Security in Cloud Computing

Cloud Computing Basics

• Three Types
  • Infrastructure as a Service (IaaS)
    • Provides virtualized computing resources
    • Third party hosts the servers with hypervisor running the VMs as guests
    • Subscribers usually pay on a per-use basis
  • Platform as a Service (Paas)
    • Geared towards software development
    • Hardware and software hosted by provider
    • Provides ability to develop without having to worry about hardware or software
  • Software as a Service (SaaS)
    • Provider supplies on-demand applications to subscribers
    • Offloads the need for patch management, compatability and version control
• Deployment Models
  • Public Cloud - services provided over a network that is open for public to use
  • Private Cloud - cloud solely for use by one tenant; usually done in larger organizations
  • Community Cloud - cloud shared by several organizations, but not open to public
  • Hybrid Cloud - a composition of two or more cloud deployment models
• NIST Cloud Architecture
  • Cloud Carrier - organization with responsibility of transferring data; akin to power distributor for electric grid
  • Cloud Consumer - aquires and uses cloud products and services
  • Cloud Provider - purveyor of products and services
  • Cloud Broker - manages use, performance and delivery of services as well as relationships betwen providers and subscribers
  • Cloud Auditor - independent assor of cloud service an security controls
• FedRAMP - regulatory effort regarding cloud computing
• PCI DSS - deals with debit and credit cards, but also has a cloud SIG

Cloud Security

• Problem with cloud security is what you are allowed to test and what should you test
• Another concern is with a hypervisor, if the hypervisor is compromised, all hosts on that hypervisor are as well
• Trusted Computing Model - attempts to resolve computer security problems through hardware enhancements
  • Roots of Trust (RoT) - set of functions within TCM that are always trusted by the OS
• Tools
  • CloudInspect - pen-testing application for AWS EC2 users
  • CloudPassage Halo - instant visibility and continuous protection for servers in any cloud
  • Dell Cloud Manager
  • Qualys Cloud Suite
  • Trend Micro’s Instant-On Cloud Security
  • Panda Cloud Office Protection

Threats and Attacks

• Data Breach or Loss - biggest threat; includes malicious theft, erasure or modification
• Shadow IT - IT systems or solutions that are developed to handle an issue but aren’t taken through proper approval chain
• Abuse of Cloud Resources - another high threat (usually applies to Iaas and PaaS)
• Insecure Interfaces and APIs - cloud services can’t function without them, but need to make sure they are secure
• Service Oriented Architecture - API that makes it easier for application components to cooperate and exchange information
• Insufficient due diligence - moving an application without knowing the security differences
• Shared technology issues - multitenant environments that don’t provide proper isolation
• Unknown risk profiles - subscribers simply don’t know what security provisions are made int he background
• Others include malicious insiders, inadequate design and DDoS
• Wrapping Attack - SOAP message intercepted and data in envelope is changed and sent/replayed
• Session riding - CSRF under a different name; deals with cloud services instead of traditional data centers
• Side Channel Attack - using an existing VM on the same physical host to attack another
  • This is more broadly defined as using something other than the direct interface to attack a system