ECS781P

CLOUD COMPUTING
Cloud Security

Lecturer: Dr. Sukhpal Singh Gill

School of Electronic Engineering and Computer Science

Ignacio Castro| Cloud Computing 1

Cloud Computing: roadmap for this module

▪Network layer:
▪ Networking
▪Application layer:
▪ Client/server, RPC, Web Services
▪ REST
▪Performance:
▪ SLA
▪ Management
▪Security
▪Trends
▪ Monolithic applications → microservices
▪ Serverless: “hide complexity”
Contents

▪ Security concepts
▪ Attacks
▪ Security mechanisms
Information security

▪ Hard to deliver: needs to protect services &

assets against:
▪ accidental threats (e.g. software flaw, power-
outage)
▪ “malicious” threats (e.g., virus, DDoS attack)

https://xkcd.com/844/
Cloud security is challenging

▪Hard to establish well-demarcated security

“perimeters” (vs. traditional on-premise solution of hiding
everything behind firewalls)
▪Ubiquitous connectivity
▪Constant exchange of information
Fundamental security attributes

Referred to as the CIA (or AIC) triad of InfoSec:

▪ Confidentiality: information is not disclosed to (i.e., viewed by)
unauthorized entities
▪ Integrity: information is not altered by unauthorized entities
▪ Availability: information/service is reachable, usable and
accessible to authorized entities
Other security attributes

▪ Data Origin Authentication: assurance that data is originally

created/sent by a given entity
▪ Non-Repudiation: assurance that an entity cannot
deny a previous commitment/action (signature)
▪ For example, if you take a pen and sign a (legal) contract your signature is a
nonrepudiation device
▪ Entity-Authentication: assurance that a given entity is involved
& active in a current session
▪ Other derivative/compound attributes:
▪ anonymity, privacy, etc.
Elements of security-risk assessment

▪ Asset: anything that has a value (or can cause loss

if compromised) and needs to be protected
▪ Threat: any potential for occurrence of a violation of security
▪ Threat Agent: an entity that poses a threat
▪ Attack: a threat that is carried out (using exploits)
▪ exploit: software/commands that take advantage of vulnerabilities to
enable an attack
Vulnerabilities

A weakness (e.g. bug) that can be exploited by an attacker to

perform its attack. Examples:
▪ Buffer Overflow or overrun
▪ Stack Overflow
▪ Weak Crypto-Suites
▪ Hard-coded Credentials
▪ Flawed Implementation of cryptographic primitives/algorithms
▪ Flawed Key Management
▪ Weak password policy
▪ Side Channels
▪ Unused Open Ports/Services
Risk

The expected loss/harm/damage that can result of security

attacks. Depends on:
▪ Asset Profile of an organization
▪ Vulnerability Profile: list/profile of known vulnerabilities in the
organization
▪ Impact of each vulnerability: expected losses/damages if the
vulnerability is successfully exploited
▪ Threat Profile: probability that the organization will be the target of
different types of attackers
Examples of (Cloud-related) Threat-Agent types

▪ Anonymous Attacker: non-trusted cloud service consumer

without permission in the cloud
▪ Malicious Service Agent: rogue service agent (with compromised
or malicious logic) able to intercept and forward network traffic
flowing in the cloud
▪ Trusted Attacker (a.k.a. Malicious Tenant): shares IT resources in
the same cloud environment as the cloud consumer, has
legitimate credentials and targets the cloud provider or other
tenants
▪ Malicious Insider: human threat agents with access to the cloud
provider’s premises (e.g. disgruntled or bribed current or former
employees of the cloud service provider with admin privilege)
Examples of (Cloud-related) Threats

▪ Insufficient Authorization: granting an attacker access to IT

resources erroneously or too broadly.
▪ Weak authentication: a variation e.g. when weak passwords or shared
accounts are used to protect IT resources
▪ Overlapping Trust Boundaries: when the same physical
resource or cloud service is shared by different cloud
consumers, their trust boundaries overlap, which can be
exploited by one of the consumers to compromise the security
of others
Contents

▪ Security concepts
▪ Attacks
▪ Security mechanisms
Examples of (Cloud-related) Attacks

▪ Traffic Eavesdropping

▪ Malicious Intermediary (aka Main-In-The-Middle)

