
 Data Protection: Securing your data both at rest and in transit
 User Authentication: Limiting access to data and monitoring who accesses the data
 Disaster and Data Breach(i.e., break) Contingency(i.e., emergency)Planning
4.1 Infrastructure Security
 Threats , Challenges and Guidance –associated with securing an organization’s core IT infrastructure
at i) Network Level ii) Host Level iii) Application Level
 Infrastructure security is different from IaaS security
4.1.1 Infrastructure Security – Network Level
 With private clouds, there are no new attacks, vulnerabilities, or changes in risk specific to this
topology.

8
 to use public cloud services, changing security requirements will require changes to your network
topology.
 Pictorial Representation of topological similarities between a secure extranet and a private cloud.

 Four significant risk factors are

 Ensuring the confidentiality and integrity of your organization’s data-in-transit to and from your
public cloud provider
 Ensuring proper access control (authentication, authorization, and auditing) to whatever resources
you are using at your public cloud provider
 Ensuring the availability of the Internet-facing resources in a public cloud that are being used by
your organization, or have been assigned to your organization by your public cloud providers
 Replacing the established model of network zones and tiers with domains
4.1.1.1 Ensuring Data Confidentiality and Integrity
 Resources and data previously confined(meaning is restricted) to a private network are now
exposed to the Internet, and to a shared public network belonging to a third‐party cloud provider.
 An example of problems associated with this risk factor is an Amazon Web Services (AWS)
security vulnerability reported in December 2008, digital signature algorithm used in query
request
4.1.1.2 Ensuring Proper Access Control
 Network resources that are put in public cloud, face many risk to its data.
 Ability to audit the operation of our cloud provider’s network in non existent
 Associated problems are
issue of reused (reassigned) IP addresses. (cloud providers do not sufficiently ―age‖ IP
Addresses when they are no longer needed for one customer)
4.1.1.3 Ensuring the Availability of Internet‐Facing Resources
9
Risk factor associated with this risk
1. BGP(Broader Gateway Protocol ) prefix hijacking/IP hijacking/route hijacking
Stealing IP addresses belonging to other networks
or
announcing an autonomous system address space that belongs to someone else without her
permission. Such announcements often occur because of a configuration mistake.

2. DNS attacks/ DNS cache poisoning/DNS Cache Poisoning/DNS Spoofing

attacks whereby a DNS server is tricked into accepting incorrect information
or
is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert
Internet traffic away from legitimate servers and towards fake ones.
3. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
 Denial-of-service (DoS) attack is an attempt to make a machine or network resource
unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend
services of a host connected to the Internet.
 DDoS is a type of DOS attack where multiple compromised systems, which are often infected
with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack
4.1.1.4 Replacing the Established Model of Network Zones and Tiers with Domains
network security has relied on zones, such as intranet versus extranet Now uses Security Groups

4.2 Infrastructure Security: The Host Level

 The host level security threats are related to cloud services models (SaaS, PaaS, and IaaS) and
deployment models (public, private, and hybrid).
 Some of virtualization security threats related to public cloud
 VM escape
 system configuration
 drift
 insider threats by way of weak access control to the hypervisor
4.2.1 SAAS and PAAS Host Security Cloud Service Provider

 For providing security CSPs do not publicly share their information related to their host platforms, host
operating systems, and the processes

10
 In SaaS (e.g., Salesforce.com, Workday.com) or PaaS (e.g., Google App Engine, Salesforce.com’s
Force.com) cloud services, host security is opaque(meaning not clear) to customers
 Informations are shared between CSP and customers based on non disclosure agreement (NDA) or share the
information via a controls assessment Framework such as SysTrust or ISO 27002.

 Both the PaaS and SaaS platforms abstract and hide the host operating system from end users with a
host abstraction layer
 SaaS or a PaaS customer, rely on the CSP to provide a secure host platform
 Host security responsibilities in SaaS and PaaS services are transferred to the CSP.

PAAS SAAS
Users are given indirect access to the The abstraction layer is not visible to
host abstraction layer in the form of a users and is available only to the
PaaS application programming interface developers and the CSP’s operations
(API) that in turn interacts with the host staff.
abstraction layer.

