
Security for Cloud Computing

Report to the National Science Foundation Directorate for Computer and Information Science and Engineering (CISE)

Security for Cloud Computing

Klara Nahrstedt and Roy Campbell University of Illinois at Urbana-Champaign

March 15-16, 2012 Arlington, Virginia

http://illinois.edu/blog/view/695/66281?count=1&ACTION=DIALOG

Any opinions, findings, conclusions, or recommendations expressed in this report are those of the authors, and do not necessarily reflect the views of the authors’ institutions or the National Science Foundation (NSF).

The NSF Workshop on “Security for Cloud Computing” was supported by the NSF under grant NSF 123373.


Participants

The following were the participants of the NSF Workshop on “Security for Cloud Computing”, Arlington, Virginia, March 15-16, 2012, who contributed to the writing of this report.

Eric Burger - Georgetown University
Roy Campbell - University of Illinois at Urbana-Champaign (co-organizer)
Mihai Christodorescu - IBM
Leendert Van Doorn - Advanced Micro Devices, Inc
Nick Feamster - Georgia Institute of Technology
Bryan Ford - Yale University
Jonathon Giffin - Georgia Institute of Technology
Mohamed G. Gouda - National Science Foundation
Xiaohui (Helen) Gu - North Carolina State University
Susanne Hambrusch - National Science Foundation
Matti Hiltunen - AT&T
Farnam Jahanian - National Science Foundation
Anthony D. Joseph - University of California, Berkeley
Seny Kamara - Microsoft Research
Eric Keller - University of Pennsylvania
Tracy Kimbrel - National Science Foundation
Di Ma - University of Michigan
Keith Marzullo - National Science Foundation
Patrick McGeer - Hewlett-Packard
Klara Nahrstedt - University of Illinois at Urbana-Champaign (co-organizer)
Peng Ning - North Carolina State University
Kui Ren - Illinois Institute of Technology
Thomas Ristenpart - University of Wisconsin-Madison
Elaine (Runting) Shi - Carnegie Mellon University
Radu Sion - Stony Brook University
Gene Tsudik - University of California, Irvine
Steve Tuecke - Argonne National Laboratory
Robbert Van Renesse - Cornell University
Hakim Weatherspoon - Cornell University
Nicholas Weaver - International Computer Science Institute/UC San Diego
Sam Weber - National Science Foundation
Dongyan Xu - Purdue University
Fen Zhao - National Science Foundation

Acknowledgement

The participation of all those who attended the workshop and their contributions to this report are gratefully acknowledged. We would like to thank Lynette Lubben for her tremendous administrative support. We wish to thank the NSF Directorate for Computer and Information Science and Engineering (CISE) for the workshop support. We thank the program director of the Computer Systems Research Program, Mohamed Gouda, for his support and encouragement.


Table of Contents

Title Page ... 1
List of Participants ... 2
Acknowledgement ... 2
Table of Contents ... 3
Executive Summary ... 4
1. Introduction – Workshop Organization ... 6
2. Securing the Cloud ... 8
3. Adversary Models in Cloud Computing ... 9
4. End-to-End Security in Cloud Computing ... 10
5. Delegation and Authorization in Cloud Computing ... 12
6. New Problems in Security for Cloud Computing ... 14
7. References and Further Reading ... 18
Appendix: Detailed Workshop Program ... 19


Executive Summary

Cloud computing is becoming an integral part of our computing and communication ecosystem, offering great opportunity for cost-effective large-scale processing and storage capabilities. Major service providers including Google, HP, Amazon, Microsoft, and IBM are offering cloud computing services not only to corporations but also to general users, and at affordable prices. As we step closer to utility computing and ‘cloud services for everybody’, a major question is ‘how secure are the cloud computing services and systems?’

Security is a major concern for many Information Technology (IT) systems and applications, including the Internet, super-computing, grid computing, scientific applications, and military, government, and corporate systems and applications. However, the scale changes everything. It means that as we enter the mass market for cloud computing services, the security and privacy of those services will become first-class features that ensure broad usability and deployment.

The goal of the NSF workshop was (a) to identify research challenges of ‘Security of Cloud Computing Services and Systems’, and (b) to rally a broader computer science and engineering research community behind the challenges that need to be solved. The NSF workshop participants aimed to answer several important questions:

• What are the unsolved challenges of “security of cloud computing”?
• What are the intellectual merits of these problems, and why are these problems important in the scientific space?
• What is the broader impact of these problems if we solve them, or if we don’t solve them?

The invited CISE researchers and NSF officers had very lively discussions about these questions and developed challenges and recommendations for further research in four major areas:

Adversary models for cloud computing: The participants considered challenges such as “What are the new security threats?”, “What does an adversary look like in cloud computing when different entities are involved, such as when a client is a user, an owner, a storage provider and a compute provider, and when some or all of the entities in the cloud can become adversaries?”, and “Is there a hierarchy of adversaries when attacking clouds?” Since clouds will be used by multiple tenants, challenges were discussed such as “Do all tenants need the same security, or is leveled security sufficient at different prices?” Another challenge was brought up: “A cloud client builds a cloud application and must rely on many technologies that he/she did not create. What are the possible defenses if underlying cloud technologies are used by adversaries?” The recommendations were to:
• consider new adversary models for new situations,
• develop techniques to check cloud applications for vulnerabilities, and
• explore protection techniques for data, and enable multi-level security.

End-to-end security in cloud computing: Cloud computing is not an isolated entity in the computing ecosystem; it is always connected with a client (or clients) who wants certain work (storage, computation, response) from the cloud service. Hence, the participants looked at the security aspects of cloud computing from the end-to-end point of view. Discussed challenges were “How do we verify work on clouds on behalf of clients? What kind of checks do we put in place at the client’s and the cloud’s side? How do we achieve trust and trustworthy relations between client and cloud?” Since a cloud can offer a utility service, participants brought up points such as the consideration of security as a service within a cloud and the need for policy-based security applied to the end-to-end problem. Another challenge that was discussed was how to deal with end-to-end privacy and how to own data in the cloud. The recommendations were to:
• investigate systematically the tradeoffs between security and efficiency at each component (clients, networks and clouds) of the end-to-end problem,
• consider approaches towards securing data and applications on secure client devices against untrusted cloud platforms,
• explore platforms for private data,
• investigate policy-based security applied to end-to-end cloud computing.

Delegation and authorization in cloud computing: With cloud computing, we will see more and more third parties accessing clouds on behalf of users. Discussion centered around cryptographic approaches and challenges for delegation and authorization, such as attribute-based encryption for access control, secure comparison for complex policy enforcement, and encryption delegation for fine-grained temporal context (e.g., if authorization changes over time, or attributes expire over time). Another important issue was brought up: “How do we support mobile device access to a cloud?” Challenging aspects of computation over encrypted data were discussed when utilizing homomorphic encryption and homomorphic signatures. Challenges of the end-to-end cloud life cycle were presented, and with them the security challenges such as restricted delegation, secure service composition, multiple credential types and fine-grained access control. The delegation challenge was further discussed, and a reconsideration of capabilities was proposed. With capabilities, one does authorization not based on ‘who you are’, but on ‘what you have’. Hence, capabilities are unforgeable and delegation is simple, yielding an interesting approach towards the restricted delegation challenge. The recommendations for further research were to:
• investigate efficient encryption and decryption delegation mechanisms,
• explore extensively computation over encrypted and authenticated data,
• research secure comparison mechanisms, access control with capabilities, and delegation and authorization challenges in scientific clouds.

New problems in security for cloud computing: Many new security problems have emerged and are emerging. The participants spent substantial time discussing new directions that we have not encountered in other security scenarios of IT systems. Examples of new directions were considerations of legal service level agreements (SLAs) and stronger privacy policies for content providers who collect large amounts of personal data. Another major challenge and issue that emerged was the attestation of mechanisms in clouds, such as the trusted launch of virtual machines and the migration of virtual machines. Discussion addressed attestation of actions, proof-attestation of provider security mechanisms, and execution of algorithms on encrypted data. Further new challenges were presented on the use of covert timing channels and other side channel attacks against clouds due to co-tenancy issues. Participants brought up reactive stability challenges, cross-layer robustness, pervasive virtualization, secure migration of data, storage, dependencies between services, and placement and management vulnerabilities. Cloud forensics was another challenge to be solved, especially how to secure and correlate temporal and spatial evidence and how to use log-based events for reconstruction. The recommendations were to:
• investigate hardware and software virtualization architectures that would enable security and performance isolation at all levels;
• explore dynamic platforms, dynamic verifications, dynamic attestation techniques, and fine-grain logging for user-driven secure auditing;
• research customizable new security mechanisms, security of public clouds, security risks coming from side channels, reactive stability, and other risks we are not looking at yet or not carefully enough;
• investigate cloud forensics in an inter-disciplinary fashion;
• explore alternative solutions to securing the cloud, such as cheap and automated system operations for users.


1. Introduction

On March 15-16, 2012, a workshop sponsored by the National Science Foundation, called “Security for Cloud Computing”, was held in Arlington, Virginia. This report summarizes the challenges and problems that the workshop participants stressed should be considered by the interested community.

1.1. Rationale for Workshop

As cloud computing is becoming an integral part of our society, we are seeing major problems not only with the performance of the available cloud computing, due to the user scale, computational diversity and varying connectivity, but also with security and privacy. Over the last years several new conferences have started to gather researchers to address performance and energy aspects of the cloud technology; many existing conferences, covering high performance computing, grid computing and utility computing, have also started publishing results about performance and energy aspects of variations of cloud computing. At this point, new cloud computing conferences cover security and privacy only in a limited fashion. On the other hand, security has been and is extensively covered by grid computing, utility computing and high-performance computing environments for scientific and engineering communities, which face different security issues than the current cloud computing services serving masses of users pervasively. Hence, we believe that this NSF workshop was very timely.

Given the enormous societal impact of cloud computing services, the purpose of the workshop was to identify key security research issues in support of cloud computing services, infrastructures, applications, and environments. In particular, we sought to identify intellectually challenging issues that are most appropriate for academia to consider. Ultimately, given the increasingly near-term time horizon associated with industrially-funded developments, such an academic endeavor has the potential to strongly impact the nationwide deployment of advanced security capabilities for clouds over a long time horizon. The workshop brought together leading researchers from academia and industry who have very active research in security and/or cloud computing areas. By combining a range of perspectives from these areas, we aimed to stimulate the development of a visionary agenda for integrated security-cloud computing research that could not be achieved otherwise.

1.2. Workshop Organization

The workshop was organized by Klara Nahrstedt, Roy Campbell and Mohamed Gouda, who developed the workshop program and list of invitees. The program was divided into topical panels. The panels and overall workshop discussion were started and very well motivated by a group of NSF researchers as well as the keynote talk by Dr. van Doorn from AMD. The panels were divided as follows:
Panel 1: Adversary Models in Cloud Computing
Panel 2: End-to-End Security in Cloud Computing
Panel 3: Delegation and Authorization in Cloud Computing
Panels 4 & 5: New Problems in Security for Cloud Computing
A detailed technical program for the workshop is included in the Appendix of this document.


The panel discussions consisted of a short position presentation by each panelist, followed by a general discussion. Each panel discussion yielded a detailed exchange of intellectual challenges, ideas and problems in each area, and proposed key positions. Each panelist was asked to address three important points: (a) why and what the new security issues in cloud computing are, (b) what the scientific challenges are in this space, and (c) what problems need to be solved (and funded) from the panelist’s point of view. The remainder of this document attempts to summarize all of these discussions.

1.3. Report Organization

This report summarizes key challenges discussed at the workshop, as well as key problems that participants stressed the academic community should consider in finding solutions. There were different viewpoints, and it is our intent in this report to represent these different viewpoints through discussion, proposition, challenge and problem recommendation items. In this report, these items are organized semantically into four sections, in roughly the same way as the panel topics, ordered from problems with threat models, to problems in existing end-to-end security domains and authentication/delegation domains, and finishing with new problems that are coming up with new cloud computing services, infrastructure, applications, and environments.

Disclaimer: Any opinions, findings, conclusions, or recommendations in this report are those of the authors and do not necessarily reflect the views of the authors’ institutions or the National Science Foundation (NSF). The NSF Workshop on “Security for Cloud Computing” was supported by NSF under grant NSF 123373.

2. Securing the Cloud

Disruptive technologies such as multi-sensory phones and mobile Internet have a major impact on distributed computing. The reason is that mobile clients and their applications want to have access to data and computation anytime and anywhere. Due to these demands, and the Total Cost of Ownership (TCO), we are seeing major industry trends shifting traditional distributed computing to large-scale mega-datacenters, from desktop PCs to thin/mobile cloud clients, from low levels of abstraction to programming models with much higher levels of abstraction, from high-performance computing to low-power and ‘good enough’ computing, and other shifting paradigms and processes. Furthermore, there are new hardware trends, including heterogeneous computing support (GPU, FPGA, accelerators), new solid state memory techniques, racks as a unit of interchange, and rack fabrics utilizing innovations such as software-defined networking. Hence, the emerging clouds that we discuss in this workshop are the Mega Data Centers that have huge demands on power and must satisfy changing workload requirements and allow access to data and computation from a variety of cloud clients. Furthermore, we assume that the next generation cloud systems have no coherency and one must assume many independent nodes. Power (Joule) is an accountable entity, virtualization (CPU and I/O) presents the technology to provide flexibility, racks deploy software-defined networking, and the datacenter is the operating system [Doorn2012]. Under these new trends and assumptions, security must become a first order design principle, and the major challenge is how we secure the cloud, and what the technical challenges in securing the cloud are.

It is important to stress that scale changes everything. Rare attacks today might become feasible at scale. At a larger scale of systems, side channel attacks might become much more prevalent. The concern is that attestation processes, done very well for current smaller scale systems, will not scale well for large scale open systems. Current trusted platform modules (TPMs) are too passive and might be inadequate for large scale systems. For large scale systems, hierarchical trust will need to be reconsidered (Can we really trust the cloud service provider?). With large scale, nodes will be disposable in clouds, which may disrupt the cloud security infrastructure put in place. Hence, we will need careful security considerations to address cloud dynamics [Doorn2012].

The next four sections of this report discuss a variety of security issues for cloud computing, including cloud users, owners, and providers. In Section 3, we discuss adversary models in cloud computing with new security issues, challenges and recommended problems; Section 4 presents end-to-end security issues, challenges and problems; in Section 5 we describe the panel discussion about the delegation and authorization problems; and Section 6 presents new problems outside of the traditional information security area. Each section describes new security issues in cloud computing corresponding to the panels’ expertise and discussion, the challenges and questions that speakers and audience raised, and recommended problems that the community may consider investigating and NSF may consider funding.

3. Adversary Models in Cloud Computing

3.1. New Security Issues in Cloud Computing

As cloud computing ubiquity increases, we are seeing traditional adversaries inside and outside of cloud computing, as well as new insider and outsider adversary models. The panel discussed adversary models in cloud computing that come from many different directions inside and outside of the cloud, such as (a) new adversaries inside the clouds: clients (tenants, data owners, data users) of cloud computing, and cloud providers (storage and compute cloud providers, rogue employees); (b) traditional adversaries outside of the cloud: hackers, botnets, spammers, malware; and (c) new opportunities for external adversaries: attacks on software applications running on untrusted platforms and using a variety of technologies, programming languages, web servers, load balancers, and application frameworks.

3.2. Scientific Challenges and Questions

Various challenges were discussed among the panelists and audience:

1. Let us consider the four major players in cloud computing: the clients-owners, clients-users, storage providers and compute providers. (a) How do we provide security at the cloud storage level, such as secrecy, privacy, integrity and availability? For example, if we don’t design new approaches, there might not be hope for secrecy/privacy. With periodic refreshing, we may achieve some level of integrity, but is it enough? (b) How do we provide cloud computation over secret cloud storage? (c) In the case of all players, any of them can be an adversary, or any combination of up to three of them can collude and present a very powerful adversary. How do we protect against such adversaries? Are some combinations of players more likely than others? [Tsudik2012]

2. Let us consider building applications on the cloud, such as web servers and load balancers: (a) current cloud applications do not defend against zero-day attacks and programmer errors; (b) current cloud applications must trust the underlying hardware and software, hence there is no protection once the application account is compromised. Hence, how do we build defenses into cloud applications? (c) One may isolate application sessions in a virtual machine (VM), but then we incur significant performance overhead. Hence, is VM technology the way to go? [Feamster2012]

3. In systems security, multi-level security is well understood, i.e., “different clients require different levels of security against different adversaries”. However, in crypto only worst case security is considered and weaker adversarial models are not acceptable. On the other hand, the cloud is a business, and it needs different levels of security at different prices. Hence, the worst case crypto model is not economically viable. How do we augment crypto algorithms to enable weaker adversarial models? [Kamara2012]

3.3. Recommended Problems

The major problems discussed by the panelists and recommended were:

1. Consider new adversary models for new situations: (a) if one considers combinations of cloud computing players as adversaries [Tsudik2012]; (b) if one considers a “foreign” code base, and attacks within data, not just applications [Feamster2012].

2. Develop techniques to check cloud applications for vulnerabilities such as zero-day attacks, and investigate more efficient VM techniques for application isolation.

3. Explore protection techniques for data in addition to applications; for example, one could consider a data firewall for cloud-based web applications, and apply network-level information flow control to data hosted by web applications [Feamster2012].

4. Explore leveled security (i.e., weaker security models), which currently enables (a) fast search on encrypted data by leaking access patterns; (b) very efficient two-party computation by leaking one bit; (c) efficient cloud-assisted multi-party computation by considering non-colluding adversaries [Kamara2012].

5. Investigate alternatives to fully-homomorphic encryption (e.g., secure multi-party computation and garbled-circuit-based homomorphic encryption); cryptographic storage techniques; and weaker adversarial models (e.g., covert, rational) [Kamara2012].

4. End-to-End Security in Cloud Computing

4.1. New Security Issues in Cloud Computing

To make cloud computing robust and fully successful for end users, end-to-end security must be an integral part of the overall cloud computing design. Currently, with the cloud computing paradigm, the end users have a major choice to make: to outsource computation/data to the cloud and lose protection, or to keep computation/data locally, but protected. The reasons are:

(a) Current cloud computing allows end users to perform computations over their data on the cloud, but the cloud providers do not offer any security guarantees. Threats come from vulnerable software, insider attacks [Guynn2010], misuse [BBCNews2012], and lack of multi-organizational security policies.

(b) The current clouds concentrate on providing end-users with results, but there is no assurance that the computation is correct, since there is no control over whether the cloud software has software bugs; there is no reporting if any hardware failures occurred; and there is no reporting if any outsider attacks occurred.

(c) The current cloud providers may trade off computational result accuracy against monetary cost, which may yield weak or wrong results to end-users.

(d) In the current end-to-end cloud computing landscape, it is not clear what identities are, where the cloud domains and their international boundaries start and end, what the right risk analysis is, and what kind of privacy laws should be instantiated.

4.2. Scientific Challenges and Questions

To ensure secure end-to-end cloud computation, the following challenges and questions need to be answered:

(1) How do we enable an end-to-end trustworthy computing environment? Are solutions such as trusted hypervisor boot/VM launch, strong isolation via virtualization, or continuous and dynamic attestation of the platform sufficient and satisfactory? [Ren2012]

(2) If we assume that the end-user owns her/his data, do we have to secure ALL clients, applications and platforms together to achieve end-to-end security? Can we just provide a platform for private data with a trusted user interface to applications and users via privacy policy access control? Should we secure applications on top of the platform for private data? Can we secure just parts of the end-to-end path, but then monitor privacy policies and punish violations? [Shi2012]

(3) Can we achieve a fully trustworthy end-to-end computing environment if we perform computing over encrypted data? If one considers the bottom-up approach, is it a practical approach? If one considers the top-down approach, and encrypts, for example, data search and aggregation functions, can we achieve the right tradeoff between security, efficiency and functionality? [Ren2012]

(4) Given the available set of services such as Infrastructure as a Service (IaaS), Audit as a Service, Network as a Service and others, how do we enable end-to-end security? How do we take into account domain-specific security issues coming with new technologies such as virtual cloud, OpenStack, software-defined networks, software-defined security and others? [Campbell2012]

4.3. Recommended Problems

The end-to-end trustworthy cloud computing space presents many diverse problems:

1. Investigate end-system, network and cloud-based techniques that would systematically trade off between security and efficiency, which may mean interpreting optimization computations at different abstraction levels depending on end-to-end security requirements [Ren2012].

2. Consider the case when end-users would own their data, and develop techniques and technologies that would secure data against untrusted cloud platforms, secure client devices, secure data intelligence applications, and secure silo-based applications [Shi2012].

3. Explore platform(s) for private data: (a) its theory issues such as practical computation over encrypted data, privacy-preserving data mining, and alternative privacy notions; (b) its systems issues such as scalability, legacy compatibility and securing “implicit” data; (c) its eco-systems and business models; and (d) its usability for both end-users and programmers [Shi2012].

4. Investigate policy-based security applied to end-to-end cloud computing. This means we will need (a) policies for components and devices of the infrastructure measuring conformance, i.e., fine-grain policy monitoring; (b) policies for access control; (c) attestations that policies are applied; and (d) a much better understanding of multi-organizational security policies [Campbell2012].

5. Delegation and Authorization in Cloud Computing

5.1. New Security Issues in Cloud Computing

We are seeing the cloud as a new data sharing platform with multiple owners and multiple users at large scale, with data sharing through the resourceful, but highly untrusted, cloud. Delegation and authorization let clients leverage resourceful clouds. But these services also need to very carefully understand the adversary models in order to deal with untrusted client-owners, client-users, cloud compute providers, and cloud storage providers, and they must be an integral part of the end-to-end security framework to secure access and/or safely delegate access to various resources.

There are several important issues to consider in the space of delegation and authorization. First, it is important to consider fine-grained access control, i.e., authorization. We will need (a) strong access policies to support fine-grained authorization, (b) extensive delegations of privileges from owner to cloud to achieve fine-grained temporal access control, and (c) extensive delegations of privileges from user to cloud to support mobile device access. This is the problem of end-to-end authorization. One approach in this space could be attribute-based encryption (ABE) for fine-grained access control of encrypted data in clouds. With this approach, we would require owners to define the access policy, not the servers within the cloud. Furthermore, once the access policy is defined, it would need to be enforced by the encryption algorithm, not the servers in the cloud. However, this approach will need to deal with the issue of scalability, since its complexity depends heavily on the number of attributes. Second, it is important to consider computation over encrypted/authenticated data. Third, the access control at the cloud, utilizing today’s access control lists (ACLs), might be reconsidered. Current solutions require authentication of users, which makes delegation difficult, and there are many privacy concerns. Often, the traditional approach using access control lists violates the “Principle of Least Privilege”, since the client process gets all rights of the end-user. And ACLs complicate the abstractions in the programmer’s toolbox: the abstractions with ACLs are inefficient, insecure and hard to scale. Fourth, services at the cloud are changing, especially when accessing scientific data, and Software as a Service (SaaS) is at the front, since client-users want to (a) place data where they want, (b) access data from anywhere via different protocols, (c) update data, version data, and take snapshots, (d) share versions with whom they want, and (e) synchronize data among locations. Achieving SaaS will present major security issues, especially delegation issues, since many identities, providers and relying parties will exist.


5.2. Scientific Challenges and Questions

Several challenges need to be addressed to enable strong and efficient delegation and authorization functionalities:

1. If we consider ABE systems for fine-grained access control, the current ABE systems lack an efficient mechanism to support a complete set of comparison relations in policy specifications; this means access (authorization) policies can be complex and attributes can be multi-dimensional. Hence, how do we support various comparison relations, ranges of attributes, and multi-dimensional attributes? [Ma2012]

2. In fine-grained temporal access control, time is an important access control parameter, i.e., the access policy could change with time. Hence, how would the client-owner generate an efficient encryption delegation mechanism to create one copy of a document for an entire time period, such that the cloud would transform the encryption in a way that reflects the access policy at the current time? [Ma2012]

3. Since cloud computing services will be accessed anytime, anywhere and from any networked device, how do we deal with access to cloud services through mobile devices, which are resource constrained and may want to access services in real-time? [Ma2012]

4. Since today’s access control with ACLs has its own issues, would abstractions with capabilities work better? Should we revisit capabilities, and authorize access not based on who you are, but on what you have? [Renesse2012]

5. If we want to enable Software as a Service (SaaS) for clouds, especially those holding scientific data, how do we protect delegated credentials in SaaS? How do we provide restricted delegation to yield better access policies than “all or nothing access to resources”? [Tuecke2012]

6. If we consider SaaS, how do we balance allowing fine-grain access control against keeping it understandable to users? How do we support multiple levels of assurance, with centralized or distributed authorization control? [Tuecke2012]

5.3. Recommended Problems

The various security issues in delegation and authorization yield the following problems that the panel recommended for consideration:

1. Investigate an efficient secure comparison mechanism, needed to express the complex policies required by fine-grained access control, the support for various cryptographic comparisons, and the support of multi-dimensional attributes in fine-grained access control [Ma2012].
2. Investigate an efficient encryption delegation mechanism, needed to achieve fine-grained temporal access control, and/or to transform cipher-text to a more restrictive policy [Ma2012].
3. Investigate an efficient decryption delegation mechanism, needed to shift the majority of decryption from the mobile device to the cloud and to reduce user-side computation overall [Ma2012].
4. Explore computation over encrypted/authenticated data, since cloud data will be encrypted and/or authenticated. Recent approaches on homomorphic encryption for computation over encrypted data and homomorphic signatures for computation over authenticated data are promising, but new investigations need to be done, exploring, for example, single-key versus multiple-key models, that would yield practical and efficient solutions [Ma2012].
5. Explore new approaches for two-party computation secure against an active adversary. This would lead beyond the approaches in prior practical protocols based on Yao’s garbled circuits [Campbell2012].
6. Research access control with capabilities, since capabilities are unforgeable and delegation of privileges is much easier. With capabilities, one can achieve restricted capabilities. Exploration of the onion-like capability model may allow that, with each layer, one would gain additional rights functions, capture provenance, simplify revocation, support fine-grained access control, and other functions [Renesse2012].
7. Investigate delegation and authorization challenges in the scientific data cloud, especially if one considers a “Software as a Service (SaaS)” organization within the cloud [Tuecke2012].
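One way to realize the restricted delegation of item 5 with the onion-like capability of item 6, as an added illustration that is not from the workshop or its presenters: each layer is HMAC-chained to the one beneath it (a macaroon-style construction assumed here), so a holder can narrow rights or attach a caveat but cannot widen rights or unwind the chain without the issuer’s root key. The resource name, rights, caveat format and root key are constructed sample values.

```python
import hmac
import hashlib
import json

# Added illustration, not from the workshop report. Construction assumed here:
# the MAC of layer i is the key that signs layer i+1, so a holder can add a
# restricting layer but cannot forge a wider capability without ROOT_KEY.
ROOT_KEY = b"constructed-root-key-held-only-by-the-service"  # constructed sample


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _encode(layer: dict) -> bytes:
    # Canonical encoding so issuer and verifier MAC identical bytes.
    return json.dumps(layer, sort_keys=True).encode()


def issue(resource: str, rights: set) -> dict:
    """Issuer creates the innermost layer carrying the full set of rights."""
    layer = {"resource": resource, "rights": sorted(rights), "caveats": []}
    return {"layers": [layer], "tag": _mac(ROOT_KEY, _encode(layer))}


def restrict(cap: dict, rights: set = None, caveat: str = None) -> dict:
    """Holder delegates a narrower capability: rights can only shrink."""
    prev = cap["layers"][-1]
    keep = rights if rights is not None else set(prev["rights"])
    layer = {
        "resource": prev["resource"],
        "rights": sorted(set(prev["rights"]) & keep),
        "caveats": prev["caveats"] + ([caveat] if caveat else []),
    }
    # The previous tag is the signing key, so layers cannot be removed or reordered.
    return {"layers": cap["layers"] + [layer], "tag": _mac(cap["tag"], _encode(layer))}


def verify(cap: dict, action: str, context: dict) -> bool:
    """Service recomputes the chain from ROOT_KEY and checks monotonic attenuation."""
    key = ROOT_KEY
    allowed = None
    for layer in cap["layers"]:
        key = _mac(key, _encode(layer))
        rights = set(layer["rights"])
        if allowed is not None and not rights <= allowed:
            return False  # a layer tried to widen the rights beneath it
        allowed = rights
    if not hmac.compare_digest(key, cap["tag"]):
        return False  # tampered or forged chain
    # Caveats are "key=value" predicates on the request context (assumed format).
    for c in cap["layers"][-1]["caveats"]:
        k, v = c.split("=", 1)
        if str(context.get(k)) != v:
            return False
    return action in allowed
```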

6. New Problems in Security for Cloud Computing

6.1. New Security Issues in Cloud Computing

Several new problems were identified by the speakers and the audience, who discussed a variety of related security issues in cloud computing:

First, previously with utility computing, we worked on dedicated hardware, i.e., physically isolated machines and networks, which used the traditional security model. With cloud computing, we get shared infrastructure, where servers are shared through hardware (HW) and software (SW) virtualization, and networks are shared through VLANs (Virtual Local Area Networks). In the new shared and virtualized cloud computing infrastructure, it is not clear what the new security model should be.

Second, the new cloud computing environment presents itself to the users as (a) homogeneous, with limited customization of security properties, and (b) opaque, since users do not know exactly where their virtual machines (VMs) are running and where their data are located, how exactly the cloud provider provides security, and other properties. Furthermore, cloud providers can co-locate VMs with very different security requirements on the same machines; client-users cannot protect data or applications from cloud providers and must trust the compute and storage providers, the hypervisor and dom0. Hence, overall, applications and data can be easily moved to the cloud, but users must consider the security risks and benefits as their applications and data coexist with other applications and data.

Third, many cloud computing environments represent public infrastructure-as-a-service with (a) elasticity and aggregation, (b) deployment paradigms and (c) attacker incentives coming from multi-tenancy, operational exposure to allow multi-tenancy, utilizing virtualization, dynamism and pricing, operational aggregation and monetary rewards. Hence, public clouds provide new attack opportunities and new security issues for all parties involved.

Fourth, attacks on the cloud may not always be prevented, hence we need to consider cloud forensics to gather and analyze temporal and spatial evidence after an attack has happened on the cloud(s) and data/computation on any of the cloud servers has been compromised.

Fifth, as we explore new cloud computing environments, we may concentrate on traditional information security, including security, integrity and availability of data, integrity of computation, and malware defenses, and pay less attention to other cloud security risks that might come from the side and be unexpected. Examples of potential security risks, where vulnerabilities might come from, are side channels, reactive stability, cross-layer robustness, and digital artifact preservation.

Sixth, the new cloud computing environment has a legal side too. We know about attackers co-resident on the network and on the physical machines. We also know that attackers can corrupt the hosting infrastructure. One can defend cloud client machines and networks internally (via measurements, inference engines) and externally (via lawyers) against some of the attackers, but it takes time, effort, and expense. However, it is not clear that the hosting cloud provider will defend the infrastructure against attackers, since it is not clear that there is a “Legal Service Agreement” in the contract.

Seventh, the new cloud computing environment needs to consider monetary issues, such as abuse by a cloud provider, and protection against such monetary abuse if a cloud provider misuses users’ data for its own monetary profit.

6.2. Scientific Challenges and Questions

Several important challenges and questions emerge due to the new cloud computing platforms and security demands:

1. In VM-based trusted cloud computing environments (TCC), (a) how do we provide strong VM isolation without leaks or side channel attacks, (b) how do we provide continuous and full attestation of an unmodified platform and hypervisor, and trusted launch, and (c) how do we compose and connect islands of trust within untrusted environments, including services, I/O, network and storage? [Joseph2012]
2. In VM-based TCC, how do we ensure user-driven secure auditing and enable users to audit platform and hypervisor security, performance, and end-to-end billing? [Joseph2012]
3. In VM-based TCC, how do we (a) allow users to customize their security services; (b) guarantee that a user’s data, once stored in a cloud, is really completely deleted from the cloud; (c) ensure multiple levels of security policies on any VMs created on behalf of a client’s organization? [Hiltunen2012]
4. In a VM-based TCC, (a) how do users know that their VMs are hosted where they want them to be hosted, and that the users’ data/computation was not outsourced to some other cloud provider in country X; (b) is it possible to perform realistic confidential computations on an untrusted cloud? [Hiltunen2012]
5. In public VM-based clouds, due to operational exposure, how do we perform network reconnaissance, how do we detect placement vulnerabilities due to co-tenancy issues, and how do we detect and/or avoid vulnerabilities in the management fabric of the cloud? [Ristenpart2012]
6. In public VM-based clouds, the virtualization deployment mechanism changes the way software is deployed. Hence, legacy assumptions might not be valid given the VM deployment reality, and the computational supply chains might have very different characteristics than in traditional distributed environments. How do these different deployment paradigms impact the security of cloud users? [Ristenpart2012]
7. In addition to traditional security challenges, there might be risks that we are not looking at yet, or not carefully enough. For example, how would we defend clouds against the risk of side channel attacks which could come through timing channels? The cloud exacerbates timing channel risks due to routine co-residency, massive parallelism, and no intrusion alarms. How would we defend clouds against the risks of reactive stability which is built into load-balancing and other adaptive techniques? How would one defend against the cross-layer robustness problem if a cloud application provider requires 99.999% reliability, but uses only network and storage cloud providers with a service of 99.9% reliability? [Ford2012]
8. Attacks will happen on data/computation in clouds, hence it is of great importance that cloud providers take cloud forensics very seriously. However, with cloud forensics, challenges emerge such as ‘How does one support a digital forensics workflow in the cloud?’ It means: (a) how does one provide timely crime/attack detection and response, (b) how does one preserve logs, memory dumps and disk images while dealing with privacy, completeness and efficiency, (c) how does one examine the various logs and correlate temporal and spatial evidence, and (d) how does one present the findings? [Xu2012]
9. Many culturally important artifacts are and will be cloud-based applications and services. How will we preserve them if they are corrupted, modified, or enhanced? Will the Library of Congress have a copy of Google 1.0 or Facebook 1.0? [Ford2012]
10. As presented above, attacks will happen in a trusted cloud computing environment. The next challenge and question that comes up is ‘How well is a hosting cloud provider legally protected?’ How does the cloud user find out whether there is a “Legal Service Level Agreement” in the contract, if any? How does the cloud provider deal with wiretapping of customers, law enforcement, and search warrants? [Weaver2012]
11. Often cloud providers will need to balance the security risk in the cloud against the cost of resource provisioning to mitigate and minimize risks. However, in a trusted cloud computing environment it is not clear what the cloud-specific risk versus cost is. Can money solve the problems of network co-resident attackers and VM interference, or are good contracts enough within Layer 8 (service level agreements, contracts, legal decisions)? [Weaver2012]
12. In the same way that cloud providers may utilize monetary gains to compromise cloud security, attackers may consider monetary gains to exhibit adversarial behavior. Furthermore, because of operational aggregation on clouds, attacks on public clouds might represent higher value targets and present higher attacker incentives and wins. How does one protect against such attacker incentives and avoid catastrophic and systemic failures? [Ristenpart2012]

6.3. Recommended Problems

The panelists outlined several interesting new problems that need to be investigated as cloud computing platforms, services, software and concepts take off:

1. Investigate HW/SW virtualization architectures for VM-based TCC to enable full security/performance isolation at all levels (e.g., I/O, memory, TLB, cache), HW/SW static and dynamic verification of VM-based TCC, as well as data flow analysis in hypervisors applying statistical machine learning to detect novel and zero-day attacks [Joseph2012].
2. Investigate dynamic platforms, dynamic verification and dynamic attestation techniques, and scalable, fine-grain logging for user-driven secure auditing when working in VM-based TCC [Joseph2012].
3. Investigate VM-based TCC with customizable (new) security mechanisms that (a) only the cloud provider could implement, (b) would yield transparency to cloud users (translucent cloud) to show where users’ data is located, where VMs are located, and how to audit, prove and attest the provider’s security mechanisms and actions; and (c) could automatically capture corporate security policies and translate them into cloud domains [Hiltunen2012].
4. Investigate the security of public clouds, especially (a) improve understanding of new vulnerabilities (e.g., are cryptographic cross-VM side channels feasible?), (b) explore countermeasures for new threats (e.g., placement algorithms), and (c) seek out new opportunities for old problems (e.g., aggregation and pricing) [Ristenpart2012].
5. Investigate security risks in cloud computing that might appear, but that we are not looking at yet or not carefully enough. Examples are side channels, reactive stability, cross-layer robustness and digital preservation [Ford2012].
6. Put together an interdisciplinary team to address a multi-disciplinary research agenda for cloud forensics. This area will require (a) computer scientists with their understanding of systems, networks, data security, program analysis, data mining and privacy; (b) cyber-forensics experts with their expertise in forensic psychology, criminal behavior modeling and legal aspects; and (c) economists who bring to the table their knowledge of cost and revenue analysis and risk analysis. It is of crucial importance to study better risk analysis tools and approaches for cloud applications [Xu2012].
7. Explore possible solutions which do not secure the cloud, but enable cheap system operations, i.e., one could consider alternatives to outsourcing data/computation to the cloud (which saves money) and look for savings elsewhere, such as automated system operations on personal clouds with automatic configuration, automatic repair, standard replacement modules, power-saving systems and others [Weaver2012].
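As an added example of the kind of placement countermeasure item 4(b) refers to, not from the report or its panelists: a scheduler that treats a tenant’s isolation requirement as a hard co-residency constraint, so that VMs with conflicting security requirements (the co-location problem raised in 6.1) never share a physical host and its caches, TLB and memory bus. The isolation class names, host capacities and VM requests are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration, not from the workshop report. Isolation classes assumed here:
#   "shared"      - may co-reside with any other "shared" VM
#   "tenant_only" - may co-reside only with VMs of the same tenant
#   "dedicated"   - must be alone on its host


@dataclass
class VM:
    name: str
    tenant: str
    cores: int
    isolation: str


@dataclass
class Host:
    name: str
    cores: int
    vms: List[VM] = field(default_factory=list)

    def used(self) -> int:
        return sum(v.cores for v in self.vms)


def compatible(host: Host, vm: VM) -> bool:
    """Security check: would placing vm on host violate any residency requirement?"""
    if host.used() + vm.cores > host.cores:
        return False
    for other in host.vms:
        # A dedicated VM never shares a host, in either direction.
        if "dedicated" in (other.isolation, vm.isolation):
            return False
        # tenant_only VMs may only co-reside with their own tenant.
        if other.tenant != vm.tenant and "tenant_only" in (other.isolation, vm.isolation):
            return False
    return True


def place(hosts: List[Host], vm: VM) -> Optional[str]:
    """Greedy placement onto the fullest compatible host, which keeps empty hosts
    available for later dedicated or tenant_only requests. Returns None if no host
    can take the VM without breaking a constraint."""
    candidates = [h for h in hosts if compatible(h, vm)]
    if not candidates:
        return None
    best = max(candidates, key=lambda h: h.used())
    best.vms.append(vm)
    return best.name


def placement_report(hosts: List[Host]) -> dict:
    """Map each host to the VMs it currently holds, for auditing placements."""
    return {h.name: [v.name for v in h.vms] for h in hosts}
```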


References

[Doorn2012] L. van Doorn, “Securing the Cloud: Scale changes everything”, Keynote Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Tsudik2012] G. Tsudik, “Adversaries in clouds”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Feamster2012] N. Feamster, “Adversaries in Clouds: Protecting Data in Cloud-Based Applications”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Kamara2012] S. Kamara, “Cloud Adversary Models”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Ren2012] K. Ren, “End-to-End Security & Cloud Computation”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Shi2012] E. Shi, “Own Your Data In the Cloud! An End-to-End Approach”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Campbell2012] R. Campbell, “End-to-end Security in Cloud Computing”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Guynn2010] J. Guynn, “Google fires employee for snooping on users”, Los Angeles Times, September 16, 2010.
[BBCNews2012] BBC News, “Social apps ‘harvest smartphone contacts’”, February 15, 2012, http://www.bbc.co.uk/news/technology-17051910
[Ma2012] D. Ma, “Cryptographic Approach for Delegation and Authorization in Cloud Computing”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Renesse2012] R. van Renesse, “Delegation and Authorization in Cloud Computing”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Tuecke2012] S. Tuecke, “Delegation and Authorization: Challenges with SaaS”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Hiltunen2012] M. Hiltunen, “Cloud Security: One Size Does not Fit All”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Joseph2012] A.D. Joseph, “New Problems in Cloud Security”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Weaver2012] N. Weaver, “Lawyers, Guns, and Money”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Xu2012] D. Xu, “Cloud Forensics”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Ford2012] B. Ford, “Icebergs in the Clouds: the Other Risks of Cloud Computing”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.
[Ristenpart2012] T. Ristenpart, “New Problems in Security for Cloud Computing”, Presentation at NSF Workshop on Security for Cloud Computing, March 14-16, 2012.


Appendix

March 15, 2012

7:00 - 8:15 Continental Breakfast
8:15 - 9:30 NSF Perspective
    8:30 - 8:50 Farnam Jahanian: Opening remarks and CISE
    8:50 - 9:10 Keith Marzullo: CNS Division
    9:10 - 9:20 Mohamed Gouda: CSR Program
    9:20 - 9:30 Samuel Weber: SaTC Program
9:30 - 10:30 Keynote - Securing the Cloud. Speaker: Dr. Leendert van Doorn, AMD Corporate Fellow / Corporate VP
10:30 - 11:00 Break
11:00 - 12:30 Session 1: "Adversary Models in Cloud Computing". Moderator: Leendert van Doorn. Panelists: Gene Tsudik, Seny Kamara, Nick Feamster. Scribe: Jonathon Giffin
12:30 - 1:30 Lunch - Introduction and Discussion
1:30 - 3:00 Session 2: "New Problems in Security for Cloud Computing" (First Round). Moderator: Radu Sion. Panelists: Nicholas Weaver, Matti Hiltunen, Anthony Joseph. Scribe: Eric Keller
3:00 - 3:30 Break
3:30 - 5:00 Session 3: "End-to-end Security in Cloud Computing". Moderator: Kui Ren. Panelists: Roy Campbell, Elaine Shi. Scribe: Helen Gu
6:00 Dinner

March 16, 2012

7:00 - 8:15 Hot Breakfast
8:15 - 9:45 Session 4: "Delegation and Authorization in Cloud Computing". Moderator: Patrick McGeer. Panelists: Di Ma, Robbert van Renesse, Steve Tuecke. Scribe: Klara Nahrstedt
9:45 - 10:15 Break
10:15 - 11:45 Session 5: "New Problems in Security for Cloud Computing" (Second Round). Moderator: Peng Ning. Panelists: Dongyan Xu, Bryan Ford, Thomas Ristenpart. Scribe: Klara Nahrstedt
11:45 - 12:00 Wrap-Up
12:00 - 1:00 Lunch - Adjourn
