Unit V Security
Unit V Security
Trust models for Grid security environment – Authentication and Authorization methods – Grid security
infrastructure – Cloud Infrastructure security: network, host and application level – aspects of data
security, provider data and its security, Identity and access management architecture, IAM practices in
the cloud, SaaS, PaaS, IaaS availability in the cloud, Key privacy issues in the cloud.
The site needs to reveal its trustworthiness, using the parameter trust index (TI).
If TI ≥ SD ,true leads to satisfaction in security-assurance
Attributes that are required for determining security demand.
a. Trust model d. Self-defense capability
b. Security policy e. Attack history
c. Accumulated reputation(meaning belief) f. Site vulnerability
Three challenges to establish the trust among grids
1. 1st challenge : Integration with existing systems and technologies
Resources sites in a grid are heterogeneous and autonomous.
i. a single type of security is not compatible with and adopted by every hosting environment.
ii. Existing security infrastructure on the sites cannot be replaced overnight.
nd
2. 2 challenge: Interoperability with different ―hosting environments‖.
Services are often invoked across multiple domains and need to be able to interact with one
another.
The interoperation is required at the protocol, policy, and identity levels. Therefore for all these
levels, interoperation must be protected securely.
1
a. Generalized Trust Model
b. Reputation-Based Trust Model
c. Fuzzy Trust Model
1.1 Generalized Trust Model
2
Trust Index(TI) is aggregated through fuzzy logic inference process
If TI =0 // Highest Risk =>decrease its reputation
If TI=1 // Risk Free => improve its reputation
Fuzzy inference is accomplished thru 4 steps
i. Fuzzification(Converting Fuzzy set to crisp set (0 &1))
ii. Inference (Fetching related results from database based on I/O)
iii. Aggregation (Grouping)
iv. Defuzzification (Converting crisp set to fuzzy set)
If SD > TI (Should provide more security features i.e., should provide security upgrade)
3
signed with her private key. The procedure delegates the rights of Alice to Bob by using the
proxy credential. This is called a trust delegation chain.
Figure: Interactions among multiple parties in a sequence of trust delegation operations using the PKI
Resource-pulling model: Puts the resource in the middle. The user checks the resource first. Then
the resource contacts its authority to verify the request, and the authority authorizes at step 3.Finally
the resource accepts or rejects the request from the subject at step 4.
4
Fig: Authorization agent model
GSI is composed of four distinct functions: message protection, authentication, delegation, and
authorization
Implementations of different standards are used to provide each of these functions
TLS (transport-level) or WS-Security and WS-SecureConversation (message level) are used as
message protection mechanisms in combination with SOAP.
X.509 End Entity Certificates or Username and Password are used as authentication credentials
X.509 Proxy Certificates and WS-Trust are used for delegation
5
SAML assertions are used for authorization: Security Assertion Markup Language (SAML, pronounced sam-
el) is an XML-based, open-standard data format for exchanging authentication and authorization
data between parties, in particular, between an identity provider and a service provider.
3.2 Message Protection
Web Services uses SOAP as their message protocol for Communication.
Message protection can be provided either by
Transporting SOAP messages over TLS, known as Transport-level security
Signing and/or encrypting portions of the SOAP message using the WS-Security standard, known as
Message-level Security
6
GSI also supports delegation and single sign-on through the use of standard X.509 proxy certificates.
GSI uses the Secure Sockets Layer (SSL) for its mutual authentication protocol.
To mutually authenticate, the first person (Alice) establishes a connection to the second person (Bob)
to start the authentication process
7
The new certificate contains the owner’s identity, modified slightly to indicate that it is a proxy.
The new certificate is signed by the owner, rather than a CA.
Certificate also contains validity period
Pictorial representation of trust delegation
Figure: A sequence of trust delegations in which new certificates are signed by the owners rather by the CA.
Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual
authentication without entering a password.
For Mutual Authentication
When proxies are used, the remote party receives not only the proxy’s certificate (signed by the
owner), but also the owner’s certificate.
During mutual authentication, the owner’s public key (obtained from her certificate) is used to
validate the signature on the proxy certificate.
The CA’s public key is then used to validate the signature on the owner’s certificate.