4.2.2 IaaS Host Security

 IaaS customers are primarily responsible for securing the hosts provisioned in the cloud.
 Almost all IaaS services available today employ virtualization at the host layer
 host security in IaaS should be categorized as follows:
o Virtualization software security
o Customer guest OS or virtual server security
 Virtualization software security
 Virtualization software layer sits on top of bare metal and provides customers the ability to create
and destroy virtual instances.
 Virtualization at the host level can be accomplished using any of the virtualization models
o OS level virtualization
o Hardware based virtualization (Xen,VMware,Microsoft HyperV).
o Para Virtualization
 It is important to secure this layer of software that sits between the hardware and the virtual
servers.
 Hardware or OS virtualization enables the sharing of hardware resources across multiple guest VMs
without interfering with each other so that you can safely run several operating systems and
applications at the same time on a single computer
 Customer guest OS or virtual server security
 The virtual instance of an operating system that is provisioned on top of the virtualization layer
and is visible to customers from the Internet. e.g., various flavors of Linux, Microsoft, and Solaris.
Customers have full access to virtual servers.
 Customers of IaaS have full access to the virtualized guest VMs that are hosted and isolated from
each other by hypervisor technology.
 Customers are responsible for securing and ongoing security management of the guest VM.

11
  From an attack surface perspective, the virtual server (Windows, Solaris, or Linux) may be
accessible to anyone on the Internet, so to provide security, the CSP blocks all port access to
virtual servers and recommends the customers to use port 22 (Secure Shell or SSH)
Some of the new host security threats in the public IaaS include:
 Stealing keys (e.g., SSH private keys)
 Listening on standard ports (e.g., FTP, NetBIOS, SSH)
 Hijacking accounts that are not properly secured (i.e., weak or no passwords for standard accounts)
 Attacking systems that are not properly secured by host firewalls.
 Deploying Trojans embedded in the software component in the VM or within the VM image (the OS)
itself.
Securing virtual servers
 Track the inventory of VM images and OS versions
 Protect the integrity of the image from unauthorized access.
 Isolate the decryption keys from the cloud where the data is hosted
 Run a host firewall and open only the minimum ports necessary to support the services on an
instance.
 Run only the required services and turn off the unused services (e.g., turn off FTP, print services,
network file services, and database services if they are not required).
 If you suspect a compromise, shut down the instance, snapshot your block volumes, and back up the
root file system.
Security Controls at the host level
Preventive Controls Firewall, Strong Authentication
Detective Controls By maintaining logs, host-based IDS/IPS

4.3 Infrastructure Security: The Application Level

The application security spectrum ranges from standalone single-user applications to sophisticated
multiuser e-commerce applications used by millions of users
4.3.1 Application-Level Security Threats
 All web frameworks and all types of web applications are at risk of web application security
defects ranging from insufficient validation to application logic errors.
 use a combination of perimeter security controls and network- and host-based access controls
to protect web applications deployed in a tightly controlled environment, including corporate
intranets and private clouds, from external hackers.
 web applications deployed in a public cloud (the SPI model) must be designed for an Internet threat
model, and security must be embedded into the Software Development Life Cycle (SDLC)

12
 Fig:The SDLC
4.3.1.1 Dos and EDoS:‐(Denial of Service and Economic Denial of Sustainability).
 Application‐level DoS and DDoS attacks typically originate from compromised computer systems attached to
the Internet

 Application-level DoS and DDoS attacks disrupt cloud services for an extended time.
 A Denial of Service (DoS) attack is one in which a server or service is ―overwhelmed‖ by traffic and
consequently either disabled or made unavailable to its customers. Effect on the target of a DoS attack
is a loss of business.
 EDOS(economic denial of sustainability (EDoS)): if your cloud-based service is designed to scale up

automatically (which some like Amazon EC2 are), then an attacker can grief you economically by
sending a huge number of (automated) requests but are actually fake. Your costs will rise as you scale
up, using more and/or larger servers (automatically) to service those fake requests.
 DoS attacks on pay-as-you-go cloud applications will result in a dramatic increase in cloud utility bill: increased
use of network bandwidth, CPU, and storage consumption. This type of attack is also being characterized as
economic denial of sustainability
 Apart from disrupting cloud services, resulting in poor user experience and service‐level impacts, DoS
attacks can quickly drain our company’s cloud services budget
4.3.1.2 End User Security
 Customer of a cloud service, are responsible for end user security tasks: Security procedures to
protect your Internet-connected PC—and for practicing ―safe surfing.‖
 Protection measures include use of security software, such as anti-malware, antivirus, personal firewalls,
security patches, and IPS-type software on your Internet-connected computer.

