A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS by Keiko Hashizume A Dissertation Submitted to the Faculty of the College of Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy Florida Atlantic University Boca Raton, FL May 2013
Copyright by Keiko Hashizume 2013 ii
ACKNOWLEDGEMENTS I would like to thank my advisor, Dr. Eduardo B. Fernandez, for his guidance during these years. He has been a true mentor by supporting me not only during my research but also in my personal life. I would also like to express my gratitude to my committee members, Dr. Maria Petrie, Dr. Mihaela Cardei, Dr. Rainer Steinwandt, and the members of the Secure Systems Research Group for all their advice and constructive comments of this dissertation. I would like to thank also to Latin American and Caribbean Consortium of Engineering Institutions for its support during my studies. I want to thank the GSyA Research Group at the University of Castilla-La Mancha, Ciudad Real, Spain, and the GRACE Center of the National Institute of Informatics, in Tokyo, Japan, for hosting my visits to their institutions and collaborating with us. Those visits were supported by the PIRE Program of NSF (grant OISE-0730065). iv
ABSTRACT Author: Title: Institution: Dissertation Advisor: Degree: Keiko Hashizume A Reference Architecture for Cloud Computing and Its Security Applications Florida Atlantic University Dr. Eduardo B. Fernandez Doctor of Philosophy Year: 2013 Cloud Computing is a relatively new computing model that provides on demand business or consumer IT services over the Internet. However, one of the main concerns in Cloud Computing is security. In complex systems such as Cloud Computing, parts of a system are secured by using specific products, but there is rarely a global security analysis of the complete system. We have described how to add security to cloud systems and evaluate its security levels using a reference architecture. A reference architecture provides a framework for relating threats to the structure of the system and makes their numeration more systematic and complete. In order to secure a cloud framework, we have enumerated cloud threats by combining several methods because it is not possible to prove that we have covered all the threats. We have done a systematic enumeration of cloud threats by first identifying them in the literature and then by analyzing the activities from each of their use cases in order to find possible threats. These threats are realized in the form of misuse cases in order to understand how an attack happens from the point of v
view of an attacker. The reference architecture is used as a framework to determine where to add security in order to stop or mitigate these threats. This approach also implies to develop some security patterns which will be added to the reference architecture to design a secure framework for clouds. We finally evaluate its security level by using misuse patterns and considering the threat coverage of the models. vi
A REFERENCE ARCHITECTURE FOR CLOUD COMPUTING AND ITS SECURITY APPLICATIONS TABLES... xi FIGURES... xii 1. INTRODUCTION... 1 2. BACKGROUND... 5 2.1. Cloud Service Models... 5 2.1.1. Infrastructure-as-a-Service... 5 2.1.2. Platform-as-a-Service... 6 2.1.3. Software-as-a-Service... 6 2.2. Cloud Service Deployment... 7 2.2.1. Public Cloud... 7 2.2.2. Private Cloud... 8 2.2.3. Community Cloud... 9 2.2.4. Hybrid Cloud... 9 2.3. Characteristics of Cloud Computing... 10 2.4. Key Technologies for Cloud Computing... 11 2.4.1. Service Oriented Architecture (SOA)... 11 2.4.2. Web 2.0... 12 2.4.3. Virtualization... 12 2.4.4. Reference Architectures... 13 2.4.5. Patterns.... 14 3. ANALYSIS OF SECURITY ISSUES... 15 3.1. Systematic review of Security issues for Cloud Computing... 15 3.1.1. Question Formalization... 16 3.1.2. Selection of Sources... 16 3.1.3. Review Execution... 17 vii
3.1.4. Results and Discussion... 17 3.2. Security in the SPI model... 18 3.2.1. Software-as-a-Service (SaaS) Security Issues... 19 3.2.2. Platform-as-a-Service (PaaS) Security Issues... 21 3.2.3. Infrastructure-as-a-Service (IaaS) Security Issues... 23 3.3. Analysis of Security issues in Cloud Computing... 27 3.3.1. Countermeasures... 33 3.4. Summary... 38 4. REFERENCE ARCHITECTURE... 40 4.1. Cloud Architecture Overview... 41 4.2. Cloud Computing Standards... 42 4.3. Use Case Model... 44 4.4. Infrastructure-as-a-Service... 54 4.4.1. Intent... 54 4.4.2. Context... 54 4.4.3. Problem... 55 4.4.4. Forces... 55 4.4.5. Solution... 56 4.4.6. Implementation... 62 4.4.7. Known Uses... 64 4.4.8. Consequences... 64 4.4.9. Related Patterns... 67 4.5. Platform-as-a-Service... 67 4.5.1. Intent... 67 4.5.2. Context... 67 4.5.3. Problem... 68 4.5.4. Solution... 69 4.5.5. Implementation... 73 4.5.6. Known Uses... 78 4.5.7. Consequences... 79 4.5.8. Related Patterns... 80 viii
4.6. Software-as-a-Service... 81 4.6.1. Intent... 81 4.6.2. Context... 81 4.6.3. Problem... 81 4.6.4. Solution... 82 4.6.5. Implementation... 85 4.6.6. Known Uses... 86 4.6.7. Consequences... 87 4.6.8. Related Patterns... 89 4.7. Reference Architecture Environment... 89 4.8. Summary... 92 5. MISUSE PATTERNS... 93 5.1. Resource Usage Monitoring Inference in Cloud Computing... 94 5.1.1. Intent... 94 5.1.2. Context... 94 5.1.3. Problem... 95 5.1.4. Solution... 95 5.1.5. Consequences... 100 5.1.6. Countermeasures... 102 5.1.7. Forensics... 103 5.1.8. Related Patterns... 103 5.2. Malicious Virtual Machine Creation... 103 5.2.1. Intent... 103 5.2.2. Context... 104 5.2.3. Problem... 104 5.2.4. Solution... 104 5.2.5. Consequences... 109 5.2.6. Countermeasures... 110 5.2.7. Forensics... 110 5.3. Malicious Virtual Machine Migration Process... 110 5.3.1. Intent... 110 ix
5.3.2. Context... 111 5.3.3. Problem... 111 5.3.4. Solution... 111 5.4. Consequences... 115 5.4.1. Countermeasures... 116 5.4.2. Forensics... 116 5.4.3. Related Patterns... 117 5.5. Discussion... 117 5.5.1. Summary... 118 6. SECURE REFERENCE ARCHITECTURE... 119 6.1. Securing a cloud reference architecture... 120 6.2. Administration of Security Use Cases... 121 6.3. Identifying threats... 123 6.4. Cloud Defenses... 125 6.4.1. Secure virtual machine image repository system... 126 6.5. Secure Reference Architecture... 129 6.6. Evaluating security using a reference architecture... 130 6.7. Summary... 133 7. RELATED WORK... 135 8. CONCLUSIONS AND FUTURE WORK... 139 REFERENCES... 144 x
TABLES Table 1: Summary of the topics considered in each approach... 17 Table 2. Vulnerabilities in Cloud Computing... 29 Table 3. Threats in Cloud Computing... 30 Table 4. Relationships between Threats, Vulnerabilities, and Countermeasures... 32 Table 5: Misuse Activities Analysis... 125 Table 6: Threat List vs. Mitigation Defenses... 131 xi
FIGURES Figure 1: Infrastructure-as-a-Service Model... 6 Figure 2: Platform-as-a-Service Model... 6 Figure 3: Software-as-a-Service Model... 7 Figure 4: Public Cloud... 8 Figure 5: Private Cloud... 8 Figure 6: Community Cloud... 9 Figure 7: Hybrid Cloud... 10 Figure 8: Cloud Architecture Overview... 42 Figure 9: Common Use Cases for Cloud Computing... 49 Figure 10: Use Case Diagram for IaaS... 51 Figure 11: Use Case Diagram for PaaS... 52 Figure 12: Use Case Diagram for SaaS... 54 Figure 13: Class Diagram for Infrastructure-as-a-Service architecture... 58 Figure 14: Sequence Diagram for Use Case Create a Virtual Machine... 60 Figure 15: Sequence Diagram for Use Case Migrate a Virtual Machine... 62 Figure 16: Eucalyptus main components... 63 Figure 17: Class Diagram for PaaS Pattern... 70 Figure 18: Sequence Diagram for Consuming Development Software... 71 Figure 19: Sequence Diagram for Deploying an Application... 72 Figure 20: The Force.com stack and services (from [18])... 74 Figure 21: Class Diagram of Force.com s PaaS architecture... 77 Figure 22: Class Diagram for SaaS Pattern... 83 Figure 23: Sequence Diagram for UC1 - Subscribe to an application... 84 Figure 24: Sequence Diagram for UC2 - Consume an application... 85 Figure 25: Class Diagram for a Cloud Computing Environment... 91 Figure 26: Class Diagram for virtualization in Cloud Computing... 97 xii
Figure 27: Co-locate attacker s VM besides the Victim s VM... 99 Figure 28: Sequence Diagram for the use case Infer some of the victim s information by monitoring his resource usage... 100 Figure 29: Class diagram for VM Image Misuse Pattern... 106 Figure 30: Sequence Diagram for the Use Case Publish a Malicious VM Image... 107 Figure 31: Sequence Diagram for the use case Launch a VM using a malicious VM Image... 108 Figure 32: Class Diagram for VM Migration Process... 112 Figure 33: Sequence Diagram for the use case Man-in-the-middle attack during VM migration process... 114 Figure 34: Sequence Diagram for the use case Migrate several VMs to a victim VMM... 115 Figure 35: Securing a cloud reference architecture... 121 Figure 36: Security Use Case Model... 123 Figure 37: Activity Diagram for Use Cases Create VMI and Publish VMI... 124 Figure 38: Secure VMI Repository System... 128 Figure 39: Secure IaaS pattern... 130 Figure 40: Sequence Diagram for the use case Publish a Malicious VM Image... 132 Figure 41: Sequence Diagram for the Use Case Securely Publish VM Images... 133 xiii
1. INTRODUCTION Cloud Computing is a relatively new computing paradigm that improves the utilization of resources and decreases the power consumption of hardware while increasing flexibility and scalability as well as advantages for users such as paying for only used resources and access everywhere. Due to the immaturity of this computing model, there are a lot of definitions for Cloud Computing, but we consider that NIST provides a broad definition which states that a Cloud Computing is a model for enabling convenient, on demand network access to a shared of pool configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. The core of Cloud Computing is a variety of resources, software, and information that are provided on demand to the customers from a browser. Cloud Computing leverages a number of computing models and technologies such as Service Oriented Architecture (SOA), Web 2.0, virtualization and other Internet-based technologies. In some respects, Cloud Computing represents the maturing of these technologies and is a marketing term to represent that maturity and the services they provide [2]. Cloud Computing offers three fundamental delivery models: Infrastructure-as-a- Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS 1
provides processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. PaaS offers platform layer resources, including operating system support and software development frameworks to build, deploy and deliver applications into the cloud. SaaS provides end-user applications that are running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). Even though there are several benefits to adopting Cloud Computing, there are also some significant barriers to its acceptance. One important issue is security, followed by privacy, standardization and legal matters. There are several security challenges that are specific for each delivery model. Also, Cloud Computing inherits security issues from its underlying technologies and presents its own security challenges as well. This makes even harder to secure the entire system. Most security measures have been developed to mitigate or stop parts of a system, but there is rarely a global security analysis of the complete cloud system. Thus, our goal is to develop a secure reference architecture to manage these security issues. In this work, we make the following contributions: 1. An analysis of vulnerabilities and threats (Chapter 3 and [3]) for cloud environments. This analysis helps to understand security implications when adopting Cloud Computing. Starting with an overview of the challenges identified in the literature, the analysis identifies the main vulnerabilities and threats of Cloud Computing and how service models can be affected by them. Also, we 2
describe the relationship between these vulnerabilities and threats, and how there vulnerabilities can be exploited in order to perform an attack. 2. A reference architecture (Chapter 4) to understand the fundamental structures of clouds. A reference architecture is a generic architecture, valid for a particular domain [4][5]. Various reference architectures have been defined by different organizations such as IBM [6], HP [7], NIST [8], and Oracle [9], giving their proprietary solutions or not considering security aspects. The majority of these reference architectures describe a high level of the main components of clouds. Even when we think that they provide useful information, we need to describe cloud architectures in a more precise way. Thus, we need a semi-formal approach like UML which describes architectures in a relatively precise way. Our cloud architecture defines each delivery service model through patterns and demonstrates how it helps in explaining the overall Cloud Computing environment. 3. Listing possible attack for cloud environments is not enough; we need to understand how these attacks can compromise cloud components. For this, we developed some misuse patterns (Chapter 5, [10]) that describe how an attack happens from the point of view of the attacker [11]. With a complete catalog of misuse patterns, we can apply them systematically and use the reference architecture to find where to add security measures to mitigate or stop an attack. 4. Identification of security patterns for some of the threats listed previously in the analysis (Chapter 6). Some cloud services are exposed as web services. We developed some security patterns for Web services [12], and we can also use 3
existing security defenses which can be tailored for cloud systems. We also identified new patterns. 5. A secure reference architecture (Chapter 6) that includes defensive measures to secure cloud environments, which combines both security and misuse patterns in order to add security features in the reference architecture. By checking if a threat (misuse pattern) can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security. Our approach aims towards a reference architecture that can be used as secure framework that can be used for architects or designers before opting for any type of cloud system model. This work is based primarily in identifying main threats and describing them using misuse patterns, and also providing security defenses as forms of security patterns. Chapter 2 presents some background information that will be useful for the reader to understand better this work. In Chapter 3, we present a categorization of security issues for clouds focused in its delivery models, identifying the main vulnerabilities and threats found in the literature. In Chapter 4, a reference architecture is presented which provides a conceptual model defining the three most fundamental delivery models. Chapter 5 illustrates three misuse patterns including Resource Usage Monitoring Inference, Malicious Virtual Machine Creation and Malicious Virtual Machine Migration Process. Chapter 6 presents a secure reference architecture and an evaluation of the architecture using both misuse and security patterns. Chapter 7 provides some related work. In Chapter 8, we present some conclusions and possible future work. 4
2. BACKGROUND work. This section presents basic concepts in order to have a better understanding of this 2.1. Cloud Service Models Cloud computing providers offer three fundamental services according to the following service models: 2.1.1. Infrastructure-as-a-Service IaaS is the most basic cloud service model where cloud providers offer servers, storage and network, typically in a form of virtual appliances. Consumers can deploy and run any software such as operating systems and applications. IaaS providers are responsible for the underlying infrastructure including housing, running, and maintaining these resources while consumers are responsible for maintaining the operating system and their applications. Examples of IaaS providers include Amazon s EC2 [13], Eucalyptus [14], and Open Nebula [15]. 5
Figure 1: Infrastructure-as-a-Service Model 2.1.2. Platform-as-a-Service In the PaaS, providers offer environments for developing, deploying, hosting, and testing software applications. Typically it includes programming language, database, libraries, and other development tools. Consumers are not responsible for the underlying infrastructure, operating systems, or storage, but they are responsible for their deployed applications. Microsoft Azure [16], Google App Engine [17], and Force.com [18] are some examples of PaaS providers. Figure 2: Platform-as-a-Service Model 2.1.3. Software-as-a-Service In SaaS, cloud providers offer applications on demand that are hosted on the cloud and can be accessed through thin clients. Consumers do not manage or control the 6
underlying infrastructure. Some SaaS applications allow limited user-specific customization. Salesforce.com s CRM (Customer Relationship Management) [19], Google apps [20], and Freshbooks [21] are some examples of SaaS providers. Figure 3: Software-as-a-Service Model 2.2. Cloud Service Deployment Cloud Computing can be deployed in different ways such as public, private, hybrid and community clouds. 2.2.1. Public Cloud A Public Cloud is deployed by an organization (Cloud Provider), in which it offers its services to the general public over the Internet. The infrastructure is owned and managed by the service provider, and it is located in his facilities. These services are usually offered on a pay-as-you-go model. Cloud providers are responsible for the installation, management, provisioning and maintenance of the cloud services. For the users, their data is stored and processed in the cloud which may raise security and privacy issues. 7
Figure 4: Public Cloud 2.2.2. Private Cloud A Private Cloud is deployed for a single organization and is dedicated only to that organization s internal users. A private cloud resides in the organization s facilities; however, it can be hosted and managed by a third party provider. Organizations are in charge of the operation, maintenance and management of the cloud, so that data security and availability can be controlled by them. Figure 5: Private Cloud 8
2.2.3. Community Cloud Community clouds are deployed for a group of organizations that share common computing concerns. It may be owned, managed and operated by one or some of the organization members. Figure 6: Community Cloud 2.2.4. Hybrid Cloud It is a combination of the previous types of clouds (private, public, or community). In order to ensure security, an organization should migrate some of its process to a public cloud while remaining its critical process in-house. 9
Figure 7: Hybrid Cloud 2.3. Characteristics of Cloud Computing In general, Cloud Computing has the following characteristics [22][23][1][24][25]: Accessibility: Cloud services can be accessed from anywhere at any time via browsers or APIs by different client platforms such as laptops, desktops, mobile phones and tablets. Cloud services are network dependent, so the network (Internet, LAN, or WAN) has to work in order to access cloud services. On demand self-service: Customers access cloud services when they need them without going through a lengthy process. Elasticity: Elasticity refers the ability of a service to adjust (increase or decrease capacity) in order to meet the user s needs. Pay-as-you-go: Depending on the pricing model, customers only pay for the services they consume (computing power, bandwidth, storage, number of users, etc.). Sometimes, the services have flat rate, or they are free of charge. 10
Versatility: Cloud Computing supports different types of services: IaaS, PaaS, and SaaS, and each service can provide various applications running at the same time. Shared Resources: Cloud resources such as infrastructure, platform and software are shared among multiple customers (multi-tenant), which enable unused resources to serve different needs for different customers. Security: Cloud resources are centrally managed, so in theory security should be improved in this type of environments. However, security in complex environments is hard to undertake due to the fact data is stored and processed in unknown places, resources are shared by unrelated users, and other concerns. Reliability: Cloud Computing supports reliability by adding redundant sites in case an error or attack happens. Performance: The performance of applications can be better in clouds because computing resources can be assigned to them when workloads surge. Clouds can be suitable for intense-data applications since they require several computing resources. 2.4. Key Technologies for Cloud Computing Cloud computing combines a number of computing concepts and technologies such as SOA, Web 2.0, virtualization, and other Internet-based technologies. 2.4.1. Service Oriented Architecture (SOA) Service Oriented Architecture (SOA) is an architectural concept based on a set of loosely coupled services which can be discovered through a repository. This repository 11
contains a set of interface descriptions that defines constraints and policies that need to be followed in order to consume the service. A service represents a group of logical business operations. SOA provides platform-independent enabling components to be implemented in different platforms, technologies, and languages. SOA can be implemented using different technologies such as web services (SOAP, REST), CORBA, DCOM, and others. Web services are the most typical implementation of SOA, and cloud services are normally exposed as web services such as Amazon s EC2 [13]. Cloud Computing is a type of SOA which offers flexibility, extensibility, and reusability. 2.4.2. Web 2.0 Web 2.0 uses World Wide Web technology and Wed design that provides information sharing, collaboration and functionality of the Web. Web 2.0 allows the users not only to access content from a web site, but also to contribute to it. Major characteristics of Web 2.0 that differs from Web 1.0 include wikis, mashups, tagging, and social networking sites [15]. With Web 1.0, organizations have to make contractual arrangements with business partners in order to provide services such as payment services. However, PayPal offers services to individuals and organizations that require payment processing in their businesses without making any commitment and paying only for each transaction. 2.4.3. Virtualization Virtualization is the simulation of a computer resource including servers, network, storage, and operating system [27]. It creates multiple logical resources where different systems, applications, or users can interact with them. Hardware virtualization has led 12
indisputably to the evolution of Cloud Computing. Hardware virtualization refers to the creation of virtual machines that can run different operating systems. The software that manages virtualization is called virtual machine monitor or hypervisor. There are different types of hardware virtualization: full virtualization, partial virtualization and para virtualization. Operating system-level virtualization is a server virtualization where the operating system runs on top of the hardware, instead of the hypervisor. 2.4.4. Reference Architectures A reference architecture is a standardized, generic architecture, valid for a particular domain that does not contain implementation details [28]. It provides a template solution that can be instantiated into a specific software architecture by adding implementationoriented aspects. There is no formal definition what a reference architecture should contain. However, Avgeriou [29] proposes a description for reference architectures which includes the following: The system stakeholders that interacts with the system such as customers, administrators, developers and IT staff. The views describes in the RUP (use case model, analysis model, design model, deployment model, and implementation model). These views should be developed using Unified Modeling Language (UML). The architectural patterns that characterize parts of the architecture. The quality attributes that should be supported by the architecture. 13
