Research Paper - Security Threats in Infrastructure as a Service Layer in Cloud Computing - 101003078


Security threats in Infrastructure as a Service layer in Cloud Computing

Sahil Arora
B.E. (CSE), TIET
Thapar University

Abstract – Cloud Computing is often conceived as the next-gen technology of the IT industry, facilitating the development of large-scale, on-demand, flexible computing infrastructures. It is an archetype in which resources can be lent on a pay-per-use basis, thus reducing the cost and complexity of the service providers. But, as it is said, with technology comes responsibility, and the need to develop proper security through cloud implementations is quite clear. Authenticity, Availability, Confidentiality, Integrity and Privacy are essential concerns for both cloud providers and users. Infrastructure as a Service (IaaS) serves as a foundation layer for the other delivery models, and overlooking security in this layer will have a negative impact on the other layers, i.e., PaaS and SaaS. This paper presents a detailed study of the security of IaaS components, several challenging security issues and their countermeasures.

Keywords – Cloud Computing, Cloud Security, Infrastructure as a Service (IaaS), Service Level Agreements (SLAs)

I. INTRODUCTION

Cloud computing is nowadays one of the fastest-emerging IT innovations. Most IT companies have announced plans for, or already have, IT products built on the cloud computing paradigm. It is a pay-per-use model in which the Infrastructure Provider, by means of customized Service Level Agreements (SLAs), offers guarantees, typically exploiting a pool of resources. The most widely used definition of the cloud computing model is the one made by NIST: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models." [1] Though cloud computing itself is not yet mature, it is already evident that security is its most critical flaw [2] [3].

II. CLOUD COMPUTING SERVICE MODELS

Software as a Service (SaaS): This includes end user applications delivered on a pay-per-use basis. The software requires only a browser and network connectivity. An example of SaaS is Microsoft Office365. Before it was launched, a user who required an office application, say MS Word, would have to purchase it, install it, back up files, etc. With Office365, Microsoft Word can be acquired for a small monthly fee with no client installation; the files are automatically backed up, software upgrades are automatically received and the software can be accessed from anywhere.

[Figure: the three service models. SaaS: e-mail, virtual desktop, applications, CRM, etc. PaaS: development tools, execution runtime, databases, web servers, etc. IaaS: individual servers, disk drives, network, domain name servers, etc.]

Platform as a Service (PaaS): Provides a platform for software development companies to run their software products. Software products need physical servers to run on, with database software and often Web servers too. Together these form the platform that the application runs on. Building this yourself is a time-consuming task, and the result needs to be continually monitored and updated. PaaS provides all of the platform out of the box, so that software applications can be handed to the platform, which executes them with no requirement for administration of the lower-level components.

Infrastructure as a Service (IaaS): Provides hardware facilities, which include a range of features from individual servers to private networks, disk drives, various long-term storage devices, email servers and domain name servers, as well as messaging systems. They can be provisioned on demand and often include software license fees for operating systems and associated software installed on the servers.

Thus the services which the cloud provides fit into one of the models described above. IT developers whose responsibility is infrastructure use IaaS, software and application developers use PaaS, and end users use SaaS.

III. SECURITY ISSUES IN CLOUD COMPUTING

With the increasing advancement of Cloud technology come many security threats to the Cloud. Nowadays a large number of users are boarding the cloud ship, but at the back of their minds they have an 'unreasonable' fear of facing security issues with this technology. The shift from server-based to service-based thinking is transforming the way technology departments think about delivering computing technology and applications. Yet these advances have created new security vulnerabilities, including security issues whose full impact is still emerging. Cybercriminals and the needless disturbance they can cause have become the leading concern of cloud security experts. That


A. Data Breaches

Data breaches are every CTO's worst nightmare. A breach means leakage of an organization's sensitive private data into the hands of competitors and unwanted people. While data loss and data leakage are both severe threats to cloud computing, the measures you put in place to reduce one of these threats can worsen the other. You can use data encryption to reduce the impact of a data breach, but if the encryption key is lost, all your data is lost as well. Conversely, one may decide to keep offline backups of one's data to reduce the impact of a catastrophic data loss, but this increases exposure to data breaches.

B. Data Loss

The thought of losing one's data permanently is terrifying for both consumers and businesses. Malicious attackers are one of the key reasons for the loss of data. An accidental deletion by the cloud service provider or, worse, a physical calamity such as a fire or earthquake can lead to the permanent loss of customers' data unless the provider takes adequate measures to back up the data.

C. Account Hijacking

In 2009, many Amazon systems were hijacked to run Zeus botnet nodes. In April 2010, Amazon experienced a Cross-Site Scripting (XSS) bug that allowed attackers to hijack credentials from the site.

Account or service hijacking is not new. Phishing, fraud and exploitation of software vulnerabilities still achieve results. Cloud solutions add more elements to the top of the stack. If an attacker gains access to your credentials, they can intercept your activities and transactions, manipulate data, return falsified information and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks.

D. Insecure APIs

Cloud providers expose a set of APIs and software interfaces that customers use to manage and interact with cloud services. These interfaces perform the major functions of provisioning, management and monitoring. Reliance on a weak set of interfaces and APIs exposes firms to many security issues related to availability, accountability, confidentiality and integrity.

E. Malicious Insiders

The European Organization for Nuclear Research, known as CERN, defines malicious insiders as:

"A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."

From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems and data.

F. Denial of Service

Denial-of-service attacks are attacks meant to prevent users from accessing their data or their applications. Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there's no way to get to your destination and nothing you can do about it except sit and wait. By forcing the victim cloud service to consume finite system resources such as processor power, disk space, network bandwidth and memory, the attacker causes an intolerable system slowdown and leaves all of the legitimate service users confused and angry as to why the service isn't responding.

G. Insufficient Due Diligence

Cloud Computing has brought the promise of improved efficiencies, improved security and cost reductions, and that is why many organizations are jumping into the cloud world. But too many enterprises jump into the cloud without understanding the full scope of the undertaking. An organization that rushes to adopt cloud technologies subjects itself to a number of issues. Contractual issues arise over obligations on liability, response or transparency, creating mismatched expectations between the CSP and the customer. Pushing applications that depend on "internal" network-level security controls to the cloud is dangerous when those controls disappear or do not match the customer's expectation.

H. Abuse of Cloud Services

With cloud, even small organizations have access to vast amounts of computing power. However, not everyone wants to use this power for good. It might take an attacker years to crack an encryption key using his own limited hardware, but using an array of cloud servers he might be able to crack it in minutes. This threat is more of an issue for cloud service providers and raises a number of serious implications for them. How will you detect people abusing your service? How will you define abuse? How will you prevent them from doing it again?

I. Shared Technology Vulnerabilities

A compromise of an integral component of a shared technology architecture, such as the hypervisor or an application in a SaaS environment, exposes the compromised customer. It also exposes the entire environment to potential compromise and breach. This vulnerability is catastrophic because it can potentially affect an entire cloud at once.

IV. IaaS STRUCTURE

The infrastructure layer (IaaS) consists of several components that have been developed in the past and are still in the development stage. The most common security challenges of the cloud world have been discussed earlier. However, breaching the security of one component adversely affects the security of other components, which in turn affects the overall security of the system. In this section we cover the IaaS components and their security issues, and propose recommendations and solutions.

A. Service Level Agreement (SLAs)

An SLA contains the complete list of services delivered by the provider, with their complete definitions. It also contains the parameters which determine whether the provider is delivering the service as promised, and an auditing mechanism to monitor the service. SLAs deliver important information regarding the responsibilities of the provider and the consumer, and the remedies available to both if the terms of the SLA are not met.

For a cloud provider, one of the major uses of SLAs is to make decisions about its infrastructure. For example, a provider might observe that throughput for a particular service is hardly meeting the consumer

[Figure: IaaS security model, comprising data leakage protection, authentication and authorization, infrastructural hardening, end-to-end logging and end-to-end encryption.]

A. Data leakage protection and usage monitoring

Data stored in an IaaS infrastructure needs to be closely monitored. When you're deploying IaaS in a public cloud, this is of critical importance. You need to know who is accessing the information, from what type of device the information was accessed, the location from which it was accessed and what happened to that information after it was accessed.

These problems can be solved by using modern Rights Management services and applying restrictions to all information that is considered business critical. Create legal policies for this information and then deploy those policies in a way that doesn't require user intervention. In addition, you should create a transparent process that controls who can see that information, and then create a "self-destruct" policy for sensitive information that does not need to live indefinitely outside the confines of the corporate datacenter.

B. Authentication and Authorization

Vigorous authentication and authorization methods are required in order to have a data loss prevention (DLP) solution. For authentication, consider two-factor or multi-factor authentication for all information that needs to be restricted. In addition, consider tiering your access policies based on the level of trust you have in each identity provider for your IaaS cloud solutions. The level of authorization you enable from an identity provider such as Google Mail is going to be a lot lower than if the identity provider is your corporate Active Directory environment. Integrate this authorization tiering into your DLP solution.

C. Infrastructure hardening

Virtual machines and VM templates should be hardened and clean. You can do this with initial system hardening when you create the images, and you can also take advantage of technologies that enable you to update the images offline with the latest service and security updates. Make sure that you have a process in place to test the security of these master images on a regular basis, to confirm that there has been no drift from your desired configuration due to malicious or non-malicious changes to the original configuration.
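One way to run the regular drift test on a master image, as an added example that is not code from the paper: it records a SHA-256 and permission manifest of a hardened image's file tree and reports every later departure from it. The file names and contents are constructed sample data, the function names are hypothetical, and POSIX permission semantics are assumed.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (digest.hexdigest(), stat.S_IMODE(info.st_mode))
    return manifest


def drift(baseline, current):
    """Return sorted (path, finding) pairs where current departs from baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            if baseline[path][0] != current[path][0]:
                findings.append((path, "content-changed"))
            if baseline[path][1] != current[path][1]:
                findings.append((path, "mode-changed"))
    return findings


def write(root, rel, text, mode=0o644):
    """Create or overwrite a file inside the constructed image tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Record a baseline for a constructed image tree, introduce drift, report it."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/motd", "hardened template v1\n")
        baseline = snapshot(root)  # taken when the image is first hardened
        write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")  # weakened
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)  # world-writable
        write(root, "etc/rc.local", "#!/bin/sh\n", 0o755)  # unexpected file
        os.remove(os.path.join(root, "etc/motd"))  # file gone from the image
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    print(*(f"{finding:16} {path}" for path, finding in demo()), sep="\n")
```

The check is only as trustworthy as the baseline, so the manifest has to be kept where nothing running inside the image can rewrite it.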

D. End to end encryption

For end-to-end encryption you should use whole disk encryption, which ensures that all data on the disk is encrypted so that it is protected from online as well as offline attacks. Also make sure that all communications to host OSs and VMs in the IaaS infrastructure are encrypted. This can be done over SSL/TLS or IPsec. This includes not only communications from management stations but also communications between the virtual machines themselves. One should also deploy mechanisms such as homomorphic encryption to keep end-user communications safe and secure. This is a form of encryption that allows complex calculations to be performed on the data even though it is encrypted.

Figure 2: Deploying IaaS Security Model

E. End to end logging

Logging and reporting solutions become highly important in the event of a security breach. Logging is critical for incident response and forensics, and the reports and findings after the incident are going to depend heavily on your logging infrastructure. Make sure that all compute, network, memory and storage activity is logged and that the logs are stored in multiple, secure locations with extremely limited access.

VI. CONCLUSION

Cloud Computing is an evolving computing paradigm. The NIST document has defined several requirements for a cloud computing solution. There are three service models for cloud computing: SaaS, PaaS and IaaS. When deploying an IaaS solution, there are a number of security issues that need to be considered for both private cloud IaaS and public cloud IaaS, which are highlighted in this research paper. The security issues presented here concern the security of each IaaS component, in addition to recently proposed solutions.

ACKNOWLEDGEMENT

I am very grateful to Mr. Gaurav Sharma for his support to write this paper.