 To achieve end‐to‐end security in a cloud, it is essential for customers to maintain good browser hygiene.
This means keeping the browser (e.g., Internet Explorer, Firefox, Safari) patched (patch is a piece of
software designed to update a computer program) and updated to mitigate(less serious) threats
related to browser vulnerabilities.
4.3.1.3 Who Is Responsible for Web Application Security in the Cloud?

 Depending on the cloud services delivery model (SPI) and service‐level agreement (SLA), the scope of
security responsibilities will fall on the shoulders of both the customer and the cloud provider.
 The key is to understand what our security responsibilities are versus those of the CSP.
 CPS should provide the following to the cloud users
 Confidentiality  Reliability

13
 Availability  Integrity
 The following sections discuss the web application security in the context of the SPI cloud service
delivery model:‐
1. SaaS Application Security
 SaaS providers are largely responsible for securing the applications and components they offer to customers
 Customers are responsible for operational security functions, including user and access management
as supported by the provider.
 Customers must, request information related to the provider’s security practices. under NDA.
 This information should encompass
1. Design 4. Black‐and white‐box application security
2. Architecture testing
3. Development 5. Release management.
 Some customers go to the extent of hiring independent security vendors to perform penetration
testing (black-box security testing) of SaaS applications (with consent from the provider) to gain
assurance independently.

Preventive Identity management, multifactor authentication, endpoint security

Controls measures
Detective Controls Login history and available reports from SaaS Vendors
2. PaaS Application Security
 PaaS vendors broadly fall into the following two major categories:
o Software vendors (e.g., Bungee, Etelos, GigaSpaces, Eucalyptus)
o CSPs (e.g., Google App Engine, Salesforce.com’s Force.com, Microsoft Azure)
 PaaS application security encompasses two software layers:
 Security of the PaaS platform itself (i.e., runtime engine)
 Security of customer applications deployed on a PaaS platform

Preventive Controls User Authentication, account management, antivirus, IPS

Detective Controls Application vulnerability scanning

3. IaaS Application Security

 IaaS cloud providers (e.g., Amazon EC2, GoGrid, and Joyent) treat the applications on customer
virtual instances as a black box.
 The entire stack - customer applications, runtime application platform (Java, .NET, PHP, Ruby on
Rails, etc.), and so on runs on the customer’s virtual servers and is deployed and managed by
customers.
 Customers have full responsibility for securing their applications deployed in the IaaS cloud.
 Developers writing applications for IaaS clouds must implement their own features to handle
authentication and authorization.

Preventive Controls Applications are developed using security embedded SDLC process, user
authentication, access control, account management.
Detective Controls Logging event correlation, application vulnerability scanning and monitoring
14
5. Aspects of Data Security
 Security is important in cloud at all ―levels‖ of services
a) infrastructure-as-a-service (IaaS)
b) platform-as-a-service (PaaS)
c) software-as-a-service (SaaS)
 Aspects of data security, includes the following
1. Data-in-transit 4. Data lineage
2. Data-at-rest 5. Data provenance
3. Data Processing 6. Data Remanence
5.1 Data-in-transit
 Data’s are encrypted during transfer (i.e) to and from cloud service provider.
 The transmission protocols should provide authentication and confidentiality
 Eg: FTP, HTTP, Secure Copy Programs(CSP):These protocols are used for transferring data across
the Internet.
5.2 Data-at-rest (refers to Stored at data centers)
 If stored data is a simple storage then encrypting the data at rest is simple
 Data-at-rest used by a cloud-based application is generally not encrypted, because encryption
would prevent indexing or searching of that data.
5.3 Data Processing
 Data is never encrypted when it is processed
 Homomorphism encryption allows processing the encrypted data without decrypting the data.
 By using Predicate encryption, it is possible to process only some amount of encrypted data.
5.4 Data lineage
 It is necessary to know exactly where and when the data was specifically located within the cloud
(for audit or compliance purposes).
 Example
 Data is transferred to a cloud provider, such as Amazon Web Services (AWS), on date x1 at
time y1.
 Then processed on date x2 at time y2
 Brought back into the organization for storage in an internal data warehouse on date x3 at time
y3.
 Following the path of data (mapping application data flows or data path visualization) is known
as data lineage, and it is important for an auditor’s assurance (internal, external, and
regulatory).
5.5 Data provenance
 Integrity of data refers to data that has not been changed in an unauthorized manner or by an
unauthorized person.
 Provenance means not only that the data has integrity, but also that it is computationally accurate;
that is, the data was accurately calculated.

