CLOUD SECURITY
A Cloud Security Assessment System Based on Classifying and Grading
Xuexiu Chen, Alibaba Group, Beijing; Chi Chen, Chinese Academy of Sciences, Beijing; Yuan Tao, Third Research Institute of Ministry of Public Security, Shanghai; Jiankun Hu, University of New South Wales, Australia
A classifying- and grading-based cloud security assessment indicator system combines forward and feedback assessment to determine a cloud’s security level.
Cloud security has become a key limitation on the development of cloud computing. To ensure the stability and reliability of a cloud service, cloud security should be assessed regularly using a practical indicator system. A cloud security assessment indicator system guides the assessment process and standardizes its results. Because different cloud services must reach different security levels, such a system must offer different numbers of indicators and levels of assessment. Classifying and grading provide a method to build a complete and sound cloud security assessment indicator system.

This article proposes a complete cloud security assessment indicator system based on classifying and grading. The higher the security level, the more control points and requirements the system includes. A comprehensive assessment method that includes forward and feedback assessment is applied to an actual cloud system; in this way, we verify that the indicator system is rational and practical. (For related work on cloud security assessment, see the sidebar "Related Work in Cloud Security Assessment.")

Cloud computing has the characteristics of an information system, so cloud computing's security objectives and concepts are similar to those of traditional information systems. However, cloud computing introduces virtualization technologies and changes the service mode, which inevitably brings specific security problems, such as virtualization security issues and security problems related to the multitenant service model. Thus, the cloud security assessment indicator system is an extension of a security assessment indicator system for a traditional information system.1

IEEE Cloud Computing, published by the IEEE Computer Society. 2325-6095/15/$31.00 © 2015 IEEE

[Figure 1: the cloud computing information system is analyzed to determine its protection objects; their weaknesses and the threats they face are analyzed to export vulnerabilities; the vulnerabilities determine the protection requirements and the protection measures (which must satisfy the requirements and be strengthened where they do not); the measures determine the security control points and requirements of the cloud computing information system, which are classified, graded, and quantized into the cloud security assessment indicator system; the indicator system in turn verifies the control points and discovers new weaknesses.]
FIGURE 1. Steps in establishing a cloud security assessment indicator system. The indicator system established in this way is universal: anyone who knows the security assessment method can assess the security of all kinds of cloud computing information systems according to it.
Assessment Steps and Method
Figure 1 shows the four steps involved in establishing a cloud security assessment indicator system:

1. Determine the protection objects in the cloud.
2. Analyze the security threats, focusing on the protection objects' security vulnerabilities and the security threats they face.
3. Put forward security protection measures based on the results of the security threat analysis, then propose the control points and requirements of cloud security.
4. Grade the indicators, that is, the control points and requirements, based on classifying and grading, then quantify each indicator.

As we'll describe, these four steps allow us to put forward a complete cloud security assessment indicator system.

Determine the Protection Objects
We determine the protection objects according to the cloud service's delivery mode: infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). We identify seven protection layers. Table 1 compares protection objects in cloud and traditional information systems. In cloud information systems, the control points include both the traditional control points and additional cloud-related control points. The abstract resource security and software platform security layers must also be protected in the cloud system, and the virtualization devices must be protected in the network security and host security layers.

Analyze the Security Threats
Based on a cloud system's protection objects, we can analyze the system vulnerabilities and security threats
Table 1. Comparison of protection objects in traditional information systems and cloud computing information systems.

Delivery mode | Protection layer | Traditional information system | Cloud computing information system
IaaS | Physical security | Device, medium, environment | Device, medium, environment
IaaS | Network security | Traditional network structure, traditional network device, traditional security device | + Virtual network structure and virtual network device
IaaS | Host security | Operating system, database | + Virtual machine (VM)
IaaS | Abstract resource security | N/A | Host, VM, VM monitor (VMM), VM management program, VM cluster
PaaS | Software platform security | N/A | Middleware, development framework
SaaS | Application security | Business application system | Business application system
SaaS | Data security | Data | Data

("+" marks objects added on top of those of the traditional information system.)
Table 2. Sample of security threats facing the cloud system.

Protection object | Threat scene | Threat source | Threat object
Virtual machine | Malicious actors use vulnerabilities of the VMM or of software running within VMs to launch attacks, so as to attack or control the VM host operating system. | Vulnerabilities of the VMM or of software running within VMs | VM
Business application system | The development environment that PaaS provides includes a programming interface, operating system, database, and third-party applications. Malicious actors can exploit security vulnerabilities in any of these elements to attack all applications developed on that element. | Security vulnerabilities in the development environment that PaaS provides | All applications developed on the development environment
Cloud data | Cloud administrators access user data stored in the cloud illegally. | Improper internal management measures | Confidentiality of user data
from three aspects: threat scene, threat source, and threat object (see Table 2). Because of space limitations, we describe only three possible security threats.

Added Control Points for Cloud Security Assessment
The control points and requirements of cloud security are based on the risk analysis results. In this article, we focus on the control points and requirements newly added for the cloud. Based on China's GB/T 22239-2008 standard,2 we describe the added control points in the seven protection layers of the cloud as follows:

• Physical security: cloud security physical access control, cloud security electric power supply
• Network security: virtual network structure security, virtual access control, virtual network boundary integrity check, virtual network malicious code prevention, virtual network security audit, virtual network intrusion prevention, virtual network device protection
• Host security: virtual machine (VM) identity authentication, VM access control, VM security audit, VM intrusion prevention, VM and host virtual machine resource control
• Abstract resource security: virtual resource structure safety, virtual resource identity authentication, virtual resource access control, virtual resource intrusion prevention, virtual resource malicious code prevention, virtual resource security audit, resource control, mirror and snapshot protection, virtual resource subject and object security label, residual virtual information protection, virtual resource fault tolerance, trusted path
• Software platform security: middleware and development framework identity authentication, middleware and development framework security label, middleware and development framework access control, middleware and development framework security audit, residual information protection, communication integrity, communication confidentiality, middleware fault tolerance, resource control, trusted path
• Application security: cloud application resource access control, virtual resource application security audit, residual information protection, application data resource control
• Data security: user privacy data integrity verification, user privacy data confidentiality, backup and recovery of important cloud data, data security isolation

Each control point includes a few requirements in the complete cloud security assessment indicator system. Because of space limitations, only some of the requirements for each control point are shown here. Virtualization is the key technology in cloud computing, so this article focuses on the corresponding control points and requirements in the network security, host security, and abstract resource security layers.

[Figure 2: security assessment indicators of the abstract resource security layer. General level: virtual resource structure safety, virtual resource identity authentication, virtual resource access control, virtual resource intrusion prevention, virtual resource malicious code prevention, virtual resource security audit, resource control, mirror and snapshot protection. Enhanced level: the general-level indicators plus virtual resource subject and object security label, residual virtual information protection, virtual resource fault tolerance, trusted path.]
FIGURE 2. Sample of grading security assessment indicators. The higher a cloud information system's security level, the stronger the security protection ability it should have, and the more indicators are needed during the security assessment process, including more control points and more requirements.
Classifying- and Grading-Based Assessment
The security level of cloud systems can be divided into two grades: general and enhanced. At the general level, the cloud system should be able to resist general natural disasters and malicious attacks launched by small organizations with limited resources. The system should be able to discover important security vulnerabilities and security events. After being damaged, the system should be able to recover some functionality within a period of time. At the enhanced level, the cloud system should be able to resist serious natural disasters and malicious attacks launched by large organizations with abundant resources. The system should be able to discover most security vulnerabilities and security events. After being damaged, the system should be able to recover all functionality as soon as possible.

Using the principle of security grading, we take the added abstract resource security layer as an example. Figure 2 shows the result of grading its security assessment indicators. Because of space limitations, Figure 2 shows only the grading of the control points, not the grading of the requirements.
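To make the grading concrete, the following added example (not code from the article) models the abstract resource security layer's control points with the grades shown in Figure 2, selects the indicators a target level requires, and quantizes unit-assessment findings into a compliance rate. The findings for objects OR2 and OR3 are transcribed from Table 3 later in the article. Treating an indicator that Table 3 does not list for an object as not applicable, the ordering of grades (general below enhanced), and the rule that a failed identity authentication weakens an otherwise satisfied access control (the between-control-points finding of Table 4) are this example's assumptions about how the article's method would be automated.

```python
"""Indicator selection by security grade and quantization of unit-assessment
results. Added example; not code from the article."""
from dataclasses import dataclass
from enum import IntEnum


class Grade(IntEnum):
    GENERAL = 1
    ENHANCED = 2


@dataclass(frozen=True)
class ControlPoint:
    layer: str
    name: str
    grade: Grade  # lowest security level at which the control point is required


# Abstract resource security layer, graded as in Figure 2.
_LAYER = "abstract resource security"
ABSTRACT_RESOURCE = tuple(
    ControlPoint(_LAYER, name, grade)
    for name, grade in [
        ("virtual resource structure safety", Grade.GENERAL),
        ("virtual resource identity authentication", Grade.GENERAL),
        ("virtual resource access control", Grade.GENERAL),
        ("virtual resource intrusion prevention", Grade.GENERAL),
        ("virtual resource malicious code prevention", Grade.GENERAL),
        ("virtual resource security audit", Grade.GENERAL),
        ("resource control", Grade.GENERAL),
        ("mirror and snapshot protection", Grade.GENERAL),
        ("virtual resource subject and object security label", Grade.ENHANCED),
        ("residual virtual information protection", Grade.ENHANCED),
        ("virtual resource fault tolerance", Grade.ENHANCED),
        ("trusted path", Grade.ENHANCED),
    ]
)

# Unit-assessment findings transcribed from Table 3 for two assessment objects.
# True = satisfied, False = not satisfied. A control point absent from an
# object's dict was not assessed for that object (assumption: not applicable).
FINDINGS = {
    "OR2": {  # virtual machine monitor
        "virtual resource identity authentication": True,
        "virtual resource access control": True,
        "virtual resource security audit": True,
        "residual virtual information protection": False,
        "virtual resource intrusion prevention": False,
        "virtual resource malicious code prevention": True,
        "virtual resource fault tolerance": True,
        "resource control": True,
        "mirror and snapshot protection": True,
        "trusted path": True,
    },
    "OR3": {  # cloud security management platform
        "virtual resource identity authentication": False,
        "virtual resource access control": True,
        "virtual resource subject and object security label": False,
        "virtual resource security audit": True,
        "residual virtual information protection": False,
        "virtual resource intrusion prevention": False,
        "virtual resource malicious code prevention": False,
        "virtual resource fault tolerance": True,
        "resource control": True,
        "mirror and snapshot protection": True,
        "trusted path": False,
    },
}


def indicators_for_level(control_points, level):
    """Grading: a control point is assessed only if the target level requires it."""
    return [cp for cp in control_points if cp.grade <= level]


def quantize(control_points, findings, level):
    """Count satisfied and applicable indicators at `level`; list the failures."""
    required = indicators_for_level(control_points, level)
    satisfied = applicable = 0
    unsatisfied = []
    for obj, results in findings.items():
        for cp in required:
            if cp.name not in results:
                continue  # not assessed for this object
            applicable += 1
            if results[cp.name]:
                satisfied += 1
            else:
                unsatisfied.append((obj, cp.name))
    return satisfied, applicable, unsatisfied


def compliance_rate(control_points, findings, level):
    satisfied, applicable, _ = quantize(control_points, findings, level)
    return satisfied / applicable if applicable else 0.0


def weakened_access_control(findings):
    """Between-control-points rule (assumption modelled on Table 4): a failed
    identity authentication undermines an otherwise satisfied access control."""
    return sorted(
        obj for obj, results in findings.items()
        if results.get("virtual resource identity authentication") is False
        and results.get("virtual resource access control") is True
    )


if __name__ == "__main__":
    for level in Grade:
        s, a, bad = quantize(ABSTRACT_RESOURCE, FINDINGS, level)
        rate = compliance_rate(ABSTRACT_RESOURCE, FINDINGS, level)
        print(f"{level.name:8s}: {s}/{a} satisfied ({rate:.0%})")
        for obj, name in bad:
            print(f"    X {obj}: {name}")
    print("access control weakened by failed identity authentication:",
          weakened_access_control(FINDINGS))
```

Run at the general level, OR3's unsatisfied trusted path and security label are not counted, because the general level does not require them; at the enhanced level they are. That is the practical meaning of grading: the same findings yield a different compliance rate depending on the level the system must reach, and an object that looks acceptable at the general level can fail the enhanced one.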
Table 3. Results of the unit assessment.

Assessment layer | Assessment object | Assessment indicators
Physical security | Physics room (OP1) | Cloud security physical access control √; cloud security of electricity supply √
Physical security | Operation and maintenance of the physical environment (OP2) | Cloud security physical access control √; cloud security of electricity supply √
Physical security | Business office environment (OP3) | Cloud security physical access control √; cloud security of electricity supply √
Network security | Global network (ON1) | Virtual network security architecture X; virtual network boundary integrity checks √; virtual network malicious code prevention √; virtual network intrusion prevention X
Network security | Virtual Internet boundary firewall (ON2) | Virtual access control X; virtual network security audit √; virtual network device protection X
Network security | Core switch (ON3) | Virtual access control √; virtual network security audit √; virtual network device protection √
Network security | Border router (ON4) | Virtual access control √; virtual network security audit √; virtual network device protection √
Host security | Web application virtual machines (OH1) | Identity authentication of virtual machine √; virtual access control √; virtual network security audit √; virtual machine intrusion prevention X; virtual machine resource control √; virtual machine malicious code prevention √; virtual machine remaining information protection √
Host security | Host (OH2) | Host resource control √
Host security | Database virtual machine (OH3) | Identity authentication of virtual machine X; virtual access control √; virtual network security audit X; virtual machine intrusion prevention X; virtual machine resource control √; virtual machine malicious code prevention √; virtual machine remaining information protection √
Host security | Operation and maintenance terminal (OH4) | Identity authentication of virtual machine √; virtual access control √; virtual machine malicious code prevention √; virtual machine intrusion prevention √
Host security | Business terminal (OH5) | Identity authentication of virtual machine √; virtual access control √; virtual machine malicious code prevention √; virtual machine intrusion prevention √

Notes: O = object; P = physical, N = network, H = host, R = abstract resource, S = software platform, A = application, D = data, so OP/ON/OH/OR/OS/OA/OD identify the assessment object in the corresponding assessment layer; √ = satisfied, X = not satisfied.
To verify that the cloud security assessment indicator system is reasonable and practical, we used it to assess an actual cloud system. The security level of this system is defined as enhanced. We assessed the cloud system's security using a comprehensive assessment method with two parts: forward assessment, which includes unit assessment and entirety assessment, and feedback assessment.

Forward Assessment
We used the enhanced assessment indicator system to assess the selected cloud system's security. We selected 20 assessment objects from the system's seven assessment layers, and a total of 100 assessment indicators. Table 3 shows the results of the unit assessment: of the 100 assessment indicators, 73 were satisfied and 27 weren't, so the compliance rate of the unit assessment is 73 percent. Figure 3 shows the architecture of the assessed cloud system. The system is divided into six regions: Internet access area (H1), core area (H2), safety management area (H3), internal user area (H4), cloud service and data area (H5), and other system areas (H6). The assessment areas listed in
Table 3 (continued). Results of the unit assessment.

Assessment layer | Assessment object | Assessment indicators
Abstract resource security | Global abstract resources (among virtual machines) (OR1) | Virtual resource security architecture X; multitenant security isolation X; virtual resource intrusion prevention X; virtual resource malicious code prevention √; trusted path √
Abstract resource security | Virtual machine monitor (OR2) | Identity authentication of virtual resource √; virtual resource access control √; virtual resource security audit √; remaining virtual information protection X; virtual resource intrusion prevention X; virtual resource malicious code prevention √; virtual resource fault tolerance √; virtual resource control √; machine mirroring and snapshot protection √; trusted path √
Abstract resource security | Cloud security management platform (OR3) | Identity authentication of virtual resource X; virtual resource access control √; virtual resource subject and object security label X; virtual resource security audit √; remaining virtual information protection X; virtual resource intrusion prevention X; virtual resource malicious code prevention X; virtual resource fault tolerance √; virtual resource control √; machine mirroring and snapshot protection √; trusted path X
Software platform security | Independently developed middleware (OS1) | Identity authentication √; security label √; access control X; security audit √; remaining information protection √; communication integrity √; communication confidentiality √; middleware fault tolerance √; resource control √; trusted path X
Application security | Content management and publishing business systems (OA1) | Access control √; identity authentication X; security audit X; remaining information protection √; code security √; application data X; resource control √; software fault tolerance √; communication integrity √; communication confidentiality √
Data security | Business data (including users' privacy) (OD1) | User privacy data integrity verification √; confidentiality of user privacy data √; backup and restore of important cloud data √; isolation of user data √; data transplant X
Data security | Data management (including virtual machine image file) (OD2) | User privacy data integrity verification √; confidentiality of user privacy data √; backup and recovery of image file management √; data transplant X
Data security | User authentication information (OD3) | User privacy data integrity verification √; confidentiality of user privacy data X
Table 4 are distributed across areas H1 to H6. In the entirety assessment, the system is assessed from three aspects: between different security control points in the same assessment layer, between different assessment layers, and between different regions. Table 4 gives partial results of the entirety assessment.

Feedback Assessment
In the feedback assessment, we designed five attack paths using vulnerability scanning, internal penetration testing, and external penetration testing, as shown in Figure 4:

• Attack path 1: The attack source is on the Internet. The attack goes from H1 to H2, and from H2 to H3, H4, and H5. On finding the weak password of the administrator of the Internet boundary virtual firewall ON2 in H1, the attacker cracks it and gains firewall administrator privileges. Along this path, no exploitable vulnerabilities are discovered in other areas, so the cross-regional penetration attack doesn't succeed.
• Attack path 2: The attack source is in the user office area. The penetration attack goes from H4, through H2, to H3 and H5. An exploitable vulnerability of Web application virtual machine OH1
[Figure 3: the Internet connects to the Internet access area H1 (ON2, ON4), which connects to the core area H2 (ON1, ON3); the core area connects to the safety management area H3 (OH4, OR3), the internal user area H4 (OH5), the cloud service and data area H5 (OH1, OH2, OH3, OR1, OR2, OS1, OA1, OD1, OD2, OD3), and other system areas H6.]
FIGURE 3. Architecture of the assessed cloud system.
Table 4. Partial results for the entirety assessment.

Analysis aspect | Assessment areas | Analysis content | Detail
Between security control points | Network security | Virtual identity authentication and virtual access control | The weak password of Internet boundary virtual firewall ON2 can weaken the device's virtual access control function.
Between security control points | Host security | Virtual identity authentication and virtual access control | The weak password of database virtual machine OH3 can weaken the device's virtual access control function.
Between layers | Network security and host security; network security and abstract resource security | Virtual network access control and virtual host intrusion prevention; virtual network access control and virtual resource intrusion prevention | The network access control policy is configured strictly, which makes hosts' vulnerabilities invisible to the outside, thus reducing the associated risk.
Between regions | H1 and H5 | Internet boundary virtual firewall access control of H1 and host intrusion prevention of H5 | The network access control policy of Internet boundary virtual firewall ON2 is configured strictly, making the local common vulnerabilities and exposures (CVE) and high-risk vulnerabilities of H5 invisible to the outside, thus reducing the associated risk.
in H5 is discovered. Using the vulnerability, the attacker gains general user rights on OH1; after privilege escalation, it acquires system administrator privileges and then steals user privacy data.
• Attack path 3: The attack source is in the safety management area. The penetration attack goes from H3, through H2, to H5. It discovers an exploitable vulnerability of OH1.
[Figure 4: the architecture of Figure 3 with the five attack paths marked: A1 enters from the Internet through H1; A2 starts in the internal user area H4; A3 starts in the safety management area H3; A4 starts in other system areas H6; A5 is local to the cloud service and data area H5. Paths A2, A3, and A4 traverse the core area H2.]
FIGURE 4. Potential attack paths (A1–A5) designed during the feedback assessment.
• Attack path 4: The attack source is in other system areas. The penetration attack goes from H6, through H2, to H5. It discovers an exploitable vulnerability of OH1 in H5.
• Attack path 5: The attack source is in the physical machine room. Using local scanning in H5, an exploitable vulnerability of OH1 is discovered. In addition, the attacker finds that a user can easily access resources belonging to other users.

The feedback assessment leads to several conclusions. In attack path 1, firewall administrator privileges can be acquired using the weak password of the Internet boundary virtual firewall, which shows that poor identity authentication can weaken the access control function. The cross-regional penetration attack failed, showing that virtual network access control can enhance a virtual machine's intrusion prevention ability. The results of attack paths 2, 3, 4, and 5 show that the exploitable vulnerability of Web application virtual machine OH1 in H5 has a significant impact on the system's security protection ability. Attack paths 2, 3, and 4 all cross H2, which shows that the access control policy in H2 isn't strict enough. This conclusion is consistent with the unit assessment results. The results of attack path 5 show that virtual resource structure safety and multitenant isolation are not realized in this system. This conclusion is also consistent with the unit assessment results. The entire attack process was not detected, warned of, or blocked, which shows that the system's security protection ability should be improved in the future.
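The entirety assessment's between-regions finding (Table 4) and the five attack paths can be checked against each other with a small reachability model. The following is an added example, not code from the article or from the assessed system: the regions and links are transcribed from Figure 3, and the strict policy on ON2 and the three weaknesses come from Table 4 and the attack-path descriptions. The regions an attacker must start in to use each weakness (ON2's administrative interface exposed only on its Internet-facing side, OH1 reachable from any region, OR1's isolation failure observable only inside H5) and the treatment of a strict access-control policy as a blocked crossing are assumptions of the model.

```python
"""Feedback-assessment attack-path walk over the assessed architecture.
Added example; not code from the article."""
from collections import deque
from dataclasses import dataclass

# Network links between assessment regions, transcribed from Figure 3: the
# Internet reaches only the Internet access area H1, and the core area H2
# links every other area.
LINKS = {
    "Internet": {"H1"},
    "H1": {"Internet", "H2"},
    "H2": {"H1", "H3", "H4", "H5", "H6"},
    "H3": {"H2"},
    "H4": {"H2"},
    "H5": {"H2"},
    "H6": {"H2"},
}

# Directed crossings that a strict network access-control policy blocks for
# exploitation traffic (assumption). Table 4: the policy on the Internet
# boundary virtual firewall ON2 hides H5's vulnerabilities from the outside,
# so H1 -> H2 is closed. The core area's policy was found not strict enough,
# so no crossing through H2 is listed.
STRICT_CROSSINGS = {("H1", "H2")}


@dataclass(frozen=True)
class Finding:
    obj: str                 # assessment object identifier
    region: str              # region that hosts the object
    weakness: str            # what the assessment found
    from_regions: frozenset  # regions an attacker must start in to use it
    outcome: str             # what a successful attacker obtains


ANY_REGION = frozenset(LINKS)

FINDINGS = (
    # Attack path 1. Assumption: the firewall's administrative interface is
    # exposed on its Internet-facing side only.
    Finding("ON2", "H1", "weak administrator password",
            frozenset({"Internet", "H1"}), "firewall administrator privileges"),
    # Attack paths 2-5. Assumption: the Web application VM is reachable from
    # any region whose traffic is not filtered away.
    Finding("OH1", "H5", "exploitable Web application vulnerability", ANY_REGION,
            "system administrator after privilege escalation; user privacy data"),
    # Attack path 5: tenant isolation failure, observed only from inside H5.
    Finding("OR1", "H5", "multitenant isolation not realized", frozenset({"H5"}),
            "access to resources belonging to other users"),
)


def reachable_regions(source):
    """Breadth-first walk over LINKS that never takes a strict crossing."""
    seen = {source}
    queue = deque([source])
    while queue:
        here = queue.popleft()
        for nxt in LINKS[here]:
            if nxt in seen or (here, nxt) in STRICT_CROSSINGS:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def exploitable_from(source):
    """Objects whose weakness an attacker starting in `source` can use."""
    reach = reachable_regions(source)
    return sorted(f.obj for f in FINDINGS
                  if source in f.from_regions and f.region in reach)


def attack_path(source):
    """One feedback-assessment run from `source`: reach and what is gained."""
    reach = reachable_regions(source)
    hits = exploitable_from(source)
    return {
        "source": source,
        "reached": sorted(reach),
        "reached_data_area": "H5" in reach,
        "compromised": {f.obj: f.outcome for f in FINDINGS if f.obj in hits},
    }


if __name__ == "__main__":
    for src in ("Internet", "H4", "H3", "H6", "H5"):
        r = attack_path(src)
        print(f"from {src}: reached {r['reached']}; "
              f"cloud service and data area reached: {r['reached_data_area']}")
        for obj, gain in r["compromised"].items():
            print(f"    {obj}: {gain}")
```

Running it reproduces the reported outcomes: from the Internet only ON2 is exploitable and H5 stays out of reach, while from H3, H4, and H6 the path crosses the permissive core area and reaches OH1, and the local run in H5 additionally surfaces the tenant isolation failure. Adding ("H2", "H5") to STRICT_CROSSINGS is the quickest way to see what a stricter core-area policy would have changed for paths 2, 3, and 4.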
Assessment Conclusion
We used the comprehensive assessment method to verify the cloud security assessment indicator system's reasonableness and validity. First, the unit assessment calculated that the safety index of this system is 73 percent, indicating that the assessed cloud system has some security risks. Then, in the entirety assessment, we divided the system into six assessment regions, each including some assessment objects, and assessed the system according to the indicator system from three aspects: between security control points in the same assessment layer, between assessment layers, and between regions. The entirety assessment determines the system's concrete security risks. Finally, in the feedback assessment, we designed five attack paths to perform penetration tests on the system. The conclusions of the feedback assessment and the results of the forward assessment further verify the cloud security assessment indicator system's reasonableness and validity.

Our future work will investigate how to use the taxonomy framework of dependability3 for the systematic assessment of cloud security. In addition, more and more biometric security applications are being introduced into the cloud.4,5 Biometrics are considered medical data insofar as privacy is concerned, and must be compliant with the Health Insurance Portability and Accountability Act (HIPAA).6 Determining how to incorporate the protection of this data into the cloud assessment system will be an interesting research issue in the future.

Acknowledgments
This work was supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (number XDA06040602) and the Xinjiang Uygur Autonomous Region Science and Technology Plan (number 201230121).

References
1. D.G. Feng et al., "Study on Cloud Computing Security," J. Software, vol. 22, no. 1, 2011, pp. 71–83.
2. Basic Requirements of Information Security Protection Technology of Information System Security, Chinese Standard GB/T 22239-2008, 2008.
3. J. Hu et al., "Seamless Integration of Dependability and Security Concepts in SOA: A Feedback Control System Based Framework and Taxonomy," J. Network and Computer Applications, vol. 34, no. 4, 2011, pp. 1150–1159.
4. J. Hu, D. Gingrich, and A. Sentosa, "A k-Nearest Neighbor Approach for User Authentication through Biometric Keystroke Dynamics," Proc. IEEE Int'l Conf. Comm. (ICC), 2008, pp. 1556–1560.
5. K. Xi, Y. Tang, and J. Hu, "Correlation Keystroke Verification Scheme for User Access Control in Cloud Computing Environment," The Computer J., vol. 54, no. 10, 2014, pp. 1632–1644.
6. J. Hu, H.H. Chen, and T.W. Hou, "A Hybrid Public Key Infrastructure Solution (HPKI) for HIPAA Privacy/Security Regulations," Computer Standards & Interfaces, vol. 32, nos. 5–6, 2010, pp. 274–280.

Sidebar: RELATED WORK IN CLOUD SECURITY ASSESSMENT
Many organizations are paying increasing attention to cloud security assessment. In 2009, the European Network and Information Security Agency (ENISA) issued the Cloud Computing Information Assurance Framework (IAF). In 2010, the United States began the Federal Risk and Authorization Management Program (FedRAMP). In the same year, the Cloud Security Alliance (CSA) issued the Cloud Control Matrix (CCM). However, all of these standards lack associativity and a systematic approach. In 2011, CSA issued the third version of its Security Guidance for Critical Areas of Focus in Cloud Computing,1 which proposes a reference model for cloud computing but doesn't embody the idea of classified protection. Marco Anisetti and his colleagues proposed a test-based security certification scheme, but it's still at the theoretical research stage.2

Much research on cloud security assessment has been conducted. Prasad Saripalli and Ben Walters proposed a quantitative cloud security assessment framework, but its indicators don't clearly reflect the characteristics of the cloud.3 Others proposed frameworks for monitoring, identifying, assessing, and reducing risk for cloud platforms, but their risk assessment is incomplete.4,5 Z. Jiang and his colleagues proposed a cloud security assessment indicator system, but it cannot fully reflect the demands of cloud security; in particular, it fails to consider virtualization security assessment.6 Therefore, there's an immediate need for a complete cloud security assessment indicator system that can meet the needs of cloud security.

Sidebar references
1. Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0, CSA, 2011; https://cloudsecurityalliance.org/research/security-guidance.
2. M. Anisetti, C.A. Ardagna, and E. Damiani, "A Test-Based Security Certification Scheme for Web Services," ACM Trans. Web (TWEB), vol. 7, no. 2, 2013, article 5; doi:10.1145/2460383.2460384.
3. P. Saripalli and B. Walters, "QUIRC: A Quantitative Impact and Risk Assessment Framework for Cloud Security," Proc. IEEE 3rd Int'l Conf. Cloud Computing (CLOUD), 2010, pp. 280–288.
4. K. Djemame et al., "A Risk Assessment Framework and Software Toolkit for Cloud Service Ecosystems," Proc. 2nd Int'l Conf. Cloud Computing, Grids, and Virtualization, 2011, pp. 119–126.
5. M. Kiran et al., "Towards a Service Lifecycle Based Methodology for Risk Assessment in Cloud Computing," Proc. IEEE 9th Int'l Conf. Dependable, Autonomic and Secure Computing (DASC), 2011, pp. 449–456.
6. Z. Jiang, W. Zhao, and Y. Liu, "Security Assessment Model for Cloud Computing Based on Classified Protection," J. Computer Science, vol. 40, no. 8, 2013, pp. 151–156.
XUEXIU CHEN is an advanced security expert in the security department at the Alibaba Group. Her research interests include cloud security. Chen has an MS in communication engineering from the University of Electronic Science and Technology, Chengdu, China. Contact her at [email protected].

CHI CHEN is an associate research fellow at the Institute of Information Engineering, Chinese Academy of Sciences. His research interests include cloud security and database security. Chen has a PhD in information security from the Institute of Software, Chinese Academy of Sciences, Beijing. Contact him at [email protected].

YUAN TAO is a research assistant at the MPS Information Classified Security Protection Evaluation Center, the Third Research Institute of the Ministry of Public Security. His research interests include classified security protection, cloud security, and Internet of Things security. Tao has a PhD in control theory and control engineering from the University of Science and Technology, Beijing. Contact him at [email protected].

JIANKUN HU is a professor and research director at the Cyber Security Lab at the University of New South Wales, Canberra, Australia. He also serves on the Panel of Mathematics, Information and Computing Sciences for the Australian Research Council's Excellence in Research for Australia (ERA) Evaluation Committee. His research interests include biometric security and network security. Hu has a PhD in control engineering from Harbin Shipbuilding University. Contact him at [email protected].