Module 5

Cloud Security
 Security for Virtualization Platform
 Host security
 Data security
 Data confidentiality and encryption,
Data availability, Data integrity
 Cloud firewall
 AAA administration for clouds (AAA
model)
 SSO for clouds
 Authentication and authorization in
clouds
 Security
• The CSA (Cloud Security Alliance) is also working on the
best practices and standards to enhance the privacy
and security of cloud applications, data and identity of
users.
• Authentication
• Authorization
• Security of data at rest/ data in motion
• Data integrity
• Auditing
 Security for Virtualization Platform

• Security for a cloud host is to some extent similar for

traditional, non-virtualized on premise servers
• With several users and applications in a cloud,
malwares can magnify damages faster than in any
dedicated environment
• In a cloud, users will need to deploy tools that can
immediately identify and resolve malware, data
integrity and authentication problems
• Above all, users must understand and document the
responsibilities to be shared between the cloud
provider and customer organization
• These responsibilities will depend on the services
(SaaS, PaaS or IaaS)
Security for the Virtualization Product
• The cloud provider is responsible for the security of the
virtualization software in all the public cloud
deployments
• It is the software that sits on top of the bare metal and
enables the provider or the customer to create and
delete virtual machines
• It enables several virtual machines or OS instances to
share the same underlying server resources
• Some common hypervisors –
i) vSphere from VMware,
ii) Hyper-V from Microsoft
iii) Xen from Citrix
• In PaaS and SaaS, the virtual machines are shared by
several customers where in an IaaS environment, each
virtual machine is owned by a customer
• Customers have no access or control of the
virtualization software
“There are several attacks on the hypervisor
level and these are known as bugs where a guest
(or virtual) machine can gain access to the host
operating system”
• A zero-day vulnerability: It signifies that hackers have
tools to launch attacks on the same day the flaw is
found
• Providers need to deploy measures to protect against
any unknown weaknesses in its software or
application updates
• Prevention measures:
i. Early problem detection techniques to be
implemented, IPS and IDS to protect against
intrusion
ii. Virtual LANs (vLANS) to be protected with IPsec to
protect in-transit messages
• Security for wireless communication:
- Since mobile access to cloud is becoming universally
ubiquitous, cloud providers must use schemes such as
WiFi Protected Access (WPA)
- It is to defend against wireless based attacks on the
hypervisor, OS and applications
- Different standards providing security to Wireless Network:
i. Wired Equivalent Privacy (WEP)
ii. WPA
iii. WPA-2
iv. WPA-3
 Wireless security
1. WEP: Wired Equivalent Privacy (WEP) was the first
attempt at wireless protection. WEP encrypts traffic
using a 64- or 128-bit key in hexadecimal. This is a
static key, which means all traffic, regardless of
device, is encrypted using a single key
2. WPA uses the temporal key integrity protocol (TKIP),
which dynamically changes the key that systems use.
TKIP employs a per-packet key, which means that it
dynamically generates a new 128-bit key for each
packet and thus prevents the types of attacks that
compromise WEP. TKIP encryption standard was later
superseded by the Advanced Encryption Standard
(AES)
• WPA also included message integrity checks to
determine if an attacker had captured or altered
data packets
• Keys used by WPA were 256-bit
 Wireless security
3. WPA2 is based on the robust security network (RSN)
mechanism and operates on two modes
- Personal mode or Pre-shared Key (WPA2-PSK) – which
relies on a shared passcode for access and is usually used in
home environments.
- Enterprise mode (WPA2-EAP) – as the name suggests,
this is more suited to organizational or business use.
- It included mandatory support for CCMP(Counter Mode
CBC-MAC Protocol), an AES(Advanced Encryption Standard)
based encryption mode
4. WPA3: Wi-Fi Alliance started certifying equipments that
had been WPA3-approved
• It includes 192-bit cryptographic strength (in WPA3-EAP
enterprise mode), 384-bit Hashed Message Authentication
Mode (HMAC), 256-bit Broadcast/Multicast Integrity
Protocol (BIP-GMAC-256), 256-bit Galois/Counter Mode
Protocol encryption (GCMP-256), SAE exchange, and WiFi
Device Provisioning Protocol (DPP)
 Host Security for SaaS
• For SaaS services, the provider owns and
manages the servers, network and applications
• The applications run on a number of virtual
machines with Linux, Windows or other operating
systems
• SaaS access hides the operating system from the
user
• To get assurance of the degree of security
implemented by the SaaS provider:
i. Customers can ask for detailed security status
after signing a Non-Disclosure Agreement (NDA)
with the provider
ii. Customers can ask if the provider has security
assessment report such as SAS 70 or SysTrust
report
iii. Customers can also ask for security certifications
 Host Security for PaaS
• The access, control and amount of information customers
can get for servers in a PaaS environment is similar to that
for SaaS
• Since PaaS provides an environment to develop products,
customers do have access to libraries and kernel-level
parameters
• Customers don’t have root or administrator-level privileges
