Engineering Security into Cloud Systems
Note: This article was originally published by the author on November 26, 2018.
In the year 2018, there remains no such thing as a perfectly secure computer Information System (IS). Computer systems were designed by humans to automate processes and as such are vulnerable to human error. Until humans arrive at a point in the distant future when Artificial Intelligence (AI) is trusted enough to self-code, systems must continue to be engineered with security controls “baked” into the initial design concept and re-engineered with security enhancements as new vulnerabilities are discovered. When vulnerabilities are discovered, developers are required to quickly write software patches that provide fixes for security vulnerabilities which are then published for customers to download and install. System security engineering is already inherently difficult given the immense complexity of computer systems and software programming, a fact that is only exacerbated when developers face looming deadlines, personnel shortages, budget cuts, and a growing multitude of cyber threats. It is not difficult to see why mistakes are often made in software code. In recent years, organizations seeking to reduce overhead costs for Information Technology (IT) equipment and staff have begun flocking in droves to Cloud-based IT services that offer everything from basic file storage and backup solutions to E-mail and more advanced services like Software or Hardware-as-a-Service (Jacobs, 2016, p. 289).
This piece will explore some of the commonly offered Cloud computing system services and the processes used by industry to engineer security into those services. Some of the topics that will be covered include an overview of how Cloud computing systems work, common Cloud architectures and security concepts, as well as more detailed analyses of Software/Hardware-as-a-Service, Infrastructure-as-a-Service, Applications-as-a-Service, and the pros and cons of public versus private Clouds. With so many organizations switching to Cloud technology to manage their day-to-day business operations and the massive amount of sensitive information stored in Clouds, system security engineering is pivotal to ensuring that the confidentiality, integrity, and availability of the data remains intact.
Cloud Technology Concepts
The National Institute of Standards and Technology (NIST) defines Cloud computing as a “…model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell & Grance, 2011, p. 2). There are several different practical applications of Cloud technology currently in use that have become ubiquitously implemented across the Internet. A common joke with Cloud computing used to be that there was no “Cloud” and that subscribers were just paying to store their files on someone else’s computer. Albeit somewhat humorous, Cloud computing has morphed into so much more than just sharing disk space on a server in functionality when all of the various types of Cloud services are taken into consideration. Most importantly, however, is the security concern associated with Cloud services.
Customer Benefits of Using Cloud Technology
Businesses and now even governments have begun transitioning their data and services to outsourced IT Cloud Service Providers (C-SP) to increase employee productivity and reduce the traditional costs of IT infrastructure and personnel. In exchange for a service fee, businesses get the reassurance that their IT services are being remotely managed by professionals without having to actually pay for all of the associated costs to procure, set up, and maintain that same IT infrastructure. Additionally, employee productivity and efficiency can be drastically improved by Cloud services due to the increased availability of data that is accessible anywhere at any time as long as there is a reliable Internet connection available (Fortinet, 2017, p. 2). Employees can work securely (i.e., using a Virtual Private Network connection) from home, the office, or while traveling the globe.
No business wants to suffer a data breach and it is for this simple reason that security is of such paramount importance. Businesses want to protect their brand name and comply with government and industry compliance regulations to prevent breaches as well as the secondary and tertiary breach effects of potential government fines and the loss of customer confidence. Businesses are and will continue to be prime targets for cyber attackers seeking to gain financial, customer, and proprietary or even sensitive government or military data with a recent report stating that there are over 470,000 network intrusion attempts on the Internet every minute (Fortinet, 2017, p. 2). With statistics like these, it is not difficult to understand why businesses are attracted to the idea that in today’s world of constantly evolving cyber threats, the security of their proprietary, financial, and customer data is being managed by a Managed Security Service Provider (MSSP) with the requisite IT infrastructure and qualified personnel resources to perform this task. The MSSP industry is expected to become a $35.5 billion industry by the year 2020 (Fortinet, 2017, p. 3).
There are several different techniques for virtualizing Cloud services. It is the virtualization technique that is the real cost savings to organizations because the amount of additional IT equipment necessary to perform virtualization costs significantly less than purchasing new servers and paying the manpower to configure and maintain the equipment. System resource virtualization allows multiple tasks or threads on a single computer to be performed simultaneously (Durairaj & Kannan, 2014, p. 147). Hardware factors such as processor speed and the amount of Read Access Memory (RAM) a computer or server possesses impacts the extent to which virtualization is possible.
