Cloud Computing

The document outlines cloud computing and IoT security, detailing various cloud service models (SaaS, PaaS, IaaS) and deployment models (public, private, community, hybrid). It emphasizes the importance of security, compliance, and governance in cloud services, highlighting risks and countermeasures associated with cloud computing. Additionally, it discusses the NIST guidelines for cloud security and privacy, focusing on best practices for managing security and data protection in cloud environments.

Uploaded by

bettymwangi35
Copyright: © All Rights Reserved

Cloud and IoT Security

3.4. Outline
• Cloud Computing
• Cloud Security Concepts
• Cloud Security Approaches
• The Internet of Things
• IoT Security
Cloud Computing:
• NIST defines cloud computing, in NIST SP-800-145 (The
NIST Definition of Cloud Computing, September 2011) as
follows:

“Cloud computing: A model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider
interaction. This cloud model promotes availability and is
composed of five essential characteristics,
three service models, and four deployment models.”
[Figure 13.1 Cloud Computing Elements. Essential characteristics: broad network access, rapid elasticity, measured service, on-demand self-service, resource pooling. Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Deployment models: public, private, hybrid, community.]


Cloud Service Models
NIST defines three service models, which can be viewed as nested service alternatives:
• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)
Software as a Service (SaaS)
• SaaS provides service to customers in the form of software, specifically application software, running on and accessible in the cloud
• It enables the customer to use the cloud provider’s applications running on the provider’s cloud infrastructure
o The applications are accessible from various client devices through a simple interface, such as a Web browser
o Instead of obtaining desktop and server licenses for software products it uses, an enterprise obtains the same functions from the cloud service
• The use of SaaS avoids the complexity of software installation, maintenance, upgrades, and patches
• Examples of this service are Google Gmail, Microsoft 365, Salesforce, Citrix GoToMeeting, and Cisco WebEx
Platform as a Service (PaaS)
• A PaaS cloud provides service to customers in the form of a platform on which the customer’s applications can run
• PaaS enables the customer to deploy onto the cloud infrastructure customer-created or acquired applications
• A PaaS cloud provides useful software building blocks, plus a number of development tools, such as programming language tools, run-time environments, and other tools that assist in deploying new applications
• In effect, PaaS is an operating system in the cloud
• It is useful for an organization that wants to develop new or tailored applications while paying for the needed computing resources only as needed, and only for as long as needed
• Examples of PaaS include AppEngine, Engine Yard, Heroku, Microsoft Azure, Force.com, and Apache Stratos
Infrastructure as a Service (IaaS)
• With IaaS, the customer has access to the resources of the underlying cloud infrastructure
• The cloud service user does not manage or control the resources of the underlying cloud infrastructure, but has control over operating systems, deployed applications, and possibly limited control of select networking components
• IaaS provides virtual machines and other virtualized hardware and operating systems
• IaaS offers the customer processing, storage, networks, and other fundamental computing resources so the customer is able to deploy and run arbitrary software, which can include operating systems and applications
• IaaS enables customers to combine basic computing services, such as number crunching and data storage, to build highly adaptable computer systems
• Examples of IaaS are Amazon Elastic Compute Cloud, Microsoft Windows Azure, Google Compute Engine, and Rackspace
Cloud Deployment Models
The four most prominent deployment models for cloud computing are:
• Public cloud
• Community cloud
• Private cloud
• Hybrid cloud

Public Cloud
• A public cloud infrastructure is made available to the
general public or a large industry group, and is owned by
an organization selling cloud services
• The cloud provider is responsible both for the cloud infrastructure and for
the control of data and operations within the cloud

• A public cloud may be owned, managed, and operated by a
business, academic, or government organization, or some
combination of them
• All major components are outside the enterprise firewall, located in a
multitenant infrastructure
• Applications and storage are made available over the Internet via secured IP,
and can be free or offered at a pay-per-usage fee

• The major advantage of the public cloud is cost
• The principal concern is security
Private Cloud
A private cloud is implemented within the internal IT environment of the organization

The organization may choose to manage the cloud in house or contract the management function to a third
party

The cloud servers and storage devices may exist on premise or off premise

Private clouds can deliver IaaS internally to employees or business units through an intranet or the
Internet via a virtual private network (VPN), as well as software or storage as services to its branch
offices

Examples of services delivered through the private cloud include database on demand, email on demand,
and storage on demand

A key motivation for opting for a private cloud is security

Other benefits include easy resource sharing and rapid deployment to organizational entities
Community Cloud
• A community cloud shares characteristics of private and public clouds
o Has restricted access like a private cloud
o The cloud resources are shared among a number of independent organizations like a public cloud
• The organizations that share the community cloud have similar requirements and, typically, a need to exchange data with each other
o An example would be the health care industry
• The cloud infrastructure may be managed by the participating organizations or a third party, and may exist on premise or off premise
o In this deployment model, the costs are spread over fewer users than a public cloud so only some of the cost savings potential of cloud computing are realized
Hybrid Cloud
• The hybrid cloud infrastructure is a composition of two or more
clouds (private, community, or public) that remain unique entities but
are bound together by standardized or proprietary technology that
enables data and application portability
• With a hybrid cloud solution, sensitive information can be placed in a
private area of the cloud, and less sensitive data can take advantage of
the benefits of the public cloud
• A hybrid public/private cloud solution can be particularly attractive
for smaller businesses
• Many applications for which security concerns are less can be
offloaded at considerable cost savings without committing the
organization to moving more sensitive data and applications to the
public cloud
Comparison of Cloud Deployment Models

              Private              Community     Public              Hybrid
Scalability   Limited              Limited       Very high           Very high
Security      Most secure option   Very secure   Moderately secure   Very secure
Performance   Very good            Very good     Low to medium       Good
Reliability   Very high            Very high     Medium              Medium to high
Cost          High                 Medium        Low                 Medium


Cloud Computing:
• NIST SP-500-292 (NIST Cloud Computing Reference
Architecture) establishes reference architecture,
described as follows:

“The NIST cloud computing reference architecture focuses on the
requirements of “what” cloud services provide, not a “how to”
design solution and implementation. The reference architecture is
intended to facilitate the understanding of the operational
intricacies in cloud computing. It does not represent the system
architecture of a specific cloud computing system; instead it is a
tool for describing, discussing, and developing a system-specific
architecture using a common framework of reference.”
Objectives
NIST developed the reference architecture with the following objectives in mind:
• To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model
• To provide a technical reference for CSCs to understand, discuss, categorize, and compare cloud services
• To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations
[Figure 13.3 NIST Cloud Computing Reference Architecture. Actors shown: Cloud Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Provider (Service Orchestration with a Service Layer of SaaS, PaaS and IaaS, a Resource Abstraction and Control Layer, and a Physical Resource Layer of Hardware and Facility; Cloud Service Management with Business Support, Provisioning/Configuration and Portability/Interoperability; Security; Privacy); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier.]


Governance
• Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services.
• Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.

Compliance
• Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.
• Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.
• Ensure that the cloud provider’s electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.

Trust
• Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
• Establish clear, exclusive ownership rights over data.
• Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system.
• Continuously monitor the security state of the information system to support ongoing risk management decisions.

Architecture
• Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.

NIST Guidelines on Cloud Security and Privacy Issues and Recommendations (Page 1 of 2)

Identity and access management
• Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.

Software isolation
• Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.

Data protection
• Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.
• Take into consideration the risk of collating organizational data with those of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value.
• Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.

Availability
• Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization’s continuity and contingency planning requirements.
• Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.

Incident response
• Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.
• Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.
• Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.

NIST Guidelines on Cloud Security and Privacy Issues and Recommendations (Page 2 of 2)

Security Issues for Cloud Computing
• Security is a major consideration when augmenting or replacing on-premises
systems with cloud services
• Allaying security concerns is frequently a prerequisite for further discussions
about migrating part or all of an organization’s computing architecture to the
cloud
• Availability is another major concern
• Auditability of data must be ensured
• Businesses should perform due diligence on security threats both from outside
and inside the cloud
• Cloud users are responsible for application-level security
• Cloud vendors are responsible for physical security and some software security
• Security for intermediate layers of the software stack is shared between users and vendors

• Cloud providers must guard against theft or denial-of-service attacks by their
users and users need to be protected from one another
• Businesses should consider the extent to which subscribers are protected against
the provider, especially in the area of inadvertent data loss
Control Functions and Classes

Technical
• Access Control
• Audit and Accountability
• Identification and Authentication
• System and Communication Protection

Operational
• Awareness and Training
• Configuration and Management
• Contingency Planning
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Personnel Security
• System and Information Integrity

Management
• Certification, Accreditation and Security Assessment
• Planning
• Risk Assessment
• System and Services Acquisition

Risks and Countermeasures
The Cloud Security Alliance lists the following as
the top cloud-specific security threats:
• Abuse and nefarious use of cloud computing
o Countermeasures include:
• Stricter initial registration and validation processes
• Enhanced credit card fraud monitoring and coordination
• Comprehensive inspection of customer network traffic
• Monitoring public blacklists for one’s own network blocks
• Insecure interfaces and APIs
o Countermeasures include:
• Analyzing the security model of CSP interfaces
• Ensuring that strong authentication and access controls are implemented in
concert with encrypted transmission
• Understanding the dependency chain associated with the API
• Malicious insiders
o Countermeasures include:
• Enforce strict supply chain management and conduct a comprehensive
supplier assessment
• Specify human resource requirements as part of legal contract
• Require transparency into overall information security and management
practices, as well as compliance reporting
• Determine security breach notification processes

• Shared technology issues
o Countermeasures include:
• Implement security best practices for installation/configuration
• Monitor environment for unauthorized changes/activity
• Promote strong authentication and access control for administrative access
and operations
• Enforce SLAs for patching and vulnerability remediation
• Conduct vulnerability scanning and configuration audits
• Data loss or leakage
o Countermeasures include:
• Implement strong API access control
• Encrypt and protect integrity of data in transit and at rest
• Analyze data protection at both design and run time
• Implement strong key generation, storage and management, and destruction
practices

• Account or service hijacking
o Countermeasures include:
• Prohibit the sharing of account credentials between users and services
• Leverage strong two-factor authentication techniques where possible
• Employ proactive monitoring to detect unauthorized activity
• Understand CSP security policies and SLAs

• Unknown risk profile
o Countermeasures include:
• Disclosure of applicable logs and data
• Partial/full disclosure of infrastructure details
• Monitoring and alerting on necessary information
Data Protection in the Cloud
• The threat of data compromise increases in the cloud, due to the number of, and interactions between, risks and challenges that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment
• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CSP
• The client can enforce access control techniques, but CSP is involved to some extent depending on the service model used
• For data at rest, the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CSP having no access to the encryption key
• Even with these precautions, corruption and other denial-of-service attacks remain a risk
Data Protection in the Cloud

Multi-instance Model
• Provides a unique DBMS running on a VM instance for each cloud subscriber
• This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security

Multi-tenant Model
• Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
• Tagging gives the appearance of exclusive use of the instance, but relies on the cloud provider to establish and maintain a sound secure database environment
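
The multi-tenant tagging model above, as an added example that is not part of the original slides: a provider-side access layer stamps and filters the subscriber identifier on every statement, and one query path that omits the tag shows why the subscriber depends on the provider getting this right. The table layout, the `TenantSession` class and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: two subscribers share one table; every row carries
# a subscriber identifier (the "tag" the multi-tenant model relies on).
ROWS = [
    ("tenant-a", "alice", "invoice 1001"),
    ("tenant-a", "amir", "invoice 1002"),
    ("tenant-b", "bob", "payroll Q3"),
]


def open_shared_db():
    """Create the shared, tagged table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE records ("
        " tenant_id TEXT NOT NULL,"
        " owner TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", ROWS)
    return db


def unscoped_find(db):
    """Failure mode: one query path that forgets the tag exposes every tenant."""
    return db.execute("SELECT tenant_id, owner, body FROM records").fetchall()


class TenantSession:
    """Hypothetical provider-side access layer bound to one subscriber identifier.

    The tag is fixed when the session is created (after authentication, which
    is out of scope here) and is added to every statement by this class.
    Callers never pass a tenant id, so they cannot widen their own scope.
    """

    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant_id = tenant_id

    def find(self, owner=None):
        sql = "SELECT owner, body FROM records WHERE tenant_id = ?"
        params = [self._tenant_id]
        if owner is not None:
            sql += " AND owner = ?"
            params.append(owner)
        return self._db.execute(sql + " ORDER BY rowid", params).fetchall()

    def insert(self, owner, body):
        # The tag is stamped by the layer, never taken from caller input.
        self._db.execute(
            "INSERT INTO records VALUES (?, ?, ?)",
            (self._tenant_id, owner, body),
        )

    def update_body(self, owner, new_body):
        # Writes are scoped as well; returns the number of rows changed.
        cur = self._db.execute(
            "UPDATE records SET body = ? WHERE tenant_id = ? AND owner = ?",
            (new_body, self._tenant_id, owner),
        )
        return cur.rowcount


if __name__ == "__main__":
    db = open_shared_db()
    a, b = TenantSession(db, "tenant-a"), TenantSession(db, "tenant-b")
    print("tenant-a sees:", a.find())
    print("tenant-b sees:", b.find())
    print("tenant-b asks for alice's rows:", b.find(owner="alice"))
    print("tenant-a rows changed by tenant-b:", b.update_body("alice", "x"))
    print("untagged query returns", len(unscoped_find(db)), "rows")
```

In the multi-instance model the same separation comes from each subscriber having its own DBMS, so there is no shared table for an untagged query to read across.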
Cloud Security as a Service
• In the context of cloud computing, cloud security as a service,
designated SecaaS, is a segment of the SaaS offering of a CSP
• The CSA defines SecaaS as the provision of security applications
and services via the cloud either to cloud-based infrastructure and
software, or from the cloud to the customers’ on-premise systems
• The CSA has identified the following SecaaS categories of service:
• Identity and access management
• Data loss prevention
• Web security
• E-mail security
• Security assessments
• Intrusion management
• Security information and event management
• Encryption
• Business continuity and disaster recovery
• Network security
[Figure 13.6 Elements of Cloud Security as a Service. Labels: Encryption; E-mail security; Data loss prevention; Security assessments; Security information and event management; Business continuity and disaster recovery; Web security; Intrusion management; Identity and access management; Network security; Cloud service clients and adversaries.]


OpenStack
• Open-source software project of the OpenStack Foundation that aims to produce an open-source cloud operating system
• The principal objective is to enable creating and managing huge groups of virtual private servers in a cloud computing environment
• OpenStack is embedded, to one degree or another, into data center infrastructure and cloud computing products
• It provides multi-tenant IaaS, and aims to meet the needs of public and private clouds, regardless of size, by being simple to implement and massively scalable
OpenStack
• The OpenStack OS consists of a number of independent
modules, each of which has a project name and a
functional name
• The security module for OpenStack is Keystone
• Keystone provides the shared security services essential
for a functioning cloud computing infrastructure
o It provides the following main services:
• Identity
• Token
• Service catalog
• Policies
The Internet of Things (IoT)
• IoT is a term that refers to the expanding interconnection of smart
devices, ranging from appliances to tiny sensors
• A dominant theme is the embedding of short-range mobile transceivers into a
wide array of gadgets and everyday items, enabling new forms of
communication between people and things, and between things themselves
• The Internet supports the interconnectivity usually through cloud systems
• The objects deliver sensor information, act on their environment, and in
some cases modify themselves, to create overall management of a larger
system
• The IoT is primarily driven by deeply embedded devices
• These devices are low-bandwidth, low-repetition data capture, and
low-bandwidth data-usage appliances that communicate with each other and provide
data via user interfaces
• Embedded appliances, such as high-resolution video security cameras, video
VoIP phones, and a handful of others, require high-bandwidth streaming
capabilities
Evolution
With reference to the end systems supported, the Internet has gone through roughly four generations of deployment culminating in the IoT:
• Information technology (IT): PCs, servers, routers, firewalls, and so on, bought as IT devices by enterprise IT people, primarily using wired connectivity
• Operational technology (OT): Machines/appliances with embedded IT built by non-IT companies, such as medical machinery, SCADA, process control, and kiosks, bought as appliances by enterprise OT people, primarily using wired connectivity
• Personal technology: Smartphones, tablets, and eBook readers bought as IT devices by consumers (employees) exclusively using wireless connectivity and often multiple forms of wireless connectivity
• Sensor/actuator technology: Single-purpose devices bought by consumers, IT and OT people exclusively using wireless connectivity, generally of a single form, as part of larger systems

It is the fourth generation that is usually thought of as the IoT, and which is
marked by the use of billions of embedded devices
Edge
• At the edge of a typical enterprise network is a network of IoT-enabled devices consisting of sensors and perhaps actuators
o These devices may communicate with one another
o A cluster of sensors may all transmit their data to one sensor that aggregates the data to be collected by a higher-level entity
• A gateway interconnects the IoT-enabled devices with the higher-level communication networks
o It performs the necessary translation between the protocols used in the communication networks and those used by devices
o It may also perform a basic data aggregation function
Fog
• In many IoT deployments, massive amounts of data may be generated by a
distributed network of sensors
• Rather than store all of that data permanently (or at least for a long period) in central
storage accessible to IoT applications, it is often desirable to do as much data
processing close to the sensors as possible
• The purpose of what is sometimes referred to as the edge computing level is to
convert network data flows into information that is suitable for storage and
higher-level processing
• Processing elements at these levels may deal with high volumes of data and perform
data transformation operations, resulting in the storage of much lower volumes of
data
• The following are examples of fog computing operations:
o Evaluation
o Formatting
o Expanding/decoding
o Distillation/reduction
o Assessment
Fog
• Generally fog computing devices are deployed physically near the edge
of the IoT network near the sensors and other data-generating devices
• Fog computing and fog services are expected to be a distinguishing
characteristic of the IoT
• Fog computing represents an opposite trend in modern networking from
cloud computing
• With cloud computing, massive, centralized storage and processing resources are made
available to distributed customers over cloud networking facilities to a relatively small
number of users
• With fog computing, massive numbers of individual smart objects are interconnected
with fog networking facilities that provide processing and storage resources close to the
edge devices in an IoT
• Fog computing addresses the challenges raised by the activity of
thousands or millions of smart devices, including security, privacy,
network capacity constraints, and latency requirements
• The term fog computing is inspired by the fact that fog tends to hover low
to the ground, whereas clouds are high in the sky
Core
• The core network, also referred to as a backbone network, connects
geographically dispersed fog networks as well as providing
access to other networks that are not part of the enterprise
network
• Typically the core network will use very high-performance
routers, high-capacity transmission lines, and multiple
interconnected routers for increased redundancy and capacity
• The core network may also connect to high-performance,
high-capacity servers such as large database servers and private cloud
facilities
• Some of the core routers may be purely internal, providing
redundancy and additional capacity without serving as edge
routers
Comparison of Cloud and Fog Features

                                           Cloud                                    Fog
Location of processing/storage resources   Center                                   Edge
Latency                                    High                                     Low
Access                                     Fixed or wireless                        Mainly wireless
Support for mobility                       Not applicable                           Yes
Control                                    Centralized/hierarchical (full control)  Distributed/hierarchical (partial control)
Service access                             Through core                             At the edge/on handheld device
Availability                               99.99%                                   Highly volatile/highly redundant
Number of users/devices                    Tens/hundreds of millions                Tens of billions
Main content generator                     Human                                    Devices/sensors
Content generation                         Central location                         Anywhere
Content consumption                        End device                               Anywhere
Software virtual infrastructure            Central enterprise servers               User devices


Patching Vulnerability
• There is a crisis point with regard to the security of embedded systems, including IoT devices
• The embedded devices are riddled with vulnerabilities and there is no good way to patch them
• Chip manufacturers have strong incentives to produce their product as quickly and cheaply as possible
• The device manufacturers’ focus is the functionality of the device itself
• The end user may have no means of patching the system or, if so, little information about when and how to patch
• The result is that the hundreds of millions of Internet-connected devices in the IoT are vulnerable to attack
• This is certainly a problem with sensors, allowing attackers to insert false data into the network
• It is potentially a graver threat with actuators, where the attacker can affect the operation of machinery and other devices
IoT Security and Privacy Requirements
• ITU-T Recommendation Y.2066 includes a list of security
requirements for the IoT
• The requirements are defined as being the functional
requirements during capturing, storing, transferring,
aggregating, and processing the data of things, as well as
to the provision of services which involve things
• The requirements are:
• Communication security
• Data management security
• Service provision security
• Integration of security policies and techniques
• Mutual authentication and authorization
• Security audit
[Figure 13.11 IoT Gateway Security Functions. Labels, top to bottom: Application platforms; Authentication, secure data transfer; Internet or enterprise network; Gateways (security, privacy of data at rest); Authentication, secure data transfer; Devices.]


MiniSec
• MiniSec is an open-source security module that is part of
the TinyOS operating system
• It is designed to be a link-level module that offers a high
level of security, while simultaneously keeping energy
consumption low and using very little memory
• MiniSec provides confidentiality, authentication, and
replay protection
• MiniSec has two operating modes, one tailored for
single-source communication, and another tailored for
multi-source broadcast communication
MiniSec
MiniSec is designed to meet the following requirements:
• Data authentication
• Confidentiality
• Replay protection
• Freshness
• Low energy overhead
• Resilient to lost messages