8/20/2019 Research Paper - Security Threats in Infrastructure as a Service Layer in Cloud Computing - 101003078
1/9
Security threats in Infrastructure as a Service layer in Cloud Computing
Sahil Arora
B.E. (CSE), TIET
Thapar University
Abstract – Cloud computing is often described as the next-generation technology of the IT industry, enabling the development of large-scale, on-demand, flexible computing infrastructures. It is a model in which resources are rented on a pay-per-use basis, reducing cost and complexity for those who consume the service. But, as the saying goes, with technology comes responsibility: the need for proper security in cloud implementations is quite clear. Authenticity, availability, confidentiality, integrity and privacy are essential concerns for cloud providers and users alike. Infrastructure as a Service (IaaS) is the foundation layer for the other delivery models, and overlooking security in this layer has a negative impact on the layers above it, i.e. PaaS and SaaS. This paper presents a detailed study of the security of IaaS components, several challenging security issues and their countermeasures.
Keywords – Cloud Computing, Cloud Security, Infrastructure as a Service (IaaS), Service Level Agreements (SLAs)
I. INTRODUCTION
Cloud computing is today one of the most prominent emerging IT innovations. Most IT companies plan to offer, or already offer, products built on the cloud computing paradigm. It is a pay-per-use model in which the infrastructure provider, by means of customized Service Level Agreements (SLAs), offers guarantees, typically by exploiting a shared pool of resources. The most widely used definition of the cloud computing model is the one given by NIST: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." [1]
Though cloud computing itself is not yet mature, it is already evident that security is its most critical weakness [2] [3].
II. CLOUD COMPUTING SERVICE MODELS
[Figure: the three cloud service models and typical offerings at each layer. SaaS: e-mail, virtual desktop, applications, CRM, etc. PaaS: development tools, execution runtime, databases, web servers, etc. IaaS: individual servers, disk drives, network, domain name servers, etc.]
Software as a Service (SaaS): This includes end-user applications delivered on a pay-per-use basis. The software requires only a browser and network connectivity. An example of SaaS is Microsoft Office 365. Before it was launched, a user who required an office application, say MS Word, would have to purchase it, install it, back up files, and so on. With Office 365, Microsoft Word can be acquired for a small monthly fee with no client installation; the files are backed up automatically, software upgrades are received automatically, and the software can be accessed from anywhere.
Platform as a Service (PaaS): Provides a platform on which software development companies run their software products. Software products need physical servers to run on, with database software and often web servers too; together these form the platform the application runs on. Building this yourself is time consuming, and the result must be continually monitored and updated. PaaS provides the whole platform out of the box, so that software applications can be handed to the platform, which executes them, with no requirement to administer the lower-level components.
Infrastructure as a Service (IaaS): Provides hardware facilities, ranging from individual servers to private networks, disk drives, various long-term storage devices, e-mail servers, domain name servers and messaging systems. They can be provisioned on demand and often include the software licence fees for the operating systems and associated software installed on the servers.
Thus the services a cloud provides fit into one of the models described above. IT developers responsible for infrastructure use IaaS, software and application developers use PaaS, and end users use SaaS.
III. SECURITY ISSUES IN CLOUD COMPUTING
With the rapid advancement of cloud technology come many security threats to the cloud. Nowadays a large number of users are boarding the cloud ship, but at the back of their minds they have an 'unreasonable' fear of facing security issues with this technology. The shift from server-based to service-based thinking is transforming the way technology departments think about delivering computing technology and applications. Yet these advances have created new security vulnerabilities, including security issues whose full impact is still emerging. Cybercriminals and the needless disruption they can cause have become the leading concern of cloud security experts. That
A. Data Breaches
Data breaches are every CTO's worst nightmare: the leakage of an organization's sensitive private data into the hands of competitors and other unwanted parties. While data loss and data leakage are both severe threats to cloud computing, the measures put in place to reduce one of these threats can aggravate the other. Encryption reduces the impact of a data breach, but if the encryption key is lost, all the data is lost as well. Conversely, one may keep offline backups of the data to reduce the impact of a catastrophic data loss, but this increases exposure to data breaches.
B. Data Loss
The thought of losing one's data permanently is terrifying for both consumers and businesses. Malicious attackers are one of the key causes of data loss, but accidental deletion by the cloud service provider, or worse, a physical calamity such as a fire or earthquake, can also lead to the permanent loss of customers' data unless the provider takes adequate measures to back the data up.
C. Account Hijacking
In 2009 many Amazon systems were hijacked to run Zeus botnet nodes. In April 2010 Amazon experienced a Cross-Site Scripting (XSS) bug that allowed attackers to hijack credentials from the site. Account or service hijacking is not new: phishing, fraud and the exploitation of software vulnerabilities still achieve results, and cloud solutions add more elements to the top of the stack. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker, from which they can leverage the power of your reputation to launch subsequent attacks.
D. Insecure APIs
Cloud providers expose a set of APIs and software interfaces that customers use to manage and interact with cloud services. These interfaces perform the major functions of provisioning, management and monitoring. Reliance on a weak set of interfaces and APIs exposes firms to many security issues related to availability, accountability, confidentiality and integrity.
E. Malicious Insiders
The CERT insider threat program at Carnegie Mellon University's Software Engineering Institute (the paper as extracted attributes the definition to CERN) defines a malicious insider as:
"A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."
From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems and data.
F. Denial of Service
Denial-of-service attacks are meant to prevent users from accessing their data or their applications. Experiencing a denial-of-service attack is like being caught in rush-hour gridlock: there is no way to reach your destination and nothing you can do about it except sit and wait. By forcing the victim cloud service to consume inordinate amounts of finite system resources such as processor power, disk space, network bandwidth and memory, the attacker causes an intolerable system slowdown and leaves all of the legitimate service users confused and angry as to why the service isn't responding.
G. Insufficient Due Diligence
Cloud computing has brought the promise of improved efficiency, improved security and cost reductions, which is why many organizations are jumping into the cloud. But too many enterprises jump in without understanding the full scope of the undertaking. An organization that rushes to adopt cloud technologies subjects itself to a number of issues. Contractual issues arise over obligations on liability, response or transparency, creating mismatched expectations between the CSP and the customer. Pushing applications that depend on "internal" network-level security controls to the cloud is dangerous when those controls disappear or do not match the customer's expectation.
H. Abuse of Cloud Services
With the cloud, even small organizations have access to vast amounts of computing power. However, not everyone wants to use this power for good. It might take an attacker years to crack an encryption key using his own limited hardware, but using an array of cloud servers he might be able to crack it in minutes. This threat is more of an issue for the cloud service provider and raises a number of serious questions for providers: How will you detect people abusing your service? How will you define abuse? How will you prevent them from doing it again?
I. Shared Technology Vulnerabilities
A compromise of an integral component of the shared technology architecture, such as the hypervisor or an application in a SaaS environment, exposes more than the compromised customer: it exposes the entire environment to potential compromise and breach. This vulnerability is catastrophic because it can potentially affect an entire cloud at once.
IV. IaaS STRUCTURE
The infrastructure layer (IaaS) consists of several components, some developed in the past and some still in development. The most common security challenges of the cloud world have been discussed above. However, breaching the security of one component adversely affects the security of the other components, which in turn affects the overall security of the system. In this section we cover the IaaS components, their security issues, and proposed recommendations and solutions.
A. Ser"ice +e"el Areement (S+As)
#$%’s contains the complete list of services
delivered !y the provider with their
complete definition. It also contains the
parameters which determine whether the
provider is delivering the service as
promised and an auditing mechanism tomonitor the service. #$%’s deliver important
information regarding the responsi!ilities of
the provider and the consumer and remedies
availa!le to !oth if the terms of the #$% are
not met.
8/20/2019 Research Paper - Security Threats in Infrastructure as a Service Layer in Cloud Computing - 101003078
5/9
=or a cloud provider one of the maAor uses
of #$%’s is to ma3e decisions a!out its
infrastructure. $et’s ta3e an e(ample a
provider might o!serve that throughput for a
particular service is hardly meeting the
consumer
[Figure 1: Deploying IaaS Security Model. Components of the model: data leakage protection; authentication and authorization; infrastructural hardening; end-to-end logging; end-to-end encryption.]
A. Data leakage protection and usage monitoring
Data stored in an IaaS infrastructure needs to be closely monitored; when deploying IaaS in a public cloud this is of critical importance. You need to know who is accessing the information, from what type of device it was accessed, the location from which it was accessed, and what happened to that information after it was accessed.
These problems can be addressed with modern Rights Management services, applying restrictions to all information that is considered business critical. Create policies for this information and then deploy them in a way that does not require user intervention. In addition, create a transparent process that controls who can see that information, and create a 'self-destruct' policy for sensitive information that does not need to live indefinitely outside the confines of the corporate datacenter.
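The four questions above (who, from what kind of device, from where, and what happened to the data afterwards) and the 'self-destruct' rule can be checked mechanically once every access to protected data is logged. The following Python is an added example, not code from the paper: it evaluates an assumed policy over constructed access records. The record format, field names, the allowed-country list and the seven-day offline lifetime are all assumptions made for the example; in a real deployment the input would be the access log of the rights-management or storage service in use.

```python
"""Usage monitoring for business-critical data in an IaaS deployment.

Added example (not from the paper). Each record answers: who accessed what,
from which kind of device, from which country, and what they did with it.
The policy below flags accesses that violate the rules and lists downloaded
copies whose offline lifetime has expired. Format and policy values are
assumptions for the example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (JSON lines), one per access to a protected object.
SAMPLE_LOG = """\
{"ts": "2013-03-01T09:02:11Z", "user": "alice", "object": "q1-forecast.xlsx", "label": "restricted", "device": "managed", "country": "IN", "action": "view"}
{"ts": "2013-03-01T09:40:52Z", "user": "bob", "object": "q1-forecast.xlsx", "label": "restricted", "device": "unmanaged", "country": "IN", "action": "download"}
{"ts": "2013-03-01T11:15:03Z", "user": "alice", "object": "staff-handbook.pdf", "label": "internal", "device": "unmanaged", "country": "US", "action": "download"}
{"ts": "2013-03-02T02:07:44Z", "user": "carol", "object": "m-and-a-memo.docx", "label": "restricted", "device": "managed", "country": "RU", "action": "share_external"}
{"ts": "2013-03-02T08:30:00Z", "user": "dave", "object": "press-release.txt", "label": "public", "device": "unmanaged", "country": "DE", "action": "download"}
"""

# Assumed policy: where non-public data may be handled, and how long a
# downloaded restricted copy may live outside the datacenter before its
# rights are revoked (the paper's 'self-destruct' rule).
ALLOWED_COUNTRIES = {"IN", "US"}
RESTRICTED_OFFLINE_TTL = timedelta(days=7)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2013-03-01T09:02:11Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines access records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = parse_ts(rec["ts"])
            events.append(rec)
    return events


def audit(events):
    """Return (event, reason) pairs for accesses that violate the policy.

    Public data is never flagged. Internal and restricted data are flagged
    on geography; restricted data is additionally flagged when a copy lands
    on an unmanaged device or is shared outside the organization.
    """
    findings = []
    for ev in events:
        if ev["label"] == "public":
            continue
        if ev["country"] not in ALLOWED_COUNTRIES:
            findings.append((ev, "access from disallowed country %s" % ev["country"]))
        if ev["label"] == "restricted":
            if ev["action"] == "share_external":
                findings.append((ev, "restricted object shared outside the organization"))
            elif ev["action"] == "download" and ev["device"] != "managed":
                findings.append((ev, "restricted object copied to an unmanaged device"))
    return findings


def copies_to_revoke(events, now):
    """Self-destruct rule: restricted copies downloaded more than
    RESTRICTED_OFFLINE_TTL before `now` must have their rights revoked.
    Returns sorted (user, object) pairs."""
    due = set()
    for ev in events:
        if ev["label"] == "restricted" and ev["action"] == "download":
            if now - ev["ts"] > RESTRICTED_OFFLINE_TTL:
                due.add((ev["user"], ev["object"]))
    return sorted(due)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, why in audit(evs):
        print("%s %-6s %-20s %s" % (ev["ts"].isoformat(), ev["user"], ev["object"], why))
    print("revoke:", copies_to_revoke(evs, parse_ts("2013-03-15T00:00:00Z")))
```

Run against the constructed log, the audit flags bob's download of a restricted file onto an unmanaged device and both of carol's problems (a disallowed country and an external share), while the revocation list is empty a few days after the downloads and contains bob's copy once the seven-day lifetime has passed.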
B. Authentication and Authorization
Rigorous authentication and authorization methods are required for a data loss prevention (DLP) solution to work. For authentication, consider two-factor or multi-factor authentication for all information that needs to be restricted. In addition, consider tiering your access policies according to the level of trust you place in each identity provider used with your IaaS cloud solutions: the level of authorization you grant to an identity asserted by a consumer identity provider such as Google Mail should be a lot lower than when the identity provider is your corporate Active Directory environment. Integrate this authorization tiering into your DLP solution.
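The tiering described above is easiest to reason about as a small decision function. The Python below is an added example, not code from the paper: it assigns an assurance tier to an identity according to which provider asserted it, requires a second factor for the more sensitive classifications, and demands one tier more for writes and sharing than for reads. The provider names, classification labels and the rule table are assumptions chosen for the example.

```python
"""Tiered authorization by identity-provider trust.

Added example (not from the paper). Three assurance tiers are modelled: the
corporate directory (highest), a federated business partner, and a consumer
identity provider such as a public webmail account (lowest). A request
carries the asserted identity, the provider that asserted it and whether a
second factor was presented; the decision depends on the classification of
the data requested and on the action. Names and rule values are assumptions.
"""
from dataclasses import dataclass

# Assurance tier granted to an identity depending on who asserted it.
IDP_TIER = {
    "corp-ad": 3,        # corporate Active Directory, organization-controlled
    "partner-saml": 2,   # federated business partner
    "consumer-oidc": 1,  # public consumer identity provider (webmail etc.)
}

# Per classification: (minimum tier for a read, second factor required).
REQUIREMENTS = {
    "public":     (0, False),
    "internal":   (1, False),
    "restricted": (2, True),
    "secret":     (3, True),
}

MAX_TIER = 3


@dataclass(frozen=True)
class Assertion:
    subject: str
    idp: str
    mfa: bool


def tier_of(assertion):
    """Unknown identity providers receive no trust at all (tier 0)."""
    return IDP_TIER.get(assertion.idp, 0)


def authorize(assertion, label, action):
    """Return (allowed, reason).

    Writes and external sharing need one tier more than reads of the same
    label, so a partner identity may read restricted data but not alter or
    re-share it. Unknown classifications are denied by default.
    """
    if label not in REQUIREMENTS:
        return False, "unknown classification %r is denied by default" % label
    min_tier, need_mfa = REQUIREMENTS[label]
    if action in ("write", "share"):
        min_tier = min(min_tier + 1, MAX_TIER)
    tier = tier_of(assertion)
    if tier < min_tier:
        return False, "IdP %s is tier %d; %s of %s data needs tier %d" % (
            assertion.idp, tier, action, label, min_tier)
    if need_mfa and not assertion.mfa:
        return False, "%s data requires a second factor" % label
    return True, "ok"


if __name__ == "__main__":
    alice_ad = Assertion("alice", "corp-ad", mfa=True)
    bob_gmail = Assertion("bob", "consumer-oidc", mfa=True)
    carol_partner = Assertion("carol", "partner-saml", mfa=False)
    for a, label, act in [(alice_ad, "secret", "write"),
                          (bob_gmail, "restricted", "read"),
                          (carol_partner, "restricted", "read"),
                          (carol_partner, "internal", "write")]:
        print(a.subject, label, act, authorize(a, label, act))
```

Note that the consumer-IdP identity is refused restricted data even though it presented a second factor: MFA raises confidence that the same person is behind the account, not confidence in the provider's enrolment and account-recovery processes, which is what the tier expresses.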
C. Infrastructure hardening
Virtual machines and VM templates should be hardened and clean. Do this with initial system hardening when you create the images, and take advantage of technologies that let you update the images offline with the latest service and security updates. Make sure you have a process in place to test the security of these master images regularly, to confirm that there has been no drift from your desired configuration due to malicious or non-malicious changes from the original configuration.
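The drift check the paragraph asks for amounts to recording a manifest of the files that define the hardened state when the image is built and diffing the live image against it. The Python below is an added example, not code from the paper or from any particular image tool: it hashes every file under a root with SHA-256, records permission bits, and reports added, removed, modified and re-permissioned files. The file names and contents are constructed in a temporary directory so the example runs anywhere; a real check would walk the mounted image's /etc, /boot and similar trees.

```python
"""Configuration-drift detection for a master VM image.

Added example (not from the paper). build_manifest() records the hardened
state of an image tree; drift() compares a later manifest against it. Any
added, removed or altered file is drift, whether it came from an intruder or
from an unrecorded 'quick fix'. Paths and contents below are constructed.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (sha256, permission bits) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (file_digest(full), os.stat(full).st_mode & 0o7777)
    return manifest


def drift(baseline, current):
    """Return sorted lists under 'added', 'removed', 'modified' and 'permission'.
    A file whose content changed is reported as modified even if its mode
    changed too; 'permission' covers mode-only changes."""
    base, cur = set(baseline), set(current)
    report = {"added": sorted(cur - base), "removed": sorted(base - cur),
              "modified": [], "permission": []}
    for p in sorted(base & cur):
        if baseline[p][0] != current[p][0]:
            report["modified"].append(p)
        elif baseline[p][1] != current[p][1]:
            report["permission"].append(p)
    return report


def write(root, rel, content, mode=0o644):
    """Helper for the demo: create a file with given content and mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)
    os.chmod(full, mode)


def demo():
    """Build a hardened tree, record it, then tamper with it and report drift."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n", 0o600)
        write(root, "etc/sysctl.d/99-hardening.conf", "net.ipv4.ip_forward = 0\n")
        write(root, "etc/cron.d/patch-check", "0 3 * * * root /usr/local/sbin/patch-check\n")
        baseline = build_manifest(root)

        # Drift: root login re-enabled, a new cron job dropped in, the
        # hardening sysctl file deleted, and a cron file made world-writable.
        write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication no\n", 0o600)
        write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc/sysctl.d/99-hardening.conf"))
        os.chmod(os.path.join(root, "etc/cron.d/patch-check"), 0o666)
        return drift(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-10s %s" % (kind, ", ".join(paths) or "-"))
```

The baseline manifest should be produced at image build time and stored apart from the image, so that an attacker who alters the image cannot also alter the record it is checked against.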
D. End to end encryption
For end-to-end encryption, use whole-disk encryption so that all data on the disk is encrypted at rest. Note what this does and does not protect against: whole-disk encryption defends against offline attacks such as a stolen, cloned or improperly decommissioned disk, but once the volume is mounted on a running VM the data is available in the clear to anyone who controls that VM, so it must be combined with the access controls and hardening described above. Also make sure that all communications to host OSs and VMs in the IaaS infrastructure are encrypted; this can be done over SSL/TLS or IPsec. This includes not only communications from management stations but also communications between the virtual machines themselves. Homomorphic encryption has also been proposed to keep end-user data safe while it is processed: this is a form of encryption that allows computations to be performed on the data while it remains encrypted.
E. End to end logging
Logging and reporting solutions become highly important in the event of a security breach. Logging is critical for incident response and forensics, and the reports and findings after an incident depend heavily on the logging infrastructure. Make sure that all compute, network, memory and storage activity is logged, and that the logs are stored in multiple secure locations with extremely limited access.
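Keeping several copies of the logs under tight access control, as the paragraph recommends, is only useful to an investigator if tampering can be detected when the copies are compared. The Python below is an added example, not code from the paper: it chains log records with SHA-256 so that each record vouches for the one before it, verifies a chain, and shows why a second independently stored copy is still needed. The log lines are constructed for the example and the record format is an assumption.

```python
"""Tamper-evident log storage for incident response and forensics.

Added example (not from the paper). Each record carries the SHA-256 of the
previous record, so editing, deleting or inserting a line breaks the chain
at the first record that can no longer be vouched for. The one record the
chain cannot protect is the newest one, which is why the paper's advice to
keep copies in several locations matters: the copies are compared.
"""
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash "before" the first record


def _digest(prev_hash, seq, line):
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(str(seq).encode())
    h.update(b"\n")
    h.update(line.encode())
    return h.hexdigest()


def append(chain, line):
    """Append a raw log line to the chain and return the new entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "prev": prev, "line": line, "hash": _digest(prev, seq, line)}
    chain.append(entry)
    return entry


def build_chain(lines):
    chain = []
    for line in lines:
        append(chain, line)
    return chain


def verify(chain):
    """Return the index of the first broken entry, or -1 if the chain is intact.
    Checks the sequence number, the back-pointer and the entry's own hash."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, i, e["line"]):
            return i
        prev = e["hash"]
    return -1


def first_divergence(copy_a, copy_b):
    """Compare two stored copies; return the first index where they differ, or -1."""
    for i, (a, b) in enumerate(zip(copy_a, copy_b)):
        if a["hash"] != b["hash"]:
            return i
    return -1 if len(copy_a) == len(copy_b) else min(len(copy_a), len(copy_b))


# Constructed sample of management-plane events.
SAMPLE_LINES = [
    "2013-03-01T08:00:01Z mgmt login user=ops1 src=10.0.0.5 result=ok",
    "2013-03-01T08:00:09Z vm-start id=vm-0042 host=hv03",
    "2013-03-01T08:02:40Z disk-attach vm=vm-0042 volume=vol-77",
    "2013-03-01T08:05:12Z mgmt login user=ops1 src=203.0.113.9 result=ok",
]


def demo():
    """Returns (verify of tail-tampered primary, divergence vs offsite copy,
    verify of a copy tampered in the middle)."""
    primary = build_chain(SAMPLE_LINES)
    offsite = json.loads(json.dumps(primary))  # second, independently stored copy

    # Intruder rewrites the newest record on the primary copy and recomputes
    # its hash: the chain still verifies because nothing follows it ...
    primary[3]["line"] = primary[3]["line"].replace("203.0.113.9", "10.0.0.5")
    primary[3]["hash"] = _digest(primary[3]["prev"], 3, primary[3]["line"])
    tail_ok = verify(primary)                    # -1: looks intact on its own
    where = first_divergence(primary, offsite)   # 3: but the offsite copy disagrees

    # ... whereas rewriting an earlier record, even with its hash fixed up,
    # is caught by the next record's back-pointer.
    tampered = json.loads(json.dumps(offsite))
    tampered[1]["line"] = tampered[1]["line"].replace("vm-0042", "vm-0099")
    tampered[1]["hash"] = _digest(tampered[1]["prev"], 1, tampered[1]["line"])
    return tail_ok, where, verify(tampered)


if __name__ == "__main__":
    print(demo())  # (-1, 3, 2)
```

In practice the head hash of each copy is also periodically written somewhere the log writers cannot reach (a write-once store or a separate account), so that the newest records are anchored as well.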
VI. CONCLUSION
Cloud computing is an evolving computing paradigm. The NIST document defines several requirements for a cloud computing solution. There are three service models for cloud computing: SaaS, PaaS and IaaS. When deploying an IaaS solution there are a number of security issues that need to be considered, for both private-cloud and public-cloud IaaS, which are highlighted in this paper. The security issues presented here concern the security of each IaaS component, together with recently proposed solutions.
ACKNOWLEDGEMENT
I am very grateful to Mr. Gaurav Sharma for his support in writing this paper.
References
Application Denial of Service. (n.d.). Retrieved from The Open Web Application Security Project: https://www.owasp.org/index.php/Application_Denial_of_Service
Cloud Security Issues - A fading worry. (n.d.). Retrieved from Ramco blog: http://www.ramco.com/blog/cloud-security-issues-fading-worry
Czarnecki, C. (2009, November). Cloud Service Models: Comparing SaaS, PaaS and IaaS. Retrieved from Learning Tree International: http://cloud-computing.learningtree.com/2009/cloud-service-models-comparing-saas-paas-and-iaas
Gill, P. J. (2013, April). Utility Computing in the cloud. Oracle Magazine.
Goodin, D. (2010, April). Amazon purges account hijacking threat from site. Retrieved from The Register: http://www.theregister.co.uk/2010/04/20/amazon_website_treat
Grance, T. & Mell, P. (2009, July 10). The NIST definition of Cloud Computing. Retrieved from http://www.wheresmyserver.co.nz/storage/media/faq-files/cloud-def-v15.pdf
Honan, M. (2012, November). Kill the password: Why a string of characters can't protect us anymore. Retrieved from …/2012/…/ff-mat-honan-password-hacker
Howell, D. (2013, January). Cloud Computing Users are losing data, Symantec finds (SYMC). Retrieved from Investors.com: http://news.investors.com/technology/…-cloud-computing-data-loss-high-in-symantec-study.htm
Kassner, M. (2011, June 29). Homomorphic Encryption: Can it save cloud computing?
Insecure API implementations threaten Cloud. (April 23). Retrieved from Dark Reading: http://www.darkreading.com/cloud/insecure-api-implementations-threaten-cl…
Miller, M. (2009). Cloud Computing - Web Based Applications that change the way you collaborate online. QUE, 2nd print.
Schwartz, M. J. (2012, June). New Virtualization Vulnerability Allows Escape To Hypervisor Attacks. Retrieved from InformationWeek: http://www.informationweek.com/security/application-security/new-virtualization-vulnerability-allows/…
Shinder, D. (2013, January 23). Security Considerations for Infrastructure as a Service Cloud Computing. Retrieved from WindowSecurity.com: http://www.windowsecurity.com/articles-tutorials/Cloud_computing/Security-Considerations-Infrastructure-Service-Cloud-Computing-Model.html
The Notorious Nine: Cloud Computing Top Threats in 2013. (2013, February). Retrieved from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats
Vilaça, R. & Oliveira, R. (2009). A flexible large scale decentralized object store: Architecture Overview. WDDDM.