This blog talks about some of the classic cloud security concerns and some of the techniques used to address them, such as cloud virtualization and secure introspection.
Security concerns in cloud computing
Some of the most common security considerations specific to cloud-based services and service compositions include the following:
Shared and virtualized resources: the service's physical infrastructure may be shared among multiple tenants.
Data privacy: the organization's data is hosted in the vendor's data center.
Multi-tenancy: the service's hosting processes and the exchanged data are executed and managed in shared environments.
Security in cloud computing is provided broadly by the following services:
Virtualization: Each tenant may be given a completely isolated virtual environment to execute.
Virtual Private Network (VPN): Data exchange between cloud provider and user may be secured by using VPN.
Federated Identity: Federated identity is the ability to port data across security domains using claims and assertions from a digitally signed identity provider. Users who have already authenticated themselves on the organization's network should be authorized to use the organization's services that may be running in the cloud. This is provided by a federated identity service, which ties the identity management of the organization and of the cloud service provider together.
Policy Services: Define policies that drive the assessment of which cloud service provider to choose, depending on factors such as reliability, security, etc.
Each of these services involves various techniques that boost security in a cloud environment; the scope of this blog only includes a discussion of virtualization.
Security Measure: Virtualization
Virtualization is the key to enabling a cloud computing environment. In a multi-tenant environment it becomes vital that there is isolation between processes catering to different organizations. A bug in an application or operating system can lead to an isolation violation. The solution to this problem when catering to multiple organizations (tenants) is to allocate either separate physical machines or simply separate virtual machines.
Organizations may deploy security solutions within their virtual image, which can provide some level of security even over public clouds. These can be deployed as software on virtual machines to increase protection and maintain the compliance integrity of servers and applications. Some of these include:
Firewall:
A firewall is a system designed to prevent unauthorized access to or from a private network. A firewall can help by decreasing the attack surface of virtualized servers in cloud computing environments.
By deploying a firewall on the VM with policies that map to the organization's security policy, one may achieve virtual machine isolation, data filtering at the fine-grained level of ports, and data segregation for analysis covering all IP-based protocols, frame types, etc. Attacks such as Denial of Service (DoS) can be prevented. Firewalls also allow setting different policies on different network interfaces.
Intrusion Detection and Prevention System (IDS/IPS):
An IDS/IPS can shield vulnerabilities in operating systems and enterprise applications until they can be patched, achieving timely protection against known and zero-day attacks.
An IDS/IPS can detect newly discovered vulnerabilities in both the applications and the operating system running in a VM. This provides protection against exploits attempting to compromise virtual machines. Some IDS/IPS products are based on artificial intelligence techniques and may learn about new vulnerabilities dynamically.
Integrity Monitoring:
Integrity monitoring involves monitoring files, systems and the registry for changes. Application files and critical system files (files, directories, registry keys and values, etc.) can be monitored to detect malicious and unexpected changes that could signal compromise of cloud computing resources. Integrity monitoring software must be applied at the virtual machine level. An integrity monitoring solution should enable:
On-demand or scheduled detection.
Extensive file property checking, including attributes (enables compliance with PCI 10.5.5).
Flexible, practical monitoring through includes/excludes.
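As an added illustration (not code from the original post), here is a minimal file integrity monitor in Python that covers the three capabilities just listed: it baselines mode, owner, size, mtime and SHA-256 of every file, honours include/exclude globs, and an on-demand rescan reports added, removed and changed files together with the properties that changed. The directory layout and file contents used in demo() are constructed for the example.

```python
import fnmatch, hashlib, os, pathlib, stat, tempfile

def file_record(path):
    """Properties an integrity monitor checks: mode, owner, size, mtime and content hash."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):  # hash regular files only (symlinks, devices are attribute-only)
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def baseline(root, includes=("*",), excludes=()):
    """Snapshot files under root whose relative path matches an include glob and no exclude glob."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, p) for p in includes) and \
               not any(fnmatch.fnmatch(rel, p) for p in excludes):
                snap[rel] = file_record(full)
    return snap

def compare(old, new):
    """Findings of an on-demand scan: added, removed and changed files, naming the changed properties."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            findings.append(f"ADDED {rel}")
        elif rel not in new:
            findings.append(f"REMOVED {rel}")
        else:
            changed = [k for k in old[rel] if old[rel][k] != new[rel].get(k)]
            if changed:
                findings.append(f"CHANGED {rel}: {','.join(changed)}")
    return findings

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan with log/* excluded."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "etc").mkdir(); (root / "log").mkdir()
    (root / "etc" / "app.conf").write_text("debug=false\n")
    (root / "log" / "app.log").write_text("start\n")
    old = baseline(str(root), excludes=("log/*",))
    (root / "etc" / "app.conf").write_text("debug=true\n")    # config tampered
    (root / "etc" / "cron.d").write_text("* * * * * x\n")     # unexpected new file
    (root / "log" / "app.log").write_text("start\nmore\n")    # excluded, so not reported
    return compare(old, baseline(str(root), excludes=("log/*",)))
```

A scheduled scan is the same compare() call driven by cron or a timer, with the baseline persisted somewhere the monitored VM cannot silently rewrite.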
Log Inspection:
Log inspection collects and analyzes operating system and application logs for security events. Rules defined in the log inspection software allow efficient extraction of security-related events from multiple log files. These events can be sent to a stand-alone security system, to a Security Information and Event Management (SIEM) system, or to a centralized logging server for analysis. Log inspection software on cloud resources enables detection of suspicious behavior. Like integrity monitoring, log inspection capabilities must be applied at the virtual machine level.
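An added example, not from the original post: rule-based log inspection in Python that extracts security events from OpenSSH, sudo and useradd syslog lines, correlates repeated failures from one source into a brute-force event, and serializes the result as newline-delimited JSON for forwarding to a SIEM or central log server. The log lines, hostname and addresses are constructed for the example.

```python
import json
import re
from collections import Counter

# Rule set: event name, severity and extraction regex. Patterns follow the syslog
# formats of OpenSSH, sudo and useradd; the sample lines below are constructed.
RULES = [
    ("ssh_failed_login", "medium",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("ssh_accepted_login", "info",
     re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("sudo_command", "info",
     re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    ("new_user_account", "high",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
]

def inspect(lines, brute_force_threshold=3):
    """Apply the rules to raw log lines; return extracted security events plus correlated ones."""
    events, failures = [], Counter()
    for line in lines:
        for name, severity, pattern in RULES:
            m = pattern.search(line)
            if m:
                events.append({"event": name, "severity": severity, "raw": line, **m.groupdict()})
                if name == "ssh_failed_login":
                    failures[m.group("src")] += 1
                break  # first matching rule wins
    # Correlation across lines: repeated failures from one source become a high-severity event.
    for src, count in failures.items():
        if count >= brute_force_threshold:
            events.append({"event": "ssh_brute_force", "severity": "high", "src": src, "count": count})
    return events

def to_siem(events):
    """Serialize as newline-delimited JSON, the shape a SIEM or central log server ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Oct 11 09:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Oct 11 09:00:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Oct 11 09:00:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Oct 11 09:00:09 web1 sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 4422 ssh2",
    "Oct 11 09:00:15 web1 CRON[2110]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct 11 09:01:02 web1 sshd[2120]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    "Oct 11 09:01:07 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Oct 11 09:01:30 web1 useradd[2130]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash",
]
```

Running to_siem(inspect(SAMPLE_LOG)) yields eight events: the CRON line matches no rule and is dropped, while the three failures from 203.0.113.5 additionally produce one ssh_brute_force event.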
In cloud computing, users may move images from one cloud to another, so an effective solution requires learning which guest operating system (OS) runs in each virtual machine (VM) and securing the guest OS without relying on guest OS functionality or on an initially secure guest VM state. One such solution is secure introspection.
The secure introspection technique proposes an architecture that does not assume any prior semantic knowledge of the guest OS, does not require any prior trust assumptions about any state of the guest VM, and has a dedicated guest VM that acts as a centralized security manager for all VMs.
Although cloud computing brings many advantages to organizations, they need to carefully study and understand the security measures provided by the cloud service provider.
Virtualization plays a key role in cloud computing. While virtualization provides isolation in a multi-tenant environment, some assumptions made about virtual machines do not hold true in a cloud environment, and such assumptions may pose a security threat. Techniques such as secure introspection build a reliable security model for virtual environments without relying on these faulty assumptions.