2014 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering
A secure cloud computing architecture design

Abir Khaldi (1), Kamel Karoui (2), Nada Tanabène (3) and Henda Ben Ghezala (4)
(1) RIADI, ENSI, University of Manouba, Manouba, Tunisia
(2) RIADI, ENSI, University of Manouba, Manouba, Tunisia
(3) INSAT
(4) RIADI, ENSI, University of Manouba, Manouba, Tunisia
Abstract—The high costs of network platforms, growth in customer requirements, data volumes and pressure on response time have pushed companies to migrate to cloud computing, which provides on-demand, Internet-hosted IT services. Cloud computing is based essentially on platform and server virtualization and promises reduced costs and increased flexibility. However, some challenges remain to be solved. Among these are security and trust issues, since the user's data has to be released to the cloud and thus leaves the protection sphere of the data owner. In this paper, we propose a cloud computing architecture offering ease of resource management, access security and service availability in a reliable structure at lower cost.

Keywords—Cloud computing, security, vulnerabilities, attacks, secure cloud architecture.

978-1-4799-4425-5/14 $31.00 © 2014 IEEE, DOI 10.1109/MobileCloud.2014.44

I. INTRODUCTION

Cloud computing is an evolving computing paradigm that is becoming progressively more popular. It is a model for delivering information technology services in which resources are retrieved from the Internet through web-based tools and applications, rather than through a direct connection to a server. Cloud computing is becoming a popular term in the information technology (IT) market, security and accountability. The security issues associated with cloud computing fall into two broad categories: security issues faced by cloud providers and security issues faced by customers [1]. In most cases, the provider must ensure that its infrastructure is secure and that its clients' data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information [2]. Cloud providers should meet the customers' service requirements; for that, the cloud computing architecture should implement various techniques to secure data, applications, resources and infrastructure. In this paper, we study the different security issues arising from the usage of cloud services in order to propose a secure cloud architecture that protects services, data and customer access. This paper is organized as follows: section 2 introduces a literature review of cloud computing and its security issues. Section 3 presents the related work. In section 4, we propose the secure cloud architecture. Section 5 is a case study of the cloud architecture. Finally, section 6 concludes and recommends future trends.

II. LITERATURE REVIEW

In this section, we present the cloud computing concept, its vulnerabilities and attacks.

A. Cloud computing

NIST [3] defines cloud computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and delivered with minimal managerial effort or service provider interaction”. NIST offers a list of the components that comprise cloud computing, illustrated in figure 1. The essential characteristics of cloud computing are [3]:
• On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically and without requiring human interaction with each service provider.
• Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
• Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different resources dynamically assigned and reassigned according to consumer demand.
• Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
• Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
Figure 1. Cloud Computing Overview Model

The service models of cloud computing are [3]:
• Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface.
• Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

The deployment models of cloud computing are [3]:
• Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
• Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
• Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.
• Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

B. Cloud Computing Vulnerabilities

Vulnerabilities in the cloud can be defined as loopholes in the security architecture of the cloud which can be exploited by an adversary via sophisticated techniques to gain access to the network and other infrastructure resources. In this section, we discuss major cloud-specific vulnerabilities, which constitute serious threats to cloud computing.
• Session Riding and Hijacking [4]: Session hijacking refers to the use of a valid session key to gain unauthorized access to the information or services residing on a computer system. It also refers to the theft of a cookie used to authenticate a user to a remote server, and it is relevant to web application technologies: weaknesses in the web application structure give hackers the chance to accomplish a wide variety of malicious activities. Session riding refers to hackers sending commands to a web application on behalf of the targeted user by just sending that user an email or tricking the user into visiting a specially crafted website.
• Reliability and Availability of Service [5]: In terms of reliability and availability, cloud computing is not a perfect technology. For example, in February 2008, Amazon's Web Service (Amazon S3) cloud storage infrastructure went down for several hours, causing data loss and access issues with multiple Web 2.0 services.
• Insecure Cryptography: It is common to find crucial flaws in cryptographic algorithm implementations, which can turn strong encryption into weak encryption or sometimes no encryption at all. For example, in cloud virtualization, providers use virtualization software to partition servers into images that are provided to the users as on-demand services [6], although utilization of those VMs in the cloud providers' data centers provides a more flexible and efficient setup than traditional servers [7].
• Data Protection and Portability [8]: The contract between a customer and a cloud service provider is jeopardized when it reaches its end of life. The same concern arises if the provider goes out of business for any reason: what would be the fate of customer services and data? Would this be transparent from the customer's perspective, with the provider handing over the client's data to a fail-over “trusted” provider? In regard to these questions, data protection and portability obviously remain a major weakness of cloud computing.
C. Attacks on cloud computing

By exploiting vulnerabilities in the cloud, attacks on cloud computing can be classified according to cloud service models; they are described below with their service model and mitigation [6, 7]:
• Wrapping attacks: these attacks occur between the web browser and the server by altering the Simple Object Access Protocol (SOAP) messages between two parties, the user and the attacker. Mitigation: Increase security during message passing from the web server to the web browser by using the SOAP message.
• Browser-based attacks: a browser attack alters the signature and encryption of SOAP messages. Web browser security must be defended against several types of attack, such as phishing, SSL certificate spoofing, and attacks on browser caches. Mitigation: Strong authentication and access controls should be implemented.
• Cloud injection attacks [9]: attempt to create malicious service implementation modules or virtual machine instances for the adversary, to be executed against the intended purpose. Examples of these modules are SQL injection, OS command injection and cross-site scripting. Mitigation: To defend against this type of attack, a service integrity checking module should be implemented, using hash algorithms.
• Denial of service attacks [10]: occur when an attacker sends many malicious requests to the server and consumes its available resources, CPU and memory. In cloud computing, due to the large number of cloud users (multi-tenancy) who share the cloud infrastructure, the problem of distributed DoS (DDoS) attacks has a much greater impact than in a single-tenant architecture. Mitigation: Use an intrusion detection or prevention system to detect or to avoid DoS and DDoS attacks.
• Privilege escalation: utilizes a vulnerability that comes from programming errors and aims to access protected resources without permission. Mitigation: Employ strong authentication, access control and encryption techniques.

III. RELATED WORK

In this section, we summarize some related works about cloud computing security. In [8] the authors analyzed some cloud computing vulnerabilities and threats. Then they summarized the attacks which can exploit these vulnerabilities, presenting every attack and the mitigation to avoid it. A cloud security architecture is proposed in that article. The key point of this architecture is Single Sign-On (SSO). Its line of defense includes firewall, intrusion detection and prevention, integrity monitoring, log inspection and malware protection. But in this proposed architecture, the intrusion prevention system is limited to the virtual management traffic zone; in fact, this system is needed to control the cloud's external customers. The authors in [11] discussed the security issues in all the models of cloud computing. They detailed these issues in SaaS models and focused on data security in the cloud. At the end of the article they presented some current security solutions, mainly based on web application security and control of the cloud traffic. Tripathi and Mishra [12] discussed the security issues that arise in a cloud computing framework. They focused on technical security issues arising from the usage of cloud services and also provided an overview of key security issues related to cloud computing with a view to a secure cloud architecture environment. The authors in [13] proposed a cloud security model and security framework that demystifies security challenges in cloud computing. The authors considered cloud orchestration environments and Single Sign-On tokens to provide a seamless experience to the user. Hashizume et al. [14] identified the main vulnerabilities and major threats found in the literature related to cloud computing, with a proposal of their vision of a possible solution. Mathisen [15] discussed some vital issues in ensuring a secure cloud environment. This included a basic view of security policies (e.g., insider threats, access control and system portability), software security (e.g., virtualization technology, host operating system, guest operating system and data encryption) and hardware security (e.g., backup, server location and firewall). The author concluded that an important potential issue of cloud security would be the use of open standards. Furthermore, although there are no specific security standards for cloud computing, conventional security concepts could be applied. Ubhale and Sahu [16] proposed a model called “Integrated Intrusion Detection and Prevention System (IIDPS)” which merges both IDS and IPS in a single mechanism. The mechanism also integrates Anomaly Detection (AD) and Signature Detection (SD) in order to detect a variety of attacks and stop them through the capability of the IPS.

IV. PROPOSAL OF A SECURE CLOUD ARCHITECTURE DESIGN

In sections 2 and 3 we outlined cloud computing security through the literature review and related works. In this section, we propose a secure cloud architecture, illustrated in figure 2, based on four axes: cloud architecture zones, cloud architecture policy, cloud security requirements and cloud architecture components. We explain the different architecture axes below:
A. Cloud Architecture Zones

We divided our architecture into 4 zones (figure 2), as explained below:
• Zone 1, Demilitarized Zone (DMZ): It hosts the services offered by the cloud to its clients, such as web server, e-mail and FTP file sharing. This zone contains machines potentially accessed from the outside.
• Zone 2, Internal Customer Zone: as shown in figure 2, the zone is composed of the hosting company's workstations. It is also used to perform internal tests to validate servers and the provided level of security.
• Zone 3, Management Zone: We can consider this zone as a trust zone. It is composed of critical servers which control and manage the whole cloud architecture. This zone can include:
  - A server which manages user authentication.
  - A database server hosting dynamic pages and critical business data.
  - A machine used for the management of the security equipment.
• Zone 4, External Customer Zone: external clients accessing the cloud services via the Internet use this zone. We consider it an ‘untrusted’ zone that could be a source of attacks.

Zones 1, 2 and 3 in the cloud environment constitute the CSP (Cloud Service Provider) and zone 4 is its external client, accessed via the Internet.

Figure 2. Secure cloud architecture design proposed

B. Cloud Security Policy

This section focuses on the implemented security policy. Additionally, we specify the relevant authorized and unauthorized cloud access (figure 3). The DMZ security policy is implemented as follows:
• All traffic from the external network to the DMZ → authorized
• Traffic sent from the internal network to the DMZ → authorized
• Traffic from the DMZ to the external network → refused
• Traffic from the DMZ to the internal network → refused
The security policy for the other internal zones (zone 2 and zone 3) is implemented as follows:
• Traffic from the external customer zone to the internal network (zone 2 and zone 3) → refused
• Traffic to critical servers is authorized only from the authorized administrator in zone 2.

Figure 3. Cloud security policy

C. Cloud Security Requirements

In the cloud architecture we need to protect virtual machines, traffic and provided services. This section focuses on the major points in securing the cloud:
• Virtual Machine Protection: Every VM (virtual machine) in the cloud is as vulnerable as its physical counterpart. So, to protect the VMs, a firewall and antivirus software should be installed on each cloud-based virtual machine.
• Control network traffic: Traffic control is used by network administrators to reduce latency, congestion and packet loss. In order to use these tools effectively, it is necessary to measure the network traffic to determine the root causes of network congestion and solve them appropriately. To control the internal and the external traffic in the cloud, we deploy an IPS (Intrusion Prevention System) in front of the DMZ.
• Cloud Segmentation: Planning segmentation carefully lowers the chances of packet transmission between virtual machine zones, which prevents sniffing attacks. We implemented segmentation using VLANs (Virtual Local Area Networks), set up to help safeguard the cloud, so every zone (zones 1, 2 and 3) of the CSP is a separate VLAN.
• High Availability: Availability is a recurring and growing concern in software-intensive systems. It needs to be analyzed through the use of presence information, forecasting of usage patterns and dynamic resource scaling [17]. In the proposed architecture shown in figure 2, we implement a clustered firewall to increase its availability, because it is a critical security component in our architecture.
• Data Privacy: Cloud data privacy problems are found at every stage of the data life cycle. For data storage and use, Mowbray et al. [18] proposed a client-based privacy management tool that provides a user-centric trust model to help users control their critical information during cloud storage and use. Data loss prevention (DLP) tools can help control the migration of data to the cloud and also find sensitive data leaked from the cloud.
• Authorization and access control: The challenge here is how to control the access priorities, permissions and resource ownership of authenticated users on the cloud. Also, one of the most difficult problems is how to monitor and control the activities of those privileged users [19]. Illegal internal access should be restricted by implementing intrusion prevention systems, and unauthorized external access should be prevented using secure remote access technologies such as the SSL/VPN tunnel implemented in our cloud architecture. Additionally, we can also use an authentication server such as RADIUS.
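The zone policy of section IV.B and the VLAN segmentation of section IV.C can be expressed as a single default-deny rule set and tested against sample flows. The following is an added example, not code from the paper: the VLAN subnets (10.1.0.0/24 for the DMZ, 10.2.0.0/24 for the internal customer zone, 10.3.0.0/24 for the management zone) and the administrator workstation 10.2.0.10 are constructed assumptions, since the paper names the zones but gives no addressing; anything outside those subnets is treated as zone 4.

```python
"""Zone-based traffic policy evaluator for the four-zone design.

Added example (not the paper's code). The paper names the zones and the
allow/refuse rules but gives no addressing, so the VLAN subnets and the
administrator host below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VLAN subnets, one per CSP zone (the paper gives no addresses).
ZONE_SUBNETS = {
    "dmz": ip_network("10.1.0.0/24"),         # zone 1: web, mail, FTP
    "internal": ip_network("10.2.0.0/24"),    # zone 2: CSP workstations
    "management": ip_network("10.3.0.0/24"),  # zone 3: critical servers
}
# Assumed: the one authorised administrator workstation in zone 2.
ADMIN_HOSTS = {ip_address("10.2.0.10")}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the CSP VLANs is zone 4."""
    ip = ip_address(addr)
    for name, net in ZONE_SUBNETS.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Apply the paper's zone policy to one flow; returns (verdict, reason).

    The most restrictive rule (management zone) is checked first and any
    flow the stated policy does not name falls through to deny.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Same VLAN: the traffic never crosses the cluster firewall (assumption).
        return "allow", "intra-zone traffic stays inside its VLAN"
    if dst_zone == "management":
        # Critical servers: only the zone 2 administrator may reach them.
        if src_zone == "internal" and ip_address(flow.src) in ADMIN_HOSTS:
            return "allow", "authorised administrator in zone 2 to critical servers"
        return "deny", "only the zone 2 administrator may reach the management zone"
    if dst_zone == "dmz" and src_zone in ("external", "internal"):
        return "allow", f"{src_zone} network to DMZ is authorised"
    if src_zone == "dmz":
        # The DMZ must not initiate traffic towards internal or external hosts.
        return "deny", "DMZ may not initiate traffic to other zones"
    if src_zone == "external":
        return "deny", "external customers may not reach internal zones"
    return "deny", "flow not covered by the stated policy (default deny)"


def audit(flows):
    """Evaluate a batch of flows and return (flow, verdict, reason) per flow."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows, one per policy line plus two edge cases.
    sample = [
        Flow("203.0.113.5", "10.1.0.20", 443),   # customer -> DMZ web
        Flow("10.2.0.33", "10.1.0.20", 80),      # workstation -> DMZ
        Flow("10.1.0.20", "203.0.113.5", 25),    # DMZ -> Internet
        Flow("10.1.0.20", "10.2.0.33", 445),     # DMZ -> workstation
        Flow("203.0.113.5", "10.3.0.2", 389),    # customer -> management
        Flow("10.2.0.10", "10.3.0.2", 3389),     # admin -> management
        Flow("10.2.0.33", "10.3.0.2", 3389),     # other workstation -> management
    ]
    for flow, verdict, reason in audit(sample):
        print(f"{flow.src:>14} -> {flow.dst:<12}:{flow.dport:<5} {verdict:5} {reason}")
```

Running the block prints one verdict per sample flow. The point of the default-deny tail is that a flow the paper's policy never mentions (for instance a workstation browsing the Internet) is refused until someone writes a rule for it, which is the behaviour to expect from the clustered firewall once the policy in figure 3 is loaded.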
D. Cloud Security Components

The architecture contains the following components in order to enhance its security:
• An IPS: The Intrusion Prevention System (IPS) allows us to audit the information system, detect intrusions, save intrusions in a log and react if data seem suspicious. Given that most attacks target public servers, we decided to place the IPS in front of the DMZ. In this case only the traffic between the DMZ and the internal network or the Internet is analyzed. In addition, we placed a sensor in this location, which allows us to detect attacks not filtered by the firewall. This minimizes network traffic analysis.
• A Cluster Firewall: A firewall is a system or group of systems that manages access control between two networks. All firewalls require a control policy that is input as the basis of traffic filtering. High availability in our architecture is provided by the firewall clustering technique, which involves the use of two firewalls: one in active mode and the other in standby mode. This technique provides transparent load balancing between nodes. It allows connections to be switched to an available node in case the original node is overloaded.
• A Tunnel SSL/VPN: the VPN (virtual private network) technology offers partitioning solutions through the use of the SSL (Secure Sockets Layer) protocol. The flow of data between the cloud and the outside is encrypted with SSL to ensure confidentiality.

V. CASE STUDY

To implement our architecture, we opted for the VMware vSphere Hypervisor 5, composed of an ESXi host and the vSphere Client. The different virtual machines composing the cloud architecture are divided into 4 zones. We separated these zones using VMware VLANs and we applied the security policies in the firewall. The first zone (Zone 1, DMZ) is composed of two servers, one for mail and the other for FTP and web. The second zone (Zone 2, Internal customer zone) is composed of one internal client. The third zone (Zone 3, Cloud management zone) is composed of an Active Directory machine, an SMC machine, an administrator machine and a database server. The cluster firewall is composed of 2 firewall nodes, and we installed the IPS in a separate virtual machine. Below, we test the functionality of this architecture and the performance of the security components in the cloud: the cluster firewall, the IPS and the SSL/VPN tunnel.

A. Test Cluster Firewall

To test the failover between firewall nodes, we disabled the first node and examined the log of the firewall. We found that the second node took over as expected (figure 4).

Figure 4. Balancing firewall
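The failover test above is verified by reading the firewall log by hand. The following is an added example, not the paper's code, of doing the same check automatically: it parses cluster state transitions, pairs each loss of the ACTIVE role with the next node that takes it, and measures the window in which no node was active, which is the number an availability review actually needs. The log line format and the sample lines are constructed assumptions; a real cluster's log syntax will differ and the regular expression must be adapted to it.

```python
"""Failover check over firewall cluster state logs.

Added example (not the paper's code). The paper only says the firewall
log showed the second node taking over; the log format below is a
constructed assumption and the sample lines are made up.
"""
import re
from datetime import datetime

# Assumed log line shape: "<ISO timestamp> <node> cluster: state <STATE>"
LOG_RE = re.compile(r"^(\S+) (\S+) cluster: state (ACTIVE|STANDBY|DOWN)$")

# Constructed sample: node 1 is disabled, node 2 takes over two seconds later.
SAMPLE_LOG = """\
2014-01-15T10:02:11 fw-node1 cluster: state ACTIVE
2014-01-15T10:02:11 fw-node2 cluster: state STANDBY
2014-01-15T10:05:40 fw-node1 cluster: state DOWN
2014-01-15T10:05:42 fw-node2 cluster: state ACTIVE
2014-01-15T10:09:00 fw-node1 cluster: state STANDBY
""".splitlines()


def parse(lines):
    """Yield (timestamp, node, state) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_failovers(lines):
    """Return one record per takeover, with the window in which no node was active."""
    failovers = []
    active_node = None   # node currently holding the ACTIVE role
    lost = None          # (node, time) when the active node left ACTIVE
    for ts, node, state in parse(lines):
        if state == "ACTIVE":
            if active_node is not None and active_node != node:
                # Two nodes claim ACTIVE at once: a dual-active (split-brain) condition.
                failovers.append({"from_node": active_node, "to_node": node,
                                  "down_at": None, "active_at": ts,
                                  "gap_seconds": 0.0, "dual_active": True})
            elif lost is not None:
                # Clean takeover: the standby node became active after the loss.
                failovers.append({"from_node": lost[0], "to_node": node,
                                  "down_at": lost[1], "active_at": ts,
                                  "gap_seconds": (ts - lost[1]).total_seconds(),
                                  "dual_active": False})
            active_node = node
            lost = None
        elif node == active_node:
            # The active node went DOWN or STANDBY: no firewall is active now.
            lost = (node, ts)
            active_node = None
    return failovers


def longest_outage(lines):
    """Longest interval without an active node across all clean takeovers."""
    gaps = [f["gap_seconds"] for f in find_failovers(lines) if not f["dual_active"]]
    return max(gaps, default=0.0)


if __name__ == "__main__":
    for f in find_failovers(SAMPLE_LOG):
        print(f"{f['from_node']} -> {f['to_node']}: "
              f"{f['gap_seconds']}s without an active node")
```

Two outcomes deserve attention when this is run over a real log: a gap longer than the cluster's advertised failover time, and any record flagged dual_active, since two active nodes mean the pair no longer agrees on who filters traffic.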
B. Test IPS

To test the IPS, we have to simulate an attack from an external customer on the cloud in order to examine IPS detection. The Metasploit Framework is a battery of attacks to test the vulnerability of a remote machine. So we use BackTrack to exploit the vulnerability “ms08_067” detected in the mail server. Before using the IPS, the attack succeeded and the session was opened. After deploying the IPS, the attack is detected and the IPS stops it (figure 5).

Figure 5. Attacks failed within IPS

C. Test SSL-VPN

From an external customer (zone 4), we send a mail first without SSL-VPN and then over SSL-VPN, to verify that the mail is encrypted. To capture the traffic, we use this tcpdump command:

tcpdump -i eth0 dst host 192.168.1.10 -A

where:
192.168.1.10: the destination IP address of the mail server
-A: display the contents of the captured packets

The result of the sniffing using tcpdump is shown in figure 6.a and figure 6.b.

Figure 6.a Sending Mail without SSL-VPN

Figure 6.b Sending Mail over SSL-VPN

The mail passed in clear in figure 6.a. But in figure 6.b, the mail passed encrypted in the cloud and tcpdump could not capture anything. So when we use SSL-VPN, we can use any inner protocol (SMTP, IMAP, HTTP, ...) without the risk of traffic interception. All data exchanged will be automatically encrypted.

VI. CONCLUSION

In this paper, we have presented the literature review of cloud computing and discussed major cloud security issues, including attacks and vulnerabilities. A secure cloud computing architecture design is proposed. This architecture is based on four zones (DMZ, management zone, internal customers and external customers) separated by a cluster firewall and an IPS to prevent attacks aiming at the DMZ. We plan to pursue research on auditing the cloud computing architecture to analyze its security level. In future work, we will try to propose a framework for automated audit, so that the audit process could become an independent service, “Audit as a Service”.
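The SSL-VPN test in section V.C judges by eye whether the mail captured with tcpdump -A is readable. The following is an added example, not the paper's code, that makes that judgement programmatic for any captured TCP payload (for instance one extracted from a pcap written with tcpdump -w): it looks for SMTP commands and replies, measures the share of printable bytes, and computes the byte entropy, which is near 8 bits for tunnelled or TLS-protected traffic and around 4 to 5 bits for an SMTP session in clear. Both payloads are constructed: the clear-text session is made up, and the "encrypted" one is a deterministic SHA-256 chain standing in for ciphertext, so no real capture is needed to run it.

```python
"""Plaintext-vs-encrypted check for captured mail traffic.

Added example (not the paper's code). It scores a captured TCP payload the
way an analyst reads a tcpdump -A dump: SMTP markers and a high share of
printable bytes mean the mail is readable on the wire; near-uniform byte
entropy with few printable bytes is what tunnelled (SSL/VPN) traffic looks
like. Both payloads below are constructed, not real captures.
"""
import hashlib
import math
from collections import Counter

# SMTP commands and replies an analyst expects to see in a clear-text session.
SMTP_MARKERS = (b"EHLO", b"HELO", b"MAIL FROM:", b"RCPT TO:", b"DATA",
                b"Subject:", b"220 ", b"250 ")

# Constructed clear-text SMTP exchange (the kind of output figure 6.a shows).
PLAINTEXT_SMTP = (
    b"220 mail.example.test ESMTP ready\r\n"
    b"EHLO customer.example.test\r\n"
    b"250-mail.example.test\r\n250 OK\r\n"
    b"MAIL FROM:<alice@example.test>\r\n250 OK\r\n"
    b"RCPT TO:<bob@example.test>\r\n250 OK\r\n"
    b"DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
    b"Subject: quarterly report\r\n\r\nThe figures are attached.\r\n.\r\n"
    b"250 OK: queued\r\nQUIT\r\n221 Bye\r\n"
)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain over a fixed seed."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


ENCRYPTED_LIKE = pseudo_random_bytes(2048)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random data approaches 8.0, English text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def smtp_markers_found(data: bytes) -> list:
    """Which SMTP verbs and reply codes appear verbatim in the payload."""
    return [m.decode() for m in SMTP_MARKERS if m in data]


def classify_payload(data: bytes) -> dict:
    """Label a payload as plaintext, encrypted-or-compressed, or unknown."""
    entropy = shannon_entropy(data)
    printable = printable_ratio(data)
    markers = smtp_markers_found(data)
    if markers or (printable > 0.9 and entropy < 6.0):
        verdict = "plaintext"
    elif entropy > 7.0 and printable < 0.5:
        # Compressed data scores the same way; confirm with the TLS handshake.
        verdict = "encrypted-or-compressed"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "entropy": round(entropy, 2),
            "printable_ratio": round(printable, 2), "markers": markers}


if __name__ == "__main__":
    for name, payload in (("without SSL-VPN", PLAINTEXT_SMTP),
                          ("over SSL-VPN", ENCRYPTED_LIKE)):
        print(name, classify_payload(payload))
```

In the paper's setup the filter dst host 192.168.1.10 sees nothing at all once the tunnel is up, because the tunnelled packets are addressed to the VPN gateway rather than to the mail server; this check is for the capture points where the traffic is visible, and it is the verdict on that traffic, not the absence of packets, that demonstrates confidentiality.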
REFERENCES

[1] “Swamp Computing a.k.a. Cloud Computing”, Web Security Journal, 2009-12-28, retrieved 2013-10-25.
[2] P. Wik, “Thunderclouds: Managing SOA-Cloud Risk”, Service Technology Magazine, October 2011.
[3] P. Mell and T. Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication 800-145 (Draft), 2011, retrieved 2013-10-11.
[4] T. Schreiber, “Session Riding: A Widespread Vulnerability in Today's Web Applications”, white paper, SecureNet GmbH, Dec. 2004, accessed 03-Jul-2013.
[5] J. M. Grimes, P. T. Jaeger and J. Lin, “Weathering the Storm: The Policy Implications of Cloud Computing”, 2009, accessed 19-Jul-2011.
[6] B. Grobauer, T. Walloschek and E. Stocker, “Understanding Cloud Computing Vulnerabilities”, IEEE Security & Privacy, vol. 9, no. 2, pp. 50-57, 2011.
[7] A. Greenberg, “Why Cloud Computing Needs More Chaos” [Online], 2009, accessed 20-Jul-2013.
[8] K. Munir and S. Palaniappan, “Secure Cloud Architecture”, Advanced Computing: An International Journal (ACIJ), vol. 4, no. 1, January 2013, accessed 13-05-2013.
[9] V. Mukhin and A. Volokyta, “Security Risk Analysis for Cloud Computing Systems”, 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, Prague, Czech Republic, 15-17 September 2011.
[10] F. Sabahi, “Cloud computing security threats and responses”, IEEE 3rd International Conference on Communication Software and Networks (ICCSN), 27-29 May 2011.
[11] S. Subashini and V. Kavitha, “A survey on security issues in service delivery models of cloud computing”, Journal of Network and Computer Applications, Elsevier, January 2011, accessed 20-04-2013.
[12] A. Tripathi and A. Mishra, “Cloud computing security considerations”, IEEE Int. Conference on Signal Processing, Communication and Computing (ICSPCC), Xi'an, Shaanxi, China, 14-16 Sept. 2011.
[13] K. Munir and S. Palaniappan, “Framework for Secure Cloud Computing”, International Journal on Cloud Computing: Services and Architecture (IJCCSA), vol. 3, no. 2, April 2013, accessed 14-Jul-2013.
[14] K. Hashizume, D. G. Rosado, E. Fernández-Medina and E. B. Fernandez, “An analysis of security issues for cloud computing”, Journal of Internet Services and Applications, 2013.
[15] Mathisen, “Security Challenges and Solutions in Cloud Computing”, 5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), Daejeon, Korea, 31 May - 3 June 2011.
[16] P. R. Ubhale and A. M. Sahu, “Securing Cloud Computing Environment by means of Intrusion Detection and Prevention System (IDPS)”, International Journal of Computer Science and Management Research, May 2013.
[17] M. Armbrust et al., “A view of cloud computing”, Commun. ACM, vol. 53, pp. 50-58, 2010.
[18] M. Mowbray and S. Pearson, “A client-based privacy manager for cloud computing”, Proc. Fourth International Conference on Communication System Software and Middleware (COMSWARE), Dublin, Ireland, 16-19 June 2009.
[19] D. Teneyuca, “Internet cloud security: The illusion of inclusion”, Information Security Technical Report, pp. 1-6, 2011.