A reference architecture should be described at an abstract level, and all details about implementation should only be considered for a specific software architecture instance. 2.4.5. Patterns A pattern is an encapsulated solution to a recurrent problem in a given context [4][5]. It is a reusable template that captures knowledge and experience of software developers. Analysis patterns can be used to build conceptual models [30][31], design and architectural patterns can be used to build flexible software [4][5], and security patterns are used to build secure systems [32][12][33][34]. A pattern can be used to build reference architectures, which we do in this work. Moreover, there is another type of pattern: a misuse pattern [11]. A misuse pattern describes how an attack happens from the point of view of an attacker. Typically a pattern provides a solution using UML diagrams such as class diagrams and sequence diagrams. These diagrams present a precise way of describing a system allowing designers to use them as guidelines. A pattern is described using a template. For this work, we follow the POSA template [4] which consists of the following components: intent, context, problem, solution, implementation, known uses, consequences, and related patterns. 14
3. ANALYSIS OF SECURITY ISSUES We present here a categorization of security issues for Cloud Computing focused in the so-called SPI model (SaaS, PaaS and IaaS), identifying the main vulnerabilities in this kind of systems and the most important threats found in the literature related to Cloud Computing and its environment. A threat is a potential attack that may lead to a misuse of information or resources, and the term vulnerability refers to the flaws in a system that allows an attack to be successful. There are some surveys where they focus on one service model, or they focus on listing cloud security issues in general without distinguishing among vulnerabilities and threats. Here, we present a list of vulnerabilities and threats, and we also indicate what cloud service models can be affected by them. Furthermore, we describe the relationship between these vulnerabilities and threats; how these vulnerabilities can be exploited in order to perform an attack, and also present some countermeasures related to these threats which try to solve or improve the identified problems. 3.1. Systematic Review of Security Issues for Cloud Computing We have carried out a systematic review [35][36][37] of the existing literature regarding security in Cloud Computing, not only in order to summarize the existing vulnerabilities and threats concerning this topic but also to identify and analyze the current state and the most important security issues for Cloud Computing. 15
3.1.1. Question Formalization The question focus was to identify the most relevant issues in Cloud Computing which consider vulnerabilities, threats, risks, requirements and solutions of security for Cloud Computing. This question had to be related with the aim of this work; that is to identify and relate vulnerabilities and threats with possible solutions. Therefore, the research question addressed by our research was the following: What security vulnerabilities and threats are the most important in Cloud Computing which have to be studied in depth with the purpose of handling them? The keywords and related concepts that make up this question and that were used during the review execution are: secure Cloud systems, Cloud security, delivery models security, SPI security, SaaS security, PaaS security, IaaS security, Cloud threats, Cloud vulnerabilities, Cloud recommendations, best practices in Cloud. 3.1.2. Selection of Sources The selection criteria through which we evaluated study sources was based on the research experience of the author and contributors of this work, and in order to select these sources we have considered certain constraints: studies included in the selected sources must be written in English and these sources must be web-available. The following list of sources has been considered: ScienceDirect, ACM digital library, IEEE digital library, Scholar Google and DBLP. Later, the experts will refine the results and will include important works that had not been recovered in these sources and will update this work taking into account other constraints such as impact factor, received cites, important journals, renowned authors, etc. 16
Once the sources had been defined, it was necessary to describe the process and the criteria for study selection and evaluation. The inclusion and exclusion criteria of this study were based on the research question. We therefore established that the studies must contain issues and topics which consider security on Cloud Computing, and that these studies must describe threats, vulnerabilities, countermeasures, and risks. 3.1.3. Review Execution During this phase, the search in the defined sources must be executed and the obtained studies must be evaluated according to the established criteria. After executing the search chain on the selected sources we obtained a set of about 120 results which were filtered with the inclusion criteria to give a set of about 40 relevant studies. This set of relevant studies was again filtered with the exclusion criteria to give a set of studies which corresponds with 15 primary proposals [38][2][39][40][41][42][43][44][45][46][47][48][49][50][51]. 3.1.4. Results and Discussion The results of the systematic review are summarized in Table 1 which shows a summary of the topics and concepts considered for each approach. Table 1: Summary of the topics considered in each approach Topics / References [38] [2] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] Vulnerabilities X X X X X X X X X Threats X X X X X X X X X X X X X Mechanisms/Recommendations X X X X X X X X Security Standards X X Data Security X X X X X X X 17
Topics / References [38] [2] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] Trust X X X X X Security Requirements X X X X X X SaaS, PaaS, IaaS Security X X X As it is shown in Table 1, most of the approaches discussed identify, classify, analyze, and list a number of vulnerabilities and threats focused on Cloud Computing. The studies analyze the risks and threats, often give recommendations on how they can be avoided or covered, resulting in a direct relationship between vulnerability or threats and possible solutions and mechanisms to solve them. In addition, we can see that in our search, many of the approaches, in addition to speaking about threats and vulnerabilities, also discuss other issues related to security in the Cloud such as the data security, trust, or security recommendations and mechanisms for any of the problems encountered in these environments. 3.2. Security in the SPI Model With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction, the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. Largely because of the relatively lower degree of abstraction, IaaS offers greater tenant or customer control over security than do PaaS or SaaS [39]. Before analyzing security challenges in Cloud Computing, we need to understand the relationships and dependencies between these cloud service models [38]. PaaS as well as SaaS are hosted on top of IaaS; thus, any breach in IaaS will impact the security of both PaaS and SaaS services, but also it may be true on the other way around. However, we 18
have to take into account that PaaS offers a platform to build and deploy SaaS applications, which increases the security dependency between them. As a consequence of these deep dependencies, any attack to any cloud service layer can compromise the upper layers. Each cloud service model comprises its own inherent security flaws; however, they also share some challenges that affect all of them. These relationships and dependencies between cloud models may also be a source of security risks. A SaaS provider may rent a development environment from a PaaS provider, which might also rent an infrastructure from an IaaS provider. Each provider is responsible for securing his own services, which may result in an inconsistent combination of security models. It also creates confusion over which service provider is responsible once an attack happens. 3.2.1. Software-as-a-Service (SaaS) Security Issues SaaS provides application services on demand such as email, conferencing software, and business applications such as ERP, CRM, and SCM [52]. SaaS users have less control over security among the three fundamental delivery models in the cloud. The adoption of SaaS applications may raise some security concerns. 3.2.1.1. Application security These applications are typically delivered via the Internet through a Web browser [53][46]. However, flaws in web applications may create vulnerabilities for the SaaS applications. Attackers have been using the web to compromise user s computers and perform malicious activities such as steal sensitive data [54]. Security challenges in SaaS applications are not different from any web application technology, but traditional security solutions do not effectively protect it from attacks, so new approaches are 19
necessary [45]. The Open Web Application Security Project (OWASP) has identified the ten most critical web applications security threats [55]. There are more security issues, but it is a good start for securing web applications. 3.2.1.2. Multi-tenancy SaaS applications can be grouped into maturity models that are determined by the following characteristics: scalability, configurability via metadata, and multi-tenancy [52][56]. In the first maturity model, each customer has his own customized instance of the software. This model has drawbacks, but security issues are not so bad compared with the other models. In the second model, the vendor also provides different instances of the applications for each customer, but all instances use the same application code. In this model, customers can change some configuration options to meet their needs. In the third maturity model multi-tenancy is added, so a single instance serves all customers [57]. This approach enables more efficient use of the resources but scalability is limited. Since data from multiple tenants is likely to be stored in the same database, the risk of data leakage between these tenants is high. Security policies are needed to ensure that customer s data are kept separate from other customers [58]. For the final model, applications can be scaled up by moving the application to a more powerful server if needed. 3.2.1.3. Data security Data security is a common concern for any technology, but it becomes a major challenge when SaaS users have to rely on their providers for proper security [53][45][59]. In SaaS, organizational data is often processed in plaintext and stored in the 20
cloud. The SaaS provider is the one responsible for the security of the data while is being processed and stored [30]. Also, data backup is a critical aspect in order to facilitate recovery in case of disaster, but it introduces security concerns as well [45]. Also cloud providers can subcontract other services such as backup from third-party service providers, which may raise concerns. Moreover, most compliance standards do not envision compliance with regulations in a world of Cloud Computing [53]. In the world of SaaS, the process of compliance is complex because data is located in the provider s datacenters, which may introduce regulatory compliance issues such as data privacy, segregation, and security, that must be enforced by the provider. 3.2.1.4. Accessibility Accessing applications over the internet via web browser makes access from any network device easier, including public computers and mobile devices. However, it also exposes the service to additional security risks. The Cloud Security Alliance [60] has released a document that describes the current state of mobile computing and the top threats in this area such as information stealing mobile malware, insecure networks (WiFi), vulnerabilities found in the device OS and official applications, insecure marketplaces, and proximity-based hacking. 3.2.2. Platform-as-a-Service (PaaS) Security Issues PaaS facilitates deployment of cloud-based applications without the cost of buying and maintaining the underlying hardware and software layers [45]. As with SaaS and IaaS, PaaS depends on a secure and reliable network and secure web browser. PaaS application security comprises two software layers: Security of the PaaS platform itself 21
(i.e., runtime engine), and Security of customer applications deployed on a PaaS platform [39]. PaaS providers are responsible for securing the platform software stack that includes the runtime engine that runs the customer applications. Same as SaaS, PaaS also brings data security issues and other challenges that are described as follows: 3.2.2.1. Third-party relationships Moreover, PaaS does not only provide traditional programming languages, but also does it offer third-party web services components such as mashups [39][61]. Mashups combine more than one source element into a single integrated unit. Thus, PaaS models also inherit security issues related to mashups such as data and network security [62]. Also, PaaS users have to depend on both the security of web-hosted development tools and third-party services. 3.2.2.2. Development Life Cycle From the perspective of the application development, developers face the complexity of building secure applications that may be hosted in the cloud. The speed at which applications will change in the cloud will affect both the System Development Life Cycle (SDLC) and security [53][48]. Developers have to keep in mind that PaaS applications should be upgraded frequently, so they have to ensure that their application development processes are flexible enough to keep up with changes [43]. However, developers also have to understand that any changes in PaaS components can compromise the security of their applications. Besides secure development techniques, developers need to be educated about data legal issues as well, so that data is not stored in inappropriate 22
locations. Data may be stored on different places with different legal regimes that can compromise its privacy and security. 3.2.2.3. Underlying infrastructure security In PaaS, developers do not usually have access to the underlying layers, so providers are responsible for securing the underlying infrastructure as well as the applications services [63]. Even when developers are in control of the security of their applications, they do not have the assurance that the development environment tools provided by a PaaS provider are secure. In conclusion, there is less material in the literature about security issues in PaaS. SaaS provides software delivered over the web while PaaS offers development tools to create SaaS applications. However, both of them may use multi-tenant architecture so multiple concurrent users utilize the same software. Also, PaaS applications and user s data are also stored in cloud servers which can be a security concern as discussed on the previous section. In both SaaS and PaaS, data is associated with an application running in the cloud. The security of this data while it is being processed, transferred, and stored depends on the provider. 3.2.3. Infrastructure-as-a-Service (IaaS) Security Issues IaaS provides a pool of resources such as servers, storage, networks, and other computing resources in the form of virtualized systems, which are accessed through the Internet [48]. Users are entitled to run any software with full control and management on the resources allocated to them [42]. With IaaS, cloud users have better control over the 23
security compared to the other models as long there is no security hole in the virtual machine monitor [45]. They control the software running in their virtual machines, and they are responsible to configure security policies correctly[64]. However, the underlying compute, network, and storage infrastructure is controlled by cloud providers. IaaS providers must undertake a substantial effort to secure their systems in order to minimize these threats that result from creation, communication, monitoring, modification, and mobility [65]. Here are some of the security issues associated to IaaS. 3.2.3.1. Virtualization Virtualization allows users to create, copy, share, migrate, and roll back virtual machines, which may allow them to run a variety of applications [66][67]. However, it also introduces new opportunities for attackers because of the extra layer that must be secured [54]. Virtual machine security becomes as important as physical machine security, and any flaw in either one may affect the other [43]. Virtualized environments are vulnerable to all types of attacks for normal infrastructures; however, security is a greater challenge as virtualization adds more points of entry and more interconnection complexity [68]. Unlike physical servers, VMs have two boundaries: physical and virtual [48]. 3.2.3.2. Virtual Machine Monitor The Virtual Machine Monitor (VMM) or hypervisor is responsible for virtual machines isolation; therefore, if the VMM is compromised, its virtual machines may potentially be compromised as well. The VMM is a low-level software that controls and monitors its virtual machines, so as any traditional software it entails security flaws [68]. 24
Keeping the VMM as simple and small as possible reduces the risk of security vulnerabilities, since it will be easier to find and fix any vulnerability. Moreover, virtualization introduces the ability to migrate virtual machines between physical servers for fault tolerance, load balancing or maintenance [40][10]. This useful feature can also raise security problems [65][66][69]. An attacker can compromise the migration module in the VMM and transfer a victim virtual machine to a malicious server. Also, it is clear that VM migration exposes the content of the VM to the network, which can compromise its data integrity and confidentiality. A malicious virtual machine can be migrated to another host (with another VMM) compromising it. 3.2.3.3. Shared resource VMs located on the same server can share CPU, memory, I/O, and others. Sharing resources between VMs may decrease the security of each VM. For example, a malicious VM can infer some information about other VMs through shared memory or other shared resources without need of compromising the hypervisor [10]. Using covert channels, two VMs can communicate bypassing all the rules defined by the security module of the VMM [70]. Thus, a malicious Virtual Machine can monitor shared resources without being noticed by its VMM, so the attacker can infer some information about other virtual machines. 3.2.3.4. Public VM image repository In IaaS environments, a VM image is a prepackaged software template containing the configurations files that are used to create VMs. Thus, these images are fundamental for the overall security of the cloud [10][71]. One can either create her own VM image from 25
scratch, or one can use any image stored in the provider s repository. For example, Amazon offers a public image repository where legitimate users can download or upload a VM image. Malicious users can store images containing malicious code into public repositories compromising other users or even the cloud system [44][48][49]. For example, an attacker with a valid account can create an image containing malicious code such as a Trojan horse. If another customer uses this image, the virtual machine that this customer creates will be infected with the hidden malware. Moreover, unintentionally data leakage can be introduced by VM replication [44]. Some confidential information such as passwords or cryptographic keys can be recorded while an image is being created. If the image is not cleaned, this sensitive information can be exposed to other users. VM images are dormant artifacts that are hard to patch while they are offline [72]. 3.2.3.5. Virtual Machine Rollback Furthermore, virtual machines are able to be rolled back to their previous states if an error happens. But rolling back virtual machines can re-expose them to security vulnerabilities that were patched or re-enable previously disabled accounts or passwords. In order to provide rollbacks, we need to make a copy (snapshot) of the virtual machine, which can result in the propagation of configuration errors and other vulnerabilities [53][67]. 3.2.3.6. Virtual Machine Life Cycle Additionally, it is important to understand the lifecycle of the VMs and their changes in states as they move through the environment. VMs can be on, off, or suspended which makes it harder to detect malware. Also, even when virtual machines are offline, they can 26
be vulnerable [48]; that is, a virtual machine can be instantiated using an image that may contain malicious code. These malicious images can be the starting point of the proliferation of malware by injecting malicious code within other virtual machines in the creation process. 3.2.3.7. Virtual Networks Network components are shared by different tenants due to resource pooling. As mentioned before, sharing resources allows attackers to launch cross-tenant attacks [44]. Virtual Networks increase the VMs interconnectivity, an important security challenge in Cloud Computing [73]. The most secure way is to hook each VM with its host by using dedicated physical channels. However, most hypervisors use virtual networks to link VMs to communicate more directly and efficiently. For instance, most virtualization platforms such as Xen provide two ways to configure virtual networks: bridged and routed, but these techniques increase the possibility to perform some attacks such as sniffing and spoofing virtual network [68][74]. 3.3. Analysis of Security Issues in Cloud Computing We systematically analyze now existing security vulnerabilities and threats of Cloud Computing. For each vulnerability and threat, we identify what cloud service model or models are affected by these security problems. Table 2 presents an analysis of vulnerabilities in Cloud Computing. This analysis offers a brief description of the vulnerabilities, and indicates what cloud service models (SPI) can be affected by them. For this analysis, we focus mainly on technology-based vulnerabilities; however, there are other vulnerabilities that are common to any 27
organization, but they have to be taken in consideration since they can negatively impact the security of the cloud and its underlying platform. Some of these vulnerabilities are the following: Lack of employee screening and poor hiring practices [40] some cloud providers may not perform background screening of their employees or providers. Privileged users such as cloud administrators usually have unlimited access to the cloud data. Lack of customer background checks most cloud providers do not check their customer s background, and almost anyone can open an account with a valid credit card and email. Apocryphal accounts can let attackers perform any malicious activity without being identified [40]. Lack of security education people continue to be a weak point in information security [75]. This is true in any type of organization; however, in the cloud, it has a bigger impact because there are more people that interact with the cloud: cloud providers, third-party providers, suppliers, organizational customers, and endusers. Cloud Computing leverages many existing technologies such as web services, web browsers, and virtualization, which contributes to the evolution of cloud environments. Therefore, any vulnerability associated to these technologies also affects the cloud, and it can even have a significant impact. 28