• The cloud provider gives a number of Application
Programming Interfaces (APIs) which in turn are used by the
PaaS users to indirectly access the abstraction layer that
hides the operating system
• The host administration in PaaS is the responsibility of the
cloud provider
• It is the users' responsibility, as customer and consumer, to
own the risk of maintaining data in the cloud, understand
degree of security the cloud provider has instituted, and
whether it is sufficient for the end-user and developer
community
 Host Security for IaaS
• In IaaS, users have complete access to the server
OS, its resources such as the CPU, memory,
network ports, bandwidth and storage, along with
root or administrator password
• To protect from attacks, it is important to
understand that the virtual hosts in the cloud are
accessible to everyone
• Users must open only one port at a time, as and
when required, that is to be used with sFTP
(secure FTP), SSH (Secure Shell) and SCP (Secure
Copy)
• The encryption used by SSH provides
confidentiality and integrity to data over an
unsecured network
• Another attack surface is the APIs, along with
programs based on the APIs
• The following are some ways to tighten the host-level
security in an IaaS cloud:
i. Users should create their own OS image to be installed on
virtual servers. This protects the integrity of users OS image
ii. Every time a user installs an OS on a virtual host, it is
important to customize the hosts to run services required
by the application on the host. In this way, the users will be
able to decrease the attack surface and the number of
patch updates needed to install on the host
iii. Block ports that are not used such as FTP (ports 20 and 21),
telnet (port 23) and NetBIOS (port 139), SMTP (port 25).
According to Internet Security Systems (ISS), Port 139 is the
single most dangerous port on the Internet as all file and
printer sharing on a Windows machine runs over this port
iv. Install host-based IPS and IDS services to monitor and
analyze the OS and log files. It records the object attributes
(such as modification dates, size and permissions) and
creates a check-sum database for later comparison
v. Enable event logging for all security and user activities to
a dedicated log server. Setup automated alerts for malicious
events. Review log files regularly for security breaches
vi. Protect the encryption keys. Keep the keys separate
from the cloud where the data is stored. If the service or
data processing requires keys, users need to co-locate
them. After the processing is over, it is best to remove the
keys from the cloud
vii. Users are required to type passwords for sudo access to
gain root-level rights for Unix hosts.
viii. Enforce strong passwords for users
• Trend Micro™ has a product called SecureCloud™ that
encrypts and controls data in public and private cloud
environments with a simple, policy-based key
management
• Deep Security (again from Trend Micro™) provides
security for virtual hosts in a private or public cloud. It
combines intrusion detection and prevention, firewall,
 Data Security
• Data stored in cloud, faces the following crucial threats:
i. Data Availability—Data on cloud is Data available. A software or
hardware fault or data integrity problem in one part of the
infrastructure or data storage unit impacts not only that part of
the database but also the entire environment.
ii. Data Performance—Data is located at various datacenters owned
by the cloud provider. Data is far from the users, has higher
distance-induced latency, and has low performance with
synchronous writes, mirroring, and parallel read and write
operations
iii. Price—Price for storage space and bandwidth to access the data
must be low
iv. Flexibility—In a multi-tenant cloud, some tenant applications or
activity causes high utilization
v. Underlying Complexity—The underlying storage hardware can be
heterogeneous
vi. Data Security—The data must be encrypted (while at rest and in-
motion) and kept safe
vii. Data Integrity—With ease of access by varied user types, it is
critical to manage data integrity
 Data Security Concerns
• Security Risks—Due to inherent multi-tenancy and ease of
access within a cloud, the data is subjected to various
security risks Some concerns are;
i. Snooping—The access of each tenant should be limited to
his/her own data. A tenant in the cloud should not gain
access to another tenant’s data.
ii. Unauthorized Discovery—Data should be invisible to all
tenants except the owner
iii. Spoofing—Authentication mechanisms must be
implemented to make sure that no cloud tenant can
assume the identity of another tenant
iv. Accidental or Malicious Deletion—No user (except the data
owner) should be able to delete the data belonging to
another tenant
v. Denial-of-service Attacks—Other cloud users should not be
able to launch denial of service attacks on the shared
storage volumes of another customer’s data
Other concerns:
• Quality of Service: The second concern, after
security, is quality of service. Apprehensions
about performance, long response time, and WAN-
induced latency, inhibit many potential customers
from readily accepting cloud services
• Data Availability—The third concern, after security
and quality of service, is data availability. After a
customer starts using cloud services and data,
there are chances of unexpected downtime. There
have been several outages at cloud providers
despite their redundancy and replication
Data Confidentiality and Encryption