▪ Denial of Service (DoS)

▪ Virtualisation Attack
Traffic Eavesdropping Attack

▪ Attack when data traversing to, from or within the cloud is “passively” viewed
illegitimately, compromising confidentiality
Malicious Intermediary or Man-In-The-Middle Attack (MITM)

▪ Attack when messages/data are intercepted & potentially altered by a

malicious service agent,
compromising ‘confidentiality’, and potentially
‘integrity’
Denial of Service (DoS) Attack

▪ Maliciously over-loading IT resources so they cannot function properly,

compromising their ‘availability’:
▪ Network overloading with traffic: huge number of requests and/or transmitting huge files,
leaving no bandwidth or web server capacity for legitimate requests
▪ Excessive number of cloud service requests: consuming memory and processing resources
 Distributed-Denial-of-Service (DDoS) Attack
▪ DDoS attack from many locations, frequently by ‘zombie’ devices (bots),
complicating detection and filtering of malicious requests

DoS: where a computer is used to flood a server with TCP and UDP packets.
DDoS: where multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations
Virtualisation Attack (VM Escape)

▪ The services running in a Virtual Machine gain direct access and manipulate the
underlying physical resources using vulnerabilities in the virtualization
platform (compromising confidentiality, integrity or availability)
20
Contents

▪ Security concepts
▪ Attacks
▪ Security mechanisms
▪ Hashing
▪ Encryption
▪ Public Key Infrastructure (PKI)
▪ Other mechanisms
Security Controls

Counter-measures preventing the exploitation of a vulnerability, decrease its

probability of successful exploitation, or mitigate its impact if successfully
exploited (security response)
▪ Security Mechanisms: technology/tools/procedures that perform Security
Controls (used interchangeably with Security Controls)
▪ Security Policy: security rules and regulations (what is allowed/disallowed).
Enforced through security controls
▪ Security Plan: description of the implementation of the Information Security
Policy (list of security controls to be implemented & detail of
implementation)
Critical Security Controls

http://www.sans.org/critical-security-controls
Contents

▪ Security concepts
▪ Attacks
▪ Security mechanisms
▪ Hashing
▪ Encryption
▪ Other mechanisms
Hashing

A (Cryptographic) Hash (function) is a one-way function

from a piece of data of arbitrary length to a data of fixed
length (referred to as the message, digest, hash value,
hash code, or simply, the hash)

000e793db
70c59309fa
cloud 6f0f36d004
SHA1 6d110f3be3
c
Hashing, characteristics

▪ Should be easy to compute but practically impossible to invert

▪ A small change in the input should lead to significant change in the output
(avalanche effect)
▪ Same input will always yield the same hash value
▪ Computationally impractical to compute an inverse (otherwise, one can
exhaustively compute the hash of every possible input & store the results for
inverse lookup)
Desired Security Properties of a Hash function

▪ For hash value z = h(x), x is pre-image of z.

▪ z has multiple pre-images.
▪ Collision occurs if x ≠ y and H(x) = H (y)

▪ Preimage resistance:
▪ For any given z, it is difficult (computationally infeasible) to find an x such that h(x) = z
▪ Second Preimage resistance:
▪ For any given x & h(x), it is difficult (computationally infeasible) to find y ≠ x such that h(y) =
h(x) ---- weak collision resistant
▪ Collision-resistance:
▪ It is difficult (computationally infeasible) to find any pair (x, y), x ≠ y such that h(x) = h(y) ---
Strong collision resistant
Notable examples of hash functions

▪ MD-5 (Merkle-Damgard-5)
▪ output length = 128 bits
▪ Broken: no collision resistance
▪ SHA-1 (SHA: Secure Hash Algorithm)
▪ Output length = 160 bits
▪ Broken: no collision resistance (Google researchers)
▪ 110 years on a GPU, 4 days on a grid of 10,000 GPUs
▪ SHA-2
▪ Group including SHA-224, SHA-256, SHA-384, SHA-512
▪ The number specifies the length of the output in bits
▪ Current standard
▪ SHA-3
▪ Output length: can be set arbitrary
▪ expected to replace SHA-2 as the standard
Hash is broadly used (beyond security)

