A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS

by

Keiko Hashizume

A Dissertation Submitted to the Faculty of

the College of Engineering and Computer Science

in Partial Fulfillment of the Requirements for the Degree of

Doctor of Philosophy

Florida Atlantic University

Boca Raton, FL

May 2013

Copyright by Keiko Hashizume 2013


ACKNOWLEDGEMENTS

I would like to thank my advisor, Dr. Eduardo B. Fernandez, for his guidance during these years. He has been a true mentor by supporting me not only during my research but also in my personal life. I would also like to express my gratitude to my committee members, Dr. Maria Petrie, Dr. Mihaela Cardei, Dr. Rainer Steinwandt, and the members of the Secure Systems Research Group for all their advice and constructive comments on this dissertation. I would also like to thank the Latin American and Caribbean Consortium of Engineering Institutions for its support during my studies.

I want to thank the GSyA Research Group at the University of Castilla-La Mancha, Ciudad Real, Spain, and the GRACE Center of the National Institute of Informatics, in Tokyo, Japan, for hosting my visits to their institutions and collaborating with us. Those visits were supported by the PIRE Program of NSF (grant OISE-0730065).


ABSTRACT

Author: Keiko Hashizume

Title: A Reference Architecture for Cloud Computing and Its Security Applications

Institution: Florida Atlantic University

Dissertation Advisor: Dr. Eduardo B. Fernandez

Degree: Doctor of Philosophy

Year: 2013

Cloud Computing is a relatively new computing model that provides on demand business or consumer IT services over the . However, one of the main concerns in Cloud Computing is security. In complex systems such as Cloud Computing, parts of a system are secured by using specific products, but there is rarely a global security analysis of the complete system. We have described how to add security to cloud systems and evaluate their security levels using a reference architecture. A reference architecture provides a framework for relating threats to the structure of the system and makes their enumeration more systematic and complete. In order to secure a cloud framework, we have enumerated cloud threats by combining several methods because it is not possible to prove that we have covered all the threats. We have done a systematic enumeration of cloud threats by first identifying them in the literature and then by analyzing the activities from each of their use cases in order to find possible threats. These threats are realized in the form of misuse cases in order to understand how an attack happens from the point of view of an attacker. The reference architecture is used as a framework to determine where to add security in order to stop or mitigate these threats. This approach also involves developing some security patterns, which will be added to the reference architecture to design a secure framework for clouds. We finally evaluate its security level by using misuse patterns and considering the threat coverage of the models.


A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS

TABLES
FIGURES
1. INTRODUCTION
2. BACKGROUND
  2.1. Cloud Service Models
    2.1.1. Infrastructure-as-a-Service
    2.1.2. Platform-as-a-Service
    2.1.3. Software-as-a-Service
  2.2. Cloud Service Deployment
    2.2.1. Public Cloud
    2.2.2. Private Cloud
    2.2.3. Community Cloud
    2.2.4. Hybrid Cloud
  2.3. Characteristics of Cloud Computing
  2.4. Key Technologies for Cloud Computing
    2.4.1. Service Oriented Architecture (SOA)
    2.4.2. Web 2.0
    2.4.3. Virtualization
    2.4.4. Reference Architectures
    2.4.5. Patterns
3. ANALYSIS OF SECURITY ISSUES
  3.1. Systematic review of Security issues for Cloud Computing
    3.1.1. Question Formalization
    3.1.2. Selection of Sources
    3.1.3. Review Execution
    3.1.4. Results and Discussion
  3.2. Security in the SPI model
    3.2.1. Software-as-a-Service (SaaS) Security Issues
    3.2.2. Platform-as-a-Service (PaaS) Security Issues
    3.2.3. Infrastructure-as-a-Service (IaaS) Security Issues
  3.3. Analysis of Security issues in Cloud Computing
    3.3.1. Countermeasures
  3.4. Summary
4. REFERENCE ARCHITECTURE
  4.1. Cloud Architecture Overview
  4.2. Cloud Computing Standards
  4.3. Use Case Model
  4.4. Infrastructure-as-a-Service
    4.4.1. Intent
    4.4.2. Context
    4.4.3. Problem
    4.4.4. Forces
    4.4.5. Solution
    4.4.6. Implementation
    4.4.7. Known Uses
    4.4.8. Consequences
    4.4.9. Related Patterns
  4.5. Platform-as-a-Service
    4.5.1. Intent
    4.5.2. Context
    4.5.3. Problem
    4.5.4. Solution
    4.5.5. Implementation
    4.5.6. Known Uses
    4.5.7. Consequences
    4.5.8. Related Patterns
  4.6. Software-as-a-Service
    4.6.1. Intent
    4.6.2. Context
    4.6.3. Problem
    4.6.4. Solution
    4.6.5. Implementation
    4.6.6. Known Uses
    4.6.7. Consequences
    4.6.8. Related Patterns
  4.7. Reference Architecture Environment
  4.8. Summary
5. MISUSE PATTERNS
  5.1. Resource Usage Monitoring Inference in Cloud Computing
    5.1.1. Intent
    5.1.2. Context
    5.1.3. Problem
    5.1.4. Solution
    5.1.5. Consequences
    5.1.6. Countermeasures
    5.1.7. Forensics
    5.1.8. Related Patterns
  5.2. Malicious Virtual Machine Creation
    5.2.1. Intent
    5.2.2. Context
    5.2.3. Problem
    5.2.4. Solution
    5.2.5. Consequences
    5.2.6. Countermeasures
    5.2.7. Forensics
  5.3. Malicious Virtual Machine Migration Process
    5.3.1. Intent
    5.3.2. Context
    5.3.3. Problem
    5.3.4. Solution
  5.4. Consequences
    5.4.1. Countermeasures
    5.4.2. Forensics
    5.4.3. Related Patterns
  5.5. Discussion
    5.5.1. Summary
6. SECURE REFERENCE ARCHITECTURE
  6.1. Securing a cloud reference architecture
  6.2. Administration of Security Use Cases
  6.3. Identifying threats
  6.4. Cloud Defenses
    6.4.1. Secure virtual machine image repository system
  6.5. Secure Reference Architecture
  6.6. Evaluating security using a reference architecture
  6.7. Summary
7. RELATED WORK
8. CONCLUSIONS AND FUTURE WORK
REFERENCES


TABLES

Table 1: Summary of the topics considered in each approach
Table 2. Vulnerabilities in Cloud Computing
Table 3. Threats in Cloud Computing
Table 4. Relationships between Threats, Vulnerabilities, and Countermeasures
Table 5: Misuse Activities Analysis
Table 6: Threat List vs. Mitigation Defenses


FIGURES

Figure 1: Infrastructure-as-a-Service Model
Figure 2: Platform-as-a-Service Model
Figure 3: Software-as-a-Service Model
Figure 4: Public Cloud
Figure 5: Private Cloud
Figure 6: Community Cloud
Figure 7: Hybrid Cloud
Figure 8: Cloud Architecture Overview
Figure 9: Common Use Cases for Cloud Computing
Figure 10: Use Case Diagram for IaaS
Figure 11: Use Case Diagram for PaaS
Figure 12: Use Case Diagram for SaaS
Figure 13: Class Diagram for Infrastructure-as-a-Service architecture
Figure 14: Sequence Diagram for Use Case Create a Virtual Machine
Figure 15: Sequence Diagram for Use Case Migrate a Virtual Machine
Figure 16: ’ main components
Figure 17: Class Diagram for PaaS Pattern
Figure 18: Sequence Diagram for Consuming Development Software
Figure 19: Sequence Diagram for Deploying an Application
Figure 20: The Force.com stack and services (from [18])
Figure 21: Class Diagram of Force.com’s PaaS architecture
Figure 22: Class Diagram for SaaS Pattern
Figure 23: Sequence Diagram for UC1 - Subscribe to an application
Figure 24: Sequence Diagram for UC2 - Consume an application
Figure 25: Class Diagram for a Cloud Computing Environment
Figure 26: Class Diagram for virtualization in Cloud Computing
Figure 27: Co-locate attacker’s VM besides the Victim’s VM
Figure 28: Sequence Diagram for the use case Infer some of the victim’s information by monitoring his resource usage
Figure 29: Class diagram for VM Image Misuse Pattern
Figure 30: Sequence Diagram for the Use Case Publish a Malicious VM Image
Figure 31: Sequence Diagram for the use case Launch a VM using a malicious VM Image
Figure 32: Class Diagram for VM Migration Process
Figure 33: Sequence Diagram for the use case Man-in-the-middle attack during VM migration process
Figure 34: Sequence Diagram for the use case Migrate several VMs to a victim VMM
Figure 35: Securing a cloud reference architecture
Figure 36: Security Use Case Model
Figure 37: Activity Diagram for Use Cases “Create VMI” and “Publish VMI”
Figure 38: Secure VMI Repository System
Figure 39: Secure IaaS pattern
Figure 40: Sequence Diagram for the use case Publish a Malicious VM Image
Figure 41: Sequence Diagram for the Use Case Securely Publish VM Images


1. INTRODUCTION

Cloud Computing is a relatively new computing paradigm that improves the utilization of resources and decreases the power consumption of hardware while increasing flexibility and scalability, and it offers users advantages such as paying only for the resources they use and access from everywhere. Due to the immaturity of this computing model, there are a lot of definitions for Cloud Computing, but we consider that NIST provides a broad definition which states that Cloud Computing is “a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [1]. The core of Cloud Computing is a variety of resources, software, and information that are provided on demand to the customers from a browser.

Cloud Computing leverages a number of computing models and technologies such as Service Oriented Architecture (SOA), Web 2.0, virtualization and other Internet-based technologies. In some respects, Cloud Computing represents the maturing of these technologies and is a marketing term to represent that maturity and the services they provide [2].

Cloud Computing offers three fundamental delivery models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS provides processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. PaaS offers platform layer resources, including operating system support and software development frameworks to build, deploy and deliver applications into the cloud. SaaS provides end-user applications that are running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Even though there are several benefits to adopting Cloud Computing, there are also some significant barriers to its acceptance. One important issue is security, followed by privacy, standardization and legal matters. There are several security challenges that are specific to each delivery model. Also, Cloud Computing inherits security issues from its underlying technologies and presents its own security challenges as well. This makes it even harder to secure the entire system. Most security measures have been developed to mitigate or stop attacks on parts of a system, but there is rarely a global security analysis of the complete cloud system. Thus, our goal is to develop a secure reference architecture to manage these security issues.

In this work, we make the following contributions:

1. An analysis of vulnerabilities and threats (Chapter 3 and [3]) for cloud environments. This analysis helps to understand security implications when adopting Cloud Computing. Starting with an overview of the challenges identified in the literature, the analysis identifies the main vulnerabilities and threats of Cloud Computing and how service models can be affected by them. Also, we describe the relationship between these vulnerabilities and threats, and how these vulnerabilities can be exploited in order to perform an attack.

2. A reference architecture (Chapter 4) to understand the fundamental structures of clouds. A reference architecture is a generic architecture, valid for a particular domain [4][5]. Various reference architectures have been defined by different organizations such as IBM [6], HP [7], NIST [8], and Oracle [9], giving their proprietary solutions or not considering security aspects. The majority of these reference architectures give a high-level description of the main components of clouds. Even when we that they provide useful information, we need to describe cloud architectures in a more precise way. Thus, we need a semi-formal approach like UML which describes architectures in a relatively precise way. Our cloud architecture defines each delivery service model through patterns and demonstrates how it helps in explaining the overall Cloud Computing environment.

3. Listing possible attacks for cloud environments is not enough; we need to understand how these attacks can compromise cloud components. For this, we developed some misuse patterns (Chapter 5, [10]) that describe how an attack happens from the point of view of the attacker [11]. With a complete catalog of misuse patterns, we can apply them systematically and use the reference architecture to find where to add security measures to mitigate or stop an attack.

4. Identification of security patterns for some of the threats listed previously in the analysis (Chapter 6). Some cloud services are exposed as web services. We developed some security patterns for Web services [12], and we can also use existing security defenses which can be tailored for cloud systems. We also identified new patterns.

5. A secure reference architecture (Chapter 6) that includes defensive measures to secure cloud environments, which combines both security and misuse patterns in order to add security features in the reference architecture. By checking if a threat (misuse pattern) can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security.

Our approach aims towards a reference architecture that can be used as a secure framework by architects or designers before opting for any type of cloud system model. This work is based primarily on identifying the main threats and describing them using misuse patterns, and also on providing security defenses in the form of security patterns.

Chapter 2 presents some background information that will help the reader to better understand this work. In Chapter 3, we present a categorization of security issues for clouds focused on its delivery models, identifying the main vulnerabilities and threats found in the literature. In Chapter 4, a reference architecture is presented which provides a conceptual model defining the three most fundamental delivery models. Chapter 5 illustrates three misuse patterns including Resource Usage Monitoring Inference, Malicious Virtual Machine Creation and Malicious Virtual Machine Migration Process. Chapter 6 presents a secure reference architecture and an evaluation of the architecture using both misuse and security patterns. Chapter 7 provides some related work. In Chapter 8, we present some conclusions and possible future work.

2. BACKGROUND

This section presents basic concepts in order to have a better understanding of this work.

2.1. Cloud Service Models

Cloud computing providers offer three fundamental services according to the following service models:

2.1.1. Infrastructure-as-a-Service

IaaS is the most basic cloud service model where cloud providers offer servers, storage and network, typically in the form of virtual appliances. Consumers can deploy and run any software such as operating systems and applications. IaaS providers are responsible for the underlying infrastructure including housing, running, and maintaining these resources while consumers are responsible for maintaining the operating system and their applications. Examples of IaaS providers include Amazon’s EC2 [13], Eucalyptus [14], and Open Nebula [15].

Figure 1: Infrastructure-as-a-Service Model

2.1.2. Platform-as-a-Service

In PaaS, providers offer environments for developing, deploying, hosting, and testing software applications. Typically, it includes a programming language, database, libraries, and other development tools. Consumers are not responsible for the underlying infrastructure, operating systems, or storage, but they are responsible for their deployed applications. Azure [16], App Engine [17], and Force.com [18] are some examples of PaaS providers.

Figure 2: Platform-as-a-Service Model

2.1.3. Software-as-a-Service

In SaaS, cloud providers offer applications on demand that are hosted on the cloud and can be accessed through thin clients. Consumers do not manage or control the underlying infrastructure. Some SaaS applications allow limited user-specific customization. .com’s CRM (Customer Relationship Management) [19], Google apps [20], and Freshbooks [21] are some examples of SaaS providers.

Figure 3: Software-as-a-Service Model

2.2. Cloud Service Deployment

Cloud Computing can be deployed in different ways such as public, private, hybrid and community clouds.

2.2.1. Public Cloud

A Public Cloud is deployed by an organization (Cloud Provider), which offers its services to the general public over the Internet. The infrastructure is owned and managed by the service provider, and it is located in the provider’s facilities. These services are usually offered on a pay-as-you-go model. Cloud providers are responsible for the installation, management, provisioning and maintenance of the cloud services. For the users, their data is stored and processed in the cloud, which may raise security and privacy issues.

Figure 4: Public Cloud

2.2.2. Private Cloud

A Private Cloud is deployed for a single organization and is dedicated only to that organization’s internal users. A private cloud resides in the organization’s facilities; however, it can be hosted and managed by a third party provider. Organizations are in charge of the operation, maintenance and management of the cloud, so that data security and availability can be controlled by them.

Figure 5: Private Cloud


2.2.3. Community Cloud

Community clouds are deployed for a group of organizations that common computing concerns. It may be owned, managed and operated by one or some of the organization members.

Figure 6: Community Cloud

2.2.4. Hybrid Cloud

It is a combination of the previous types of clouds (private, public, or community). In order to ensure security, an organization should migrate some of its processes to a public cloud while keeping its critical processes in-house.

Figure 7: Hybrid Cloud

2.3. Characteristics of Cloud Computing

In general, Cloud Computing has the following characteristics [22][23][1][24][25]:

• Accessibility: Cloud services can be accessed from anywhere at any time via browsers or by different client platforms such as laptops, desktops, mobile phones and tablets. Cloud services are network dependent, so the network (Internet, LAN, or WAN) has to work in order to access cloud services.

• On demand self-service: Customers access cloud services when they need them without going through a lengthy process.

• Elasticity: Elasticity refers to the ability of a service to adjust (increase or decrease capacity) in order to meet the user’s needs.

• Pay-as-you-go: Depending on the pricing model, customers only pay for the services they consume (computing power, bandwidth, storage, number of users, etc.). Sometimes, the services have a flat rate, or they are free of charge.

• Versatility: Cloud Computing supports different types of services: IaaS, PaaS, and SaaS, and each service can provide various applications running at the same time.

• Shared Resources: Cloud resources such as infrastructure, platform and software are shared among multiple customers (multi-tenant), which enables unused resources to serve different needs for different customers.

• Security: Cloud resources are centrally managed, so in theory security should be improved in this type of environment. However, security in complex environments is hard to undertake due to the fact that data is stored and processed in unknown places, resources are shared by unrelated users, and other concerns.

• Reliability: Cloud Computing supports reliability by adding redundant sites in case an error or attack happens.

• Performance: The performance of applications can be better in clouds because computing resources can be assigned to them when workloads surge. Clouds can be suitable for data-intensive applications since they require several computing resources.

2.4. Key Technologies for Cloud Computing

Cloud computing combines a number of computing concepts and technologies such as SOA, Web 2.0, virtualization, and other Internet-based technologies.

2.4.1. Service Oriented Architecture (SOA)

Service Oriented Architecture (SOA) is an architectural concept based on a set of loosely coupled services which can be discovered through a repository. This repository contains a set of interface descriptions that define constraints and policies that need to be followed in order to consume the service. A service represents a group of logical business operations. SOA provides platform independence, enabling components to be implemented in different platforms, technologies, and languages. SOA can be implemented using different technologies such as web services (SOAP, REST), CORBA, DCOM, and others. Web services are the most typical implementation of SOA, and cloud services are normally exposed as web services such as Amazon’s EC2 [13]. Cloud Computing is a type of SOA which offers flexibility, extensibility, and reusability.

2.4.2. Web 2.0

Web 2.0 uses World Wide Web technology and Web design that provide information sharing, collaboration and functionality of the Web. Web 2.0 allows the users not only to access content from a web site, but also to contribute to it. Major characteristics of Web 2.0 that differ from Web 1.0 include wikis, mashups, tagging, and social networking sites [15]. With Web 1.0, organizations have to make contractual arrangements with business partners in order to provide services such as payment services. However, PayPal offers services to individuals and organizations that require payment processing in their businesses without making any commitment and paying only for each transaction.

2.4.3. Virtualization

Virtualization is the simulation of a computer resource including servers, network, storage, and operating system [27]. It creates multiple logical resources where different systems, applications, or users can interact with them. Virtualization has led indisputably to the evolution of Cloud Computing. Hardware virtualization refers to the creation of virtual machines that can run different operating systems. The software that manages virtualization is called virtual machine monitor or hypervisor. There are different types of hardware virtualization: full virtualization, partial virtualization and paravirtualization. Operating system-level virtualization is a server virtualization where the operating system runs on top of the hardware, instead of the hypervisor.

2.4.4. Reference Architectures

A reference architecture is a standardized, generic architecture, valid for a particular domain that does not contain implementation details [28]. It provides a template solution that can be instantiated into a specific software architecture by adding implementation-oriented aspects. There is no formal definition of what a reference architecture should contain. However, Avgeriou [29] proposes a description for reference architectures which includes the following:

• The system stakeholders that interact with the system such as customers, administrators, developers and IT staff.

• The views described in the RUP (use case model, analysis model, design model, deployment model, and implementation model). These views should be developed using Unified Modeling Language (UML).

• The architectural patterns that characterize parts of the architecture.

• The quality attributes that should be supported by the architecture.

A reference architecture should be described at an abstract level, and all details about implementation should only be considered for a specific software architecture instance.

2.4.5. Patterns

A pattern is an encapsulated solution to a recurrent problem in a given context [4][5]. It is a reusable template that captures knowledge and experience of software developers. Analysis patterns can be used to build conceptual models [30][31], design and architectural patterns can be used to build flexible software [4][5], and security patterns are used to build secure systems [32][12][33][34]. A pattern can be used to build reference architectures, which we do in this work. Moreover, there is another type of pattern: a misuse pattern [11]. A misuse pattern describes how an attack happens from the point of view of an attacker. Typically a pattern provides a solution using UML diagrams such as class diagrams and sequence diagrams. These diagrams present a precise way of describing a system allowing designers to use them as guidelines. A pattern is described using a template. For this work, we follow the POSA template [4] which consists of the following components: intent, context, problem, solution, implementation, known uses, consequences, and related patterns.

3. ANALYSIS OF SECURITY ISSUES

We present here a categorization of security issues for Cloud Computing focused on the so-called SPI model (SaaS, PaaS and IaaS), identifying the main vulnerabilities in this kind of system and the most important threats found in the literature related to Cloud Computing and its environment. A threat is a potential attack that may lead to a misuse of information or resources, and the term vulnerability refers to the flaws in a system that allow an attack to be successful. Some surveys focus on one service model, or they list cloud security issues in general without distinguishing between vulnerabilities and threats. Here, we present a list of vulnerabilities and threats, and we also indicate what cloud service models can be affected by them. Furthermore, we describe the relationship between these vulnerabilities and threats and how these vulnerabilities can be exploited in order to perform an attack, and we also present some countermeasures related to these threats which try to solve or improve the identified problems.

3.1. Systematic Review of Security Issues for Cloud Computing

We have carried out a systematic review [35][36][37] of the existing literature regarding security in Cloud Computing, not only in order to summarize the existing vulnerabilities and threats concerning this topic but also to identify and analyze the current state and the most important security issues for Cloud Computing.


3.1.1. Question Formalization

The question focus was to identify the most relevant issues in Cloud Computing which consider vulnerabilities, threats, risks, requirements and solutions of security for Cloud Computing. This question had to be related to the aim of this work, that is, to identify and relate vulnerabilities and threats with possible solutions. Therefore, the research question addressed by our research was the following: What security vulnerabilities and threats are the most important in Cloud Computing which have to be studied in depth with the purpose of handling them? The keywords and related concepts that make up this question and that were used during the review execution are: secure Cloud systems, Cloud security, delivery models security, SPI security, SaaS security, PaaS security, IaaS security, Cloud threats, Cloud vulnerabilities, Cloud recommendations, best practices in Cloud.

3.1.2. Selection of Sources

The selection criteria through which we evaluated study sources were based on the research experience of the author and contributors of this work, and in order to select these sources we have considered certain constraints: studies included in the selected sources must be written in English and these sources must be web-available. The following list of sources has been considered: ScienceDirect, ACM digital library, IEEE digital library, Scholar Google and DBLP. Later, the experts will refine the results and will include important works that had not been recovered in these sources and will update this work taking into account other constraints such as impact factor, citations received, important journals, renowned authors, etc.

Once the sources had been defined, it was necessary to describe the process and the criteria for study selection and evaluation. The inclusion and exclusion criteria of this study were based on the research question. We therefore established that the studies must contain issues and topics which consider security on Cloud Computing, and that these studies must describe threats, vulnerabilities, countermeasures, and risks.

3.1.3. Review Execution

During this phase, the search in the defined sources must be executed and the obtained studies must be evaluated according to the established criteria. After executing the search chain on the selected sources we obtained a set of about 120 results which were filtered with the inclusion criteria to give a set of about 40 relevant studies. This set of relevant studies was again filtered with the exclusion criteria to give a set of studies which corresponds with 15 primary proposals [38][2][39][40][41][42][43][44][45][46][47][48][49][50][51].

3.1.4. Results and Discussion

The results of the systematic review are summarized in Table 1 which shows a summary of the topics and concepts considered for each approach.

Table 1: Summary of the topics considered in each approach

Topics / References [38] [2] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51]
Vulnerabilities X X X X X X X X X
Threats X X X X X X X X X X X X X
Mechanisms/Recommendations X X X X X X X X
Security Standards X X
Data Security X X X X X X X
Trust X X X X X
Security Requirements X X X X X X
SaaS, PaaS, IaaS Security X X X

As shown in Table 1, most of the approaches discussed identify, classify, analyze, and list a number of vulnerabilities and threats focused on Cloud Computing. The studies analyze the risks and threats and often give recommendations on how they can be avoided or covered, resulting in a direct relationship between vulnerabilities or threats and possible solutions and mechanisms to solve them. In addition, we can see that in our search, many of the approaches, in addition to speaking about threats and vulnerabilities, also discuss other issues related to security in the Cloud such as data security, trust, or security recommendations and mechanisms for any of the problems encountered in these environments.

3.2. Security in the SPI Model

With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction: the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. Largely because of the relatively lower degree of abstraction, IaaS offers greater tenant or customer control over security than do PaaS or SaaS [39].

Before analyzing security challenges in Cloud Computing, we need to understand the relationships and dependencies between these cloud service models [38]. PaaS as well as SaaS are hosted on top of IaaS; thus, any breach in IaaS will impact the security of both PaaS and SaaS services, but the reverse may also be true. However, we have to take into account that PaaS offers a platform to build and deploy SaaS applications, which increases the security dependency between them. As a consequence of these deep dependencies, any attack on any cloud service layer can compromise the upper layers. Each cloud service model comprises its own inherent security flaws; however, they also share some challenges that affect all of them. These relationships and dependencies between cloud models may also be a source of security risks. A SaaS provider may rent a development environment from a PaaS provider, which might also rent an infrastructure from an IaaS provider. Each provider is responsible for securing his own services, which may result in an inconsistent combination of security models. It also creates confusion over which service provider is responsible once an attack happens.

3.2.1. Software-as-a-Service (SaaS) Security Issues

SaaS provides application services on demand such as email, conferencing software, and business applications such as ERP, CRM, and SCM [52]. SaaS users have the least control over security among the three fundamental delivery models in the cloud. The adoption of SaaS applications may raise some security concerns.

3.2.1.1. Application security

These applications are typically delivered via the Internet through a Web browser [53][46]. However, flaws in web applications may create vulnerabilities for the SaaS applications. Attackers have been using the web to compromise users’ computers and perform malicious activities such as stealing sensitive data [54]. Security challenges in SaaS applications are not different from any web application technology, but traditional security solutions do not effectively protect them from attacks, so new approaches are necessary [45]. The Open Web Application Security Project (OWASP) has identified the ten most critical web application security threats [55]. There are more security issues, but it is a good start for securing web applications.

3.2.1.2. Multi-tenancy

SaaS applications can be grouped into maturity models that are determined by the following characteristics: scalability, configurability via metadata, and multi-tenancy [52][56]. In the first maturity model, each customer has his own customized instance of the software. This model has drawbacks, but security issues are not so bad compared with the other models. In the second model, the vendor also provides different instances of the applications for each customer, but all instances use the same application code. In this model, customers can change some configuration options to meet their needs. In the third maturity model multi-tenancy is added, so a single instance serves all customers [57]. This approach enables more efficient use of the resources but scalability is limited. Since data from multiple tenants is likely to be stored in the same database, the risk of data leakage between these tenants is high. Security policies are needed to ensure that each customer’s data is kept separate from that of other customers [58]. For the final model, applications can be scaled up by moving the application to a more powerful server if needed.

3.2.1.3. Data security

Data security is a common concern for any technology, but it becomes a major challenge when SaaS users have to rely on their providers for proper security [53][45][59]. In SaaS, organizational data is often processed in plaintext and stored in the cloud. The SaaS provider is the one responsible for the security of the data while it is being processed and stored [30]. Also, data backup is a critical aspect in order to facilitate recovery in case of disaster, but it introduces security concerns as well [45]. Cloud providers can also subcontract other services such as backup from third-party service providers, which may raise concerns. Moreover, most compliance standards do not envision compliance with regulations in a world of Cloud Computing [53]. In the world of SaaS, the process of compliance is complex because data is located in the provider’s datacenters, which may introduce regulatory compliance issues such as data privacy, segregation, and security, that must be enforced by the provider.

3.2.1.4. Accessibility

Accessing applications over the internet via web browser makes access from any network device easier, including public computers and mobile devices. However, it also exposes the service to additional security risks. The Cloud Security Alliance [60] has released a document that describes the current state of mobile computing and the top threats in this area such as information-stealing mobile malware, insecure networks (WiFi), vulnerabilities found in the device OS and official applications, insecure marketplaces, and proximity-based hacking.

3.2.2. Platform-as-a-Service (PaaS) Security Issues

PaaS facilitates deployment of cloud-based applications without the cost of buying and maintaining the underlying hardware and software layers [45]. As with SaaS and IaaS, PaaS depends on a secure and reliable network and secure web browser. PaaS application security comprises two software layers: security of the PaaS platform itself (i.e., runtime engine), and security of customer applications deployed on a PaaS platform [39]. PaaS providers are responsible for securing the platform software stack that includes the runtime engine that runs the customer applications. As with SaaS, PaaS also brings data security issues and other challenges that are described as follows:

3.2.2.1. Third-party relationships

Moreover, PaaS not only provides traditional programming languages but also offers third-party web services components such as mashups [39][61]. Mashups combine more than one source element into a single integrated unit. Thus, PaaS models also inherit security issues related to mashups such as data and network security [62]. Also, PaaS users have to depend on both the security of web-hosted development tools and third-party services.

3.2.2.2. Development Life Cycle

From the perspective of the application development, developers face the complexity of building secure applications that may be hosted in the cloud. The speed at which applications will change in the cloud will affect both the System Development Life Cycle (SDLC) and security [53][48]. Developers have to keep in mind that PaaS applications should be upgraded frequently, so they have to ensure that their application development processes are flexible enough to keep up with changes [43]. However, developers also have to understand that any changes in PaaS components can compromise the security of their applications. Besides secure development techniques, developers need to be educated about data legal issues as well, so that data is not stored in inappropriate locations. Data may be stored in different places with different legal regimes that can compromise its privacy and security.

3.2.2.3. Underlying infrastructure security

In PaaS, developers do not usually have access to the underlying layers, so providers are responsible for securing the underlying infrastructure as well as the applications services [63]. Even when developers are in control of the security of their applications, they do not have the assurance that the development environment tools provided by a PaaS provider are secure.

In conclusion, there is less material in the literature about security issues in PaaS. SaaS provides software delivered over the web while PaaS offers development tools to create SaaS applications. However, both of them may use multi-tenant architecture so multiple concurrent users utilize the same software. Also, PaaS applications and users’ data are stored in cloud servers, which can be a security concern as discussed in the previous section. In both SaaS and PaaS, data is associated with an application running in the cloud. The security of this data while it is being processed, transferred, and stored depends on the provider.

3.2.3. Infrastructure-as-a-Service (IaaS) Security Issues

IaaS provides a pool of resources such as servers, storage, networks, and other computing resources in the form of virtualized systems, which are accessed through the Internet [48]. Users are entitled to run any software with full control and management on the resources allocated to them [42]. With IaaS, cloud users have better control over the security compared to the other models as long as there is no security hole in the virtual machine monitor [45]. They control the software running in their virtual machines, and they are responsible for configuring security policies correctly [64]. However, the underlying compute, network, and storage infrastructure is controlled by cloud providers. IaaS providers must undertake a substantial effort to secure their systems in order to minimize these threats that result from creation, communication, monitoring, modification, and mobility [65]. Here are some of the security issues associated with IaaS.

3.2.3.1. Virtualization

Virtualization allows users to create, copy, share, migrate, and roll back virtual machines, which may allow them to run a variety of applications [66][67]. However, it also introduces new opportunities for attackers because of the extra layer that must be secured [54]. Virtual machine security becomes as important as physical machine security, and any flaw in either one may affect the other [43]. Virtualized environments are vulnerable to all types of attacks for normal infrastructures; however, security is a greater challenge as virtualization adds more points of entry and more interconnection complexity [68]. Unlike physical servers, VMs have two boundaries: physical and virtual [48].

3.2.3.2. Virtual Machine Monitor

The Virtual Machine Monitor (VMM) or hypervisor is responsible for virtual machine isolation; therefore, if the VMM is compromised, its virtual machines may potentially be compromised as well. The VMM is low-level software that controls and monitors its virtual machines, so, like any traditional software, it entails security flaws [68]. Keeping the VMM as simple and small as possible reduces the risk of security vulnerabilities, since it will be easier to find and fix any vulnerability.

Moreover, virtualization introduces the ability to migrate virtual machines between physical servers for fault tolerance, load balancing or maintenance [40][10]. This useful feature can also raise security problems [65][66][69]. An attacker can compromise the migration module in the VMM and transfer a victim virtual machine to a malicious server. Also, it is clear that VM migration exposes the content of the VM to the network, which can compromise its data integrity and confidentiality. A malicious virtual machine can be migrated to another host (with another VMM) compromising it.

3.2.3.3. Shared resource

VMs located on the same server can share CPU, memory, I/O, and others. Sharing resources between VMs may decrease the security of each VM. For example, a malicious VM can infer some information about other VMs through shared memory or other shared resources without need of compromising the hypervisor [10]. Using covert channels, two VMs can communicate bypassing all the rules defined by the security module of the VMM [70]. Thus, a malicious Virtual Machine can monitor shared resources without being noticed by its VMM, so the attacker can infer some information about other virtual machines.

3.2.3.4. Public VM image repository

In IaaS environments, a VM image is a prepackaged software template containing the configuration files that are used to create VMs. Thus, these images are fundamental for the overall security of the cloud [10][71]. One can either create her own VM image from scratch, or one can use any image stored in the provider’s repository. For example, Amazon offers a public image repository where legitimate users can download or upload a VM image. Malicious users can store images containing malicious code into public repositories compromising other users or even the cloud system [44][48][49]. For example, an attacker with a valid account can create an image containing malicious code such as a Trojan horse. If another customer uses this image, the virtual machine that this customer creates will be infected with the hidden malware. Moreover, unintentional data leakage can be introduced by VM replication [44]. Some confidential information such as passwords or cryptographic keys can be recorded while an image is being created. If the image is not “cleaned”, this sensitive information can be exposed to other users. VM images are dormant artifacts that are hard to patch while they are offline [72].
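The “cleaning” step mentioned above can be checked before an image is published. The following added example (not part of the original dissertation) scans a directory at which an image's root filesystem is assumed to be mounted and reports leftover keys, shell histories, and hard-coded passwords; the path and content patterns and the sample tree are constructed for illustration and are not exhaustive.

```python
import os
import re
import tempfile
from pathlib import Path

# Path patterns (relative to the image root) that usually hold per-user or
# per-host secrets and should not survive into a published image.
# Illustrative list chosen for this example, not an exhaustive policy.
SENSITIVE_PATHS = [
    (re.compile(r"(^|/)\.ssh/(id_[a-z0-9]+|authorized_keys)$"), "ssh key material"),
    (re.compile(r"(^|/)\.(bash|zsh)_history$"), "shell history"),
    (re.compile(r"^etc/ssh/ssh_host_.*_key$"), "ssh host private key"),
]

# Content patterns checked in the first bytes of every regular file.
SENSITIVE_CONTENT = [
    (re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "PEM private key"),
    (re.compile(rb"(?im)^\s*(password|passwd|secret)\s*[=:]\s*\S+"), "hard-coded password"),
]

MAX_CONTENT_BYTES = 64 * 1024  # only the head of each file is inspected


def scan_image_root(root):
    """Return sorted (relative_path, reason) findings for a mounted image tree."""
    root = Path(root)
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            for pattern, reason in SENSITIVE_PATHS:
                if pattern.search(rel):
                    findings.add((rel, reason))
            # Do not follow symlinks or read devices/sockets inside the image.
            if full.is_symlink() or not full.is_file():
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read(MAX_CONTENT_BYTES)
            except OSError:
                continue
            for pattern, reason in SENSITIVE_CONTENT:
                if pattern.search(data):
                    findings.add((rel, reason))
    return sorted(findings)


def build_sample_image(root):
    """Constructed sample tree standing in for a mounted, uncleaned image."""
    files = {
        "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
        "root/.bash_history": "mysql -u admin -p\n",
        "etc/app/db.conf": "host = db.internal\npassword = example-only\n",
        "etc/hostname": "template\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return scan_image_root(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

An empty result is a necessary condition for publishing, not a sufficient one: the scan only finds what its patterns describe.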

3.2.3.5. Virtual Machine Rollback

Furthermore, virtual machines are able to be rolled back to their previous states if an error happens. But rolling back virtual machines can re-expose them to security vulnerabilities that were patched or re-enable previously disabled accounts or passwords. In order to provide rollbacks, we need to make a “copy” (snapshot) of the virtual machine, which can result in the propagation of configuration errors and other vulnerabilities [53][67].
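The rollback risk described above can be made concrete by comparing the security-relevant state stored with a snapshot against the current state of the VM before the snapshot is restored. The following added example is not part of the original dissertation; the state record, package names, and advisory identifiers are hypothetical placeholders constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class VmState:
    """Security-relevant state of a running VM or of one of its snapshots."""
    packages: dict           # package name -> installed version, e.g. "2.4.1"
    disabled_accounts: set   # accounts locked in this state
    password_changed: dict   # account -> day number of the last password change


def version_key(text):
    """'2.4.10' -> (2, 4, 10), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def rollback_regressions(current, snapshot, fixed_in):
    """List what restoring `snapshot` over `current` would undo.

    fixed_in maps package -> [(advisory_id, first_fixed_version), ...].
    Only fixes that are present now and absent in the snapshot are reported;
    a flaw that was never patched is not a rollback regression.
    """
    reexposed = []
    for pkg, advisories in fixed_in.items():
        now = current.packages.get(pkg)
        then = snapshot.packages.get(pkg)
        if now is None or then is None:
            continue
        for advisory, fixed in advisories:
            patched_now = version_key(now) >= version_key(fixed)
            patched_then = version_key(then) >= version_key(fixed)
            if patched_now and not patched_then:
                reexposed.append((advisory, pkg, then))
    # Accounts locked since the snapshot would become usable again.
    reenabled = sorted(current.disabled_accounts - snapshot.disabled_accounts)
    # Passwords rotated since the snapshot would revert to the old value.
    reverted = sorted(
        acct for acct, day in current.password_changed.items()
        if acct in snapshot.password_changed
        and snapshot.password_changed[acct] < day
    )
    return {
        "reexposed_advisories": sorted(reexposed),
        "reenabled_accounts": reenabled,
        "reverted_passwords": reverted,
    }


# Constructed sample data: package names and advisory ids are placeholders.
SNAPSHOT = VmState(
    packages={"webserver": "2.4.1", "tls-lib": "1.0.9", "shell": "5.1.0"},
    disabled_accounts=set(),
    password_changed={"admin": 10, "deploy": 12, "contractor": 12},
)
CURRENT = VmState(
    packages={"webserver": "2.4.10", "tls-lib": "1.0.9", "shell": "5.1.0"},
    disabled_accounts={"contractor"},
    password_changed={"admin": 40, "deploy": 12, "contractor": 12},
)
FIXED_IN = {
    "webserver": [("ADV-EXAMPLE-1", "2.4.3"), ("ADV-EXAMPLE-2", "2.4.10")],
    "tls-lib": [("ADV-EXAMPLE-3", "1.1.0")],
}

if __name__ == "__main__":
    for kind, items in rollback_regressions(CURRENT, SNAPSHOT, FIXED_IN).items():
        print(kind, items)
```

A restore workflow can refuse to start the rolled-back VM on a production network until the listed patches are reapplied and the listed accounts are locked again.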

3.2.3.6. Virtual Machine Life Cycle

Additionally, it is important to understand the lifecycle of the VMs and their changes in states as they move through the environment. VMs can be on, off, or suspended, which makes it harder to detect malware. Also, even when virtual machines are offline, they can be vulnerable [48]; that is, a virtual machine can be instantiated using an image that may contain malicious code. These malicious images can be the starting point of the proliferation of malware by injecting malicious code within other virtual machines in the creation process.

3.2.3.7. Virtual Networks

Network components are shared by different tenants due to resource pooling. As mentioned before, sharing resources allows attackers to launch cross-tenant attacks [44]. Virtual Networks increase the VMs interconnectivity, an important security challenge in Cloud Computing [73]. The most secure way is to hook each VM with its host by using dedicated physical channels. However, most use virtual networks to link VMs to communicate more directly and efficiently. For instance, most virtualization platforms such as Xen provide two ways to configure virtual networks: bridged and routed, but these techniques increase the possibility to perform some attacks such as sniffing and spoofing virtual network [68][74].

3.3. Analysis of Security Issues in Cloud Computing

We now systematically analyze existing security vulnerabilities and threats of Cloud Computing. For each vulnerability and threat, we identify what cloud service model or models are affected by these security problems.

Table 2 presents an analysis of vulnerabilities in Cloud Computing. This analysis offers a brief description of the vulnerabilities, and indicates what cloud service models (SPI) can be affected by them. For this analysis, we focus mainly on technology-based vulnerabilities; however, there are other vulnerabilities that are common to any organization, but they have to be taken into consideration since they can negatively impact the security of the cloud and its underlying platform. Some of these vulnerabilities are the following:

• Lack of employee screening and poor hiring practices [40] – some cloud providers may not perform background screening of their employees or providers. Privileged users such as cloud administrators usually have unlimited access to the cloud data.

• Lack of customer background checks – most cloud providers do not check their customer’s background, and almost anyone can open an account with a valid credit card and email. Apocryphal accounts can let attackers perform any malicious activity without being identified [40].

• Lack of security education – people continue to be a weak point in information security [75]. This is true in any type of organization; however, in the cloud, it has a bigger impact because there are more people that interact with the cloud: cloud providers, third-party providers, suppliers, organizational customers, and end-users.

Cloud Computing leverages many existing technologies such as web services, web browsers, and virtualization, which contributes to the evolution of cloud environments. Therefore, any vulnerability associated with these technologies also affects the cloud, and it can even have a significant impact.


Table 2. Vulnerabilities in Cloud Computing

ID | Vulnerabilities | Description | Layer

V01 | Insecure interfaces and APIs | Cloud providers offer services that can be accessed through APIs (SOAP, REST, or HTTP with XML/JSON) [65]. The security of the cloud depends upon the security of these interfaces [40]. Some problems are: a) Weak credential; b) Insufficient authorization checks; c) Insufficient input-data validation. Also, cloud APIs are still immature, which means that they are frequently updated. A fixed bug can introduce another security hole in the application [76]. | SPI

V02 | Unlimited allocation of resources | Inaccurate modeling of resource usage can lead to overbooking or over-provisioning [41]. | SPI

V03 | Data-related vulnerabilities | a) Data can be colocated with the data of unknown owners (competitors, or intruders) with a weak separation [59]; b) Data may be located in different jurisdictions which have different laws [43][76][77]; c) Incomplete data deletion – data cannot be completely removed [43][44][49][78]; d) Data backup done by untrusted third-party providers [78][79]; e) Information about the location of the data usually is unavailable or not disclosed to users [49]; f) Data is often stored, processed, and transferred in clear plain text | SPI

V04 | Vulnerabilities in Virtual Machines | a) Possible covert channels in the colocation of VMs [70][80][81]; b) Unrestricted allocation and deallocation of resources with VMs [79]; c) Uncontrolled Migration - VMs can be migrated from one server to another server due to fault tolerance, load balance, or hardware maintenance [65][67]; d) Uncontrolled snapshots – VMs can be copied in order to provide flexibility [53], which may lead to data leakage; e) Uncontrolled rollback could lead to reset vulnerabilities - VMs can be backed up to a previous state for restoration [67], but patches applied after the previous state disappear; f) VMs have IP addresses that are visible to anyone within the cloud - attackers can map where the target VM is located within the cloud (Cloud cartography [80]) | I

V05 | Vulnerabilities in Virtual Machine Images | a) Uncontrolled placement of VM images in public repositories [48]; b) VM images are not able to be patched since they are dormant artifacts [67] | I

V06 | Vulnerabilities in Hypervisors | a) Complex hypervisor code [82]; b) Flexible configuration of VMs or hypervisors to meet organization needs can be exploited | I

V07 | Vulnerabilities in Virtual Networks | Sharing of virtual bridges by several virtual machines [73] | I

From Table 2, we can conclude that data storage and virtualization are the most critical and that attacks on them can do the most harm. Attacks on lower layers have more impact on the other layers. Table 3 presents an overview of threats in Cloud Computing. Like Table 2, it also describes the threats that are related to the technology used in cloud environments, and it indicates what cloud service models are exposed to these threats. We put more emphasis on threats that are associated with data being stored and processed remotely, sharing resources, and the usage of virtualization.

Table 3. Threats in Cloud Computing

ID | Threats | Description | Layer

T01 | Account or service hijacking | An account theft can be performed by different ways such as social engineering and weak credentials. If an attacker gains access to a user’s credential, he can perform malicious activities such as access sensitive data, manipulate data, and redirect any transaction [40]. | SPI

T02 | Data scavenging | Since data cannot be completely removed from unless the device is destroyed, attackers may be able to recover this data [41][49][39]. | SPI

T03 | Data leakage | Data leakage happens when the data gets into the wrong hands while it is being transferred, stored, audited or processed [40][41][44][80]. | SPI

T04 | Denial of Service | It is possible that a malicious user will take all the possible resources. Thus, the system cannot satisfy any request from other legitimate users due to resources being unavailable. | SPI

T05 | Customer-data manipulation | Users attack web applications by manipulating data sent from their application component to the server’s application [44][55]. For example, SQL injection, command injection, insecure direct object references, and cross-site scripting. | S

T06 | VM escape | It is designed to exploit the hypervisor in order to take control of the underlying infrastructure [48][83]. | I

T07 | VM hopping | It happens when a VM is able to gain access to another VM (i.e., by exploiting some hypervisor vulnerability) [41][66] | I

T08 | Malicious VM creation | An attacker who creates a valid account can create a VM image containing malicious code such as a Trojan horse and store it in the provider repository [44]. | I

T09 | Insecure VM migration | Live migration of virtual machines exposes the contents of the VM state files to the network. An attacker can do the following actions: a) Access data illegally during migration [65]; b) Transfer a VM to an untrusted host [67]; c) Create and migrate several VM causing disruptions or DoS | I

T10 | Sniffing/Spoofing virtual networks | A malicious VM can listen to the virtual network or even use ARP spoofing to redirect packets from/to other VMs [68][73]. | I

The relationship between threats and vulnerabilities is illustrated in Table 4, which describes how a threat can take advantage of some vulnerability to compromise the system. The goal of this analysis is also to identify some existing defenses that can defeat these threats. This information can be expressed in a more detailed way using misuse patterns [11]. Misuse patterns describe how a misuse is performed from the point of view of the attacker. For instance, in threat T09, an attacker can read or tamper with the contents of the VM state files during live migration. This can be possible because VM migration transfers the data over network channels that are often insecure, such as the Internet. Insecure VM migration can be mitigated by the following proposed techniques: TCCP [84] provides confidential execution of VMs and secure migration operations as well. PALM [85] proposes a secure migration system that provides VM live migration capabilities under the condition that a VMM-protected system is present and active. Threat T08 is another cloud threat where an attacker creates a malicious VM image containing any type of virus or malware. This threat is feasible because any legitimate user can create a VM image and publish it on the provider’s repository where other users can retrieve them. If the malicious VM image contains malware, it will infect other VMs instantiated with this malicious VM image. In order to overcome this threat, an image management system was proposed, Mirage [71]. It provides the following security management features: access control framework, image filters, provenance tracking system, and repository maintenance services.

Table 4. Relationships between Threats, Vulnerabilities, and Countermeasures

Threat | Vulnerabilities | Incidents | Countermeasures

T01 | V01 | An attacker can use the victim’s account to get access to the target’s resources. | Identity and Access Management Guidance [86]; Dynamic credential [87]

T02 | V03a, V03c | Data from hard drives that are shared by several customers cannot be completely removed. | Specify destruction strategies on Service-level Agreements (SLAs)

T03 | V03a, V03c, V03d, V03f, V04a-f, V05a, V07 | Authors in [80] illustrated the steps necessary to gain confidential information from other VMs co-located in the same server as the attacker. Side channel [88] | FRS techniques [89]; Digital Signatures [90]; Encryption [88]; Homomorphic encryption [91]

T04 | V01, V02 | An attacker can request more computational resources, so other legal users are not able to get additional capacity. | Cloud providers can force policies to offer limited computational resources

T05 | V01 | Some examples are described in [55] such as SQL, command injection, and cross-site scripting | Web application scanners [92]

T06 | V06a, V06b | A zero-day exploit in the HyperVM virtualization application that destroyed about 100,000 websites [93] | HyperSafe [82]; TCCP (Trusted Cloud Computing Platform) [84]; TVDc (Trusted Virtual Datacenter) [94][95]

T07 | V04b, V06b | [96] presents a study that demonstrates security flaws in most virtual machines monitors |

T08 | V05a, V05b | An attacker can create a VM image containing malware and publish it in a public repository. | Mirage [71]

T09 | V04d | [97] has empirically showed attacks against the migration functionality of the latest version of the Xen and VMware virtualization products. | PALM [85]; TCCP [84]; VNSS [74]

T10 | V07 | Sniffing and spoofing virtual networks [73] | Virtual network framework based on Xen network modes: “bridged” and “routed” [73]

3.3.1. Countermeasures

In this section, we provide a brief description of each countermeasure mentioned before, except for threats T02 and T07.

3.3.1.1. Countermeasures for T01: Account or service hijacking

• Identity and Access Management Guidance: Cloud Security Alliance (CSA) is a non-profit organization that promotes the use of best practices in order to provide security in cloud environments. CSA has issued an Identity and Access Management Guidance [86] which provides a list of recommended best practices to assure identities and secure access management. This report includes centralized directory, access management, identity management, role-based access control, user access certifications, privileged user and access management, separation of duties, and identity and access reporting.

• Dynamic Credentials: [87] presents an algorithm to create dynamic credentials for mobile cloud computing systems. The dynamic credential changes its value once a user changes its location or when he has exchanged a certain number of data packets.


3.3.1.2. Countermeasures for T03: Data Leakage

• Fragmentation-redundancy-scattering (FRS) technique [89]: This technique aims to provide intrusion tolerance and, in consequence, secure storage. This technique consists of first breaking down sensitive data into insignificant fragments, so that no fragment has any significant information by itself. Then, fragments are scattered in a redundant fashion across different sites of the distributed system.

• Digital Signatures: [90] proposes to secure data using digital signature with RSA algorithm while data is being transferred over the Internet. They claimed that RSA is the most recognizable algorithm, and it can be used to protect data in cloud environments.

• Homomorphic encryption: The three basic operations for cloud data are transfer, store, and process. Encryption techniques can be used to secure data while it is being transferred in and out of the cloud or stored in the provider’s premises. Cloud providers have to decrypt cipher data in order to process it, which raises privacy concerns. In [91], they propose a method based on the application of fully homomorphic encryption to the security of clouds. Fully homomorphic encryption allows performing arbitrary computation on ciphertexts without being decrypted. Current homomorphic encryption schemes support a limited number of homomorphic operations such as addition and multiplication. The authors in [98] provided some real-world cloud applications where some basic homomorphic operations are needed. However, it requires a huge processing power which may impact on user response time and power consumption.


• Encryption: Encryption techniques have been used for a long time to secure sensitive data. Sending or storing encrypted data in the cloud will ensure that data is secure. However, this is true only assuming that the encryption algorithms are strong. There are some well-known encryption schemes such as AES (Advanced Encryption Standard). Also, SSL technology can be used to protect data while it is in transit. Moreover, [88] describes that encryption can be used to stop side channel attacks on de-duplication, but it may lead to offline dictionary attacks revealing personal keys.
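The fragmentation, redundancy, and scattering steps of the FRS technique listed above can be followed in a short sketch. This added example is not part of the original dissertation and is not the implementation from [89]: byte striping stands in for the fragmentation step, and the round-robin placement, the digest check, and the sample record are assumptions made for illustration.

```python
import hashlib


def fragment(data, k):
    """Byte-stripe data into k fragments: fragment i gets bytes i, i+k, i+2k, ...

    No fragment holds a contiguous run of the original, so a single
    fragment carries little meaning on its own.
    """
    return [data[i::k] for i in range(k)]


def scatter(fragments, n_sites, replicas):
    """Place each fragment on `replicas` distinct sites (round-robin).

    Returns (sites, digests): sites[s] maps fragment index -> bytes held by
    site s; digests[i] is the SHA-256 the data owner keeps for fragment i.
    """
    if not 1 <= replicas <= n_sites:
        raise ValueError("replicas must be between 1 and n_sites")
    sites = [dict() for _ in range(n_sites)]
    for i, frag in enumerate(fragments):
        for j in range(replicas):
            sites[(i + j) % n_sites][i] = frag
    digests = [hashlib.sha256(f).digest() for f in fragments]
    return sites, digests


def recover(sites, k, digests, unavailable=()):
    """Rebuild the data from reachable sites, ignoring corrupted copies."""
    found = {}
    for s, store in enumerate(sites):
        if s in unavailable:
            continue
        for i, frag in store.items():
            # Accept a copy only if it matches the digest kept by the owner.
            if i not in found and hashlib.sha256(frag).digest() == digests[i]:
                found[i] = frag
    missing = sorted(set(range(k)) - set(found))
    if missing:
        raise LookupError(f"fragments {missing} unrecoverable")
    # Undo the striping: byte n of the original is byte n // k of fragment n % k.
    total = sum(len(found[i]) for i in range(k))
    return bytes(found[n % k][n // k] for n in range(total))


# Constructed sample record, 5 fragments, 5 sites, 2 copies of each fragment.
SAMPLE = b"patient=constructed-0042;diagnosis=example"

if __name__ == "__main__":
    frags = fragment(SAMPLE, 5)
    sites, digests = scatter(frags, n_sites=5, replicas=2)
    print("site 0 holds fragments", sorted(sites[0]), "->", list(sites[0].values()))
    print("with site 3 down:", recover(sites, 5, digests, unavailable={3}))
    sites[0][0] = b"tampered"   # an intruder alters one copy on site 0
    print("after tampering: ", recover(sites, 5, digests))
```

With two copies per fragment the data survives the loss or corruption of any single site, while an intruder on one site sees only two of the five stripes.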
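The homomorphic-encryption item above states that a provider can compute on ciphertexts without decrypting them. The following added example (not part of the original dissertation) shows this for addition only, using a toy Paillier cryptosystem, which is additively homomorphic and is not the fully homomorphic scheme of [91]; the small primes and the sample values are constructed for illustration and give no real security.

```python
import math
import secrets


def keygen(p, q):
    """Paillier key pair from two distinct primes (toy sizes in this example)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # mu = L(g^lam mod n^2)^-1 mod n, where L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """Encrypt 0 <= m < n. A fresh random r makes encryption probabilistic."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("message out of range")
    while r is None or math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def decrypt(pub, priv, c):
    """Recover m from a ciphertext; needs the private key (lam, mu)."""
    n, _g = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n


# The two functions below use only the PUBLIC key: this is the part a cloud
# provider can run on data it cannot read.

def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 (mod n)."""
    n, _g = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 decrypts to k * m (mod n)."""
    n, _g = pub
    return pow(c, k, n * n)


def provider_sum(pub, ciphertexts):
    """Provider-side aggregation over ciphertexts only."""
    total = encrypt(pub, 0, r=1)          # E(0) with r = 1 is the neutral element
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen(10007, 10009)      # toy primes; real keys are far larger
    salaries = [52000, 61000, 48500]      # constructed sample values
    uploaded = [encrypt(pub, s) for s in salaries]
    encrypted_total = provider_sum(pub, uploaded)
    print("provider sees only:", encrypted_total)
    print("customer decrypts: ", decrypt(pub, priv, encrypted_total))
```

Results must stay below n, since the arithmetic is modulo n; the scheme offers addition and multiplication by a known constant, not multiplication of two encrypted values.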

3.3.1.3. Countermeasures for T05: Customer Data Manipulation

• Web application scanners: Web applications can be an easy target because they are exposed to the public including potential attackers. A web application scanner [92] is a program which scans web applications through the web front-end in order to identify security vulnerabilities. There are also other web application security tools such as web application firewalls. A web application firewall routes all web traffic through itself and inspects it for specific threats.

3.3.1.4. Countermeasures for T06: VM Escape

• HyperSafe [82]: It is an approach that provides hypervisor control-flow integrity. HyperSafe’s goal is to protect type I hypervisors using two techniques: non-bypassable memory lockdown, which protects write-protected memory pages from being modified, and restricted pointer indexing, which converts control data into pointer indexes. In order to evaluate the effectiveness of this approach, they have conducted four types of attacks: modifying the hypervisor code, executing the injected code, modifying the page table, and tampering with a return table. They concluded that HyperSafe successfully prevented all these attacks, and that the performance overhead is low.

• Trusted Cloud Computing Platform: TCCP [84] enables providers to offer closed execution environments, and allows users to determine if the environment is secure before launching their VMs. The TCCP adds two fundamental elements: a trusted virtual machine monitor (TVMM) and a trusted coordinator (TC). The TC manages a set of trusted nodes that run TVMMs, and it is maintained by a trusted third party. The TC participates in the process of launching or migrating a VM, which verifies that a VM is running in a trusted platform. The authors in [99] claimed that TCCP has a significant downside due to the fact that all the transactions have to be verified with the TC, which creates an overload. They proposed to use Direct Anonymous Attestation (DAA) and Privacy CA scheme to tackle this issue.

• Trusted Virtual Datacenter: TVDc [94][95] ensures isolation and integrity in cloud environments. It groups virtual machines that have common objectives into workloads named Trusted Virtual Domains (TVDs). TVDc provides isolation between workloads by enforcing mandatory access control, hypervisor-based isolation, and protected communication channels such as VLANs. TVDc provides integrity by employing a load-time attestation mechanism to verify the integrity of the system.

36

3.3.1.5. Countermeasures for T08: Malicious Virtual Machine Creation

• Mirage: In [71], the authors propose a virtual machine image management system for cloud computing environments. This approach includes the following security features: an access control framework, image filters, provenance tracking, and repository maintenance services. However, one limitation of this approach is that filters may not be able to scan for all malware or remove all the sensitive data from the images. Also, running these filters may raise privacy concerns because they have access to the content of the images, which can contain customers’ confidential data.

3.3.1.6. Countermeasures for T09: Insecure Virtual Machine Migration

• Protection Aegis for Live Migration of VMs (PALM): [85] proposes a secure live migration framework that preserves integrity and privacy protection during and after migration. The prototype of the system was implemented based on Xen and GNU Linux, and the results of the evaluation showed that this scheme only adds slight downtime and migration time due to encryption and decryption.

• VNSS: [74] proposes a security framework that customizes security policies for each virtual machine, and it provides continuous protection through virtual machine live migration. The authors implemented a prototype system based on Xen hypervisors using stateful firewall technologies and userspace tools such as iptables, the xm command program, and conntrack-tools. They conducted some experiments to evaluate their framework, and the results revealed that the security policies are in place throughout live migration.

3.3.1.7. Countermeasures for T010: Sniffing/Spoofing virtual networks

• Virtual Network Security: Wu et al. [73] present a virtual network framework that secures the communication among virtual machines. This framework is based on Xen, which offers two configuration modes for virtual networks: “bridged” and “routed”. The virtual network model is composed of three layers: routing layers, firewall, and shared networks, which can prevent VMs from sniffing and spoofing. An evaluation of this approach had not been performed when the work was published.

Furthermore, web services are the largest implementation technology in cloud environments. However, web services also lead to several challenges that need to be addressed. Web services security standards describe how to secure communication between applications through integrity, confidentiality, authentication and authorization. There are several security standard specifications [12] such as Security Assertion Markup Language (SAML), WS-Security, Extensible Access Control Markup Language (XACML), XML Digital Signature, XML Encryption, XML Key Management Specification (XKMS), WS-Federation, WS-Secure Conversation, WS-Security Policy and WS-Trust. The NIST Cloud Computing Standards Roadmap Working Group has gathered high level standards that are relevant for Cloud Computing.

3.4. Summary

We have presented security issues for cloud models: IaaS, PaaS, and SaaS, which vary depending on the model. As described in this chapter, storage, virtualization, and networks are the biggest security concerns in Cloud Computing. Virtualization, which allows multiple users to share a physical server, is one of the major concerns for cloud users. Another challenge is that there are different types of virtualization technologies, and each type may approach security mechanisms in different ways. Virtual networks are also a target for some attacks, especially when communicating with remote virtual machines.

Some surveys have discussed security issues about clouds without making any distinction between vulnerabilities and threats. We have focused on this distinction, which we consider important for understanding these issues. Enumerating these security issues was not enough; that is why we related threats to vulnerabilities, so we can identify which vulnerabilities contribute to the execution of these threats and make the system more robust. Also, some current solutions were listed in order to mitigate these threats. However, new security techniques are needed, as well as redesigned traditional solutions that can work with cloud architectures. Traditional security mechanisms may not work well in cloud environments because a cloud is a complex architecture that is composed of a combination of different technologies.

4. REFERENCE ARCHITECTURE

Various reference architectures for clouds have been defined by IBM [6], HP [7], NIST [8], and Oracle [9][100]. However, these reference architectures mostly provide high level definitions and cloud components. Also, some of them provide implementation details using their proprietary solutions. They only focus on requirements for the cloud as an entire system, but we believe that each service delivery model has its own requirements that need to be taken into consideration in order to define a precise reference architecture.

We develop a reference architecture that provides a conceptual model defining the three most fundamental delivery models: IaaS, PaaS, and SaaS.

Our proposed reference architecture includes use case models which represent the basic functions of cloud environments. These use cases help us to identify the main actors who interact with the system and are responsible for their actions. Use cases can be used to analyze the threats to their activities and to find where the system is vulnerable.

Therefore, we have listed common use cases that can be applied to any cloud delivery model. However, we also provide some use cases in detail for each cloud model.

Moreover, in order to identify what cloud components are compromised once an attack happens, we have developed a class diagram that shows the composition of a cloud. By defining precisely the units of a cloud architecture, we can observe the progression of an attack and define ways to stop its advance. We have also developed patterns for the cloud service models that describe more detailed cloud units [101][102].

4.1. Cloud Architecture Overview

Figure 8 presents an overview of a cloud architecture, which shows its fundamental and support services. Later sections will describe detailed cloud services levels in the form of patterns.

As depicted in Figure 8, a cloud reference architecture is composed of four basic layers: hardware, IaaS, PaaS, and SaaS. The hardware layer represents the physical infrastructure including servers, network, and storage. These physical resources are grouped into nodes, and nodes which are physically close to each other form a cluster.

The IaaS layer provides virtualized computer resources in the form of virtual machines (VMs). VMs are created and managed by virtual machine monitors (VMMs), which access the underlying infrastructure on their behalf. A virtual machine image is used for instantiating a VM. Typically a virtual machine image contains an operating system, basic configuration information such as number of CPUs, amount of memory, size of disk, and pre-installed applications. The PaaS layer is built on top of the IaaS layer, which provides a set of virtual machines to create, develop, deploy and test applications online. The SaaS layer, which provides a set of applications on demand over the network, can be built either on top of IaaS or on top of PaaS. All these cloud services and their components are managed through the Management Services unit, which provides functions that allow providers to set up, deliver, provision, and monitor their services. This unit also provides business services that support cloud services such as pricing, metering, billing, account management, contracts and others. Non-functional services such as security, availability, portability, interoperability and reliability must be implemented across all layers of the reference architecture.

Figure 8: Cloud Architecture Overview

4.2. Cloud Computing Standards

There is a need for a set of cloud standards including security, portability and interoperability standards in order to promote the adoption of Cloud Computing. Serious problems may arise when a customer wants to move his application or data to another cloud vendor. He can end up having his data or applications in a format that is not supported by other cloud providers. Many cloud vendors offer their own proprietary services, which makes it difficult for customers to migrate to another vendor. There are few standards for clouds, but NIST is leading some work in this direction by identifying current standards and standard gaps [103]. Cloud computing leverages existing technologies including web services, the Internet, and virtualization. There are many standards that support these technologies. Existing web services standards have emerged to solve security, reliability and interoperability concerns. Other standards are under development in order to support cloud computing functions and requirements. A complete list of standards that are related to cloud computing and cloud-specific standards can be found in [104]. Some of them are:

• Open Virtualization Format (OVF) [105], developed by the Distributed Management Task Force (DMTF), is an open standard for packaging and securely distributing virtual appliances across different virtual environments. Some vendors use OVF in their products, such as VMware [106], IBM’s SmartCloud [107], VirtualBox [108], and OpenStack [109].

• Cloud Infrastructure Management Interface (CIMI) [110], developed by DMTF, standardizes interactions between clouds in order to achieve interoperable cloud infrastructure management between cloud providers and consumers. This standard has been released recently with the collaboration of Microsoft, Oracle, IBM, Hitachi, VMware, and others.

• Open Cloud Computing Interface (OCCI) [111] from the Open Grid Forum describes APIs that allow cloud providers to expose their services through standardized interfaces. Some cloud vendors, such as OpenNebula [112] and OpenStack [109], offer APIs that are based on the OCCI standard.

• Cloud Data Management Interface (CDMI) [113] from the Storage Networking Industry Association (SNIA) defines the functional interface that applications will use to create, retrieve, update and delete data elements from clouds. CDMI was produced with the collaboration of different organizations.

Several private and government organizations have developed standards to ensure that some level of security is followed by an organization. However, some standards, such as web services standards, are not well adopted by organizations for several reasons, among them their ambiguities. We can eliminate or reduce confusion by defining precisely a reference architecture. This reference architecture can be used as a starting point for developing standards for clouds to ensure that the fundamental definitions and cloud components are well understood.

4.3. Use Case Model

As part of the reference architecture for Cloud Computing, we define a use-case model which describes some common functions for cloud environments. The Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) project at NIST [114] has produced a list of use cases related to portability, interoperability, and security.

The Cloud Computing Use Case Discussion Group [115] defines common use case scenarios for Cloud Computing. This work describes the capabilities and requirements that need to be standardized in order to achieve interoperability, integration, and portability. This collaborative work describes seven typical scenarios in Cloud Computing: cloud applications accessed by end users, cloud applications accessed by a company’s employees and end users, cloud applications integrated with a company’s internal processes, cloud applications accessed by partner companies, private clouds, changing cloud vendors, and hybrid clouds. [116] provides a use-case model for SaaS which shows how a system behaves. Also, the authors in [117] describe a use-case model that shows functional requirements for PaaS models. Based on these previous works, we compile general functions that can be applied in all cloud services (Figure 9). However, the details of some use cases will vary from one cloud model to another. Thus, we produce use case models for each cloud service as well. Use cases can help to identify possible flaws in the system by analyzing their activities.

Also, use cases aim to identify actors that will interact with the system. An actor can be either a person or an institution. There are four main roles: cloud consumer, cloud provider, cloud auditor, and cloud broker.

Cloud Consumer: A cloud consumer is a person or an institution that uses a service from a cloud provider. If the cloud consumer is an institution, then there may be different sub-roles. For example, SaaS consumers can be end users who directly consume the applications, service administrators who configure applications for end users, business managers who are responsible for the financial aspects, or IT managers who are responsible for integrating the cloud services with local processes. However, PaaS consumers can also be application developers, testers, and deployers, and IaaS consumers can be IT managers, system developers, and system administrators as well.

Cloud Provider: A cloud provider can also be a person or an institution that provides a service to the cloud consumer. The cloud administrator is a super role that can be divided into three other roles: IaaS administrator, PaaS administrator, and SaaS administrator. Each administrator can be divided into two main actors: service operations administrator and service business administrator. A service operations administrator is responsible for setting up, monitoring, managing, deploying and provisioning cloud services. A service business administrator establishes business relationships with cloud consumers, such as setting up accounts and signing contracts.

Cloud Auditor: A cloud auditor can be part of the cloud provider or it can be a third party that evaluates cloud services offered by a cloud provider in terms of security, privacy, availability, performance, etc. Auditors express an opinion on whether a cloud service complies with certain standards. In many industries, such as healthcare and finance, there are strong regulations such as HIPAA that dictate how data should be handled and where it should be stored. Auditors can verify whether a cloud provider follows these regulations.

Cloud Broker: Multiple cloud providers offer disparate services that may be too complex for consumers to integrate. This is where a cloud broker appears. A cloud broker is an entity that intermediates between cloud consumers and providers, so instead of contacting a cloud provider directly, a cloud consumer contacts a cloud broker. A cloud broker can improve some functionalities or combine different services from different cloud providers.

The following use cases represent common functions for cloud services in general, where service represents IaaS, PaaS, or SaaS.

• Open Account: A cloud consumer requests to open an account in order to subscribe to a service. To open an account, a consumer typically provides his email address and credit card information. The provider may verify that the provided email address and credit card information are valid.

• Request Service: A consumer requests a service from the cloud provider, who validates that the user has a valid account. The cloud provider deploys the service based on the user’s request.

• Consume Service: A consumer starts using the service. Once the consumer starts consuming a service, the provider starts metering the consumer’s usage of the service. The collected information will be passed to the billing process in order to generate invoices for payments.

• Modify Service: Consumers request to increase or decrease cloud resources or change the type of service.

• Request Service Removal: A consumer requests to terminate the service. The cloud provider releases the allocated resources. Also, the provider sends the final billing.

• Close Account: A consumer requests to close the account. He may also request to return his data or to transfer the data to another cloud. Providers will terminate all the services to which the consumer was subscribed, and issue the last bill.

• Pay Bill: A consumer pays either directly to the provider or through a financial institution.

• Setup Service: Cloud providers are responsible for the hardware and software installation in order to deliver their services.

• Register Service: Once the service is set up, cloud providers need to publish a list of available services in some sort of catalog where users can locate them.

• Monitor Service: Cloud providers monitor the status of the system and its resources. In IaaS, providers monitor their underlying infrastructures (servers, storage and network), and the virtual resources. In PaaS, providers monitor the virtual development and deployment environments, and SaaS providers monitor the performance of their applications.

• Manage Service: Management operations include allocation of virtual and physical resources, and application configuration and provisioning. Also, they include security management operations such as authentication, authorization, data protection, and resource isolation.

• Meter Usage: Depending on the pricing model, there may be a need to meter customer usage of the service such as processing power, network bandwidth and storage space. The collected information will be passed to the billing process in order to generate invoices for payments.

• Update Service: Cloud providers handle the update of their current services such as patching and upgrading current versions of software, and acquisition of new software or hardware.

• Generate reports: Generate reports to provide the status of the service, resource usage, resources available, etc.

• Audit Service: Cloud providers can ask third-party auditors to audit their facilities and operations in order to evaluate their services in terms of security, privacy, performance and others. Auditors can also certify that a cloud service is compliant with certain standards.

Figure 9: Common Use Cases for Cloud Computing

Figure 10 shows some typical use cases for Infrastructure-as-a-Service.

• Setup Infrastructure: IaaS providers set up all underlying infrastructure: hardware (servers, storage and network) and the virtualization software.

• Create VMI: Both users and IaaS providers can create Virtual Machine Images (VMI) from scratch. A VMI contains the initial configuration files which may include operating system, number of CPUs, amount of memory, size of disk, and pre-installed applications. VMIs are used to instantiate Virtual Machines.

• Register VMI: VMIs are stored in a repository where they can be accessed by users.

• Modify VMI: Users may need to modify existing VMIs to meet their requirements.

• Request VM: Users specify the amount of computational resources and types of software components needed in a new VM.

• Create VM: The IaaS provider allocates resources and creates a VM with the requirements specified by the user such as memory size, CPU size, storage size, and other customization information.

• Consume VM: A party starts using the VM by installing and configuring any application. The cloud provider also starts metering the usage of the service in order to send this information to the billing process.

• Modify VM: Parties ask their providers to increase or decrease computing and storage resources.

• Manage VM: There are some management operations that a party can perform on their virtual machine once it is created, such as: start, migrate, suspend, shutdown, resume, rollback, and restart.

• Manage set of VMs: The Cloud Administrator can also perform some management operations on the virtual machines that are under his supervision for fault tolerance, hardware maintenance, workload balancing, and elastic scaling.

Figure 10: Use Case Diagram for IaaS

Figure 11 shows the use case diagram for Platform-as-a-Service.

• Setup Environment: The PaaS provider configures the environment that hosts development languages, databases, libraries, and other components and tools in order to develop and deploy applications. If the PaaS provider does not own the underlying infrastructure including network, servers and storage, he has to rent the infrastructure where environments will be hosted.

• Manage Environment: The PaaS provider manages the installation, upgrading, configuration, and patching of all the development and deployment tools.

• Request Environment: A user requests an environment to develop, test, or deploy his own application.

• Consume Environment: Developers (users) can start coding, testing, or deploying their custom applications. Developers may have the option to work offline where they have to install a client application in their local machines. While the party uses the environment, it is metered in order to generate the bill for the service usage.

Figure 11: Use Case Diagram for PaaS

Figure 12 shows the use case diagram for Software-as-a-Service.

• Setup Application: The SaaS provider installs the application on the cloud, so it can be accessible on demand. The SaaS provider does not necessarily own the physical infrastructure where the application is running. In this case, the SaaS provider has to rent the infrastructure or platform for hosting its applications.

• Manage Application: The SaaS provider is in charge of the configuration, updates and patches of the SaaS applications.

• Register Application: The SaaS provider registers applications so they can be accessible to SaaS users.

• Request Application: A user requests to use an application.

• Consume Application: A user starts consuming the application and the data is saved on the cloud. The user may need to download a client application on his local machine and then the data is synchronized with the data in the cloud.

Figure 12: Use Case Diagram for SaaS

4.4. Infrastructure-as-a-Service

4.4.1. Intent

Describe the infrastructure to allow the sharing of distributed virtualized computational resources such as servers, storage, and network.

4.4.2. Context

Distributed systems where we want to improve the utilization of resources and provide convenient access to all users.

4.4.3. Problem

Some organizations do not have the resources to invest in infrastructure, middleware, or applications needed to run their businesses. Also, they may not be able to handle higher demands, or they cannot afford to maintain and store unused resources. How can they get access to computational resources?

4.4.4. Forces

• Transparency - The underlying architecture should be transparent to its users. Users should be able to use the provider’s services without understanding its infrastructure.

• Flexibility - Different infrastructure configurations and amounts of resources can be demanded by users.

• Elasticity - Users should be able to expand or reduce resources in order to meet the different needs of their applications.

• Pay-per-use - Users should only pay for the resources they consume.

• On demand service - Services should be provided on demand.

• Manageability - In order to manage a large amount of service requests, the cloud resources must be easy to deploy and manage.

• Accessibility - Users should access resources from anywhere at any time.

• Testability - We intend to develop system programs in this environment and we need to test them conveniently.

• Shared resources - Many users should be able to share resources in order to increase the amount of resource utilization and thus reduce costs.

• Isolation - Different user execution instances should be isolated from each other.

• Shared Non-functional requirements provision (NFRs) - Sharing of the costs to provide NFRs is necessary to allow providers to offer a higher level of NFRs.

• Security - This level is the basis for execution of the complete cloud system and its degree of security will affect all the applications running on it. We should provide a convenient and measurable structure to define security requirements.

4.4.5. Solution

The solution to this problem is a structure that is composed of many servers, storage, and a network, which can be shared by multiple users and accessible through the Internet. These resources are provided to the users as a form of service called Infrastructure-as-a-Service (IaaS). IaaS is based on virtualization technology which creates unified resources that can be shared by different applications. This foundation layer – IaaS – can be used as a reference for non-functional requirements.

Structure

Figure 13 shows a class diagram for a cloud infrastructure. The Cloud Controller is the main component, which processes requests from a Party (actor) through a Portal. A Portal is the external interface where a Party makes requests to the cloud provider. A Party can be an institution or a user (customers and administrators). A Party can have one or more Accounts. The Cloud Controller receives requests from the users. A Cloud Controller controls a set of Cluster Controllers, and the Cluster Controller is composed of Node Controllers, which consist of a pool of Hardware (Servers, Storage and Network). The Cluster Controller handles the state information of its Node Controllers, and schedules incoming requests to run instances. A Node Controller controls the execution, monitoring, and termination of the VMs through a Virtual Machine Monitor (VMM), which is responsible for creating and running Virtual Machine (VM) instances. The Cloud Controller retrieves and stores user data and Virtual Machine Images (VMI). The Virtual Machine Image Repository contains a collection of Virtual Machine Images that are used to instantiate a VM. The Dynamic Host Configuration Protocol (DHCP) server assigns a MAC/IP (Media Access Control/Internet Protocol) address pair for each VM through the Cloud Controller, and requests the Domain Name System (DNS) server to translate domain names into IP addresses in order to locate cloud resources.

Figure 13: Class Diagram for Infrastructure-as-a-Service architecture

Dynamics

UC1: Create a Virtual Machine (Figure 14)

For the creation of a VM, a party can provide the location for his VM, or it can be assigned by the provider. For this use case, we assume that the party provides the location.

Summary: Creation of a Virtual Machine for a party who provides the list of resources needed, the virtual machine image, and the location for his VM.

Actor: Party

Precondition: The party has a valid account

Description:

a) A party requests a set of computational resources and chooses the virtual machine image and the location where the VM is going to be located.

b) The Cloud Controller verifies whether the requester has a valid account.

c) The Cloud Controller requests the Cluster Controller that controls the specified location to create a VM.

d) The Cluster Controller chooses the first Node Controller that can support the computational resources requirements.

e) The Cluster Controller requests the Node Controller to create a VM.

f) The Node Controller sends the request to the VMM, which is in charge of actually creating the VM.

g) The VMM creates a VM with the requested resources and assigns it to the party’s account.

h) The Cloud Controller acknowledges to the Party through the portal that the VM has been created.

Postcondition: A virtual machine is created and assigned to an account and to the hardware.

Figure 14: Sequence Diagram for Use Case Create a Virtual Machine

UC2: Migrate a Virtual Machine (Figure 15)

The administrator can migrate a VM to a specific Node Controller that can be located in the same or in a different Cluster Controller. The administrator can also migrate a VM to a specific location or to the first node that has the available resources. For the scenario below, we assume that the administrator will move a VM to the first available Node Controller within the same Cluster Controller.

Summary: A VM is migrated from one Node Controller to another one

Actor: Administrator

Precondition: A VM resides in some Node Controller (Compute Node Source)

Description:

a) The Administrator requests the Cloud Controller to migrate a VM. However, the migration process can also be automatic, for example due to load balancing.

b) The Cloud Controller sends a request to the Cluster Controller to start the migration of the VM.

c) The Cluster Controller requests the Node Controller Source to stop the VM. The Node Controller Source forwards this request to the VMM Source.

d) The VMM Source stops the VM and copies the content of the VM.

e) Do the same as UC1.

f) The VMM Source sends the content of the VM to the VMM destination.

g) The VMM destination copies the content into the new VM.

Postcondition: The VM has migrated to another host

Figure 15: Sequence Diagram for Use Case Migrate a Virtual Machine
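
The following Python sketch is an added example, not code from the dissertation or from any cloud product: it walks UC1 and UC2 through the Cloud Controller, Cluster Controller and Node Controller classes of Figure 13 and logs every decision, so each activity can be reviewed for threats. The audit log, the `channel` parameter, the digest comparison during migration, choosing the destination before the stop, and all sample names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from itertools import count


@dataclass
class VM:
    vm_id: int
    owner: str              # account the VM is assigned to (UC1 step g)
    image: str
    cpus: int
    mem_mb: int
    content: bytes = b""    # stands in for disk and memory state
    running: bool = True


class NodeController:
    """One node; self.vms stands in for the VMM that runs the instances."""
    def __init__(self, name, cpus, mem_mb):
        self.name, self.cpus, self.mem_mb, self.vms = name, cpus, mem_mb, {}

    def can_host(self, cpus, mem_mb):
        used_cpus = sum(v.cpus for v in self.vms.values())
        used_mem = sum(v.mem_mb for v in self.vms.values())
        return cpus <= self.cpus - used_cpus and mem_mb <= self.mem_mb - used_mem


class ClusterController:
    def __init__(self, nodes):
        self.nodes = nodes

    def first_fit(self, cpus, mem_mb, exclude=None):
        # UC1 step d: first Node Controller that can support the request.
        for node in self.nodes:
            if node is not exclude and node.can_host(cpus, mem_mb):
                return node
        raise RuntimeError("no node with enough free resources")

    def locate(self, vm_id):
        for node in self.nodes:
            if vm_id in node.vms:
                return node
        raise LookupError(f"unknown VM {vm_id}")


class CloudController:
    def __init__(self, clusters, accounts, admins, images):
        self.clusters = clusters        # location -> ClusterController
        self.accounts, self.admins = set(accounts), set(admins)
        self.images = set(images)       # contents of the VMI repository
        self.audit = []                 # (actor, action, outcome) tuples
        self._ids = count(1)

    def _check(self, ok, actor, action, error):
        # Log every decision, denials included, then enforce it.
        self.audit.append((actor, action, "ok" if ok else "denied"))
        if not ok:
            raise error

    def create_vm(self, account, image, location, cpus, mem_mb):
        self._check(account in self.accounts, account, "create:account",
                    PermissionError("no valid account"))           # step b
        self._check(image in self.images, account, "create:image",
                    LookupError("image not in repository"))
        node = self.clusters[location].first_fit(cpus, mem_mb)     # steps c-d
        vm = VM(next(self._ids), account, image, cpus, mem_mb)
        node.vms[vm.vm_id] = vm                                    # steps e-g
        self.audit.append((account, f"create:vm{vm.vm_id}@{node.name}", "ok"))
        return vm                                                  # step h

    def migrate_vm(self, admin, vm_id, location, channel=lambda data: data):
        self._check(admin in self.admins, admin, "migrate:role",
                    PermissionError("administrator role required"))
        cluster = self.clusters[location]
        src = cluster.locate(vm_id)
        vm = src.vms[vm_id]
        # Added safeguard, not a step on the page: choose the destination
        # before stopping, so a failed migration cannot leave the VM down.
        dst = cluster.first_fit(vm.cpus, vm.mem_mb, exclude=src)
        vm.running = False                                         # steps c-d
        # Assumption: the digest travels on the control path between the
        # controllers, the content on the (possibly hostile) data path.
        sent = hashlib.sha256(vm.content).hexdigest()
        received = channel(vm.content)                             # step f
        ok = hashlib.sha256(received).hexdigest() == sent
        vm.running = not ok             # on failure the source VM resumes
        self._check(ok, admin, f"migrate:vm{vm_id}:integrity",
                    RuntimeError("VM content changed in transit"))
        del src.vms[vm_id]                                         # steps e, g
        dst.vms[vm_id] = VM(vm_id, vm.owner, vm.image, vm.cpus, vm.mem_mb, received)
        return dst.name


def build_sample_cloud():
    # Constructed sample data: every name and size here is illustrative.
    nodes = [NodeController("node-1", 4, 4096), NodeController("node-2", 4, 4096)]
    cluster = ClusterController(nodes)
    return CloudController({"zone-a": cluster}, {"alice"}, {"root-admin"}, {"linux-base"})
```

Each entry in `audit` corresponds to one activity of the sequence diagrams, which is the granularity at which the misuse-case analysis asks what an attacker could do at that step.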

4.4.6. Implementation

As an example, we show the implementation of one of the known uses of this pattern. There are many ways to implement our conceptual models and this is just one possible way to do it. Eucalyptus [14] is open source software that allows one to implement Infrastructure in order to run and control virtual machine instances via Xen and KVM. Eucalyptus consists of five main components that are described in Figure 16 [118].

Figure 16: Eucalyptus’ main components

The two higher level components are the Cloud Controller and Walrus. The Cloud Controller is a Java program that offers EC2-compatible SOAP and web interfaces. Walrus is a data store where users can store and access virtual machine images and their data. Walrus can be accessed through S3-compatible SOAP and REST interfaces. Top-level components can aggregate resources from several clusters. Each cluster needs a Cluster Controller, which is typically deployed on the head-node of a cluster. Each node will also need a Node Controller for controlling the hypervisor. Cluster Controllers and Node Controllers are deployed as web services, and communications between them take place over SOAP with WS-Security [119].

A cloud can be set up as a single cluster where the Cloud Controller and the Cluster Controller are located on the same machine, which is referred to as the front-end. All other machines running the Node Controllers are referred to as the back-end. However, there could also be a more advanced configuration which comprises several Cluster Controllers or Walrus deployed on different machines.

A typical configuration includes [120]:

• 1 Cloud Controller (CPU-1GHz, Memory-512MB, Disk-5400rpm IDE, Disk space-40GB)

• 1 Walrus Controller (CPU-1GHz, Memory-512MB, Disk-5400rpm IDE, Disk space-40GB)

• 1 Cluster Controller + Storage Controller (CPU-1GHz, Memory-512MB, Disk-5400rpm IDE, Disk space-40GB)

• Nodes (VT extensions, Memory-1GB, Disk-5400rpm IDE, Disk space-40GB)

4.4.7. Known Uses

• Eucalyptus [14] is an open source framework used for hybrid and private cloud computing.

• OpenNebula [15] is an open source toolkit to build clouds.

• [121] is an open source set of tools that offers IaaS capabilities to the scientific community.

• Amazon’s EC2 [13] provides compute capacity through web services.

• HP Cloud Services [122] is a public cloud solution that provides scalable virtual servers on demand.

• IBM SmartCloud Foundation [123] offers servers, storage and virtualization components in order to build private, public and hybrid clouds.

4.4.8. Consequences

The Cloud Infrastructure Pattern provides the following benefits:

• Transparency – Cloud users are usually not aware of where their virtual machines are running or where their data is stored. However, in some cases users can request a general location zone for virtual machines or data.

• Flexibility – Cloud users can request different types of computational and storage resources. For instance, Amazon’s EC2 [13] provides a variety of instance types and operating systems.

• Elasticity – Resources provided to users can be scaled up or down depending on their needs. Multiple virtual machines can be initiated and stopped in order to handle increased or decreased workloads.

• Pay-per-Use – Cloud users can save on hardware investment because they do not need to purchase more servers. They just need to pay for the services that they use. Cloud services are usually charged using a fee-for-service billing model [2]. For instance, users pay for the storage, bandwidth or computing resources they consume per month.

• On demand services – IaaS providers deliver computational resources, storage and network as services with one click.

• Manageability – Users place their requests to the cloud administrator who allocates, migrates, and monitors VMs.

• Accessibility – Cloud services are delivered using user-centric interfaces via the Internet [124] from anywhere and anytime.

• Testability – Having an isolated environment allows testing system programs without affecting the execution of other virtual machines.

• Shared resources – Virtualization makes it possible to share a pool of resources such as processing capacity, storage, and networks. Thus, a higher utilization rate can be reached [125].

• Isolation – A VMM provides strong isolation between different virtual machines, whose guest operating systems are then protected from one another [126].

• Shared Non-functional requirements (NFRs) provision – Some IaaS providers offer security features such as authentication and authorization to customers that can be added as part of the service. Sharing allows the provider to offer a higher degree of NFRs at a reasonable cost.

• Security – Security defenses can be defined with respect to this architecture. For example, the connection of users to the cloud controller may be mutually authenticated to avoid impostors from either side.

The Cloud Infrastructure Pattern has the following liabilities:

• Cloud computing is dependent on network connections. While using cloud services, users must be connected to the Internet, although a limited amount of work can be done offline.

• The cloud may bring security risks in the areas of privacy and confidentiality, since users do not have control of the underlying infrastructure.

• The isolation between VMs may not be so strong [10].

• Virtualization introduces some performance overhead.

4.4.9. Related Patterns

• The Virtual Machine Operating System [127] describes the VMM and its created VMs from the point of view of an OS architecture.

• The Grid Architectural Pattern [128] allows the sharing of distributed and heterogeneous computational resources such as CPU, memory, and disk storage for a grid environment.

• Misuse patterns [10] describe possible attacks to cloud infrastructures.

• The Platform-as-a-Service (PaaS) pattern describes development platforms that provide virtual environments for developing applications in the cloud.

• Party [31] indicates that users can be individuals or institutions.

4.5. Platform-as-a-Service

4.5.1. Intent

Provide virtual environments for developing, deploying, monitoring, and managing applications online without the cost of buying and managing the corresponding software tools or hardware.

4.5.2. Context

PaaS services are built on top of the cloud’s Infrastructure-as-a-Service (IaaS), which provides the underlying infrastructure.

4.5.3. Problem

Organizations may want to develop their own custom applications without buying and maintaining the developing tools, databases, operating systems, and infrastructure underneath them. Also, when the team is spread across several places, it is necessary to have a convenient way to coordinate their work. How do we provide these functions?

This problem is affected by the following forces:

• Collaboration – Sometimes teams of developers are located in different geographic locations. When working on a project, they all should have access to the development tools, code, and data.

• Coordination – When many developers work on a complex project, we need to coordinate their work.

• Elasticity – There should be a way to increase or decrease resources for more compute-intense development and deployment tasks.

• Pay-for-use – Parties should only pay for the resources that they use.

• Transparency – Developers should not be concerned about the underlying infrastructure, including hardware and operating systems, and its configuration for development and deployment.

• On demand services – The developers should have the ability to request an application tool and start using it.

• Accessibility – Developers should be able to access the tools via standard networks and from anywhere at any time.

• Testability – We intend to develop application programs in this environment and we need to test them conveniently.

• Versatility – The platform should be able to be used to build applications for any domain or type of application. Also, different options for developing tools should be offered to the users.

• Simplification – Developers should be able to build applications without installing any specialized tools or software in their computers.

• Security – The platform should offer facilities to develop secure programs and should itself be protected from attacks.

4.5.4. Solution

PaaS offers virtual execution environments with shared tools and libraries for application development, deployment and testing into the cloud. PaaS uses IaaS as a foundation layer (servers, storage, and network). PaaS hides the complexity of managing the infrastructure underneath.

Structure

Figure 17 shows a class diagram for a cloud Platform-as-a-Service (PaaS). The Portal is an external interface where a party makes requests to the PaaS Provider that checks if the party has a valid account. A Party can be an Institution or a User (developers, administrators). The Party will choose the developing tools from the Software Repository which contains a list of developing tools available for the users. The PaaS provider offers Virtual Environments such as Development Environment, Deployment Environment, and Testing Environment. The Development Environment is composed of Development Tools, Libraries, and Databases. The Virtual Environments are built upon the IaaS (Infrastructure-as-a-Service) which provides the underlying hardware. The same PaaS Provider can manage the IaaS, or it can be managed by a third-party service provider.

Figure 17: Class Diagram for PaaS Pattern

Dynamics

UC1: Request Environment (Figure 18)

Summary: A party requests a development environment in order to build his own application

Actor: Party

Precondition: The Party has an account

Description:

a) The Party requests to use a development environment

b) The PaaS Provider checks if the Party has a valid account

c) The PaaS Provider instantiates the development environment

d) The PaaS Provider assigns the development environment to the Party’s account

e) The PaaS Provider sends the client application to the Party.

f) The Party downloads the client applications on his machine

Postcondition: The client application is downloaded on the Party’s machine

Figure 18: Sequence Diagram for Consuming Development Software

UC2: Deploy an Application (Figure 19)

Summary: A party requests to deploy his application into the cloud, so the application can be accessed by anyone from anywhere at any time.

Actor: Party (developer)

Precondition: The party has an account

Description:

a) A party requests to deploy his application into the cloud.

b) The PaaS Provider checks if the party has a valid account.

c) The PaaS Provider instantiates a Deployment Environment.

d) The PaaS Provider installs and runs the code.

e) The PaaS Provider notifies the Party through the Portal that his application is deployed.

Postcondition: The application is running and ready to be accessed by the end-users

Figure 19: Sequence Diagram for Deploying an Application

4.5.5. Implementation

As an example of the implementation of a typical PaaS approach, we present here the approach used by Force.com. Force.com [19] is a cloud Platform-as-a-Service system from Salesforce.com. Force.com’s platform provides PaaS services as a stack of technologies and services for creating business applications, covering infrastructure, database as a service, integration as a service, logic as a service, user interface as a service, development as a service, and AppExchange [18]. Figure 20 shows the stack of Force.com’s technologies and services, which includes:

Infrastructure – The foundation of the Force.com platform is the infrastructure that supports the other layers. Force.com uses three geographically dispersed data centers and a production-class development lab, which use replication to mirror the data at each location.

Database as a service – It enables customers to create customized data objects, such as relational tables, and to use metadata to describe those objects. Force.com provides data security by providing features such as user authentication, administrative permissions, object-level permissions, and field-level permissions.

Figure 20: The Force.com stack and services (from [18])

Integration as a service – Force.com provides integration technologies that are compliant with open Web services and service-oriented architecture (SOA) standards, including SOAP, WSDL, and WS-I Basic Profile [129]. Force.com offers different prepackaged integration solutions such as Web Services API, Web Services Apex, callouts and mashups, and outbound messaging.

Logic as a service – Force.com provides three options for implementing an application’s business processing logic: declarative logic (unique fields, audit history tracking, history tracking, and approval processes), formula-based logic (formula fields, data validation rules, workflow rules, and approval processes), and procedural logic (Apex triggers and classes).

User Interface as a Service – Force.com provides two types of tools for creating the user interface of applications built on the platform: Force.com’s Builder and Visualforce. Builder creates metadata, which Force.com uses to generate a default user interface for each database object with its corresponding methods such as create, edit, and delete. With Visualforce, developers can use standard web development technologies such as HTML, Ajax, and Adobe Flex to create user interfaces for their cloud applications.

Development as a Service – Force.com offers some features to create cloud applications: Metadata API, Integrated Development Environment (IDE), Force.com Sandbox, and Code Share. Metadata API allows modifying the XML files that control an organization’s metadata. The IDE provides a code editor for adding, modifying and testing Apex applications. Apex is the Force.com proprietary programming language. Also, multiple developers can share a source code repository using the synchronization features of the IDE. Force.com Sandbox provides a separate cloud-based application environment for development, quality assurance, and training. Force.com Code Share allows developers from different organizations to collaborate on the development, testing, and deployment of cloud applications.

Force.com IDE [130] is a client application for creating, modifying, and deploying applications. Once the user downloads the IDE to his local machine, he can start coding. The IDE is in communication with the Force.com platform servers. There are two types of operations: online and offline. For example, in the online mode, when a class is saved, the IDE sends the class to the Force.com servers, which compile the class and return any result (error message). In the offline mode, all changes are performed on the local machine, and once you connect to Force.com, all those changes are submitted and committed. Force.com provides built-in support for automated testing. Once an application is developed in the development environment, it may be migrated to another environment such as testing or production. The Force.com IDE provides an easy way to deploy; just right click on the component and select Deploy to Server.

Application Exchange – AppExchange is a cloud application marketplace where users can find applications which are delivered by partners or third-party developers.

Force.com offers environments [131] where users can start developing, testing, and deploying cloud computing applications. There are different types of environments such as Production, Development, and Test Environments. The Production environment stores live data, while the Development Environment stores test data and is used for developing and testing applications. The Development Environment has two types: Developer Edition and Sandbox. Sandbox is a copy of the production environment that can include data, configurations, or both. A Developer Edition environment [132] includes the following developer technologies: Apex programming language, Visualforce for building custom user interface and controllers, the Integration APIs, and more. Figure 21 depicts the platform for the Developer Edition environment. Force.com’s virtual environments run on Salesforce’s infrastructure.

Figure 21: Class Diagram of Force.com’s PaaS architecture

Force.com uses different security techniques to defend its platform from different types of threats [133].

• User authentication: Most users are authenticated on the login page, but there are also other forms of user authentication: delegated authentication and Security Assertion Markup Language (SAML).

• An authenticated session needs to be established before accessing the Force.com SOAP API and Metadata API.

• Force.com secures its network using different mechanisms such as stateful packet inspection (SPI), bastion hosts, two-factor authentication processes, and end-to-end TLS/SSL cryptographic protocols.

• For sensitive data such as customer passwords, Force.com applies an MD5 one-way cryptographic hash function, and supports encryption of field data.

• At an infrastructure and network level, salesforce.com applies rigorous security standards, such as SysTrust SAS 70 Type II.

• Salesforce.com implements industry best practices to harden the host computers. For example, all hosts use Linux or Solaris distributions with non-default configurations and minimal processes, user accounts, and network protocols.
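The list above mentions an MD5 one-way hash for customer passwords. The following added example (not Force.com's code and not part of the dissertation) contrasts a bare MD5 digest with a salted, iterated PBKDF2 record and includes an audit check that flags accounts whose stored values are identical; the record format, function names, iteration count and sample accounts are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def md5_record(password: str) -> str:
    """Bare MD5 of the password: fast to compute and identical for identical inputs."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated record in the assumed form algorithm$iterations$salt$key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def shared_record_groups(records: dict[str, str]) -> list[list[str]]:
    """Audit check: group accounts whose stored password records are byte-identical.

    Any non-empty result means equal passwords are visible to whoever reads the
    table, which is what an unsalted hash produces.
    """
    by_record: dict[str, list[str]] = {}
    for account, record in records.items():
        by_record.setdefault(record, []).append(account)
    return sorted(sorted(group) for group in by_record.values() if len(group) > 1)


def demo():
    # Constructed sample accounts: two users happen to choose the same password.
    passwords = {"alice": "Winter2013!", "bob": "Winter2013!", "carol": "tr0ub4dor&3"}
    md5_table = {user: md5_record(pw) for user, pw in passwords.items()}
    kdf_table = {user: pbkdf2_record(pw) for user, pw in passwords.items()}
    return shared_record_groups(md5_table), shared_record_groups(kdf_table), kdf_table


if __name__ == "__main__":
    md5_groups, kdf_groups, _ = demo()
    print("accounts sharing an MD5 record:   ", md5_groups)
    print("accounts sharing a PBKDF2 record: ", kdf_groups)
```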

4.5.6. Known Uses

• Google App Engine [17] provides an environment to build and host web applications on Google’s infrastructure. Google App Engine supports two application environments: Java and Python.

• [16] provides a platform to build, deploy, and manage applications. It provides different programming languages such as .Net, Java, PHP and others in order to build applications.

• Salesforce [19] offers a development platform to build custom applications. (See Implementation)

• IBM SmartCloud Applications Services [134] delivers a collaborative environment that supports the full lifecycle for software development, deployment, and delivery.

4.5.7. Consequences

The PaaS pattern provides the following benefits:

• Collaboration – Geographically dispersed developers can collaborate on the same project because the code is managed online [135].

• Coordination – A project can be conveniently administered from a central point.

• Elasticity – The resources (storage, networking resources, and servers) needed to develop and deploy an application can grow or shrink to accommodate varying workload volumes.

• Pay-for-use – Parties only pay for the services they consume. Parties do not need to buy any developing tools or a full-year license.

• Transparency – The PaaS provider manages upgrades, patches, and other maintenance as well as the infrastructure. The user does not need to worry about compatibility issues between the server configurations and the development software.

• On demand services – PaaS providers offer software development tools that can be used by developers when needed.

• Accessibility – PaaS services are accessed through the Internet via web browsers from anywhere at any time.

• Testability – The variety of tools that we can use makes testing application programs in this environment more convenient.

• Versatility – PaaS offers different programming languages and databases. For instance, using Microsoft Azure, you can build applications using .Net, Java, PHP and others.

• Simplification – Developers do not need to buy or install any specialized software or tools, but they may need to install some client applications if they choose to work offline. The development applications are managed and maintained by the PaaS providers.

• Security – The development tools should include tools to develop, test, and deploy secure applications, supporting some secure methodology [136]. The platform itself should have protection against its identified threats.

The Platform-as-a-Service pattern has the following liabilities:

• PaaS providers usually offer their own proprietary development software, which makes it hard to migrate an application from one vendor to another. Also, APIs from different providers vary, which raises portability issues as well.

• The availability of the PaaS products depends mostly on the Internet. Thus, those services are available only as long as there are network connections.

• A PaaS provider can either own the underlying infrastructure or sub-contract it to an IaaS provider. In either case, the security or availability of PaaS services may not be assured.

4.5.8. Related Patterns

• Cloud infrastructure Pattern describes the infrastructure to allow sharing of distributed virtualized computational resources.

• Misuse Patterns in [10] describe possible attacks to cloud environments, which may affect the security of PaaS.

• Cloud Computing: (PaaS) Pattern [117] describes execution environments for PaaS applications.

• Party [31] indicates that users can be individuals or institutions.

4.6. Software-as-a-Service

4.6.1. Intent

Provide a set of software applications available in a cloud system that can be accessed by client devices through the Internet.

4.6.2. Context

SaaS applications are hosted by the provider and accessed through the Internet via user interfaces or APIs (application programming interfaces).

4.6.3. Problem

Customers may need to use software products that do not require local installation and maintenance of the software. How can software be delivered over the network?

This problem is affected by the following forces:

• Pay-for-use – Customers should be charged on a per-use basis like utility services.

• Transparency – Customers should not be concerned about the maintenance or updates of the software.

• On demand services – Customers should have the ability to start using an application when needed.

• Accessibility – Customers should be able to access the software applications anytime and anywhere.

• Flexibility – Customers should be able to configure the software application to their needs such as currency or date formats.

• Elasticity – Applications should be able to scale down or up depending on the customers’ needs [52]. For example, a customer can increase or decrease the number of users using the application.

• Simplification – Customers do not need to install any special software in their local machine.

• Security – The software offered to the users must be a secure application. It should be built following a secure methodology [136].

4.6.4. Solution

SaaS applications are delivered as a service to users, typically through the Internet via web browsers or APIs. SaaS in clouds enables users to access applications on demand, in which both computation and storage are hosted in the cloud, without installing any software in their local machines. SaaS can be developed and deployed using underlying Platform-as-a-Service or Infrastructure-as-a-Service offerings.

Structure

Figure 22 shows a class diagram for a Software-as-a-Service (SaaS). A SaaS Provider processes requests from parties through a Portal. A Party can be either a User or a group of users (Institution). A Party can have one or more Accounts. A SaaS Provider offers a set of SaaS Applications. The SaaS Catalog contains the list of the SaaS Applications that are offered to the users. There can be a single Application Instance of the application that is shared by different users, or a single instance per user. The SaaS Provider offers a set of Software Applications that reside on a Platform. SaaS applications can be deployed using underlying Platform-as-a-Service or Infrastructure-as-a-Service offerings. The platform can be owned or rented from a third-party provider.

Figure 22: Class Diagram for SaaS Pattern

Dynamics

UC1: Subscribe to an application (Figure 23)

Summary: A User requests to buy a subscription in order to access an application from the SaaS provider

Actor: User

Precondition: The User has a valid account

Description:

a) A User requests to subscribe to an application through the Provider’s Portal.

b) The SaaS Provider checks if the user has a valid account.

c) The SaaS Provider creates an instance of the software application. For this case, we assume that each application instance serves one party.

d) The SaaS Provider notifies the user that his subscription to the application is done.

Postcondition: The user can start using the application

Figure 23: Sequence Diagram for UC1 - Subscribe to an application

UC2: Consume an application (Figure 24)

Summary: A User requests to consume a subscribed application

Actor: User

Precondition: The User has an account and he has subscribed to the application

Description:

a) A User requests to consume an application that he subscribed to before

b) The SaaS Provider checks if the user has a valid account.

c) The User starts consuming the application

d) The User requests to save his data

Postcondition: The user’s data is stored in the cloud

Figure 24: Sequence Diagram for UC2 - Consume an application

4.6.5. Implementation

SaaS can be categorized into four distinct levels [137]. The first-level services are Ad Hoc/Custom, where each customer has its own customized version of the hosted application. For the second-level services, Configurable, the provider’s servers host a separate instance of the application for each customer, similar to the previous level. However, the instances are not customized for each customer, but they provide some configuration options. The third-level services are Configurable, Multi-Tenant-Efficient, in which a single instance serves all customers, with configurable metadata. At the fourth level, Scalable, Configurable, Multi-Tenant-Efficient, there are multiple identical instances that are controlled by a load balancer.

In order to manage multitenant data, there are three approaches for databases [138]. The simplest approach is to store data in different databases. For the second approach, the same database hosts multiple customers where each customer has their own tables and schema. In the third approach, customers’ data are stored in the same database and set of tables.

In Salesforce’s model, a single instance of an application is shared among many customers, and customers’ data is stored in a shared database. For customization purposes, metadata can be used to configure the way an application appears and behaves, such as the look of the screen and data fields.
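The third approach above, and the shared-database model described for Salesforce, keep all customers' rows in the same tables, so isolation depends on every statement being scoped to the requesting tenant. The following added example (not from the dissertation or any vendor's code) shows one way to enforce that scoping in the data-access layer using SQLite; the schema, the `TenantStore` class, the `open_store` helper and the sample tenants are assumptions.

```python
import sqlite3

SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE tenant (
    tenant_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE
);
CREATE TABLE invoice (
    tenant_id  INTEGER NOT NULL REFERENCES tenant(tenant_id),
    invoice_id INTEGER NOT NULL,
    customer   TEXT    NOT NULL,
    amount     REAL    NOT NULL,
    PRIMARY KEY (tenant_id, invoice_id)  -- invoice ids are unique per tenant only
);
"""


class TenantStore:
    """Data access bound to one tenant; callers never pass a tenant_id themselves."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def add_invoice(self, invoice_id, customer, amount):
        self._conn.execute(
            "INSERT INTO invoice (tenant_id, invoice_id, customer, amount) "
            "VALUES (?, ?, ?, ?)",
            (self._tenant_id, invoice_id, customer, amount),
        )

    def get_invoice(self, invoice_id):
        # The tenant filter is part of the key lookup, so another tenant's
        # invoice id simply does not match.
        return self._conn.execute(
            "SELECT invoice_id, customer, amount FROM invoice "
            "WHERE tenant_id = ? AND invoice_id = ?",
            (self._tenant_id, invoice_id),
        ).fetchone()

    def list_invoices(self):
        return self._conn.execute(
            "SELECT invoice_id, customer, amount FROM invoice "
            "WHERE tenant_id = ? ORDER BY invoice_id",
            (self._tenant_id,),
        ).fetchall()

    def update_amount(self, invoice_id, amount):
        cur = self._conn.execute(
            "UPDATE invoice SET amount = ? WHERE tenant_id = ? AND invoice_id = ?",
            (amount, self._tenant_id, invoice_id),
        )
        return cur.rowcount  # 0 means no such invoice exists for this tenant


def open_store(conn, tenant_name):
    """Map an already authenticated tenant name to a scoped store."""
    row = conn.execute(
        "SELECT tenant_id FROM tenant WHERE name = ?", (tenant_name,)
    ).fetchone()
    if row is None:
        raise PermissionError(f"unknown tenant: {tenant_name!r}")
    return TenantStore(conn, row[0])


def build_demo():
    """Constructed sample data: two tenants sharing one database and one table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO tenant (tenant_id, name) VALUES (?, ?)",
        [(1, "acme"), (2, "globex")],
    )
    acme, globex = open_store(conn, "acme"), open_store(conn, "globex")
    acme.add_invoice(1, "Customer A", 100.0)
    acme.add_invoice(2, "Customer B", 250.0)
    globex.add_invoice(1, "Customer C", 990.0)  # same invoice_id as acme's, no clash
    globex.add_invoice(7, "Customer D", 42.5)
    return conn, acme, globex


if __name__ == "__main__":
    _, acme, globex = build_demo()
    print("acme sees:", acme.list_invoices())
    print("acme reading globex invoice 7:", acme.get_invoice(7))
    print("rows changed by acme updating invoice 7:", acme.update_amount(7, 0.0))
```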

4.6.6. Known Uses

• Salesforce.com’s CRM (Customer Relationship Management) [19] is an online web-based software that records, tracks, manages, and analyzes sales data.

• Google apps such as Gmail, Google Calendar, and Google Docs [20] are web-based applications that can be accessed through different thin clients with Internet connection.

• Freshbooks.com [21] is an online invoicing service that mainly serves small businesses.

• IBM SmartCloud Solutions [139] provides a set of software and business processes delivered by IBM as a service including Business Analytics and Optimization, Social Business, Smarter Commerce, and Smarter Cities.

4.6.7. Consequences

The SaaS pattern provides the following benefits:

• Pay-for-use – SaaS providers often charge for their applications based on some parameters such as the number of users [140]. For example, Salesforce’s Enterprise CRM costs $125 per user per month. Google Apps for business costs $5 per user per month, but it is free for individuals and small teams.

• Transparency – SaaS applications are deployed, supported, maintained, and upgraded by the provider. Because SaaS applications are hosted on the cloud, updates and upgrades are available immediately to the users [52]. Users typically do not need to install or set up any application in their local machines. Also, SaaS applications can be used from any operating system.

• On demand services – SaaS applications can be used once they are needed. For example, to get access to Gmail (Google App), a user just opens a browser, logs in to his account, and starts using the application.

• Accessibility – SaaS applications can be accessed across the Internet by a user at anytime.

• Flexibility – SaaS applications can be customized to a certain degree depending on how they were designed. Not all providers offer customization. For instance, a customer may modify the page layout.

• Elasticity – SaaS applications are hosted in the cloud, so the users do not need to install them in their local machines.

• Simplification – Typically SaaS applications are accessed through web browsers or APIs, which do not require specific software on the client.

• Security – It is possible to deploy secure applications if they have been built using a secure development methodology [136].

The Software-as-a-Service pattern has the following liabilities:

• There are some applications that demand high user interaction; in that case the SaaS model may not be suitable because of the network latency.

• Since customers’ data is stored on the vendor’s servers or even on a third-party’s servers, data security becomes an issue.

• The network used to access SaaS applications, such as the Internet, can be insecure. It can raise some security problems such as integrity and confidentiality.

• SaaS applications typically are unique to each provider, which makes it harder for users to switch to a different vendor.

• SaaS applications may be updated frequently by the providers, which may make it difficult for users to manage the integration of SaaS applications with their business processes.

• Cloud applications may introduce compliance concerns because the users’ data is stored and managed by the provider.

4.6.8. Related Patterns

• Infrastructure-as-a-Service Pattern [101] describes the infrastructure to allow sharing of distributed virtualized computational resources.

• Platform-as-a-Service Pattern [101] describes virtual environments for developing, deploying, testing, and managing applications online.

• Misuse Patterns in [10] describe possible attacks to cloud environments.

• Party [31] indicates that users can be individuals or institutions.

4.7. Reference Architecture Environment

Figure 25 shows a class diagram for a Cloud Computing Environment. A Cloud Computing Environment is a global view of a cloud, which describes the main cloud components such as cloud services, hardware, and support services. The Portal is the gate through which the cloud provider’s services are accessed. A Cloud is composed of services, infrastructure, and support services such as operational, business and security services. Cloud physical resources can be located in different zones (Clusters). A Cluster is a collection of Nodes that are located within close physical proximity. A Node is made up of a set of Hardware (Servers, Storage and Network), Virtual Machines (VMs), and a Virtual Machine Monitor (VMM). A VMM creates and manages virtual machines and accesses the hardware directly on their behalf. The fundamental cloud services are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). The SaaS provides on demand Applications while the PaaS offers Virtual Environments such as Development, Deployment and Testing Environments, which include programming languages, databases, libraries, and other tools. IaaS provides virtualized resources such as servers and storage as Virtual Machines. Support services are needed to provision the creation, implementation and management of cloud services. Business Support Services provide centralized management of cloud resources, including metering, billing, reporting, and account administration. Operational Support Services are responsible for monitoring, provisioning, and other management functions such as configuration, upgrades, and installations of the system. Non-Functional Services consist of security, availability, reliability, interoperability, etc.

Figure 25: Class Diagram for a Cloud Computing Environment

4.8. Summary

Since Cloud Computing has impacted organization strategies, we need some guidance in order to have a good understanding of this computing model. We have developed a reference architecture which defines the basic cloud units and their service models. This reference architecture includes common use cases for clouds in general, but also for each service model. Since clouds are complex environments and each service model has its own requirements and characteristics, we describe them separately using patterns. There are many reference architectures developed by different vendors and organizations, some of which describe cloud architecture using their own products. A reference architecture should not include implementation details, but some guidance in order to understand what a cloud is and not how it is deployed. Our goal is to produce a systematic methodology to add security to cloud systems, which will be discussed in Chapter 6. This approach will be based on this reference architecture and a catalog of security patterns.

5. MISUSE PATTERNS

In order to design a secure system, we need to understand possible threats to our system. Several methods have been developed to identify threats, e.g. [141]. Once identified, we need to describe how these threats are realized to accomplish a misuse according to the goals of the attacker. A misuse pattern describes how a misuse is performed from the point of view of the attacker [11]. It defines the environment where the attack is performed, countermeasures to stop it, and it provides forensic information in order to trace the attack once it happens. Misuse patterns are useful for developers because once they determine that a possible attack can happen in the environment, a corresponding misuse pattern will indicate what security mechanisms are needed as countermeasures. Also, misuse patterns can be very useful for forensic examiners to determine how an attack is performed, and where they can find useful evidence information after the attack is done. An important value of misuse patterns is that they describe the components of the system where the attack is performed using class diagrams and sequence diagrams, relating the attack to specific system units.

We present in this chapter three examples of misuse patterns that describe some threats found in cloud computing environments. One of the vulnerabilities that is inherent in cloud computing is the co-location of virtual machines, where an attacker’s virtual machine tries to reside on the same server as the victim’s virtual machine for purposes of misuse, such as information inference based on resource usage (leakage of information). Moreover, sharing virtual machine images is one of the new threats that cloud computing is facing. Virtual machine images are prepackaged software templates that are used to instantiate virtual machines. Thus, these images have a significant effect on the overall security of the cloud [71]. Cloud providers offer a repository service where providers and users can store their images. Users can either create their own image, or they can use any image stored in the repository. An attacker who creates a valid account can create an image containing malicious code such as a Trojan horse. If another customer uses this image, the virtual machine that he creates will be infected with the hidden malware, which can then perform a variety of misuses. Furthermore, the contents of virtual machines such as the kernel, applications, and data being used by these applications can be compromised during live migration.

5.1. Resource Usage Monitoring Inference in Cloud Computing

5.1.1. Intent

Cloud systems allow many virtual machines to share the same physical infrastructure. An attacker’s virtual machine may be placed on the same hardware as the victim’s virtual machine to obtain some information, such as estimating traffic rates or detecting cache activity spikes.

5.1.2. Context

Infrastructure-as-a-Service (IaaS) provides a set of virtualized resources such as servers, network, and storage that are accessible through the Internet. In IaaS, physical infrastructure is shared by multiple virtual machines (VMs) that are created and managed by a Virtual Machine Monitor (VMM). The VMM is responsible for the isolation of its VMs.

5.1.3. Problem

To perform some types of misuse it is necessary to have a virtual machine co-located with the target’s virtual machine in the same physical structure. How can a machine be assigned to the same hardware as the victim’s virtual machine? Once the attacker’s virtual machine is placed on the same hardware as the victim’s virtual machine, how can the attacker deduce information by monitoring the victim’s behavior?

The attack can be performed by taking advantage of the following vulnerabilities:

• Any person can open an account and create a VM.

• Knowing when a VM is running helps the attacker by informing him when the victim is running.

• The attacker should be able to receive unlimited resources as needed.

• Any resource that is shared by different virtual machines can become a covert channel that will provide some information that can be useful to infer something about any co-located virtual machine.

5.1.4. Solution

When the user requests a virtual machine, he can specify the location where his VM will be located or it can be assigned on his behalf. Also, the user specifies a VM instance type that indicates a combination of computational power, memory and persistent storage. The VMM creates a virtual machine that is assigned to a particular server located in the region specified by the user.

Like any other customer, an attacker can simply request to rent an infrastructure, and he can run and control virtual machines in the cloud. The attacker can successfully locate his virtual machine on the same hardware as the victim, and then learn some information by monitoring some channels. For example, in Amazon’s EC2 and other clouds, it is more likely that an availability zone corresponds to a certain range of IP addresses [80]. Knowing the IP address of the victim, the attacker can determine the location of the VM and create his VM in the same zone. The attacker can observe the behavior of the victim, such as traffic rate or cache activity, and deduce some information. In order for the attacker to determine the victim’s IP address, systems such as EC2 map public IP addresses to private IP addresses through their DNS services. As a result, the attacker can make DNS queries in EC2 in order to find the required internal IP addresses. The authors of [80] conducted a survey of public servers on EC2 and identified four distinct IP address prefixes. Then, they performed a TCP either to port 80 or port 443. From the IP addresses that corresponded to these ports, they performed a DNS lookup using the EC2's DNS.

Structure

Figure 26 shows a class diagram for the virtual machine structure in cloud computing. A Party can be either a User or an Institution which is composed of several Users. A Party creates one or more Accounts in order to use the Cloud’s services. A Party makes a request to the Cloud Controller through a Portal, which is the interface to access cloud services. The Cloud is composed of a set of Clusters, each of which consists of a set of Nodes. Each Node is a collection of Hardware (server, storage and network), and it runs a number of Virtual Machines (VMs) which are created by a Virtual Machine Monitor (VMM). A VMM creates VMs and assigns their instances to the Party who requested them. When the instance is launched, it is assigned to the Party’s account and to the physical resources. The VM passes system calls to the VMM which executes those calls in the Hardware. In theory, a VMM isolates its Virtual Machines by defining a set of communication restrictions between them. However, using covert channels, two VMs can communicate bypassing all the rules defined by the VMM [70]. Thus, a malicious Virtual Machine can monitor shared resources without being noticed by its VMM, so the attacker can infer some information about other virtual machines.

Figure 26: Class Diagram for virtualization in Cloud Computing


Dynamics

UC1: Co-locate attacker’s VM besides the Victim’s VM (Figure 27)

Summary: An attacker requests a VM that will be co-located on the same physical machine as the victim’s VM.

Actor: Attacker

Precondition: The attacker must have a valid account, and he can choose the location where his VM will be located.

Description:

a) The attacker finds where his victim’s VM is located. Amazon’s EC2 [13] allows users to choose the location of their VM (region and availability zone).

b) The attacker requests to rent a VM from the provider.

c) Do the same as UC: Create a VM (from IaaS pattern).

d) The attacker verifies whether both VMs run on the same hardware. For example, virtual machines running on top of a Xen hypervisor have matching Dom0 IP address (privileged domain) [1], or they have close internal IP addresses.

Postcondition: A Virtual Machine is created in the specified location and assigned to the same physical hardware as the victim’s VM.


Figure 27: Co-locate attacker’s VM besides the Victim’s VM

UC2: Infer some of the victim’s information by monitoring his resource usage (Figure 28)

Summary: An attacker who has compromised the victim’s VM with a malicious application inspects the shared resource in order to obtain some useful information.

Actor: Attacker

Precondition: The attacker must have an account and his VM runs on the same hardware as his victim’s VM.

Description:

a) The attacker injects a malicious application inside the victim’s VM.

b) The attacker monitors the shared resource.

c) The malicious application sends sensitive information through a shared resource such as the network without being noticed by the VMM.

d) The attacker reads the sensitive information.

e) Repeat steps b) – d).

Postcondition: The attacker gets some confidential information.

Figure 28: Sequence Diagram for the use case Infer some of the victim’s information by monitoring his resource usage

5.1.5. Consequences

The success of this attack implies:

• Basically, anyone who has a valid credit card can request a virtual machine from a provider. For example, in Amazon’s EC2, a user creates an account using his email account and a valid credit card. Thus, an attacker can create and control virtual machines in the cloud.

• Attackers can take advantage of knowledge about the target location because the DNS provides such information. The provider’s DNS can map public IP addresses to local IP addresses.

• Amazon’s EC2 uses a regular pattern when assigning IP addresses to VMs depending on the type of an instance and the location of the VM. This can be used to infer where a VM is located.

• Any physical resource that multiplexes between the attacker and the target can be a potentially useful channel: L2 cache, CPU load, data cache, network access, CPU branch predictors and instruction cache, DRAM memory bus, CPU pipelines, scheduling of CPU cores and time slices, disk access, etc. This information could be used by a competitor to deduce an imminent product announcement, a company’s reorganization, or another significant institution event.

• Servers in cloud computing environments only run when needed, so an attacker can look at the status of the server and see if any virtual machine instances are running. This can make his work more efficient.

Possible sources of failure include:

• There is a possibility that an attacker’s instance is not assigned to the same server as the victim’s instance even when we know the location and the type of the victim’s instance. That location can be composed of many servers and the same types of instances can be assigned to different servers.

• Some defenses described in the next section can stop this attack.

• In some clouds, users could request their virtual machines to be assigned on hardware that only can be occupied by virtual machines of their accounts.

5.1.6. Countermeasures

Resource Usage Monitoring Inference can be stopped by the following countermeasures:

• Verify the background of the user when opening an account; however, this is very hard to do and may reduce the economic incentives of the provider.

• Enforce security policies in the VMM to minimize covert channels. For example, sHype [142] is a security enforcement module implemented for Xen hypervisors. sHype controls the sharing of resources between virtual machines according to formal policies. The authors of [143] propose a model called Prioritized Chinese Wall model (PCW) to reduce the risk of covert information flows among virtual machines.

• Assign random local IP addresses to the instances, so the attacker will not associate a local IP address to a certain location or instance type.

• Control access to the DNS map.

• Monitor the utilization of the infrastructure so all users get some portion of the computing in the cloud.

From the victim’s perspective, cloud customers cannot monitor other customers’ computations to protect themselves against timing side-channel, and the provider cannot monitor their customers’ computations due to privacy concerns. However, [144] proposes a new approach to reduce the risk of timing channel in clouds.

From the point of view of the cloud provider, covert channel and side channel attacks cannot be detected since they rely on legitimate use of the system [145]. However, cloud providers can mitigate these types of attacks; two possible solutions are proposed in [145].

5.1.7. Forensics

Where can we find evidence of this attack?

• Providers can keep logs of the requests made by the users.

• Providers can keep logs of the co-located virtual machines that are assigned to the same server.
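One way a forensic examiner could combine the two logs above, shown as an added example that is not part of the dissertation: it replays placement records and flags accounts that churn through short-lived instances and then keep one that shares a node with another tenant. The log layout, thresholds and account names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed placement-log sample (assumed layout, not a real provider format):
# timestamp account instance-id physical-node event
SAMPLE_LOG = """\
2013-03-01T09:00:00 acct-b i-b1 node-03 start
2013-03-01T10:00:00 acct-victim i-v1 node-17 start
2013-03-01T10:05:00 acct-a i-a1 node-03 start
2013-03-01T10:07:00 acct-a i-a1 node-03 stop
2013-03-01T10:08:00 acct-a i-a2 node-21 start
2013-03-01T10:10:00 acct-a i-a2 node-21 stop
2013-03-01T10:11:00 acct-a i-a3 node-09 start
2013-03-01T10:13:00 acct-a i-a3 node-09 stop
2013-03-01T10:14:00 acct-a i-a4 node-17 start
2013-03-01T11:00:00 acct-c i-c1 node-05 start
2013-03-01T11:00:05 acct-c i-c2 node-06 start
2013-03-01T11:00:09 acct-c i-c3 node-07 start
2013-03-01T11:00:12 acct-c i-c4 node-08 start
"""


@dataclass
class Instance:
    account: str
    iid: str
    node: str
    start: datetime
    stop: Optional[datetime] = None  # None: still running at end of log


def parse_log(text):
    """Rebuild one Instance per VM from its start/stop events."""
    running, finished = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, iid, node, event = line.split()
        when = datetime.fromisoformat(ts)
        if event == "start":
            running[iid] = Instance(account, iid, node, when)
        elif event == "stop" and iid in running:
            inst = running.pop(iid)
            inst.stop = when
            finished.append(inst)
    return finished + list(running.values())


def co_resident(a, b):
    """True if two VMs of different accounts shared a node at the same time."""
    if a.node != b.node or a.account == b.account:
        return False
    return a.start < (b.stop or datetime.max) and b.start < (a.stop or datetime.max)


def find_probing(instances, min_launches=4, short_life=timedelta(minutes=10),
                 min_short_ratio=0.5):
    """Flag accounts that discard many short-lived VMs and keep one that
    shares hardware with another tenant."""
    by_account = defaultdict(list)
    for inst in instances:
        by_account[inst.account].append(inst)

    findings = []
    for account, launched in sorted(by_account.items()):
        short = [i for i in launched
                 if i.stop is not None and i.stop - i.start <= short_life]
        kept = [i for i in launched if i not in short]
        if len(launched) < min_launches:
            continue
        if len(short) / len(launched) < min_short_ratio:
            continue
        # Only VMs the account kept running count toward co-residency.
        neighbours = sorted({other.account for mine in kept
                             for other in instances if co_resident(mine, other)})
        if neighbours:
            findings.append({"account": account, "launches": len(launched),
                             "short_lived": len(short),
                             "co_resident_with": neighbours})
    return findings


if __name__ == "__main__":
    for finding in find_probing(parse_log(SAMPLE_LOG)):
        print(finding)
```

A batch tenant that starts several long-running instances (acct-c in the sample) is not flagged, because none of its instances is discarded shortly after launch.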

5.1.8. Related Patterns

• The Virtual Machine Monitor [127] provides isolation between different virtual machines that execute different operating systems.

• Resource Assignment patterns can be used for assigning servers to users.

5.2. Malicious Virtual Machine Creation

5.2.1. Intent

A Virtual Machine Image is a type of that is used to instantiate a Virtual Machine (VM). Virtual Machine Images contain initial file system state and software for the machine. An attacker may create a virtual machine image that contains malicious code so it can infect other users when they create their virtual machines. The attacker may also read confidential data from images that are publicly stored in the provider’s repository.

5.2.2. Context

Some IaaS (Infrastructure as a Service) providers offer a VM image repository where users can retrieve images in order to initialize their VM. These VM Images can be created and published by the provider or by a client.

5.2.3. Problem

To perform some types of misuse it is necessary to be able to create and publish VM images.

The attack can be performed by taking advantage of the following vulnerabilities:

• Any person who has a valid account can create and register a VM image.

• There should be a common place where the users can share VM images.

• VM images contain prepackaged software components for an application. Thus, an attacker can create a VM image with malicious code.

• VM images contain installed and fully configured applications. The configuration may require sensitive operations such as creating username and password [71].

5.2.4. Solution

When a user publishes a VM image as public, any other user of the cloud is able to use it to instantiate his VM. This VM image can contain malicious code. The Virtual Machine Monitor (VMM) will run this image in order to instantiate the user’s VM. Now, the attacker can have control of the virtual machine and perform malicious activities such as infecting other computers. Infected virtual machines may appear briefly, infect other virtual machines, and disappear before they can be detected [67].

Structure

Figure 29 shows a class diagram for the repository for VM images in cloud computing. A Party can be either a User or an Institution (set of users). A Party can have several Accounts. A Party makes requests to the Cloud Controller through a Portal in order to access a cloud service. The Cloud is composed of a set of Clusters, and each Cluster is composed of Nodes. A Node is a collection of Hardware (Server, Storage, and Network), a Virtual Machine Monitor (VMM) and a set of Virtual Machines (VMs) running on top of its VMM. A Virtual Machine (VM) is an isolated software container that has a CPU, RAM, hard disk, and network controllers. The VMM creates VMs by instantiating a Virtual Machine Image (VM Image), and it assigns their instances to the users who requested them. A VM Image is a pre-installed operating system and application stack. When the instance is launched, it is assigned to a physical server and given other hardware resources. The VM passes system calls to the VMM which executes those calls in the Hardware. A Party retrieves a VM Image from the Provider’s VMI Repository. These images can be created and published by any user or by the provider.

Figure 29: Class diagram for VM Image Misuse Pattern

Dynamics

UC1: Publish a Malicious Virtual Machine Image (Figure 30)

Summary: The attacker publishes a Virtual Machine Image that contains malicious code.

Actor: Attacker

Precondition: The attacker must have an account with the Cloud Provider

Description:

a) The attacker creates a VM Image.

b) The attacker installs malicious software within the VM Image.

c) The attacker requests the Cloud to upload the VM Image.

d) The Cloud Controller checks if the attacker (legal user) has an account.

e) The Cloud Controller uploads the VM Image into the repository.

f) The Cloud Controller sends an acknowledgement to the attacker.

Postcondition: A VM Image is created and placed into the Cloud Provider’s repository, so any other user can use it and get infected.

Figure 30: Sequence Diagram for the Use Case Publish a Malicious VM Image

UC2: Launch a VM using an infected VM Image (Figure 31)

Summary: A user launches a VM using an infected VM Image.

Actor: User

Precondition: The user must have an account, and the attacker has published her VM Image into the Cloud Provider’s repository. Also, the user should choose the VM Image created by the attacker.

Description:

a) The User requests the Cloud Controller to retrieve a list of available VM Images.

b) The Cloud Controller checks if the user has a valid account.

c) If the user is valid, the Cloud sends the list of VM Images.

d) The User chooses the VM Image, and he requests the Cloud Controller to launch a VM. Do the same steps as UC: Create a VM from IaaS Pattern.

e) Once the VM is launched, it executes the malicious code.

e) Once the VM is launched, it executes the malicious code.

Postcondition: The user’s VM is infected and it may infect other VMs.

Figure 31: Sequence Diagram for the use case Launch a VM using a malicious VM Image

5.2.5. Consequences

Some of the benefits of the misuse pattern are the following:

• An attacker can open an account using a valid credit card and register malicious VM images into the provider’s repository.

• VM Images contain all the software dependencies needed to run the Trojan horse, so the attacker does not need to worry whether the victims’ software stacks satisfy the Trojan horse’s dependencies [71].

• An attacker can get control of the infected virtual machines and obtain some confidential information.

• Repositories that contain malicious VM images can be a way to distribute malware.

• Infected virtual machines may infect other virtual machines. For example, an attacker may create a malicious VM image in order to infect other machines, creating a collection of infected machines, a botnet [146].

Possible sources of failure include:

• There is a possibility that the users choose to create their own VM images instead of using a public VM Image.

• Since VM images are dormant artifacts that reside in the repository, they are not harmful if they are not executed.

• Users can only retrieve images that are from certified owners.


5.2.6. Countermeasures

Malicious VM Images can be stopped by the following countermeasures:

• The authors of [71] proposed an image management system that controls access to images, tracks the origin of images, and provides image filters and scanners that detect and repair security violations.

• Verify the background of the user when opening an account; however, this is very hard to do.

• Users can only retrieve or publish certified VM Images.

• Use an Intrusion Detection System (IDS) to identify malicious activities such as in [147].
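A sketch of the "certified images" and origin-tracking countermeasures as a retrieval gate, added here as an example and not taken from [71] or from the dissertation. It assumes a repository that stores a signed manifest with each image; the HMAC key stands in for the repository's signing key, and all names and image contents are constructed.

```python
import hashlib
import hmac
import json

# Assumptions for the demo: the key stands in for the repository's signing key
# (a real repository would use an asymmetric signature); names are constructed.
REGISTRY_KEY = b"constructed-demo-key"
CERTIFIED_PUBLISHERS = {"provider", "acme-it"}


def sign_manifest(manifest):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(REGISTRY_KEY, body, hashlib.sha256).hexdigest()


def publish(repo, audit, image_id, publisher, blob, derived_from=None):
    """Register an image; only certified publishers may add to the repository."""
    if publisher not in CERTIFIED_PUBLISHERS:
        reason = f"{publisher} is not a certified publisher"
        audit.append(("publish-denied", publisher, image_id, reason))
        raise PermissionError(reason)
    manifest = {"id": image_id, "publisher": publisher,
                "sha256": hashlib.sha256(blob).hexdigest(),
                "derived_from": derived_from}   # origin tracking
    repo[image_id] = {"manifest": manifest, "sig": sign_manifest(manifest),
                      "blob": blob}
    audit.append(("publish", publisher, image_id, "ok"))


def verify_image(repo, image_id):
    """Check the image and every image it was derived from."""
    seen, current = set(), image_id
    while current is not None:
        if current in seen:
            return False, f"origin loop at {current}"
        seen.add(current)
        entry = repo.get(current)
        if entry is None:
            return False, f"missing origin {current}"
        manifest = entry["manifest"]
        if not hmac.compare_digest(entry["sig"], sign_manifest(manifest)):
            return False, f"bad manifest signature on {current}"
        if hashlib.sha256(entry["blob"]).hexdigest() != manifest["sha256"]:
            return False, f"digest mismatch on {current}"
        if manifest["publisher"] not in CERTIFIED_PUBLISHERS:
            return False, f"uncertified publisher on {current}"
        current = manifest["derived_from"]
    return True, "ok"


def retrieve(repo, audit, user, image_id):
    """Hand out an image only if it verifies; log the decision either way."""
    ok, reason = verify_image(repo, image_id)
    audit.append(("retrieve" if ok else "retrieve-denied", user, image_id, reason))
    if not ok:
        raise PermissionError(reason)
    return repo[image_id]["blob"]


def demo():
    repo, audit, results = {}, [], {}
    publish(repo, audit, "base-linux", "provider", b"constructed base image bytes")
    publish(repo, audit, "web-stack", "acme-it", b"constructed web image bytes",
            derived_from="base-linux")
    results["clean"] = retrieve(repo, audit, "alice", "web-stack") is not None
    try:
        publish(repo, audit, "free-tools", "mallory", b"constructed image bytes")
    except PermissionError as exc:
        results["uncertified_publish"] = str(exc)
    # An entry written into the store without going through publish().
    repo["free-tools"] = {"manifest": {"id": "free-tools", "publisher": "provider",
                                       "sha256": "", "derived_from": None},
                          "sig": "00" * 32, "blob": b"constructed image bytes"}
    try:
        retrieve(repo, audit, "bob", "free-tools")
    except PermissionError as exc:
        results["forged_manifest"] = str(exc)
    # A base image altered after publication taints every image derived from it.
    repo["base-linux"]["blob"] += b" + altered after publication"
    try:
        retrieve(repo, audit, "bob", "web-stack")
    except PermissionError as exc:
        results["tampered_origin"] = str(exc)
    results["audit"] = audit
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit list doubles as the publish/retrieve log that the Forensics section calls for.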

5.2.7. Forensics

Where can we find evidence of this attack?

• Providers can keep logs of the users that publish/retrieve VM Images.

• We can audit a suspicious VM Image.

5.3. Malicious Virtual Machine Migration Process

5.3.1. Intent

The attacker tries to provoke leakage of sensitive information or modify the virtual machine (VM) content while it is in transit.


5.3.2. Context

Cloud environments mostly rely on virtualization. The virtual machine monitor (VMM) provides the foundation for virtualization management. One important feature is the migration of a VM from one VMM to another one due to high availability, hardware maintenance, fault tolerance, and load balancing [148].

5.3.3. Problem

To perform some types of misuse it is necessary to be able to monitor and intercept the transfer of a VM from one server to another.

The attack can be performed by taking advantage of the following vulnerabilities:

• The migration process involves transferring the VM content across a network that can be insecure such as the Internet.

• The VM may be transferred in clear text. Thus, its information can be captured or modified by an attacker.

• The module that handles migration operations can be compromised.

• A VM can be transferred to an insecure host.

• The content of the transferred VM may have malicious code.

5.3.4. Solution

When a VM is transferred from one server to another, an attacker can monitor the network and obtain some confidential information or manipulate the VM content while it is in transit. Also, the attacker can compromise the VMM and gain full control of the migration process.


Structure

Figure 32 shows a class diagram for VM Migration Process. A Party can be either a User or an Institution (set of users). A Party can have several Accounts. A Party makes requests to the Cloud Controller via a Portal. A Cloud is composed of Clusters, where each Cluster comprises a set of Nodes. A Node is a collection of Hardware (Servers, Network, and Storage), a VMM, and a set of VMs. A Virtual Machine Monitor (VMM) creates and manages Virtual Machines (VMs). A VM is a software implementation of a machine that executes programs. Its kernel operations are performed by calls to the VMM. VMMs assign instances of the Virtual Machine to a physical server, which includes other Hardware resources. The VMM manages the migration process of a VM from one server (VMM) to another.

Figure 32: Class Diagram for VM Migration Process


UC1: Man-in-the-middle attack during VM migration process (Figure 33)

Summary: An attacker listens to the network during a migration process to obtain some confidential data.

Actor: Attacker, Cloud Manager

Precondition: The attacker has impersonated both the source and the destination VMM

Description:

a) The attacker starts monitoring the network traffic.

b) The Cloud Manager requests to migrate a VM from one VMM to another one. The request will be forwarded from Cloud Controller to Cluster Controller, and then to the Node Controller, and finally the VMM will perform the migration process.

c) The source VMM requests VM migration to the destination VMM.

d) The source VMM starts transferring the VM to the destination VMM.

e) The attacker captures the traffic being transmitted.

f) The attacker modifies the VM.

g) The destination VMM receives the VM and starts the new VM.

Postcondition: The attacker captured and modified the VM.

Figure 33: Sequence Diagram for the use case Man-in-the-middle attack during VM migration process

UC2: Migrate several VMs to a victim VMM (Figure 34)

Summary: A large number of VMs are transferred from a compromised VMM to the victim VMM.

Actor: Attacker

Precondition: The source VMM (VMMc) has been compromised and the attacker has gained control of the migration module

Description:

a) The attacker requests to migrate a list of VMs to the victim VMM. The request will be forwarded from Cloud Controller to Cluster Controller, and then to the Node Controller, and finally the VMM will perform the migration process.

b) The compromised VMM requests VM migration to the victim VMM (VMMv).

c) The destination VMM accepts the request.

d) The compromised VMM starts transferring several VMs.

e) The victim VMM receives the VMs and starts the new VMs.

Postcondition: The attacker has overwhelmed the victim machine by migrating a large number of VMs to the destination machine.

Figure 34: Sequence Diagram for the use case Migrate several VMs to a victim VMM

5.4. Consequences

Some benefits of the misuse pattern are the following:

• The attacker can intercept the VM and obtain some confidential information, or he can modify the content of the VM while it is crossing the network.

• After the attacker compromises a VMM, he may send a large number of VMs to a victim’s machine, causing disruptions or denial of service.

• A compromised VMM can transfer the victim’s VM to the attacker’s machine, gaining full control of the VM.

• A transferred VM may contain malicious code that can infect other VMs that are under the control of the target VMM.

Possible sources of failure include:

• When the attacker eavesdrops on the communication channel, he may not get all the necessary data.

• Some defenses described in the next section can stop this attack.

5.4.1. Countermeasures

Insecure VM Migration can be stopped by the following countermeasures:

• [84] proposes a Trusted Cloud Computing Platform (TCCP) that provides confidential execution of guest virtual machines. It provides secure VM launch and migration operations.

• [85] proposes a secure migration system that provides VM live migration capabilities under the condition that a VMM-protected system is present and active.

• The connection between the source and the destination VMMs should be authenticated and encrypted during the migration process.

• Isolate VM migration traffic to prevent eavesdropping attacks.
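The destination-VMM side of an authenticated migration channel, added here as an example that is not from the dissertation or from [84] or [85]. It covers only authentication, integrity and admission control (modification in transit from UC1, flooding from UC2); confidentiality would still need an encrypted transport underneath. The frame layout, the pre-shared per-source keys and the concurrency cap are assumptions, and the VM content is constructed.

```python
import hashlib
import hmac
import struct

HEADER_FMT = "!16sQ?"                 # migration id, sequence number, last-chunk flag
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size
MIGRATION_ID = b"constructed-id-1"    # 16 bytes, constructed for the demo


def seal_chunk(key, migration_id, seq, payload, last):
    """Source VMM side: frame one chunk of VM state and append an HMAC tag."""
    header = struct.pack(HEADER_FMT, migration_id, seq, last)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class MigrationReceiver:
    """Destination VMM side: admission control plus per-chunk verification."""

    def __init__(self, keys_by_source, max_active=2):
        self.keys = keys_by_source    # allow-list: source VMM name -> shared key
        self.max_active = max_active  # cap on concurrent inbound migrations
        self.active = {}

    def accept(self, source, migration_id):
        if source not in self.keys:
            raise PermissionError("unknown source VMM")
        if len(self.active) >= self.max_active:
            raise RuntimeError("destination at migration capacity")
        self.active[migration_id] = {"source": source, "next_seq": 0,
                                     "data": bytearray(), "done": False}

    def _abort(self, migration_id, reason):
        self.active.pop(migration_id, None)   # discard the partial VM state
        raise ValueError(reason)

    def receive(self, migration_id, frame):
        state = self.active[migration_id]
        key = self.keys[state["source"]]
        header, payload, tag = (frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN],
                                frame[-TAG_LEN:])
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._abort(migration_id, "chunk failed authentication")
        mid, seq, last = struct.unpack(HEADER_FMT, header)
        if mid != migration_id or seq != state["next_seq"] or state["done"]:
            self._abort(migration_id, "chunk out of sequence")
        state["data"] += payload
        state["next_seq"] += 1
        state["done"] = last

    def finish(self, migration_id):
        """Return the VM state only if the final chunk was seen."""
        state = self.active.pop(migration_id)
        if not state["done"]:
            raise ValueError("migration truncated")
        return bytes(state["data"])


def _outcome(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except (PermissionError, ValueError, RuntimeError) as exc:
        return str(exc)


def run_demo():
    key = b"constructed shared key for vmm-a"
    image = b"constructed VM memory page " * 8
    chunks = [image[i:i + 64] for i in range(0, len(image), 64)]
    frames = [seal_chunk(key, MIGRATION_ID, n, c, n == len(chunks) - 1)
              for n, c in enumerate(chunks)]
    rx, results = MigrationReceiver({"vmm-a": key}), {}

    rx.accept("vmm-a", MIGRATION_ID)                 # unmodified transfer
    for frame in frames:
        rx.receive(MIGRATION_ID, frame)
    results["clean"] = rx.finish(MIGRATION_ID) == image

    rx.accept("vmm-a", MIGRATION_ID)                 # one payload bit changed
    altered = bytearray(frames[0])
    altered[HEADER_LEN + 5] ^= 0x01
    results["modified"] = _outcome(rx.receive, MIGRATION_ID, bytes(altered))

    rx.accept("vmm-a", MIGRATION_ID)                 # chunk 1 missing
    rx.receive(MIGRATION_ID, frames[0])
    results["dropped"] = _outcome(rx.receive, MIGRATION_ID, frames[2])

    rx.accept("vmm-a", MIGRATION_ID)                 # stream cut short
    rx.receive(MIGRATION_ID, frames[0])
    results["truncated"] = _outcome(rx.finish, MIGRATION_ID)

    results["unknown_source"] = _outcome(rx.accept, "vmm-x", MIGRATION_ID)
    for n in range(2):                               # fill the concurrency cap
        rx.accept("vmm-a", bytes([n]) * 16)
    results["flood"] = _outcome(rx.accept, "vmm-a", bytes([2]) * 16)
    return results


if __name__ == "__main__":
    print(run_demo())
```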

5.4.2. Forensics

Where can we find evidence of this attack?

• The provider can keep logs of the VMs that are transferred from one machine to another. Also, it can store information about the source and destination VMMs.

5.4.3. Related Patterns

• The Virtual Machine Monitor provides isolation between different virtual machines that execute different operating systems.

5.5. Discussion

Designers need to understand the possible threats before designing secure systems. Our misuse patterns show that clouds are also vulnerable to attacks targeting some of their features such as shared virtual machine images, virtual machine live migration, and isolation. Identifying only threats is not enough; we need to understand how an attack is performed. These misuse patterns can help designers to understand how an attack is performed and what components of the system were used and compromised during an attack. Misuse patterns follow a template that contains different sections: context, which describes the environment in which the attack is performed; problem, which includes forces that describe the vulnerabilities of the system; and solution, which depicts the components of the system using a class diagram and how an attack is performed using sequence diagrams. Also, misuse patterns describe the consequences, which discuss the benefits and drawbacks of the misuse pattern from the attacker’s point of view; countermeasures, which enumerate security mechanisms that can be applied to mitigate the threat; and forensics, which indicate how to trace an attack once it happens or where to search for forensic data.

It is possible to build a relatively complete catalog of misuse patterns for cloud computing. Having such a catalog we can analyze a specific cloud architecture and evaluate its degree of resistance to these misuses. The architecture (existing or under construction) must have a way to prevent or at least mitigate all the misuses that apply to it. When potential cloud customers buy cloud services they negotiate a Service Level Agreement (SLA) with the provider. This SLA could indicate what misuses the provider is explicitly able to control. Many providers do not want to show their security architectures; showing their list of misuse patterns would give them a way to prove a degree of resistance to misuses without having to show their security details.

5.5.1. Summary

We have presented some cloud computing threats as misuse patterns which describe in a systematic way how a misuse is performed from the attacker’s point of view. Virtualization, a key component for clouds, enables clouds to improve the utilization of physical resources by sharing resources among different users. Sharing resources among different virtual machines gives some opportunities to an attacker to monitor confidential information. Also, virtual machines can be transferred from one server to another. The migration process uses a network such as the Internet to transport virtual machines; thus, attackers can exploit this vulnerability by listening to the network in order to obtain some confidential data. Also, sharing virtual machine images, virtual appliances that contain prepackaged software used to initialize the virtual machine, raises security concerns. Virtual machine images may contain malicious code that can be propagated once a user executes one of these malicious images.

6. SECURE REFERENCE ARCHITECTURE

Different cloud deployment models and cloud services create different concerns about how security is enforced. A private cloud is deployed for a specific company while public clouds serve many customers sharing the same resources. For private clouds, multi-tenancy is not a concern, but it introduces many security issues when working with public clouds. In the same way, cloud services also create different security issues. For example, SaaS services are provided typically through the Internet via web browsers. This type of security issue is also true for any kind of system that uses web applications; however, the result could be more catastrophic because an attacker may also compromise data from many users. For the PaaS model, a user gets a development environment where he can develop any kind of application, even one containing malicious code. Once that application is deployed into the cloud, it can attack other users. IaaS services provide virtual machines which may create other points of attack through the hypervisor and its virtual resources.

The basic approach we use adds security to cloud systems by applying a systematic methodology from [149], which can be used as a guideline to build secure cloud systems and evaluate the security level of the secure framework. We use as a starting point our reference architecture [150]. We combine security and misuse patterns to build a secure reference architecture. By checking if a threat (misuse pattern) can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security. We have done a systematic enumeration of cloud threats [3] and have started building a catalog of cloud misuse patterns [10]; with a complete catalog we can apply them systematically and use the reference architecture to find where we should add corresponding security patterns to stop them [149].

6.1. Securing a Cloud Reference Architecture

We build here a secure reference architecture by using a methodology developed in [149] which integrates security patterns in the application life cycle. Figure 35 describes how to secure a reference architecture:

• We analyze each use case looking for vulnerabilities and threats as in [141].

• We use the list of threats from [3] to find further vulnerabilities and threats.

• These threats are expressed in the form of misuse patterns [11] that describe how an attack happens from the point of view of the attacker. We developed some misuse patterns for Cloud Computing in [10].

• We apply policies to handle the threats and we identify security patterns to realize the policies. There are some defenses that come from best practices and others that handle specific threats.

• We evaluate the security level of the reference architecture by using misuse cases.

Figure 35: Securing a cloud reference architecture

6.2. Administration of Security Use Cases

We assume Role-Based Access Control (RBAC) as the authorization model. In RBAC, a user is assigned to roles, and rights are assigned to a role. There are some security functions that can be applied to all cloud models (Figure 36). This is just an illustrative list; it is necessary to define a structured governance function from which security functions and policies can be derived.

• Login – Provide a portal for users to access cloud services.

• Create a user – A user can be a single individual or an institution (collection of users). There are two types of users: cloud provider’s users and cloud consumer’s users.

• Delete user – Once a cloud employee leaves the company or a customer closes his account, the user that corresponds to him is erased.

• Create role – A role defines a task that a person performs in his job. For example, a cloud employee can be an IT administrator, security administrator, cloud administrator, node administrator, and cluster administrator. A customer can be an end-user, developer, IT manager, and institution manager. Roles are assigned rights.

• Delete role – A role can be deleted if no users are associated with it.

• Assign rights to a role – Rights are functions that a role can perform in the system. For instance, a cluster administrator can migrate virtual machines within his jurisdiction.

• Assign roles to a user – Users must be given roles before interacting with the system.

• Define security mechanisms – Security administrators define what cryptographic measures will be implemented across all cloud layers. For example, define algorithms that will secure data while it is being transferred, stored or processed.

122

Figure 36: Security Use Case Model
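The administration use cases above can be exercised as a small RBAC store. This is an added example, not code from the dissertation; the class and method names are hypothetical, and modelling a "jurisdiction" as a string attached to each right is an assumption made for illustration.

```python
class RBACError(Exception):
    """Raised when a request would break an administration rule."""


class RBACAdmin:
    def __init__(self):
        self.users = {}   # user name -> set of role names
        self.roles = {}   # role name -> set of (operation, jurisdiction) rights

    def create_user(self, user):
        if user in self.users:
            raise RBACError(f"user {user!r} already exists")
        self.users[user] = set()

    def delete_user(self, user):
        # Deleting the user drops all of its role assignments with it.
        if self.users.pop(user, None) is None:
            raise RBACError(f"no such user {user!r}")

    def create_role(self, role):
        if role in self.roles:
            raise RBACError(f"role {role!r} already exists")
        self.roles[role] = set()

    def delete_role(self, role):
        # "Delete role": refused while any user is still associated with it.
        holders = sorted(u for u, held in self.users.items() if role in held)
        if holders:
            raise RBACError(f"role {role!r} is still assigned to {holders}")
        if self.roles.pop(role, None) is None:
            raise RBACError(f"no such role {role!r}")

    def assign_right(self, role, operation, jurisdiction="*"):
        if role not in self.roles:
            raise RBACError(f"no such role {role!r}")
        self.roles[role].add((operation, jurisdiction))

    def assign_role(self, user, role):
        if user not in self.users or role not in self.roles:
            raise RBACError("user and role must exist before assignment")
        self.users[user].add(role)

    def is_allowed(self, user, operation, jurisdiction):
        # A user with no roles (or an unknown user) cannot interact at all.
        for role in self.users.get(user, ()):
            rights = self.roles[role]
            if (operation, jurisdiction) in rights or (operation, "*") in rights:
                return True
        return False


def demo():
    """Walk through the use cases with constructed names and return the outcomes."""
    admin = RBACAdmin()
    admin.create_role("cluster administrator")
    admin.assign_right("cluster administrator", "migrate_vm", "cluster-a")
    admin.create_user("alice")
    before_role = admin.is_allowed("alice", "migrate_vm", "cluster-a")
    admin.assign_role("alice", "cluster administrator")
    inside = admin.is_allowed("alice", "migrate_vm", "cluster-a")
    outside = admin.is_allowed("alice", "migrate_vm", "cluster-b")
    try:
        admin.delete_role("cluster administrator")
        delete_blocked = False
    except RBACError:
        delete_blocked = True
    admin.delete_user("alice")                  # the employee leaves the company
    admin.delete_role("cluster administrator")  # now allowed: no users hold it
    return {"before_role": before_role, "inside": inside, "outside": outside,
            "delete_blocked": delete_blocked, "roles_left": sorted(admin.roles)}


if __name__ == "__main__":
    print(demo())
```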

6.3. Identifying Threats

We can enumerate threats systematically by using use cases and activity diagrams. We have identified use cases for cloud environments in [150]. This systematic approach implies a detailed investigation of each activity from each use case in order to find possible threats [141]. However, this approach can be combined with the analysis of security threats done in [3], which lists threats in the literature. Figure 37 describes an activity diagram that shows several threats:

Figure 37: Activity Diagram for Use Cases “Create VMI” and “Publish VMI”

We have identified some threats by analyzing the flow of events in a use case (Figure 37). Table 5 depicts an analysis of each action in the activity diagram according to main security attributes, the source of the threat, and assets that can be compromised. The standard main security attributes are confidentiality (CO), integrity (IN), availability (AV), and accountability (AC). The source of the threat can be an authorized insider (AIn), unauthorized insider (UIn), or outsider (Out).

Table 5: Misuse Activities Analysis

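| Actor | Action | # | Sec. Att. (CO/IN/AV/AC) | Source (AIn/UIn/Out) | Misuse Activity Description | Asset |
|---|---|---|---|---|---|---|
| Cloud Customer | Create VMI | T1 | IN | Out | Insert malicious code within the image | VMI |
| Cloud Customer | Send VMI | T2 | CO | Out | VMI may be read while being transmitted | VMI |
| Cloud Customer | Send VMI | T3 | IN | Out | VMI may be modified while in transit | VMI |
| Cloud Customer | Send VMI | T4 | AC | Out | Disavows sending a VMI | VMI |
| IaaS Administrator | Receive VMI | T5 | CO | AIn/UIn | Collects sensitive information from VMI | VMI |
| IaaS Administrator | Receive VMI | T6 | AV | AIn | Disavows receiving a VMI | VMI |
| IaaS Administrator | Receive VMI | T7 | IN | UIn/AIn | Modify VMI - insert malicious code | VMI |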

6.4. Cloud Defenses

There are a variety of security patterns for all architectural levels of the system [151]; however, these security patterns may need to be adapted for cloud environments. In this section, we provide a list of some security patterns for clouds and provide some examples. These security patterns are not sufficient to secure the entire cloud system, but they can be used as general guidance. Here are some of the security patterns that are selected to handle specific threats:

• Secure migration process – provides a continuous protection for live and offline migration processes.

• Secure hypervisor – reinforces the security of the hypervisor in order to avoid attacks.

• Secure virtual networks – secures the communication among virtual machines.

• Secure virtual machine image repository – offers secure control of virtual machine images.

• Virtualized Trusted Platform Module – determines if the environment is secure before creating and launching a virtual machine.

• Web application scanners – scans web applications to identify security vulnerabilities.

• Cloud data protection – protects sensitive data while it is processed, stored or transferred (encryption, digital signature, fragmentation-redundancy-scattering, homomorphic encryption).

For this work, we develop a pattern to secure a virtual machine image repository that can be used to mitigate or stop some of the threats identified in Section 4.

6.4.1. Secure Virtual Machine Image Repository System

Intent

The secure virtual machine image (VMI) repository system offers secure control of virtual machine images by removing or hiding unwanted information. It also provides logging, authentication and authorization.

Context

Cloud consumers and providers can publish and retrieve VMIs in order to instantiate a virtual machine (VM).

Problem

A VMI can contain sensitive information without being noticed by the publisher or it can contain malicious code infecting virtual machines that are created using it.

The solution will be affected by the following forces:

• Virtual machine images should be filtered when they are being published or retrieved.

• The user who wants to publish or retrieve a VMI should be authenticated.

• We should keep track of any actions applied to the VMI such as who accessed it, type of access, and date.

• We should control what actions a user can perform.

• The security controls should not affect the performance of the system.

Solution

The Secure VMI Repository System provides a mechanism to filter virtual machine images in order to hide or remove confidential information or detect malware and remove it. It also provides authentication, authorization, and logging. For the authorization, we use a Role-Based Access Control (RBAC) model [127][34] which assigns rights to roles to perform some actions in a resource. Individual users may be assigned one or more roles.

Structure

Figure 38 shows a class model for the secure VM images repository system. The Virtual Machine Image Repository holds a set of virtual machine images (VMI) that can be used to instantiate a virtual machine. The repository uses a Filter that scans all VM images before they are published, and it can also scan them before a VMI is retrieved. The subsystem Authenticator is an instance of the Authenticator Pattern [34] that allows the repository to authenticate the users before publishing or retrieving an image. The Log keeps track of any accesses to the repository. The Role and Right are instances of the RBAC pattern. A Role has the Rights to perform some actions on a VMI. The Reference Monitor subsystem enforces the authorization rights defined by the RBAC.

Figure 38: Secure VMI Repository System

6.5. Secure Reference Architecture

Once security patterns are identified, we apply them to the reference architecture in order to stop or mitigate the threats. Security mechanisms are added to the Infrastructure-as-a-Service Pattern in [150], including authenticator, authorization, logging and other security mechanisms that mitigate specific threats. To avoid impostors, we can use the authentication module so every action with the cloud needs to be authenticated. The logging instance can be used to trace all activities, which can be used for auditing at a later time. For the authorization, we use Role-Based Access Control (RBAC), so only authorized users can perform some actions on assets. These security mechanisms are shown in blue color. Figure 39 shows a secure IaaS architecture pattern. In this model, the subsystem Authenticator is an instance of the Authenticator pattern [34] and allows the Cloud Controller to authenticate Cloud Consumers/Administrators. Log indicates instances of the Logging pattern, and it is used to keep track of any access to a cloud resource such as VM, VMM, and VM Image Repository. The Reference Monitor enforces authorization rights defined by the RBAC instances [34]. The Filter scans all virtual machines in order to remove malicious code.

Figure 39: Secure IaaS pattern

6.6. Evaluating Security using a Reference Architecture

In previous sections, we have identified some threats by analyzing the activities of use cases. Then, we have described some security patterns that mitigate or stop these threats. Therefore, we can now evaluate whether these security patterns (defenses) cover the threats. For instance, as shown in Table 6, we can apply the secure virtual machine image repository system to mitigate or stop some of the threats identified in previous sections. The authenticator and authorization modules can stop T1 and T4, in which only authenticated and authorized users can publish a VMI. The filter module mitigates threats T2 and T5. Any authorized user can store his VMI in the public repository, but it will be scanned to remove any malicious code before being stored. The secure network, which provides integrity and confidentiality while the VMI is being transmitted, mitigates T2.

Table 6: Threat List vs. Mitigation Defenses

| ID | Threats | Defense |
|---|---|---|
| T1 | The cloud customer is an impostor and publishes a VMI | Authenticator - Authorization |
| T2 | The cloud consumer inserts malicious code within a VMI | Filter module |
| T3 | An external attacker listens to the network to obtain information about the VMI | Secure network |
| T4 | The IaaS administrator is an impostor and collects information within the VMI | Authenticator - Authorization |
| T5 | The IaaS administrator creates a malicious VMI | Filter module |

Listing threats is not enough; we need a way to understand how an attack happens. Misuse patterns describe how an attack happens from the point of view of an attacker. We can use misuse patterns to test security of the reference architecture. We have developed some misuse patterns including Malicious Virtual Machine Creation [10]. This misuse pattern describes how an attacker may create a virtual machine image which can contain malicious code so it can infect other users when they create their virtual machine. Figure 40 describes how an attacker can publish a virtual machine image that contains malicious code.

Figure 40: Sequence Diagram for the use case Publish a Malicious VM Image

We can use the sequence diagram to show how the secure reference architecture can stop some threats described in the misuse pattern (Figure 41). In this example, we can see that if the attacker is not a valid user, the attack cannot go any further since the authentication will fail. If the attacker has a valid user account, his attempt to publish an image will then be intercepted by the reference monitor to check whether he is authorized or not. Even if the attacker is authorized, since he is a valid user and has rights to publish an image, his image will then be filtered to scan for malicious code. If the image contains malicious code, then it is removed before being stored.

Figure 41: Sequence Diagram for the Use Case Securely Publish VM Images
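The publish sequence described above, together with the Structure of Section 6.4.1 (Authenticator, Reference Monitor, Filter, Log), can be replayed in code to check each stage of the misuse case. This is an added example, not code from the dissertation; the class name, accounts, rights, sensitive paths and the malware marker are all constructed assumptions, and the marker check only stands in for a real scanner.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed policy: role names follow the text; rights and filter rules are assumed.
ROLE_RIGHTS = {"developer": {"publish", "retrieve"}, "end-user": {"retrieve"}}
SENSITIVE_PATHS = ("root/.ssh/", "root/.bash_history")   # hidden when filtering
MALWARE_MARKERS = (b"CONSTRUCTED-MALWARE-MARKER",)        # stand-in for a scanner


class AccessDenied(Exception):
    """Raised when the Authenticator or the Reference Monitor rejects a request."""


class SecureVMIRepository:
    def __init__(self):
        self._credentials = {}   # user -> (salt, PBKDF2 hash)
        self._user_roles = {}    # user -> set of role names (RBAC)
        self._images = {}        # image name -> {path: content}
        self.log = []            # Log: one record per access attempt

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, user, password, roles):
        salt = os.urandom(16)
        self._credentials[user] = (salt, self._derive(password, salt))
        self._user_roles[user] = set(roles)

    def _record(self, user, action, image, outcome):
        self.log.append({"when": datetime.now(timezone.utc).isoformat(), "user": user,
                         "action": action, "image": image, "outcome": outcome})

    def _authenticate(self, user, password):
        # Authenticator: unknown users get a dummy entry that can never match.
        salt, expected = self._credentials.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(self._derive(password, salt), expected)

    def _authorized(self, user, right):
        # Reference Monitor: a user holds a right only through an assigned role.
        return any(right in ROLE_RIGHTS.get(role, ())
                   for role in self._user_roles.get(user, ()))

    def _check(self, user, password, action, image):
        if not self._authenticate(user, password):
            self._record(user, action, image, "denied: authentication failed")
            raise AccessDenied("authentication failed")
        if not self._authorized(user, action):
            self._record(user, action, image, "denied: not authorized")
            raise AccessDenied("not authorized")

    @staticmethod
    def filter_image(files):
        """Filter: return (clean files, sorted paths that were removed)."""
        removed = sorted(p for p, c in files.items()
                         if p.startswith(SENSITIVE_PATHS)
                         or any(m in c for m in MALWARE_MARKERS))
        clean = {p: c for p, c in files.items() if p not in removed}
        return clean, removed

    def publish(self, user, password, name, files):
        self._check(user, password, "publish", name)
        clean, removed = self.filter_image(files)
        self._images[name] = clean
        self._record(user, "publish", name, f"stored, removed {removed}")
        return removed

    def retrieve(self, user, password, name):
        self._check(user, password, "retrieve", name)
        # Scan again on retrieval, so rules added after publication still apply.
        clean, removed = self.filter_image(self._images[name])
        self._record(user, "retrieve", name, f"served, removed {removed}")
        return clean


def run_misuse_cases():
    """Replay the publish misuse case at each stage and report what happened."""
    repo = SecureVMIRepository()
    repo.add_user("dev1", "correct horse", ["developer"])   # constructed accounts
    repo.add_user("user1", "battery staple", ["end-user"])
    image = {"etc/hostname": b"web01\n",                    # constructed image
             "root/.ssh/id_rsa": b"constructed private key",
             "usr/bin/updater": b"\x7fELF CONSTRUCTED-MALWARE-MARKER"}

    def attempt(user, password):
        try:
            return repo.publish(user, password, "lamp-stack", image)
        except AccessDenied as exc:
            return str(exc)

    return {"impostor": attempt("dev1", "guess"),
            "unauthorized": attempt("user1", "battery staple"),
            "authorized": attempt("dev1", "correct horse"),
            "served": sorted(repo.retrieve("user1", "battery staple", "lamp-stack")),
            "log_entries": len(repo.log)}
```

Calling `run_misuse_cases()` returns one outcome per stage: the impostor and the unauthorized user are rejected, the authorized publisher's image is stored without the flagged files, and every attempt leaves a log record.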

6.7. Summary

We have shown how to build a secure reference architecture for Cloud Computing. We have followed the methodology in [149] to match the application requirements to the cloud security. In order to develop a secure framework, we have identified a list of threats by analyzing the activities of use cases [141], but we also have done systematic enumeration of cloud threats in [3]. Identifying cloud threats is not enough; we need a way to describe how an attack is performed and what cloud units are compromised. We have developed misuse patterns that describe from the point of view of the attacker how an attack (misuse of information) is performed. We have started building a catalog of misuse patterns [10], which can be used to find where to add security patterns to stop them using a reference architecture. The security patterns are selected from the analysis of threats. For this work, we have developed a security pattern in order to demonstrate how it mitigates or stops some threats identified in previous sections.

7. RELATED WORK

A reference architecture is a standardized, generic architecture, valid for a particular domain, that does not contain implementation details [28]. It provides a template solution that can be instantiated into a specific software architecture by adding implementation-oriented aspects. There is no formal definition of what a reference architecture should contain. However, an approach to defining reference architectures is provided in [29]. A reference architecture should be described at an abstract level, and all details about implementation should only be considered for a specific software architecture instance.

Moreover, the authors in [152] proposed a pattern-based reference architecture which describes a framework that allows the consideration of different types of service-based systems. There are different reference architectures developed or being developed for Cloud Computing, and some of them are generic while others focus on specific areas or products.

A report by IBM [6] describes a Cloud Computing Reference Architecture that is based on their cloud implementation. They describe the architectural components using high level block diagrams where main characteristics of cloud stand out such as: roles (cloud service consumer, cloud service provider, and cloud service creator), cloud services (IaaS, PaaS, SaaS, and BPaaS – Business Process-as-a-Service), common cloud management platform (operational and business support services), infrastructure (servers, storage, network and facilities), and portals (service consumer portal, service developer portals, and service provider portal). The most noticeable component in this reference architecture is the Management Platform. They only state that non-functional requirements such as security, resiliency and must be considered across all layers of the model. Also, NIST [8] has produced a reference architecture which is similar to IBM’s. The purpose of their reference architecture is to develop an architecture that is not tied to any vendor and to address the US Government needs. The NIST reference architecture introduces three more actors: Cloud Broker, Cloud Auditor, and Cloud Carrier. NIST focuses only on the three basic delivery models (SaaS, PaaS, and IaaS). Regarding security, they state that security is a shared responsibility between cloud providers and consumers. Cloud service and deployment models have differing degrees of security implications. Our proposed reference architecture has the same goals as IBM and NIST: to provide a cloud model that can be used as guidance for designers or architects without any implementation details. However, they do not provide sufficient information about how different cloud services are composed.

HP [7] provides an overview of their CloudSystem’s architecture, including three CloudSystem offerings: HP CloudSystem Matrix, HP CloudSystem Enterprise, and HP Cloud Service Provider. This solution employs a three-layer architecture: supply, delivery and demand layers. The supply layer provides the delivery of infrastructure elements such as compute, network, storage, and other resources both physical and virtual. The delivery layer enables and manages the delivery of application services. The demand layer provides portal services for requesting services. Also, they describe some security solutions such as HP TippingPoint Intrusion Prevention System (IPS) that inspects all traffic moving in/out of the datacenter, Virtual Management Center which monitors virtual resources in each host, and virtual controller plus virtual firewall combination that controls traffic in/out of each virtual machine. This document describes a specific solution using HP technologies. However, our goal is to describe what the main components for cloud services are, not how to implement clouds using some specific solutions.

The Oracle Reference Architecture comprises two documents: Cloud Foundation [100] and Cloud Infrastructure [9]. The Cloud Foundation provides a conceptual architecture which defines architectural characteristics and requirements of clouds. The Cloud Infrastructure defines architecture views based on the conceptual architecture. Their objective was to present a reference architecture that is supported by their products.

The PCI-Compliant Cloud Reference Architecture defines a basic framework for building clouds that are compliant with Payment Card Industry (PCI) Data Security Standard (DSS). It provides a cloud architecture using products such as VMware, Cisco, Trend Micro, and HyTrust. It shows how these products’ additional security controls can meet the PCI DSS requirements. This architecture consists of four fundamental layers: cloud application, business orchestration, service orchestration, and infrastructure layers. The cloud application represents the external interface that allows access to the cloud services. The business orchestration layer consists of the configuration of the cloud entities and the governance policies for controlling the cloud deployment. Service orchestration represents the provisioning logic for the cloud infrastructure. Infrastructure layer consists of the virtual and physical servers, network, storage, hypervisor, security and management resources. This architecture only provides security requirements that cloud providers should follow in order to meet the PCI DSS standards using specific products.

8. CONCLUSIONS AND FUTURE WORK

Cloud Computing systems are complex systems that leverage different technologies and can be deployed in different ways such as public, private and hybrid, as well as provide services such as IaaS, PaaS, and SaaS. All this implies that it can be a challenge to understand how to make a cloud secure. We need to understand its security issues and how to make cloud environments secure. In this work, we have provided the following contributions:

1. We performed a systematic review of security issues for cloud environments where we enumerated the main cloud threats and vulnerabilities found in the literature [3]. In this analysis, we presented a categorization of security issues focused on each service model (SaaS, PaaS, and IaaS), and we identified which service model can be affected by these security issues. Also, we described the relationship between these threats and vulnerabilities and provided possible countermeasures for each identified threat.

2. We developed a reference architecture to have a precise view of cloud systems [150]. Since clouds are complex systems, we presented each service model in the form of patterns which describe their requirements, characteristics, main units, and the relationship between these units. We also included some use cases that describe common functions for cloud services in general as well as for each service model.

3. We described three specific cloud threats in the form of misuse patterns: Resource Usage Monitoring Inference, Malicious Virtual Machine Creation, and Malicious Virtual Machine Migration. The Resource Usage Monitoring Inference misuse pattern describes how an attacker tries to co-locate his virtual machine in the same server as the victim in order to infer some information. The Malicious Virtual Machine Creation misuse pattern depicts how an attacker can create a virtual machine image which contains malicious code in order to infect other virtual machines that use this image. Malicious Virtual Machine Migration describes how a virtual machine can be compromised while being migrated.

4. We showed how to secure a reference architecture by applying security patterns to add security defenses and misuse patterns to evaluate its security level. Besides the systematic review of security issues mentioned in 1), we also followed an approach from [141] in order to find possible threats by analyzing the activities from each use case. We analyzed an activity diagram for the use cases create and publish a virtual machine image in order to identify possible threats. Once the threats were identified, we followed the approach in [149] in order to find a matching security pattern to defend against these threats.

5. We developed a pattern for a secure virtual machine repository system which offers a secure control of virtual machine images by removing or hiding unwanted information. Then, we evaluated the level of security by showing how this security pattern stops or mitigates these threats.

This work can be extended by completing the catalog of misuse patterns to include those threats identified in [3]. From Table 3, we can identify some threats that can be described as misuse patterns:

• Covert channels in clouds – covert channels allow inter-VM communication bypassing the security rules of the hypervisor.

• Virtual machine escape – describes how to exploit the hypervisor in order to take control of the underlying platform.

• Virtual machine hopping – describes how a virtual machine can access other virtual machines by exploiting the hypervisor for example.

• Sniffing virtual networks – describes how a virtual machine can listen to the virtual network traffic in order to get confidential information.

• Spoofing virtual networks – describes how a malicious virtual machine can intercept information in the virtual network with the purpose of altering its routing function.

A good number of security patterns have been produced [151], but we still need to adjust them to be valid for cloud environments or to develop new security patterns that are specific for clouds. Also from Table 4, we can identify some security mechanisms and represent them as security patterns:

• Secure migration process – provides a continuous protection for live migration and offline migration as well.

• Secure hypervisor – reinforces the security of the hypervisor to avoid some attacks.

• Secure virtual networks – secures the communication among virtual machines.

• Virtualized trusted platform module – provides a framework to determine whether the environment is secure before launching a virtual machine.

• Web applications scanners – scans web applications in order to identify security vulnerabilities.

• Cloud data protection – protects sensitive data while it is processed, stored or transferred (encryption, digital signature, fragmentation-redundancy-scattering, homomorphic encryption).

Developing a good catalog for both security and misuse patterns can help designers and architects to use the reference architecture in order to add security and evaluate its security.

Another use of this cloud architecture is to be a reference for security certification of services. A cloud provider can show that his services can handle the corresponding threats which can increase customer trust. Also, a reference architecture can be used to support standards. It helps architects or designers to identify what components of the cloud system are associated with the standard and can be used to comply with the specific rules of the standard.

Moreover, hybrid clouds are becoming more popular due to security and privacy issues associated with public clouds. This reference architecture also provides general information for organizations wishing to integrate their existing IT processes and systems with cloud infrastructure. Before migrating any process or system, organizations should refer to the cloud architecture to plan a strategy for integrating existing resources to clouds, to understand the inherent issues and limitations, and to think in terms of moving some processes and data to the cloud.

REFERENCES

[1] P. Mell and T. Grance, “The NIST Definition of Cloud Computing,” NIST, Special Publication 800-145, Sep. 2011. Available: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[2] Centre for the Protection of National Infrastructure, “Information Security Briefing 01/2010 Cloud Computing,” Mar-2010. Available: http://www.cpni.gov.uk/Documents/Publications/2010/2010007-ISB_cloud_computing.pdf

[3] K. Hashizume, D. G. Rosado, E. Fernandez-Medina, and E. B. Fernandez, “An Analysis of Security issues for Cloud Computing,” accepted for the Journal of Internet Computing.

[4] F. Buschmann, R. Meunier, H. Rohnert, P. Sommerlad, and M. Stal, Pattern-Oriented Software Architecture Volume 1: A System of Patterns, Volume 1. Wiley, 1996.

[5] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design patterns: elements of reusable object-oriented software. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 1995.

[6] M. Behrendt, B. Glasner, P. Kopp, R. Dieckmann, G. Breiter, S. Pappe, H. Kreger, and A. Arsanjani, “IBM Cloud Computing Reference Architecture 2.0.” 2011. Available: http://thoughtsoncloud.com/index.php/2011/08/ibm-cloud-computing-reference-architecture-whats-in-it-for-me/

[7] HP, “Understanding the HP CloudSystem Reference Architecture.” 2011. Available: http://www.techrepublic.com/whitepapers/understanding-the-hp-cloudsystem-reference-architecture/3391071

[8] F. Liu, J. Tong, J. Mao, R. B. Bohn, J. V. Messina, M. L. Badger, and D. Leaf, “NIST Cloud Computing Reference Architecture.” 2011. Available: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505

[9] Anbu Krishnaswamy Anbarasu, “Oracle Reference Architecture - Cloud Infrastructure, Release 3.0.” Oracle, Nov-2011. Available: http://www.oracle.com/technetwork/topics/entarch/oracle-ra-cloud-infrastructure-r3-0-1395892.pdf

[10] K. Hashizume, N. Yoshioka, and E. B. Fernandez, “Three Misuse Patterns for Cloud Computing,” in Security Engineering for Cloud Computing: Approaches and Tools, D. G. Rosado, D. Mellado, E. Fernandez-Medina, and M. Piattini, Eds. IGI Global, 2013, pp. 36–53.

[11] E. B. Fernandez, N. Yoshioka, and H. Washizaki, “Modeling Misuse Patterns,” in Proceedings of the 4th Int. Workshop on Dependability Aspects of Data Warehousing and Mining Applications (DAWAM 2009), in conjunction with the 4th Int. Conf. on Availability, Reliability, and Security (ARES 2009), Fukuoka, Japan, 2009, pp. 566–571.

[12] E. B. Fernandez, O. Ajaj, I. Buckley, N. Delessy-Gassant, K. Hashizume, and M. M. Larrondo-Petrie, “A Survey of Patterns for Web Services Security and Reliability Standards,” Future Internet, vol. 4, no. 2, pp. 430–450, Apr. 2012.

[13] LLC, “Amazon Elastic Compute Cloud.” [Online]. Available: http://aws.amazon.com/ec2/. [Accessed: 20-Jan-2012].

[14] Eucalyptus Systems, “Eucalyptus Cloud.” [Online]. Available: http://www.eucalyptus.com/eucalyptus-cloud. [Accessed: 02-Feb-2012].

[15] OpenNebula Project, “About the OpenNebula.org Project.” [Online]. Available: http://opennebula.org/about:about. [Accessed: 01-Mar-2012].

[16] Microsoft, “Windows Azure.” [Online]. Available: http://www.windowsazure.com/en-us. [Accessed: 19-Feb-2012].

[17] Google, “Google App Engine.” [Online]. Available: https://developers.google.com/appengine/. [Accessed: 09-Mar-2012].

[18] Salesforce, “Force.com: A comprehensive look at the World’s Premier Cloud-Computing Platform.”

[19] Salesforce, “Salesforce product overview,” Salesforce.com. [Online]. Available: http://www.salesforce.com/products/. [Accessed: 28-Sep-2012].

[20] Google, “Welcome to Google Enterprise.” [Online]. Available: http://www.google.com/enterprise/apps/. [Accessed: 29-Sep-2012].

[21] FreshBooks, “Say Hello to Cloud Accounting.” [Online]. Available: http://www.freshbooks.com/. [Accessed: 30-Sep-2012].

[22] H. Leigang and X. Mingqing, “The future of automatic test system (ATS) brought by Cloud Computing,” in 2009 IEEE AUTOTESTCON, 2009, pp. 412–414.

[23] S. Zhang, S. Zhang, X. Chen, and X. Huo, “Cloud Computing Research and Development Trend,” in Second International Conference on Future Networks (ICFN ’10), Sanya, Hainan, China, 2010, pp. 93–97.

[24] C. Gong, J. Liu, Q. Zhang, H. Chen, and Z. Gong, “The Characteristics of Cloud Computing,” in 2010 39th International Conference on Parallel Processing Workshops (ICPPW), 2010, pp. 275–279.

[25] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, and M. Zaharia, “Above the Clouds: A Berkeley View of Cloud Computing,” 2009.

[26] S. Murugesan, “Understanding Web 2.0,” IT Professional, vol. 9, no. 4, pp. 34–41, Aug. 2007.

[27] “Virtualization,” Wikipedia. 14-Dec-2012.

[28] P. Reed, “Reference Architecture: The best of best practices,” Sep-2002. [Online]. Available: http://www.ibm.com/developerworks/rational/library/2774.html#author1. [Accessed: 10-Dec-2012].

[29] P. Avgeriou, “Describing, Instantiating and Evaluating a Reference Architecture: A Case Study,” Enterprise Architect Journal, Fawcette Technical Publications, Jun. 2003.

[30] E. B. Fernandez and X. Yuan, “Semantic Analysis Patterns,” in Proceedings of the 19th Int. Conf. on Conceptual Modeling, ER2000, 2000, pp. 183–195.

[31] M. Fowler, Analysis Patterns: Reusable Object Models, 1st ed. Addison-Wesley Professional, 1997.

[32] E. B. Fernandez, “Security Patterns,” in Proceedings of the Eight International Symposium on System and Information Security, 2006.

[33] M. Schumacher and U. Roedig, “Security Engineering with Patterns,” in PLoP 2001, 2001.

[34] M. Schumacher, E. B. Fernandez, D. Hybertson, F. Buschmann, and P. Sommerlad, Security Patterns Integrating Security & Systems Engineering. Wiley Series on Software Design Patterns, 2006.

[35] B. Kitchenham, “Procedures for Performing Systematic Review,” Software Engineering Group, Department of Computer Science Keele University, United Kingdom and Empirical Software Engineering, National ICT Australia Ltd., Australia, TR/SE-0401, 2004.

[36] B. Kitchenham and S. Charters, “Guidelines for performing Systematic Literature Reviews in Software Engineering. Version 2.3,” University of Keele (Software Engineering Group, School of Computer Science and Mathematics) and Durham (Department of Computer Science), UK, 2007.

[37] P. Brereton, B. A. Kitchenham, D. Budgen, M. Turner, and M. Khalil, “Lessons from applying the systematic literature review process within the software engineering domain,” Journal of Systems and Software, vol. 80, no. 4, pp. 571–583, 2007.

[38] Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing V3.0.” 2011. Available: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

[39] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and Privacy. O’Reilly Media, Inc., 2009.

[40] Cloud Security Alliance, “Top Threats to Cloud Computing V1.0.” 2010.

[41] ENISA, “Cloud Computing: Benefits, Risks and Recommendations for Information Security.” 2009. Available: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

[42] K. Dahbur, B. Mohammad, and A. B. Tarakji, “A survey of risks, threats and vulnerabilities in cloud computing,” in Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, Amman, Jordan, 2011, pp. 1–6.

[43] L. Ertaul, S. Singhal, and S. Gökay, “Security Challenges in Cloud Computing,” in Proceedings of the 2010 International Conference on Security and Management SAM’10, Las Vegas, US, 2010, pp. 36–42.

[44] B. Grobauer, T. Walloschek, and E. Stocker, “Understanding Cloud Computing Vulnerabilities,” IEEE Security Privacy, vol. 9, no. 2, pp. 50–57, 2011.

[45] S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1–11, Jan. 2011.

[46] M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono, “On Technical Security Issues in Cloud Computing,” in IEEE International Conference on Cloud Computing (CLOUD ’09), 2009, pp. 109–116.

[47] C. Onwubiko, “Security Issues to Cloud Computing,” in Cloud Computing: Principles, Systems & Applications, N. Antonopoulos and L. Gillam, Eds. Springer-Verlag, 2010.

[48] M. A. Morsy, J. Grundy, and I. Müller, “An Analysis of The Problem,” in Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 2010.

[49] W. A. Jansen, “Cloud Hooks: Security and Privacy Issues in Cloud Computing,” in Proceedings of the 44th Hawaii International Conference on System Sciences, Koloa, Kauai, HI, 2011, pp. 1–10.

[50] D. Zissis and D. Lekkas, “Addressing cloud computing security issues,” Future Generation Computer Systems, vol. 28, no. 3, pp. 583–592, 2012.

[51] W. Jansen and T. Grance, “Guidelines on Security and Privacy in Public Cloud Computing,” NIST, Special Publication 800-144, 2011.

[52] J. Ju, Y. Wang, J. Fu, J. Wu, and Z. Lin, “Research on Key Technology in SaaS,” in International Conference on Intelligent Computing and Cognitive Informatics (ICICCI), 2010, pp. 384–387.

[53] J. W. Rittinghouse and J. F. Ransome, “Security in the Cloud,” in Cloud Computing: Implementation, Management, and Security, CRC Press, 2009.

[54] D. Owens, “Securing Elasticity in the Cloud,” Communications of the ACM, vol. 53, no. 6, pp. 46–51, May-2010.

[55] OWASP, “The Ten Most Critical Web Application Security Risks.” 2010. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project [56] Y. Zhang, S. Liu, and X. Meng, “Towards high level SaaS maturity model: Methods and case study,” in Services Computing Conference. APSCC 2009. IEEE Asia-Pacific, 2009, pp. 273 –278. [57] F. Chong, G. Carraro, and R. Wolter, “Multi-Tenant Data Architecture,” Jun-2006. [Online]. Available: http://msdn.microsoft.com/en-us/library/aa479086.aspx. [Accessed: 05-Jun-2011]. [58] C.-P. Bezemer and A. Zaidman, “Multi-tenant SaaS applications: maintenance dream or nightmare?,” in Proceedings of the Joint ERCIM Workshop on Software Evolution (EVOL) and International Workshop on Principles of Software Evolution (IWPSE), Antwerp, Belgium, 2010, pp. 88–92. [59] J. Viega, “Cloud Computing and the Common Man,” Computer, vol. 42, no. 8, pp. 106–108, Aug-2009. [60] Cloud Security Alliance, “Security Guidance for Critical Areas of Mobile Computing.” Nov-2012. Available: https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1 .pdf [61] C. Keene, “The Keene View on Cloud Computing,” 18-Mar-2009. [Online]. Available: http://www.keeneview.com/2009/03/what-is-platform-as-service- paas.html. [Accessed: 16-Jul-2011]. [62] K. Xu, X. Zhang, M. Song, and J. Song, “Mobile Mashup: Architecture, Challenges and Suggestions,” in International Conference on Management and Service Science. MASS ’09, 2009, pp. 1 –4. [63] R. Chandramouli and P. Mell, “State of security readiness,” Crossroads, vol. 16, no. 3, pp. 23–25, Mar-2010. [64] T. Jaeger and J. Schiffman, “Outlook: Cloudy with a Chance of Security Challenges and Improvements,” IEEE Security Privacy, vol. 8, no. 1, pp. 77 –80, 2010.

149

[65] W. Dawoud, I. Takouna, and C. Meinel, “Infrastructure as a service security: Challenges and solutions,” in the 7th International Conference on Informatics and Systems (INFOS), 2010, pp. 1 –8. [66] A. Jasti, P. Shah, R. Nagaraj, and R. Pendse, “Security in multi-tenancy cloud,” in IEEE International Carnahan Conference on Security Technology (ICCST), 2010, pp. 35 –41. [67] T. Garfinkel and M. Rosenblum, “When virtual is harder than real: Security challenges in virtual machine based computing environments,” in Proceedings of the 10th conference on Hot Topics in Operating Systems, Santa Fe, NM, 2005, vol. 10, pp. 227–229. [68] J. S. Reuben, “A survey on virtual machine security,” Seminar on Network Security, 2007. [69] S. Venkatesha, “Survey of Virtual Machine Migration Techniques,” 2009. Available: http://www.academia.edu/760613/Survey_of_Virtual_Machine_Migration_Techniq ues [70] P. Ranjith, P. Chandran, and S. Kaleeswaran, “On Covert Channels between Virtual Machines,” Journal in Computer Virology, Springer, vol. 8, pp. 85–97, 2012. [71] J. Wei, X. Zhang, G. Ammons, V. Bala, and P. Ning, “Managing security of virtual machine images in a cloud environment,” in Proceedings of the 2009 ACM workshop on Cloud computing security, 2009, pp. 91–96. [72] K. Owens, “Securing Virtual Compute Infrastructure in the Cloud.” SAVVIS. Available: http://www.savvis.com/en-us/info_center/documents/hos-whitepaper- securingvirutalcomputeinfrastructureinthecloud.pdf [73] H. Wu, Y. Ding, C. Winer, and L. Yao, “Network security for virtual machine in cloud computing,” in 5th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), 2010, pp. 18 –21. [74] G. Xiaopeng, W. Sumei, and C. Xianqin, “VNSS: A network security sandbox for virtual computing environment,” in IEEE Youth Conference on Information Computing and Telecommunications (YC-ICT), 2010, pp. 395 –398.

150

[75] K. Popovic and Z. Hocenski, “Cloud computing security issues and challenges,” in Proceedings of the 33rd International Convention MIPRO, 2010, pp. 344 –349. [76] S. Carlin and K. Curran, “Cloud Computing Security,” International Journal of Ambient Computing and Intelligence, vol. 3, no. 1, pp. 38–46, 2011. [77] A. Bisong and S. Rahman, “An Overview of the Security Concerns in Enterprise Cloud Computing,” International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 1, pp. 30–45, Jan. 2011. [78] M. Townsend, “Managing a security program in a cloud computing environment,” in Information Security Curriculum Development Conference, Kennesaw, Georgia, 2009, pp. 128–133. [79] V. Winkler, Securing the cloud: Cloud computer security techniques and tactics. Elsevier Inc., 2011. [80] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds,” in Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 199–212. [81] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Cross-VM side channels and their use to extract private keys,” in Proceedings of the 2012 ACM conference on Computer and communications security, New York, NY, USA, 2012, pp. 305–316. [82] Z. Wang and X. Jiang, “HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity,” presented at the Proceedings of the IEEE Symposium on Security and Privacy, 2010, pp. 380–395. [83] C. Wang, Q. Wang, K. Ren, and W. Lou, “Ensuring data storage security in Cloud Computing,” presented at the 17th International Workshop on Quality of Service, 2009, pp. 1–9. [84] N. Santos, K. P. Gummadi, and R. Rodrigues, “Towards Trusted Cloud Computing,” in Proceedings of the 2009 conference on Hot topics in cloud computing, San Diego, California, 2009. [85] F. Zhang, Y. Huang, H. Wang, H. Chen, and B. 
Zang, “PALM: Security Preserving VM Live Migration for Systems with VMM-enforced Protection,” in Trusted

151

Infrastructure Technologies Conference, 2008. APTC ’08. Third Asia-Pacific, 2008, pp. 9 –18. [86] Cloud Security Alliance, “SecaaS Implementation Guidance, Category 1: Identity and Access Managament.” 2012. Available: https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_1_IAM_I mplementation_Guidance.pdf [87] S. Xiao and W. Gong, “Mobility Can Help: Protect User Identity with Dynamic Credential,” in Eleventh International Conference on Mobile Data Management (MDM), 2010, pp. 378 –380. [88] D. Harnik, B. Pinkas, and A. Shulman-Peleg, “Side Channels in Cloud Services: Deduplication in Cloud Storage,” IEEE Security Privacy, vol. 8, no. 6, pp. 40 –47, 2010. [89] J. Wylie, M. Bakkaloglu, V. Pandurangan, M. Bigrigg, S. Oguz, K. Tew, C. Williams, G. Ganger, and P. Khosla, “Selecting the right data distribution scheme for a survivable storage system,” CMU-CS-01-120, May 2001. [90] U. Somani, K. Lakhani, and M. Mundra, “Implementing digital signature with RSA encryption algorithm to enhance the Data Security of cloud in Cloud Computing,” in 1st International Conference on Parallel Distributed and Grid Computing (PDGC), 2010, pp. 211 –216. [91] M. Tebaa, S. El Hajji, and A. El Ghazi, “Homomorphic encryption method applied to Cloud Computing,” in National Days of Network Security and Systems (JNS2), 2012, pp. 86 –89. [92] E. Fong and V. Okun, “Web Application Scanners: Definitions and Functions,” in Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007. [93] D. Goodin, “Webhost hack wipes out data for 100,000 sites,” The Register, 08-Jun- 2009. [Online]. Available: http://www.theregister.co.uk/2009/06/08/webhost_attack/. [Accessed: 02-Aug- 2011].

152

[94] S. Berger, R. Cáceres, D. Pendarakis, R. Sailer, E. Valdez, R. Perez, W. Schildhauer, and D. Srinivasan, “TVDc: managing security in the trusted virtual datacenter,” SIGOPS Oper. Syst. Rev., vol. 42, no. 1, pp. 40–47, Jan. 2008. [95] S. Berger, R. Cáceres, K. Goldman, D. Pendarakis, R. Perez, J. R. Rao, E. Rom, R. Sailer, W. Schildhauer, D. Srinivasan, S. Tal, and E. Valdez, “Security for the cloud infrastructure: trusted virtual implementation,” IBM Journal of Research and Development, vol. 53, no. 4, pp. 560–571, Jul. 2009. [96] T. Ormandy, “An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments,” in CanSecWest Applied Security Conference, Vancouver, 2007. [97] J. Oberheide, E. Cooke, and F. Jahanian, “Empirical Exploitation of Live Virtual Machine Migration,” in Proceedings of BlackHat DC convention, 2008. [98] M. Naehrig, K. Lauter, and V. Vaikuntanathan, “Can homomorphic encryption be practical?,” in Proceedings of the 3rd ACM workshop on Cloud computing security workshop, 2011, pp. 113–124. [99] W. Han-zhang and H. Liu-sheng, “An improved trusted cloud computing platform model based on DAA and privacy CA scheme,” in International Conference on Computer Application and System Modeling (ICCASM), 2010, vol. 13, pp. V13–33 –V13–39. [100] M. Wilkins, “Oracle Reference Architecture - Cloud Foundation Architecture, Release 3.0.”. Available: http://www.oracle.com/technetwork/topics/entarch/oracle- ra-cloud-infrastructure-r3-0-1395892.pdf [101] K. Hashizume, E. B. Fernandez, and M. M. Larrondo-Petrie, “Cloud Service Model Patterns,” in 19th Conference on Pattern Languages of Programs, 2012. [102] K. Hashizume, E. B. Fernandez, and M. M. Larrondo-Petrie, “A pattern for Software-as-a-Service in Clouds,” in Workshop on Redefining and Integrating Security Engineering (RISE’12), Washington, DC, USA, 2012. [103] M. Hogan, F. Liu, A. Sokol, and J. 
Tong, “NIST Cloud Computing Standards Roadmap.” National Institute of Standards and Technology, Jul-2011. Available: http://collaborate.nist.gov/twiki-cloud- computing/pub/CloudComputing/StandardsRoadmap/NIST_SP_500-291_Jul5A.pdf 153

[104] National Institute of Standards and Technology, “Inventory of Standards Relevant to Cloud Computing,” Cloud Computing Collaboration Site. [Online]. Available: http://collaborate.nist.gov/twiki-cloud- computing/bin/view/CloudComputing/StandardsInventory. [Accessed: 15-Oct- 2012]. [105] Distributed Management Task Force, INC, “Open Virtualization Format (OVF).” [Online]. Available: http://www.dmtf.org/standards/ovf. [Accessed: 04-Dec-2012]. [106] VMware, “Virtual Appliances,” 07-Dec-2012. [Online]. Available: http://www.vmware.com/technical-resources/virtualization-topics/virtual- appliances/ovf. [107] IBM, “Deploying the virtual machine images.” [Online]. Available: http://pic.dhe.ibm.com/infocenter/tivihelp/v51r1/index.jsp?topic=%2Fcom.ibm.tusc. doc%2Fvm_install%2Fc_ctr_deploy_vms.html. [Accessed: 07-Dec-2012]. [108] “VirtualBox now supports OVF.” [Online]. Available: http://blog.virtualarchitect.nl/2009/04/virtualbox-now-supports-ovf/. [Accessed: 08- Dec-2012]. [109] OpenStack, “Open source software for building private and public clouds.” [Online]. Available: http://www.openstack.org/. [Accessed: 07-Dec-2012]. [110] Distributed Management Task Force, INC, “DMTF Releases Specification for Simplifying Cloud Infrastructure Management.” [Online]. Available: http://www.dmtf.org/news/pr/2012/8/dmtf-releases-specification-simplifying-cloud- infrastructure-management. [Accessed: 04-Dec-2012]. [111] Open Grid Forum, “Open Cloud Computing Interface WG (OCCI-WG).” [Online]. Available: http://www.ogf.org/gf/group_info/view.php?group=occi-wg. [Accessed: 04-Dec-2012]. [112] OpenNebula, “OpenNebula OCCI API Specification.” [Online]. Available: http://opennebula.org/documentation:archives:rel2.0:occidd. [Accessed: 08-Dec- 2012]. [113] Storage Networking Industry Association, “Cloud Data Management Interface (CDMI).” [Online]. Available: http://www.snia.org/cdmi. [Accessed: 04-Dec-2012].

154

[114] L. Badger, R. B. Bohn, R. Chandramouli, T. Grance, T. Karygiannis, R. Patt- Corner, and J. Voas, “Cloud Computing Use Cases.” [Online]. Available: http://www.nist.gov/itl/cloud/use-cases.cfm. [Accessed: 01-Jul-2012]. [115] Cloud Computing Use Case Discussion Group, “Cloud Computing Use Cases Version 4.0.” Jul-2010. Available: http://opencloudmanifesto.org/Cloud_Computing_Use_Cases_Whitepaper-4_0.pdf [116] C. Spence, J. Devoys, and S. Chahal, “Architecting for the Enterprise.” IBM, Oct-2009. Available: http://www.intel.com/content/www/us/en/cloud-computing/cloud-computing-intel- it-architecting-software-as-a-service-paper.html [117] Nexof, “Cloud Computing: Platform as a Service (PaaS).” 2010. Available: http://www.nexof-ra.eu/?q=node/669 [118] C. Baun and M. Kunze, “Building a private cloud with Eucalyptus,” in The 5th IEEE International Conference on E-Science Workshops, 2009, pp. 33 –38. [119] K. Hashizume and E. B. Fernandez, “A Pattern for WS-Security,” in First IEEE Int. Workshop on Security Eng. Environments, Shanghai, China, 2009. [120] , “UEC Package Install Separate.” [Online]. Available: https://help.ubuntu.com/community/UEC/PackageInstallSeparate#Overview. [Accessed: 03-Feb-2012]. [121] “About Nimbus,” 12-Feb-2012. [Online]. Available: http://www.nimbusproject.org/about/. [122] Hewlett-Packard Development Company, “HP Cloud Service.” [Online]. Available: http://hpcloud.com/. [Accessed: 02-Feb-2012]. [123] IBM, “IBMSmart Cloud.” [Online]. Available: http://www.ibm.com/cloud- computing/us/en/. [Accessed: 12-Sep-2012]. [124] L. Wang, J. Tao, M. Kunze, A. C. Castellanos, D. Kramer, and W. Karl, “Scientific Cloud Computing: Early Definition and Experience,” in 10th IEEE International Conference on High Performance Computing and Communications, 2008. HPCC ’08, 2008, pp. 825 –830. [125] D. Amrheim, “Forget Defining Cloud Computing.” [Online]. Available: http://soa.sys-con.com/node/1018801. [Accessed: 15-Jan-2012]. 155

[126] P. A. Karger and D. R. Safford, “I/O for Virtual Machine Monitors: Security and Performance Issues,” IEEE Security Privacy, vol. 6, no. 5, pp. 16 –23, Oct. 2008. [127] E. B. Fernandez and T. Sorgente, “A Pattern Language for Secure Operating System Architectures,” in Procs. of the 5th Latin American Conference on Pattern Languages of Programs, Campos do Jordao, Brazil, 2005, pp. 68–88. [128] R. Y. D. Camargo, A. Goldchleger, M. Carneiro, and F. Kon, “The Grid architectural pattern: Leveraging distributed processing capabilities,” in Procs. of the International Conference on Pattern Languages of Program Design 5, 2006, pp. 337–356. [129] E. B. Fernandez, K. Hashizume, I. Buckley, M. M. Larrondo-Petrie, and M. VanHilst, “Web services security: Standards and products,” in Web Services Security Development and Architecture: Theoretical and Practical Issues, C. A. Gutierrez, E. Fernandez-Medina, and M. Piattini, Eds. IGI Global Group, 2010, pp. 152–177. [130] Salesforce, “An Introduction to the Force.com IDE.” [Online]. Available: http://wiki.developerforce.com/page/An_Introduction_to_Force_IDE. [Accessed: 06-Mar-2012]. [131] Salesforce, “An Introduction to Environments.” [Online]. Available: http://wiki.developerforce.com/page/An_Introduction_to_Environments. [Accessed: 06-Mar-2012]. [132] Salesforce, “About the Force.com Developer Edition Environments.” [Online]. Available: http://wiki.developerforce.com/page/Developer_Edition. [Accessed: 06- Mar-2012]. [133] Salesforce, “Secure, private, and trustworthy: enterprise cloud computing with Force.com,” 06-Mar-2012. [Online]. Available: http://www.salesforce.com/assets/pdf/misc/WP_Forcedotcom-Security.pdf. [134] M. Dodani, “On ‘Cloud Nine’ Through Architecture,” The Journal of Object Technology, vol. 9, no. 3, 2010. [135] G. Lawton, “Developing Software Online With Platform-as-a-Service Technology,” Computer, vol. 41, no. 6, pp. 13 –15, Jun. 2008.

156

[136] A. V. Uzunov and E. B. Fernandez, “Engineering Security into Distributed Systems: A Survey of Methodologies,” to appear in Journal of Universal Computer Science. [137] Z. Pervez, S. Lee, and Y.-K. Lee, “Multi-tenant, secure, load disseminated SaaS architecture,” in Proceedings of the 12th international conference on Advanced communication technology, Piscataway, NJ, USA, 2010, pp. 214–219. [138] G. Liu, “Research on independent SaaS platform,” in 2010 The 2nd IEEE International Conference on Information Management and Engineering (ICIME), 2010, pp. 110 –113. [139] “IBM Cloud Computing: SaaS.” [Online]. Available: http://www.ibm.com/cloud- computing/us/en/saas.html. [Accessed: 09-Nov-2012]. [140] “Software as a service,” Wikipedia, the free encyclopedia. 25-Sep-2012. [141] F. A. Braz, E. B. Fernandez, and M. VanHilst, “Eliciting Security Requirements through Misuse Activities,” in Proceedings of the 2nd Int. Workshop on Secure Systems Methodologies using Patterns (SPattern’08). In conjunction with the 4th International Conference onTrust, Privacy & Security in Digital Busines(TrustBus’08), Turin, Italy, 2008, pp. 328 –333. [142] R. Sailer, T. Jaeger, E. Valdez, R. Caceres, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn, “Building a MAC-based security architecture for the Xen open- source hypervisor,” in Computer Security Applications Conference, 21st Annual, 2005. [143] G. Cheng, H. Jin, D. Zou, A. K. Ohoussou, and F. Zhao, “A Prioritized Chinese Wall Model for Managing the Covert Information Flows in Virtual Machine Systems,” in The 9th International Conference for Young Computer Scientists, 2008. ICYCS 2008., 2008, pp. 1481 –1487. [144] A. Aviram, S. Hu, B. Ford, and R. Gummadi, “Determinating Timing Channels in Compute Clouds,” in Proceedings of the 2010 ACM workshop on Cloud computing security workshop, Chicago, Illinois, USA, 2010. [145] Z. Wang and R. B. 
Lee, “Covert and Side Channels Due to Processor Architecture,” in Proceedings of the 22nd Annual Computer Security Applications Conference, Washington, DC, USA, 2006, pp. 473–482. 157

[146] J. Chandrashekar, S. Orrin, C. Livadas, and E. M. Schooler, “The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware,” Intel Technology Journal, vol. 13, no. 2, 2009. [147] K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, “Intrusion Detection for Grid and Cloud Computing,” IT Professional, vol. 12, no. 4, pp. 38 – 43, Aug. 2010. [148] W. Voorsluys, J. Broberg, S. Venugopal, and R. Buyya, “Cost of Virtual Machine Live Migration in Clouds: A Performance Evaluation,” in Proceedings of the 1st International Conference on Cloud Computing, Berlin, Heidelberg, 2009, pp. 254–265. [149] E. B. Fernandez, M. M. Larrondo-Petrie, T. Sorgente, and M. VanHilst, “A methodology to develop secure systems using patterns,” in Integrating security and software engineering: Advances and future vision, H. Mouratidis and P. Giorgini, Eds. IDEA Press, 2006, pp. 107–126. [150] K. Hashizume, E. B. Fernandez, and M. M. Larrondo-Petrie, “A Reference Architecture for Cloud Computing,” to be sent for publication. [151] E. B. Fernandez, Security patterns in practice - Designing secure architectures using software patterns. Wiley Series on Software Design Patterns (to appear). [152] V. Stricker, K. Lauenroth, P. Corte, F. Gittler, S. De Panfilis, and K. Pohl, “Creating a Reference Architecture for Service-Based Systems – A Pattern-Based Approach,” in Towards the Future Internet - Emerging Trends from European Research, G. Tselentis, A. Galis, A. Gavras, S. Krco, V. Lotz, E. Simperl, B. Stiller, and T. Zahariadis, Eds. IOS Press, 2010.

158