One virtualization technique known as emulation involves converting computer hardware behaviors to a software program resident on the computer’s operating system (OS), but is a slower virtualization technique and requires higher-end hardware configuration to work properly (Durairaj & Kannan, 2014, p. 147). Another technique is to use a virtual machine monitor, also known as a hypervisor. A hypervisor might sound like something to protect against sun rays while playing tennis, but it is actually a native software layer that serves as a sort of engine behind virtual machines that both monitors and virtualizes a computer system’s resources to perform the desired tasks (Durairaj & Kannan, 2014, pp. 147–148). Paravirtualization only works with open source OS and is yet another virtualization technique that uses “…hypercalls that substitutes the instruction set architecture of [the] host machine,” whereby the hypercalls act as an intermediary between the guest OS and hypervisor to improve process performance (Durairaj & Kannan, 2014, p. 148). Full virtualization is a technique whereby the hypervisor creates a buffer zone between the virtual server and the host hardware so that the OS has no knowledge of the virtual server processes (Durairaj & Kannan, 2014, p. 148).
In addition to the various types of virtualization techniques, there are also three types of virtualization. Server virtualization refers to a single server essentially cloning itself and performing the work functions of multiple servers through resource apportionment (Durairaj & Kannan, 2014, p. 148). Client virtualization is performed via system administration and can be either remote or server-hosted, local or client-hosted virtualization, or application-hosted virtualization that runs the application in a sandboxed type of environment (Durairaj & Kannan, 2014, p. 148). The third type of virtualization is storage virtualization which virtualizes additional storage space using the abstraction of logical storage from physical memory. With storage virtualization, there are three types of virtualization techniques. Direct Attached Storage (DAS) involves physically-connected hard disk drives (HDD) which are attached to the server. Network Attached Storage (NAS) virtualizes additional data storage space by polling the entire network for host hardware resources it can use to create additional storage space (e.g., external HDDs, partitioned drives, etc.). Storage Area Network (SAN) are fast due to their high-speed network architecture which allows data storage to be shared with different servers (Durairaj & Kannan, 2014, p. 148).
Security Concerns with Cloud Technology
It is unsurprising that every C-SP customer is concerned with the security of sensitive and proprietary data, the concern mainly stemming from the fact that the data is not hosted within their local or corporate IT infrastructure that they can reach out and touch. In a recent study conducted by the International Data Corporation, an overwhelming majority of 244 IT executives stated that security was their most serious concern in adopting Cloud services followed closely by availability and performance concerns (Balding 2009). A similar study conducted by Cisco with over six times as many respondents revealed very similar results but interestingly also indicated other factors such as overall application performance and visibility and control of applications (Nicho & Hendy, 2013, p. 161). From a security professional perspective, it is difficult to relinquish certain security administrative privileges within a system such as the ability to review event logs in a Cloud service or configure the application a certain way. Some C-SPs will allow subscriber organizations some measure of control within their hosted Cloud services and there will always be a service-level agreement (SLA) that establishes agreed-upon expectations for both parties, the customer, and the C-SP.
Understandably there is also concern from businesses that a cyber-attack such as a Distributed Denial of Service (DDoS) attack could prevent access to the data hosted by a C-SP and the ability to conduct business online using relied upon Cloud services could come to a crashing halt as it did in 2016 for Amazon Web Services (AWS). On 21 October 2016, Dyn Managed DNS suffered a massive DDoS attack that measured close to 1TBps instigated by Mirai malware botnets which temporarily brought down some powerhouse Cloud servicer providers and retailers including “…Twitter, SoundCloud, Spotify, Netflix, Reddit, Pagerduty, Shopify, Disqus, Freshbooks, Vox Media, PayPal, Etsy, Github, Heroku, Time, Playstation, the Intercom app and more” (Moss, 2016). Businesses also have legal concerns in that if the C-SP is hacked and their customer Personally Identifiable Information (PII) or private data is leaked onto the Web, their business could face regulatory fines, legal lawsuits, and customer backlash (Nicho & Hendy, 2013, p. 162). The prohibitive cost of the Cloud services could be another factor for businesses hesitating to migrate to Cloud services.