• Data confidentiality in the cloud is a way to

protect data or messages from being understood
or used by unintended users or tenants of the
cloud
• Data is encrypted to achieve confidentiality
• There are two phases in the process:
1. a mathematical function is used to convert the
plain text to encrypted cipher. This is the simpler
of the two phases, but the mathematical function
must be complex and sound enough to give a
high degree of protection.
2. The second phase is to enable the authorized
recipients to decipher the ciphertext with ease
• Two types of encryption technique: Asymmetric
and Symmetric
1. Asymmetric Encryption—In asymmetric
encryption, different keys are used for encrypting
and decrypting, such as a public and a private
key
2. Symmetric Encryption: It can be used for at-rest
and in-transit cloud data. It uses a shared secret key
to encrypt as well as decrypt data.
 Key Protection
• The shared secret key can be a string of random letters,
numbers, or a simple word. It is applied to the text to
encrypt the content
• The sender and the recipient are both aware of the key,
they can quickly encrypt and decrypt documents and
messages exchanged between them
• The shared key can be protected by encrypting the key
itself using following steps;
i. The sender uses the recipient’s public key to encrypt
the shared key
ii. The encrypted shared key is sent to the recipient
iii. The recipient uses its own private key to decrypt the
key
• The above process ensures that cloud users who get
unauthorized access to the keys are not able to use the
keys, because the keys are encrypted and can be
decrypted only by the recipient
 Data Availability
• If the user keeps the data confidential and secure, it
must also be available to them whenever they need it
• SLAs with your cloud provider must have data uptime
agreements
• Data or service availability is expressed as a
percentage of uptime in a given year or month
• SLA with the cloud service provider must refer to
monthly allowed downtime
• If the data in the cloud is not accessible, the services
are down. Downtime has a soft and a hard cost,
which are explained as follows:
- Soft Cost—Loss in customer confidence and
employee morale.
- Hard Cost—Loss due to employee productivity and
customer revenue during the outage window
• Common reasons for service outages:
 Data Integrity
• The user needs to reactively detect if the data has been
modified and prevent such occurrences from happening again
• To detect if the data has been modified or tampered with,
users need to have data origin authentication
• Regular backups are important to reactively replace tampered
data
• There are many proactive measures that the cloud provider
can take to ensure data integrity:
- Must control the access to data using mechanisms such as
RBAC (Role based Access Control)
- Must design and implement user interfaces that prevent input
of invalid data
- Must use error detection and correction software when
transmitting data within or outside the cloud
• Solutions to maintain data integrity: Hash functions, MAC
function, Digital signature
 Cloud Storage Gateways
(CSGs)
• To address the performance and security issues in public
clouds, consumer organizations can use CSGs
• CSG is a storage appliance, residing in the customers'
premises and provides data protection by encrypting,
compressing, and archiving data sets before moving the
data to a cloud
• It intercepts all the I/O between the customer datacenter
and all the public clouds
• A hardware appliance with a cache
• A CSG could also be a downloadable software program
that can be installed on a server at the customer location
• CSGs eliminate the issue of vendor lock-in, because they
support various formats and facilitate data backup
• CSG vendor provides credentials for each cloud provider
and call-home features
Figure: CGS
• The call-home features allow the CSG to automatically
report issues, status, problems, and diagnostic reports to
the CSG vendor to enable preventive maintenance or
accelerate problem
• The CSG provides data protection in 4 steps:
i. The CSG cache accelerates I/O rates and enables a
convenient replication procedure
ii. Files that are to-be-copied to the cloud are first stored in
the CSG cache
iii. After a certain pre-set time interval, the cache data is
pushed to the cloud
iv. Data that is read from the cloud is copied to the cache
CSG must provide the following features or benefits:
• Caching Algorithms: The cache in a CSG provides a buffer
of vital data to speed access and reads, instead of having
to reach out to the original servers to read data each time
it is required
• Intelligent Pre-fetching Algorithms: CSG must monitor read
patterns and intelligently pre-fetch data from the cloud to
the cache before the user requests the data
• Caching Time Periods: Some CSGs allow users to setup a
caching time duration
• Synchronous Snapshots: CSG must take a synchronous
snapshot of the user file tree and data. This is an
instantaneous, sub-second picture of the customer’s file
system at a particular instant
• Data Replication Process: CSG must have an efficient data
transfer mechanism. Ideally, it must split files into chunks
• End-to-end Encryption: This protects data from being
read by unauthorized users and hackers. The CSG must
use strong data encryption for the content as well as the
metadata
• Secure Channels: the data in-transit between the CSG
and the cloud is double encrypted; it is encrypted before
it is transmitted and also when it is sent over a Virtual
Private Network (VPN) tunnel to the cloud
• Data Compression: It helps reduce bandwidth and
storage space utilization
• CSG Tuning Parameters: CSG must allow its
administrator to tune certain parameters such as
maximum bandwidth utilization during certain time
periods and cache push intervals
 AWS Storage Gateway
• It is a hybrid cloud storage solution that helps
customers overcome hybrid cloud storage challenges,
and bridge the gap between their on-premises
environments and the cloud
• Storage Gateway enables on-premises applications to
use cloud storage by providing low-latency data access
over standard storage protocols
• A local cache stores your most recently used data on
premises, and the cloud provides scalability in addition
to industry-leading data protection, durability,
availability, security, and performance.
• Designed to be easy to deploy, easy to activate, easy
for your applications to access and provide security
 Cloud Firewall
• A cloud firewall is a network firewall appliance, explicitly
built to work with other cloud-based security solutions
• It serves the same purposes as traditional firewalls, but it
is different from a traditional firewall on the following
three aspects:
1. Scalability—Cloud firewalls are designed to scale as
customer bandwidth increases, or at the least, any
hardware upgrade has to be made transparent to
customers.
2. Availability—Cloud firewall providers offer extremely high
availability through an infrastructure with fully redundant
power and network services, as well as backup strategies
in the event of a site failure
3. Extensibility—Cloud firewalls are available in locations
where the network manager can provide a protected
communications path
 Virtual Firewall
• A VF is a network firewall service running entirely within a
virtualized environment
• Like a physical firewall, it provides the usual packet filtering
and monitoring
• Virtual firewalls provide an easy way to decrease investment
expenses by consolidating multiple logical firewalls onto a
single platform
• Depending on the point of deployment, virtual firewalls can
operate in two different modes namely, bridge mode and
hypervisor mode
• In bridge-mode, the firewall acts like a physical firewall that
works with a physical or virtual switch to intercept network
traffic destined for other network segments
• In hypervisor mode, the firewall service resides in the
virtualization hypervisor, where it can capture, monitor, and
filter all the activities of all the virtual machines and logical
resources
 AAA
Authentication, Authorization
and Accounting

