Computer System Security

(040613601)

Lecture 11 : cloud security

By Assoc. Prof. Benchaphon Limthanmaphon, PhD.

 Topic
 Introduction to Cloud
 Deployment Models
 Service Models
 Distinct Characteristics
 Key Technologies
 Security, Privacy, and Trust Challenges in Cloud Computing
 Security Attacks against Multi-Tenancy
 Security Attacks against Virtualization
 Data Security and Privacy in Cloud
 Lack of Trust among Multiple Stakeholders in Cloud
 Security, Privacy, and Trust Solutions in Cloud Computing
 Logging and Monitoring  Virtual Isolation
 Access Control  Defense against Co-Resident Attacks
 Encryption-Based Security  Establishing Trust in Cloud Computing
Solutions 2
 Introduction to Cloud
 Cloud computing is defined as a service model that enables convenient, on-
demand network access to a large shared pool of configurable computing
resources (eg. Networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or
service provider interaction.
 Features
 Use of internet-based services to support business process
 Rent IT-services on a utility-like basis
 Attributes
 Rapid deployment
 Low startup costs/ capital investments
 Costs based on usage or subscription
 Multi-tenant sharing of services/ resources
 Bring numerous advantages to users including:
 Reduced capital costs
 Easy access to information
 Improved flexibility
 Automatic service integration
 Quick deployment 3
 Introduction to Cloud
 The National Institute of Standards and Technology (NIST) model of
Cloud computing

 Essential characteristics
 On demand self-service
 Ubiquitous (Broad) network access
 Location independent resource pooling
 Rapid elasticity
4
 Measured service
 Deployment Models
 Cloud users have different options to deploy the cloud based on their
budget and security requirements.
 Public Cloud
 Private Cloud
 Community Cloud
 Hybrid Cloud
 Multicloud
 Deployment models provide different ways to trade off cloud user’s
budget and security requirements.

5
 Public Cloud
 available for the general public users through interfaces on web
browsers in a pay-as-you-go manner.
 Cloud Service Provider (CSP) has full ownership of the public cloud’s
policies, value and charging model.
 Ex: Amazon EC2, S3, Google AppEngine, and Force.com.
 Compare to other deployment models
 Public cloud minimizes cloud users’ cost by achieving economies
of scale.
 However, it also leads to more security issues due to the public access
to shared IT resources.

6
 Private Cloud
 provides services for internal usage and is not available to general
public.
 May be managed and operated by the organization itself or a third
party.
 Advantages of a private cloud includes:
 Maximize in-house resources utilization
 Higher security guarantee compared to public clouds
 Full access control over the activities that reside behind the
firewalls.
 Compared to other deployment models, it still generates high costs
due to the on-premises hardware maintenance/upgrade and IT
management.

7
 Community Cloud
 multiple organizations can collaborate with one another and form a
community cloud in order to reduce the cost from operating a private
cloud while still keeping the security control to some extent.
 A community cloud is similar to a private cloud in that it provides
services to a specific community of users, who trust one another and
share the same interests.
 It could be hosted by a third party or within one of the organizations in
the community.
 The community members cooperate on security controls over the cloud
and share the operation costs.
 Provides a balance between user’s budget and security requirements.

8
 Hybrid Cloud
 combines two or more cloud deployment models through standardized
or proprietary technology that enables data and application portability.
 In a hybrid cloud environment, workloads can be moved between the different
cloud environments as needed, depending on factors such as cost, security,
and performance requirements.
 By utilizing a hybrid cloud, organizations are able to outsource their
non-significant, peripheral activities to public clouds for cost-savings
while maintaining those core or sensitive business functions on
premise through private cloud to ensure the security guarantee.
 For example, an organization might use a public cloud for less sensitive
workloads that require elastic scalability, and a private cloud for more
sensitive workloads that require greater control and security. Data and
applications can be moved between the two environments seamlessly,
allowing organizations to take advantage of the benefits of both public
and private cloud computing while minimizing their respective
drawbacks.

