Cloud security control and auditing

When you run an application on the cloud, different aspects of security must be controlled by different entities. For instance, the following figure (from Azure) shows the breakdown of security responsibilities between the provider and the customer.

Figure 13: Security responsibilities in Azure between provider and customer (Source)

Many classes of applications require different infrastructure, process, and security certifications. Most cloud service providers will comply with a majority of the popular certifications and audit requirements followed in the US and Europe.

To develop an application that passes these compliance checks, both the cloud service providers and the application developers must apply a minimal set of security controls, which we will explore below. As with the rest of this course, we look at controls from a predominantly IaaS perspective. Obviously, as we move up the stack, the cloud service provider has to ensure the security of the resources it is responsible for.

For an IaaS cloud, the following table gives an overview of some of the security controls to be implemented by both parties:

Domain: Identity and access management

Cloud service provider responsibility. A cloud service provider must provide information to customers about who is using the service. This requires that they:
  • Deliver and maintain an authentication service (so that users cannot access resources without explicit privileges).
  • Create a service that allows account management policy configuration. (Customers can add and remove users and roles.)
  • Adopt insider misuse protections (monitor employees and restrict access to sensitive server locations).

Customer responsibility. Using the authentication and access control service provided by the cloud provider, customers must:
  • Define roles, groups, and permissions.
  • Create and disseminate credentials.
  • Use access control logging. (The customer will have a log of all sensitive user events.)
  • Use multi-factor authentication where appropriate.

Domain: Availability and fault tolerance

Cloud service provider responsibility. To ensure that the cloud is resilient to failure, cloud service providers must have:
  • Tape backups and redundancy of storage and compute systems.
  • Geo-distributed datacenters.

Customer responsibility. The redundancy provided by the cloud service provider has to be leveraged by the customer, who should:
  • Add redundant options for connectivity to all endpoints.
  • Use application-layer backups and snapshots of instances and storage state. (A snapshot of a VM instance, or a database, stores its state at a fixed moment in time, allowing a recovery to be performed from that point.)

Domain: Patching and configuration management

Cloud service provider responsibility:
  • Ensure sandboxing of tenants using hypervisors and overlay networks. (This will be explained later.)
  • Conduct regular vulnerability assessments and penetration testing (when an internal or external team of "hackers" systematically attempts to break into a system) of bare metal, hypervisor, and networks.

Customer responsibility:
  • Patch OS and machine images with the latest security updates.
  • Use appropriate user roles with the least privilege for each application. (For example, when you run a web server on the cloud, ensure that it doesn't have access to any infrastructure keys, or even to local "root." This way, if your website is breached, the rest of your application is isolated.)
  • Restrict traffic to instances using firewalls and virtual private clouds, and segment the network into zones (block all network traffic from untrusted sources).

Domain: Monitoring and detection

Cloud service provider responsibility. Verify that customer resources are not being used for nefarious activities (either intentionally or unintentionally), and take appropriate actions.

Customer responsibility:
  • Install host-based intrusion detection and anti-malware systems. (These detect any misuse of your cloud network or hosts.)
  • Define alerts and response strategies for incidents and breaches. (Be prepared for attacks and automate a recovery and logging protocol.)

Domain: Data security

Cloud service provider responsibility:
  • Cross-tenant data access controls and privacy safeguards. (As described on the previous page, ensure that customers on the same physical infrastructure are isolated.)
  • Data integrity verification and repair from redundant data stores. (When storing data in several replicas, ensure their consistency and accuracy.)

Customer responsibility:
  • Use secure protocols (like SSL/TLS and IPsec) for data in transit. (These ensure that your network traffic cannot be read.)
  • Encrypt data at rest. (Encrypt all the data you store on the cloud, such that even a rogue employee of the cloud service provider cannot disclose this information.)

Domain: Cryptographic object security

Cloud service provider responsibility:
  • Support data encryption in all provided storage/file systems and DBs. (For example, Windows environments could allow BitLocker implementations.)
  • Securely manage customer account and access credentials.

Customer responsibility:
  • Create and distribute access keys (for cloud service provider APIs) as well as remote connectivity (like SSH, VNC, RDP).
  • Do not store keys on the cloud where possible, so that a key will not be in the same place as the data.

Providers will often build in services that simplify the process for customers to implement security controls. For example, Azure provides Azure Network Security Groups, which can act as external network firewalls.

The process of verifying the presence of these controls is known as a security audit. These audits can be done internally (by hiring a technical consultant) or externally (by a certifying agency). To host sensitive information on the cloud, both the provider and the customer must pass these audits.
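As an added example (not from the course, and not Azure's own tooling), here is a small audit check of the kind just described: given the inbound rules of an Azure Network Security Group, it reports which remote-connectivity ports (SSH, RDP, VNC) are reachable from the Internet, honouring the NSG priority/first-match semantics and Azure's default rules. The rule-dict shape mirrors an NSG `securityRules` entry; the rule names and the 10.0.0.0/24 management subnet are constructed.

```python
# Added audit example (not from the course or from Azure tooling): report the management
# ports an Azure NSG leaves reachable from the Internet. All sample data is constructed.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}  # remote-connectivity ports named on the page
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}         # source prefixes that admit any host

def rule(name, priority, access, source, ports, protocol="Tcp"):
    # One inbound rule dict in the shape of an NSG securityRules entry.
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": ports}

# Azure's built-in default inbound rules sit behind every custom rule (priorities 65000+).
DEFAULT_INBOUND_RULES = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def port_in_range(port_range, port):
    """True if a destinationPortRange such as '*', '22' or '3389-3390' covers the port."""
    low, _, high = port_range.partition("-")
    return port_range == "*" or int(low) <= port <= int(high or low)

def first_matching_rule(rules, port):
    """Rule an Internet-sourced TCP packet to `port` hits first (ascending priority, first match wins)."""
    for r in sorted(rules, key=lambda x: x["priority"]):
        if (r["direction"] == "Inbound" and r["protocol"] in ("Tcp", "*")
                and r["sourceAddressPrefix"] in INTERNET_SOURCES
                and port_in_range(r["destinationPortRange"], port)):
            return r
    return None

def exposed_management_ports(custom_rules):
    """Return {service: rule_name} for each management port the Internet can reach."""
    findings = {}
    for port, service in MANAGEMENT_PORTS.items():
        hit = first_matching_rule(list(custom_rules) + DEFAULT_INBOUND_RULES, port)
        if hit is not None and hit["access"] == "Allow":
            findings[service] = hit["name"]
    return findings

# Constructed web-tier NSG. HTTPS from the Internet is intended; SSH from anywhere is the
# misconfiguration. RDP is allowed at priority 120, but the deny at 105 is evaluated first.
WEAK_RULES = [
    rule("Allow-HTTPS-Internet", 100, "Allow", "Internet", "443"),
    rule("Deny-RDP-Internet", 105, "Deny", "Internet", "3389"),
    rule("Allow-SSH-Any", 110, "Allow", "*", "22"),
    rule("Allow-RDP-Any", 120, "Allow", "*", "3389"),
]
# Hardened variant: SSH only from a constructed management subnet; Internet traffic to port 22
# then falls through to the default DenyAllInBound rule.
HARDENED_RULES = WEAK_RULES[:2] + [rule("Allow-SSH-Mgmt", 110, "Allow", "10.0.0.0/24", "22")] + WEAK_RULES[3:]
```

`exposed_management_ports(WEAK_RULES)` returns `{'SSH': 'Allow-SSH-Any'}`, while the hardened list returns `{}`; RDP is not reported in either case because the explicit deny at priority 105 shadows the broader allow at 120.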

Check your knowledge

1. On a VM, if you install Wireshark, you should be able to sniff packets from:

2. The process of mapping instances from the virtual cloud to the physical infrastructure is called cloud cartography. Assuming that you're an IaaS provider, which of the following will protect your service against an attacker mapping it?

3. You host an email server on the cloud only to find that the emails that your service sends are categorized as spam by anti-spam services like Spamhaus. However, the content of your mails is not spam-like. What could be a possible reason for this filtering?

4. Some service providers offer dedicated VM instances as an added security measure. Such instances are guaranteed to run on dedicated hardware that will not be shared with other users of the cloud service. Which of the following threats will you be protected against on a dedicated VM?

5. A cloud firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus an instance's neighbors have no more access to that instance than any other host on the internet and can be treated as if they are on separate physical hosts. These can be configured as security groups. What is one disadvantage of this method?

6. Homomorphic encryption is a special form of encryption where computation can be carried out on encrypted data. For instance, if Bing used homomorphic encryption, it would receive an encrypted version of your search term, find the matches without looking at it, and return an encrypted version of the results. Your data would never be exposed. Recent research from Craig Gentry at Stanford demonstrated a practical way to create an encryption scheme that allows addition and multiplication. Why is this not widely used?

7. If you're an educator building a service that runs and grades student code to add two numbers, which of the following should you not do?