A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS. Keiko Hashizume. A Dissertation Submitted to the Faculty of


A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS

by Keiko Hashizume

A Dissertation Submitted to the Faculty of the College of Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

Florida Atlantic University
Boca Raton, FL
May 2013

Copyright by Keiko Hashizume 2013

ACKNOWLEDGEMENTS

I would like to thank my advisor, Dr. Eduardo B. Fernandez, for his guidance during these years. He has been a true mentor by supporting me not only during my research but also in my personal life. I would also like to express my gratitude to my committee members, Dr. Maria Petrie, Dr. Mihaela Cardei, Dr. Rainer Steinwandt, and the members of the Secure Systems Research Group for all their advice and constructive comments on this dissertation. I would also like to thank the Latin American and Caribbean Consortium of Engineering Institutions for its support during my studies. I want to thank the GSyA Research Group at the University of Castilla-La Mancha, Ciudad Real, Spain, and the GRACE Center of the National Institute of Informatics, in Tokyo, Japan, for hosting my visits to their institutions and collaborating with us. Those visits were supported by the PIRE Program of NSF (grant OISE ).

ABSTRACT

Author: Keiko Hashizume
Title: A Reference Architecture for Cloud Computing and Its Security Applications
Institution: Florida Atlantic University
Dissertation Advisor: Dr. Eduardo B. Fernandez
Degree: Doctor of Philosophy
Year: 2013

Cloud Computing is a relatively new computing model that provides on demand business or consumer IT services over the Internet. However, one of the main concerns in Cloud Computing is security. In complex systems such as Cloud Computing, parts of a system are secured by using specific products, but there is rarely a global security analysis of the complete system. We have described how to add security to cloud systems and evaluate their security levels using a reference architecture. A reference architecture provides a framework for relating threats to the structure of the system and makes their enumeration more systematic and complete. In order to secure a cloud framework, we have enumerated cloud threats by combining several methods because it is not possible to prove that we have covered all the threats. We have done a systematic enumeration of cloud threats by first identifying them in the literature and then by analyzing the activities from each of their use cases in order to find possible threats. These threats are realized in the form of misuse cases in order to understand how an attack happens from the point of view of an attacker. The reference architecture is used as a framework to determine where to add security in order to stop or mitigate these threats. This approach also implies developing some security patterns, which will be added to the reference architecture to design a secure framework for clouds. We finally evaluate its security level by using misuse patterns and considering the threat coverage of the models.

A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS

TABLES
FIGURES
1. INTRODUCTION
BACKGROUND
  Cloud Service Models
    Infrastructure-as-a-Service
    Platform-as-a-Service
    Software-as-a-Service
  Cloud Service Deployment
    Public Cloud
    Private Cloud
    Community Cloud
    Hybrid Cloud
  Characteristics of Cloud Computing
  Key Technologies for Cloud Computing
    Service Oriented Architecture (SOA)
    Web 2.0
    Virtualization
  Reference Architectures
  Patterns
ANALYSIS OF SECURITY ISSUES
  Systematic review of Security issues for Cloud Computing
    Question Formalization
    Selection of Sources
    Review Execution
    Results and Discussion
  Security in the SPI model
    Software-as-a-Service (SaaS) Security Issues
    Platform-as-a-Service (PaaS) Security Issues
    Infrastructure-as-a-Service (IaaS) Security Issues
  Analysis of Security issues in Cloud Computing
  Countermeasures
  Summary
REFERENCE ARCHITECTURE
  Cloud Architecture Overview
  Cloud Computing Standards
  Use Case Model
  Infrastructure-as-a-Service
    Intent, Context, Problem, Forces, Solution, Implementation, Known Uses, Consequences, Related Patterns
  Platform-as-a-Service
    Intent, Context, Problem, Solution, Implementation, Known Uses, Consequences, Related Patterns
  4.6. Software-as-a-Service
    Intent, Context, Problem, Solution, Implementation, Known Uses, Consequences, Related Patterns
  Reference Architecture Environment
  Summary
MISUSE PATTERNS
  Resource Usage Monitoring Inference in Cloud Computing
    Intent, Context, Problem, Solution, Consequences, Countermeasures, Forensics, Related Patterns
  Malicious Virtual Machine Creation
    Intent, Context, Problem, Solution, Consequences, Countermeasures, Forensics
  Malicious Virtual Machine Migration Process
    Intent, Context, Problem, Solution, Consequences, Countermeasures, Forensics, Related Patterns
  Discussion
  Summary
SECURE REFERENCE ARCHITECTURE
  Securing a cloud reference architecture
  Administration of Security Use Cases
  Identifying threats
  Cloud Defenses
  Secure virtual machine image repository system
  Secure Reference Architecture
  Evaluating security using a reference architecture
  Summary
RELATED WORK
CONCLUSIONS AND FUTURE WORK
REFERENCES

TABLES

Table 1: Summary of the topics considered in each approach
Table 2. Vulnerabilities in Cloud Computing
Table 3. Threats in Cloud Computing
Table 4. Relationships between Threats, Vulnerabilities, and Countermeasures
Table 5: Misuse Activities Analysis
Table 6: Threat List vs. Mitigation Defenses

FIGURES

Figure 1: Infrastructure-as-a-Service Model
Figure 2: Platform-as-a-Service Model
Figure 3: Software-as-a-Service Model
Figure 4: Public Cloud
Figure 5: Private Cloud
Figure 6: Community Cloud
Figure 7: Hybrid Cloud
Figure 8: Cloud Architecture Overview
Figure 9: Common Use Cases for Cloud Computing
Figure 10: Use Case Diagram for IaaS
Figure 11: Use Case Diagram for PaaS
Figure 12: Use Case Diagram for SaaS
Figure 13: Class Diagram for Infrastructure-as-a-Service architecture
Figure 14: Sequence Diagram for Use Case Create a Virtual Machine
Figure 15: Sequence Diagram for Use Case Migrate a Virtual Machine
Figure 16: Eucalyptus main components
Figure 17: Class Diagram for PaaS Pattern
Figure 18: Sequence Diagram for Consuming Development Software
Figure 19: Sequence Diagram for Deploying an Application
Figure 20: The Force.com stack and services (from [18])
Figure 21: Class Diagram of Force.com's PaaS architecture
Figure 22: Class Diagram for SaaS Pattern
Figure 23: Sequence Diagram for UC1 - Subscribe to an application
Figure 24: Sequence Diagram for UC2 - Consume an application
Figure 25: Class Diagram for a Cloud Computing Environment
Figure 26: Class Diagram for virtualization in Cloud Computing
Figure 27: Co-locate attacker's VM besides the Victim's VM
Figure 28: Sequence Diagram for the use case Infer some of the victim's information by monitoring his resource usage
Figure 29: Class diagram for VM Image Misuse Pattern
Figure 30: Sequence Diagram for the Use Case Publish a Malicious VM Image
Figure 31: Sequence Diagram for the use case Launch a VM using a malicious VM Image
Figure 32: Class Diagram for VM Migration Process
Figure 33: Sequence Diagram for the use case Man-in-the-middle attack during VM migration process
Figure 34: Sequence Diagram for the use case Migrate several VMs to a victim VMM
Figure 35: Securing a cloud reference architecture
Figure 36: Security Use Case Model
Figure 37: Activity Diagram for Use Cases Create VMI and Publish VMI
Figure 38: Secure VMI Repository System
Figure 39: Secure IaaS pattern
Figure 40: Sequence Diagram for the use case Publish a Malicious VM Image
Figure 41: Sequence Diagram for the Use Case Securely Publish VM Images

1. INTRODUCTION

Cloud Computing is a relatively new computing paradigm that improves the utilization of resources and decreases the power consumption of hardware while increasing flexibility and scalability; it also offers users advantages such as paying only for the resources they use and access from everywhere. Due to the immaturity of this computing model, there are many definitions of Cloud Computing, but we consider that NIST provides a broad definition, which states that Cloud Computing is "a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [1].

The core of Cloud Computing is a variety of resources, software, and information that are provided on demand to the customers from a browser. Cloud Computing leverages a number of computing models and technologies such as Service Oriented Architecture (SOA), Web 2.0, virtualization and other Internet-based technologies. In some respects, Cloud Computing represents the maturing of these technologies and is a marketing term to represent that maturity and the services they provide [2].

Cloud Computing offers three fundamental delivery models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS provides processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. PaaS offers platform layer resources, including operating system support and software development frameworks to build, deploy and deliver applications into the cloud. SaaS provides end-user applications that are running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Even though there are several benefits to adopting Cloud Computing, there are also some significant barriers to its acceptance. One important issue is security, followed by privacy, standardization and legal matters. There are several security challenges that are specific to each delivery model. Also, Cloud Computing inherits security issues from its underlying technologies and presents its own security challenges as well. This makes it even harder to secure the entire system. Most security measures have been developed to mitigate or stop attacks on parts of a system, but there is rarely a global security analysis of the complete cloud system. Thus, our goal is to develop a secure reference architecture to manage these security issues.

In this work, we make the following contributions:

1. An analysis of vulnerabilities and threats (Chapter 3 and [3]) for cloud environments. This analysis helps to understand security implications when adopting Cloud Computing. Starting with an overview of the challenges identified in the literature, the analysis identifies the main vulnerabilities and threats of Cloud Computing and how service models can be affected by them. Also, we describe the relationship between these vulnerabilities and threats, and how these vulnerabilities can be exploited in order to perform an attack.

2. A reference architecture (Chapter 4) to understand the fundamental structures of clouds. A reference architecture is a generic architecture, valid for a particular domain [4][5]. Various reference architectures have been defined by different organizations such as IBM [6], HP [7], NIST [8], and Oracle [9], giving their proprietary solutions or not considering security aspects. The majority of these reference architectures describe the main components of clouds at a high level. Although we think that they provide useful information, we need to describe cloud architectures in a more precise way. Thus, we need a semi-formal approach like UML, which describes architectures in a relatively precise way. Our cloud architecture defines each delivery service model through patterns and demonstrates how it helps in explaining the overall Cloud Computing environment.

3. Listing possible attacks for cloud environments is not enough; we need to understand how these attacks can compromise cloud components. For this, we developed some misuse patterns (Chapter 5, [10]) that describe how an attack happens from the point of view of the attacker [11]. With a complete catalog of misuse patterns, we can apply them systematically and use the reference architecture to find where to add security measures to mitigate or stop an attack.

4. Identification of security patterns for some of the threats listed previously in the analysis (Chapter 6). Some cloud services are exposed as web services. We developed some security patterns for Web services [12], and we can also use existing security defenses which can be tailored for cloud systems. We also identified new patterns.

5. A secure reference architecture (Chapter 6) that includes defensive measures to secure cloud environments, which combines both security and misuse patterns in order to add security features in the reference architecture. By checking if a threat (misuse pattern) can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security.

Our approach aims towards a reference architecture that can be used as a secure framework by architects or designers before opting for any type of cloud system model. This work is based primarily on identifying the main threats and describing them using misuse patterns, and also on providing security defenses in the form of security patterns.

Chapter 2 presents some background information that will help the reader to better understand this work. In Chapter 3, we present a categorization of security issues for clouds focused on its delivery models, identifying the main vulnerabilities and threats found in the literature. In Chapter 4, a reference architecture is presented which provides a conceptual model defining the three most fundamental delivery models. Chapter 5 illustrates three misuse patterns including Resource Usage Monitoring Inference, Malicious Virtual Machine Creation and Malicious Virtual Machine Migration Process. Chapter 6 presents a secure reference architecture and an evaluation of the architecture using both misuse and security patterns. Chapter 7 provides some related work. In Chapter 8, we present some conclusions and possible future work.

2. BACKGROUND

This section presents basic concepts in order to have a better understanding of this work.

2.1. Cloud Service Models

Cloud computing providers offer three fundamental services according to the following service models:

Infrastructure-as-a-Service

IaaS is the most basic cloud service model, where cloud providers offer servers, storage and network, typically in the form of virtual appliances. Consumers can deploy and run any software such as operating systems and applications. IaaS providers are responsible for the underlying infrastructure, including housing, running, and maintaining these resources, while consumers are responsible for maintaining the operating system and their applications. Examples of IaaS providers include Amazon's EC2 [13], Eucalyptus [14], and Open Nebula [15].

Figure 1: Infrastructure-as-a-Service Model

Platform-as-a-Service

In PaaS, providers offer environments for developing, deploying, hosting, and testing software applications. Typically it includes programming language, database, libraries, and other development tools. Consumers are not responsible for the underlying infrastructure, operating systems, or storage, but they are responsible for their deployed applications. Microsoft Azure [16], Google App Engine [17], and Force.com [18] are some examples of PaaS providers.

Figure 2: Platform-as-a-Service Model

Software-as-a-Service

In SaaS, cloud providers offer applications on demand that are hosted on the cloud and can be accessed through thin clients. Consumers do not manage or control the underlying infrastructure. Some SaaS applications allow limited user-specific customization. Salesforce.com's CRM (Customer Relationship Management) [19], Google apps [20], and Freshbooks [21] are some examples of SaaS providers.

Figure 3: Software-as-a-Service Model

2.2. Cloud Service Deployment

Cloud Computing can be deployed in different ways such as public, private, hybrid and community clouds.

Public Cloud

A Public Cloud is deployed by an organization (Cloud Provider), which offers its services to the general public over the Internet. The infrastructure is owned and managed by the service provider, and it is located in its facilities. These services are usually offered on a pay-as-you-go model. Cloud providers are responsible for the installation, management, provisioning and maintenance of the cloud services. For the users, their data is stored and processed in the cloud, which may raise security and privacy issues.

Figure 4: Public Cloud

Private Cloud

A Private Cloud is deployed for a single organization and is dedicated only to that organization's internal users. A private cloud resides in the organization's facilities; however, it can be hosted and managed by a third party provider. Organizations are in charge of the operation, maintenance and management of the cloud, so that data security and availability can be controlled by them.

Figure 5: Private Cloud

Community Cloud

Community clouds are deployed for a group of organizations that share common computing concerns. They may be owned, managed and operated by one or some of the organization members.

Figure 6: Community Cloud

Hybrid Cloud

It is a combination of the previous types of clouds (private, public, or community). In order to ensure security, an organization should migrate some of its processes to a public cloud while keeping its critical processes in-house.

Figure 7: Hybrid Cloud

2.3. Characteristics of Cloud Computing

In general, Cloud Computing has the following characteristics [22][23][1][24][25]:

Accessibility: Cloud services can be accessed from anywhere at any time via browsers or APIs by different client platforms such as laptops, desktops, mobile phones and tablets. Cloud services are network dependent, so the network (Internet, LAN, or WAN) has to work in order to access cloud services.

On demand self-service: Customers access cloud services when they need them without going through a lengthy process.

Elasticity: Elasticity refers to the ability of a service to adjust (increase or decrease capacity) in order to meet the user's needs.

Pay-as-you-go: Depending on the pricing model, customers only pay for the services they consume (computing power, bandwidth, storage, number of users, etc.). Sometimes, the services have a flat rate, or they are free of charge.

Versatility: Cloud Computing supports different types of services: IaaS, PaaS, and SaaS, and each service can provide various applications running at the same time.

Shared Resources: Cloud resources such as infrastructure, platform and software are shared among multiple customers (multi-tenant), which enables unused resources to serve different needs for different customers.

Security: Cloud resources are centrally managed, so in theory security should be improved in this type of environment. However, security in complex environments is hard to undertake due to the fact that data is stored and processed in unknown places, resources are shared by unrelated users, and other concerns.

Reliability: Cloud Computing supports reliability by adding redundant sites in case an error or attack happens.

Performance: The performance of applications can be better in clouds because computing resources can be assigned to them when workloads surge. Clouds can be suitable for data-intensive applications since they require several computing resources.

Key Technologies for Cloud Computing

Cloud computing combines a number of computing concepts and technologies such as SOA, Web 2.0, virtualization, and other Internet-based technologies.

Service Oriented Architecture (SOA)

Service Oriented Architecture (SOA) is an architectural concept based on a set of loosely coupled services which can be discovered through a repository. This repository contains a set of interface descriptions that define constraints and policies that need to be followed in order to consume the service. A service represents a group of logical business operations. SOA provides platform independence, enabling components to be implemented in different platforms, technologies, and languages. SOA can be implemented using different technologies such as web services (SOAP, REST), CORBA, DCOM, and others. Web services are the most typical implementation of SOA, and cloud services are normally exposed as web services, such as Amazon's EC2 [13]. Cloud Computing is a type of SOA which offers flexibility, extensibility, and reusability.

Web 2.0

Web 2.0 uses World Wide Web technology and Web design that provides information sharing, collaboration and functionality of the Web. Web 2.0 allows the users not only to access content from a web site, but also to contribute to it. Major characteristics of Web 2.0 that differ from Web 1.0 include wikis, mashups, tagging, and social networking sites [15]. With Web 1.0, organizations have to make contractual arrangements with business partners in order to provide services such as payment services. However, PayPal offers services to individuals and organizations that require payment processing in their businesses without making any commitment and paying only for each transaction.

Virtualization

Virtualization is the simulation of a computer resource including servers, network, storage, and operating system [27]. It creates multiple logical resources where different systems, applications, or users can interact with them. Hardware virtualization has indisputably led to the evolution of Cloud Computing. Hardware virtualization refers to the creation of virtual machines that can run different operating systems. The software that manages virtualization is called a virtual machine monitor or hypervisor. There are different types of hardware virtualization: full virtualization, partial virtualization and paravirtualization. Operating system-level virtualization is a server virtualization where the operating system runs on top of the hardware, instead of the hypervisor.

Reference Architectures

A reference architecture is a standardized, generic architecture, valid for a particular domain, that does not contain implementation details [28]. It provides a template solution that can be instantiated into a specific software architecture by adding implementation-oriented aspects. There is no formal definition of what a reference architecture should contain. However, Avgeriou [29] proposes a description for reference architectures which includes the following:

The system stakeholders that interact with the system, such as customers, administrators, developers and IT staff.

The views described in the RUP (use case model, analysis model, design model, deployment model, and implementation model). These views should be developed using Unified Modeling Language (UML).

The architectural patterns that characterize parts of the architecture.

The quality attributes that should be supported by the architecture.

A reference architecture should be described at an abstract level, and all details about implementation should only be considered for a specific software architecture instance.

Patterns

A pattern is an encapsulated solution to a recurrent problem in a given context [4][5]. It is a reusable template that captures knowledge and experience of software developers. Analysis patterns can be used to build conceptual models [30][31], design and architectural patterns can be used to build flexible software [4][5], and security patterns are used to build secure systems [32][12][33][34]. A pattern can be used to build reference architectures, which we do in this work. Moreover, there is another type of pattern: a misuse pattern [11]. A misuse pattern describes how an attack happens from the point of view of an attacker.

Typically a pattern provides a solution using UML diagrams such as class diagrams and sequence diagrams. These diagrams present a precise way of describing a system, allowing designers to use them as guidelines. A pattern is described using a template. For this work, we follow the POSA template [4], which consists of the following components: intent, context, problem, solution, implementation, known uses, consequences, and related patterns.

3. ANALYSIS OF SECURITY ISSUES

We present here a categorization of security issues for Cloud Computing focused on the so-called SPI model (SaaS, PaaS and IaaS), identifying the main vulnerabilities in this kind of system and the most important threats found in the literature related to Cloud Computing and its environment. A threat is a potential attack that may lead to a misuse of information or resources, and the term vulnerability refers to the flaws in a system that allow an attack to be successful. Some surveys focus on one service model, or list cloud security issues in general without distinguishing between vulnerabilities and threats. Here, we present a list of vulnerabilities and threats, and we also indicate which cloud service models can be affected by them. Furthermore, we describe the relationship between these vulnerabilities and threats and how these vulnerabilities can be exploited in order to perform an attack, and we also present some countermeasures related to these threats which try to solve or improve the identified problems.

Systematic Review of Security Issues for Cloud Computing

We have carried out a systematic review [35][36][37] of the existing literature regarding security in Cloud Computing, not only in order to summarize the existing vulnerabilities and threats concerning this topic but also to identify and analyze the current state and the most important security issues for Cloud Computing.

Question Formalization

The question focus was to identify the most relevant issues in Cloud Computing, considering vulnerabilities, threats, risks, requirements and solutions of security for Cloud Computing. This question had to be related to the aim of this work, that is, to identify and relate vulnerabilities and threats with possible solutions. Therefore, the research question addressed by our research was the following: What security vulnerabilities and threats are the most important in Cloud Computing which have to be studied in depth with the purpose of handling them? The keywords and related concepts that make up this question and that were used during the review execution are: secure Cloud systems, Cloud security, delivery models security, SPI security, SaaS security, PaaS security, IaaS security, Cloud threats, Cloud vulnerabilities, Cloud recommendations, best practices in Cloud.

Selection of Sources

The selection criteria through which we evaluated study sources were based on the research experience of the author and contributors of this work, and in order to select these sources we have considered certain constraints: studies included in the selected sources must be written in English and these sources must be web-available. The following list of sources has been considered: ScienceDirect, ACM digital library, IEEE digital library, Scholar Google and DBLP. Later, the experts will refine the results and will include important works that had not been recovered in these sources and will update this work taking into account other constraints such as impact factor, citations received, important journals, renowned authors, etc.

Once the sources had been defined, it was necessary to describe the process and the criteria for study selection and evaluation. The inclusion and exclusion criteria of this study were based on the research question. We therefore established that the studies must contain issues and topics which consider security on Cloud Computing, and that these studies must describe threats, vulnerabilities, countermeasures, and risks.

Review Execution

During this phase, the search in the defined sources must be executed and the obtained studies must be evaluated according to the established criteria. After executing the search chain on the selected sources we obtained a set of about 120 results, which were filtered with the inclusion criteria to give a set of about 40 relevant studies. This set of relevant studies was again filtered with the exclusion criteria to give a set of studies which corresponds to 15 primary proposals [38][2][39][40][41][42][43][44][45][46][47][48][49][50][51].

Results and Discussion

The results of the systematic review are summarized in Table 1, which shows a summary of the topics and concepts considered for each approach.

Table 1: Summary of the topics considered in each approach

Topics / References: [38] [2] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51]
Vulnerabilities: X X X X X X X X X
Threats: X X X X X X X X X X X X X
Mechanisms/Recommendations: X X X X X X X X
Security Standards: X X
Data Security: X X X X X X X
Trust: X X X X X
Security Requirements: X X X X X X
SaaS, PaaS, IaaS Security: X X X

As shown in Table 1, most of the approaches discussed identify, classify, analyze, and list a number of vulnerabilities and threats focused on Cloud Computing. The studies analyze the risks and threats and often give recommendations on how they can be avoided or covered, resulting in a direct relationship between vulnerabilities or threats and possible solutions and mechanisms to solve them. In addition, we can see that in our search, many of the approaches, in addition to speaking about threats and vulnerabilities, also discuss other issues related to security in the Cloud such as data security, trust, or security recommendations and mechanisms for any of the problems encountered in these environments.

Security in the SPI Model

With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction; the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. Largely because of the relatively lower degree of abstraction, IaaS offers greater tenant or customer control over security than do PaaS or SaaS [39].

Before analyzing security challenges in Cloud Computing, we need to understand the relationships and dependencies between these cloud service models [38]. PaaS as well as SaaS are hosted on top of IaaS; thus, any breach in IaaS will impact the security of both PaaS and SaaS services, but the reverse may also be true. However, we have to take into account that PaaS offers a platform to build and deploy SaaS applications, which increases the security dependency between them. As a consequence of these deep dependencies, any attack on any cloud service layer can compromise the upper layers. Each cloud service model comprises its own inherent security flaws; however, they also share some challenges that affect all of them. These relationships and dependencies between cloud models may also be a source of security risks. A SaaS provider may rent a development environment from a PaaS provider, which might also rent an infrastructure from an IaaS provider. Each provider is responsible for securing his own services, which may result in an inconsistent combination of security models. It also creates confusion over which service provider is responsible once an attack happens.

Software-as-a-Service (SaaS) Security Issues

SaaS provides application services on demand such as email, conferencing software, and business applications such as ERP, CRM, and SCM [52]. SaaS users have the least control over security among the three fundamental delivery models in the cloud. The adoption of SaaS applications may raise some security concerns.

Application security

These applications are typically delivered via the Internet through a Web browser [53][46]. However, flaws in web applications may create vulnerabilities for the SaaS applications. Attackers have been using the web to compromise users' computers and perform malicious activities such as stealing sensitive data [54]. Security challenges in SaaS applications are not different from those of any web application technology, but traditional security solutions do not effectively protect them from attacks, so new approaches are necessary [45]. The Open Web Application Security Project (OWASP) has identified the ten most critical web application security threats [55]. There are more security issues, but this list is a good start for securing web applications.

Multi-tenancy

SaaS applications can be grouped into maturity models that are determined by the following characteristics: scalability, configurability via metadata, and multi-tenancy [52][56]. In the first maturity model, each customer has his own customized instance of the software. This model has drawbacks, but its security issues are not as severe as in the other models. In the second model, the vendor also provides different instances of the applications for each customer, but all instances use the same application code. In this model, customers can change some configuration options to meet their needs. In the third maturity model multi-tenancy is added, so a single instance serves all customers [57]. This approach enables more efficient use of the resources, but scalability is limited. Since data from multiple tenants is likely to be stored in the same database, the risk of data leakage between these tenants is high. Security policies are needed to ensure that customers' data are kept separate from other customers [58]. For the final model, applications can be scaled up by moving the application to a more powerful server if needed.

Data security

Data security is a common concern for any technology, but it becomes a major challenge when SaaS users have to rely on their providers for proper security [53][45][59]. In SaaS, organizational data is often processed in plaintext and stored in the cloud. The SaaS provider is the one responsible for the security of the data while it is being processed and stored [30]. Also, data backup is a critical aspect in order to facilitate recovery in case of disaster, but it introduces security concerns as well [45]. Cloud providers can also subcontract other services, such as backup, to third-party service providers, which may raise concerns. Moreover, most compliance standards do not envision compliance with regulations in a world of Cloud Computing [53]. In the world of SaaS, the process of compliance is complex because data is located in the provider's datacenters, which may introduce regulatory compliance issues such as data privacy, segregation, and security, that must be enforced by the provider.

Accessibility

Accessing applications over the internet via web browser makes access from any network device easier, including public computers and mobile devices. However, it also exposes the service to additional security risks. The Cloud Security Alliance [60] has released a document that describes the current state of mobile computing and the top threats in this area, such as information-stealing mobile malware, insecure networks (WiFi), vulnerabilities found in the device OS and official applications, insecure marketplaces, and proximity-based hacking.

Platform-as-a-Service (PaaS) Security Issues

PaaS facilitates deployment of cloud-based applications without the cost of buying and maintaining the underlying hardware and software layers [45]. As with SaaS and IaaS, PaaS depends on a secure and reliable network and secure web browser. PaaS application security comprises two software layers: Security of the PaaS platform itself

35 (i.e., runtime engine), and Security of customer applications deployed on a PaaS platform [39]. PaaS providers are responsible for securing the platform software stack that includes the runtime engine that runs the customer applications. Same as SaaS, PaaS also brings data security issues and other challenges that are described as follows: Third-party relationships Moreover, PaaS does not only provide traditional programming languages, but also does it offer third-party web services components such as mashups [39][61]. Mashups combine more than one source element into a single integrated unit. Thus, PaaS models also inherit security issues related to mashups such as data and network security [62]. Also, PaaS users have to depend on both the security of web-hosted development tools and third-party services Development Life Cycle From the perspective of the application development, developers face the complexity of building secure applications that may be hosted in the cloud. The speed at which applications will change in the cloud will affect both the System Development Life Cycle (SDLC) and security [53][48]. Developers have to keep in mind that PaaS applications should be upgraded frequently, so they have to ensure that their application development processes are flexible enough to keep up with changes [43]. However, developers also have to understand that any changes in PaaS components can compromise the security of their applications. Besides secure development techniques, developers need to be educated about data legal issues as well, so that data is not stored in inappropriate 22

36 locations. Data may be stored on different places with different legal regimes that can compromise its privacy and security Underlying infrastructure security In PaaS, developers do not usually have access to the underlying layers, so providers are responsible for securing the underlying infrastructure as well as the applications services [63]. Even when developers are in control of the security of their applications, they do not have the assurance that the development environment tools provided by a PaaS provider are secure. In conclusion, there is less material in the literature about security issues in PaaS. SaaS provides software delivered over the web while PaaS offers development tools to create SaaS applications. However, both of them may use multi-tenant architecture so multiple concurrent users utilize the same software. Also, PaaS applications and user s data are also stored in cloud servers which can be a security concern as discussed on the previous section. In both SaaS and PaaS, data is associated with an application running in the cloud. The security of this data while it is being processed, transferred, and stored depends on the provider Infrastructure-as-a-Service (IaaS) Security Issues IaaS provides a pool of resources such as servers, storage, networks, and other computing resources in the form of virtualized systems, which are accessed through the Internet [48]. Users are entitled to run any software with full control and management on the resources allocated to them [42]. With IaaS, cloud users have better control over the 23

37 security compared to the other models as long there is no security hole in the virtual machine monitor [45]. They control the software running in their virtual machines, and they are responsible to configure security policies correctly[64]. However, the underlying compute, network, and storage infrastructure is controlled by cloud providers. IaaS providers must undertake a substantial effort to secure their systems in order to minimize these threats that result from creation, communication, monitoring, modification, and mobility [65]. Here are some of the security issues associated to IaaS Virtualization Virtualization allows users to create, copy, share, migrate, and roll back virtual machines, which may allow them to run a variety of applications [66][67]. However, it also introduces new opportunities for attackers because of the extra layer that must be secured [54]. Virtual machine security becomes as important as physical machine security, and any flaw in either one may affect the other [43]. Virtualized environments are vulnerable to all types of attacks for normal infrastructures; however, security is a greater challenge as virtualization adds more points of entry and more interconnection complexity [68]. Unlike physical servers, VMs have two boundaries: physical and virtual [48] Virtual Machine Monitor The Virtual Machine Monitor (VMM) or hypervisor is responsible for virtual machines isolation; therefore, if the VMM is compromised, its virtual machines may potentially be compromised as well. The VMM is a low-level software that controls and monitors its virtual machines, so as any traditional software it entails security flaws [68]. 24

Keeping the VMM as simple and small as possible reduces the risk of security vulnerabilities, since it will be easier to find and fix any vulnerability.

Moreover, virtualization introduces the ability to migrate virtual machines between physical servers for fault tolerance, load balancing, or maintenance [40][10]. This useful feature can also raise security problems [65][66][69]. An attacker can compromise the migration module in the VMM and transfer a victim virtual machine to a malicious server. Also, it is clear that VM migration exposes the content of the VM to the network, which can compromise its data integrity and confidentiality. A malicious virtual machine can be migrated to another host (with another VMM), compromising it.

Shared resource

VMs located on the same server can share CPU, memory, I/O, and other resources. Sharing resources between VMs may decrease the security of each VM. For example, a malicious VM can infer some information about other VMs through shared memory or other shared resources without needing to compromise the hypervisor [10]. Using covert channels, two VMs can communicate, bypassing all the rules defined by the security module of the VMM [70]. Thus, a malicious virtual machine can monitor shared resources without being noticed by its VMM, so the attacker can infer some information about other virtual machines.

Public VM image repository

In IaaS environments, a VM image is a prepackaged software template containing the configuration files that are used to create VMs. Thus, these images are fundamental for the overall security of the cloud [10][71]. One can either create her own VM image from scratch, or one can use any image stored in the provider's repository. For example, Amazon offers a public image repository where legitimate users can download or upload a VM image. Malicious users can store images containing malicious code in public repositories, compromising other users or even the cloud system [44][48][49]. For example, an attacker with a valid account can create an image containing malicious code such as a Trojan horse. If another customer uses this image, the virtual machine that this customer creates will be infected with the hidden malware. Moreover, unintentional data leakage can be introduced by VM replication [44]. Some confidential information such as passwords or cryptographic keys can be recorded while an image is being created. If the image is not cleaned, this sensitive information can be exposed to other users. VM images are dormant artifacts that are hard to patch while they are offline [72].

Virtual Machine Rollback

Furthermore, virtual machines can be rolled back to their previous states if an error happens. But rolling back virtual machines can re-expose them to security vulnerabilities that were patched, or re-enable previously disabled accounts or passwords. In order to provide rollbacks, we need to make a copy (snapshot) of the virtual machine, which can result in the propagation of configuration errors and other vulnerabilities [53][67].

Virtual Machine Life Cycle

Additionally, it is important to understand the lifecycle of the VMs and their changes in state as they move through the environment. VMs can be on, off, or suspended, which makes it harder to detect malware. Also, even when virtual machines are offline, they can be vulnerable [48]; that is, a virtual machine can be instantiated using an image that may contain malicious code. These malicious images can be the starting point of the proliferation of malware by injecting malicious code within other virtual machines in the creation process.

Virtual Networks

Network components are shared by different tenants due to resource pooling. As mentioned before, sharing resources allows attackers to launch cross-tenant attacks [44]. Virtual networks increase VM interconnectivity, an important security challenge in Cloud Computing [73]. The most secure way is to hook each VM to its host by using dedicated physical channels. However, most hypervisors use virtual networks to link VMs so that they communicate more directly and efficiently. For instance, most virtualization platforms such as Xen provide two ways to configure virtual networks, bridged and routed, but these techniques increase the possibility of performing some attacks such as sniffing and spoofing of virtual networks [68][74].

Analysis of Security Issues in Cloud Computing

We now systematically analyze existing security vulnerabilities and threats of Cloud Computing. For each vulnerability and threat, we identify which cloud service model or models are affected by these security problems.

Table 2 presents an analysis of vulnerabilities in Cloud Computing. This analysis offers a brief description of the vulnerabilities and indicates which cloud service models (SPI) can be affected by them. For this analysis, we focus mainly on technology-based vulnerabilities; however, there are other vulnerabilities that are common to any organization, but they have to be taken into consideration since they can negatively impact the security of the cloud and its underlying platform. Some of these vulnerabilities are the following:

- Lack of employee screening and poor hiring practices [40]: some cloud providers may not perform background screening of their employees or providers. Privileged users such as cloud administrators usually have unlimited access to the cloud data.
- Lack of customer background checks: most cloud providers do not check their customers' backgrounds, and almost anyone can open an account with a valid credit card and email. Apocryphal accounts can let attackers perform any malicious activity without being identified [40].
- Lack of security education: people continue to be a weak point in information security [75]. This is true in any type of organization; however, in the cloud, it has a bigger impact because there are more people that interact with the cloud: cloud providers, third-party providers, suppliers, organizational customers, and end users.

Cloud Computing leverages many existing technologies such as web services, web browsers, and virtualization, which contributes to the evolution of cloud environments. Therefore, any vulnerability associated with these technologies also affects the cloud, and it can even have a significant impact.

Table 2. Vulnerabilities in Cloud Computing

ID: V01
Vulnerability: Insecure interfaces and APIs
Layer: SPI
Description: Cloud providers offer services that can be accessed through APIs (SOAP, REST, or HTTP with XML/JSON) [65]. The security of the cloud depends upon the security of these interfaces [40]. Some problems are:
a) Weak credential
b) Insufficient authorization checks
c) Insufficient input-data validation
Also, cloud APIs are still immature, which means that they are frequently updated. A fixed bug can introduce another security hole in the application [76].

ID: V02
Vulnerability: Unlimited allocation of resources
Layer: SPI
Description: Inaccurate modeling of resource usage can lead to overbooking or over-provisioning [41].

ID: V03
Vulnerability: Data-related vulnerabilities
Layer: SPI
Description:
a) Data can be colocated with the data of unknown owners (competitors, or intruders) with a weak separation [59]
b) Data may be located in different jurisdictions which have different laws [43][76][77]
c) Incomplete data deletion: data cannot be completely removed [43][44][49][78]
d) Data backup done by untrusted third-party providers [78][79]
e) Information about the location of the data usually is unavailable or not disclosed to users [49]
f) Data is often stored, processed, and transferred in clear plain text

ID: V04
Vulnerability: Vulnerabilities in Virtual Machines
Layer: I
Description:
a) Possible covert channels in the colocation of VMs [70][80][81]
b) Unrestricted allocation and deallocation of resources with VMs [79]
c) Uncontrolled migration: VMs can be migrated from one server to another server due to fault tolerance, load balance, or hardware maintenance [65][67]
d) Uncontrolled snapshots: VMs can be copied in order to provide flexibility [53], which may lead to data leakage
e) Uncontrolled rollback could lead to reset vulnerabilities: VMs can be backed up to a previous state for restoration [67], but patches applied after the previous state disappear
f) VMs have IP addresses that are visible to anyone within the cloud: attackers can map where the target VM is located within the cloud (Cloud cartography [80])
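The rollback problem described under Virtual Machine Rollback and in entry V04 e) of Table 2 can be checked before a snapshot is restored. The following Python code is an added illustration, not part of the dissertation: it compares a snapshot's recorded state with the VM's current state and lists what a rollback would undo. The state model, the ordering of remediation steps, and all patch identifiers, account names, and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    enabled: bool
    credential_set: date          # day the current password or key was set


@dataclass(frozen=True)
class VMState:
    patches: frozenset            # identifiers of applied patches
    accounts: dict                # account name -> Account


def rollback_regressions(snapshot, current):
    """Return what restoring `snapshot` over `current` would undo."""
    report = {
        # Patches applied after the snapshot disappear on rollback.
        "lost_patches": sorted(current.patches - snapshot.patches),
        "reenabled_accounts": [],    # disabled since the snapshot
        "resurrected_accounts": [],  # deleted since the snapshot
        "stale_credentials": [],     # rotated since the snapshot
    }
    for name in sorted(snapshot.accounts):
        old = snapshot.accounts[name]
        if not old.enabled:
            continue  # comes back disabled, so nothing is re-opened
        now = current.accounts.get(name)
        if now is None:
            report["resurrected_accounts"].append(name)
        elif not now.enabled:
            report["reenabled_accounts"].append(name)
        elif old.credential_set < now.credential_set:
            report["stale_credentials"].append(name)
    return report


def rollback_plan(snapshot, current):
    """Turn the regressions into ordered steps (ordering is an assumption)."""
    r = rollback_regressions(snapshot, current)
    steps = [f"re-apply {p}" for p in r["lost_patches"]]
    steps += [f"disable account {a}" for a in r["reenabled_accounts"]]
    steps += [f"remove account {a}" for a in r["resurrected_accounts"]]
    steps += [f"rotate credential for {a}" for a in r["stale_credentials"]]
    if steps:
        # Keep the restored VM off the network until it is back to baseline.
        steps.insert(0, "restore with network disconnected")
        steps.append("reconnect network after verification")
    return steps


# Constructed sample states: a snapshot and the VM as it is today.
SNAPSHOT = VMState(
    patches=frozenset({"PATCH-001", "PATCH-002"}),
    accounts={
        "admin": Account(True, date(2012, 12, 1)),
        "contractor": Account(True, date(2012, 11, 15)),
        "svc-backup": Account(True, date(2012, 10, 1)),
        "guest": Account(False, date(2012, 1, 1)),
    },
)
CURRENT = VMState(
    patches=frozenset({"PATCH-001", "PATCH-002", "PATCH-003", "PATCH-004"}),
    accounts={
        "admin": Account(True, date(2013, 2, 20)),        # password rotated
        "contractor": Account(False, date(2012, 11, 15)),  # disabled
        "guest": Account(False, date(2012, 1, 1)),         # svc-backup deleted
    },
)

if __name__ == "__main__":
    for step in rollback_plan(SNAPSHOT, CURRENT):
        print(step)
```
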


More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service Cloud Computing Although cloud computing is quite a recent term, elements of the concept have been around for years. It is the maturation of Internet. Cloud Computing is the fine end result of a long chain;

More information

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen What Is The Cloud And How Can Your Agency Use It Tom Konop Mark Piontek Cathleen Christensen Video Computer Basics: What is the Cloud What is Cloud Computing Cloud Computing Basics The use of the word

More information

Cloud computing: benefits, risks and recommendations for information security

Cloud computing: benefits, risks and recommendations for information security Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation

More information

Security Aspects of Cloud Computing

Security Aspects of Cloud Computing Security Aspects of Cloud Computing Kunal Chadha Scholar, CSE Department University of Southern California, USA Anvita Bajpai X-Scholar, CSE Department Marist College, NY, USA ABSTRACT Cloud Computing

More information

Lecture 02a Cloud Computing I

Lecture 02a Cloud Computing I Mobile Cloud Computing Lecture 02a Cloud Computing I 吳 秀 陽 Shiow-yang Wu What is Cloud Computing? Computing with cloud? Mobile Cloud Computing Cloud Computing I 2 Note 1 What is Cloud Computing? Walking

More information

Cloud Computing: Risks and Auditing

Cloud Computing: Risks and Auditing IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG

More information

Cloud Computing Security Issues And Methods to Overcome

Cloud Computing Security Issues And Methods to Overcome Cloud Computing Security Issues And Methods to Overcome Manas M N 1, Nagalakshmi C K 2, Shobha G 3 MTech, Computer Science & Engineering, RVCE, Bangalore, India 1,2 Professor & HOD, Computer Science &

More information

PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION

PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION White Paper May 2012 Abstract Whether enterprises choose to use private, public or hybrid clouds, the availability of a broad range

More information

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may

More information

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization How Data-Centric Protection Increases Security in Cloud Computing and Virtualization Executive Overview Cloud services and virtualization are driving significant shifts in IT spending and deployments.

More information

Cloud Computing 159.735. Submitted By : Fahim Ilyas (08497461) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

Cloud Computing 159.735. Submitted By : Fahim Ilyas (08497461) Submitted To : Martin Johnson Submitted On: 31 st May, 2009 Cloud Computing 159.735 Submitted By : Fahim Ilyas (08497461) Submitted To : Martin Johnson Submitted On: 31 st May, 2009 Table of Contents Introduction... 3 What is Cloud Computing?... 3 Key Characteristics...

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

How To Understand Cloud Computing

How To Understand Cloud Computing Overview of Cloud Computing (ENCS 691K Chapter 1) Roch Glitho, PhD Associate Professor and Canada Research Chair My URL - http://users.encs.concordia.ca/~glitho/ Overview of Cloud Computing Towards a definition

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING 1. K.SURIYA Assistant professor Department of Computer Applications Dhanalakshmi Srinivasan College of Arts and Science for Womren Perambalur Mail: Surik.mca@gmail.com

More information

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing; What is it, How long has it been here, and Where is it going? Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where

More information

A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining Privacy in Multi-Cloud Environments

A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining Privacy in Multi-Cloud Environments IJSTE - International Journal of Science Technology & Engineering Volume 1 Issue 10 April 2015 ISSN (online): 2349-784X A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining

More information

Cloud Computing Trends

Cloud Computing Trends UT DALLAS Erik Jonsson School of Engineering & Computer Science Cloud Computing Trends What is cloud computing? Cloud computing refers to the apps and services delivered over the internet. Software delivered

More information

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud-Security: Show-Stopper or Enabling Technology? Cloud-Security: Show-Stopper or Enabling Technology? Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3,. 2010, Munich Overview 1. Cloud Characteristics

More information

A Survey on Cloud Security Issues and Techniques

A Survey on Cloud Security Issues and Techniques A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com

More information

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure

More information

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages Ivan Zapevalov 2 Outline What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages 3 What is cloud computing? 4 What is cloud computing? Cloud computing is the

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Cloud Courses Description

Cloud Courses Description Cloud Courses Description Cloud 101: Fundamental Cloud Computing and Architecture Cloud Computing Concepts and Models. Fundamental Cloud Architecture. Virtualization Basics. Cloud platforms: IaaS, PaaS,

More information

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models. Cloud Strategy Information Systems and Technology Bruce Campbell What is the Cloud? From http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf Cloud computing is a model for enabling ubiquitous,

More information

Introduction to Cloud Computing

Introduction to Cloud Computing Introduction to Cloud Computing Cloud Computing I (intro) 15 319, spring 2010 2 nd Lecture, Jan 14 th Majd F. Sakr Lecture Motivation General overview on cloud computing What is cloud computing Services

More information

Li Sheng. lsheng1@uci.edu. Nowadays, with the booming development of network-based computing, more and more

Li Sheng. lsheng1@uci.edu. Nowadays, with the booming development of network-based computing, more and more 36326584 Li Sheng Virtual Machine Technology for Cloud Computing Li Sheng lsheng1@uci.edu Abstract: Nowadays, with the booming development of network-based computing, more and more Internet service vendors

More information

Data Centers and Cloud Computing

Data Centers and Cloud Computing Data Centers and Cloud Computing CS377 Guest Lecture Tian Guo 1 Data Centers and Cloud Computing Intro. to Data centers Virtualization Basics Intro. to Cloud Computing Case Study: Amazon EC2 2 Data Centers

More information

Virtualization and Cloud Computing

Virtualization and Cloud Computing Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

Cloud Courses Description

Cloud Courses Description Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment

More information

Vormetric Data Security Securing and Controlling Data in the Cloud

Vormetric Data Security Securing and Controlling Data in the Cloud Vormetric Data Security Securing and Controlling Data in the Cloud Vormetric, Inc. Tel: 888.267.3732 Email: sales@vormetric.com www.vormetric.com Table of Contents Executive Summary.........................................................3

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Cloud Computing - Architecture, Applications and Advantages

Cloud Computing - Architecture, Applications and Advantages Cloud Computing - Architecture, Applications and Advantages 1 Arun Mani Tripathi 2 Rizwan Beg NIELIT Ministry of C&I.T., Govt. of India 2 Prof. and Head, Department 1 of Computer science and Engineering,Integral

More information

CLOUD COMPUTING PHYSIOGNOMIES A 1.1 CLOUD COMPUTING BENEFITS

CLOUD COMPUTING PHYSIOGNOMIES A 1.1 CLOUD COMPUTING BENEFITS 193 APPENDIX 1 CLOUD COMPUTING PHYSIOGNOMIES A 1.1 CLOUD COMPUTING BENEFITS A 1.1.1 Cost Savings The biggest reason for shifting to cloud computing is cost. Any company or enterprise has to face sizable

More information

Dr.K.C.DAS HEAD PG Dept. of Library & Inf. Science Utkal University, Vani Vihar,Bhubaneswar

Dr.K.C.DAS HEAD PG Dept. of Library & Inf. Science Utkal University, Vani Vihar,Bhubaneswar Dr.K.C.DAS HEAD PG Dept. of Library & Inf. Science Utkal University, Vani Vihar,Bhubaneswar There is potential for a lot of confusion surrounding the definition of cloud computing. In its basic conceptual

More information

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud? East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management

More information

Securing Industrial Control Systems on a Virtual Platform

Securing Industrial Control Systems on a Virtual Platform Securing Industrial Control Systems on a Virtual Platform How to Best Protect the Vital Virtual Business Assets WHITE PAPER Sajid Nazir and Mark Lazarides sajid.nazir@firstco.uk.com 9 Feb, 2016 mark.lazarides@firstco.uk.com

More information

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted. Cloud Computing Topics 1. What is the Cloud? 2. What is Cloud Computing? 3. Cloud Service Architectures 4. History of Cloud Computing 5. Advantages of Cloud Computing 6. Disadvantages of Cloud Computing

More information

D. L. Corbet & Assoc., LLC

D. L. Corbet & Assoc., LLC Demystifying the Cloud OR Cloudy with a Chance of Data D. L. Corbet & Assoc., LLC thelinuxguy@donet.com Why 'The Cloud' Common Clouds Considerations and Risk Why 'The Cloud' Distributed Very Large / Very

More information

Secure Cloud Computing through IT Auditing

Secure Cloud Computing through IT Auditing Secure Cloud Computing through IT Auditing 75 Navita Agarwal Department of CSIT Moradabad Institute of Technology, Moradabad, U.P., INDIA Email: nvgrwl06@gmail.com ABSTRACT In this paper we discuss the

More information

Sistemi Operativi e Reti. Cloud Computing

Sistemi Operativi e Reti. Cloud Computing 1 Sistemi Operativi e Reti Cloud Computing Facoltà di Scienze Matematiche Fisiche e Naturali Corso di Laurea Magistrale in Informatica Osvaldo Gervasi ogervasi@computer.org 2 Introduction Technologies

More information

Cloud and Security (Cloud hacked via Cloud) Lukas Grunwald

Cloud and Security (Cloud hacked via Cloud) Lukas Grunwald Cloud and Security (Cloud hacked via Cloud) Lukas Grunwald About DN-Systems Global Consulting and Technology Services Planning Evaluation Auditing Operates own Security Lab Project Management Integral

More information

Cloud Computing Service Models, Types of Clouds and their Architectures, Challenges.

Cloud Computing Service Models, Types of Clouds and their Architectures, Challenges. Cloud Computing Service Models, Types of Clouds and their Architectures, Challenges. B.Kezia Rani 1, Dr.B.Padmaja Rani 2, Dr.A.Vinaya Babu 3 1 Research Scholar,Dept of Computer Science, JNTU, Hyderabad,Telangana

More information

Top 10 Cloud Risks That Will Keep You Awake at Night

Top 10 Cloud Risks That Will Keep You Awake at Night Top 10 Cloud Risks That Will Keep You Awake at Night Shankar Babu Chebrolu Ph.D., Vinay Bansal, Pankaj Telang Photo Source flickr.com .. Amazon EC2 (Cloud) to host Eng. Lab testing. We want to use SalesForce.com

More information