9
 Multicloud
 denotes the adoption of multiple cloud computing services in a single
heterogeneous architecture.
 A cloud user may use separate CSPs for infrastructure and software
services or different infrastructure providers for different workloads.
 A multicloud differs from a hybrid cloud in that it refers to multiple cloud
services rather than multiple deployment models.
 Motivations of using a multicloud deployment model:
 Reduce reliance on any single vendor
 Increase flexibility through choice
 Security and governance are more complicated.

10
 Security in Deployment Model
 The least secured model is a multicloud which has the most
complicated security governance scenarios by involving multiple
CSPs.
 The security over a public cloud goes beyond the control of cloud
users. They have to heavily rely on CSPs to provide security
guarantee.
 A private cloud provides the maximum level of security, follows by a
community cloud with consists of only collaborative organizations.
 In a hybrid cloud, users may lose part of their security controls by
outsourcing their non-significant data/tasks to a public cloud.

11
Cloud Reference Model
 provides a fundamental
reference point for the
development of cloud
computing
 for the software
architects, software
engineers, security
experts and businesses

12
 Service Models
 Software as a Service (SaaS) - On demand software
 A software delivery model that provides software services to cloud users
remotely as an Internet-based service.
 Key features : central management on software upgrades and patches,
web access from users
 Platform as a Service (PaaS)
 Provides cloud users with an application development environment,
includes operating system, programming-language execution
environment, databases and web servers.
 Key features:
 Services for quick, easy, and cost-effective application development,
testing and deployment
 Allowance of multiple concurrent users of the same development
application
 Support for development team collaboration
 Ex: Apprenda, Microsoft Azure, Google Compute Engine (GCE), and
Salesforce Heroku. 13
 Service Models
 Infrastructure as a Service (IaaS)
 Provides cloud users with fundamental IT resources, eg. servers,
storage, networks, and operating systems, as an on-demand service.
 Cloud users will be assigned one or multiple virtual machines (VMs)
over which they have full control.
 A virtualization software on top of the cloud physical infrastructure,
named hypervisor, hosts VMs owned by one or multiple cloud users as
guests and abstracts cloud users from the infrastructure details (eg.
management of physical servers, resource sharing and scaling, backup,
security, and so on)
 Popular hypervisors: Xen, VMware ESX/ESXi, KVM, Hyper-V
 Key features:
 Distribution of resources as a service
 Dynamic scaling of resources
 Resource sharing among multiple users
 Ex: Amazon Web Service (AWS) and Cisco Metapod
14
 Service Models
 Infrastructure as a Service (IaaS) cont.
 Compared to other service models, IaaS provides cloud users with more
controls, which allows capable users to further enhance their security
levels.
 Also grants cloud users more privilege and thus open more
opportunities for malicious users to exploit hypervisor vulnerabilities and
to penetrate the virtual isolation among different cloud users

15
 Impact of cloud computing on the
governance structure of IT organizations

16
 Distinct Characteristics
These characteristics distinguish cloud computing from conventional Internet-
based services which can serve as a basis to analyze security, privacy, and
trust challenges in the cloud environment.
 Broad-Based Network Access
 Indicates that cloud computing resources can be easily accessed by
cloud users over the Internet.
 It also provides a much larger attack surface by introducing a dynamic
series of access points that have a variety of security postures.
 Resource Pooling
 Indicates the joining of IT resources from a variety of locations and
shared among multiple customers or tenants to improve resource
utilization and reduce operation costs.
 Various security, privacy, and trust challenges are raised due to
imperfect isolation
 Risk of having untrustworthy tenants reside in the same physical
hardware
17
 Distinct Characteristics
 Rapid Elasticity
 Allows a user to upgrade or degrade the cloud services at run time in
order to promote scalability.
 The constantly changing allocation of resources among disparate
users dynamically increase the risk of resource compromises.
 If an attacker manages to hijack a resource and run malicious
code, the compromised resource could be assigned to multiple
users before its abnormal behavior is identified.
 This service injection attack could allow attackers to steal
confidential information or data from victim.

