Cloud security control and auditing

Completed

When you run an application on the cloud, different aspects of security must be controlled by different entities. For instance, the following figure (from Azure) shows the breakdown of security responsibilities between the provider and the customer.

Figure 13: Security responsibilities in Azure (Source)

Many classes of applications require different infrastructure, process, and security certifications. Most cloud service providers will comply with a majority of the popular certifications and audit requirements followed in the US and Europe.

To develop an application that passes these compliance checks, both the cloud service providers and the application developers must apply a minimal set of security controls, which we will explore below. As with the rest of this course, we look at controls from a predominantly IaaS perspective. Obviously, as we move up the stack, the cloud service provider has to ensure the security of the resources it is responsible for.

For an IaaS cloud, the following table gives an overview of some of the the security controls to be implemented by both parties:

Domain	Cloud service provider responsibility	Customer responsibility
Identity and access management	A cloud service provider must provide information to customers about who is using the service. This requires that they: Deliver and maintain an authentication service (so that users cannot access resources without explicit privileges). Create a service that allows account management policy configuration. (Customers can add and remove users and roles.) Adopt insider misuse protections (monitor employees and restrict access to sensitive server locations).	Using the authentication and access control service provided by the cloud provider, customers must: Define roles, groups, and permissions. Create and disseminate credentials. Use access control logging. (The customer will have a log of all sensitive user events.) Use multi-factor authentication where appropriate.
Availability and fault tolerance	To ensure that the cloud is resilient to failure, cloud service providers must have: Tape backups and redundancy of storage and compute systems. Geo-distributed datacenters.	The redundancy provided by the cloud service provider has to be leveraged by the customer, who should: Add redundant options for connectivity to all endpoints. Use application-layer backups and snapshots of instances and storage state. (A snapshot of a VM instance, or a database, stores its state at a fixed moment in time, allowing a recovery to be performed from that point.)
Patching and configuration management	Ensure sandboxing of tenants using hypervisors and overlay networks. (This will be explained later.) Regular vulnerability assessments and penetration testing (when an internal or external team of "hackers" systematically attempts to break into a system) of bare metal, hypervisor, and networks.	Patch OS and machine images with the latest security updates. Use appropriate user roles with the least privilege for each application. (For example, when you run a web server on the cloud, ensure that it doesn't have access to any infrastructure keys, or even to local "root." This way, if your website is breached, the rest of your application is isolated.) Restrict traffic to instances using firewalls and virtual private clouds, and segment the network into zones (block all network traffic from untrusted sources).
Monitoring and detection	Verify that customer resources are not being used for nefarious activities (either intentionally or unintentionally), and take appropriate actions.	Install host-based intrusion detection and anti-malware systems. (These detect any misuse of your cloud network or hosts.) Define alerts and response strategies for incidents and breaches. (Be prepared for attacks and automate a recovery and logging protocol.)
Data security	Cross-tenant data access controls and privacy safeguards. (As described on the previous page, ensure that customers on the same physical infrastructure are isolated.) Data integrity verification and repair from redundant data stores. (When storing data in several replicas, ensure their consistency and accuracy.)	Use secure protocols (like SSL/TLS and IPsec) for data in transit. (These ensure that your network traffic cannot be read.) Encrypt data at rest. (Encrypt all the data you store on the cloud, such that even a rogue employee of the cloud service provider cannot disclose this information.)
Cryptographic object security	Support data encryption in all provided storage/file systems and DBs. (For example, Windows environments could allow BitLocker implementations.) Securely manage customer account and access credentials.	Create and distribute access keys (for cloud service provider APIs) as well as remote connectivity (like SSH, VNC, RDP). Do not store keys on the cloud where possible, so that a key will not be in the same place as the data.

Providers will often build in services that simplify the process for customers to implement security controls. For example, Azure provides Azure Network Security Groups, which can act as external network firewalls.

