Procedia Computer Science 134 (2018) 328–333
The 2nd International Workshop on Big Data and Networks Technologies (BDNT'2018)
IaaS Cloud Model Security Issues on Behalf Cloud Provider and User Security Behaviors

El Balmany Chawki*, Asimi Ahmed, Tbatou Zakariae
LabSiv Laboratory, Faculty of Sciences, Ibn Zohr University, Agadir, Morocco.

Abstract
The IaaS model is arguably the most fundamental service delivery model in cloud computing. It holds a wide variety of virtualized IT resources furnished as on-demand services. Platform virtualization is the quintessence of this model: the user is able to provision and manage its own environment on remote physical servers (CPU, storage servers) over the Internet. However, users are still reluctant to migrate their private data into cloud servers because of security, which remains the main inhibitor of cloud computing's growth. In this paper, we thoroughly explore the security issues within IaaS model components with respect to CSP and user security behaviors. Furthermore, we map the CSA Top 12 threats that hamper the flexibility and scalability of the IaaS model onto those components.
© 2018 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/). Peer-review under responsibility of the scientific committee of the 13th International Conference on Future Networks and Communications, FNC-2018 and the 15th International Conference on Mobile Systems and Pervasive Computing, MobiSPC 2018.

Keywords: IaaS; Cloud; Security; Issues; Virtualization; User; CSP; Behavior
1. Introduction and notations

Cloud computing is a new ubiquitous technology where IT resources are delivered to users as services reachable via the Internet. Moreover, cloud computing has given users the opportunity to migrate their data and applications towards the cloud. Instead of working on a workstation with expensive resources and applications, users take advantage of cloud-delivered, on-demand resources and applications at low cost. Thus, NIST [1] has highlighted the cloud and resource-exposure models as: i) Infrastructure-as-a-Service (IaaS), where IT resources (computation, data storage, networking) are delivered as services, so that users benefit from managing the OS and applications themselves; ii) Platform-as-a-Service (PaaS), a model where the CSP provides a development environment in the hands of users to create and run their own applications; iii) Software-as-a-Service (SaaS), a software licensing and delivery model in which users benefit from remote applications.

* Corresponding author. Tel.: +212-648-727-210; Fax: +212-522-820696. E-mail address: [email protected]

ISSN 1877-0509. doi:10.1016/j.procs.2018.07.180
El Balmany Chawki et al. / Procedia Computer Science 134 (2018) 328–333
The governance of cloud security [2] is significant in the SaaS and PaaS models, where the CSP is solely responsible for managing and administrating the IT stack from the application or platform down to the physical layer. The IaaS model, by contrast, remains a topic of discussion because preserving the security requirements is a shared accountability between user and CSP. The main intention of this review is to appraise the security issues and vulnerabilities hampering the well-functioning of several IaaS model components with respect to CSP and user behaviors and responsibilities, in order to fulfill the expected security requirements. This paper is structured as follows: Section II gives an overview of the IaaS model and its security properties; Section III covers the security issues in IaaS components; finally, Section IV presents the CSA Top 12 threats and risks among the different layers of IaaS (VMs, data storage, network), besides the role of user and CSP in dealing with each of them. Below are the notations used throughout this paper.

Nomenclature
IaaS  Infrastructure-as-a-Service
CSP   Cloud Service Provider
VM    Virtual Machine
VMM   Virtual Machine Monitor
QoS   Quality of Service
SLA   Service Level Agreement
CSA   Cloud Security Alliance
2. Literature overview

2.1. Overview of cloud IaaS model components

The Infrastructure-as-a-Service (IaaS) model is the most fundamental cloud service model. It holds a wide variety of resources aggregated and managed under the full control of consumers. Services are delivered with advanced capabilities, the most relevant being storage, network, computation, pay-per-use billing and on-demand provisioning [3]. In the literature, most research treats the IaaS model as services situated above the infrastructure layer, with the physical hardware and network implemented in the infrastructure layer, as illustrated in Fig. 1.
Fig. 1. IaaS model physical and software layers
Fig. 2. Hypervisor in IaaS model
Basically, the cloud IaaS model comprises two main kinds of components [4]. First, physical components: computer hardware, storage servers and network. Second, software components, such as cloud software or APIs (Application Programming Interfaces), which act as a front door for users to reach the set of cloud services. Furthermore, existing software technologies embraced in cloud computing include utility computing, whereby IT resources are delivered through an on-demand, pay-per-use billing method reachable by web services [5], with the main purpose of reducing the total cost of the resources users consume. Likewise, a legal contract offered by the CSP as
part of its agreements with the end user, which represents a solution to guarantee a suitable level of Quality of Service (QoS) [6] and to determine each party's benefits and liabilities, is described within the SLA. Finally, platform virtualization remains the quintessence of this paradigm, and the CSP benefits from it as shown in Fig. 2: several operating systems and applications run on a single physical system, and common resources are shared among users.

2.2. IaaS model security requirements

The fundamental perspective of this paper is to pinpoint IaaS model security. Security governance remains a complicated task since several components and parties are involved. In order to appraise the security issues over IaaS model components, it is first necessary to understand and assess that security in the IaaS model, more than in the other cloud service models, is a shared task between user and CSP [7]. The CSP has basically limited responsibilities in the IaaS model: it is supposed to have full control over the hypervisor layer and everything beneath it, while the end user is responsible for configuring its own environment and securing its virtual guest OS. As shown in Table 1, IaaS model components are related to qualitative security requirements that should be established according to user and CSP responsibilities, in order to ensure the well-functioning of the whole architecture and guarantee the expected properties in each component through the appropriate behavior of the involved actor.

Table 1. Security properties required in each IaaS model component on behalf of user and CSP behaviors.

Component          | Authentication | Encryption | Integrity | Availability | Access Control
Computing Hardware | CSP            | -          | -         | CSP          | -
Virtualization     | CSP/USER       | -          | CSP/USER  | CSP          | CSP/USER
Data Storage       | -              | CSP/USER   | USER      | CSP          | CSP/USER
Networking         | -              | -          | -         | CSP          | CSP/USER
Cloud Software     | CSP            | -          | -         | CSP          | -
Utility Computing  | -              | -          | CSP       | -            | CSP
SLA                | -              | -          | -         | CSP          | CSP
3. IaaS model security issues

3.1. SLA security issues

Despite the paramount necessity of the SLA to depict availability and the privacy of user data, there exists no standard for establishing an SLA between the involved parties. According to Modi et al. [8], many cloud providers like Google, Amazon and Salesforce hide many parameters of the full proposed SLA, so it is not clear to users whether their data is safely preserved. In the literature, several works broach SLA security solutions, such as the Web Service Level Agreement framework [9] for SLA monitoring and enforcement in SOA. Some place the SLA with a trusted third party between CSP and user. Besides, Carvalho et al. [10] have proposed a state of the art concerning the security issues of SLAs for cloud computing.

3.2. Utility computing security issues

The first obstacle that cripples the usage of this concept is the complexity of the cloud computing architecture: it needs a higher provisioning of metered services and permanent control of users' usage. Furthermore, attackers intrude on resources without paying; some gain access to storage servers, or use them for data mining. Likewise, a compromised user can execute a Fraudulent Resource Consumption (FRC) attack [11]: the attacker consumes the metered bandwidth of a web-based service with legitimate-looking requests, so that the victim tenant pays for the consumed resources.
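The FRC attack above is hard to see with DoS-oriented thresholds because the request rate stays modest; what stands out is the metered quantity itself, bytes billed per client. The following detector, added here as an example and not part of the paper or of reference [11], aggregates bytes served per client from constructed Common Log Format lines and flags clients far above a robust baseline (median plus K times the median absolute deviation). The log lines, the IP addresses and the K=5 threshold are all constructed for illustration.

```python
"""Flag Fraudulent Resource Consumption (FRC) candidates in web access logs.

Added example. Aggregates bytes served per client over a log window and
flags clients whose consumption is far above the population baseline
(median + K * MAD). This is one plausible heuristic, not a standard.
"""
import re
from collections import defaultdict
from statistics import median

# Common Log Format: ip ident user [ts] "request" status bytes ('-' = none)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (not real traffic): 203.0.113.9 repeatedly fetches a
# large object at a low rate, which inflates the metered bandwidth bill.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.2 - - [01/Jan/2018:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 4096
10.0.0.3 - - [01/Jan/2018:10:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 20480
10.0.0.1 - - [01/Jan/2018:10:00:05 +0000] "GET /css/site.css HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2018:10:00:06 +0000] "GET /video/big.mp4 HTTP/1.1" 200 52428800
203.0.113.9 - - [01/Jan/2018:10:00:07 +0000] "GET /video/big.mp4 HTTP/1.1" 200 52428800
203.0.113.9 - - [01/Jan/2018:10:00:08 +0000] "GET /video/big.mp4 HTTP/1.1" 200 52428800
10.0.0.4 - - [01/Jan/2018:10:00:09 +0000] "GET /index.html HTTP/1.1" 304 -
10.0.0.2 - - [01/Jan/2018:10:00:10 +0000] "GET /docs.pdf HTTP/1.1" 200 102400
"""


def parse_log(text):
    """Yield (client_ip, bytes_sent) for each parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        raw = m.group("bytes")
        yield m.group("ip"), (0 if raw == "-" else int(raw))


def bytes_per_client(text):
    """Total metered bytes per client IP over the whole window."""
    totals = defaultdict(int)
    for ip, nbytes in parse_log(text):
        totals[ip] += nbytes
    return dict(totals)


def flag_frc_candidates(totals, k=5.0, min_clients=4):
    """Return {ip: total_bytes} for clients above median + k * MAD.

    With fewer than min_clients the baseline is meaningless, so nothing is
    flagged; a human should look at such small populations directly.
    """
    if len(totals) < min_clients:
        return {}
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Most clients identical: fall back to mean absolute deviation so a
        # single heavy consumer is still visible.
        mad = sum(abs(v - med) for v in values) / len(values) or 1.0
    threshold = med + k * mad
    return {ip: v for ip, v in totals.items() if v > threshold}


if __name__ == "__main__":
    for ip, total in flag_frc_candidates(bytes_per_client(SAMPLE_LOG)).items():
        print(f"FRC candidate {ip}: {total} bytes")
```

In production the window would be the billing granularity of the metered service, and the flagged client would be rate-limited or challenged rather than blocked outright, since FRC traffic is individually valid.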
3.3. Platform virtualization security issues

Virtualization represents the quintessence of cloud computing, particularly in the IaaS model. Consequently, it remains the primary requirement widely discussed in security research. According to Vaquero et al. [12], virtualization should be studied over its whole lifecycle, from VM image definition to undeployment. Some studies divide virtualization security issues into two categories: i) threats sourced from the host OS, ii) threats sourced from a VM. Platform virtualization is thus prone to attacks across different layers and scenarios. First, in the VMM [13] (hypervisor), the cloud provider is primarily responsible for maintaining the availability of virtual machines, by automating the hypervisor's scheduling of multi-tenant resources and enforcing the isolation of each running VM. The VMM is exposed to DoS attacks arising from bandwidth under-provisioning, and to cross-VM side-channel attacks enabled by co-location. Further, VM escape, rollback, migration and isolation vulnerabilities [14] can let an attacker gain full control of the hypervisor. The VMM is directly compromised by VM-based rootkit attacks, which imperil otherwise trustworthy VMs and expose the hypervisor as a single point of failure to unauthorized parties, according to [13] and [15]. In a nutshell, several vulnerabilities have been raised that falsify the confidentiality and integrity of tenants' data because of its dynamicity across VMs. The hypervisor is responsible for providing the system's flexibility across a large number of available and maintained VMs. Hence, sharing resources between VMs might expose the security of every VM, since an attacker who has compromised only one virtual machine image can reach the shared resources. Network virtualization is another security challenge, since most VM monitors use network virtualization to interconnect VMs directly and efficiently.
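On the virtual switch that interconnects co-located VMs, every tenant sees the segment's ARP traffic, so a compromised VM can answer ARP requests for the gateway or for another tenant with its own MAC and then sniff or redirect their traffic. The monitor below is an added example, not code from the paper or from reference [16]; it implements the classic arpwatch-style check of keeping the first-seen (or inventory-provided) IP-to-MAC binding and alerting on rebinds and on one MAC claiming many addresses. The reply tuples, addresses and the limit of two IPs per MAC are constructed for illustration.

```python
"""ARP spoofing monitor for a virtual network shared by co-located VMs.

Added example. Inputs are constructed tuples standing in for decoded ARP
reply frames as a hypervisor-side tap on the virtual switch would see them.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    timestamp: float  # seconds since window start (constructed)


@dataclass
class ArpMonitor:
    # Known-good bindings, e.g. the gateway MAC taken from the hypervisor's
    # inventory (assumed to exist); learned bindings are added on first sight.
    bindings: dict = field(default_factory=dict)
    ips_by_mac: dict = field(default_factory=lambda: defaultdict(set))
    max_ips_per_mac: int = 2  # tolerate a VM with a couple of addresses

    def observe(self, reply):
        """Return a list of alert strings for this reply (empty if benign)."""
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac  # first sight: learn, do not overwrite later
        elif known != mac:
            alerts.append(f"rebind {ip}: {known} -> {mac} at t={reply.timestamp}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            alerts.append(f"mac {mac} claims {sorted(self.ips_by_mac[mac])}")
        return alerts


def scan(replies, trusted=None):
    """Run the monitor over a sequence of replies and return all alerts."""
    mon = ArpMonitor(bindings={k: v.lower() for k, v in (trusted or {}).items()})
    out = []
    for r in replies:
        out.extend(mon.observe(r))
    return out


# Constructed traffic: 10.0.0.1 is the gateway at aa:bb:cc:00:00:01; the VM
# at aa:bb:cc:00:00:33 later claims the gateway IP and two tenant addresses.
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01", 0.0),
    ArpReply("10.0.0.10", "aa:bb:cc:00:00:10", 1.0),
    ArpReply("10.0.0.11", "aa:bb:cc:00:00:11", 2.0),
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:33", 3.0),   # gateway spoof
    ArpReply("10.0.0.10", "aa:bb:cc:00:00:33", 4.0),  # tenant spoof
    ArpReply("10.0.0.11", "aa:bb:cc:00:00:33", 5.0),  # third IP on one MAC
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REPLIES, TRUSTED):
        print(alert)
```

The monitor only detects; the preventive control is for the hypervisor's virtual switch to drop ARP replies whose sender MAC or IP does not match the port's assigned addresses, which is the per-port equivalent of the dedicated physical channel that [16] recommends.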
Network virtualization is prone to attacks such as sniffing and spoofing on the virtual network. Attaching each VM to its host through dedicated physical channels remains the most secure way to protect network virtualization [16].

3.4. Networking and cloud software security issues

In the IaaS model, network monitoring is the responsibility of the CSP, in order to sustain a suitable level of QoS. The network is exposed to several attacks, first of all because of the complexity of the cloud computing architecture; beyond that, vulnerabilities are introduced by cloud software and APIs running over Internet protocols. Weak authentication, backdoor intrusion and session hijacking are the major security threats affecting the scalability of the network. A survey [17] has thoroughly discussed security risks on the network, and intrusion detection and prevention as a service in cloud computing. Other researchers propose a Network-based Intrusion Detection System (NIDS) as a solution for listening to and provisioning network traffic, together with erasure codes and Intrusion Prevention Systems (IPS), so as to not only detect vulnerabilities but also correct them at the same time. Moreover, loopholes in the programming interfaces deployed on the guest VM and in instruction processing are the primary targets and are themselves exposed to vulnerabilities, through which malicious code can conflict with the VMM or other VMs [18].

4. Cloud Security Alliance Top 12 threats

The Cloud Security Alliance (CSA) [19], a leading organization dedicated to defining and raising awareness of best practices for a secure cloud computing environment, has announced 'The Treacherous 12: Top 12 Threats to Cloud Computing and Industry Insights', a refreshed release of its 2016 report that includes new real-world anecdotes and examples of recent incidents relating to each of the 12 cloud computing threat categories identified in the original paper.
In this section, according to the latest communication of the Cloud Security Alliance, we determine the impact of the published risks on the security properties by mapping each risk to the compromised IaaS component identified earlier. Furthermore, we briefly propose some required solutions to achieve a certain level of security, as summarized in Table 2.
Table 2. Impact of CSA Top 12 threats on IaaS model security. For each threat: risk and effects; impact on the IaaS model; proposed solution.

Data Breach: an incident in which sensitive, protected or confidential data is released, viewed, stolen or used by an unauthorized individual, as a result of human error or poor security practice.
Impact: confidentiality of data storage.
Solution: cryptographic mechanisms [20], ABE [21]; provide data storage and backup mechanisms.

Insufficient Identity, Credential and Access Management: users should be uniquely identifiable, with a federated authentication (e.g. SAML) that works across cloud providers.
Impact: authentication and access control at the virtualization level.
Solution: strong multi-tier passwords and authentication mechanisms.

Insecure Interfaces and APIs: due to the open nature of cloud services, interfaces and APIs often use anonymous access and clear-text authentication or content transmission, and are exposed to cloud software vulnerabilities [22].
Impact: authentication at the network and API level.
Solution: data transmission in encrypted form, strong access control and authentication mechanisms; afforded services kept under control and monitoring.

System Vulnerabilities: exploitable bugs in programs that attackers use to infiltrate a computer system for the purpose of stealing data, taking control of the system or disrupting service operations.
Impact: confidentiality.

Account or Service Hijacking: infrastructure security, attacked through social engineering, phishing, fraud or vulnerability exploits.
Impact: confidentiality, integrity and availability.
Solution: adoption of strong authentication mechanisms, PDP [23], PoR [24] and a secure communication channel.

Malicious Insiders: a current or former employee who has authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of data.
Solution: use agreement reporting and breach notifications; make the security and management process transparent.

Advanced Persistent Threats (APTs): a parasitical form of cyberattack that infiltrates systems to establish a foothold in the computing infrastructure of target companies, from which data and intellectual property are smuggled out.
Solution: intrusion detection, focus on outbound traffic, understand the changing threat, manage the endpoint.

Data Loss: data ownership, encryption, transmission, operational failure, data disposal/deletion and availability are all challenges in a cloud environment.
Impact: data privacy and availability.
Solution: encryption (homomorphic [25], ABE); provide data storage and backup mechanisms.

Insufficient Due Diligence: developing a good roadmap and checklist for due diligence when evaluating technologies and CSPs is essential for the greatest chance of success (administrative).
Impact: this risk differs from the others above; it is an administrative risk that only cloud administrators and governance have to deal with.

Abuse and Nefarious Use of Cloud Services: due to the often anonymous nature of some cloud services, they attract use by criminal elements (PaaS and IaaS).
Impact: authentication.
Solution: observe the network status; provide robust registration and authentication techniques.

Denial of Service: forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth.
Impact: availability; service availability is affected, and the attacker may create a fake service.
Solution: strong authentication and authorization.

Shared Technology: sharing of resources and services among multiple clients increases the dependence on logical segregation and other controls to ensure that one tenant cannot interfere with the security of the other tenants.
Impact: virtualization availability.
Solution: isolation of data and copies must be ensured; strong authentication and access control are some of the mechanisms that prevent this issue.
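The 'Insecure Interfaces and APIs' and 'Account or Service Hijacking' rows, together with Section 3.4, come down to one failure: a clear-text token or session identifier that is captured on the wire can be replayed by whoever holds it. The following is an added example, not code from the paper or from any CSP's API, showing the request-signing pattern that public IaaS APIs use against this (simplified here, in the spirit of AWS-style HMAC signing but not any provider's actual scheme): the client signs the method, path, body hash, timestamp and nonce with a per-tenant secret, and the server checks freshness, nonce uniqueness and the signature in constant time before acting. The header names, key id and tenant secret are constructed.

```python
"""HMAC request signing with replay protection for a cloud management API.

Added example. Demonstrates why a captured signed request is worth far less
to a hijacker than a captured bearer token: it is bound to one method, path
and body, expires after MAX_SKEW_SECONDS, and its nonce is accepted once.
"""
import hashlib
import hmac
import secrets
import time

# Constructed tenant key store (in practice a KMS/HSM-backed secret store).
TENANT_KEYS = {"AKIDEXAMPLE": b"constructed-secret-for-tenant-1"}
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, body, timestamp, nonce):
    """Deterministic representation of what the signature covers."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(key_id, secret, method, path, body, timestamp=None, nonce=None):
    """Client side: return the headers to attach to the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: validates key, freshness, nonce uniqueness and signature."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now          # injectable clock, so tests are deterministic
        self.seen_nonces = {}   # nonce -> expiry time

    def verify(self, method, path, body, headers):
        """Return (ok, reason); the reason is for logs, not for the client."""
        secret = self.keys.get(headers.get("X-Key-Id"))
        if secret is None:
            return False, "unknown key id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = self.now()
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # Forget nonces whose request could no longer pass the freshness check.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(
            secret, canonical_string(method, path, body, ts, nonce).encode(),
            hashlib.sha256).hexdigest()
        # Constant-time comparison: no timing side channel on the signature.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Record the nonce only after a valid signature, so unauthenticated
        # requests cannot fill the table.
        self.seen_nonces[nonce] = ts + MAX_SKEW_SECONDS + 1
        return True, "ok"


if __name__ == "__main__":
    body = b'{"size":"m1.small"}'
    hdrs = sign_request("AKIDEXAMPLE", TENANT_KEYS["AKIDEXAMPLE"],
                        "POST", "/v1/instances", body)
    v = Verifier(TENANT_KEYS)
    print(v.verify("POST", "/v1/instances", body, hdrs))  # first use
    print(v.verify("POST", "/v1/instances", body, hdrs))  # replay
```

This does not replace TLS: the signature authenticates and binds the request but does not hide the body, so the 'data transmission in encrypted form' entry of Table 2 still applies. The nonce table must be shared across API front-ends (or the nonce derived per front-end) or a replay against a different node would succeed.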
Conclusion

The IaaS model suffers several security issues across its hardware and software layers. As virtualization represents the core of this model, these issues fall into two broad categories: CSP responsibilities and cloud user responsibilities. First, the CSP provisions and manages the IT stack up to and including the hypervisor, over which it has full control for listening to and foreseeing network traffic. Second, cloud users have to secure their own environment from insider and outsider threats. The IaaS model is an interesting field of research, and several studies have been proposed to achieve IaaS model security. In this paper, we mapped cryptographic and security techniques onto the aforementioned security issues in order to counter threats and attacks on IaaS model components.
References

[1] P. Mell, T. Grance, The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-145.
[2] J. Moura, D. Hutchison, Review and Analysis of Networking Challenges in Cloud Computing.
[3] F. Xhafa, N. Bessis (eds.), Inter-cooperative Collective Intelligence: Techniques and Applications, Studies in Computational Intelligence 495, Springer-Verlag Berlin Heidelberg, 2014. DOI: 10.1007/978-3-642-35016-0_2
[4] W. Dawoud, I. Takouna, C. Meinel, Infrastructure as a service security: Challenges and solutions, The 7th International Conference on Informatics and Systems (INFOS), pp. 1-8, 28-30 March 2010.
[5] D.D. Reitze, Using Commercial Web Services to Build Automated Test Equipment Cloud Based Applications, IEEE, 2014.
[6] S.H.H. Madni, M.S. Abd Latiff, Y. Coulibaly, S.M. Abdulhamid, Resource Scheduling for Infrastructure as a Service (IaaS) in Cloud Computing: Challenges and Opportunities, Journal of Network and Computer Applications. http://dx.doi.org/10.1016/j.jnca.2016.04.016
[7] P. Ravi Kumar, P. Herbert Raj, P. Jelciana, Exploring Data Security Issues and Solutions in Cloud Computing, The 6th International Conference on Smart Computing and Communications, Procedia Computer Science 125 (2018) 691-697. https://doi.org/10.1016/j.procs.2017.12.089
[8] C. Modi, D. Patel, B. Borisaniya et al., J. Supercomput. 63 (2013) 561. https://doi.org/10.1007/s11227-012-0831-5
[9] W. Halboob, H. Abbas, K. Haouam, A. Yaseen, Dynamically Changing Service Level Agreements (SLAs) Management in Cloud Computing, in: D.S. Huang, K.H. Jo, L. Wang (eds.), Intelligent Computing Methodologies, ICIC 2014, Lecture Notes in Computer Science, vol. 8589, Springer, Cham, 2014.
[10] C. Carvalho, R.M. Andrade, M.F. De Castro, E. Coutinho, N. Agoulmine, State of the art and challenges of security SLA for cloud computing, Computers and Electrical Engineering (2017) 1-12. http://dx.doi.org/10.1016/j.compeleceng.2016.12.030
[11] K. Bhushan, B.B. Gupta, Multimed. Tools Appl. (2017). https://doi.org/10.1007/s11042-017-5522-z
[12] L.M. Vaquero, L. Rodero-Merino, D. Morán, Computing 91 (2011) 93. https://doi.org/10.1007/s00607-010-0140-x
[13] A. Singh, K. Chatterjee, Cloud security issues and challenges: a survey, Journal of Network and Computer Applications. http://dx.doi.org/10.1016/j.jnca.2016.11.027
[14] V.K. Veeramachaneni, Security Issues and Countermeasures in Cloud Computing Environment, International Journal of Engineering Science and Innovative Technology (IJESIT) 4(5), September 2015.
[15] D. Perez-Botero, J. Szefer, R.B. Lee, Characterizing hypervisor vulnerabilities in cloud computing servers, in: Proceedings of the 2013 International Workshop on Security in Cloud Computing, ACM, 8 May 2013, pp. 3-10.
[16] K. Hashizume, D.G. Rosado, E. Fernández-Medina et al., J. Internet Serv. Appl. 4 (2013) 5. https://doi.org/10.1186/1869-0238-4-5
[17] S. Iqbal, L. Mat Kiah, B. Dhaghighi, M. Hussain, S. Khan, M. Khurram Khan, K.K.R. Choo, On Cloud Security Attacks: A Taxonomy and Intrusion Detection and Prevention as a Service, Journal of Network and Computer Applications. http://dx.doi.org/10.1016/j.jnca.2016.08.016
[18] Syed H., Mehwish F., Atif S., Imran R., Raja S., Multilevel classification of security concerns in cloud computing, Applied Computing and Informatics 13(1), January 2017.
[19] Cloud Security Alliance, The Treacherous 12: Cloud Computing Top Threats in 2016.
[20] N. Kaaniche, M. Laurent, Data Security and Privacy preservation in Cloud Storage Environments based on Cryptographic Mechanisms, Computer Communications (2017). doi: 10.1016/j.comcom.2017.07.006
[21] Saravana Kumar N., Rajya Lakshmi G.V., Balamurugan B., Enhanced Attribute Based Encryption for Cloud Computing, International Conference on Information and Communication Technologies (ICICT 2014).
[22] S. Subashini, V. Kavitha, A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications 34(1), January 2011.
[23] K. Selvamani, S. Jayanthi, A Review on Cloud Data Security and Its Mitigation Techniques, International Conference on Computer, Communication and Convergence (ICCC 2015).
[24] S. Shubham, T. Surmila, Public integrity auditing for shared dynamic cloud data, 6th International Conference on Smart Computing and Communications, ICSCC 2017, 7-8 December 2017, Kurukshetra, India.
[25] A. Oppermann, A. Yurchenko, M. Esche, J.P. Seifert, Secure Cloud Computing: Multithreaded Fully Homomorphic Encryption for Legal Metrology, in: I. Traore, I. Woungang, A. Awad (eds.), Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments, ISDDC 2017, Lecture Notes in Computer Science, vol. 10618, Springer, Cham, 2017.