▪ Hash-tables:
▪ extensive use in database systems
▪ the hash immediately gives the index where something is stored
▪ Image hashing:
▪ Used for image recognition
▪ A database of hashed images (e.g., illegal content) is used to identify matches against a
stream of images (e.g., in Facebook)
Hashing for Password Storage Protection

▪ Storing user-names/passwords in plain-text is risky

▪ Instead, store user-names with the hash of the passwords
▪ To verify identity: compare the hash of what is entered with the stored hash
▪ Even better: use “salting” + hashing:
▪ each password is padded with a randomly generated string (called the “salt”)
▪ Hash it all (the salt is saved along with the hash).
Hashing for data integrity/protection

▪ Hash of a piece of data (e.g. message) == unique ID

▪ If the data is (accidentally or maliciously) altered (even slightly), then its hash
will be different
▪ Do not store/transmit the hash(data) + data:
▪ an adversary can change the data and compute its hash and replace both the data and the
hash
Contents

▪ Security concepts
▪ Attacks
▪ Security mechanisms
▪ Hashing
▪ Encryption
▪ Other mechanisms
Encryption

▪ Conversion of the intelligible data –plaintext – into unintelligible data

(apparently random sequence of bits) – ciphertext – that can only be
recovered –decrypted – using a secret key
▪ Hashing vs. encryption:
▪ hashing is one-way: no computationally feasible way to get the original message
▪ encryption can be easily reversed (decryption) with the secret key
▪ Classes of encryption:
▪ Symmetric Key Encryption
▪ Asymmetric (Public-Key) Encryption
Symmetric Encryption

▪ “symmetric key”:
▪ Plain-text + key → cipher-text
▪ Plain-text  cipher-text + + key
▪ Both parties need to know the secret key
Symmetric Encryption

▪ Sequence of (non-destructive) “substitutions” (replacing the original alphabet

with a new one) and “transpositions” (permutation or shuffling the order of the
original characters)
▪ The shared secret key, intuitively, is the “recipe” of doing the substitutions and
permutations, so by “undoing” them in the reverse order (and only by
following that recipe), the original message can be retrieved
Classes of symmetric key ciphers

▪ Block-Cipher:
▪ data is divided into “blocks” (fixed-length chunks, i.e., n-bits)
▪ encryption/decryption on blocks independent of each other
using the shared “key” for each block
▪ Stream-Cipher:
▪ 2 streams:
▪ stream of input text: encryption of 1 byte of plaintext at a time
▪ stream of key data: key data stream is generated by a function whose seed is
the encryption key
▪ Encryption: a byte from the input stream and a byte from the key stream
and combining them using some function
Classes of symmetric key ciphers

▪Block-Cipher:

▪Stream-Cipher:
Symmetric key encryption, pros and cons

▪Advantages
▪ Simple and efficient algorithms
▪ Can even be implemented directly in the hardware (e.g. using
electronic circuits such as XOR gates)
▪Disadvantages
▪ Requires a mechanism to “securely” establish the shared key
▪ In a multi-party setting, it is impossible to establish the
identity of each party (everyone has the same key)
▪ Non-repudiation is impossible: same key is used for
encryption and decryption, the recipient can fraudulently
claim a message is encrypted and sent by the sender
Asymmetric encryption: public key cryptography

▪ No need to share a secret key!

▪ A breakthrough that revolutionized
email and ecommerce
▪ Computationally intensive (MUCH
more than symmetric encryption)
▪ Discovered in the late 70s in the US
and UK
https://www.wired.com/1999/04/crypto/
https://math.berkeley.edu/~kpmann/encryption.pdf
Public-key cryptography usages

▪Public-key encryption: message is encrypted with a

recipient's public key
▪ The message can only be decrypted by the owner of the
matching private key
▪ Properties: confidentiality and integrity
▪Private-key encryption: message is signed with
sender's private key
▪ verifiable by anyone with the sender's public key
▪ Can be used as a “signature”
▪ Properties: integrity, data-origin authentication, non-
repudation
Public-key Encryption

B A

B B

A B

A A

3. Encryption with 5. Receiver decrypts the

1. Generate Keys
receiver’s public key message with its private key
2. Exchange public 4. Exchange ciphered text
keys
Public-key encryption in HTTPs

