Dynamic Access Control in Cloud Services - IEEE Xplore

Dynamic Access Control in Cloud Services

Vladimir Zaborovsky, Alexey Lukashin, Sergey Kupreenko, Vladimir Mulukha
Telematics department, State Polytechnic University, Saint-Petersburg, Russia
[email protected], [email protected], [email protected], [email protected]

The term "cloud computing" refers to software services that are offered over the Internet. The security problems of such services are becoming particularly important due to the intricate structure and dynamic nature of the distributed cloud environment. The complexity of cloud platforms requires more functionality from the security devices, as well as their online configurability in accordance with the current state of the network environment through which users access the information services. In this paper, we propose a specialized firewall solution that implements access control using hypervisor functionality, and describe a dynamic access model based on virtual connection management employing the mechanism of traffic filtering in transparent, also called "stealth", mode. A security appliance (firewall) in this mode is not visible to the other participants (components) of the network interactions, allowing it to implement the access policy while remaining invulnerable to cyber crooks.

Keywords – security; cloud computing; access policy; firewall; virtualization; NetGraph; hypervisor XEN.

I. INTRODUCTION

Cloud computing services are quickly becoming the standard of choice for businesses everywhere and are therefore becoming particularly attractive to cyber crooks. The typical model of cloud computing focuses on describing the specific features of the application service, but ignores some important aspects of security, making it difficult to implement access policies, or even making it impossible to follow the policies' recommendations. All attractive features of the cloud paradigm are based on extended versions of well-known technologies: virtualization of computing resources and on-demand heterogeneous resource allocation. The first technology is the basis of infrastructure development and the second one is a promising platform for distributed services. Many network providers offer such an approach for public services (Amazon, Google) and even for corporate solutions that require more robust and scalable decisions (Eucalyptus, VMware, or Microsoft). But for both types of solutions, ensuring the information security of cloud systems is a vital problem [1]. The goal of this research is to propose a cloud computing security model using the well-known concept of "security through obscurity", applied to the components of the cloud infrastructure involved in the implementation of the security policy, namely, to firewalls. The paper introduces a virtual connection between the user and the services as a key component of an essentially dynamic security model. The attractor of such a dynamic model should coincide with the set of requirements generated by the corporate security policy. According to this model, the network traffic is described as an aggregation of two classes of virtual connections: informational (IVC) and technological (TVC). In this case the cloud environment (the distributed system itself) provides a wide range of heterogeneous computing features for various types of services using IVC and TVC resources; therefore, it would be reasonable to use one of these resources to arrange the security service and protect the information from unauthorized access. Virtual connections that belong to user sessions can be logically isolated from each other (information decomposition), as well as from the entire set of virtual connections of the whole cloud environment. Moreover, if the virtual connections do not share resources, it is possible to introduce an additional level of separation (technological decomposition). Merging these decompositions, we can formulate the problem of access control in terms of a parallel computing task implementing the filtering process in the security domain under consideration. This security domain would exist in the hypervisor, and can use the physically available resources (CPU cores, memory, and interfaces) to implement the firewall security rules. Due to its inherent parallelism, this solution can be scalable and adaptable to different situations in parallel or concurrent modes. On the basis of a detailed analysis of the underlying technologies, security audits and risk analysis, we propose firewall solutions that can be effective when the cloud components are rapidly allocated and released as the user requests resource or service access. The proposed solution delivers simplified end-to-end connectivity control between the users and the cloud application that meets the requirements of the access policy. The discussed approach uses high-performance virtual machines, which operate as firewalls in stealth mode.

The firewall virtual machine is a part of the cloud's channel infrastructure, which provides services in accordance with the security policies and the current state of cloud resources. Formalization of the security requirements to automate the generation of the firewall filtering rules is the basis of the adaptation process, which in combination with multicore hardware and multithreaded software platforms can deliver high-performance solutions. This firewall implements the filtering functions in the operating system kernel based on the NetGraph subsystem [2] and a multicore hardware platform.

978-1-4577-0653-0/11/$26.00 ©2011 IEEE

II. INFORMATION SECURITY IN CLOUD SYSTEMS

Today, many commercial companies, as well as leading universities and government institutions, are transferring their computing resources to virtual infrastructures, using both open systems (Eucalyptus, Open Nebula) and commercial solutions (VMWare, Microsoft, IBM). Due to this trend, the information security of cloud systems becomes an acute problem. The major differences between cloud systems and distributed networks are the following:

o Information processing takes place on virtual machines under full hypervisor control; the hypervisor has access to all data processed by its virtual machines;
o Transfer of the instance memory occurs when virtual machines migrate between hypervisors; this memory may contain confidential information;
o The cloud software controls resource planning and provision; it is a new entity in the information environment which has to be protected from information security threats;
o In virtualized environments, files serve as virtual storage devices; these files are located in network storage and are more exposed to threats than hard disks;
o The dynamic structure of the environment makes static firewall rules useless.

Therefore, due to the above specifics, new information security threats appear, including:

o Traditional information security components such as hardware firewalls cannot control the internal virtual traffic between virtual machines in one hypervisor;
o Unauthorized access to the virtualization node;
o Attacks against the virtual machine management tools, the controllers of the computing environment (cloud controller), or the cluster and data storage, where the virtual machine images and user data are located;
o Usage of the virtual network for data transfer not allowed by the information security policy.

The major specificity of the virtual infrastructure is that an attack or an attempt of unauthorized access can come from within the virtual network, where such devices as switches, hardware firewalls, and physical connections are absent. This specificity makes it difficult to apply the information security methods and tools existing in computer networks and GRID systems to the information security protection of cloud systems. The distributed and virtual computing environments do not have effective methods of information security protection. One of the problems is the lack of firewalls which can operate in a virtual environment as efficiently as the software and hardware solutions existing on the market for the protection of information resources and repelling of cyber-attacks. Another problem is the description of the access policy requirements in a way that can reduce the semantic gap between the corporate security policy description and the content of the filtering rules implemented via the security environment (firewalls). This problem can be solved by introducing multiple levels of description. For a number of cloud products, for example the free and open source cloud environment Eucalyptus, based on the hypervisors XEN or KVM, there are no efficient solutions for virtual resource protection, despite the rapidly growing popularity of this environment due to its compatibility with the interfaces of Amazon products (Amazon EC2, Amazon S3).

Figure 1. Dynamic security system architecture. (Labels recoverable from the figure: corporate network; network monitor fed by user activity (LDAP/AD), shared hardware resources (SNMP) and network state (IDS); access policy description module in a high-level programming language; firewall rules generator; module implementing the algebra of filtering rules; firewall enforcing the filtering rules; feedback due to access policy enforcement.)

III. DYNAMIC SECURITY SYSTEM IN DISTRIBUTED ENVIRONMENT

Security is the main issue of modern information infrastructure. The described cloud infrastructures store information in the form of distributed virtualized resources which have to be protected against unauthorized access. However, implementations of this protection are far from simple due to the dynamic nature of the environment and of user activity [4]. Below we describe a new approach to the configuration of security network appliances, which allows an administrator to overcome the semantic gap between security policy requirements and the ability to configure the firewall filtering rules [2]. The architecture of the proposed system is presented in Figure 1. The network monitor controls the whole system. The network environment state consists of three main parts:

o "User activity" is the information about which computer is currently used by which user. This information can be obtained from Microsoft Active Directory (AD) by means of the LDAP protocol;
o "Shared hardware resources" is the information about the network infrastructure and shared internal resources;
o "Network state" is the information about the external network channel received from Intrusion Detection Systems (IDS).

The filtering rules of a firewall are a formalized expression of an access policy. An access policy may simply specify some restrictions, e.g., "Mr. Smith shouldn't work with gmail", without refining the nature of "Mr. Smith" and "work". There is a common structure of access policy requirements which uses the notions of subject, action and object. Thus, the informally described requirement "Mr. Smith shouldn't work with gmail" can be formally represented as the combination of the subject "Mr. Smith", the action "read", the object "www.gmail.com" and the decision "prohibit". This base can also be augmented by a context, which specifies various additional requirements restricting the cases of rule application, e.g., time, previous actions of the subject, attribute values of the subject or object, etc. However, access rules which are based on the notions of subject, action and object are not sufficient to implement complex real-world policies. As a result, new approaches have been developed. One of them, Role Based Access Control (RBAC) [5], uses the notion of a role. A role replaces a subject in access rules and is more invariant. Identical roles may be used in multiple information systems, while subjects are specific to a particular system. As an example, recall the roles of a system administrator and an unprivileged user that are commonly used while configuring various systems. Administrator-subjects (persons) may be added or removed while the administrator-role and its rules do not change. Every role must be associated with some subjects, as only rules with subjects can finally be enforced. During the policy specification, roles must be created first, then access rules must be specified with references to these roles, then the roles must be associated with subjects.

IV. VIRTUAL CONNECTION MANAGEMENT IN THE ACCESS CONTROL TASKS

Virtual connection (VC) is a logically ordered exchange of messages between the network nodes [5]. A computer network is a set of virtual connections. Figure 2 shows how virtual connections are classified as technological virtual connections (TVC) and informational virtual connections (IVC).

Figure 2. Layers of access control policies.

To implement an access control policy, the filtering rules are decomposed in the form of the TVC and the IVC. These filtering rules can be configured for different levels of data flow description based on the network packet fields at the channel, transport, and application protocol levels. In terms of access control, the TVC model can be defined as a stream of packets generated by the network applications during communication. The TVC model is presented in the form of a potentially countable subset of the Cartesian product of the set of packets P and timestamps T (1).

$TVC = \{p_{t_i}\},\ i = \overline{1, N},\ N \in [1, \infty),\ TVC \subset P \times T$ (1)

This model is characterized by a finite set of parameters that describes the access subject and the access object, as well as the action between them in the form of a packet stream within the interconnection. The model parameters are the identifiers of the subject and the object, such as addresses, ports, and other characteristics of network protocols. For efficient traffic classification, the IVC model is used along with the TVC model. The IVC model describes the interaction between the access object and the access subject at the application services level. The IVC model is a set of technological virtual connections (TVC); the number and characteristics of these TVCs are determined by the Cartesian product of the information interaction access model (IIM), the access subject model (IMS), and the access object model (IMO) (2).

$IVC = \{TVC_i\},\ i = \overline{1, N},\ IVC \subset (IIM \times IMS \times IMO)$ (2)

This formalization allows us to represent the access IIM as a finite subset. The size of this subset is determined on the basis of the description of the interconnection subjects permitted within the given access control policy. IMO is characterized by a finite subset of information and network resources, access to which is permitted in accordance with the access control policies. IMS describes the operations performed by the access subject within the bounds of IMO, in accordance with the access control policies.

V. PARALLEL PROCESSING OF VIRTUAL CONNECTIONS

Virtual connection (VC), as an abstraction, exists in parallel to and independently from other virtual connections. Virtual connections do not share any resources, which allows parallel processing of the virtual connections [6]. The suggested approach to network traffic filtering is based on the concept of a virtual connection and allows extracting the connection context. The connection context can be represented as a vector Yi of parameters, for example, source and destination addresses, port, connection status (for the TCP protocol), etc. Controlling the virtual connection amounts to calculating the indicator function F, which requires resources such as computing processors and operating memory (3).

$F(Y_i) \in \{1, 0, *\}$ (3)

The indicator function F produces the following values: 1 if the VC is allowed; 0 if the VC is forbidden; * if at the current moment it is impossible to clearly determine whether the connection is prohibited or not, in which case the decision is postponed and the VC is temporarily allowed.
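As an added example (not code from the paper or its prototype), the following Python model computes the indicator function F(Y_i) over a connection context vector as a chain of stages F_1 (technological level: addresses and ports) and F_2 (informational level: role/action/object/decision rules of the kind Section III describes), returning 1, 0 or "*" with the postponement semantics given above. All users, roles, addresses, host names and the AD/LDAP stand-in table are constructed sample data.

```python
"""Added example, not from the paper: a small model of the virtual connection
(VC) indicator function F(Y_i) -> {1, 0, *} computed as a chain of stages F_i,
driven by role/action/object/decision rules of the kind Section III describes.
All users, roles, addresses and hosts below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

ALLOW, DENY, DEFER = 1, 0, "*"   # the three values of the indicator function
Verdict = Union[int, str]


@dataclass(frozen=True)
class Context:
    """Connection context vector Y_i: what the firewall can observe about a VC."""
    src_ip: str
    dst_ip: str
    dst_port: int
    tcp_state: str                  # e.g. "SYN", "ESTABLISHED"
    app_host: Optional[str] = None  # application-level object (server name), if seen yet


@dataclass(frozen=True)
class Rule:
    """Access policy requirement: role (in place of a subject), action, object, decision."""
    role: str
    action: str
    obj: str                        # "*" matches any object
    decision: int                   # ALLOW or DENY


# Constructed stand-in for the AD/LDAP "user activity" feed: computer -> user,
# and the role assignments that turn role rules into enforceable subject rules.
USER_AT_IP = {"10.0.0.5": "smith", "10.0.0.9": "admin1"}
ROLES = {"smith": {"user"}, "admin1": {"admin", "user"}}

# First matching rule decides (the hypothetical ordering policy of this example).
RULES = [
    Rule("admin", "read", "*", ALLOW),
    Rule("user", "read", "www.gmail.com", DENY),   # "Mr. Smith shouldn't work with gmail"
    Rule("user", "read", "*", ALLOW),
]


def f_tvc(y: Context) -> Verdict:
    """F_1, technological level: decide from packet-stream parameters alone."""
    if y.src_ip not in USER_AT_IP:
        return DENY                 # unknown subject: no role rule can ever apply
    if y.dst_port not in (80, 443):
        return DENY                 # only web traffic is within this example's policy
    return ALLOW                    # TVC-level checks passed; IVC level still to run


def f_ivc(y: Context) -> Verdict:
    """F_2, informational level: apply the role rules to the application object."""
    if y.app_host is None:
        return DEFER                # object not yet known (e.g. handshake in progress)
    roles = ROLES.get(USER_AT_IP[y.src_ip], set())
    for r in RULES:
        if r.role in roles and r.action == "read" and r.obj in ("*", y.app_host):
            return r.decision
    return DENY                     # default deny when no rule matches


STAGES: List[Callable[[Context], Verdict]] = [f_tvc, f_ivc]


def indicator(y: Context) -> Verdict:
    """Walk the VC control chain F_1 -> F_2 -> ...; a 0 is a terminal arc."""
    verdict = ALLOW
    for stage in STAGES:
        r = stage(y)
        if r == DENY:
            return DENY             # terminal arc: VC prohibited, stop analysing
        if r == DEFER:
            verdict = DEFER         # postpone: VC temporarily allowed
    return verdict


if __name__ == "__main__":
    y = Context("10.0.0.5", "203.0.113.10", 443, "ESTABLISHED", "www.gmail.com")
    print(indicator(y))             # 0: Smith may not read gmail
```

A stage that returns 0 ends the walk immediately, which is the terminal arc of the control graph; a "*" from any stage leaves the VC temporarily allowed until a later evaluation with more context.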


Computing problems could be divided into two groups:
1. Stream-related tasks that can be calculated with SIMD processing elements (for example, using graphics processors and CUDA technology).
2. Computational problems solved on standard multicore MIMD processors.

Because the distributed environment is heterogeneous with respect to the available processing elements, both the streaming SIMD processors and the classic MIMD multicore processors can be used for the firewall tasks in cloud systems. Firewalls that protect the hypervisor operate in the virtualized environment; thus, the configuration (computing cores, memory, and streaming processing elements) of the protection device can be changed depending on the load, the access policies, and the amount of available resources.

Calculation of the indicator function F can be decomposed into multiple computing processes {Fi}. In this case, the problem of VC control can be described using the graph G(Q,X), which is called the VC control information graph (a detailed description of the graph representation of stream tasks can be found in [7]). The VC control information graph consists of a set of nodes; each of these nodes is attributed to an operation Fi. If two nodes qi and qi+1 are connected with an arc, then the result of operation Fi is the input for the operation Fi+1. Each node has a terminal arc, which corresponds to the case Fi = 0. Then the VC is considered prohibited and no further analysis is performed. The multiprocessor computing system that solves the firewall problems can be presented as a full mesh computation system graph with MIMD and stream computers as its nodes. This graph is a full mesh because the communications between CPUs are provided by the hardware and the operating system, and there is no predefined path between the cores; data can pass directly from one node to another. Usually the computation system graph and the control information graph do not match, because the amount of computing resources is limited and is less than the number of computational processes. We can split the VC control graph into N non-overlapping subgraphs and thus build a VC operating pipeline. Because the virtual connections exist separately from each other, we can process them in parallel. With C compute nodes of MIMD type, the operating time of VC processing would be limited by (4).

$T_{VC} \le \frac{\max(z(f_i)) \cdot \max(\tau_j)}{C}$ (4)

Here z(fi) is the number of CPU clocks required for the calculation, τj is the real duration of a CPU clock and C is the number of MIMD compute nodes. The inequality in the given formula appears because the decision on the VC classification (allowed/forbidden) can be made before traversing all nodes of the graph. Due to the heterogeneity and re-configurability of the computing environments, in some cases the configuration of the firewall can be adapted to the access control tasks being solved just in time. This can be achieved by using the graph models for network traffic processing and Netgraph [8] technology. This technology allows us to organize the network traffic processing in the context of the operating system [6]. Figure 3 shows an example of the virtual connections information control graph with decomposition of the indicator control function into components. The presented approach, in combination with the virtualization technology, allows us to improve the performance of network traffic monitoring and use only those computing components that are required to solve the current access control problems.

Figure 3. Information graph of the virtual connection management.

VI. ARCHITECTURE OF A SECURE CLOUD COMPUTING ENVIRONMENT

A distributed computing environment (cloud system) consists of the following software and hardware components:
1. virtualization nodes;
2. storage of virtual machines and user data;
3. cluster controller;
4. cloud controller.

The distributed computing environment intended for solving scientific and engineering problems is a set of various computing resources such as virtual machines, and has the following features [9]:

o The environment is used by a wide range of users, who are solving problems of various nature;
o Virtual machines of various user groups can operate within one hypervisor;
o A wide range of software components (CAD/CAE applications, development tools) and operating systems is used;
o Different hardware configurations are used, including virtual multicore computing machines and virtual machines that perform computations using the streaming technology CUDA.

The virtualization node is the hypervisor software running on a powerful multicore computing node. Within a virtualization node, the domain level 0 (dom0 in terms of the hypervisor XEN, or service console in terms of other hypervisors) and the virtual computing machines (domain level U, domU) operate. For information security and access control (AC) between the virtual machines that operate under a single hypervisor, both the internal ("virtual") traffic and the external traffic (incoming from other hypervisors and from public networks) must be controlled. The solution of the access control problem could be achieved through the integration of a virtual firewall into the hypervisor; this firewall would function under the hypervisor, but separately from the user virtual machines. The virtual firewall domain can be defined as the "security domain" (domS). Invisible traffic filtering is an important aspect of network monitoring; the firewall must not change the topology of the hypervisor network subsystem. This can be achieved by using "Stealth" [10] technology, a packet traffic control invisible to other network components.

Figure 4. Secure cloud architecture.

Figure 4 shows the common architecture of a distributed cloud system with integrated AC components. Abbreviations: FW – hardware firewall; VFW – virtual firewall; FSCS – the central control system of all firewalls in the cloud; VM – virtual machine; ClC – cloud controller; CC – cluster controller; SC – storage controller. The FSCS distributes the access control policies to all firewalls in the system. When the information security policy changes, new access rules are generated and replicated to all components. The security domain isolates the virtual machines from the hypervisor, which prevents the possibility of an attack against the hypervisor from within the cloud. The hardware firewall isolates the private cloud components from external threats.

VII. CONCLUSIONS

The presented architecture is a distributed heterogeneous computing environment that provides computing resources of different configurations; this allows one to arrange the information protection for this system in the form of a dedicated security domain (domS). Firewall configuration can be largely automated based on specifying high-level access rules and parameters of the corporate DNS, AD/LDAP, SNMP and IDS services. The proposed system architecture can be easily implemented due to the application of role-based information access models and the characteristics of specific firewalls. The security domain can be quickly adapted to the current situation in the cloud and scaled if necessary. The traffic filtering process in the kernel using the Netgraph network system shows good scalability and can be linearly scaled up to eight cores [8,9,10]. It is necessary to mention that the proposed solution does not solve all security problems of virtualized resources in the cloud environment. The described model can easily be merged with low-level methods of network control, for example with flow-based traffic measurement or packet priority queuing management. A prototype of such a secure cloud environment, based on Eucalyptus and adapted for CAD/CAE computation tasks, was created and is currently being tested at the Telematics department of the Saint-Petersburg Polytechnic University.

VIII. REFERENCES

[1] Cloud Security Alliance. Top Threats to Cloud Computing, 2010. URL: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[2] Zaborovsky V., Lukashin A., Kupreenko S. Multicore platform for high performance firewalls. High performance systems // Materials of VII International conference, Taganrog, Russia, 2010.
[3] Mulukha V. Access Control in Computer Networks Based on Classification and Priority Queuing of the Packet Traffic. PhD thesis, SPbSPU, Saint-Petersburg, Russia, 2010.
[4] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia. A view of cloud computing. Commun. ACM 53, 4 (April 2010), pp. 50-58.
[5] D.F. Ferraiolo and D.R. Kuhn. Role-Based Access Control. 15th National Computer Security Conference (October 1992), pp. 554–563. URL: http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-kuhn-92.pdf
[6] Silinenko A. Access control in IP networks based on virtual connection control models. PhD thesis, SPbSPU, Saint-Petersburg, Russia, 2010.
[7] Cobbs A. All about Netgraph, 2003. URL: http://www.daemonnews.org/200003/netgraph.html
[8] Lukashin A., Roshupking I. Methods and strategies of developing distributed computation systems for CAD/CAE problems solving // XXXIX Week of science SPbSTU, Part XV, Saint-Petersburg, Russia, 2010.
[9] Zaborovsky V., Titov A. Specialized Solutions for Improvement of Firewall Performance and Conformity to Security Policy. Proceedings of the 2009 International Conference on Security & Management, v. 2, pp. 603-608, July 13-16, 2009.
[10] Mukhtarov M., Miloslavskaya N., Tolstoy A. Network Security Threats and Cloud Infrastructure Services Monitoring // ICNS 2011, The Seventh International Conference on Networking and Services, pp. 141-145, Venice/Mestre, Italy, 2011.