Table 2. Vulnerabilities in Cloud Computing ID Vulnerabilities Description Layer V01 Insecure interfaces and APIs Cloud providers offer services that can be accessed through APIs (SOAP, REST, or HTTP with XML/JSON) [65]. The security of the cloud depends upon the security of these interfaces [40]. Some problems are: a) Weak credential b) Insufficient authorization checks c) Insufficient input-data validation SPI Also, cloud APIs are still immature which means that are frequently updated. A fixed bug can introduce another security hole in the application [76]. V02 Unlimited allocation of resources Inaccurate modeling of resource usage can lead to overbooking or over-provisioning [41]. SPI V03 Data-related vulnerabilities a) Data can be colocated with the data of unknown owners (competitors, or intruders) with a weak separation [59] b) Data may be located in different jurisdictions which have different laws [43][76][77] c) Incomplete data deletion data cannot be completely removed [43][44][49][78] d) Data backup done by untrusted third-party providers [78][79] e) Information about the location of the data usually is unavailable or not disclosed to users [49] f) Data is often stored, processed, and transferred in clear plain text SPI V04 Vulnerabilities in Virtual Machines a) Possible covert channels in the colocation of VMs [70][80][81] b) Unrestricted allocation and deallocation of resources with VMs [79] c) Uncontrolled Migration - VMs can be migrated from one server to another server due to fault tolerance, load balance, or hardware maintenance [65][67] d) Uncontrolled snapshots VMs can be copied in order to provide flexibility [53], which may lead to data leakage e) Uncontrolled rollback could lead to reset vulnerabilities - VMs can be backed up to a previous state for restoration [67], but patches applied after the previous state disappear f) VMs have IP addresses that are visible to anyone within the cloud - attackers can map where the target VM is located within the cloud (Cloud cartography [80]) I 29
ID Vulnerabilities Description Layer V05 Vulnerabilities in Virtual Machine Images a) Uncontrolled placement of VM images in public repositories [48] b) VM images are not able to be patched since they are dormant artifacts [67] I V06 Vulnerabilities in Hypervisors a) Complex hypervisor code [82] b) Flexible configuration of VMs or hypervisors to meet organization needs can be exploited I V07 Vulnerabilities in Virtual Networks Sharing of virtual bridges by several virtual machines [73] I From Table 2, we can conclude that data storage and virtualization are the most critical and an attack to them can do the most harm. Attacks to lower layers have more impact to the other layers. Table 3 presents an overview of threats in Cloud Computing. Like Table 2 it also describes the threats that are related to the technology used in cloud environments, and it indicates what cloud service models are exposed to these threats. We put more emphasis on threats that are associated with data being stored and processed remotely, sharing resources and the usage of virtualization. Table 3. Threats in Cloud Computing ID Threats Description Layer An account theft can be performed by different ways such as SPI T01 social engineering and weak credentials. If an attacker gains Account or service access to a user s credential, he can perform malicious hijacking activities such as access sensitive data, manipulate data, and redirect any transaction [40]. Since data cannot be completely removed from unless the SPI T02 Data scavenging device is destroyed, attackers may be able to recover this data [41][49][39]. Data leakage happens when the data gets into the wrong hands SPI T03 Data leakage while it is being transferred, stored, audited or processed [40][41][44][80]. It is possible that a malicious user will take all the possible SPI T04 Denial of Service resources. Thus, the system cannot satisfy any request from other legitimate users due to resources being unavailable. 30
ID Threats Description Layer Users attack web applications by manipulating data sent from S Customer-data their application component to the server s application T05 manipulation [44][55]. For example, SQL injection, command injection, insecure direct object references, and cross-site scripting. It is designed to exploit the hypervisor in order to take control I T06 VM escape of the underlying infrastructure [48][83]. It happens when a VM is able to gain access to another VM I T07 VM hopping T08 T09 T10 Malicious VM creation Insecure VM migration Sniffing/Spoofing virtual networks (i.e by exploting some hypervisor vulnerability) [41][66] An attacker who creates a valid account can create a VM image containing malicious code such as a Trojan horse and store it in the provider repository [44]. Live migration of virtual machines exposes the contents of the VM state files to the network. An attacker can do the following actions: a) Access data illegally during migration [65] b) Transfer a VM to an untrusted host [67] c) Create and migrate several VM causing disruptions or DoS A malicious VM can listen to the virtual network or even use ARP spoofing to redirect packets from/to other VMs [68][73]. I I I The relationship between threats and vulnerabilities is illustrated in Table 4, which describes how a threat can take advantage of some vulnerability to compromise the system. The goal of this analysis is also to identify some existing defenses that can defeat these threats. This information can be expressed in a more detailed way using misuse patterns [11]. Misuse patterns describe how a misuse is performed from the point of view of the attacker. For instance, in threat T09, an attacker can read or tamper with the contents of the VM state files during live migration. This can be possible because VM migration transfer the data over network channels that are often insecure, such as the Internet. Insecure VM migration can be mitigated by the following proposed techniques: TCCP [84] provides confidential execution of VMs and secure migration operations as well. PALM [85] proposes a secure migration system that provides VM live migration capabilities under the condition that a VMM-protected system is present and active. Threat 08 is another cloud threat where an attacker creates 31
malicious VM image containing any type of virus or malware. This threat is feasible because any legitimate user can create a VM image and publish it on the provider s repository where other users can retrieve them. If the malicious VM image contains malware, it will infect other VMs instantiated with this malicious VM image. In order to overcome this threat, an image management system was proposed, Mirage [71]. It provides the following security management features: access control framework, image filters, provenance tracking system, and repository maintenance services. Table 4. Relationships between Threats, Vulnerabilities, and Countermeasures Threat T01 T02 T03 T04 T05 T06 T07 T08 T09 Vulnerabili ties V01 V03a, V03c V03a, V03c, V03d, V03f, V04a-f, V05a, V07 Incidents An attacker can use the victim s account to get access to the target s resources. Data from hard drives that are shared by several customers cannot be completely removed. Authors in [80] illustrated the steps necessary to gain confidential information from other VMs co-located in the same server as the attacker. Side channel [88] V01, V02 An attacker can request more computational resources, so other legal users are not able to get additional capacity. V01 V06a, V06b V04b, V06b V05a, V05b V04d Some examples are described in [55] such as SQL, command injection, and cross-site scripting A zero-day exploit in the HyperVM virtualization application that destroyed about 100,000 websites [93] [96] presents a study that demonstrates security flaws in most virtual machines monitors An attacker can create a VM image containing malware and publish it in a public repository. [97] has empirically showed attacks against the migration functionality of the latest version of 32 Countermeasures Identity and Access Management Guidance [86] Dynamic credential [87] Specify destruction strategies on Servicelevel Agreements (SLAs) FRS techniques [89] Digital Signatures [90] Encryption [88] Homomorphic encryption [91] Cloud providers can force policies to offer limited computational resources Web application scanners [92] HyperSafe [82] TCCP (Trusted Cloud Computing Platform) [84] TVDc (Trusted Virtual Datacenter) [94][95] Mirage [71] PALM [85] TCCP [84]
Threat T10 Vulnerabili Incidents Countermeasures ties the Xen and VMware virtualization products. VNSS [74] V07 Sniffing and spoofing virtual networks [73] Virtual network framework based on Xen network modes: bridged and routed [73] 3.3.1. Countermeasures In this section, we provide a brief description of each countermeasure mentioned before, except for threats T02 and T07. 3.3.1.1. Countermeasures for T01: Account or service hijacking Identity and Access Management Guidance: Cloud Security Alliance (CSA) is a non-profit organization that promotes the use of best practices in order to provide security in cloud environments. CSA has issued an Identity and Access Management Guidance [86] which provides a list of recommended best practiced to assure identities and secure access management. This report includes centralized directory, access management, identity management, role-based access control, user access certifications, privileged user and access management, separation of duties, and identity and access reporting. Dynamic Credentials: [87] presents an algorithm to create dynamic credentials for mobile cloud computing systems. The dynamic credential changes its value once a user changes its location or when he has exchanged a certain number of data packets. 33
3.3.1.2. Countermeasures for T03: Data Leakage Fragmentation-redundancy-scattering (FRS) technique [89]: This technique aims to provide intrusion tolerance and, in consequence, secure storage. This technique consists in first breaking down sensitive data into insignificant fragments, so any fragment does not have any significant information by itself. Then, fragments are scattered in a redundant fashion across different sites of the distributed system. Digital Signatures: [90] proposes to secure data using digital signature with RSA algorithm while data is being transferred over the Internet. They claimed that RSA is the most recognizable algorithm, and it can be used to protect data in cloud environments. Homomorphic encryption: The three basic operations for cloud data are transfer, store, and process. Encryption techniques can be used to secure data while it is being transferred in and out of the cloud or stored in the provider s premises. Cloud providers have to decrypt cipher data in order to process it, which raises privacy concerns. In [91], they propose a method based on the application of fully homomorphic encryption to the security of clouds. Fully homomorphic encryption allows performing arbitrary computation on ciphertexts without being decrypted. Current homomorphic encryption schemes support limited number of homomorphic operations such as addition and multiplication. The authors in [98] provided some real-world cloud applications where some basic homomorphic operations are needed. However, it requires a huge processing power which may impact on user response time and power consumption. 34
Encryption: Encryption techniques have been used for long time to secure sensitive data. Sending or storing encrypted data in the cloud will ensure that data is secure. However, it is true assuming that the encryption algorithms are strong. There are some well-known encryption schemes such as AES (Advanced Encryption Standard). Also, SSL technology can be used to protect data while it is in transit. Moreover, [88] describes that encryption can be used to stop side channel attacks on cloud storage de-duplication, but it may lead to offline dictionary attacks reveling personal keys. 3.3.1.3. Countermeasures for T05: Customer Data Manipulation Web application scanners: Web applications can be an easy target because they are exposed to the public including potential attackers. Web application scanners [92] is a program which scans web applications through the web front-end in order to identify security vulnerabilities. There are also other web application security tools such as web application firewall. Web application firewall routes all web traffic through the web application firewall which inspects specific threats. 3.3.1.4. Countermeasures for T06: VM Escape HyperSafe [82]: It is an approach that provides hypervisor control-flow integrity. HyperSafe s goal is to protect type I hypervisors using two techniques: nonbypassable memory lockdown which protects write-protected memory pages from being modified, and restricted pointed indexing that converts control data into pointer indexes. In order to evaluate the effectiveness of this approach, they have conducted four types of attacks such as modify the hypervisor code, execute the 35
injected code, modify the page table, and tamper from a return table. They concluded that HyperSafe successfully prevented all these attacks, and that the performance overhead is low. Trusted Cloud Computing Platform: TCCP [84] enables providers to offer closed box execution environments, and allows users to determine if the environment is secure before launching their VMs. The TCCP adds two fundamental elements: a trusted virtual machine monitor (TVMM) and a trusted coordinator (TC). The TC manages a set of trusted nodes that run TVMMs, and it is maintained but a trusted third party. The TC participates in the process of launching or migrating a VM, which verifies that a VM is running in a trusted platform. The authors in [99] claimed that TCCP has a significant downside due to the fact that all the transactions have to verify with the TC which creates an overload. They proposed to use Direct Anonymous Attestation (DAA) and Privacy CA scheme to tackle this issue. Trusted Virtual Datacenter: TVDc [94][95] insures isolation and integrity in cloud environments. It groups virtual machines that have common objectives into workloads named Trusted Virtual Domains (TVDs). TVDc provides isolation between workloads by enforcing mandatory access control, hypervisor-based isolation, and protected communication channels such as VLANs. TVDc provides integrity by employing load-time attestation mechanism to verify the integrity of the system. 36
3.3.1.5. Countermeasures for T08: Malicious Virtual Machine Creation Mirage: In [71], the authors propose a virtual machine image management system in a cloud computing environment. This approach includes the following security features: access control framework, image filters, a provenance tracking, and repository maintenance services. However, one limitation of this approach is that filters may not be able to scan all malware or remove all the sensitive data from the images. Also, running these filters may raise privacy concerns because they have access to the content of the images which can contain customer s confidential data. 3.3.1.6. Countermeasures for T09: Insecure Virtual Machine Migration Protection Aegis for Live Migration of VMs (PALM): [85] proposes a secure live migration framework that preserves integrity and privacy protection during and after migration. The prototype of the system was implemented based on Xen and GNU Linux, and the results of the evaluation showed that this scheme only adds slight downtime and migration time due to encryption and decryption. VNSS: [74] proposes a security framework that customizes security policies for each virtual machine, and it provides continuous protection thorough virtual machine live migration. They implemented a prototype system based on Xen hypervisors using stateful firewall technologies and userspace tools such as iptables, xm commands program and conntrack-tools. The authors conducted some experiments to evaluate their framework, and the results revealed that the security policies are in place throughout live migration. 37
3.3.1.7. Countermeasures for T010: Sniffing/Spoofing virtual networks Virtual Network Security: Wu et al [73] presents a virtual network framework that secures the communication among virtual machines. This framework is based on Xen which offers two configuration modes for virtual networks: bridged and routed. The virtual network model is composed of three layers: routing layers, firewall, and shared networks, which can prevent VMs from sniffing and spoofing. An evaluation of this approach was not performed when this publication was published. Furthermore, web services are the largest implementation technology in cloud environments. However, web services also lead to several challenges that need to be addressed. Security web services standards describe how to secure communication between applications through integrity, confidentiality, authentication and authorization. There are several security standard specifications [12] such as Security Assertion Markup Language (SAML), WS-Security, Extensible Access Control Markup (XACML), XML Digital Signature, XML Encryption, Key Management Specification (XKMS), WS- Federation, WS-Secure Conversation, WS-Security Policy and WS-Trust. The NIST Cloud Computing Standards Roadmap Working Group has gathered high level standards that are relevant for Cloud Computing. 3.4. Summary We have presented security issues for cloud models: IaaS, PaaS, and IaaS, which vary depending on the model. As described in this chapter, storage, virtualization, and 38
networks are the biggest security concerns in Cloud Computing. Virtualization which allows multiple users to share a physical server is one of the major concerns for cloud users. Also, another challenge is that there are different types of virtualization technologies, and each type may approach security mechanisms in different ways. Virtual networks are also target for some attacks especially when communicating with remote virtual machines. Some surveys have discussed security issues about clouds without making any difference between vulnerabilities and threats. We have focused on this distinction, where we consider important to understand these issues. Enumerating these security issues was not enough; that is why we made a relationship between threats and vulnerabilities, so we can identify what vulnerabilities contribute to the execution of these threats and make the system more robust. Also, some current solutions were listed in order to mitigate these threats. However, new security techniques are needed as well as redesigned traditional solutions that can work with cloud architectures. Traditional security mechanisms may not work well in cloud environments because it is a complex architecture that is composed of a combination of different technologies. 39
4. REFERENCE ARCHITECTURE Various reference architectures for clouds have been defined by IBM [6], HP [7], NIST [8], and Oracle [9][100]. However, these reference architectures mostly provide high level definitions and cloud components. Also, some of them provide implementation details using their proprietary solutions. They only focus on requirements for cloud as an entire system, but we believe that each service delivery model has its own requirements that need to take into consideration in order to define a precise reference architecture. We develop a reference architecture that provides a conceptual model defining the three most fundamental delivery models: IaaS, PaaS, and SaaS. Our proposed reference architecture includes use case models which represent the basic functions of cloud environments. These use cases help us to identify the main actors who interact with the system and are responsible for their actions. Use cases can be used to analyze the threats to its activities and to find where the system is vulnerable. Therefore, we have listed common use cases that can be applied to any cloud delivery model. However, we also provide some use cases in detail for each cloud model. Moreover, in order to identify what cloud components are compromised once an attack happens, we have developed a class diagram that shows the composition of a cloud. By defining precisely the units of a cloud architecture, we can observe the progression of an attack ad define ways to stop its advance. We have also developed patterns for the cloud service models that describe more detailed cloud units [101][102]. 40
4.1. Cloud Architecture Overview Figure 8 presents an overview of a cloud architecture, which shows its fundamental and support services. Later sections will describe detailed cloud services levels in the form of patterns. As depicted in Figure 8, a cloud reference architecture is composed of four basic layers: hardware, IaaS, PaaS, and SaaS. The hardware layer represents the physical infrastructure including servers, network, and storage. These physical resources are grouped into nodes, and nodes which are physically close to each other form a cluster. IaaS layer provides virtualized computer resources in the form of virtual machines (VMs). A VM is created and managed by virtual machine monitors (VMMs), which access the underlying infrastructure on behalf of them. A virtual machine image is used for instantiating a VM. Typically a virtual machine image contains an operating system, basic configuration information such as number of CPUs, amount of memory, size of disk, and pre-installed applications. The PaaS layer is built on top of the IaaS layer which provides a set of virtual machines to create develop, deploy and test applications online. SaaS layer can be either built on top of IaaS or on top of PaaS, which provides a set of applications on demand over the network. All these cloud services and their components are managed through the Management Services unit, which provides functions that allow providers to set up, deliver, provision, and monitor their services. Also, this unit also provides business services that support cloud services such as pricing, metering, billing, account management, contracts and others. Non-functional services such as security, 41
availability, portability, interoperability and reliability must be implemented across all layers of the reference architecture. Figure 8: Cloud Architecture Overview 4.2. Cloud Computing Standards There is a need for a set of cloud standards including security, portability and interoperability standards in order to promote the adoption of Cloud Computing. Serious problems may arise when a customer wants to move his application or data to another cloud vendor. He can end up having his data or applications in a format that is not supported by other cloud provider. Many cloud vendors offer their own proprietary 42
services which makes difficult for customers to migrate to another vendor. There are few standards for clouds, but NIST is leading some work in this direction by identifying current standards and standard gaps [103]. Cloud computing leverages existing technologies including web services, the Internet, and virtualization. There are many standards that support these technologies. Existing web services standards have emerged to solve security, reliability and interoperability concerns. Other standards are under development in order to support cloud computing functions and requirements. A complete list of standards that are related to cloud computing and specific-cloud standards can be found in [104]. Some of them are: Open Virtualization Format (OVF) [105] developed by Distributed Management Task Force (DMTF) is an open standard for packaging and securely distributing virtual appliances across different virtual environments. There are some vendors that use OVF in their products such as VMware [106], IBM s SmartCloud [107], VirtualBox [108], and OpenStack [109]. Cloud Infrastructure Management Interface (CIMI) [110] developed by DMTF standardizes interactions between clouds in order to achieve interoperable cloud infrastructure management between cloud providers and consumers. This standard has been released recently with the collaboration of Microsoft, Oracle, IBM, Hitachi, VMware, and others. Open Cloud Computing Interface (OCCI) [111] from Open Grid Forum describes APIs that allow cloud providers to expose their services though standardized interfaces. There are some cloud vendors such as OpenNebula [112] and OpenStack [109] that offer APIs that are based on the OCCI standard. 43