▪ HTTPS = HTTP secured via SSL/TLS

▪ Public key encryption used to establish a common key securely
▪ Then use symmetric key encryption
▪ Due to public-key encryption computational overhead!
▪ These established (symmetric) keys are “ephemeral”:
frequently changed (to ensure their freshness) using the same public key pairs
Private-key Encryption

B A

B B

A B

A A

3. Encryption with 5. Receiver with

1. Generate Keys
sender private key senders public key
2. Exchange public 4. Exchange ciphered text
keys
Private-key cryptography: Digital Signature

▪ Bob signs his message by using his private key to

encrypt the message
▪ Hashing to reduce computational overhead
▪ Bob signature:
▪ hash of his message → shorter
▪ encrypt the hash with his private key and appends it to the message
▪ Alice verification:
▪ decrypt the encrypted hash using Bob’s public key
▪ compute the hash of the message
▪ Check if the two digests match
Public key’s trust problem

▪ Anyone can generate pairs of public-private keys:

an imposter could claim ownership of a public key
▪ Solution: trust by hierarchy
▪ digital certificates: public key, information about owner’s identity, validity period
▪ All of these are digitally signed by (the private key) of the Certificate Authority (CA)
▪ CA’s public key is easier to ascertain (e.g. pre-installed in the browser)
Public Key Infrastructure (PKI)

▪ Protocols, data formats, roles, rules, practices and policies that enable a large-
scale system to reliably use public key cryptography
▪ Key-pairs’ creation, access control, back-up, monitoring, revocation/expiration,
archival/destruction
▪ Establishes trust and of public key identification through digital certificates
issued by Certificate Authorities (e.g., Verisign, COMODO, Thwate)
▪ Alternatives to Cas: “block-chain-based PKI”
Contents

▪ Security concepts
▪ Attacks
▪ Security mechanisms
▪ Hashing
▪ Encryption
▪ Other mechanisms
IAM (Identity and Access Management)

▪ Security mechanism controlling user identities & access privileges

▪ Components:
▪ Authentication: verifying the identity of each entity
▪ Authorization: defines roles/responsibilities, attributes and access control rules
▪ Management:
▪ User: how new user identities & access groups are created, how/when passwords are reset,
password policies
▪ Credentials: how credentials are securely stored, retrieved, modified
SSO (Single-Sign-On)

▪ Persistent authentication: security broker

▪ No re-authentication: propagates authentication and authorization across multiple cloud
services
▪ Security broker generates “tokens”
▪ based on the credentials provided by the user (e.g. session token/cookie)
▪ Can remain valid for the duration of the user’s session
▪ Security context information is shared with the needed & trusted IT resources
SSO’s: security vs usability

▪ Advantages:
▪ greater efficiency & ease of use
▪ Disadvantages:
▪ Single point of failure: security broker
▪ Mismanagement of tokens can compromise security
▪ If a malicious agent steals a token, it can assume the identity of its user without having to know
its credentials
▪ If tokens are not destroyed sensitive information of the users might be inferred
Cloud-Based Security Groups

▪ Improves data protection by placing barriers between IT resources

▪ Resource segmentation: creates cloud-based security group mechanisms that are
determined through security policies → virtual network perimeters
▪ Each cloud-based IT resource is assigned to at least one cloud-based security group
▪ Each logical cloud-based security group is assigned specific rules that govern the
communication between the security groups.
Cloud-Based Security Groups in AWS

▪ Associated with EC2 instances

▪ Provide security at the protocol and port access level
▪ Each security group contains a set of rules that filter traffic coming into and out
of an EC2 instance (e.g. similarly to a firewall)
Hardened virtual server image

▪ A VM image that has been subjected to a hardening process (and saved in the
VM images repository)
▪ Hardening: stripping unnecessary software from a system to limit potential vulnerabilities
that can be exploited by attackers (i.e., reducing its attack surface)
▪ This results in a VM template that is significantly more secure than the original standard
image
58
Cloud Computing: roadmap for this module

▪Network layer:
▪ Networking
▪Application layer:
▪ Client/server, RPC, Web Services
▪ REST
▪Performance:
▪ SLA
▪ Management
▪Security
▪Trends
▪ Monolithic applications → microservices
▪ Serverless: “hide complexity”
Ignacio Castro| Cloud Computing 60