15
  Eg:Consider the following financial equation: SUM((((2*3)*4)/6)−2) = $2.00
5.6 Data Remanence
 Data remanence is the residual (meaning remaining) representation of data that has been in some
way erased or removed.
 This residue may be due to data being left after performing a nominal delete operation, or through
physical properties of the storage medium.
 Data Remanence can be removed by
o “Clearing and Sanitization”
Instructions on clearing, sanitization, and release of information systems (IS) media shall be
issued by the accrediting Cognizant Security Agency (CSA).
o “Clearing”
Clearing is the process of eradicating the data on media before reusing the media in an
environment that provides an acceptable level of protection for the data that was on the media
before clearing.
o “Sanitization”
Sanitization is the process of removing the data from media before reusing the media in an
environment that does not provide an acceptable level of protection for the data that was on
the media before sanitizing.
6. Providers Data & its Security
 Cloud users should be aware of how their own data is secured and they should know the following
o How the data is protected
o How the metadata is formed for cloud users
o How the security related data is protected by provider
o How data is collected, monitored by firewall and Intrusion Prevention System.
o The following has to be completely aware by cloud users : Data Storage , Confidentiality, Integrity,
Availability
 Data Storage: Confidentiality of data, Integrity of data, Availability of data
 Data Confidentiality
 Access control mechanism used for protecting data
 How the data is actually protected
 Access Control Mechanism
 Has both authentication and authorization
 Cloud service provider use weak authentication mechanism and they try to provide
administrator authorization
 Data Protection
 When the Encrypted data is stored in the cloud
 Where the encrypted data is stored
 What is the key strength of encryption
 Who will encrypt the data? Either cloud user or cloud service provider
 What type of encryption(Symmetric or Asymmetric)
16
Symmetric Encryption
 Sender encrypts the plain text using shared key resulting in a cipher text. Receiver decrypts the cipher
text using the same shared key

Asymmetric Encryption
 Sender encrypts the plain text using receiver’s public key resulting in a cipher text. Receiver decrypts
the cipher text using the receiver’s private key.

 Data Integrity
 Data Integrity can be assured by using Message Authentication code(MAC) on encrypted
data by using block symmetric encryption algorithm
 Hash function is used for creating MAC code
 Data Availability
 This is assured by maintaining Backups.
 In case of any disaster or failure data’s can retrieved from backup’s
7. Identity and Access Management

 Identity and access management (IAM) is the security and business discipline that "enables the
right individuals to access the right resources at the right times and for the right reasons."
Or
 IAM technology can be used to initiate, capture, record and manage user identities and their related
access permissions in an automated fashion
IAM Functions
a. Authentication
o Authentication is the process of verifying the identity of a user or system (e.g., Lightweight
Directory Access Protocol [LDAP] verifying the credentials presented by the user)
o LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate
organizations, individuals, and other resources such as files and devices in a network, whether on
the public Internet or on a corporate intranet
b. Authorization
17
  Authorization is the process of determining the privileges the user or system is entitled to once the
identity is established (in other words, authorization is the process of enforcing policies.)
c. Auditing
 In IAM, auditing is the process of reviewing and examination of authentication, authorization
records, and activities to determine the adequacy(satisfactory) of IAM.
7.1 IAM Architecture and Practice
 IAM is not a monolithic solution that can be easily deployed to gain capabilities immediately
 IAM components/process can be classified
1. Authentication management
2. User Management
3. Authorization Management
4. Access Management
5. Data management and provisioning
6. Monitoring and auditing