Cloud Data Management Interface (CDMI) [113] from the Storage Networking Industry Association (SNIA) defines the functional interface that applications will use to create, retrieve, update and delete data elements from clouds. CDMI was produced with the collaboration of different organizations. Several private and government organizations have developed standards to ensure that some level of security is followed by an organization. However, some standards are not well adopted by organizations due to several reasons due to their ambiguities such as web services standards. We can eliminate or reduce confusion by defining precisely a reference architecture. This reference architecture can be used as a starting point for developing standards for clouds to ensure that the fundamental definitions and cloud components are well-understood. 4.3. Use Case Model As part of the reference architecture for Cloud Computing, we define a use-case model which describes some common functions for cloud environments. The Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) project at the NIST [114] has produced a list of use cases related to portability, interoperability, and security. Cloud Computing Use Case Discussion Group [115] defines common use case scenarios for Cloud Computing. This work describes the capabilities and requirements needed to be standardized in order to achieve interoperability, integration, and portability. This collaborative work describes seven typical scenarios in Cloud Computing such as cloud applications accessed by end users, cloud applications accessed by a company s employees and end users, cloud applications integrated with a company s internal 44
processes, cloud applications accessed by partners companies, private clouds, changing cloud vendors, and hybrid clouds. [116] provides a use-case model for SaaS which shows how a system behaves. Also, the authors in [117] describe a use-case model that shows functional requirements for PaaS models. Based on these previous works, we compile general functions that can be applied in all cloud services (Figure 9). However, the details from some use cases will vary from one cloud model to the other one. Thus, we produce use case models for each cloud service as well. Use cases can help to identify possible flaws in the system by analyzing their activities. Also, use cases aims to identify actors that will interact with the system. An actor can be either a person or an institution. There are four main roles: cloud consumer, cloud provider, cloud auditor, and cloud broker. Cloud Consumer: A cloud consumer is a person or an institution that uses a service from a cloud provider. If the cloud consumer is an institution, then there may be different sub-roles. For example, SaaS consumers can be end users who consumes directly the applications, service administrator who configures applications for end users, business manager who is responsible for the financial aspects, or IT manager who is responsible to integrate the cloud services with local processes. However, PaaS consumers can also be application developers, testers, and deployers, and IaaS consumers can be IT manager, system developers, and system administrators as well. Cloud Provider: A cloud provider can be also a person or an institution that provides a service to the cloud consumer. The cloud administrator is a super role that can be divided into other three roles: IaaS administrator, PaaS administrator, and SaaS administrator. Each administrator can be divided into two main actors: service operations 45
administrator and service business administrator. A service operations administrator is responsible for setting up, monitoring, managing, deploying and provisioning cloud services. A service business administrator establishes business relationships with cloud consumers such as setting up accounts and signing contracts. Cloud Auditor: A cloud auditor can be part of the cloud provider or it can be a thirdparty that evaluates cloud services offered by a cloud provider in terms of security, privacy, availability, performance, etc. They express an opinion whether a cloud service complies with certain standards. Many industries such as healthcare and finance, there are strong regulations such as HIPAA that dictates how data should be handled and where it should be stored. Auditors can verify if a cloud provider follows these regulations. Cloud Broker: Multiple cloud providers offer disparate services that it may be too complex for consumers to integrate them. This is where a cloud broker appears. A cloud broker is an entity that intermediates between cloud consumers and providers, so instead of contacting a cloud provider directly, a cloud consumer contacts a cloud broker. A cloud broker can improve some functionalities or combine different services from different cloud providers. The following use cases represent common functions for cloud services in general, where service represents IaaS, PaaS, or SaaS. Open Account: A cloud consumer requests to open an account in order to subscribe to a service. To open an account, a consumer typically provides his email address and credit card information. The provider may verify that the provided email address and credit card information are valid. 46
Request Service: A consumer requests a service to the cloud provider who validates if the user has a valid account. The cloud provider deploys the service based on the user s request. Consume Service: A consumer starts using the service. Once the consumer starts consuming a service, the provider starts metering the consumer usage of the service. The collected information will be passed to the billing process in order to generate invoices for payments. Modify Service: Consumers request to increase or decrease cloud resources or change type of service. Request Service Removal: A consumer requests to terminate the service. The cloud provider releases the allocated resources. Also, the provider sends the final billing. Close Account: A consumer requests to close the account. He may also request to return his data or to transfer the data to another cloud. Providers will terminate all the services where the consumer was subscribed, and issue the last bill. Pay Bill: A consumer pay either directly to the provider or through a financial institution. Setup Service: Cloud providers are responsible for the hardware and software installation in order to deliver their services. Register Service: Once the service is setup, cloud providers need to publish a list of available services in some sort of catalog where users can locate them. Monitor Service: Cloud providers monitor the status of the system and its resources. In IaaS, providers monitor their underlying infrastructures (servers, 47
storage and network), and the virtual resources. In PaaS, provides monitor the virtual development and deployment environments, and SaaS providers monitor the performance of their applications. Manage Service: Management operations include allocation of virtual and physical resources and applications configurations and provisioning. Also, it includes security management operations such as authentication, authorization, data protection, and resource isolation. Meter Usage: Depending on the pricing model, there may be a need to meter customer usage of the service such as processing power, network bandwidth and storage space. The collected information will be passed to the billing process in order to generate invoices for payments. Update Service: Cloud providers handle the update of their current services such as patching and upgrading current versions of software, and acquisition of new software or hardware. Generate reports: Generate reports to provide the status of the service, resource usage, resource available, etc. Audit Service: Cloud providers can request to audit their facilities and operations to third-party auditors to evaluate their services in terms of security, privacy, performance and others. Auditors can also certify that a cloud service is compliant with certain standards. 48
Figure 9: Common Use Cases for Cloud Computing Figure 10 shows some typical use cases for Infrastructure-as-a-Service. Setup Infrastructure: IaaS providers setup all underlying infrastructure: hardware (servers, storage and network) and the virtualization software. 49
Create VMI: Both users and IaaS providers can create Virtual Machine Images (VMI) from scratch. A VMI contains the initial configuration files which may include operating system, number of CPUs, amount of memory, size of disk, and pre-installed applications. VMIs are used to instantiate Virtual Machines. Register VMI: VMIs are stored into a repository where they can be accessed by users. Modify VMI: Users may need to modify existing VMIs to meet their requirements. Request VM: Users specify the amount of computational resources and types of software components needed in a new VM. Create VM: IaaS Provider allocates resources and creates a VM with the requirements specified by the user such as memory size, CPU size, storage size, and other customization information. Consume VM: A party starts using it by installing and configuring any application. The cloud provider also starts metering the usage of the service in order to send this information to the billing process. Modify VM: Parties request to their providers to increase/decrease computing and storage resource. Manage VM: There are some management operations that a party can perform on their virtual machine once it is created such as: start, migrate, suspend, shutdown, resume, rollback, and restart. Manage set of VMs: The Cloud Administrator can also perform some management operations on the virtual machines that are under his supervision due to fault tolerance, hardware maintenance, workload balancing, and elastic scaling. 50
Figure 10: Use Case Diagram for IaaS Figure 11 shows the use case diagram for Platform-as-a-Service. Setup Environment: The PaaS provider configures the environment that hosts development languages, databases, libraries, and other components and tools in order to develop and deploy applications. If the PaaS provider does not own the underlying infrastructure including network, servers and storage, he has to rent the infrastructure where environments will be hosted. 51
Manage Environment: The PaaS provider manages the installation, upgrading, configuration, and patching of all the development and deployment tools. Request Environment: A user requests an environment to develop, test, or deploy his own application. Consume Environment: Developers (users) can start coding, testing, or deploying their custom applications. Developers may have the option to work offline where they have to install a client application in their local machines. While the party uses the environment, it is metered in order to generate the bill for the service usage. Figure 11: Use Case Diagram for PaaS 52
Figure 12 shows the use case diagram for Software-as-a-Service. Setup Application: The SaaS provider installs the application on the cloud, so it can be accessible on demand. The SaaS provider does not necessarily own the physical infrastructure where the application is running. In this case, the SaaS provider has to rent the infrastructure or platform for hosting its applications. Manage Application: The SaaS provider is in charge of the configuration, updates and patches of the SaaS applications. Register Application: The SaaS provider registers applications so they can be accessible to SaaS users. Request Application: A user requests to use an application. Consume Application: A user starts consuming the application and the data is saved on the cloud. The user may need to download a client application on his local machine and then the data is synchronized with the data in the cloud. 53
Figure 12: Use Case Diagram for SaaS 4.4. Infrastructure-as-a-Service 4.4.1. Intent Describe the infrastructure to allow the sharing of distributed virtualized computational resources such as servers, storage, and network. 4.4.2. Context Distributed systems where we want to improve the utilization of resources and provide convenient access to all users. 54
4.4.3. Problem Some organizations do not have the resources to invest in infrastructure, middleware, or applications needed to run their businesses. Also, they may not be able to handle higher demands, or they cannot afford to maintain and store unused resources. How can they get access to computational resources? 4.4.4. Forces Transparency - The underlying architecture should be transparent to its users. Users should be able to use the provider s services without understanding its infrastructure. Flexibility - Different infrastructure configurations and amounts of resources can be demanded by users. Elasticity - Users should be able to expand or reduce resources in order to meet the different needs of their applications. Pay-per-use - Users should only pay for the resources they consume. On demand service Services should be provided on demand. Manageability - In order to manage a large amount of service requests, the cloud resources must be easy to deploy and manage. Accessibility - Users should access resources from anywhere at anytime. Testability - We intend to develop system programs in this environment and we need to test them conveniently. Shared resources - Many users should be able to share resources in order to increase the amount of resource utilization and thus reduce costs. 55
Isolation - Different user execution instances should be isolated from each other. Shared Non-functional requirements provision (NFRs) Sharing of the costs to provide NFRs is necessary to allow providers to offer a higher level of NFRs. Security This level is the basis for execution of the complete cloud system and its degree of security will affect all the applications running on it. We should provide a convenient and measurable structure to define security requirements. 4.4.5. Solution The solution to this problem is a structure that is composed of many servers, storage, and a network, which can be shared by multiple users and accessible through the Internet. These resources are provided to the users as a form of service called Infrastructure-as-a- Service (IaaS). IaaS is based on virtualization technology which creates unified resources that can be shared by different applications. This foundation layer IaaS can be used as a reference for non-functional requirements. Structure Figure 13 shows a class diagram for a cloud infrastructure. The Cloud Controller is the main component which processes requests from a Party (actor) through a Portal. A Portal is the external interface where a Party makes requests to the cloud provider. A Party can be an institution or a user (customers and administrators). A Party can have one or more Accounts. The Cloud Controller receives requests from the users. A Cloud Controller controls a set of Cluster Controllers, and the Cluster Controller is composed of Node Controllers, which consist of a pool of Hardware (Servers, Storage and Network). The Cluster Controller handles the state information of its Node Controllers, 56
and schedules incoming requests to run instances. A Node Controller controls the execution, monitoring, and termination of the VMs through a Virtual Machine Monitor (VMM) which is the one responsible to create and run Virtual Machines (VM) instances. The Cloud Controller retrieves and stores user data and Virtual Machine Images (VMI). The Virtual Machine Image Repository contains a collection of Virtual Machine Images that are used to instantiate a VM. The Dynamic Host Configuration Protocol (DHCP) server assigns a MAC/IP (Media Access Control/Internet Protocol) pair address for each VM through the Cloud Controller, and requests the Domain Name System (DNS) server to translate domain names into IP addresses in order to locate cloud resources. 57
Figure 13: Class Diagram for Infrastructure-as-a-Service architecture Dynamics UC1: Create a Virtual Machine (Error! Reference source not found.) For the creation of a VM, a party can provide the location for his VM, or it can be assigned by the provider. For this use case, we assume that the party provides the location. Summary: Create of a Virtual Machine for a party who provides the list of resources needed, virtual machine image, and the location for his VM. Actor: Party Precondition: The party has a valid account 58
Description: a) A party requests a set of computational resources and chooses the virtual machine image and the location where the VM is going to be located. b) The Cloud Controller verifies whether the requester has a valid account. c) The Cloud Controller requests to the Cluster Controller that controls the specified location to create a VM. d) The Cluster Controller chooses the first Node Controller that can support the computational resources requirements. e) The Cluster Controller requests the Node Controller to create a VM. f) The Node Controller sends the requests to the VMM that is in charge to actually create the VM. g) The VMM creates a VM with the requested resources and assigns it to the party s account. h) The Cloud Controller acknowledges the Party through the portal that the VM has been created. Postcondition: A virtual machine is created and assigned to an account and to the hardware. 59
Figure 14: Sequence Diagram for Use Case Create a Virtual Machine 60
UC2: Migrate a Virtual Machine (Figure 15) The administrator can migrate a VM to a specific Node Controller that can be located in the same or in a different Cluster Controller. The administrator can also migrate a VM to a specific location or to the first node that has the available resources. For the scenario below, we assume that the administrator will move a VM to the first available Node Controller within the same Cluster Controller. Summary: A VM is migrated from one Node Controller to another one Actor: Administrator Precondition: a VM resides in some Node Controller (Compute Node Source) Description: a) The Administrator requests to the Cloud Controller to migrate a VM. However, the migration process can be automatic due to load balancing for example. b) The Cloud Controller sends a request to the Cluster Controller to start the migration of the VM. c) The Cluster Controller requests the Node Controller Source to stop the VM. The Node Controller Source forwards this request to the VMM Source. d) The VMM Source stops the VM and copies the content of the VM. e) Do the same as UC1 f) The VMM Source sends the content of the VM to the VMM destination. g) The VMM destination copies the content into the new VM Postcondition: The VM has migrated to another host 61
Figure 15: Sequence Diagram for Use Case Migrate a Virtual Machine 4.4.6. Implementation As an example, we show the implementation of one of the known uses of this pattern. There are many ways to implement our conceptual models and this is just a possible way to do it. Eucalyptus [14] is an open source software that allows to implement Infrastructure as a Service in order to run and control virtual machine instances via Xen and KVM. Eucalyptus consists of five main components that are described in Figure 16 [118]. 62
Figure 16: Eucalyptus main components The two higher level components are: the Cloud Controller and Walrus. The Cloud Controller is a Java program that offers EC2-compatible SOAP and web interfaces. Walrus is a data storage where users can store and access virtual machine images and their data. Walrus can be accessed through S3-compatible SOAP and REST interfaces. Top-level components can aggregate resources from several clusters. Each cluster needs a Cluster Controller which is typically deployed on the head-node of a cluster. Each node will also need a Node Controller for controlling the hypervisor. Cluster Controller and Node Controllers are deployed as web services, and communications between them takes place over SOAP with WS-Security [119]. A cloud can be setup as a single-cluster where the Cloud Controller and the Cluster Controller are located on the same machine, which are referred to front-end. All other machines running the Node Controllers are referred as back-end. However, there could be also a more advanced configuration which comprises several Cluster Controller or Walrus deployed in different machines. 63
A typical configuration includes [120]: 1 Cloud Controller (CPU-1GHz, Memory-512MB, Disk-5400rpm IDE, Disk space-40gb) 1 Walrus Controller (CPU-1GHz, Memory-512MB, Disk-5400rpm IDE, Disk space-40gb) 1 Cluster Controller + Storage Controller (CPU-1GHz, Memory-512MB, Disk- 5400rpm IDE, Disk space-40gb) Nodes (VT extensions, Memory-1GB, Disk-5400rpm IDE, Disk space-40gb) 4.4.7. Known Uses Eucalyptus [14] is an open source framework used for hybrid and private cloud computing. OpenNebula [15] is an open source toolkit to build clouds. Nimbus [121] is an open source set of tools that offers IaaS capabilities to the scientific community. Amazon s EC2 [13] provides compute capacity though web services. HP Cloud Services [122] is a public cloud solution that provides scalable virtual servers on demand. IBM SmartCloud Foundation [123] offers servers, storage and virtualization components in order to build private, public and hybrid clouds. 4.4.8. Consequences The Cloud Infrastructure Pattern provides the following benefits: 64
Transparency Cloud users are usually not aware where their virtual machines are running or where their data is stored. However, in some cases users can request a general location zone for virtual machines or data. Flexibility - Cloud users can request different types of computational and storage resources. For instance, Amazon s EC2 [13] provides a variety of instance types and operating systems. Elasticity - Resources provided to users can be scaled up or down depending on their needs. Multiple virtual machines can be initiated and stopped in order to handle increased or decreased workloads. Pay-per-Use Cloud users can save on hardware investment because they do not need to purchase more servers. They just need to pay for the services that they use. Cloud services are usually charged using a fee-for-service billing model [2]. For instance, users pay for the storage, bandwidth or computing resources they consume per month. On demand services IaaS providers deliver computational resources, storage and network as services with one click. Manageability - Users place their requests to the cloud administrator who allocates, migrates, and monitors VMs. Accessibility - Cloud services are delivered using user-centric interfaces via the Internet [124] from anywhere and anytime. Testability Having an isolated environment allows testing system programs without affecting the execution of other virtual machines. 65