This establishes a chain of trust from the CA to the last proxy through the successive owners of
resources
Note:
GSI uses WS-Security with usernames and passwords.
When using usernames and passwords as opposed to X.509 credentials, the GSI provides
authentication, but no advanced security features such as delegation, confidentiality, integrity, and
replay prevention.
8
to use public cloud services, changing security requirements will require changes to your network
topology.
Pictorial Representation of topological similarities between a secure extranet and a private cloud.
For providing security CSPs do not publicly share their information related to their host platforms, host
operating systems, and the processes
10
In SaaS (e.g., Salesforce.com, Workday.com) or PaaS (e.g., Google App Engine, Salesforce.com’s
Force.com) cloud services, host security is opaque(meaning not clear) to customers
Informations are shared between CSP and customers based on non disclosure agreement (NDA) or share the
information via a controls assessment Framework such as SysTrust or ISO 27002.
Both the PaaS and SaaS platforms abstract and hide the host operating system from end users with a
host abstraction layer
SaaS or a PaaS customer, rely on the CSP to provide a secure host platform
Host security responsibilities in SaaS and PaaS services are transferred to the CSP.
PAAS SAAS
Users are given indirect access to the The abstraction layer is not visible to
host abstraction layer in the form of a users and is available only to the
PaaS application programming interface developers and the CSP’s operations
(API) that in turn interacts with the host staff.
abstraction layer.
11
From an attack surface perspective, the virtual server (Windows, Solaris, or Linux) may be
accessible to anyone on the Internet, so to provide security, the CSP blocks all port access to
virtual servers and recommends the customers to use port 22 (Secure Shell or SSH)
Some of the new host security threats in the public IaaS include:
Stealing keys (e.g., SSH private keys)
Listening on standard ports (e.g., FTP, NetBIOS, SSH)
Hijacking accounts that are not properly secured (i.e., weak or no passwords for standard accounts)
Attacking systems that are not properly secured by host firewalls.
Deploying Trojans embedded in the software component in the VM or within the VM image (the OS)
itself.
Securing virtual servers
Track the inventory of VM images and OS versions
Protect the integrity of the image from unauthorized access.
Isolate the decryption keys from the cloud where the data is hosted
Run a host firewall and open only the minimum ports necessary to support the services on an
instance.
Run only the required services and turn off the unused services (e.g., turn off FTP, print services,
network file services, and database services if they are not required).
If you suspect a compromise, shut down the instance, snapshot your block volumes, and back up the
root file system.
Security Controls at the host level
Preventive Controls Firewall, Strong Authentication
Detective Controls By maintaining logs, host-based IDS/IPS
12
Fig:The SDLC
4.3.1.1 Dos and EDoS:‐(Denial of Service and Economic Denial of Sustainability).
Application‐level DoS and DDoS attacks typically originate from compromised computer systems attached to
the Internet
Application-level DoS and DDoS attacks disrupt cloud services for an extended time.
A Denial of Service (DoS) attack is one in which a server or service is ―overwhelmed‖ by traffic and
consequently either disabled or made unavailable to its customers. Effect on the target of a DoS attack
is a loss of business.
EDOS(economic denial of sustainability (EDoS)): if your cloud-based service is designed to scale up
automatically (which some like Amazon EC2 are), then an attacker can grief you economically by
sending a huge number of (automated) requests but are actually fake. Your costs will rise as you scale
up, using more and/or larger servers (automatically) to service those fake requests.
DoS attacks on pay-as-you-go cloud applications will result in a dramatic increase in cloud utility bill: increased
use of network bandwidth, CPU, and storage consumption. This type of attack is also being characterized as
economic denial of sustainability
Apart from disrupting cloud services, resulting in poor user experience and service‐level impacts, DoS
attacks can quickly drain our company’s cloud services budget
4.3.1.2 End User Security
Customer of a cloud service, are responsible for end user security tasks: Security procedures to
protect your Internet-connected PC—and for practicing ―safe surfing.‖
Protection measures include use of security software, such as anti-malware, antivirus, personal firewalls,
security patches, and IPS-type software on your Internet-connected computer.
To achieve end‐to‐end security in a cloud, it is essential for customers to maintain good browser hygiene.