The process of verifying the presence of these controls is known as a security audit. These audits can be done internally (by hiring a technical consultant) or externally (by a certifying agency). To host sensitive information on the cloud, both the provider and the customer must pass these audits.

References

1. Mather, Tim et. al. (2009). Cloud security and privacy: an enterprise perspective on risks and compliance. O'Reilly Media
2. Pucher, Alex et. al. (2012). A Survey on Cloud Provider Security Measures. University of California Santa Barbara

---

Check your knowledge

1.

On VM, if you install Wireshark, you should be able to sniff packets from:

Only my VM.

Nothing. Wireshark will not work on the VM.

All VMs in the same physical machine.

All VMs in the same rack.

2.

The process of mapping instances from the virtual cloud to the physical infrastructure is called cloud cartography. Assuming that you're an IaaS provider, which of the following will protect an attacker from mapping your service?

Statically allocating private IPs (used for communication within the cloud network)

Allowing VMs to access properties of the underlying hardware

Statically allocating public IPs (as viewed over the public internet)

Dynamically allocating both public and private IPs

3.

You host an email server on the cloud only to find that the emails that your service sends are categorized as spam by anti-spammers like Spamhaus. However, the content of your mails is not spam-like. What could be a possible reason for this filtering?

This is just an inherent problem of public clouds, where you have to share resources with untrusted entities, which could impact you in unpredictable ways. Cloud providers should add features like outbound spam monitoring to protect their own reputation. Services like Spamhaus should continue unchanged.

You should never host an email server on the public cloud because the Massive Surveillance Bureau will be tracking it.

Both Spamhaus and cloud providers need to adapt to this new type of problem.

This problem is due to IP reputation systems only. These systems broadly categorize large subnets of IP addresses as spammers, even if only a few of them actually contribute to spam traffic. Instead, reputation-based blocking should be done for each IP address. The cloud provider cannot take any action to protect itself.

4.

Some service providers offer dedicated VM instances as an added security measure. Such instances are guaranteed to run on dedicated hardware that will not be shared with other users of the cloud service. Which of the following threats will you be protected against on a dedicated VM?

Datacenter failure leading to your VM shutting down.

A vulnerability in your website that allows hackers to deface it.

Malicious code from a competitor hosted on a neighboring VM.

A vulnerability on the physical server that the cloud provider did not patch.

5.

A cloud firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus an instance's neighbors have no more access to that instance than any other host on the internet and can be treated as if they are on separate physical hosts. These can be configured as security groups. What is one disadvantage of this method?

It doesn't protect you from bad traffic sent from other instances, since they're inside the firewall.

Because the firewall isn't hosted on the instance, it's more vulnerable if your instance gets breached, because the attacker can easily change the security group settings from within the instance.

It doesn't protect you from bad traffic sent from other instances on the same hardware.

The security groups don't let you log traffic that's being blocked, so you have reduced visibility about security events.

6.

Homomorphic encryption is a special form of encryption where computation can be carded out on encrypted data. For instance, if Bing used homomorphic encryption, it would receive an encrypted version of your search term, find the matches without looking at it, and return an encrypted version of the results. Your data would never be exposed. Recent research from Craig Gentry at Stanford demonstrated a practical way to create an encryption scheme that allows addition and multiplication. Why is this not widely used?

The government won't allow encryption that it can't decrypt through a legal channel.

The scheme is currently computationally very expensive, and takes too long.

Gentry's scheme supports both addition and multiplication operations on ciphertexts, from which it's impossible to construct circuits for performing arbitrary computation.

7.

If you're an educator building a service that runs and grades student code to add two numbers, which of the following should you not do?

Run the script with the least privileges required.

Block network access.

Restrict the amount of memory that the code can access.

Add a timeout to kill the code after a certain duration.

Block the script from accessing any files outside the given folder.

Run the script as the root user.

Log any code that violates the policies, because it might corrupt the logs.

You must answer all questions before checking your work.