Shared resources - Virtualization enables to share a pool of resources such as processing capacity, storage, and networks. Thus, higher utilization rate can be reached [125]. Isolation A VMM provides strong isolation between different virtual machines, whose guest operating systems are then protected from one another [126]. Shared Non-functional requirements (NFRs) provision Some IaaS providers offer security features such as authentication and authorization to customers that can be added as part of the service. Sharing allows the provider to offer a higher degree of NFRs at a reasonable cost. Security - Security defenses can be defined wih respect to this architecture. For example, connection of users to the cloud controller may be mutually authenticated to avoid impostors from either side. The Cloud Infrastructure Pattern has the following liabilities: Cloud computing is dependent on network connections. While using cloud services, users must be connected to the Internet, although a limited amount of work can be done offline. The Cloud may bring security risks associated to privacy and confidentiality areas since the users do not have the control of the underlying infrastructure. The isolation between VMs may not be so strong [10]. Virtualization increases some performance overhead. 66
4.4.9. Related Patterns The Virtual Machine Operating System [127] describes the VMM and its created VMs from the point of view of an OS architecture. The Grid Architectural Pattern [128] allows the sharing of distributed and heterogeneous computational resources such as CPU, memory, and disk storage for a grid environment. Misuse patterns [10] describe possible attacks to cloud infrastructures. The Platform-as-a-Service (PaaS) pattern describes development platforms that provide virtual environments for developing applications in the cloud. Party [31] indicates that users can be individuals or institutions. 4.5. Platform-as-a-Service 4.5.1. Intent Provide virtual environments for developing, deploying, monitoring, and managing applications online without the cost of buying and managing the corresponding software tools or hardware. 4.5.2. Context PaaS services are built on top of the cloud s Infrastructure-as-a-Service (IaaS), which provides the underlying infrastructure. 67
4.5.3. Problem Organizations may want to develop their own custom applications without buying and maintaining the developing tools, databases, operating systems, and infrastructure underneath them. Also, when the team is spread across several places, it is necessary to have a convenient way to coordinate their work. How do we provide these functions? This problem is affected by the following forces: Collaboration sometimes teams of developers are located in different geographic locations. When working on a project, they all should have access to the development tools, code, and data. Coordination When many developers work on a complex project, we need to coordinate their work. Elasticity There should be a way to increase or decrease resources for more compute-intense development and deployment tasks. Pay-for-use Party should only pay for the resources that they use. Transparency Developers should not be concerned about the underlying infrastructure including hardware and operating systems, and its configuration for development and deployment. On demand services The developers should have the ability to request for an application tool and start using it. Accessibility Developers should be able to access the tools via standard networks and from anywhere at any time. Testability - We intend to develop application programs in this environment and we need to test them conveniently. 68
Versatility The platform should be able to be used to build applications for any domain or type of application. Also, different options for developing tools should be offered to the users. Simplification Developers should be able to build applications without installing any specialized tools or software in their computers. Security - The platform should offer facilities to develop secure programs and itself should be protected from attacks. 4.5.4. Solution PaaS offers virtual execution environments with shared tools and libraries for application development, deployment and testing into the cloud. PaaS uses IaaS as a foundation layer (servers, storage, and network). PaaS hides the complexity of managing the infrastructure underneath. Structure Figure 17 shows a class diagram for a cloud Platform-as-a-Service (PaaS). The Portal is an external interface where a party makes requests to the PaaS Provider that checks if the party has a valid account. A Party can be an Institution or a User (developers, administrators). The Party will choose the developing tools from the Software Repository which contains a list of developing tools available for the users. The PaaS provider offers Virtual Environments such as Development Environment, Deployment Environment, and Testing Environment. The Development Environment is composed of Development Tools, Libraries, and Databases. The Virtual 69
Environments are built upon the IaaS (Infrastructure-as-a-Service) which provides the underlying hardware. The same PaaS Provider can manage the IaaS, or it can be managed by a third-party service provider. Figure 17: Class Diagram for PaaS Pattern Dynamics UC1: Request Environment (Figure 18) Summary: A party requests a development environment in order to build his own application Actor: Party Precondition: The Party has an account Description: 70
a) The Party requests to use a development environment b) The PaaS Provider checks if the Party has a valid account c) The PaaS Provider instantiates the development environment d) The PaaS Provider assigns the development environment to the Party s account e) The PaaS Provider sends the client application to the Party. f) The Party downloads the client applications on his machine Postcondition: The client application is download in the party s machine Figure 18: Sequence Diagram for Consuming Development Software UC2: Deploy an Application (Figure 19) Summary: A party requests to deploy his application into the cloud, so the application can be accessed by anyone from anywhere at any time. Actor: Party (developer) 71
Precondition: The party has an account Description: a) A party requests to deploy his application into the cloud. b) The PaaS Provider checks if the party has a valid account. c) The PaaS Provider instantiates a Deployment Environment. d) The PaaS Provider installs and runs the code. e) The PaaS Provider acknowledges the Party through the Portal that his application is deployed. Postcondition: The application is running and ready to be accessed by the end-users Figure 19: Sequence Diagram for Deploying an Application 72
4.5.5. Implementation As an example of implementation of a typical PaaS approach we present here the approach used by Force.com. Force.com [19] is a cloud Platform-as-a-Service system from Salesforce.com. Force.com s platform provides PaaS services as a stack of technologies and services covering from infrastructure, database as a service, integration as a service, logic as a service, user interface as a service, development as a service, and AppExchange [18] in order to create business applications. Figure 20 shows the stack of Force.com s technologies and services, and it includes: Infrastructure - The foundation of Force.com platform is the infrastructure that supports the other layers. Force.com uses of three geographically dispersed data centers and a production-class development lab which use replication to mirror the data at each location. Database as a service It enables customers to create customized data objects, such as relational tables, and the use of metadata to describes those objects. Force.com provides data security by providing features such as user authentication, administrative permissions, object-level permissions, and field-level permissions. 73
Figure 20: The Force.com stack and services (from [18]) Integration as a service Force.com provides integration technologies that are compliant with open Web services and service-oriented architecture (SOA) standards, including SOAP, WSDL, and WS-I Basic Profile [129]. Force.com offers different prepackaged integration solutions such as Web Services API, Web Services Apex, callouts and mashups, and outbound messaging. Logic as a service Force.com provides three options for implementing an application s business processing logic: declarative logic (unique fields, audit history tracking, history tracking, and approval processes), formula-based logic (formula fields, data validation rules, workflow rules, and approval processes), and procedural logic (Apex triggers and classes). User Interface as a Service Force.com provides two types of tools for creating the user interface of applications built on the platform applications: Force.com s Builder and 74
Visualforce. Builder creates metadata, which Forces.com uses to generate a default user interface for each database object with its corresponding methods such as create, edit, and delete. With Visualforce, developers can use standard web development technologies such as HTML, Ajax, and Adobe Flex to create user interfaces for their cloud applications. Development as a Service - Force.com offers some features to create cloud applications: Metadata API, Integrated Development Environment (IDE), Force.com Sandbox, and Code Share. Metadata API allows modifying the XML files that control an organization s metadata. The IDE provides a code editor for adding, modifying and testing Apex applications. Apex is the Force.com proprietary programming language. Also, multiple developers can share a code source repository using the synchronization features of the IDE. Force.com Sandbox provides a separate cloud-based application environment for development, quality assurance, and training. Force.com Code Share allows developers from different organizations to collaborate on the development, testing, and deployment of cloud applications. Force.com IDE [130] is a client application for creating, modifying, and deploying applications. Once the user downloads the IDE in his local machine, he can start coding. The IDE is in communication with the Force.com platform servers. There are two types of operations: online and offline. For example, in the online mode, when a class is saved, the IDE sends the class to the Force.com servers that compile the class and return any result (error message). In the offline mode, all changes you performed on a local machine, and once you connect to Force.com, all those changes are submitted and committed. Force.com provides a built-in support for automated testing. Once an 75
application is developed in the development environment, it may be migrated to another environment such as testing, or production. The Force.com IDE provides an easy way to deploy; just right click on the component and select Deploy to Server. Application Exchange AppExchange is a cloud application marketplace where users can find applications which are delivered by partners or third-party developers. Force.com offers environments [131] where users can start developing, testing, and deploying cloud computing applications. There are different types of environments such as Production, Development, and Test Environments. The Production environment stores live data, while the Development Environment stores test data and are used for developing and testing applications. The Development Environment has two types: Developer Edition and Sandbox. Sandbox is a copy of the production environment that can include data, configurations, or both. A Developer Edition environment [132] includes the following developer technologies: Apex programming language, Visualforce for building custom user interface and controllers, the Integration APIs, and more. Figure 21 depicts the platform for the Developer Edition environment. The Force.com s virtual environments run on Salesforce s infrastructure. 76
Figure 21: Class Diagram of Force.com s PaaS architecture Force.com uses different security techniques to defense its platform from different types of threats [133]. User authentication: Most users are authenticated on the login page, but also there are other forms of user authentication: delegated authentication, and Security Assertion Markup Language (SAML). An authenticated session needs to be established before accessing the Force.com SOAP API and Metadata API. 77
Force.com secure its network using different mechanisms such as Stateful packet inspection (SPI), bastion hosts, two-factor authentication processes, and end-toend TLS/SSL cryptographic protocols. For sensitive data such as customer passwords, Force.com applies an MD5 oneway cryptographic hash function, and supports encryption of field data. At an infrastructure and network level, salesforce.com applies rigorous security standards, such as SysTrust SAS 70 Type II. Salesforce.com implements industry best practices to harden the host computers. For example, all hosts use Linux or Solaris distribution with non-default configurations and minimal processes, user accounts, and network protocols. 4.5.6. Known Uses Google App Engine [17] provides an environment to build and host web applications on Google s infrastructure. Google App Engine supports two application environments: Java and Python. Microsoft Azure [16] provides a platform to build, deploy, and manage applications. It provides different programming languages such as.net, Java, PHP and others in order to build applications. Salesforce [19] offers a development platform to build custom applications. (See Implementation) IBM SmartCloud Applications Services [134] delivers a collaborative environment that supports the full lifecycle for software development, deployment, and delivery. 78
4.5.7. Consequences The PaaS pattern provides the following benefits: Collaboration Geographically dispersed developers can collaborate on the same project because the code is managed online [135]. Coordination A project can be conveniently administered from a central point. Elasticity The resources (storage, networking resources, and servers) needed to develop and deploy an application can grow or shrink to accommodate varying workload volumes. Pay-for-use Parties only pay for the services they consume. Parties do not need to buy any developing tools or full year license. Transparency The PaaS provider manages upgrades, patches, and other maintenance as well as the infrastructure. The user does not need to worry about compatibility issues between the server configurations and the development software. On demand services PaaS providers offer software development tools that can be used by developers when needed. Accessibility PaaS services are accessed through the Internet via web browsers from anywhere at any time. Testability The variety of tools that we can use makes testing application programs in this environment more convenient. Versatility PaaS offers different programming languages and databases. For instance, using Microsoft Azure, you can build applications using.net, Java, PHP and others. 79
Simplification Developers do not need to buy or install any specialized software or tools, but they may need to install some client applications if they choose to work offline. The development applications are managed and maintained by the PaaS providers. Security - The development tools should include tools to develop, test, and deploy secure applications, supporting some secure methodology [136]. The platform itself should have protection against its identified threats. The Platform-as-a-Service pattern has the following liabilities: PaaS providers usually offer their own proprietary development software which makes hard to migrate an application from one vendor to another one. Also, APIs from different providers vary, which raises portability issues as well. The availability of the PaaS products depends mostly on the Internet. Thus, those services are available as long there are network connections. A PaaS provider can either own or sub-contract the underlying infrastructure to an IaaS provider. In either case, the security or availability of PaaS services may not be assured. 4.5.8. Related Patterns Cloud infrastructure Pattern describes the infrastructure to allow sharing of distributed virtualized computational resources. Misuse Patterns in [10] describe possible attacks to cloud environments, which may affect the security of PaaS. 80
Cloud Computing: Platform as a Service (PaaS) Pattern [117] describes execution environments for PaaS applications. Party [31] indicates that users can be individuals or institutions. 4.6. Software-as-a-Service 4.6.1. Intent Provide a set of software applications available in a cloud system that can be accessed by client devices through the Internet. 4.6.2. Context SaaS applications are hosted by the provider and accessed through the Internet via user interfaces or APIs (application programmable interfaces). 4.6.3. Problem Customers may need to use software products that do not require local installation and maintenance of the software. How can software be delivered over the network? This problem is affected by the following forces: Pay-for-use Customers should be charged on a per-use basis like utility services. Transparency Customers should not be concerned about the maintenance or updates of the software. On demand services Customers should have the ability to start using an application when needed. 81
Accessibility Customers should be able to access the software applications anytime and anywhere. Flexibility Customers should be able to configure the software application to their needs such as currency or date formats. Elasticity Applications should be able to scale down or up depending of the customers needs [52]. For example, a customer can increase or decrease the number of users using the application. Simplification Customers do not need to install any special software in their local machine. Security - The software offered to the users must be a secure application. It should be built following a secure methodology [136]. 4.6.4. Solution SaaS applications are delivered as a service to users typically thorough the Internet via web browsers or APIs. SaaS in clouds enables users to access applications on demand, in which both computation and storage are hosted in the cloud without installing any software in their local machines. SaaS can be developed and deployed using underlying Platform-as-a-Service or Infrastructure-as-a-Service offerings. Structure Figure 22 shows a class diagram for a Software-as-a-Service (SaaS). A SaaS Provider processes requests from parties through a Portal. A Party can be either a User or a group of users (Institution). A Party can have one or more Accounts. A SaaS 82
Provider offers a set of SaaS Applications. SaaS Catalog contains the list of the SaaS Applications that are offered to the users. There can be a single Application Instance of the application that is shared by different users, or single instance per user. The SaaS Provider offers a set of Software Applications that resides on a Platform. SaaS applications can be deployed using underlying Platform-as-a-Service or Infrastructure-asa-Service offerings. The platform can be owned or rented to a third-party provider. Figure 22: Class Diagram for SaaS Pattern Dynamics UC1: Subscribe to an application (Figure 23) 83
Summary: A User requests to buy a subscription in order to access an application from the SaaS provider Actor: User Precondition: The User has a valid account Description: a) A User requests to subscribe to an application thorough the Provider s Portal. b) The SaaS Provider checks if the user has a valid account. c) The SaaS Provider creates an instance of the software application. For this case, we assume that each application instance serves one party. d) The SaaS Provider acknowledges the user that his subscription to the application is done. Postcondition: The user can start using the application Figure 23: Sequence Diagram for UC1 - Subscribe to an application UC2: Consume an application (Figure 24) Summary: A User requests to consume a subscribed application Actor: User 84
Precondition: The User has an account and he has subscribed to the application Description: a) A User requests to consume an application that he was subscribed before b) The SaaS Provider checks if the user has a valid account. c) The User starts consuming the application d) The User requests to save his data Postcondition: The user s data is stored in the cloud Figure 24: Sequence Diagram for UC2 - Consume an application 4.6.5. Implementation SaaS can be categorized into four distinct levels [137]. The first level services are Ad Hoc/Custom where each customer has its own customized version of the hosted application. For the second level services, Configurable, provider s servers host a 85
separate instance of the application for each customer similar to the previous level. However, the instances are not customized for each customer, but they provide some configuration options. The third level services are Configurable, Multi-Tenant Efficient which a single instance serves all customers, with configurable metadata. At the fourth level, Scalable, Configurable, Multi-tenant-Efficient, multiple identical instances that are controlled by the load balancer. In order to manage multitenant data, there are three approaches for databases [138]. The simplest approach is to store data in different databases. For the second approach, the same database hosts multiple customers where each customer has their own tables and schema. In the third approach, customer s data are stored in the same database and set of tables. In Salesforce s model, a single instance of an application is shared among many customers, and customers data is stored in a shared database. For customization purpose, a metadata can be used to configure the way an application appears and behaves such as look of the screen and data fields. 4.6.6. Known Uses Salesforce.com s CRM (Customer Relationship Management) [19] is an online web-based software that records, tracks, manages, and analyzes sales data. Google apps such as Gmail, Google Calendar, and Google Docs [20] are webbased applications that can be accessed through different thin clients with Internet connection. 86
Freshbooks.com [21] is an online invoicing service that mainly serves to small business. IBM SmartCloud Solutions [139] provides a set of software and business processes delivered by IBM as a service including Business Analytics and Optimization, Social Business, Smarter Commerce, and Smarter Cities. 4.6.7. Consequences The SaaS pattern provides the following benefits: Pay-for-use SaaS providers often charges their applications based on some parameters such as number or users [140]. For example, Salesforce s Enterprise CRM costs $125 per user per month. Google Apps for business costs $5 per user per month, but it is free for individuals and small teams. Transparency SaaS applications are deployed, supported, maintained, and upgraded by the provider. Due to the fact that SaaS applications are hosted on the cloud, updates and upgrades are available immediately to the users [52]. Users typically do not need to install or setup any application in their local machines. Also, SaaS applications can be used from any operating system. On demand services SaaS applications can be used once they are needed. For example, to get access to the Gmail (Google App), a user just opens a browser, logins in his account, and starts using the application. Accessibility SaaS applications can be accessed across the Internet by a user at anytime. 87