18
 Distinct Characteristics
 Pay-as-you-go services
 Allows a user to scale, customize, and provision computing
resources, including software, storage, and development platforms,
so that cloud users are billed according to their actual usage of these
resources.
 This metering information has become a potential vulnerability that
can be manipulated by attackers.
 A theft of service attack presents a greater threat to the cloud, and it
specifically targets the measured service feature.
 This attack is made possible by the scheduling vulnerabilities of
the hypervisors.
 The attacker is able to consume cloud resources without the
knowledge of the CSP and avoid the billing charges.

19
 Key Technologies
Diverse technologies have been developed in cloud computing
scenarios to provide high quality and cost-efficient solutions for cloud
users.
 Multi-tenancy
 Multiple tenants on the same physical hardware to reduce costs of
the user by leveraging economics of scale
 In SaaS, multiple tenants have their applications share a single
instance of object code
 In PaaS, each tenant may have various layers of their hosted
solution, such as business logic, data access logic and storage, or
presentation logic, hosted across multiple physical servers
 In IaaS, the hosted environment for each tenant is partitioned and
controlled by a single instance of hypervisor and virtualization
software.

20
 Key Technologies
 Virtualization
 Refer to the logical abstraction of computing resources from
physical constraints eg. virtual machine
 Can be implemented at different layers: hardware, software
network and desktop virtualization.
 Virtualization at multiple layers may be integrated to flexibly
provide services based on user’s requirements
 In a virtualized environment, computing resources can be
dynamically created, expanded, shrunk, or moved according to
users’ demands, which greatly improves agility, and flexibility,
reduces costs, and enhances business values for cloud
computing.

21
 Key Technologies
 Distributed Data Storage
 The cloud stores a users’ data in a logical storage pool which may
physically span multiple geographically distributed data centers.
 High data reliability is achieved by backing up data using
redundant storage at different places around the globe.
 Cloud Federation
 Is the practice of interconnecting the cloud computing resources
from multiple cloud service providers.

22
 Causes of Problems Associated
with Cloud Computing
 Most security problems stem from:
 Loss of control
 Lack of trust (mechanisms)
 Multi-tenancy

 These problems exist mainly in 3rd party management models

 Self-managed clouds still have security issues, but not related to
above

23
 Security Attacks against Multi-Tenancy
 hosting multiple tenants with heterogeneous security settings and diverse
behaviors on the same physical or logical platform.
 Uncoordinated security controls among disparate tenants
 Security policies made by different tenants may disagree or conflict
with one another.
 Such disagreement or conflict could introduce threats to tenants’
needs, interests, or concerns.
 The tenant with fewer security controls or misconfigurations is easier
to compromise, which may later server as a stepping stone to the
more secured tenants located in the same host.
 Attacks against general co-residents
 Adversaries taking advantage of the co-residency opportunities may
launch diverse attacks against their co-residents.
 This attack usually does not target specific tenants in the cloud
 Attacker’s goal is to exhaust shared resources in the system, other
tenants are not able to consume the cloud services. 24
 Security Attacks against Multi-Tenancy
 Attacks against target co-residents
 Attackers may manage to place their malicious tenants in the same
physical device that hosts the target tenant and then launch attacks
against it.
 3 Steps of running this type of attack:
 Determine the location of the target tenant through network probing
 Use tools such as nmap, hping, and wget
 Place a malicious tenant on the same host as the targeted tenant.
 By taking advantage of the CSP’s placement locality, an
instance flooding strategy, where the attacker launches as many
tenants in parallel as possible, has successfully achieved co-
residency with a specific target tenant.
 Attack the target tenant. With the success of the first two steps,
attackers are able to place malicious tenants at the same physical
servers as the target tenant.
25
 Security Attacks against Virtualization

 Physical vulnerabilities
 Vulnerabilities in the physical infrastructure still threaten the virtual
environment.
 On the other hand, the virtualized environment will be exposed to
threats if the underlying physical infrastructure has been
compromised.
 New access context
 Virtualization brings new challenges to user authentication,
authorization, and accounting in terms of properly defining roles
and policies.
 The lack of security border and isolation introduces the possibility
of information leakage.