This means keeping the browser (e.g., Internet Explorer, Firefox, Safari) patched (patch is a piece of
software designed to update a computer program) and updated to mitigate(less serious) threats
related to browser vulnerabilities.
4.3.1.3 Who Is Responsible for Web Application Security in the Cloud?
Depending on the cloud services delivery model (SPI) and service‐level agreement (SLA), the scope of
security responsibilities will fall on the shoulders of both the customer and the cloud provider.
The key is to understand what our security responsibilities are versus those of the CSP.
CPS should provide the following to the cloud users
Confidentiality Reliability
13
Availability Integrity
The following sections discuss the web application security in the context of the SPI cloud service
delivery model:‐
1. SaaS Application Security
SaaS providers are largely responsible for securing the applications and components they offer to customers
Customers are responsible for operational security functions, including user and access management
as supported by the provider.
Customers must, request information related to the provider’s security practices. under NDA.
This information should encompass
1. Design 4. Black‐and white‐box application security
2. Architecture testing
3. Development 5. Release management.
Some customers go to the extent of hiring independent security vendors to perform penetration
testing (black-box security testing) of SaaS applications (with consent from the provider) to gain
assurance independently.
Preventive Controls Applications are developed using security embedded SDLC process, user
authentication, access control, account management.
Detective Controls Logging event correlation, application vulnerability scanning and monitoring
14
5. Aspects of Data Security
Security is important in cloud at all ―levels‖ of services
a) infrastructure-as-a-service (IaaS)
b) platform-as-a-service (PaaS)
c) software-as-a-service (SaaS)
Aspects of data security, includes the following
1. Data-in-transit 4. Data lineage
2. Data-at-rest 5. Data provenance
3. Data Processing 6. Data Remanence
5.1 Data-in-transit
Data’s are encrypted during transfer (i.e) to and from cloud service provider.
The transmission protocols should provide authentication and confidentiality
Eg: FTP, HTTP, Secure Copy Programs(CSP):These protocols are used for transferring data across
the Internet.
5.2 Data-at-rest (refers to Stored at data centers)
If stored data is a simple storage then encrypting the data at rest is simple
Data-at-rest used by a cloud-based application is generally not encrypted, because encryption
would prevent indexing or searching of that data.
5.3 Data Processing
Data is never encrypted when it is processed
Homomorphism encryption allows processing the encrypted data without decrypting the data.
By using Predicate encryption, it is possible to process only some amount of encrypted data.
5.4 Data lineage
It is necessary to know exactly where and when the data was specifically located within the cloud
(for audit or compliance purposes).
Example
Data is transferred to a cloud provider, such as Amazon Web Services (AWS), on date x1 at
time y1.
Then processed on date x2 at time y2
Brought back into the organization for storage in an internal data warehouse on date x3 at time
y3.
Following the path of data (mapping application data flows or data path visualization) is known
as data lineage, and it is important for an auditor’s assurance (internal, external, and
regulatory).
5.5 Data provenance
Integrity of data refers to data that has not been changed in an unauthorized manner or by an
unauthorized person.
Provenance means not only that the data has integrity, but also that it is computationally accurate;
that is, the data was accurately calculated.
15
Eg:Consider the following financial equation: SUM((((2*3)*4)/6)−2) = $2.00
5.6 Data Remanence
Data remanence is the residual (meaning remaining) representation of data that has been in some
way erased or removed.
This residue may be due to data being left after performing a nominal delete operation, or through
physical properties of the storage medium.
Data Remanence can be removed by
o “Clearing and Sanitization”
Instructions on clearing, sanitization, and release of information systems (IS) media shall be
issued by the accrediting Cognizant Security Agency (CSA).
o “Clearing”
Clearing is the process of eradicating the data on media before reusing the media in an
environment that provides an acceptable level of protection for the data that was on the media
before clearing.
o “Sanitization”
Sanitization is the process of removing the data from media before reusing the media in an
environment that does not provide an acceptable level of protection for the data that was on
the media before sanitizing.