Flexibility SaaS applications can be customized to a certain degree depending how they were designed. Not all providers offer customization. For instance, a customer may modify the page layout. Elasticity SaaS applications are hosted in the cloud, so the users do not need to install it in their local machines. Simplification Typically SaaS applications are access through web browsers or APIs, which do not require specific software on the client. Security - It is possible to deploy secure applications if they have been built using a secure development methodology [136]. The Software-as-a-Service pattern has the following liabilities: There are some applications that demand high user interaction; in that case the SaaS model may not be suitable because of the network latency. Since customers data is stored on the vendor s servers or even on a third-party s servers, data security becomes an issue. The network used to accessed SaaS applications can be insecure such as the Internet. It can raise some security problems such as integrity and confidentiality. SaaS applications typically are unique to each provider, which makes harder for users to switch to a different vendor. SaaS applications may be updated frequently by the providers, which may be difficult for users to manage the integration of SaaS applications with their business processes. 88
Cloud applications may introduce compliance concerns because the users data is stored and managed by the provider. 4.6.8. Related Patterns Infrastructure-as-a-Service Pattern [101] describes the infrastructure to allow sharing of distributed virtualized computational resources. Platform-as-a-Service Pattern [101] describes virtual environments for developing, deploying, testing, and managing applications online. Misuse Patterns in [10] describe possible attacks to cloud environments. Party [31] indicates that users can be individuals or institutions. 4.7. Reference Architecture Environment Error! Reference source not found. shows a class diagram for a Cloud Computing nvironment. A Cloud Computing Environment is a global view of a cloud, which describes the main cloud components such as cloud services, hardware, and support services. The Portal is the gate to access cloud services to cloud provider. A Cloud is composed of services, infrastructure, and support services such as operational, business and security services. Cloud physical resources can be located in different zones, Clusters. A Cluster is a collection of Nodes that are located within close physical proximity. A Node is made up of a set of Hardware (Servers, Storage and Network), Virtual Machines (VMs), and a Virtual Machine Monitor (VMM). A VMM creates and manages virtual machines and makes direct access to the hardware on behalf of them. The fundamental cloud services are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). The SaaS provides on demand 89
Applications while the PaaS offers Virtual Environments such as Development, Deployment and Testing Environments which includes programming languages, databases, libraries, and other tools. IaaS provides virtualized resources such as servers and storage as Virtual Machines. Support services are needed to provision the creation, implementation and management of cloud services. Business Support Services provides centralized management of cloud resources, including metering, billing, reporting, and account administration. Operational Support Services are responsible for monitoring, provisioning, and other management functions such as configuration, upgrades, and installations of the system. Non-Functional Services consist of security, availability, reliability, interoperability etc. 90
Figure 25: Class Diagram for a Cloud Computing Environment 91
4.8. Summary Since Cloud Computing has impacted organization strategies, we need some guidance in order to have a good understanding of this computing model. We have developed a reference architecture which defines the basic cloud units and their service models. This reference architecture includes common uses cases for clouds in general, but also for each service model. Since clouds are complex environments and each service model has their own requirements and characteristics, we describe them separately using patterns. There are many reference architecture developed by different vendors and organizations, which some of them describe cloud architecture using their own products. A reference architecture should not include implementation details, but some guidance in order to understand what is a cloud and not how is it deployed. Our goal is to produce a systematic methodology to add security to cloud systems which will be discussed in Chapter 6. This approach will be based on this reference architecture and a catalog of security patterns. 92
5. MISUSE PATTERNS In order to design a secure system, we need to understand possible threats to our system. Several methods have been developed to identify threats, e.g. [141]. Once identified, we need to describe how these threats are realized to accomplish a misuse according to the goals of the attacker. A misuse pattern describes how a misuse is performed from the point of view of the attacker [11]. It defines the environment where the attack is performed, countermeasures to stop it, and it provides forensic information in order to trace the attack once it happens. Misuse patterns are useful for developers because once they determine that a possible attack can happen in the environment, a corresponding misuse pattern will indicate what security mechanisms are needed as countermeasures. Also, misuse patterns can be very useful for forensic examiners to determine how an attack is performed, and where they can find useful evidence information after the attack is done. An important value of misuse patterns is that they describe the components of the system where the attack is performed using class diagrams and sequence diagrams, relating the attack to specific system units. We present in this chapter three examples of misuse patterns that describe some threats found in cloud computing environments. One of the vulnerabilities that is inherent in cloud computing is the co-location of virtual machines, where an attacker s virtual machine tries to reside in the same server of the victim s virtual machine with purposes of misuse, such as information inference based on resource usage (leakage of 93
information). Moreover, sharing virtual machine images is one of the new threats that cloud computing is facing. Virtual machine images are prepackaged software templates that are used to instantiate virtual machines. Thus, these images have a significant effect on the overall security of the cloud [71]. Cloud providers offer a repository service where providers and users can store their images. Users can either create their own image, or they can use any image stored in the repository. An attacker who creates a valid account can create an image containing malicious code such as a Trojan horse. If another customer uses this image, the virtual machine that he creates will be infected with the hidden malware, which can then perform a variety of misuses. Furthermore, the contents of virtual machines such as the kernel, applications, and data being used by these applications can be compromised during live migration. 5.1. Resource Usage Monitoring Inference in Cloud Computing 5.1.1. Intent Cloud systems allow many virtual machines to share the same physical infrastructure. An attacker s virtual machine may be placed in the same hardware as the victim s virtual machine to obtain some information such as estimate traffic rates or detect cache activity spikes. 5.1.2. Context Infrastructure-a-as-Service (IaaS) provides a set of virtualized resources such as servers, network, and storage that are accessible through the Internet. In IaaS, physical infrastructure is shared by multiple virtual machines (VMs) that are created and managed 94
by a Virtual Machine Monitor (VMM). The VMM is responsible for the isolation of its VM. 5.1.3. Problem To perform some types of misuse it is necessary to have a virtual machine co-located with the target s virtual machine in the same physical structure. How to assign a machine to be located in the same hardware as the victim s virtual machine? Once the attacker s virtual machine is placed on the same hardware as the victim s virtual machine, how the attacker can deduce information by monitoring the victim s behavior? The attack can be performed by taking advantage of the following vulnerabilities: Any person can open an account and create a VM. Knowing when a VM is running helps the attacker by informing him when the victim is running. The attacker should be able to receive unlimited resources as needed. Any resource that is shared by different virtual machines can become a covert channel that will provide some information that can be useful to infer something about any co-located virtual machine. 5.1.4. Solution When the user requests a virtual machine, he can specify the location where his VM will be located or it can assigned on his behalf. Also, the user specifies a VM instance type that indicates a combination of computational power, memory and persistent storage. The VMM creates a virtual machine that is assigned to a particular server located in the region specified by the user. 95
Like any other customers, an attacker can simply request to rent an infrastructure, and he can run and control virtual machines in the cloud. The attacker can successfully locate his virtual machine in the same hardware as the victim, and then learn some information by monitoring some channels. For example, In Amazon s EC2 and other clouds, it is more likely that an availability zone corresponds to a certain range of IP addresses [80]. Knowing the IP address of the victim, the attacker can determine the location of the VM and create his VM in the same zone. The attacker can observe the behavior of the victim, such as traffic rate or cache activity and deduce some information. In order for the attacker to determine the victim s IP address, systems such as EC2 map public IP addresses to private IP addresses through their DNS services. As a result, the attacker can make DNS queries in EC2 in order to find the required internal IP addresses. In [80], they conducted a survey of public servers on EC2 and they identified four distinct IP address prefixes. Then, they performed a TCP either to port 80 or port 443. From the IP addresses that corresponded to these ports, they performed a DNS lookup using the EC2's DNS. Structure Figure 26 shows a class diagram for the virtual machine structure in cloud computing. A Party can be either a User or an Institution which is composed of several Users. A Party creates one or more Accounts in order to use the Cloud s services. A Party makes a request to the Cloud Controller by a Portal which is the interface to access cloud services. The Cloud is composed of a set of Clusters which consists of a set of Nodes. Each Node is a collection of Hardware (server, storage and network), and it runs a number of Virtual Machines (VMs) which are created by a Virtual Machine Monitor 96
(VMM). A VMM creates VMS and assigns their instances to the Party who requested them. When the instance is launched, it is assigned to the Party s account and to the physical resources. The VM passes system calls to the VMM which executes those calls in the Hardware. In theory, a VMM isolates its Virtual Machines be defining a set of communication restrictions between them. However, using covert channels, two VMs can communicate bypassing all the rules defined by the VMM [70]. Thus, a malicious Virtual Machine can monitor shared resources without being noticed by its VMM, so the attacker can infer some information about other virtual machines. Figure 26: Class Diagram for virtualization in Cloud Computing 97
Dynamics UC1: Co-locate attacker s VM besides the Victim s VM (Figure 27) Summary: An attacker requests a VM that will be co-located on the same physical machine as the victim s VM. Actor: Attacker Precondition: The attacker must have a valid account, and he can choose the location where his VM will be located. Description: a) The attacker finds where his victim s VM is located. Amazon s EC2 [13] allows users to choose the location of his VM (region and availability zone). b) The attacker requests to rent a VM to the provider. c) Do the same as UC: Create a VM (from IaaS pattern) d) The attacker verifies if both VMs runs in the same hardware. For example, virtual machines running on top of a Xen hypervisor have matching Dom0 IP address (privileged domain) [1], or they have close internal IP addresses. Postcondition: A Virtual Machine is created in the specified location and assigned to the same physical hardware as the victim s VM. 98
Figure 27: Co-locate attacker s VM besides the Victim s VM UC2: Infer some of the victim s information by monitoring his resource usage (Figure 28) Summary: An attacker who has compromised the victim s VM with a malicious application inspects the shared resource in order to obtain some useful information. Actor: Attacker Precondition: The attacker must have an account and his VM runs on the same hardware as his victim s VM. Description: a) The attacker injects a malicious application inside the victim s VM. b) The attacker monitors the shared resource. 99
c) The malicious application sends sensitive information through a shared resource such as the network without being notice by the VMM. d) The attacker reads the sensitive information. e) Repeat steps b) d) Postcondition: The attacker gets some confidential information. Figure 28: Sequence Diagram for the use case Infer some of the victim s information by monitoring his resource usage 5.1.5. Consequences The success of this attack implies: Basically, anyone who has a valid credit can request a virtual machine from a provider. For example, in Amazon s EC2, a user creates an account using his email account and a valid credit card. Thus, an attacker can create and control virtual machines in the cloud. 100
Attackers can take advantage of knowledge about the target location because the DNS provides such information. A DNS s provider can map public IP addresses to local IP addresses. Amazon s EC2 uses a regular pattern when assigning IP addresses to VMs depending on the type of an instance and the location of the VM. This can be used to infer where a VM is located. Any physical resource that multiplexes between the attacker and the target can be a potentially useful channel: L2 cache, CPU load, data cache, network access, CPU branch predictors and instruction cache, DRAM memory bus, CPU pipelines, scheduling of CPU cores and time slices, disk access, etc. This information could be used by a competitor to deduce an imminent product announcement, a company s reorganization, or another significant institution event. Servers in cloud computing environments only run when needed, so an attacker can look at the status of the server and see if any virtual machine instances are running. This can make his work more efficient. Possible sources of failure include: There is a possibility that an attacker s instance is not assigned to the same server as the victim s instance even when we know the location and the type of the victim s instance. That location can be composed of many servers and the same types of instances can be assigned to different servers. Some defenses described in the next section can stop this attack. 101
In some clouds, users could request their virtual machines to be assigned on hardware that only can be occupied by virtual machines of their accounts. 5.1.6. Countermeasures Resource Usage Monitoring Inference can be stopped by the following countermeasures: Verify the background of the user when opening an account; however, this is very hard to do and may reduce the economic incentives of the provider. Enforce security policies in the VMM to minimize covert channels. For example, shype [142] is a security enforcement module implemented for Xen hypervisors. shype controls the sharing of resources between virtual machines according to formal policies. Authors in [143] proposes a model called Prioritized Chinese Wall model (PCW) to reduce the risk of covert information flows among virtual machines. Assign random local IP addresses to the instances, so the attacker will not associate a local IP address to a certain location or instance type. Control access to the DNS map. Monitor the utilization of the infrastructure so all users get some portion of the computing in the cloud. From the victim s perspective, cloud customers cannot monitor other customers computations to protect themselves against timing side-channel, and the provider cannot 102
monitor their customers computations due to privacy concerns. However, [144] proposes a new approach to reduce the risk of timing channel in clouds. From the point of view of the cloud provider, covert channel and side channel attacks cannot be detected since they rely on legitimate use of the system [145]. However, cloud providers can mitigate these types of attacks; two possible solutions are proposed in [145]. 5.1.7. Forensics Where can we find evidence of this attack? Providers can keep logs of the requests made by the users. Providers can keep logs of the co-located virtual machines that are assigned to the same server. 5.1.8. Related Patterns The Virtual Machine Monitor [127] provides isolation between different virtual machines that execute different operating systems. Resource Assignment patterns can be used for assigning servers to users. 5.2. Malicious Virtual Machine Creation 5.2.1. Intent A Virtual Machine Image is a type of virtual appliance that is used to instantiate a Virtual Machine (VM). Virtual Machine Images contain initial file system state and software for the machine. An attacker may create a virtual machine image that contains malicious code so it can infect other users when they create their virtual machines. The 103
attacker may read also confidential data from images that are publicly stored in the provider s repository. 5.2.2. Context Some IaaS (Infrastructure as a Service) providers offer a VM image repository where users can retrieve images in order to initialize their VM. These VM Images can be created and published by the provider or by a client. 5.2.3. Problem To perform some types of misuse it is necessary to be able to create and publish VM images. The attack can be performed by taking advantage of the following vulnerabilities: Any person who has a valid account can create and register a VM image. There should be a common place where the users can share VM images. VM images contain prepackaged software components for an application. Thus, an attacker can create a VM image with malicious code. VM images contain installed and fully configured applications. The configuration may require sensitive operations such as creating username and password [71]. 5.2.4. Solution When a user publishes a VM image as public, any other user of the cloud is able to use it to instantiate his VM. This VM image can contain malicious code. The Virtual Machine Monitor (VMM) will run this image in order to instantiate the user s VM. Now, the attacker can have control of the virtual machine and perform malicious activities such 104
as infect other computers. Infected virtual machines may appear briefly, infect other virtual machines, and disappear before they can be detected [67]. Structure Figure 29 shows a class diagram for the repository for VM images in cloud computing. A Party can be either a User or an Institution (set of users). A Party can have several Accounts. A Party requests to the Cloud Controller through a Portal in order to access a cloud service. The Cloud is composed of a set of Clusters, and each Cluster is composed of Nodes. A Node is a collection of Hardware (Server, Storage, and Network), a Virtual Machine Monitor (VMM) and a set of Virtual Machines (VMs) running on top of its VMM. A Virtual Machine (VM) is an isolated software container that has a CPU, RAM, hard disk, and network controllers. The VMM creates VMs by instantiating a Virtual Machine Image (VM Image), and it assigns their instances to the users who requested them. A VM Image is a pre-installed operating system and application stack. When the instance is launched, it is assigned to a physical server and given other hardware resources. The VM passes system calls to the VMM which executes those calls in the Hardware. A Party retrieves a VM Image from the Provider s VMI Repository. These images can be created and published by any user or by the provider. 105
Figure 29: Class diagram for VM Image Misuse Pattern ` Dynamics UC1: Publish a Malicious Virtual Machine Image (Figure 30) Summary: The attacker publishes a Virtual Machine Image that contains malicious code. Actor: Attacker Precondition: The attacker must have an account with the Cloud Provider Description: a) The attacker creates a VM Image. b) The attacker installs malicious software within the VM image c) The attacker requests to the Cloud to upload the VM Image. 106
d) The Cloud Controller checks if the attacker (legal user) has an account. e) The Cloud Controller uploads the VM Image into the repository. f) The Cloud Controller sends an acknowledgement to the attacker. Postcondition: A VM Image is created and placed into the Cloud Provider s repository, so any other user can use it and get infected. Figure 30: Sequence Diagram for the Use Case Publish a Malicious VM Image UC2: Launch a VM using an infected VM Image (Figure 31) Summary: A user launches a VM using an infected VM Image. Actor: User 107
Precondition: The user must have an account, and the attacker has published her VM Image into the Cloud Provider s repository. Also, the user should choose the VM Image created by the attacker. Description: a) The User request to the Cloud Controller to retrieve a list of VM Images available. b) The Cloud Controller checks if the user has a valid account. c) If the user is valid, the Cloud sends the list of VM Images. d) The User chooses the VM Image, and he requests to launch a VM to the Cloud Controller. Do the same steps as UC: Create a VM from IaaS Pattern e) Once the VM is launched, it executes the malicious code. Postcondition: The user s VM is infected and it may infect other VMs. Figure 31: Sequence Diagram for the use case Launch a VM using a malicious VM Image 108
5.2.5. Consequences Some of the benefits of the misuse pattern are the following: An attacker can open an account using a valid credit card and register malicious VM images into the provider s repository. VM Images contain all the software dependencies needed to run the Trojan horse, so the attacker does not need to worry whether the victims software stacks satisfies the Trojan horse s dependencies [71]. An attacker can get control of the infected virtual machines and obtain some confidential information. Repositories that contain malicious VM images can be a way to distribute malware. Infected virtual machines may infect other virtual machines. For example, an attacker may create a malicious VM image in order to infect other machines creating a collection of infected machines, Botnet [146]. Possible sources of failure include: There is a possibility that the users choose to create their own VM images instead of using a public VM Image. Since VM images are dormant artifacts that reside in the repository, they are not harmful if they are not executed. Users can only retrieve images that are from certified owners. 109
5.2.6. Countermeasures Malicious VM Images can be stopped by the following countermeasures: Authors in [71] proposed an image management system that control access to images, tracks the origin of images, and provides image filters and scanners that detect and repair security violations. Verify the background of the user when opening an account; however, this is very hard to do. Users can only retrieve or publish certified VM Images. Use an Intrusion Detection System (IDS) to identify malicious activities such as in [147]. 5.2.7. Forensics Where can we find evidence of this attack? Providers can keep logs of the users that publish/retrieve VM Images. We can audit a suspicious VM Image. 5.3. Malicious Virtual Machine Migration Process 5.3.1. Intent The attacker tries to provoke leakage of sensitive information or modify the virtual machine (VM) content while it is in transit. 110
