
Adapted from slides by Keke Chen

Reference book: Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice), Tim Mather et al. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765

Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou. 2010. Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the 29th conference on Information communications (INFOCOM'10). IEEE Press, Piscataway, NJ, USA, 534-542. http://www.ece.iit.edu/~ubisec/cloud/papers/INFOCOM10-sharing.pdf

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen and Timothy Grance, NIST, January 2011. http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

What makes Cloud Security different from Normal Cyber Security Systems?

Infrastructure: IaaS, PaaS, and SaaS
Focus on public clouds
No special security problems with private clouds: traditional security problems only
Different levels: network level, host level, application level
Confidentiality and integrity of data-in-transit
Amazon had security bugs with the digital signature on SimpleDB, EC2, and SQS accesses (in 2008)
Little or no system logging/monitoring
Only the cloud provider has this capability; thus, it is difficult to trace attacks
Reassigned IP addresses expose services unexpectedly
Spammers using EC2 are difficult to identify
Availability of cloud resources: some factors, such as DNS, are controlled by the cloud provider
Physically separated tiers become logically separated, e.g., 3-tier web applications


Private Cloud Network Security
Hypervisor security: zero-day vulnerability in a VM if the attacker controls the hypervisor

Virtual machine security
SSH private keys (if the file mode is not set appropriately)
VM images (especially private VMs)
Vulnerable services
SaaS application security
Example: in one incident, Google Docs access control failed and all users could access all documents

What are the issues?
How does a Cloud make things worse?
What techniques should be used?
Data-in-transit
Data-at-rest
Processing of data, including multitenancy
Data lineage
Data provenance
Data remanence

Data-in-transit: confidentiality and integrity
Data-at-rest and processing of data
Possibly encrypted for static storage
Cannot be encrypted for most PaaS and SaaS (such as Google Apps): encryption prevents indexing or searching
Research on indexing/searching encrypted data
Fully homomorphic encryption?


Data lineage. Definition: tracking and managing data, for audit or compliance purposes
Data flow or data path visualization
E.g., data transferred to AWS on date x1 at time y1 and stored in a bucket on S3, example.s3.amazonaws.com; then processed on date x2 at time y2 on EC2 at ec2-67-202-51-223.compute-1.amazonaws.com; then stored in another bucket, example2.s3.amazonaws.com; then brought back locally on date x3 at time y3
Time-consuming process even for an in-house data center
Not possible for a public cloud
Data provenance: origin/ownership of data
Verify the authority of data
Trace the responsibility, e.g., financial and medical data
Difficult to prove data provenance in a cloud computing scenario
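The lineage and provenance points above are about recording a data path and being able to verify that the record is authentic. The following added example (not from the original slides or the cited book) builds the slide's example path as a hash-chained log where each record commits to its predecessor and carries an HMAC under an audit key that only the data owner holds; a later edit to any record, such as changing where the data was processed, breaks verification. The audit key, the event format and the on-premises endpoints are assumptions; the S3 and EC2 hostnames and the x1/y1 placeholders are the slide's own.

```python
import copy
import hashlib
import hmac
import json

# Assumed: the data owner holds this key; the cloud provider does not.
AUDIT_KEY = b"owner-audit-key (constructed, not a real key)"

# Constructed events tracing the slide's example data path; the dates and
# times x1/y1 ... x3/y3 are the slide's own placeholders.
EVENTS = [
    {"date": "x1", "time": "y1", "action": "transfer",
     "src": "on-premises", "dst": "example.s3.amazonaws.com"},
    {"date": "x2", "time": "y2", "action": "process",
     "src": "example.s3.amazonaws.com",
     "dst": "ec2-67-202-51-223.compute-1.amazonaws.com"},
    {"date": "x2", "time": "y2", "action": "store",
     "src": "ec2-67-202-51-223.compute-1.amazonaws.com",
     "dst": "example2.s3.amazonaws.com"},
    {"date": "x3", "time": "y3", "action": "transfer",
     "src": "example2.s3.amazonaws.com", "dst": "on-premises"},
]

GENESIS = "0" * 64


def _digest(prev: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def append_event(chain: list, event: dict) -> list:
    """Append one lineage record linked to the previous record's digest
    and tagged with an HMAC under the owner's audit key."""
    prev = chain[-1]["digest"] if chain else GENESIS
    digest = _digest(prev, event)
    tag = hmac.new(AUDIT_KEY, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev, "digest": digest, "tag": tag})
    return chain


def build_chain(events: list) -> list:
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain


def verify_chain(chain: list) -> bool:
    """True only if every link points at its predecessor, every digest
    matches its event, and every HMAC tag was made with AUDIT_KEY."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev:
            return False
        if rec["digest"] != _digest(prev, rec["event"]):
            return False
        expected = hmac.new(AUDIT_KEY, rec["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False
        prev = rec["digest"]
    return True


def data_path(chain: list) -> list:
    """The sequence of locations the data passed through (the lineage)."""
    path = [chain[0]["event"]["src"]] if chain else []
    path += [rec["event"]["dst"] for rec in chain]
    return path


def tampered_copy(chain: list) -> list:
    """Constructed tampering: rewrite where the data was processed."""
    bad = copy.deepcopy(chain)
    bad[1]["event"]["dst"] = "unknown-host.example"
    return bad


if __name__ == "__main__":
    chain = build_chain(EVENTS)
    print(" -> ".join(data_path(chain)))
    print("intact:", verify_chain(chain), "tampered:", verify_chain(tampered_copy(chain)))
```

The chain only proves that the records were not altered after the owner wrote them; it does not make the provider's own logs trustworthy, which is exactly the gap the slide points at for public clouds, where the owner cannot observe the S3 and EC2 hops directly and must rely on provider-supplied records to write them.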
Data remanence: data left intact by a nominal delete operation
In many DBMSs and file systems, data is deleted by flagging it
Leads to possible disclosure of sensitive information
Department of Defense: the National Industrial Security Program Operating Manual defines data clearing and sanitization
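To make the remanence point concrete, here is an added example (not from the original slides) of a toy record store that deletes by flagging, the way the slide says many DBMSs and file systems do. A bytearray stands in for the disk; after a nominal delete the record is unreadable through the API but its bytes are still there for anyone who can read the raw storage, whereas the clearing variant overwrites the payload first. The store layout, the sample record and the method names are all constructed for this illustration.

```python
# Toy record store that deletes by flagging: a bytearray stands in for the
# disk, and "delete" only flips the record's live flag. Constructed example.
LIVE, DEAD = 0x01, 0x00
HEADER = 5  # 1-byte live flag + 4-byte payload length


class FlagDeleteStore:
    def __init__(self):
        self.disk = bytearray()
        self.index = {}          # key -> (offset, payload length)

    def put(self, key: str, value: bytes) -> None:
        off = len(self.disk)
        self.disk += bytes([LIVE]) + len(value).to_bytes(4, "big") + value
        self.index[key] = (off, len(value))

    def get(self, key: str) -> bytes:
        off, n = self.index[key]
        if self.disk[off] != LIVE:
            raise KeyError(key)  # logically gone, physically still present
        return bytes(self.disk[off + HEADER:off + HEADER + n])

    def delete(self, key: str) -> None:
        """Nominal delete: flag the record, leave its bytes in place."""
        off, _ = self.index[key]
        self.disk[off] = DEAD

    def sanitize(self, key: str) -> None:
        """Clearing: overwrite the payload, then flag it deleted."""
        off, n = self.index[key]
        self.disk[off + HEADER:off + HEADER + n] = bytes(n)
        self.delete(key)


def remnant_present(store: FlagDeleteStore, pattern: bytes) -> bool:
    """What a raw-storage scan (or the next tenant of the block) would find."""
    return pattern in bytes(store.disk)


def demo() -> tuple:
    """Returns (found_after_flag_delete, found_after_sanitize, other_record_intact)."""
    secret = b"SSN=123-45-6789"         # constructed sensitive record
    s = FlagDeleteStore()
    s.put("patient", secret)
    s.put("note", b"public notice")
    s.delete("patient")
    after_flag = remnant_present(s, secret)     # True: bytes survive the delete
    s.sanitize("patient")
    after_scrub = remnant_present(s, secret)    # False: payload overwritten
    return after_flag, after_scrub, s.get("note") == b"public notice"


if __name__ == "__main__":
    print(demo())
```

In a public cloud the tenant usually has no access to the raw storage at all, so the overwrite has to be done (and attested) by the provider; the only control left to the tenant is to keep the data encrypted at rest and treat key destruction as the delete.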
The provider collects a huge amount of security-related data, possibly related to service users
If not managed well, it is a big threat to users' security
What kinds of protocols and techniques are
needed/used?
Traditional trust boundary reinforced by network control: VPN, intrusion detection, intrusion prevention
Loss of network control in cloud computing: have to rely on higher-level software controls
Application security
User access controls: IAM
IAM components
Authentication
Authorization
Auditing
IAM processes
User management
Authentication management
Authorization management
Access management (access control)
Propagation of identity to resources
Monitoring and auditing

Avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience: SAML (Security Assertion Markup Language). http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf

Automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning: SPML (Service Provisioning Markup Language). http://www.oasis-open.org/standards#spmlv2.0

Provision user accounts with appropriate privileges and manage entitlements: XACML (eXtensible Access Control Markup Language).

Authorize cloud service X to access my data in cloud service Y without disclosing credentials: OAuth (open authorization).
ACS: Assertion Consumer Service

SSO: single sign-on

PEP: policy enforcement point (application interface)
PDP: policy decision point
OpenID
Information Cards
Open Authentication (OATH)

Issues for OpenID
Phishing: a malicious relying party forwards the end user to a bogus identity provider authentication page
Allows sniffing of the certificate and replay


Difference: OpenID versus OAuth (thanks to Wikipedia)
Dealing with heterogeneous, dynamic, loosely coupled trust relationships
Enabling login once, access different systems within the trust boundary
Single sign-on (SSO)
Centralized access control services
Yahoo! OpenID
Traditional methods not effective in clouds
They assume the data owner and the servers storing the data are in the same trusted domain, with the servers responsible for enforcing access control policies
Not valid in clouds, since the data owner and cloud servers are in different domains: the data resources are not physically under the full control of the owner, or of any single cloud server
Apply cryptographic methods: encrypt data and disclose keys to authorized users
Encrypt each file using public key components corresponding to its access attributes
Disclose data decryption keys only to authorized users
Problems with existing solutions
Heavy computation overhead on the data owner for key distribution and data management
Per-file access control lists (ACLs) are not scalable
File groups are still coarse-grained
Fine-grained + scalable + confidential access control: open challenge
An extremely challenging issue: implementing user revocation
Requires re-encryption of data files accessible to the leaving user
May need an update of secret keys for all the remaining users

Services for data security and access control for data on cloud servers
Define and enforce access policies based on data attributes
Delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data
Data owners delegate data re-encryption and user secret key update to cloud servers without disclosing data contents or user access privilege information
Key-Policy Attribute-Based Encryption (KP-ABE): a public key cryptography primitive for one-to-many communications
Proxy Re-Encryption (PRE): a cryptographic primitive in which a semi-trusted proxy is able to convert a ciphertext encrypted under Alice's public key into another ciphertext that can be opened by Bob's private key, without seeing the underlying plaintext
Lazy re-encryption

Associate each file with a set of attributes
Assign each user an access structure defined over these attributes
Use KP-ABE to escort the data encryption keys of files
Heavy computation overhead: online burden on the owner, who is in charge of all the operations of data/user management
User revocation: the owner should re-encrypt all the files accessible to that user
Combine PRE with KP-ABE: delegate computation-intensive operations to Cloud Servers without disclosing the underlying file contents
Confidentiality: Cloud Servers are not able to learn the plaintext of files
Lazy re-encryption technique: Cloud Servers aggregate computation tasks
Computation complexity on Cloud Servers is proportional to the number of system attributes, or linear in the size of the user access structure/tree, and independent of the number of users in the system
Scalability is thus achieved
Combine proxy re-encryption with KP-ABE and delegate most of the computational task to Cloud Servers
Cloud Servers keep a partial copy of each user's secret key, i.e., secret key components of all but one (dummy) attribute
When the data owner redefines attributes to revoke a user, he also generates corresponding proxy re-encryption keys and sends them to Cloud Servers
Cloud Servers, given these proxy re-encryption keys, can update user secret key components and re-encrypt files accordingly without knowing the underlying files
Use lazy re-encryption and enable Cloud Servers to aggregate multiple successive secret key update / file re-encryption operations into one, statistically saving the computation overhead
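The revocation cost argument above, from the naive owner-side re-encryption of every file the leaving user could reach through to lazy re-encryption folding several successive attribute updates into one pass, is easiest to see by counting operations. The following added example (not code from the Yu et al. paper or the slides) models exactly that accounting: files are labelled with attributes, a revocation bumps the version of every attribute in the revoked user's access structure, and a file's data key is bound to the current versions of its attributes. In eager mode every affected file is re-encrypted at each revocation; in lazy mode a file is re-encrypted only when next accessed, and one pass covers however many versions changed in between. What is not modelled is the cryptography: the toy store holds the owner's master secret and decrypts to re-encrypt, whereas the real scheme gives the Cloud Servers proxy re-encryption keys so they never see plaintext. The file names, attributes, master secret and the SHA-256 counter-mode toy cipher are all constructed for this illustration.

```python
import hashlib

# Constructed sample. The owner's master secret stands in for the KP-ABE
# master key plus the proxy re-encryption keys a real deployment would hand
# to the cloud servers; only the scheduling of re-encryptions is modelled.
MASTER_SECRET = b"owner-master-secret (constructed)"
PLAINTEXTS = {
    "report.pdf": b"Q3 revenue numbers",
    "xray.dcm":   b"patient 42 image",
    "budget.xls": b"2011 budget draft",
    "notes.txt":  b"meeting minutes",
}
# Each file carries a set of attributes, as in KP-ABE.
FILE_ATTRS = {
    "report.pdf": {"finance", "2010"},
    "xray.dcm":   {"medical", "2010"},
    "budget.xls": {"finance", "internal"},
    "notes.txt":  {"internal"},
}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def file_key(name: str, snapshot: dict) -> bytes:
    """Data key bound to the version of every attribute the file carries;
    bumping any one attribute version changes the key."""
    tag = ";".join(f"{a}={v}" for a, v in sorted(snapshot.items()))
    return hashlib.sha256(MASTER_SECRET + name.encode() + tag.encode()).digest()


class Store:
    def __init__(self, lazy: bool):
        self.lazy = lazy
        self.version = {a: 0 for attrs in FILE_ATTRS.values() for a in attrs}
        self.reencryptions = 0
        self.blobs = {}   # name -> (ciphertext, attribute-version snapshot)
        for name, pt in PLAINTEXTS.items():
            snap = {a: 0 for a in FILE_ATTRS[name]}
            self.blobs[name] = (keystream_xor(file_key(name, snap), pt), snap)

    def _reencrypt(self, name: str) -> None:
        ct, old = self.blobs[name]
        new = {a: self.version[a] for a in FILE_ATTRS[name]}
        if new == old:
            return                      # already current, nothing to do
        pt = keystream_xor(file_key(name, old), ct)
        self.blobs[name] = (keystream_xor(file_key(name, new), pt), new)
        self.reencryptions += 1         # one pass, however many versions changed

    def revoke(self, user_attrs: set) -> None:
        """Owner redefines (bumps) every attribute in the leaving user's
        access structure. Eager mode re-encrypts affected files at once."""
        for a in user_attrs:
            self.version[a] += 1
        if not self.lazy:
            for name, attrs in FILE_ATTRS.items():
                if attrs & user_attrs:
                    self._reencrypt(name)

    def read(self, name: str) -> bytes:
        """Lazy mode folds all pending attribute updates into a single
        re-encryption at the next access."""
        if self.lazy:
            self._reencrypt(name)
        ct, snap = self.blobs[name]
        return keystream_xor(file_key(name, snap), ct)


def count_reencryptions(lazy: bool, revocations: list, reads: list) -> int:
    """Number of file re-encryptions caused by a revocation/access sequence."""
    s = Store(lazy)
    for attrs in revocations:
        s.revoke(attrs)
    for name in reads:
        s.read(name)
    return s.reencryptions


if __name__ == "__main__":
    revs = [{"finance"}, {"2010"}, {"internal"}]
    print("eager:", count_reencryptions(False, revs, ["report.pdf"]))  # 6
    print("lazy: ", count_reencryptions(True, revs, ["report.pdf"]))   # 1
```

With three revocations and one subsequent read, eager mode performs six re-encryptions (two per revocation, since each bumped attribute is shared by two files) while lazy mode performs one, and the work done depends on how many attributes changed and which files are touched, not on how many users the system has.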
Ch 6-10 in book
More on SaaS, PaaS, IaaS availability management
Privacy
Audit and compliance
Security as a cloud service
Security monitoring (papers by Professor Campbell, Mirko Montanari)
Practical intrusion detection system (IDS results), Ravi Iyer