26
 Security Attacks against Virtualization

 Attacks against hypervisor

 The hypervisor that manages multiple VMs becomes the target of
attacks.
 Ex. If an attacker gains access over the hypervisor, he or she is
able to manipulate the network traffic, configuration files, and the
connection status of the VMs located on top of the hypervisor.
 Attacks against VMs
 Diverse attacks can be launched against virtual machines.
 Ex. VM hijacking

27
 Data Security and Privacy in Cloud

 Data loss and data breach

 The distributed storage for multiple data copies may increase
risks of data breaches and inconsistency.
 Cheap data and data analysis
 The rapid development of cloud computing has facilitated the
generation of big data, leading to cheap data collections and
analysis.
 Data storage and transmission under multiple regional regulations
 Due to the distributed infrastructure of the cloud, cloud user’s data
may be stored on data centers geographically located in multiple
legal jurisdictions, leading to cloud user’s concerns about the
legal reach of local regulations on data stored out of region.
 Ex: data privacy law are not the same for every country.

28
Lack of Trust among Multiple Stakeholders
in Cloud
 Cloud users’ trust on CSPs
 Trust establishment process relies on the development of technology,
people’s changing mindset, and transparency between cloud users
and service providers.
 CSP’s trust in cloud users – this problem has been neglected for several
reasons:
 Cloud service provider’s potential loss caused by malicious users is
often underestimated
 Cloud’s open nature and the economies of scale feature drive CSPs
to attract more cloud users, as long as they honestly pay for their
resource consumption.
 Evaluating users’ trustworthiness by tracking and analyzing their
behaviors in not trivial and usually leads to extra resource
consumption and management costs.

29
Lack of Trust among Multiple Stakeholders
in Cloud
 Trust in other parties
 For a multicloud model may be deployed where multiple CSPs
work together to provide services for a cloud user’s different
workloads.
 The Cloud user’s overall security guarantee has to rely on the
collaborations from multiple CSPs.
 Third parties (such as audit, authentication, encryption) are
proposed to facilitate trust development between cloud users and
CSPs through recommendations.

30
 Security, Privacy, and Trust Solutions
in Cloud Computing
 Logging and Monitoring
 Access Control
 Encryption-Based Security Solutions
 Virtual Isolation
 Defense against Co-Resident Attacks
 Establishing Trust in Cloud Computing

31
 Logging and Monitoring
 Collect ample evidence of user behaviors as well as system status to
assist anomaly detection.
 User behavior monitoring
 All users are assigned a security label based on prior activities,
and additional surveillance is given to those with previous security
violations.
 Any abnormalities will result in denied permission and immediate
altering.
 Machine learning techniques can be applied to identify malicious
users.
 System status monitoring
 Anomaly detection should be based on the effects on the system
caused by malicious events rather than on the behavior of
individual users.
32
 Access Control
 Cloud computing has introduced new access context which significantly
increases the risks of fraudulent users obtaining unauthorized access to
data and services.
 Access control, consisting of authentication, authorization, and
accountability, is the way of ensuring that the access is provided only to
the authorized users and hence the data is stored in a secure manner.
 Advanced access control techniques:
 Role-based multi-tenancy access control – applies identity
management to determine the user’s identity and applicable roles, is
designed to efficiently manage a user’s access privilege to achieve
application independence and data isolation.
 Access policies based on data attributes – allow the data owner to
delegate most of the computation tasks involved in fine-grained data
access control to untrusted cloud servers without disclosing the
underlying data contents.
 Physical measures are proposed to ensure the access control to the
hypervisor or VMs. Ex. Hardware token possessed by the
33
administrator in order to launch the hypervisor.
 Encryption-Based Security Solutions
 Encryption is still one of the major solutions to address data
confidentiality, integrity, and privacy issues in cloud computing.
 Critical question: which party should encrypt the data and manage the
encryption keys.
 Cloud users can simply rely entirely on CSP for their encryption needs.
Ex.
 Amazon Simple Storage Service (S3) encrypts user’s data by default.
 Cloud users lose control over ensuring the confidentiality of their
data since CSP has full access to the data.
 Even if the CSP does not intend to do any harm to the cloud
user’s data, there is still a risk associated with malicious insiders.
 To prevent this possibility, a ciphertext policy-attribute-based
encryption (CP-ABE) can be used to achieve a fine-grained data
access control by enabling cloud users to define their own access
policies over the data encrypted by CSP.