5.3.2. Context Cloud environments mostly rely on virtualization. The virtual machine monitor (VMM) provides the foundation for virtualization management. One important feature is the migration of a VM from one VMM to another one due to high availability, hardware maintenance, fault tolerance, and load balancing [148]. 5.3.3. Problem To perform some types of misuse it is necessary to be able to monitor and intercept the transfer of a VM from one server to another. The attack can be performed by taking advantage of the following vulnerabilities: The migration process involves transferring the VM content across a network that can be insecure such as the Internet. The VM may be transferred in clear text. Thus, its information can be captured or modified by an attacker. The module that handles migration operations can be compromised. A VM can be transferred to an insecure host. The content of the transferred VM may have malicious code. 5.3.4. Solution When a VM is transferred from one server to another, an attacker can monitor the network and obtain some confidential information or manipulate the VM content while it is in transit. Also, the attacker can compromise the VMM and gain full control of the migration process. 111
Structure Figure 32 shows a class diagram for VM Migration Process. A Party can be either a User or an Institution (set of users). A Party can have several Accounts. A Party makes requests to the Cloud Controller via a Portal. A Cloud is composed of Clusters, where each Cluster comprises a set of Nodes. A Node is a collection of Hardware (Servers, Network, and Storage), a VMM, and a set of VMs. A Virtual Machine Monitor (VMM) creates and manages Virtual Machines (VMs). A VM is a software implementation of a machine that executes programs. Its kernel operations are performed by calls to the VMM. VMMs assign instances of the Virtual Machine to a physical server, which includes other Hardware resources. The VMM manages the migration process of a VM from one server (VMM) to another. Figure 32: Class Diagram for VM Migration Process 112
UC1: Man-in-the-middle attack during VM migration process (Figure 33) Summary: An attacker listens to the network during a migration process to obtain some confidential data. Actor: Attacker, Cloud Manager Precondition: The attacker has impersonated both the source and the destination VMM Description: a) The attacker starts monitoring the network traffic b) The Cloud Manager requests to migrate a VM from one VMM to another one. The request will be forwarded from Cloud Controller to Cluster Controller, and then to the Node Controller, and finally the VMM will perform the migration process. c) The source VMM requests VM migration to the destination VMM d) The source VMM starts transferring the VM to the destination VMM e) The attacker captures the traffic being transmitted f) The attacker modifies the VM g) The destination VMM receives the VM and starts the new VM Postcondition: The attacker captured and modified the VM. 113
Figure 33: Sequence Diagram for the use case Man-in-the-middle attack during VM migration process UC2: Migrate several VMs to a victim VMM (Figure 34) Summary: A large number of VMs are transferred from a compromised VMM to the victim VMM. Actor: Attacker Precondition: The source VMM (VMMc) has been compromised and the attacker has gained control of the migration module Description: a) The attacker requests to migrate a list of VMs to the victim VMM. The request will be forwarded from Cloud Controller to Cluster Controller, and then to the Node Controller, and finally the VMM will perform the migration process. b) The compromised VMM requests VM migration to the victim VMM (VMMv) c) The destination VMM accepts the request 114
d) The compromised VMM starts transferring several VMs e) The victim VMM receives the VMs and starts the new VMs Postcondition: The attacker has overwhelmed the victim machine by migrating a large number of VMs to the destination machine. Figure 34: Sequence Diagram for the use case Migrate several VMs to a victim VMM 5.4. Consequences Some benefits of the misuse pattern are the following: The attacker can intercept the VM and obtain some confidential information, or he can modify the content of the VM while it is crossing the network. After the attacker compromises a VMM, he may send a large number of VMs to a victim s machine, causing disruptions or denial of service. 115
A compromised VMM can transfer the victim s VM to the attacker s machine, gaining full control of the VM. A transferred VM may contain malicious code that can infect other VMs that are under the control of the target VMM. Possible sources of failure include: When the attacker eavesdrops on the communication channel, he may not get all the necessary data. Some defenses described in the next section can stop this attack. 5.4.1. Countermeasures Insecure VM Migration can be stopped by the following countermeasures: [84] proposes a Trusted Cloud Computing Platform (TCCP) that provides confidential execution of guest virtual machines. It provides secure VM launch and migration operations. [85] proposes a secure migration system that provides VM live migration capabilities under the condition that a VMM-protected system is present and active. The connection between the source and the destination VMMs should be authenticated and encrypted during the migration process. Isolate VM migration traffic to prevent eavesdropping attacks. 5.4.2. Forensics Where can we find evidence of this attack? 116
The provider can keep logs of the VMs that are transferred from one machine to another. Also, it can store information about the source and destination VMMs. 5.4.3. Related Patterns The Virtual Machine Monitor provides isolation between different virtual machines that execute different operating systems. 5.5. Discussion Designers need to understand the possible threats before designing secure systems. Our misuse patterns show that clouds are also vulnerable to attacks targeting some of its features such as shared virtual machine images, virtual machine live migration, and isolation. Identifying only threats is not enough; we need to understand how an attack is performed. These misuse patterns can help designers to understand how an attack is performed and what components of the system were used and compromised during an attack. Misuse patterns follow a template that contain different sections: context that describes the environment that the attack is performed, problem that includes forces which describes the vulnerabilities of the system, solution that depicts the components of the system using a class diagram and how an attack is performed using sequence diagrams. Also, misuse patterns describe the consequences which discuss the benefits and drawbacks of the misuse pattern from the attacker s point of view, countermeasures that enumerate security mechanisms which can be applied to mitigate the threat, and forensics that indicate how to trace an attack once it happens or where to search for forensic data.. It is possible to build a relatively complete catalog of misuse patterns for cloud computing. Having such a catalog we can analyze a specific cloud architecture and 117
evaluate its degree of resistance to these misuses. The architecture (existing or under construction) must have a way to prevent or at least mitigate all the misuses that apply to it. When potential cloud customers buy cloud services they negotiate a Service Level Agreement (SLA) with the provider. This SLA could indicate what misuses the provider is explicitly able to control. Many providers do not want to show their security architectures; showing their list of misuse patterns would give them a way to prove a degree of resistance to misuses without having to show their security details. 5.5.1. Summary We have presented some cloud computing threats as misuse patterns which describe in a systematic way how a misuse is performed from the attacker point of view. Virtualization, a key component for clouds, enables clouds to improve the utilization of physical resources by sharing resources by different users. Sharing resources among different virtual machines gives some opportunities to an attacker to monitor confidential information. Also, virtual machines can be transferred from one server to another. Migration process uses a network such as the Internet to transport virtual machines; thus, attackers can exploit this vulnerability by listening to the network in order to obtain some confidential data. Also, sharing virtual machine images, virtual appliances that contain pre packaged software used to initialize the virtual machine, raises security concerns. Virtual machine images may contain malicious code that can be propagated once a user executes one of these malicious images. 118
6. SECURE REFERENCE ARCHITECTURE Different cloud deployment models and cloud services creates different concerns about how security is enforced. A Private cloud is deployed for a specific company while public clouds serve many customers sharing the same resources. For private clouds, multi-tenancy is not a concern, but it introduces many security issues when working with public clouds. In the same way, cloud services also create different security issues. For example, SaaS services are provided typically though the Internet via web browsers. This type of security issues is also true for any kind of system that uses web applications; however, the result could be more catastrophic because an attacker may also compromise data from many users. For the PaaS model, a user gets a development environment where he can develop any kind of application even containing malicious code. Once that application is deployed into the cloud, it can attack other users. IaaS services provide virtual machines which may create other points of attack through the hypervisor and its virtual resources. The basic approach we use adds security to cloud systems by applying a systematic methodology from [149], which can be used as a guideline to build secure cloud systems and evaluate the security level of the secure framework. We use as starting point our reference architecture [150]. We combine security and misuse patterns to build a secure reference architecture. By checking if a threat (misuse pattern) can be stopped or mitigated in the secure reference architecture, we can evaluate its level of security. We 119
have done a systematic enumeration of cloud threats [3] and have started building a catalog of cloud misuse patterns [10]; with a complete catalog we can apply them systematically and use the reference architecture to find where we should add corresponding security patterns to stop them [149]. 6.1. Securing a Cloud Reference Architecture We build here a secure reference architecture by using a methodology developed in [149] which integrates security patterns in the application life cycle. Figure 35 describes how to secure a reference architecture: We analyze each use case looking for vulnerabilities and threats as in [141]. We use the list of threats from [3] to find further vulnerabilities and threats. These threats are expressed in the form of misuse patterns [11] that describes how an attack happens from the point of view of the attacker. We developed some misuse patterns for Cloud Computing in [10]. We apply policies to handle the threats and we identify security patterns to realize the policies. There are some defenses that come from best practices and others that handle specific threats. We evaluate the security level of the of the reference architecture by using misuse cases. 120
Figure 35: Securing a cloud reference architecture 6.2. Administration of Security Use Cases We assume Role-Based Access Control (RBAC) as authorization model. In RBAC, a user is assigned to roles, and rights are assigned to a role. There are some security functions that can be applied to all cloud models (Figure 36). This is just an illustrative list; it is necessary to define a structured governance function from which security functions and policies can be derived. Login Provide a portal for users to access cloud services. Create a user A user can be a single individual or an institution (collection of users). There are two types of users: cloud provider s users and cloud consumer s users. 121
Delete user Once a cloud employee leaves the company or a customer closes his account, the user that corresponds to him is erased. Create role A role defines a task that a person performs in his job. For example, a cloud employee can be an IT administrator, security administrator, cloud administrator, node administrator, and cluster administrator. A customer can be an end-user, developer, IT manager, and institution manager. Roles are assigned rights. Delete role A role can be deleted if there are not associated user to it. Assign rights to a role Rights are functions that a role can perform in the system. For instance, a cluster administrator can migrate virtual machines within his jurisdiction. Assign roles to a user Users must be given roles before interacting with the system. Define security mechanisms Security administrators define what cryptographic measures will be implemented across all cloud layers. For example, define algorithms that will secure data while it is being transferred, stored or processed. 122
Figure 36: Security Use Case Model 6.3. Identifying Threats We can enumerate threats systematically by using uses cases and activity diagrams. We have identified use cases for cloud environments in [150]. This systematic approach implies a detailed investigation of each activity from each use in order to find possible threats [141]. However, this approach can be combined with the analysis of security 123
threats done in [3], which lists threats in the literature. Figure 37 describes an activity diagram that shows several threats: Figure 37: Activity Diagram for Use Cases Create VMI and Publish VMI We have identified some threats by analyzing the flow of events in a use case (Figure 37). Table 5 depicts an analysis of each action in the activity diagram according to main security attributes, the source of the threat, and assets that can be compromised. The standard main security attributes are confidentiality (CO), integrity (IN), availability 124
(AV), and accountability (AC). The source of the threat can be an authorized insider (AIn), unauthorized insider (UIn), or outsider (Out). Table 5: Misuse Activities Analysis Actor Action # Cloud Create Customer VMI T1 Cloud Customer IaaS Administrator Send VMI Receive VMI Sec. Att. CO/IN/AV/AC Misuse Activity Source AIn/UIn/Out Description Asset IN Out Insert malicious code within the image VMI CO Out VMI may be read while VMI T2 being transmitted IN Out VMI may be modified VMI T3 while in transit T4 AC Out Disavows sending a VMI VMI CO AIn/UIn Collects sensitive VMI T5 information from VMI T6 AV AIn Disavows receiving a VMI VMI IN UIn/AIn Modify VMI - insert VMI T7 malicious code 6.4. Cloud Defenses There are a variety of security patterns for all architectural levels of the system [151]; however, these security patterns may need to be adapted for cloud environments. In this section, we provide a list of some security patterns for clouds and provide some examples. These security patterns are not sufficient to secure the entire cloud system, but it can be used as general guidance. Here are some of the security patterns which are selected to handle specific threats: Secure migration process provides a continuous protection for live and offline migration processes. 125
Secure hypervisor reinforces the security of the hypervisor in order to avoid attacks. Secure virtual networks secures the communication among virtual machines. Secure virtual machine image repository offers secure control of virtual machine images. Virtualized Trusted Platform Module determines if the environment is secure before creating and launching a virtual machine. Web application scanners scans web applications to identify security vulnerabilities. Cloud data protection protects sensitive data while it is processed, stored or transferred (encryption, digital signature, fragmentation-redundancy-scattering, homomorphic encryption) For this work, we develop a pattern to secure virtual machine image repository that can be used to mitigate or stops some of the threats identified in Section 4. 6.4.1. Secure Virtual Machine Image Repository System Intent The secure virtual machine image (VMI) repository system offers secure control of virtual machine images by removing or hiding unwanted information. It also provides logging, authentication and authorization. 126
Context Cloud consumers and providers can publish and retrieve VMI in order to instantiate a virtual machine (VM) Problem A VMI can contain sensitive information without being noticed by the publisher or it can contain malicious code infecting virtual machines that are created using it. The solution will be affected by the following forces: Virtual machine images should be filtered when they are being published or retrieved. The user who wants to publish or retrieve a VMI should be authenticated. We should keep track of any actions applied to the VMI such as who accessed it, type of access, and date. We should control what actions a user can perform. The security controls should not affect the performance of the system. Solution The Secure VMI Repository System provides a mechanism to filter virtual machine images in order to hide or remove confidential information or detect malware and remove it. It also provides authentication, authorization, and logging. For the authorization, we use a Role-Based Access Control (RBAC) model [127][34] which assigns rights to roles to perform some actions in a resource. Individual users may be assigned one or more roles. 127
Structure Figure 38 shows a class model for the secure VM images repository system. The Virtual Machine Image Repository holds a set of virtual machine images (VMI) that can be used to instantiate a virtual machine. The repository uses a Filter that scans all VM images before being published, but also it can scan them before retrieving a VMI. The subsystem Authenticator is an instance of the Authenticator Pattern [34] that allows the repository to authenticate the users before publishing or retrieving an image. The Log keeps tracks of any accesses to the repository. The Role and Right are instances of the RBAC pattern. A Role has the Rights to perform some actions in a VMI. The Reference Monitor subsystem enforces the authorization rights defined by the RBAC. Figure 38: Secure VMI Repository System 128
6.5. Secure Reference Architecture Once security patterns are identified, we apply them into the reference architecture in order to stop or mitigate the threats. Security mechanisms are added to the Infrastructureas-a-Service Pattern in [150] including authenticator, authorization, logging and other security mechanisms that mitigates specific threats. To avoid impostors we can use the authentication module so every action with the cloud needs to be authenticated. The logging instance can be used to trace all activities that can be used for auditing at a later time. For the authorization, we use a Role-Based Access Control (RBAC), so only authorized users can perform some actions to assets. These security mechanisms are shown in blue color. Figure 39 shows a secure IaaS architecture pattern. In this model, the subsystem Authenticator is an instance of the Authenticator pattern [34] and allows the Cloud Controller to authenticate Cloud Consumers/Administrators. Log indicates instances of the Logging pattern, and it is used to keep track of any access to a cloud resource such as VM, VMM, and VM Image Repository. The Reference Monitor reinforces authorization rights defined by the RBAC instances [34]. The Filter scans all virtual machines in order to remove malicious code. 129
Figure 39: Secure IaaS pattern 6.6. Evaluating Security using a Reference Architecture In previous sections, we have identified some threats by analyzing the activities of use cases. Then, we have described some security patterns that mitigate or stop these threats. Therefore, we can now evaluate whether these security patterns (defenses) cover the threats. For instance, as shown in Table 6, we can apply the secure virtual machine 130
image repository system to mitigate or stop some of the threats identified in previous sections. The authenticator and authorization modules can stop T1 and T4, in which only authenticated and authorized users can publish a VMI. The filter module mitigates threat T2 and T5. Any authorized user can store his VMI in the public repository, but it will be scanned to remove any malicious code before being stored. The secure network mitigates T2, which provides integrity and confidentiality while the VMI is being transmitted. Table 6: Threat List vs. Mitigation Defenses ID Threats Defense T1 The cloud customer is an impostor and publishes Authenticator - Authorization a VMI T2 The cloud consumer inserts malicious code Filter module within a VMI T3 An external attacker listens to the network to Secure network obtain information about the VMI T4 The IaaS administrator is an impostor and Authenticator - Authorization collects information within the VMI T5 The IaaS administrator creates a malicious VMI Filter module Listing threats is not enough; we need a way to understand how an attack happens. Misuse patterns describe how an attack happens from the point of view of an attacker. We can use misuse patterns to test security of the reference architecture. We have developed some misuse patterns including Malicious Virtual Machine Creation [10]. This misuse pattern describes how an attacker may create a virtual machine image which can contain malicious code so it can infect other users when they create their virtual machine. Figure 40 describes how an attacker can publish a virtual machine image that contains malicious code. 131
Figure 40: Sequence Diagram for the use case Publish a Malicious VM Image We can use the sequence diagram to show how the secure reference architecture can stop some threats described in the misuse pattern (Figure 41). In this example, we can see if the attacker is not a valid user; the attack cannot go any further since the authentication will fail. If the attacker has a valid user, his attempt to publish an image will then be intercepted by the reference monitor to check whether he is authorized or not. Even if the attacker is authorized since he is a valid user and he has rights to publish an image, his image will then be filtered to scan for malicious code. If the image has a malicious code, then it is removed before being stored. 132
Figure 41: Sequence Diagram for the Use Case Securely Publish VM Images 6.7. Summary We have shown how to build a secure reference architecture for Cloud Computing. We have followed the methodology in [149] to match the application requirements to the cloud security. In order to develop a secure framework, we have identified a list of threats by analyzing the activities of use cases [141], but we also have done systematic enumeration of cloud threats in [3]. Identifying cloud threats is not enough; we need a way to describe how an attack is performed and what cloud units are compromised. We have developed misuse patterns that describe from the point of view of the attacker how an attack (misuse of information) is performed. We have started building a catalog of misuse patterns [10], which can be used to find where to add security patterns to stop 133
them using a reference architecture. The security patterns are selected from the analysis of threats. For this work, we have developed a security pattern in order to demonstrate how it mitigates or stops some threats identified in previous sections. 134