The top 12 Cloud security threats of 2016 were data breaches; compromised credentials and broken authentication; hacked interfaces and Application Programming Interfaces (API); exploited system vulnerabilities; account hijacking; malicious insiders; Advanced Persistent Threats (APT); permanent data loss; inadequate diligence; Cloud service abuses; Denial of Service (DoS) attacks; and the shared danger involved with sharing technology (Rashid, 2016). The lowest common denominator in this equation of security threats is the human element combined with the fact that each of these threats requires Internet connectivity. One method to mitigate risk is to implement multi-factor authentication on all hosts, implement host-based and network-based intrusion detection systems, apply the principle of least privilege, segment the network, and patch any and all shared resources (Rashid, 2016).
The Hardware-as-a-Service model allows customers to utilize the hardware infrastructure of a C-SP through virtualization instead of having to purchase and maintain their own equipment. The rented Cloud-based hardware capacity could be used as a primary business driver or possibly also configured as a backup or overflow service for the customer’s IT business process needs (Jacobs, 2016, p. 289). The customer provides or selects the OS and application(s) to be used on the Virtual Machine (VM). As with all of the Cloud technology-as-a-service models, special care must be taken to outline boundaries and responsibilities within the SLA (Jacobs, 2016, p. 290).
Sometimes also called Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS) allows customers to rent space on data server hardware which can be tailored to whatever size the customer needs. In the IaaS service model, the customer pays the C-SP to use their IT infrastructure (e.g., processors, storage space, networks, etc.) to run the customer-configured software, applications, and/or an OS (Mell & Grance, 2011, p. 3). The C-SP manages the Cloud infrastructure as in other service models, and the customer has control over the software applications running on the Cloud-based infrastructure. A practical example of IaaS would be an individual or business that pays to store data on the Google Cloud.
It is much cheaper and faster for companies to rent ready-to-install software from a C-SP than to pay to develop their own software from scratch. In the SaaS service model, the C-SP customer pays to use Web-based applications or possibly a program interface from a thin client computer and may have the ability to configure some application settings. However, all other Cloud service infrastructure is managed by the C-SP (Mell & Grance, 2011, p. 2). A practical example of SaaS might include a tax preparation company paying to use H&R Block Web-based tax preparation software to prepare tax forms for individual client customers. Another example of SaaS could also be the popular Steam video game hosting site or Microsoft’s Office 365 in which customers must pay to use video games or MS Office applications (i.e., software applications) that are hosted by the C-SP.
Some organizations prefer to outsource the security management of their network which has evolved over the years entirely into another C-SP sub-industry known as Security-as-a-Service. In this scenario, Managed Security Service Providers (MSSP) like Cisco, Dell, Check Point, Fortinet, Sophos, or WatchGuard remotely manage security for subscribers (Fortinet, 2017, p. 4). Figure 1 demonstrates how the Fortinet MSSP provides Cloud-based portal services such as E-mail, Web content hosting/browsing, and application sandboxing that is all remotely managed, audited, and analyzed by the MSSP’s certified Cloud security expert in various physical, virtual, or hybrid configurations (Fortinet, 2017). Practical examples of Security-as-a-Service may include both large and small businesses that can afford to outsource the security of the networks to an MSSP because they may not be able to afford their own IT infrastructure and associated employee costs.
Rackspace, an MSSP, published a sample privilege escalation incident “Flash” report in which the C-SP thoroughly details how it can remotely manage security for a customer’s network and provide real-time customer security operations center (CSOC)-level analysis of active system threats, perform direct hunt missions and provide customers with flash (i.e., immediate), weekly, and monthly reports that show the statistical analysis by threat type (2017). Some businesses that can afford to pay for these types of MSSP services can transfer much of their risk to an MSSP like Rackspace which is contractually bound to perform security management services for clients.
Cloud System Security Engineering: Encrypting Data Stored in the Cloud
Two major concerns with storing any type of data in a Cloud environment are confidentiality and integrity. C-SP subscribers want security reassurances that no one else will be able to access, read, or modify their information. Both the core cybersecurity tenets of confidentiality and integrity can be engineered into Cloud computing by implementing encryption of the various types of data such as data-at-rest, data-in-transit, and data-in-use. Encryption is a very important aspect of any IS defense-in-depth security strategy because it provides data confidentiality and integrity should it fall into the wrong hands.