6. Providers Data & its Security
Cloud users should be aware of how their own data is secured and they should know the following
o How the data is protected
o How the metadata is formed for cloud users
o How the security related data is protected by provider
o How data is collected, monitored by firewall and Intrusion Prevention System.
o The following has to be completely aware by cloud users : Data Storage , Confidentiality, Integrity,
Availability
Data Storage: Confidentiality of data, Integrity of data, Availability of data
Data Confidentiality
Access control mechanism used for protecting data
How the data is actually protected
Access Control Mechanism
Has both authentication and authorization
Cloud service provider use weak authentication mechanism and they try to provide
administrator authorization
Data Protection
When the Encrypted data is stored in the cloud
Where the encrypted data is stored
What is the key strength of encryption
Who will encrypt the data? Either cloud user or cloud service provider
What type of encryption(Symmetric or Asymmetric)
16
Symmetric Encryption
Sender encrypts the plain text using shared key resulting in a cipher text. Receiver decrypts the cipher
text using the same shared key
Asymmetric Encryption
Sender encrypts the plain text using receiver’s public key resulting in a cipher text. Receiver decrypts
the cipher text using the receiver’s private key.
Data Integrity
Data Integrity can be assured by using Message Authentication code(MAC) on encrypted
data by using block symmetric encryption algorithm
Hash function is used for creating MAC code
Data Availability
This is assured by maintaining Backups.
In case of any disaster or failure data’s can retrieved from backup’s
7. Identity and Access Management
Identity and access management (IAM) is the security and business discipline that "enables the
right individuals to access the right resources at the right times and for the right reasons."
Or
IAM technology can be used to initiate, capture, record and manage user identities and their related
access permissions in an automated fashion
IAM Functions
a. Authentication
o Authentication is the process of verifying the identity of a user or system (e.g., Lightweight
Directory Access Protocol [LDAP] verifying the credentials presented by the user)
o LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate
organizations, individuals, and other resources such as files and devices in a network, whether on
the public Internet or on a corporate intranet
b. Authorization
17
Authorization is the process of determining the privileges the user or system is entitled to once the
identity is established (in other words, authorization is the process of enforcing policies.)
c. Auditing
In IAM, auditing is the process of reviewing and examination of authentication, authorization
records, and activities to determine the adequacy(satisfactory) of IAM.
7.1 IAM Architecture and Practice
IAM is not a monolithic solution that can be easily deployed to gain capabilities immediately
IAM components/process can be classified
1. Authentication management
2. User Management
3. Authorization Management
4. Access Management
5. Data management and provisioning
6. Monitoring and auditing
18
Pictorial representation of IAM components
1. Authentication management
process for determining that an entity is who or what it claims to be.
2. User Management
User management module defines the set of administrative functions such as identity creation,
propagation, and maintenance of user identity and privileges.
One of its components is user life cycle management that enables an enterprise to manage the
lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning
19
3. Authorization
Authorization determines whether a user is permitted to access a particular resource.
Or
process for determining entitlement(privilege) rights that decide what resources an entity is permitted to access
in accordance with the organization’s policies
authorized entity.
Access management is the process of granting authorised users the right to use a service, while preventing
access to non-authorised users.
5. Data management and provisioning
Propagation of identity and data for authorization to resources via automated or manual processes
6. Monitoring and auditing
Monitoring, auditing, and reporting compliance(meaning is conformity) by users regarding access to
resources within the organization based on the defined policies
7.2 IAM processes support the following operational activities
1. Provisioning
Process provides users access to data repositories or systems, applications, and databases based on a
unique user identity.
21
1. understand the SLA and communication methods (e.g., email, RSS feed, website URL with outage
information) to stay informed on service outages.
2. use automated tools such as Nagios or Siteuptime.com to verify the availability of the SaaS
service.
3. understand the availability management factors, including the SLA of the service, and clarify with
the CSP any gaps in SLA exclusions and service credits when disruptions occur.
Communication and clear expectations are required for service provider and their customers to identify
what is important and realistic with respect to standards and expectations.
Customers of cloud services makes use of a multitenant service delivery model (The term "software
multitenancy" refers to a software architecture in which a single instance of software runs on a server
and serves multiple tenants) is usually designed with a ―one size fits all‖ operating principle, which
means CSPs typically offer a standard SLA for all customers.
Most SaaS providers use virtualization technologies to deliver a multitenant service.