34
 Encryption-Based Security Solutions
 ciphertext policy-attribute-based encryption (CP-ABE)
 Specifically, cloud users can grant differential access rights to
different parties according to their attributes.
 Such access rights will be used to generate private keys for each
party.
 Only a party with a set of attributes satisfying the access policy of the
encrypted data can decrypt the ciphertext and obtain the data.
 It does not rely on CSPs for preventing unauthorized data access.

35
 Encryption-Based Security Solutions
 To avoid the full access of data from CSP, cloud users can choose their
own encryption method, encrypt their data and store in the cloud.
 Challenge: How CSPs can provide data services to cloud users,
such as search, insertion and deletions, while not decrypting their
data.
 Homomorphic encryption is useful in this scenario
 Allows CSPs to manage users’ data by providing services such
as searches, correctness verification, and error localization
without having to decrypt it.
 CryptDB has been proposed to prevent a curious DBA from learning
private data.
 Use key technique involves in an SQL-aware encryption strategy
– executes SQL queries over encrypted data.

36
 Encryption-Based Security Solutions
 If cloud users choose to do the encryption by themselves, they have to be
responsible for the heavy computation introduced by encryption algorithms.
 The quality of encryption algorithms arbitrarily chosen by individual
cloud users could be questionable.
 More Problems – cloud users lose their encryption keys or the key has
been stolen by an attacker who compromises their workstations.
 Last approach, A trusted third-party organization to be in charge of
encryption and managing the encryption keys.
 Solves some security problems (lost key, or weak encryption
algorithms), but cloud users still face the possibilities of losing privacy
and confidentiality since the third-party encryption service still has full
access to their data.
 Newly emerging cloud encryption methods in term of key management –
they do not allow any one party to take full ownership of an encryption key.
 Key is divided into pieces, each of which is kept by a cloud user, a CSP,
and a third-party data encryption service.
37
 Virtual Isolation
 To keep the benefits generated by resource sharing among different cloud
users, while addressing security issues caused by it, much research
focuses on enhancing virtual isolation.
 Aims to provide a certain level of isolation among tenants’ data,
computing, and application processes.
 Can be implemented in different levels of cloud
 Hardware level – eg. allocating memory bandwidth and processor
cache
 Isolation can also be facilitated by utilizing hypervisors or virtual
machine monitor (VMM), a piece of computer software, firmware, or
hardware that creates and runs virtual machine.
 Some software level resource management mechanisms are
proposed to perform isolation for cache, disk, memory bandwidth and
network.
 Security models are established to ensure isolation.
 Ex: tenant-ID is introduced on the data-link layer to securely
segment, isolate, and identify tenants and their assets in the cloud.38
 Defense against Co-Resident Attacks

 Classify into two categories

 First schemes - Aim at detecting malicious residents by analyzing
their unique behavior patterns
 Second category do not explicitly differentiate malicious residents
from normal ones. Treat all residents a potential attackers and
provide more general solutions.
 Such as increasing the difficulties of achieving or verifying co-
residence, obfuscating side channel information, or running VMs
at isolated physical servers.

39
 Establishing Trust in Cloud Computing
 Establishing cloud users’ trust on CSPs - Typical trust evaluation relies on
three steps:
 Determine the evaluation criteria – related with several factors
including data location, allowance of investigation, data segregation,
availability, long-term viability, regulatory compliance, backup and
recovery, and privileged user access.
 Collecting evidence about CSPs’ behavior – can be collected through
CSPs’ self-assessment, third-party auditing, and cloud users’ own
experience.
 Deriving trust aggregation algorithm. – diverse trust models have been
proposed to evaluate the trustworthiness of CSP.
 Ensuring the trustworthiness of cloud computing resources, such as
hardware, software, applications and so on
 Evaluating the trustworthiness of cloud users
 Ex. Collect evidence about users’ behavior, and propose an analytic
hierarchy process (AHP) based trust model to calculate user trust.
 Trust evaluation on other parties or entities.
 Trust models are developed to evaluate other parties
40