18
 Pictorial representation of IAM components

1. Authentication management
process for determining that an entity is who or what it claims to be.
2. User Management
 User management module defines the set of administrative functions such as identity creation,
propagation, and maintenance of user identity and privileges.
 One of its components is user life cycle management that enables an enterprise to manage the

lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning

19
3. Authorization
 Authorization determines whether a user is permitted to access a particular resource.
Or
process for determining entitlement(privilege) rights that decide what resources an entity is permitted to access
in accordance with the organization’s policies

4. Access management/rights management/identity management

 Granting permission to access resource within the organization in response to a request from an

authorized entity.
 Access management is the process of granting authorised users the right to use a service, while preventing
access to non-authorised users.
5. Data management and provisioning
Propagation of identity and data for authorization to resources via automated or manual processes
6. Monitoring and auditing
Monitoring, auditing, and reporting compliance(meaning is conformity) by users regarding access to
resources within the organization based on the defined policies
7.2 IAM processes support the following operational activities
1. Provisioning
Process provides users access to data repositories or systems, applications, and databases based on a
unique user identity.

2. Credential and attribute management

 processes designed to manage the life cycle of credentials(certificate/ID) and user attributes—create,
issue, manage, revoke—to minimize the business risk associated with identity.
 Credentials are usually bound to an individual and are verified during the authentication process.

3. Entitlement management/authorization policies/access rights

20
 the collection of access rights to perform transactional functions
or
ensures that users are assigned only the required privileges (least privileges) that match with
their job functions.
 Is used to strengthen the security of web services, web applications, legacy applications, documents
and files, and physical security systems.
4. Compliance management
process implies that access rights and privileges are monitored and tracked to ensure the security of an
enterprise’s resources.
5. Identity federation management
A federation is an association of organizations that come together to exchange information about their
users and resources to enable collaborations and transactions (process of managing the trust relationships
established beyond the internal network boundaries)
6. Centralization of authentication (authN) and authorization (authZ)
A central authentication and authorization infrastructure ease the need for application developers to build
custom (tradition)authentication and authorization features into their applications.
8. SaaS, PaaS, IaaS availability in the cloud
8.1 SaaS AVAILABILITY
 SaaS service providers are responsible for business continuity, application, and infrastructure
security management processes.
 The tasks which IT organization once handled will now be handled by the CSP.
 Customers can avail the services through SLA.
 In some cases, SaaS vendors may not offer SLAs and may simply address service terms and
conditions.
 Examples for Saas SLA:
a. Example-1: Salesforce.com(SaaS provider) does not offer a standardized SLA that describes
and specifies performance criteria and service commitments.
b. Example-2: CRM SaaS provider, NetSuite, offers the following SLA clause:
 Uptime Goal—NetSuite commits to provide 99.5% uptime.
 Scheduled and Unscheduled Maintenance.
 Regularly scheduled maintenance time does not count as downtime.
 Maintenance time is regularly scheduled if it is communicated at least two full business days
in advance of the maintenance time.
 NetSuite hereby provides notice that every Saturday night 10:00pm–10:20pm Pacific Time
is reserved for routine scheduled maintenance for use as needed.
c. Example-3 : Google Apps Agreement
 Google Apps Covered Services web interface will be operational and available to Customer
at least 99.9% of the time in any calendar month (the ―Google Apps SLA‖).
8.1.1 Customer Responsibility
 Customers should