If the resources (network, CPU, memory, storage) are not allocated in a fair manner across the
tenants to perform the workload, it is possible that a highly demanding tenant may starve other
tenants, which can result in lower service levels or poor user experience.
8.1.2. Eg: SaaS Health Monitoring
The following options are available to customers to stay informed on the health of their service:
Service health dashboard published by the CSP.
SaaS providers publish the current state of the service, current outages that may impact
customers, and upcoming scheduled maintenance services on their website .
The Cloud Computing Incidents Database (CCID). (This database is generally community
supported, and may not reflect all CSPs and all incidents that have occurred.)
Customer mailing list that notifies customers of occurring and recently occurred outages.
Internal or third-party-based service monitoring tools that periodically check SaaS provider
health and alert customers when service becomes unavailable (e.g., Nagios monitoring tool).
RSS feed hosted at the SaaS service provider
8.2 PaaS AVAILABILITY
In PaaS service, customers (developers) build and deploy PaaS applications on top of the CSP-supplied
PaaS platform.
The PaaS platform is typically built on a CSP owned and managed network, servers, operating
systems, storage infrastructure, and application components (web services).
PaaS applications are assembled with CSP-supplied application components.
Example-1
A social network application on the Google App Engine that depends on a Facebook application for
a contact management service.
The customer is responsible for managing the availability of the customer developed application
and third-party services, and the PaaS.
CSP is responsible for the PaaS platform and any other services supplied by the CSP.
22
Example-2:Force.com is responsible for the management of the AppExchange platform, and customers
are responsible for managing the applications developed and deployed on that platform.
PaaS providers may also offer a set of web services, including a message queue service, identity
and authentication service, and database service, and application may depend on the availability of
those service components (an example is Google’s BigTable).
PaaS platform enforces quotas on compute resources (CPU, memory, network I/O).
On reaching the thresholds (upper limit) of the quota, the application may not be able to respond
within the normal latency expectations and could eventually become unavailable.
Eg: the Google App Engine has a quota system whereby each App Engine resource is measured
against one of two kinds of quotas:
1. a billable quota
2. a fixed quota.
Billable quotas are resource maximums set by customers, to prevent the cost of the application
from exceeding budget.
Fixed quotas are resource maximums set by the App Engine to ensure the integrity of the system.
23
The following options are available to customers to monitor the health of their service:
1. Service health dashboard published by the CSP
2. CCID (this database is generally community-supported, and may not reflect all CSPs and all
incidents that have occurred)
3. CSP customer mailing list that notifies customers of occurring and recently occurred outages
4. RSS feed for RSS readers with availability and outage information
5. Internal or third-party-based service monitoring tools that periodically check PaaS application,
as well as third-party web services that monitor application (e.g., Nagios monitoring tool)
24
The following options are available to IaaS customers for managing the health of their service:
Service health dashboard published by the CSP.
CCID (this database is generally community-supported, and may not reflect all CSPs and all
incidents that have occurred).
CSP customer mailing list that notifies customers of occurring and recently occurred outages.
Internal or third-party-based service monitoring tools (e.g., Nagios) that periodically check the
health of IaaS virtual server.
Web console or API that publishes the current health status of virtual servers and network.
9. Key Privacy Issues
The Key Privacy Issues of the cloud are as follows,
1. Access 5. Destruction
2. Compliance 6. Auditing
3. Storage 7. Monitoring
4. Retention 8. Privacy
9.1 Access: Individual should be able to access all their personal information based on their request.
25
How do organizations ensure that their PII is destroyed by the CSP at the right point and is not
available to other cloud users?
How do they know that the CSP didn’t retain additional copies?
Did the CSP really destroy the data, or just make it inaccessible to the organization?
Is the CSP keeping the information longer than necessary so that it can mine the data for its own
use?
9.6 Audit and monitoring
How can organizations monitor their CSP and provide assurance to relevant stakeholders that
privacy requirements are met when their PII is in the cloud?
9.7 Privacy breaches (meaning break)
How do you know that a breach has occurred?
How do you ensure that the CSP notifies you when a breach occurs?
Who is responsible for managing the breach notification process and costs associated with the
process?
26