Google, a popular C-SP for data storage, employs encryption at several layers of the Open System Interconnection (OSI) stack, such as the application and physical layers (Jacobs, 2016, p. 270). Google encrypts data-at-rest at the storage device (i.e., the physical) layer with Solid State Drives (SSD) using the Advanced Encryption Standard (AES) symmetric encryption at either the 128-bit or 256-bit encryption levels (Google, 2017). Google Cloud storage works by data being uploaded to the Google Cloud by the subscriber. The data is then broken down into smaller, more manageable chunks of data which are each encrypted with unique encryption keys. Then the chunks are distributed across Google’s proprietary storage infrastructure and accessed by the C-SP subscriber as needed with their private encryption key (Google, 2017). Google data storage backups are also encrypted with unique AES256 data encryption keys (DEK) for each backup file using a sophisticated key management system (KMS) (Google, 2017).
Encryption of data-in-transit such as in the case of a C-SP subscriber uploading data securely to the Cloud or accessing it at another time may be accomplished from the Web browser on port 443 using Hypertext Transfer Protocol (HTTP) coupled with either the additional Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols for data as it transits the Web to form HTTPS (Jacobs, 2016, p. 574). Encryption of data-in-use is accomplished by generating layers of abstraction and although the technique does add a degree of network latency due to the constant decryption and re-encryption of data being used, it is well worth it because encrypting data-in-use prevents attackers from being able to access or read the data should a breach occur when the data is an unlocked open state and in use (Linthicum, 2017).
Identity and Access Management
In Cloud security, the software engineers must program or “bake” Identity and Access Management (IAM) security controls directly into the Cloud application while simultaneously keeping the core business processes at the forefront of the Cloud service model. With Cloud computing, software developers can no longer just write code and shift the responsibility of applying security Band-Aid software patches for Cloud applications to someone else to develop. The reason is that Cloud application programming is more complicated than traditional software programming in that there are layers of security that have to be interwoven with different APIs and business drivers (Linthicum, 2017).
It is possible to engineer Single Sign-On (SSO) into Cloud services using industry standards such as Open Authorization (OAuth) 2.0 which enables token-based authentication to sites on the Internet to include Cloud services without exposing the user’s password (Leger, 2017). The problem, however, is that company employees log into websites with their company credentials unknowingly giving these Web apps API access to their corporate networks, essentially giving an attacker the proverbial “keys to the kingdom.” The best practice for reducing this threat is to have employees revoke permissions from these apps and not log in with their corporate credentials in the first place, it is just bad practice all the way around (Leger, 2017).
Application Programming Interfaces
Application Programming Interfaces (API) are the language or code interpreters for how software applications interact with one another, the application platform, and with Cloud services (Jacobs, 2016, p. 687). There are APIs for all types of processes such as APIs for third-party extensions within Web browsers; authentication and access control; communications security; and even for cryptography in OpenSSL; Java; Microsoft IIS, CA, and .NET (Jacobs, 2016, p. 422). The applications make API connections to an OS to use services such as explicit services the application may need to perform a functional task.
Cloud Security Architectures: Public Cloud Architecture
A public Cloud architecture denotes that the C-SP (e.g., Google Cloud Platform, Amazon Web Services, Microsoft Azure, HP Helion, IBM SoftLayer, etc.) has multiple customers for which it externally hosts data and/or provides shared resources or services. Anyone is free to subscribe to and use Public Cloud services that are typically managed by some type of government, business, or academic institution (Mell & Grance, 2011, p. 3). Similar to the public Cloud architecture, the community Cloud architecture is provisioned by a particular community for exclusive use that has similar security, policy, mission requirements, and/or compliance considerations in mind (Mell & Grance, 2011, p. 3).
Private Cloud Architecture
When a Cloud infrastructure is owned and operated by the organization using it or multiple customers of one third-party C-SP infrastructure it is categorized as a private Cloud architecture. The infrastructure may be located on-site or off-site as is usually the case if the services are being provided by a third-party C-SP (Mell & Grance, 2011, p. 3). Some examples of private C-SPs are OpenStack, VMware, Microsoft, IBM, HP, Dell, and Oracle.