21
 1. understand the SLA and communication methods (e.g., email, RSS feed, website URL with outage
information) to stay informed on service outages.
2. use automated tools such as Nagios or Siteuptime.com to verify the availability of the SaaS
service.
3. understand the availability management factors, including the SLA of the service, and clarify with
the CSP any gaps in SLA exclusions and service credits when disruptions occur.
 Communication and clear expectations are required for service provider and their customers to identify
what is important and realistic with respect to standards and expectations.
 Customers of cloud services makes use of a multitenant service delivery model (The term "software
multitenancy" refers to a software architecture in which a single instance of software runs on a server
and serves multiple tenants) is usually designed with a ―one size fits all‖ operating principle, which
means CSPs typically offer a standard SLA for all customers.
 Most SaaS providers use virtualization technologies to deliver a multitenant service.
 If the resources (network, CPU, memory, storage) are not allocated in a fair manner across the
tenants to perform the workload, it is possible that a highly demanding tenant may starve other
tenants, which can result in lower service levels or poor user experience.
8.1.2. Eg: SaaS Health Monitoring
 The following options are available to customers to stay informed on the health of their service:
 Service health dashboard published by the CSP.
 SaaS providers publish the current state of the service, current outages that may impact
customers, and upcoming scheduled maintenance services on their website .
 The Cloud Computing Incidents Database (CCID). (This database is generally community
supported, and may not reflect all CSPs and all incidents that have occurred.)
 Customer mailing list that notifies customers of occurring and recently occurred outages.
 Internal or third-party-based service monitoring tools that periodically check SaaS provider
health and alert customers when service becomes unavailable (e.g., Nagios monitoring tool).
 RSS feed hosted at the SaaS service provider
8.2 PaaS AVAILABILITY
 In PaaS service, customers (developers) build and deploy PaaS applications on top of the CSP-supplied
PaaS platform.
 The PaaS platform is typically built on a CSP owned and managed network, servers, operating
systems, storage infrastructure, and application components (web services).
 PaaS applications are assembled with CSP-supplied application components.
 Example-1
 A social network application on the Google App Engine that depends on a Facebook application for
a contact management service.
 The customer is responsible for managing the availability of the customer developed application
and third-party services, and the PaaS.
 CSP is responsible for the PaaS platform and any other services supplied by the CSP.

22
 Example-2:Force.com is responsible for the management of the AppExchange platform, and customers
are responsible for managing the applications developed and deployed on that platform.
 PaaS providers may also offer a set of web services, including a message queue service, identity
and authentication service, and database service, and application may depend on the availability of
those service components (an example is Google’s BigTable).
 PaaS platform enforces quotas on compute resources (CPU, memory, network I/O).
 On reaching the thresholds (upper limit) of the quota, the application may not be able to respond
within the normal latency expectations and could eventually become unavailable.
 Eg: the Google App Engine has a quota system whereby each App Engine resource is measured
against one of two kinds of quotas:
1. a billable quota
2. a fixed quota.
 Billable quotas are resource maximums set by customers, to prevent the cost of the application
from exceeding budget.
 Fixed quotas are resource maximums set by the App Engine to ensure the integrity of the system.

8.2.1 Customer Responsibility

 Customer should analyze the dependencies of the application on the third-party web services
(components) and outline a management strategy to manage and monitor all the dependencies.
 The following considerations are for PaaS customers:
 PaaS platform service levels
o Customers should carefully review the terms and conditions of the CSP’s SLAs and
understand the availability constraints.
 Third-party web services provider service levels
o When PaaS application depends on a third-party service, it is critical to understand the SLA
of that service.
 Network connectivity parameters for the network (Internet)-connecting PaaS platform with third-
party service providers
o The parameters typically include bandwidth and latency factors.
8.2.2 Paas Health Monitoring
 PaaS applications are always web-based applications hosted on the PaaS CSP platform (e.g., Java or
Python application hosted on the Google App Engine).
 Customers should monitor their application, as well as the third-party web component services.
 Customer should configure management tools to monitor the health of web services. This will require
the knowledge of the web services protocol (HTTP, HTTPS) and the required protocol parameters (e.g.,
URI) to verify the availability of the service.
 Monitoring can be done through application programming interfaces (APIs), monitoring application can
involve a standard web services protocol, such as Representational State Transfer (REST), Simple
Object Access Protocol (SOAP), eXtensible Markup Language/ Hypertext Transfer Protocol (XML/HTTP),
and in a few cases, proprietary protocols.

