Reference book: Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice), Tim Mather et al. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765

Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou. 2010. Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the 29th conference on Information communications (INFOCOM'10). IEEE Press, Piscataway, NJ, USA, 534-542. http://www.ece.iit.edu/~ubisec/cloud/papers/INFOCOM10-sharing.pdf

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen and Timothy Grance, NIST, January 2011. http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
What makes Cloud Security different from Normal Cyber Security Systems?
Infrastructure: IaaS, PaaS, and SaaS
Focus on public clouds
- No special security problems with private clouds; traditional security problems only
Different levels:
- Network level
- Host level
- Application level

Network level
- Confidentiality and integrity of data-in-transit: Amazon had security bugs with the digital signature on SimpleDB, EC2, and SQS accesses (in 2008)
- Less or no system logging/monitoring: only the cloud provider has this capability, thus it is difficult to trace attacks
- Reassigned IP addresses expose services unexpectedly; spammers using EC2 are difficult to identify
- Availability of cloud resources: some factors, such as DNS, are controlled by the cloud provider
- Physically separated tiers become logically separated, e.g., 3-tier web applications

Host level
- Private cloud network security
- Hypervisor security: a zero-day vulnerability in a VM matters most if the attacker controls the hypervisor
- Virtual machine security: SSH private keys (if the file mode is not appropriately set), VM images (especially private VMs), vulnerable services

Application level
- SaaS application security. Example: in an accident, Google Docs access control failed and all users could access all documents
Data security
What are the issues? How does a cloud make things worse? What techniques should be used?
- Data-in-transit
- Data-at-rest
- Processing of data, including multitenancy
- Data lineage
- Data provenance
- Data remanence

Data-in-transit
- Confidentiality and integrity
Data-at-rest and processing of data
- Possibly encrypted for static storage
- Cannot be encrypted for most PaaS and SaaS (such as Google Apps): encryption prevents indexing or searching
- Research on indexing/searching encrypted data; fully homomorphic encryption?
Data lineage
- Definition: tracking and managing data, for audit or compliance purposes
- Data flow or data path visualization. E.g., data transferred to AWS on date x1 at time y1 and stored in a bucket on S3 (example.s3.amazonaws.com), then processed on date x2 at time y2 on EC2 at ec2-67-202-51-223.compute-1.amazonaws.com, then stored in another bucket (example2.s3.amazonaws.com), then brought back locally on date x3 at time y3
- A time-consuming process even for an in-house data center; not possible for a public cloud

Data provenance
- Origin/ownership of data: verify the authority of data and trace the responsibility, e.g., financial and medical data
- Difficult to prove data provenance in a cloud computing scenario

Data remanence
- Data left intact by a nominal delete operation
- In many DBMSs and file systems, data is deleted by flagging it
- Leads to possible disclosure of sensitive information
- Department of Defense: National Industrial Security Program Operating Manual defines data clearing and sanitization

Provider-collected data
- The provider collects a huge amount of security-related data, possibly related to service users
- If not managed well, it is a big threat to users' security

What kinds of protocols and techniques are needed/used?
- Traditional trust boundary reinforced by network control: VPN, intrusion detection, intrusion prevention
- Loss of network control in cloud computing: have to rely on higher-level software controls, i.e., application security and user access controls (IAM)
IAM components: authentication, authorization, auditing
IAM processes:
- User management
- Authentication management
- Authorization management
- Access management (access control)
- Propagation of identity to resources
- Monitoring and auditing
Avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience: SAML (Security Assertion Markup Language). http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf
Automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning: SPML (Service Provisioning Markup Language). http://www.oasis-open.org/standards#spmlv2.0
Provision user accounts with appropriate privileges and manage entitlements: XACML (eXtensible Access Control Markup Language).
Authorize cloud service X to access my data in cloud service Y without disclosing credentials: OAuth (open authentication).

Terms
- ACS: Assertion Consumer Service
- SSO: single sign-on
- PEP: policy enforcement point (app interface)
- PDP: policy decision point
Other identity technologies: OpenID, Information Cards, Open Authentication (OATH)
Issues for OpenID
- Phishing: a malicious relying party forwards the end-user to a bogus identity provider authentication page
- Allows sniffing of the certificate and replay
Difference: OpenID versus OAuth (thanks to Wikipedia)

Federated identity
- Dealing with heterogeneous, dynamic, loosely coupled trust relationships
- Enabling login once, then access to different systems within the trust boundary
- Single sign-on (SSO)
- Centralized access control services
- Yahoo! OpenID

Data access control in clouds (Yu et al., INFOCOM'10)
Traditional methods are not effective in clouds:
- They assume the data owner and the servers storing the data are in the same trusted domain, with the servers responsible for enforcing access control policies
- Not valid in clouds, since the data owner and cloud servers are in different domains and the data resources are not physically under the full control of the owner or of any single cloud server
Apply cryptographic methods:
- Encrypt data and disclose keys only to authorized users
- Encrypt each file using public key components corresponding to access attributes
- Disclose data decryption keys only to authorized users
Problems with existing solutions:
- Heavy computation overhead on the data owner for key distribution and data management
- Per-file access control lists (ACLs) are not scalable
- File groups are still coarse-grained
- Fine-grained + scalable + confidential access control: an open challenge
- An extremely challenging issue: implementing user revocation requires re-encryption of the data files accessible to the leaving user, and may need an update of the secret keys of all the remaining users
Goals
- Services for data security and access control for data on cloud servers
- Define and enforce access policies based on data attributes
- Delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data
- Data owners delegate data re-encryption and user secret key updates to cloud servers without disclosing data contents or user access privilege information

Building blocks
- Key-Policy Attribute-Based Encryption (KP-ABE): a public-key cryptography primitive for one-to-many communications
- Proxy Re-Encryption (PRE): a cryptographic primitive in which a semi-trusted proxy is able to convert a ciphertext encrypted under Alice's public key into another ciphertext that can be opened by Bob's private key, without seeing the underlying plaintext
- Lazy re-encryption

Scheme
- Associate each file with a set of attributes; assign each user an access structure defined over these attributes
- Use KP-ABE to escort the data encryption keys of the files
- Heavy computation overhead and online burden on the owner: he is in charge of all the operations of data/user management, and on user revocation the owner should re-encrypt all the files accessible to that user
- Combine PRE with KP-ABE: delegate computation-intensive operations to the Cloud Servers without disclosing the underlying file contents
- Confidentiality: the Cloud Servers are not able to learn the plaintext of files
- Lazy re-encryption technique: the Cloud Servers aggregate computation tasks
- Computation complexity on the Cloud Servers is proportional to the number of system attributes, or linear in the size of the user access structure/tree, and independent of the number of users in the system; scalability is thus achieved

Revocation with PRE
- Combine proxy re-encryption with KP-ABE and delegate most of the computational task to the Cloud Servers
- The Cloud Servers keep a partial copy of each user's secret key, i.e., the secret key components of all but one (dummy) attribute
- When the data owner redefines attributes to revoke a user, he also generates the corresponding proxy re-encryption keys and sends them to the Cloud Servers
- The Cloud Servers, given these proxy re-encryption keys, can update user secret key components and re-encrypt files accordingly without knowing the underlying files
- Use lazy re-encryption and enable the Cloud Servers to aggregate multiple successive secret key update / file re-encryption operations into one, which statistically saves computation overhead

Next: Ch. 6-10 in the book
- More on SaaS, PaaS, IaaS
- Availability management
- Privacy
- Audit and compliance
- Security as a cloud service
- Security monitoring (papers by Professor Campbell, Mirko Montanari)
- Practical intrusion detection system (IDS results), Ravi Iyer
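The access-structure check, attribute-redefinition revocation and lazy re-encryption described above, as an added toy model that is not the authors' code: each file and each user key carries a version per attribute, a user's access tree is evaluated with threshold gates, and the server brings a file or key up to date only when it is next used, in one aggregated step regardless of how many revocations happened in between. The real scheme binds keys and ciphertexts with bilinear-pairing KP-ABE and PRE; this model keeps only the policy logic and the operation count, and all names (`Gate`, `CloudServer`, attributes such as `finance`) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Gate:
    k: int          # threshold: at least k children must be satisfied
    children: list  # each child is a Gate or an attribute name (str)

def satisfied(node, attrs):
    """KP-ABE access structure check: does the attribute set satisfy the tree?"""
    if isinstance(node, str):
        return node in attrs
    return sum(satisfied(c, attrs) for c in node.children) >= node.k

@dataclass
class CloudServer:
    """Semi-trusted server (toy): holds attribute versions, file attribute
    metadata and the key components it may see, never file contents."""
    version: dict = field(default_factory=dict)    # attribute -> current version
    files: dict = field(default_factory=dict)      # file -> {attribute: version}
    user_keys: dict = field(default_factory=dict)  # user -> {attribute: version}
    reencrypt_ops: int = 0                         # PRE operations actually run

    def store(self, name, attrs):
        self.files[name] = {a: self.version.setdefault(a, 1) for a in attrs}

    def enroll(self, user, attrs):
        self.user_keys[user] = {a: self.version.setdefault(a, 1) for a in attrs}

    def revoke(self, user, attr):
        """Owner redefines attr: the version bump stands in for the PRE key he
        would hand the server, and the revoked user's component is dropped."""
        self.version[attr] += 1
        self.user_keys[user].pop(attr, None)

    def _sync(self, table):
        """Lazy re-encryption: one aggregated update per stale component,
        however many revocations happened since it was last touched."""
        for a, v in table.items():
            if v < self.version[a]:
                table[a] = self.version[a]
                self.reencrypt_ops += 1

    def access(self, user, name, tree):
        """Decryption succeeds only for file attributes whose version matches
        the component held in the user's (lazily updated) key."""
        self._sync(self.files[name])
        self._sync(self.user_keys[user])
        f, key = self.files[name], self.user_keys[user]
        return satisfied(tree, {a for a, v in f.items() if key.get(a) == v})
```

After two revocations on the same attribute, the first access to a file pays one update for that attribute rather than two, which is the aggregation the lazy re-encryption slide describes.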