
ECS781(A,P) CLOUD COMPUTING
Cloud Security
Dr. Ignacio Castro
School of Electronic Engineering and Computer Science
Ignacio Castro| Cloud Computing 1

Cloud Computing: roadmap for this module
▪ Network layer:
  ▪ Networking
▪ Application layer:
  ▪ Client/server, RPC, Web Services
  ▪ REST
▪ Performance:
  ▪ SLA
  ▪ Management
▪ Trends
  ▪ Monolithic applications → microservices
  ▪ Serverless: “hide complexity”
▪ Security

Contents
▪ Security concepts
▪ Attacks
▪ Security mechanisms

Information security
▪ Hard to deliver: needs to protect services & assets against:
  ▪ accidental threats (e.g. software flaw, power outage)
  ▪ “malicious” threats (e.g. virus, DDoS attack)
https://xkcd.com/844/

Cloud security is challenging
▪ Hard to establish well-demarcated security “perimeters” (vs. the traditional on-premise approach of hiding everything behind firewalls)
▪ Ubiquitous connectivity
▪ Constant exchange of information

Fundamental security attributes
Referred to as the CIA (or AIC) triad of InfoSec:
▪ Confidentiality: information is not disclosed to (i.e. viewed by) unauthorized entities
▪ Integrity: information is not altered by unauthorized entities
▪ Availability: information/service is reachable, usable and accessible to authorized entities

Other security attributes
▪ Data Origin Authentication: assurance that data is originally created/sent by a given entity
▪ Non-Repudiation: assurance that an entity cannot deny a previous commitment/action
▪ Entity Authentication: assurance that a given entity is involved & active in a current session
▪ Other derivative/compound attributes: anonymity, privacy, etc.

Elements of security-risk assessment
▪ Asset: anything that has a value (or can cause loss if compromised) and needs to be protected
▪ Threat: any potential for a violation of security to occur
  ▪ Threat Agent: an entity that poses a threat
▪ Attack: a threat that is carried out (using exploits)
  ▪ exploit: software/commands that take advantage of vulnerabilities to enable an attack

Vulnerabilities
A weakness (e.g. a bug) that can be exploited by an attacker to perform an attack. Examples:
▪ Buffer Overflow or overrun
▪ Stack Overflow
▪ Weak Crypto-Suites
▪ Hard-coded Credentials
▪ Flawed Implementation of cryptographic primitives/algorithms
▪ Flawed Key Management
▪ Weak password policy
▪ Side Channels
▪ Unused Open Ports/Services

Risk
The expected loss/harm/damage that can result from security attacks. Depends on:
▪ Asset Profile of an organization
▪ Vulnerability Profile: list/profile of known vulnerabilities in the organization
▪ Impact of each vulnerability: expected losses/damages if the vulnerability is successfully exploited
▪ Threat Profile: probability that the organization will be the target of different types of attackers

Examples of (Cloud-related) Threat-Agent types
▪ Anonymous Attacker: non-trusted cloud service consumer without permission in the cloud
▪ Malicious Service Agent: rogue service agent (with compromised or malicious logic) able to intercept and forward network traffic flowing in the cloud
▪ Trusted Attacker (a.k.a. Malicious Tenant): shares IT resources in the same cloud environment as the cloud consumer, has legitimate credentials and targets the cloud provider or other tenants
▪ Malicious Insider: human threat agents with access to the cloud provider’s premises (e.g. disgruntled or bribed current or former employees of the cloud service provider with admin privileges)

Examples of (Cloud-related) Threats
▪ Insufficient Authorization: granting an attacker access to IT resources erroneously or too broadly
  ▪ Weak authentication: a variation, e.g. when weak passwords or shared accounts are used to protect IT resources
▪ Overlapping Trust Boundaries: when the same physical resource or cloud service is shared by different cloud consumers, their trust boundaries overlap, which can be exploited by one of the consumers to compromise the security of the others


Examples of (Cloud-related) Attacks
▪ Traffic Eavesdropping
▪ Malicious Intermediary (a.k.a. Man-In-The-Middle)
▪ Denial of Service (DoS)
▪ Virtualisation Attack

Traffic Eavesdropping Attack
▪ Attack in which data traversing to, from or within the cloud is “passively” read by an unauthorised party, compromising confidentiality (the traffic itself is not modified, which makes the attack hard to notice)

Malicious Intermediary or Man-In-The-Middle Attack
▪ Attack in which messages/data are intercepted & potentially altered by a malicious service agent, compromising ‘confidentiality’ and, if the messages are altered, ‘integrity’

Denial of Service (DoS) Attack
▪ Maliciously over-loading IT resources so they cannot function properly, compromising their ‘availability’:
  ▪ Network overloading with traffic: huge number of requests and/or transmitting huge files, leaving no bandwidth or web server capacity for legitimate requests
  ▪ Excessive number of cloud service requests: consuming memory and processing resources

Distributed-Denial-of-Service (DDoS) Attack
▪ A DoS attack launched from many locations at once, frequently by compromised ‘zombie’ devices (bots, collectively a botnet), complicating detection and filtering of malicious requests because no single source address stands out

Virtualisation Attack (VM Escape)
▪ The services running in a Virtual Machine gain direct access to, and manipulate, the underlying physical resources (or other tenants’ VMs) using vulnerabilities in the virtualization platform, compromising confidentiality, integrity or availability

Contents
▪ Security concepts
▪ Attacks
▪ Security mechanisms
  ▪ Hashing
  ▪ Encryption
  ▪ Public Key Infrastructure (PKI)
  ▪ Other mechanisms

Security Controls
Counter-measures that prevent the exploitation of a vulnerability, decrease its probability of successful exploitation, or mitigate its impact if it is successfully exploited (security response)
▪ Security Mechanisms: technology/tools/procedures that implement security controls (the two terms are often used interchangeably)
▪ Security Policy: security rules and regulations (what is allowed/disallowed). Enforced through security controls
▪ Security Plan: description of the implementation of the Information Security Policy (list of security controls to be implemented & details of their implementation)

Critical Security Controls
http://www.sans.org/critical-security-controls


Hashing
A (cryptographic) hash function is a one-way function from a piece of data of arbitrary length to data of fixed length (referred to as the message digest, hash value, hash code, or simply, the hash). Example from the slide:
SHA1("cloud") = 000e793db70c59309fa6f0f36d0046d110f3be3c

Hashing, characteristics
▪ Should be easy to compute but practically impossible to invert
▪ A small change in the input should lead to a significant change in the output (avalanche effect)
▪ Same input will always yield the same hash value (deterministic)
▪ Caveat: “impossible to invert” assumes a large input space; if the set of possible inputs is small (e.g. short passwords), an attacker can exhaustively compute the hash of every possible input and store the results in a table for inverse lookup

Desired Security Properties of a Hash function
▪ Preimage resistance:
  ▪ given z, it is difficult to find an x such that h(x) = z
▪ Second preimage resistance:
  ▪ given x & h(x), it is difficult to find y ≠ x such that h(y) = h(x)
▪ Collision resistance:
  ▪ it is difficult to find any x, y with x ≠ y such that h(x) = h(y)

Notable examples of hash functions
▪ MD5 (Message Digest 5)
  ▪ output length = 128 bits
  ▪ Broken: no collision resistance
▪ SHA-1 (SHA: Secure Hash Algorithm)
  ▪ Output length = 160 bits
  ▪ Broken: no collision resistance (first public collision by Google and CWI researchers, 2017)
  ▪ Cost of that collision: 110 years on a single GPU, about 4 days on a grid of 10,000 GPUs
▪ SHA-2
  ▪ Family including SHA-224, SHA-256, SHA-384, SHA-512; the number specifies the length of the output in bits
  ▪ Current standard
▪ SHA-3
  ▪ Fixed-length members (SHA3-224/256/384/512) plus the SHAKE128/SHAKE256 extendable-output functions, whose output length can be chosen arbitrarily
  ▪ Standardised in 2015 (FIPS 202) with a different internal design (the Keccak sponge) as an alternative alongside SHA-2, not as a replacement for it
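The properties listed on the previous two slides (determinism, the avalanche effect, fixed output lengths per algorithm, and SHA-3’s extendable output) can be checked directly with the Python standard library. The following is an added example written for this page, not code from the slides; the two test inputs are constructed so that they differ in exactly one bit.

```python
import hashlib

# Constructed sample inputs (not from the slides): "cloud" and "cmoud" differ in
# one bit, because 'l' = 0x6c and 'm' = 0x6d differ only in the lowest bit.
MSG = b"cloud"
MSG_FLIPPED = b"cmoud"


def digest_lengths(data: bytes) -> dict:
    """Digest length in bits of each algorithm named on the slides."""
    algos = {
        "md5": hashlib.md5,
        "sha1": hashlib.sha1,
        "sha256": hashlib.sha256,
        "sha512": hashlib.sha512,
        "sha3_256": hashlib.sha3_256,
    }
    return {name: len(fn(data).digest()) * 8 for name, fn in algos.items()}


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes, flipped: bytes, algo: str = "sha256") -> int:
    """How many digest bits change when the input changes by a single bit.
    For a good hash this is close to half the digest length."""
    h1 = hashlib.new(algo, data).digest()
    h2 = hashlib.new(algo, flipped).digest()
    return hamming_distance(h1, h2)


def is_deterministic(data: bytes, algo: str = "sha256") -> bool:
    """Same input, same digest, every time."""
    return hashlib.new(algo, data).hexdigest() == hashlib.new(algo, data).hexdigest()


def shake_output(data: bytes, nbytes: int) -> str:
    """SHAKE256 is the SHA-3 family's extendable-output function: the caller picks the length."""
    return hashlib.shake_256(data).hexdigest(nbytes)


if __name__ == "__main__":
    print("sha1:", hashlib.sha1(MSG).hexdigest())
    print("digest lengths (bits):", digest_lengths(MSG))
    print("input bits flipped:", hamming_distance(MSG, MSG_FLIPPED))
    print("sha256 output bits flipped:", avalanche(MSG, MSG_FLIPPED))
    print("shake256, 16 and 64 bytes:", shake_output(MSG, 16), shake_output(MSG, 64))
```

Running it shows a single flipped input bit changing roughly 128 of the 256 SHA-256 output bits, which is the avalanche effect in numbers.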

Hash is broadly used (beyond security)
▪ Hash tables:
  ▪ extensive use in database systems
  ▪ the hash immediately gives the index where something is stored
▪ Image hashing:
  ▪ used for image recognition
  ▪ a database of hashed images (e.g. illegal content) is used to identify matches against a stream of images (e.g. in Facebook)

Hashing for Password Storage Protection
▪ Storing user-names/passwords in plain-text is risky: a leaked database yields every password directly
▪ Instead, store user-names with a hash of the passwords
  ▪ To verify identity: compare the hash of what is entered with the stored hash
▪ Even better: use “salting” + hashing:
  ▪ each password is concatenated with a randomly generated, per-user string (the “salt”) before hashing
  ▪ the salt is saved along with the hash (it need not be secret); identical passwords then produce different hashes, and a single precomputed lookup table no longer works against the whole database
▪ In practice, use a deliberately slow password-hashing function (e.g. Argon2, scrypt, bcrypt or PBKDF2) rather than a fast hash such as SHA-256, so that each candidate guess costs the attacker real work
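As an added example (not code from the slides), the scheme above with the standard library: a random per-user salt, a slow derivation (PBKDF2-HMAC-SHA256; the iteration count is an assumption for illustration) and constant-time comparison at login. It also shows the two failure modes the slide warns about: unsalted hashes of equal passwords collide, and salted ones do not.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for illustration: tune the cost to your hardware, or use
# Argon2/scrypt/bcrypt from a vetted library in production.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per user; stored in the clear next to the hash
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time (no timing leak)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def unsalted_hashes_collide(pw1: str, pw2: str) -> bool:
    """Without a salt, two users with the same password get identical records,
    so one precomputed table breaks both."""
    return hashlib.sha256(pw1.encode()).digest() == hashlib.sha256(pw2.encode()).digest()


def salted_records_differ(password: str) -> bool:
    """With salting, the same password yields different stored values."""
    _, a = hash_password(password)
    _, b = hash_password(password)
    return a != b


if __name__ == "__main__":
    # Constructed user record (not real credentials).
    salt, stored = hash_password("correct horse battery staple")
    print("stored record:", salt.hex(), stored.hex())
    print(verify_password("correct horse battery staple", salt, stored))  # True
    print(verify_password("wrong", salt, stored))                         # False
```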

Hashing for data integrity/protection
▪ The hash of a piece of data (e.g. a message) acts as its fingerprint: practically a unique ID
▪ If the data is (accidentally or maliciously) altered, even slightly, its hash will be different
▪ But do not rely on storing/transmitting hash(data) + data as protection against a deliberate attacker:
  ▪ an adversary who can change the data can also compute the new hash and replace both the data and the hash
  ▪ a bare hash detects accidental corruption only; to detect malicious alteration the hash itself must be protected, e.g. obtained over a separate trusted channel, computed with a secret key (a MAC such as HMAC), or digitally signed
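An added example (not from the slides) contrasting the two schemes: with a bare hash the attacker’s forgery passes the receiver’s check, while with a keyed hash (HMAC-SHA256 from the standard library) it fails because the tag cannot be recomputed without the key. The message and the shared key are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample message and the attacker's replacement (not from the page).
MESSAGE = b"transfer 10 GBP to account 1234"
TAMPERED = b"transfer 10000 GBP to account 9999"


def protect_with_hash(data: bytes) -> Tuple[bytes, bytes]:
    """Scheme from the slide: ship data + SHA-256(data). Anyone can recompute the tag."""
    return data, hashlib.sha256(data).digest()


def check_hash(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).digest(), tag)


def protect_with_mac(key: bytes, data: bytes) -> Tuple[bytes, bytes]:
    """Keyed hash (HMAC-SHA256): only holders of the key can produce a valid tag."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def check_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def attacker_forges_bare_hash(original: bytes, new_data: bytes) -> bool:
    """Adversary replaces both the data and the hash; the receiver's check passes."""
    _, _old_tag = protect_with_hash(original)       # the attacker does not even need this
    forged_data, forged_tag = protect_with_hash(new_data)
    return check_hash(forged_data, forged_tag)


def attacker_forges_mac(key: bytes, original: bytes, new_data: bytes) -> bool:
    """Adversary has no key: the best it can do is replay the old tag or use an unkeyed hash."""
    _, old_tag = protect_with_mac(key, original)
    attempts = [old_tag, hashlib.sha256(new_data).digest()]
    return any(check_mac(key, new_data, t) for t in attempts)


if __name__ == "__main__":
    key = os.urandom(32)  # shared in advance between sender and receiver
    print("bare hash forged:", attacker_forges_bare_hash(MESSAGE, TAMPERED))  # True
    print("HMAC forged:", attacker_forges_mac(key, MESSAGE, TAMPERED))        # False
    data, tag = protect_with_mac(key, MESSAGE)
    print("genuine message accepted:", check_mac(key, data, tag))            # True
```

`hmac.compare_digest` is used in both checks so that a tag comparison does not leak, byte by byte, how much of a guessed tag is correct.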


Encryption
▪ Conversion of intelligible data (plaintext) into unintelligible data (an apparently random sequence of bits), the ciphertext, that can only be recovered (decrypted) using a secret key
▪ Hashing vs. encryption:
  ▪ hashing is one-way: no computationally feasible way to get the original message
  ▪ encryption can be easily reversed (decryption) with the secret key
▪ Classes of encryption:
  ▪ Symmetric Key Encryption
  ▪ Asymmetric (Public-Key) Encryption

Symmetric Encryption
▪ “symmetric key”:
  ▪ Plaintext + key → ciphertext
  ▪ Ciphertext + key → plaintext
▪ Both parties need to know the secret key

Symmetric Encryption
▪ Sequence of (non-destructive) “substitutions” (replacing the original alphabet with a new one) and “transpositions” (permutation or shuffling of the order of the original characters)
▪ The shared secret key, intuitively, is the “recipe” for doing the substitutions and permutations, so by “undoing” them in the reverse order (and only by following that recipe) the original message can be retrieved

Classes of symmetric key ciphers
▪ Block-Cipher:
  ▪ data is divided into “blocks” (fixed-length chunks, i.e. n bits; 128 bits for AES)
  ▪ each block is encrypted/decrypted with the shared key; in the simplest mode (ECB) blocks are processed independently of each other, which leaks patterns in the plaintext, so practical modes (CBC, CTR, GCM) chain blocks together or mix in a counter/IV
▪ Stream-Cipher:
  ▪ 2 streams:
    ▪ stream of input text: encryption of 1 byte (or bit) of plaintext at a time
    ▪ stream of key data: the keystream is generated by a function whose seed is the encryption key (together with a nonce)
  ▪ Encryption: take a byte from the input stream and a byte from the keystream and combine them, normally with XOR; decryption applies the same keystream again
  ▪ Caveat: the same keystream must never be reused for two messages (same key and nonce)

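To make the stream-cipher description concrete, here is an added example (written for this page, not taken from the slides): a keystream generator built from a pseudo-random function seeded by the key and a nonce, XOR combination, and the classic failure mode of keystream reuse. HMAC-SHA256 over a counter stands in for the dedicated generator of a real stream cipher such as ChaCha20; this is an illustrative construction, not a standard cipher, and the key, nonce and messages are constructed for the demonstration.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream = PRF(key, nonce || counter) for counter = 0, 1, 2, ...
    (HMAC-SHA256 used as the PRF for illustration; 32 keystream bytes per block)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: combine each plaintext byte with one keystream byte by XOR."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation as encryption."""
    return encrypt(key, nonce, ciphertext)


def recover_xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Failure mode: with the same key and nonce, c1 XOR c2 == p1 XOR p2,
    so knowing one plaintext reveals the other without ever touching the key."""
    return xor(c1, c2)


if __name__ == "__main__":
    key = b"k" * 32        # constructed demo key; use os.urandom(32) in practice
    nonce = b"\x00" * 12   # must never repeat under the same key
    p1 = b"attack at dawn"
    p2 = b"retreat at six"  # same length, to keep the demonstration simple
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)  # nonce reuse: the mistake being demonstrated
    print("round trip ok:", decrypt(key, nonce, c1) == p1)
    leaked = recover_xor_of_plaintexts(c1, c2)
    print("p2 recovered from p1 and the two ciphertexts:", xor(leaked, p1))
```

The recovery step is exactly why stream-cipher (and CTR-mode) nonces are a one-time-use value: reusing one turns a confidentiality mechanism into a simple XOR puzzle.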

Symmetric key encryption, pros and cons
▪ Advantages
  ▪ Simple and efficient algorithms
  ▪ Can even be implemented directly in hardware (e.g. using electronic circuits such as XOR gates)
▪ Disadvantages
  ▪ Requires a mechanism to “securely” establish the shared key
  ▪ In a multi-party setting where everyone shares one key, it is impossible to establish the identity of each party
  ▪ Non-repudiation is impossible: the same key is used for encryption and decryption, so the recipient could have produced any message itself; the sender can deny having sent a message and, conversely, the recipient can fraudulently claim that the sender encrypted and sent it

Asymmetric encryption: public key cryptography
▪ No need to share a secret key!
▪ A breakthrough that revolutionized email and e-commerce
▪ Computationally intensive (MUCH more than symmetric encryption)
▪ Discovered in the 1970s: secretly at GCHQ in the UK (early 1970s) and publicly in the US (Diffie-Hellman 1976, RSA 1977)
https://www.wired.com/1999/04/crypto/
https://math.berkeley.edu/~kpmann/encryption.pdf

Public-key cryptography usages
▪ Public-key encryption: message is encrypted with the recipient’s public key
  ▪ The message can only be decrypted by the owner of the matching private key
  ▪ Property: confidentiality (on its own it does not guarantee integrity nor authenticate the sender: anyone can encrypt to a public key, so it is combined with a MAC or a signature)
▪ Signing with the sender’s private key (loosely called “private-key encryption” in these slides): the message is signed with the sender’s private key
  ▪ verifiable by anyone with the sender’s public key
  ▪ Serves as a “signature”
  ▪ Properties: integrity, data-origin authentication, non-repudiation

Public-key Encryption
A sends a confidential message to B:
1. Each party generates a key pair (public key, private key)
2. Exchange public keys
3. A encrypts the message with the receiver’s (B’s) public key
4. Exchange the ciphertext
5. B, the receiver, decrypts the message with its private key

Public-key encryption in HTTPs
▪ HTTPS = HTTP secured via TLS (the successor of SSL, which is now deprecated)
▪ Public-key cryptography is used to establish a common (session) key securely
▪ Then symmetric-key encryption protects the data
  ▪ Due to the computational overhead of public-key encryption!
▪ These established (symmetric) keys are “ephemeral”: a fresh one per session, frequently changed to ensure their freshness, while the server’s long-term key pair (the one in its certificate) stays the same
  ▪ In modern TLS (1.3) the session key is agreed with ephemeral Diffie-Hellman and the long-term key pair is used only to sign/authenticate the handshake, so a later compromise of that key pair does not reveal past sessions (forward secrecy)

Private-key Encryption
A sends a signed message to B:
1. Each party generates a key pair
2. Exchange public keys
3. A signs (in the textbook picture, “encrypts”) with its own private key
4. Exchange the signed message
5. B, the receiver, verifies (“decrypts”) with the sender’s (A’s) public key

Private-key cryptography: Digital Signature
▪ Bob signs his message by using his private key (in the textbook-RSA picture, “encrypting” with the private key; real signature schemes such as RSA-PSS, ECDSA or Ed25519 use a dedicated signing operation with proper padding)
▪ Hashing reduces the computational overhead: the expensive private-key operation is applied to a short digest instead of the whole message
▪ Bob’s signature:
  ▪ hash his message → a shorter, fixed-length digest
  ▪ encrypt (sign) the hash with his private key and append the result to the message
▪ Alice’s verification:
  ▪ decrypt the signed hash using Bob’s public key
  ▪ compute the hash of the received message
  ▪ check whether the two digests match
▪ This is why collision resistance of the hash matters: two messages with the same hash would share one valid signature

Public key’s trust problem
▪ Anyone can generate pairs of public-private keys: an impostor could claim ownership of a public key (e.g. publish their own key under Bob’s name)
▪ Solution: trust by hierarchy
  ▪ digital certificates: public key, information about the owner’s identity, validity period
  ▪ All of these are digitally signed by (the private key of) a Certificate Authority (CA)
  ▪ The CA’s public key is easier to ascertain (e.g. pre-installed in the browser’s or operating system’s trust store)

Public Key Infrastructure (PKI)
▪ Protocols, data formats, roles, rules, practices and policies that enable a large-scale system to reliably use public-key cryptography
▪ Key-pair creation, access control, back-up, monitoring, revocation/expiration, archival/destruction
▪ Establishes trust in the binding between a public key and an identity through digital certificates issued by Certificate Authorities (e.g. VeriSign, Comodo, Thawte)
▪ Alternatives to CAs: “block-chain-based PKI”


IAM (Identity and Access Management)
▪ Security mechanism controlling user identities & access privileges
▪ Components:
  ▪ Authentication: verifying the identity of each entity
  ▪ Authorization: defines roles/responsibilities, attributes and access control rules
  ▪ Management:
    ▪ Users: how new user identities & access groups are created, how/when passwords are reset, password policies
    ▪ Credentials: how credentials are securely stored, retrieved and modified

SSO (Single-Sign-On)
▪ Persistent authentication via a security broker
▪ No re-authentication: propagates authentication and authorization across multiple cloud services
▪ The security broker generates “tokens”
  ▪ based on the credentials provided by the user (e.g. a session token/cookie)
  ▪ can remain valid for the duration of the user’s session
▪ Security context information is shared with the needed & trusted IT resources

SSO’s: security vs usability
▪ Advantages:
  ▪ greater efficiency & ease of use
▪ Disadvantages:
  ▪ Single point of failure: the security broker
  ▪ Mismanagement of tokens can compromise security
    ▪ If a malicious agent steals a token, it can assume the identity of its user without having to know the user’s credentials
    ▪ If tokens are not destroyed at the end of the session, sensitive information about the users might be inferred

Cloud-Based Security Groups
▪ Improves data protection by placing barriers between IT resources
▪ Resource segmentation: creates cloud-based security group mechanisms that are determined through security policies → virtual network perimeters
▪ Each cloud-based IT resource is assigned to at least one cloud-based security group
▪ Each logical cloud-based security group is assigned specific rules that govern the communication between the security groups

Cloud-Based Security Groups in AWS
▪ Associated with EC2 instances (more precisely with their network interfaces; other VPC resources such as RDS databases and load balancers use them too)
▪ Provide security at the protocol and port access level
▪ Each security group contains a set of rules that filter traffic coming into and out of an EC2 instance (similarly to a firewall)
  ▪ Rules are allow-only: anything not explicitly allowed is dropped; a new group allows no inbound traffic and all outbound traffic by default
  ▪ Stateful: a reply to allowed traffic is permitted regardless of the rules in the other direction
  ▪ Explicit deny rules are not possible (network ACLs are used for that); a common misconfiguration is a rule allowing 0.0.0.0/0 on an administrative port such as 22 (SSH) or 3389 (RDP)
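As an added example (not from the slides, and an illustrative model rather than the real AWS API schema), the following evaluates ingress rules written in the style of an AWS security group against incoming connection attempts, and includes the audit check a reviewer runs first: which sensitive ports are reachable from any source address. Two constructed rule sets are compared, a weak one with SSH open to the world and a hardened one that restricts SSH to an administrative range; the addresses used are from the documentation ranges (TEST-NET), not real hosts.

```python
import ipaddress
from typing import Dict, List

# Constructed ingress rule sets in the style of AWS security-group rules
# (illustrative model: not the boto3/CloudFormation schema).
WEAK_INGRESS = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},    # SSH open to the world
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},  # public HTTPS
]

HARDENED_INGRESS = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},  # admin range only
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},     # public HTTPS
]


def rule_matches(rule: Dict, proto: str, port: int, src_ip: str) -> bool:
    """A rule matches when protocol, port range and source CIDR all match."""
    return (rule["proto"] in (proto, "-1")                       # "-1" = all protocols
            and rule["from_port"] <= port <= rule["to_port"]
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"]))


def ingress_allowed(rules: List[Dict], proto: str, port: int, src_ip: str) -> bool:
    """Security groups are allow-lists: traffic not matched by any rule is dropped."""
    return any(rule_matches(r, proto, port, src_ip) for r in rules)


def world_exposed_ports(rules: List[Dict], sensitive=(22, 3389, 3306, 5432)) -> List[int]:
    """Audit check: sensitive (admin/database) ports reachable from any address."""
    exposed = set()
    for r in rules:
        if ipaddress.ip_network(r["cidr"]).prefixlen == 0:  # 0.0.0.0/0, i.e. everyone
            exposed.update(p for p in sensitive if r["from_port"] <= p <= r["to_port"])
    return sorted(exposed)


if __name__ == "__main__":
    internet_host, admin_host = "198.51.100.7", "203.0.113.42"
    for name, rules in (("weak", WEAK_INGRESS), ("hardened", HARDENED_INGRESS)):
        print(name,
              "| ssh from internet:", ingress_allowed(rules, "tcp", 22, internet_host),
              "| ssh from admin:", ingress_allowed(rules, "tcp", 22, admin_host),
              "| https from internet:", ingress_allowed(rules, "tcp", 443, internet_host),
              "| world-exposed sensitive ports:", world_exposed_ports(rules))
```

Note what the hardened set does not do: it has no deny rule, because security groups cannot express one; it simply omits the broad SSH rule and relies on the default drop.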

Hardened virtual server image
▪ A VM image that has been subjected to a hardening process (and saved in the VM image repository)
▪ Hardening: stripping unnecessary software from a system, disabling unused services and ports, applying patches and removing default credentials, to limit the vulnerabilities an attacker could exploit (i.e. reducing its attack surface)
▪ This results in a VM template that is significantly more secure than the original standard image