23
 The following options are available to customers to monitor the health of their service:
1. Service health dashboard published by the CSP
2. CCID (this database is generally community-supported, and may not reflect all CSPs and all
incidents that have occurred)
3. CSP customer mailing list that notifies customers of occurring and recently occurred outages
4. RSS feed for RSS readers with availability and outage information
5. Internal or third-party-based service monitoring tools that periodically check PaaS application,
as well as third-party web services that monitor application (e.g., Nagios monitoring tool)

8.3 IaaS AVAILABILITY

 IaaS delivery model should include both a computing and storage (persistent and ephemeral)
infrastructure in the cloud.
 IaaS providers may also offer other services such as account management, a message queue service,
an identity and authentication service, a database service, a billing service, and monitoring services.
 Customers are responsible for all aspects of availability management since they are responsible for
provisioning and managing the life cycle of virtual servers.
 Managing IaaS virtual infrastructure in the cloud depends on five factors:
1. Availability of a CSP network, host, storage, and support application infrastructure. This factor
depends on the following:
a. CSP data center architecture, including a geographically diverse and fault-tolerance
architecture.
b. Reliability, diversity, and redundancy of Internet connectivity used by the customer and
the CSP.
c. Reliability and redundancy architecture of the hardware and software components used for
delivering compute and storage services.
d. Availability management process and procedures, including business continuity processes
established by the CSP.
2. Availability of virtual servers and the attached storage for computer services.
3. Availability of virtual storage that users and virtual server depend on for storage service.
a. This includes both synchronous and asynchronous storage access.
b. Synchronous storage access demand low data access latency and continuous availability.
c. Eg: synchronous storage include database transactions, video streaming, and user
authentication. Inconsistency or disruptions to storage in synchronous storage has a higher
impact on overall server and application availability.
d. Asynchronous access is more tolerant to latency and availability.
e. Eg: cloud-based storage service for backing up computer over the Internet.
4. Availability of network connectivity to the Internet or virtual network connectivity to IaaS services.
5. Availability of network services, including a DNS, routing services, and authentication services
required to connect to the IaaS service.
8.3.1 IaaS Health Monitoring

24
  The following options are available to IaaS customers for managing the health of their service:
 Service health dashboard published by the CSP.
 CCID (this database is generally community-supported, and may not reflect all CSPs and all
incidents that have occurred).
 CSP customer mailing list that notifies customers of occurring and recently occurred outages.
 Internal or third-party-based service monitoring tools (e.g., Nagios) that periodically check the
health of IaaS virtual server.
 Web console or API that publishes the current health status of virtual servers and network.
9. Key Privacy Issues
 The Key Privacy Issues of the cloud are as follows,
1. Access 5. Destruction
2. Compliance 6. Auditing
3. Storage 7. Monitoring
4. Retention 8. Privacy
9.1 Access: Individual should be able to access all their personal information based on their request.

9.2 Compliance (meaning agreement)

 What are the privacy compliance requirements in the cloud?
 What are the applicable laws, regulations, standards, and contractual commitments that govern
this information, and who is responsible for maintaining the compliance?
 How are existing privacy compliance requirements impacted by the move to the cloud?
 Clouds can cross multiple jurisdictions; for example, data may be stored in multiple countries, or in
multiple states within the Country
9.3 Storage
 Where is the data in the cloud stored?
 Was it transferred to another data center in another country?
 Is it commingled (meaning mixed) with information from other organizations that use the same
Cloud Service Provider (CSP)?
 Privacy laws in various countries place limitations on the ability of organizations to transfer some
types of personal information to other countries.
 Data transfer from one data centre to another, may occur without the knowledge of the
organization, resulting in a violation of the local law.
9.4 Retention (meaning preservation)
 How long is personal information retained in cloud?
 Which retention policy governs the data?
 Does the organization own the data, or the CSP?
 Who enforces the retention policy in the cloud?
9.5 Destruction
 How does the cloud provider destroy PII (Personally Identifiable Information) at the end of the
retention period?

25
  How do organizations ensure that their PII is destroyed by the CSP at the right point and is not
available to other cloud users?
 How do they know that the CSP didn’t retain additional copies?
 Did the CSP really destroy the data, or just make it inaccessible to the organization?
 Is the CSP keeping the information longer than necessary so that it can mine the data for its own
use?
9.6 Audit and monitoring
 How can organizations monitor their CSP and provide assurance to relevant stakeholders that
privacy requirements are met when their PII is in the cloud?
9.7 Privacy breaches (meaning break)
 How do you know that a breach has occurred?
 How do you ensure that the CSP notifies you when a breach occurs?
 Who is responsible for managing the breach notification process and costs associated with the
process?

26