• The key data requirements in a cloud are

confidentiality, integrity, and availability
• The cloud providers and users must make sure
that the login access is well protected
• In the cloud, users have multiple ways to
authenticate and check user identities
• The login credentials must be encrypted with the
Personally Identifiable Information (PII) for security
 AAA Model
• AAA (or triple-a) has traditionally proven to be a battle-
tested model for user-access security
• The login or security server first checks if the login
name and password are legitimate- Authentication
• It then decides the modules of the application or sets
of data that he or she can use or view- Authorization
• The server keeps a log or account of all the resources
utilized and the user activities- Accounting
Fig. Authentication & Authorization by AAA server
 SSO for cloud (Authentication)
• Single Sign-on enables users to access multiple
systems or applications after signing in only once
• When user signs in, the user identity is recognized and
there is no need to sign in again and again to access
• Mechanisms for SSO:
i. SAML token
ii. Kreberos
iii. OTP
 SAML
• Security Assertion Markup Language is XML-based open
standard data format for exchanging security
information
• When user tries to access cloud application, a SAML
request is generated and user is redirected to the
identity provider
• SP parses the SAML request and authenticate user on
cloud
 Kerberos
• It is open authentication protocol
• Uses tickets for authenticating client to a service that
communicate over an un-secure network
• Provides authentication for both client and server
• Client authenticates itself to Authentication server on KDC (Key
distribution center). Sends client ID and remote service to access
• AS checks if client is on database and generates TGS session key.
That will be used by client and remote service for communication.
Session key further encrypted with user password.
• KDC generates ticket i.e. TGT (Ticket granting ticket) includes client
id, client network address, ticket validity period and session key.
Encrypt this ticket with secret TGS key
• Further, KDC sends encrypted session key and TGT to client
• Client decrypt and uses session key
• Client encrypts client ID and current time using session key to
prepare authenticator and sends it to TGS along with TGT
• TGS decrypts TGT using secret key and retrieves session key. TGS
then decrypts the authenticator using session key and uses client ID
and time.
• TGS then sends two piece of data to client- Service secret key and
session key
• After receiving client server ticket and session key from TGS, the
client has enough information to authenticate itself to remote
services
• When client wants to communicate with remote
services,
- Client sends two piece of data- (i) Client-server ticket
encrypted with service’s secret key and (ii) New
authenticator includes client id, timestamp and
encrypted session key
- Remote service decrypts client-server key and
authenticator to get session key
- It responds with timestamp found in client’s
authenticator plus 1, encrypted using session key
- Client will decrypt the message using session key and
confirms timestamp
 One Time Password (OTP)
• It is authentication mechanism
• Uses OTM tokens are useful to prevent replay attacks
• Text messaging is most commonly used communication
for OTP
• Time based OTP generation is a popular
synchronization based algorithm
 Authorization Management in clouds
Authorization refers to specifying the access rights to the
protected res0urces using access policies.
• OAuth:
- Open standard for authorization that allows resource
owners to share their private resources stored on one site
with another site
- OAuth 1.0 protocol was published in 2010 and OAuth 2.0
framework was published in 2012
- In OAuth model, an application requests access to
resources controlled by the resource owner
- The resource owner grants permission to access the
resources in the form of a token and matching shared-
secret
- Token does not share credentials for resources. Tokens can
be granted with a restricted scope and limited lifetime
Figure. OAuth Authorization flow
 Accounting for Clouds Resource Utilization
• Accounting for cloud is the amount of all resources
utilized by a user or an organization within a specific
time period
• Accounting does not allow or deny anything
• The utilization should include:
i. Amount of time the user is logged in and actively
using the applications
ii. Hardware resources used such as processing power,
memory, and storage space
iii. Amount of data transferred, which can be data that
is moved into the cloud, out of the cloud, or between
two storage devices within the cloud
iv. The billing rates could be different, based on the
origin and destination of the data transfer
• Cloud service providers must have a way consumers can
review their daily or weekly utilization or in real-time to
forecast the bill
• There must be a way for a trusted third party to evaluate
and verify the resource utilization and billing
• The administrator must be able to set quotas (maximum
allowed utilization) for each user, application, or
resource
• Payment per billing period must be based on the
following:
i. Reserved Resources—The user or customer may
reserve storage space, CPU, and memory for its use
ii. Utilized Resources—The billing for bandwidth and
application time would be based on actual utilization by
the customer
• Accounting keeps a log of resource consumption such as
the following:
i. Identity of the user
ii. Amount of resource used
iii. Start and end time of use Chapter
iv. Amount of data transferred
v. Length of connection
vi. Purpose of using the resource
vii.Nature of service delivered

• Following are the two types of accounting reports:

i. Real Time Accounting Information: Useful for cloud
users to track usage and predict the bill, expected at the
end of the payment cycle
ii. Batch Accounting Information: Useful for cloud service
providers for billing at the end of each payment cycle.
The data is also used for studying utilization trends and
capacity planning