Hybrid Cloud Architecture
A hybrid Cloud architecture utilizes a combination of two or more Cloud architectures, such as public, private, or community are separate but intertwined to facilitate some type of proprietary technology such as cloud bursting to prevent overloads on a particular Cloud service platform (Mell & Grance, 2011, p. 3). Some practical examples of hybrid C-SPs are Microsoft, Amazon, WMware, Google, Rackspace, HP Enterprise, Verizon, and EMC.
In conclusion, Cloud technology is a practical and affordable force multiplier alternative to traditional IT infrastructure paradigms with manageable risk provided system security engineering industry best practices are followed. No system will ever be 100% safe from all types of vulnerabilities, but Cloud technology has enabled many organizations to increase employee productivity and efficiency while simultaneously reducing overhead costs. With Cloud technology, there are many different implementations possible but security engineering must be factored in from the design concept to ensure that data is properly protected. If layered security is not implemented in Cloud architecture, the examples presented have shown that attackers will find a way to exploit vulnerabilities by any means necessary. C-SP customers cannot afford to only rely on C-SPs, they must also have backup redundancy of both data and capability to the greatest extent possible to continue performing business processes in the event of a major DDoS attack or Internet connectivity failure.
If you enjoyed reading my work, please consider supporting my privacy and security research by subscribing to my site
for $5/mo. or $50/yr. as there are costs involved with researching paywalled content, online tools and services, as well as hosting this content on a personal website that I make freely available. Every little bit helps. Thank you.
(2017). Sample flash report. Retrieved from https://www.rackspace.com/sites/default/files/white-papers/7_rackspace_managed_security_-_sample_reports_copy.pdf
Balding, C. (2009). New IDC IT Cloud services survey: Top benefits and challenges. Retrieved from http://cloudsecurity.org/blog/2008/10/14/biggest-cloud-challenge-security.html
Candrlic, G. (2013, March 19). Cloud computing — types of Cloud. Retrieved from http://www.globaldots.com/cloud-computing-types-of-cloud/
“Cloud Security in an Agile World.” (2017, March 10). Retrieved from https://support.rackspace.com/whitepapers/cloud-security-in-an-agile-world/
Durairaj, M., & Kannan, P. (2014). A Study on Virtualization Techniques And Challenges in Cloud Computing. International Journal of Scientific & Technology Research, 3(11), 147–151. Retrieved from http://www.ijstr.org/final-print/nov2014/A-Study-On-Virtualization-Techniques-And-Challenges-In-Cloud-Computing.pdf
Fortinet. (2017, March 21). Security solutions for managed security service providers and Cloud providers. Retrieved from https://www.fortinet.com/content/dam/fortinet/.../sg-mssp-cloud-security-solution.pdf
Google. (2017, July 5). Encryption at rest in Google cloud platform. Retrieved from https://cloud.google.com/security/encryption-at-rest/default-encryption/
Jacobs, S. (2016). Engineering Information Security: The Application of Systems Engineering Co. John Wiley & Sons.
Leger, B. (2017, May 3). The OAuth attack goes mainstream. Retrieved from https://www.cloudlock.com/blog/the-oauth-attack-goes-mainstream/
Linthicum, D. (2017). Cloud app security: How not to fail. Retrieved from https://techbeacon.com/cloud-application-security-how-not-fail
Mell, P., & Grance, T. (2011, September). NIST Special Publication 800–145: The NIST definition of Cloud computing. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Moss, S. (2016, October 21). Major DDoS attack on Dyn disrupts AWS, Twitter, Spotify and more. Retrieved from http://www.datacenterdynamics.com/content-tracks/security-risk/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more/97176.fullarticle
Nicho, M., & Hendy, M. (2013). Dimensions of security threats in cloud computing: A case study. The Review of Business Information Systems (Online), 17(4), 159-n/a. Retrieved from https://search-proquest-com.ezproxy2.apus.edu/docview/1458944582?accountid=8289
Rashid, F. Y. (2016, March 11). The dirty dozen: 12 cloud security threats. Retrieved from https://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html