Unit-5: Security, Standards, and Applications

This document discusses security concerns related to cloud computing. It identifies key threats such as loss of control over data and applications, lack of trust in cloud providers, and issues arising from multi-tenancy. It analyzes attacker capabilities and outlines strategies for securing assets in the cloud, including identifying assets, threats, and appropriate countermeasures. Finally, it discusses governance, legal, compliance and other domains that service level agreements should address to help mitigate security risks when using cloud computing.

Uploaded by MarieFernandes

Unit-5

SECURITY, STANDARDS, AND APPLICATIONS

Security Services

• Confidentiality: Authorized to Know
• Integrity: Data Has Not Been Tampered With
• Availability: Data Never Lost, Machine Never Fails
Cloud Security!! A Major Concern

• Security concerns arise because both customer data and programs reside at the provider's premises.
• Security is always a major concern in open system architectures.

[Figure: Customer, Customer Data and Customer Code, Provider Premises]
Why Cloud Computing brings new threats?

• Cloud security problems come from:
– Loss of control
– Lack of trust (mechanisms)
– Multi-tenancy
• These problems exist mainly in 3rd party management models
– Self-managed clouds still have security issues, but not related to the above
Why Cloud Computing brings new threats?

Consumer's loss of control
– Data, applications, resources are located with provider
– User identity management is handled by the cloud
– User access control rules, security policies and enforcement are managed by the cloud provider
– Consumer relies on provider to ensure
• Data security and privacy
• Resource availability
• Monitoring and repairing of services/resources
Why Cloud Computing brings new threats?

Multi-tenancy:
• Multiple independent users share the same physical infrastructure
• So, an attacker can legitimately be in the same physical machine as the target
Who is the attacker?

Insider?
• Malicious employees at client
• Malicious employees at cloud provider
• Cloud provider itself

Outsider?
• Intruders
• Network attackers?
Attacker Capability: Malicious Insiders
• At client
– Learn passwords/authentication information
– Gain control of the VMs
• At cloud provider
– Log client communication
Attacker Capability: Cloud Provider
• What?
– Can read unencrypted data
– Can possibly peek into VMs, or make copies of VMs
– Can monitor network communication, application patterns
Attacker Capability: Outside attacker
• What?
– Listen to network traffic (passive)
– Insert malicious traffic (active)
– Probe cloud structure (active)
– Launch DoS
Challenges for the attacker
• How to find out where the target is located
• How to be co-located with the target in the same (physical) machine
• How to gather information about the target


Organizing the threats using STRIDE

• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Concerns

At a broad level, two major questions:

• How secure is the data?
• How secure is the code?

Security Issues from Virtualization
• Virtualization providers provide
• is using- ParaVirtualization or full system virtualization.

• Instance isolation: ensuring that different instances running on the same physical machine are isolated from each other.
• Administrator control over the host OS and guest OS.
• Current VMs do not offer perfect isolation: many bugs have been found in all popular VMMs that allow escaping from the VM!
• The virtual machine monitor should be 'root secure', meaning that no level of privilege within the virtualized guest environment permits interference with the host system.
Streamlined Security Analysis Process
• Identify Assets
– Which assets are we trying to protect?
– What properties of these assets must be maintained?
• Identify Threats
– What attacks can be mounted?
– What other threats are there (natural disasters, etc.)?
• Identify Countermeasures
– How can we counter those attacks?
• Appropriate for Organization-Independent Analysis
– We have no organizational context or policies
Identify Assets & Principles
• Customer Data
– Confidentiality, integrity, and availability
• Customer Applications
– Confidentiality, integrity, and availability
• Client Computing Devices
– Confidentiality, integrity, and availability
Identify Threats

• Failures in Provider Security
• Attacks by Other Customers
• Availability and Reliability Issues
• Legal and Regulatory Issues
• Perimeter Security Model Broken
• Integrating Provider and Customer Security Systems
Failures in Provider Security
• Explanation
– Provider controls servers, network, etc.
– Customer must trust provider’s security
– Failures may violate CIA principles
• Countermeasures
– Verify and monitor provider’s security
• Notes
– Outside verification may suffice
– For SMB, provider security may exceed customer security
Attacks by Other Customers
• Threats
– Provider resources shared with untrusted parties
– CPU, storage, network
– Customer data and applications must be separated
– Failures will violate CIA principles
• Countermeasures
– Hypervisors for compute separation
– MPLS, VPNs, VLANs, firewalls for network separation
– Cryptography (strong)
– Application-layer separation (less strong)
Legal and Regulatory Issues
• Threats
– Laws and regulations may prevent cloud computing
– Requirements to retain control
– Certification requirements not met by provider
– Geographical limitations – EU Data Privacy
– New locations may trigger new laws and regulations
• Countermeasures
– Evaluate legal issues
– Require provider compliance with laws and regulations
– Restrict geography as needed
Integrating Provider and Customer Security
• Threat
– Disconnected provider and customer security systems
– Fired employee retains access to cloud
– Misbehavior in cloud not reported to customer
• Countermeasures
– At least, integrate identity management
– Consistent access controls
– Better, integrate monitoring and notifications
• Notes
– Can use SAML, LDAP, RADIUS, XACML, IF-MAP, etc.
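
The "fired employee retains access to cloud" threat on this slide is what a periodic reconciliation between the customer's personnel records and the provider's account inventory is meant to catch. The following is an added example, not part of the original slides; the record fields and sample data are constructed assumptions standing in for a directory export and a provider IAM export.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a real provider API.
HR_RECORDS = [
    {"user": "alice", "status": "active", "terminated_on": None},
    {"user": "bob", "status": "terminated", "terminated_on": date(2024, 3, 1)},
    {"user": "carol", "status": "terminated", "terminated_on": date(2024, 5, 10)},
]
CLOUD_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 6, 2)},
    {"user": "bob", "enabled": True, "last_login": date(2024, 4, 15)},
    {"user": "carol", "enabled": False, "last_login": date(2024, 5, 9)},
    {"user": "svc-backup", "enabled": True, "last_login": date(2024, 6, 1)},
]


def reconcile(hr_records, cloud_accounts):
    """Return (user, issue) findings where cloud access disagrees with HR."""
    hr = {r["user"]: r for r in hr_records}
    findings = []
    for acct in cloud_accounts:
        if not acct["enabled"]:
            continue  # a disabled account grants no access
        rec = hr.get(acct["user"])
        if rec is None:
            # Enabled account with no owner on record: nothing will ever
            # trigger its deprovisioning, so it needs an explicit owner.
            findings.append((acct["user"], "orphaned"))
        elif rec["status"] == "terminated":
            login = acct["last_login"]
            used_after = login is not None and login > rec["terminated_on"]
            issue = "used_after_termination" if used_after else "not_deprovisioned"
            findings.append((acct["user"], issue))
    return findings


if __name__ == "__main__":
    for user, issue in reconcile(HR_RECORDS, CLOUD_ACCOUNTS):
        print(f"{user}: {issue}")
```

A "used_after_termination" finding is an incident to investigate, while "not_deprovisioned" and "orphaned" are gaps in the integrated identity management the slide calls for.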
Evaluate the Asset

• How would we be harmed if
– The asset became widely public & widely distributed?
– An employee of our cloud provider accessed the asset?
– The process or function were manipulated by an outsider?
– The process or function failed to provide expected results?
– The info/data was unexpectedly changed?
– The asset were unavailable for a period of time?
Cloud Domains

Service contracts should address these 13 domains

• Architectural Framework
• Governance, Enterprise Risk Mgt
• Legal, e-Discovery
• Compliance & Audit
• Information Lifecycle Mgt
• Portability & Interoperability
Cloud Domains

• Security, Business Continuity, Disaster Recovery
• Data Center Operations
• Incident Response Issues
• Application Security
• Encryption & Key Mgt
• Identity & Access Mgt
• Virtualization
Governance

• Identify and implement processes and controls to maintain effective governance, risk mgt, compliance
• Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC process
Legal

• Functional: which functions & services in the Cloud have legal implications for both parties
• Jurisdictional: which governments administer laws and regs impacting services, stakeholders, data assets
• Contractual: terms & conditions
Legal

• Both parties must understand each other's roles
• Provider must save primary and secondary (logs) data
• Where is the data stored?
– laws for cross border data flows
• Plan for unexpected contract termination and orderly return or secure disposal of assets
• You should ensure you retain ownership of your data in its original form
Compliance & Audit
• Hard to maintain compliance with your sec/reg requirements, harder to demonstrate it to auditors
• Right to Audit clause
• Analyze compliance scope
• Regulatory impact on data security
• Evidence requirements are met
• Does the provider have SAS 70 Type II, ISO 27001/2 audit statements?
Portability, Interoperability
• When you have to switch cloud providers
• Contract price increase
• Provider bankruptcy
• Provider service shutdown
• Decrease in service quality
• Business dispute
Security

• Centralization of data = greater insider threat from within the provider
• Require onsite inspections of provider facilities
– Disaster recovery, business continuity, etc.
Incident Response
• Cloud apps aren't always designed with data integrity, security in mind
• Does the provider keep app, firewall, IDS logs?
• Does the provider deliver snapshots of your virtual environment?
• Sensitive data must be encrypted for data breach regs
Application Security

• Different trust boundaries for IaaS, PaaS, SaaS
• Provider web application security?
• Secure inter-host communication channel
Identity and Access Mgt

• Determine how provider handles:
– Provisioning, deprovisioning
– Authentication
– Federation
– Authorization, user profile mgt
Virtualization

• What type of virtualization is used by the provider?
• What 3rd party security technology augments the virtual OS?
• Which controls protect admin interfaces exposed to users?
Possible Solutions

• Minimize Lack of Trust
– Policy Language
– Certification
• Minimize Loss of Control
– Monitoring
– Utilizing different clouds
– Access control management
– Identity Management (IDM)
• Minimize Multi-tenancy
Possible Solutions
• Loss of control: take back control
– Data and apps may still need to be on the cloud
– But can they be managed in some way by the consumer?
• Lack of trust: increase trust (mechanisms)
– Technology
– Policy, regulation
– Contracts (incentives): topic of a future talk
• Multi-tenancy
– Private cloud: takes away the reasons to use a cloud in the first place
– Strong separation
Possible Solutions

• Engage in full risk management process for each case
• For small and medium organizations
– Cloud security may be a big improvement!
– Cost savings may be large (economies of scale)
• For large organizations
– Already have large, secure data centers
– Main sweet spots: elastic services, Internet-facing services
• Employ countermeasures listed above
Software as a Service Security
• Identity management in the cloud is immature
• Cross-site request forgery
• Cloud standards are weak
• Insecure authentication and session management
• Cross-site scripting because of lack of data validation
• Insecure exposure to references like files and directories
• Incorrectly configured (from a security perspective) databases, middleware and operating systems
• Exposing sensitive data like user IDs, passwords and personal identification information
• Checking for access inside the business logic on the server side
• Using components with known vulnerabilities
• Unvalidated redirects and forwards
• Secrecy not well informed
• Access everywhere increases convenience, but also risk
• You don't always know where your data is
Open Cloud Consortium (OCC)

• Supports the development of standards for cloud computing and frameworks for
interoperating between clouds;
• develops benchmarks for cloud computing; and
• supports reference implementations for cloud computing, preferably open source reference
implementations.
• The OCC has a particular focus in large data clouds. It has developed the MalStone
Benchmark for large data clouds and is working on a reference model for large data
clouds.
Organization for the Advancement of Structured Information Standards (OASIS)

OASIS drives the development, convergence and adoption of open standards for
the global information society. The source of many of the foundational standards
in use today, OASIS sees Cloud Computing as a natural extension of SOA and
network management models. The OASIS technical agenda is set by members,
many of whom are deeply committed to building Cloud models, profiles, and
extensions on existing standards, including:
• Security, access and identity policy standards -- e.g., OASIS SAML,
XACML, SPML, WS-SecurityPolicy, WS-Trust, WS-Federation, KMIP,
and ORMS.
• Content, format control and data import/export standards -- e.g., OASIS
ODF, DITA, CMIS, and SDD.
• Registry, repository and directory standards -- e.g., OASIS ebXML and
UDDI.
• SOA methods and models, network management, service quality and
interoperability -- e.g., OASIS SCA, SDO, SOA-RM, and BPEL
Distributed Management Task Force (DMTF)

• DMTF standards enable effective management of IT environments. The organization is composed of companies that collaborate on the development, validation and promotion of infrastructure management standards.
• DMTF management standards are critical to enabling interoperability among multi-vendor systems, tools, multi-vendor IT infrastructures, and systems and network management including cloud, virtualization, desktop, network, servers, storage and solutions within the enterprise.
Some DMTF Standards
• Cloud Infrastructure Management Interface (CIMI)
• Common Information Model (CIM)
• Web-Based Enterprise Management (WBEM)
• Systems Management Architecture for Server Hardware (SMASH)
• Desktop and mobile Architecture for System Hardware (DASH)
• Redfish
• Web Services Management (WS-MAN)
• Virtualization Management Initiative (VMAN)
• Open Virtualization Format (OVF)
• The Network Management Initiative (NETMAN)
Standards for application developers

• The Green Grid brings together end users, technology providers, utility companies, facility architects and policy makers to create a set of standards that would allow for a more efficient utilization of resources.
• Cloud Security Alliance, CSA, lays out the best practices for cloud computing security.
• Distributed Management Task Force has suggested the use of the Open Virtualization Format, which provides a method for moving virtual machines from one platform to another.
• The Institute of Electrical and Electronics Engineers Standards Association works to develop, nurture and advance worldwide technologies. According to InfoWorld, the IEEE has set up two working groups for cloud computing standards and interoperability. The P2301 Workgroup will be involved in standardizing cloud management and portability with the use of various interfaces and file formats. The P2302 Workgroup will focus on interoperability and federation.
• The National Institute of Standards and Technology is a non-regulatory federal agency that pushes for standards in science and technology.
• The Storage Networking Industry Association has its Cloud Data Management Interface. It provides protocols on how a company should move data between public and private clouds.
Problems with Cloud Computing Standardization

• With the number of cloud service providers doing different tasks differently, it is unlikely that they would just agree on one set of cloud computing standards. This is especially true if they were working on a different set of principles than the proposed standards.
• With many organizations proposing different standards, the standards that govern cloud computing are just coming into existence. It is quite reasonable to think and predict that it will take years, or decades even, for them to get developed.
Standards for Messaging

• SIMPLE (Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions)
• Open-source, XML-based XMPP (eXtensible Messaging and Presence Protocol). Both are currently being developed by the Internet Engineering Task Force (IETF).
Standards for security
1. Ensure effective governance, risk and compliance processes
exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and
facilities
9. Manage security terms in the cloud SLA
10. Understand the security requirements of the exit process
Cloud security standards
• ISO 38500 - IT Governance
• COBIT
• ITIL
• ISO 20000
• SSAE 16
• FISMA - U.S. federal law
Cloud Security Standards

• LDAP
• SAML 2.0
• OAuth 2.0
• WS-Federation
• OpenID Connect
• XACML