7. RELATED WORK A reference architecture is a standardized, generic architecture, valid for a particular domain that does not contain implementation details [28]. It provides a template solution that can be instantiated into a specific software architecture by adding implementationoriented aspects. There is no formal definition what a reference architecture should contain. However, an approach to defining reference architectures is provided in [29]. A reference architecture should be described at an abstract level, and all details about implementation should only be considered for a specific software architecture instance. Moreover, the authors in [152] proposed a pattern-based reference architecture which describes a framework which allows the consideration of different types of service-based systems. There are different reference architectures developed or being developed for Cloud Computing, and some of them are generic while others focus on specific areas or products. A report by IBM [6] describes a Cloud Computing Reference Architecture that is based on their cloud implementation. They describe the architectural components using high level block diagrams where main characteristics of cloud stand out such as: roles (cloud service consumer, cloud service provider, and cloud service creator), cloud services (IaaS, PaaS, SaaS, and BPaaS Business Process-as-a-Service), common cloud management platform (operational and business support services), infrastructure (servers, storage, network and facilities), and portals (service consumer portal, service developer 135
portals, and service provider portal). The most noticeable component in this reference architecture is the Management Platform. They only state that non-functional requirements such as security, resiliency and consumability must be considered across all layers of the model. Also, NIST [8] has produced a reference architecture which is similar to IBM s. The purpose of their reference architecture is to develop an architecture that is not tied to any vendor and to address the US Government needs. The NIST reference architecture introduces three more actors: Cloud Broker, Cloud Auditor, and Cloud Carrier. NIST focuses only on the three basic delivery models (SaaS, PaaS, and IaaS). Regarding security, they state that security is a shared responsibility between cloud providers and consumers. Cloud service and deployment models have differing degrees of security implications. Our proposed reference architecture has the same goals as IBM and NIST; provide a cloud model that can be used as guidance for designers or architects without any implementation details. However, they do not provide sufficient information about how different cloud services are composed. HP [7] provides an overview of their CloudSystem s architecture, including three CloudSystem offerings: HP CloudSystem Matrix, HP CloudSystem Enterprise, and HP Cloud Service Provider. This solution employs a three-layer architecture: supply, delivery and demand layers. The supply layer provides the delivery of infrastructure elements such as compute, network, storage, and other resources both physical and virtual. The delivery layer enables and manages the delivery of application services. The demand layer provides portal services for requesting services. Also, they describe some security solutions such as HP TippingPoint Intrusion Prevention System (IPS) that inspects all traffic moving in/out of the datacenter, Virtual Management Center which monitors 136
virtual resources in each host, and virtual controller plus virtual firewall combination that controls traffic in/out of each virtual machine. This document describes a specific solution using HP technologies. However, our goal is to describe what the main components for cloud services are, not how to implement clouds using some specific solutions. The Oracle Reference Architecture comprises of two documents: Cloud Foundation [100] and Cloud Infrastructure [9]. The Cloud Foundation provides a conceptual architecture which defines architectural characteristics and requirements of clouds. The Cloud Infrastructure defines architecture views based on the conceptual architecture. Their objective was to present a reference architecture that is supported by their products. The PCI-Compliant Cloud Reference Architecture defines a basic framework for building clouds that are compliant with Payment Card Industry (PCI) Data Security Standard (DSS). It provides a cloud architecture using products such as VMware, Cisco, Trend Micro, and HyTrust. It shows how these products additional security controls can meet the PCI DSS requirements. This architecture consists of four fundamental layers: cloud application, business orchestration, service orchestration, and infrastructure layers. The cloud application represents the external interface that allows to access the cloud services. The business orchestration layer consists of the configuration of the cloud entities and the governance policies for controlling the cloud deployment. Service orchestration represents the provisioning logic for the cloud infrastructure. Infrastructure layer consists of the virtual and physical servers, network, storage, hypervisor, security and management resources. This architecture only provides security requirements that 137
cloud providers should follow in order to meet the PCI DSS standards using specific products. 138
8. CONCLUSIONS AND FUTURE WORK Cloud Computing systems are complex systems that leverage different technologies and can be deployed in different ways such as public, private and hybrid, as well as provide services such as IaaS, PaaS, and SaaS. All this implies that it can be a challenge to understand how to make a cloud secure. We need to understand its security issues and how to make cloud environments secure. In this work, we have provided the following contributions: 1. We performed a systematic review of security issues for cloud environments where we enumerated the main cloud threats and vulnerabilities found in the literature [3]. In this analysis, we presented a categorization of security issues focused in each service model (SaaS, PaaS, and IaaS), and we identified which service model can be affected by these security issues. Also, we described the relationship between these threats and vulnerabilities and provided possible countermeasures for each identified threat identified. 2. We developed a reference architecture to have a precise view of cloud systems [150]. Since clouds are complex systems, we presented each service model in the form of patterns which describe their requirements, characteristics, main units, and the relationship between these units. We also included some use cases that describe common functions for cloud services in general as well as for each service model. 139
3. We described three specific cloud threats in the form of misuse patterns: Resource Usage Monitoring Inference, Malicious Virtual Machine Creation, and Malicious Virtual Machine Migration. The Resource Usage Monitoring Inference misuse pattern describes how an attacker tries to co-locate his virtual machine in the same server as the victim in order to infer some information. The Malicious Virtual Machine Creation misuse pattern depicts how an attacker can create a virtual machine image which contains malicious code in order to infect other virtual machines that use this image. Malicious Virtual Machine Migration describes how a virtual machine can be compromised while being migrated. 4. We showed how to secure a reference architecture by applying security patterns to add security defenses and misuse patterns to evaluate its security level. Besides the systematic review of security issues mentioned in 1), we also followed an approach from [141] in order to find possible threats by analyzing the activities from each use case. We analyzed an activity diagram for use cases create and publish a virtual machine image in order to identify possible threats. Once identified the threats, we followed the approach in [149] in order to find a matching security pattern to defend against these threats. 5. We developed a pattern for a secure virtual machine repository system which offers a secure control of virtual machine images by removing or hiding unwanted information. Then, we evaluated the level of security by showing how this security stops or mitigates these threats. 140
This work can be extended by completing the catalog of misuse patterns to include those threats identified in [3]. From Table 3, we can identify some threats that can be described as misuse patterns: Covert channels in clouds covert channels allow inter-vm communication bypassing the security rules of the hypervisor. Virtual machine escape describes how to exploit the hypervisor in order to take control of the underlying platform. Virtual machine hopping describes how a virtual machine can access other virtual machines by exploiting the hypervisor for example. Sniffing virtual networks describes how a virtual machine can listen to the virtual network traffic in order to get confidential information. Spoofing virtual networks describes how a malicious virtual machine can intercept information in the virtual network with the purpose of altering its routing function. A good number of security patterns have been produced [151], but we still need to adjust them to be valid for cloud environments or to develop new security patterns that are specific for clouds. Also from Table 4, we can identify some security mechanism and represent them as security patterns: Secure migration process provides a continuous protection for live migration and offline migration as well. Secure hypervisor reinforces the security of the hypervisor to avoid some attacks. 141
Secure virtual networks secures the communication among virtual machines. Virtualized trusted platform module provides a framework to determine whether the environment is secure before launching a virtual machine. Web applications scanners scans web applications in order to identify security vulnerabilities. Cloud data protection protects sensitive data while it is processed, stored or transferred. (encryption, digital signature, fragmentation-redundancy-scattering, homomorphic encryption) Developing a good catalog for both security and misuse patterns can help designers and architects to use the reference architecture in order to add security and evaluate its security. Another use of this cloud architecture is to be a reference for security certification of services. A cloud provider can show that his services can handle the corresponding threats which can increase customer trust. Also, a reference architecture can be used to support standards. It helps architects or designers to identify what components of the cloud system are associated with the standard and can be used to comply with the specific rules of the standard. Moreover, hybrid clouds are becoming more popular due to security and privacy issues associated to public clouds. This reference architecture also provides general information for organizations wishing to integrate their existing IT processes and system with cloud infrastructure. Before migrating any process or system, organizations should refer to the cloud architecture to plan a strategy for integrating existing resources to 142
clouds, to understand the inherent issues and limitations, and to think in terms to moving some processes and data to the cloud. 143
REFERENCES [1] P. Mell and T. Grance, The NIST Definition of Cloud Computing, NIST, Special Publication 800-145, Sep. 2011. Available: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf [2] Centre for the Protection of National Infrastructure, Information Security Briefing 01/2010 Cloud Computing, Mar-2010. Available: http://www.cpni.gov.uk/documents/publications/2010/2010007- ISB_cloud_computing.pdf [3] K. Hashizume, D. G. Rosado, E. Fernandez-Medina, and E. B. Fernandez, An Analysis of Security issues for Cloud Computing, accepted for the Journal of Internet Computing. [4] F. Buschmann, R. Meunier, H. Rohnert, P. Sommerland, and M. Stal, Pattern- Oriented Software Architecture Volume 1: A System of Patterns, Volume 1. Wiley, 1996. [5] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design patterns: elements of reusable object-oriented software. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 1995. [6] M. Behrendt, B. Glasner, P. Kopp, R. Dieckmann, G. Breiter, S. Pappe, H. Kreger, and A. Arsanjani, IBM Cloud Computing Reference Architecture 2.0. 2011.Available: http://thoughtsoncloud.com/index.php/2011/08/ibm-cloudcomputing-reference-architecture-whats-in-it-for-me/ [7] HP, Understanding the HP CloudSystem Reference Architecture. 2011. Available: http://www.techrepublic.com/whitepapers/understanding-the-hpcloudsystem-reference-architecture/3391071 [8] F. Liu, J. Tong, J. Mao, R. B. Bohn, J. V. Messina, M. L. Badger, and D. Leaf, NIST Cloud Computing Reference Architecture. 2011. Available: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505 144
[9] Anbu Krishnaswamy Anbarasu, Oracle Reference Architecture - Cloud Infrastructure, Release 3.0. Oracle, Nov-2011. Available: http://www.oracle.com/technetwork/topics/entarch/oracle-ra-cloud-infrastructurer3-0-1395892.pdf [10] K. Hashizume, N. Yoshioka, and E. B. Fernandez, Three Misuse Patterns for Cloud Computing, in Security Engineering for Cloud Computing: Approaches and Tools, D. G. Rosado, D. Mellado, E. Fernandez-Medina, and M. Piattini, Eds. IGI Global, 2013, pp. 36 53. [11] E. B. Fernandez, N. Yoshioka, and H. Washizaki, Modeling Misuse Patterns, in Proceedings of the 4th Int. Workshop on Dependability Aspects of Data Warehousing and Mining Applications (DAWAM 2009), in conjunction with the 4th Int.Conf. on Availability, Reliability, and Security (ARES 2009), Fukuoka, Japan, 2009, pp. 566 571. [12] E. B. Fernandez, O. Ajaj, I. Buckley, N. Delessy-Gassant, K. Hashizume, and M. M. Larrondo-Petrie, A Survey of Patterns for Web Services Security and Reliability Standards, Future Internet, vol. 4, no. 2, pp. 430 450, Apr. 2012. [13] Amazon Web Services LLC, Amazon Elastic Compute Cloud. [Online]. Available: http://aws.amazon.com/ec2/. [Accessed: 20-Jan-2012]. [14] Eucalyptus Systems, Eucalyptus Cloud. [Online]. Available: http://www.eucalyptus.com/eucalyptus-cloud. [Accessed: 02-Feb-2012]. [15] OpenNebula Project, About the OpenNebula.org Project. [Online]. Available: http://opennebula.org/about:about. [Accessed: 01-Mar-2012]. [16] Microsoft, Windows Azure. [Online]. Available: http://www.windowsazure.com/en-us. [Accessed: 19-Feb-2012]. [17] Google, Google App Engine. [Online]. Available: https://developers.google.com/appengine/. [Accessed: 09-Mar-2012]. [18] Salesforce, Force.com: A comprehensive look at the World s Premier Cloud- Computing Platform.. [19] Salesforce, Salesforce product overview, Salesforce.com. [Online]. Available: http://www.salesforce.com/products/. [Accessed: 28-Sep-2012]. 145
[20] Google, Welcome to Google Enterprise. [Online]. Available: http://www.google.com/enterprise/apps/. [Accessed: 29-Sep-2012]. [21] FreshBooks, Say Hello to Cloud Accounting. [Online]. Available: http://www.freshbooks.com/. [Accessed: 30-Sep-2012]. [22] H. Leigang and X. Mingqing, The future of automatic test system (ATS) brought by Cloud Computing, in 2009 IEEE AUTOTESTCON, 2009, pp. 412 414. [23] S. Zhang, S. Zhang, X. Chen, and X. Huo, Cloud Computing Research and Development Trend, in Second International Conference on Future Networks (ICFN 10), Sanya, Hainan, China, 2010, pp. 93 97. [24] C. Gong, J. Liu, Q. Zhang, H. Chen, and Z. Gong, The Characteristics of Cloud Computing, in 2010 39th International Conference on Parallel Processing Workshops (ICPPW), 2010, pp. 275 279. [25] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, and M. Zaharia, Above the Clouds: A Berkeley View of Cloud Computing, 2009. [26] S. Murugesan, Understanding Web 2.0, IT Professional, vol. 9, no. 4, pp. 34 41, Aug. 2007. [27] Virtualization, Wikipedia. 14-Dec-2012. [28] P. Reed, Reference Architecture: The best of best practices, Sep-2002. [Online]. Available: http://www.ibm.com/developerworks/rational/library/2774.html#author1. [Accessed: 10-Dec-2012]. [29] P. Avgeriou, Describing, Instantiating and Evaluating a Reference Architecture: A Case Study, Enterprise Architect Journal, Fawcette Technical Publications, Jun. 2003. [30] E. B. Fernandez and X. Yuan, Semantic Analysis Patterns, in Proceedings of the 19th Int. Conf. on Conceptual Modeling, ER2000, 2000, pp. 183 195. [31] M. Fowler, Analysis Patterns: Reusable Object Models, 1st ed. Addison-Wesley Professional, 1997. [32] E. B. Fernandez, Security Patterns, in Proceedings of the Eight International Symposium on System and Information Security, 2006. 146
[33] M. Schumacher and U. Roedig, Security Engineering with Patterns, in PLoP 2001, 2001. [34] M. Schumacher, E. B. Fernandez, D. Hybertson, F. Buschmann, and P. Sommerlad, Security Patterns Integrating Security & Systems Engineering. Wiley Series on Software Design Patterns, 2006. [35] B. Kitchenham, Procedures for Perfoming Systematic Review, Software Engineering Group, Department of Computer Scinece Keele University, United Kingdom and Empirical Software Engineering, National ICT Australia Ltd., Australia, TR/SE-0401, 2004. [36] B. Kitchenham and S. Charters, Guidelines for performing Systematic Literature Reviews in Software Engineering. Version 2.3, University of Keele (Software Engineering Group, School of Computer Science and Mathematics) and Durham (Department of Conputer Science), UK, 2007. [37] P. Brereton, B. A. Kitchenham, D. Budgen, M. Turner, and M. Khalil, Lessons from applying the systematic literature review process within the software engineering domain, Journal of Systems and Software, vol. 80, no. 4, pp. 571 583, 2007. [38] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. 2011. Available: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf [39] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and Privacy. O Reilly Media, Inc., 2009. [40] Cloud Security Alliance, Top Threats to Cloud Computing V1.0. 2010. [41] ENISA, Cloud Computing: Benefits, Risks and Recommendations for Information Security. 2009. Available: http://www.enisa.europa.eu/activities/riskmanagement/files/deliverables/cloud-computing-risk-assessment [42] K. Dahbur, B. Mohammad, and A. B. Tarakji, A survey of risks, threats and vulnerabilities in cloud computing, in Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, Amman, Jordan, 2011, pp. 1 6. 147
[43] L. Ertaul, S. Singhal, and S. Gökay, Security Challenges in Cloud Computing, in Proceedings of the 2010 International Conference on Security and Management SAM 10, Las Vegas, US, 2010, pp. 36 42. [44] B. Grobauer, T. Walloschek, and E. Stocker, Understanding Cloud Computing Vulnerabilities, IEEE Security Privacy, vol. 9, no. 2, pp. 50 57, 2011. [45] S. Subashini and V. Kavitha, A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1 11, Jan. 2011. [46] M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono, On Technical Security Issues in Cloud Computing, in IEEE International Conference on Cloud Computing (CLOUD 09), 2009, pp. 109 116. [47] C. Onwubiko, Security Issues to Cloud Computing, in Cloud Computing: Principles, Systems & Applications, N. Antonopoulos and L. Gillam, Eds. Springer- Verlag, 2010. [48] M. A. Morsy, J. Grundy, and I. Müller, An Analysis of The Cloud Computing Security Problem, in Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 2010. [49] W. A. Jansen, Cloud Hooks: Security and Privacy Issues in Cloud Computing, in Proceedings of the 44th Hawaii International Conference on System Sciences, Koloa, Kauai, HI, 2011, pp. 1 10. [50] D. Zissis and D. Lekkas, Addressing cloud computing security issues, Future Generation Computer Systems, vol. 28, no. 3, pp. 583 592, 2012. [51] W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, Special Publication 800-144, 2011. [52] J. Ju, Y. Wang, J. Fu, J. Wu, and Z. Lin, Research on Key Technology in SaaS, in International Conference on Intelligent Computing and Cognitive Informatics (ICICCI), 2010, pp. 384 387. [53] J. W. Rittinghouse and J. F. Ransome, Security in the Cloud, in Cloud Computing: Implementation, Management, and Security, CRC Press, 2009. [54] D. Owens, Securing Elasticity in the Cloud, Communications of the ACM, vol. 53, no. 6, pp. 46 51, May-2010. 148
[55] OWASP, The Ten Most Critical Web Application Security Risks. 2010. Available: https://www.owasp.org/index.php/category:owasp_top_ten_project [56] Y. Zhang, S. Liu, and X. Meng, Towards high level SaaS maturity model: Methods and case study, in Services Computing Conference. APSCC 2009. IEEE Asia-Pacific, 2009, pp. 273 278. [57] F. Chong, G. Carraro, and R. Wolter, Multi-Tenant Data Architecture, Jun-2006. [Online]. Available: http://msdn.microsoft.com/en-us/library/aa479086.aspx. [Accessed: 05-Jun-2011]. [58] C.-P. Bezemer and A. Zaidman, Multi-tenant SaaS applications: maintenance dream or nightmare?, in Proceedings of the Joint ERCIM Workshop on Software Evolution (EVOL) and International Workshop on Principles of Software Evolution (IWPSE), Antwerp, Belgium, 2010, pp. 88 92. [59] J. Viega, Cloud Computing and the Common Man, Computer, vol. 42, no. 8, pp. 106 108, Aug-2009. [60] Cloud Security Alliance, Security Guidance for Critical Areas of Mobile Computing. Nov-2012. Available: https://downloads.cloudsecurityalliance.org/initiatives/mobile/mobile_guidance_v1.pdf [61] C. Keene, The Keene View on Cloud Computing, 18-Mar-2009. [Online]. Available: http://www.keeneview.com/2009/03/what-is-platform-as-servicepaas.html. [Accessed: 16-Jul-2011]. [62] K. Xu, X. Zhang, M. Song, and J. Song, Mobile Mashup: Architecture, Challenges and Suggestions, in International Conference on Management and Service Science. MASS 09, 2009, pp. 1 4. [63] R. Chandramouli and P. Mell, State of security readiness, Crossroads, vol. 16, no. 3, pp. 23 25, Mar-2010. [64] T. Jaeger and J. Schiffman, Outlook: Cloudy with a Chance of Security Challenges and Improvements, IEEE Security Privacy, vol. 8, no. 1, pp. 77 80, 2010. 149
[65] W. Dawoud, I. Takouna, and C. Meinel, Infrastructure as a service security: Challenges and solutions, in the 7th International Conference on Informatics and Systems (INFOS), 2010, pp. 1 8. [66] A. Jasti, P. Shah, R. Nagaraj, and R. Pendse, Security in multi-tenancy cloud, in IEEE International Carnahan Conference on Security Technology (ICCST), 2010, pp. 35 41. [67] T. Garfinkel and M. Rosenblum, When virtual is harder than real: Security challenges in virtual machine based computing environments, in Proceedings of the 10th conference on Hot Topics in Operating Systems, Santa Fe, NM, 2005, vol. 10, pp. 227 229. [68] J. S. Reuben, A survey on virtual machine security, Seminar on Network Security, 2007. [69] S. Venkatesha, Survey of Virtual Machine Migration Techniques, 2009. Available: http://www.academia.edu/760613/survey_of_virtual_machine_migration_techniq ues [70] P. Ranjith, P. Chandran, and S. Kaleeswaran, On Covert Channels between Virtual Machines, Journal in Computer Virology, Springer, vol. 8, pp. 85 97, 2012. [71] J. Wei, X. Zhang, G. Ammons, V. Bala, and P. Ning, Managing security of virtual machine images in a cloud environment, in Proceedings of the 2009 ACM workshop on Cloud computing security, 2009, pp. 91 96. [72] K. Owens, Securing Virtual Compute Infrastructure in the Cloud. SAVVIS. Available: http://www.savvis.com/en-us/info_center/documents/hos-whitepapersecuringvirutalcomputeinfrastructureinthecloud.pdf [73] H. Wu, Y. Ding, C. Winer, and L. Yao, Network security for virtual machine in cloud computing, in 5th International Conference on Computer Sciences and Convergence Information Technology (ICCIT), 2010, pp. 18 21. [74] G. Xiaopeng, W. Sumei, and C. Xianqin, VNSS: A network security sandbox for virtual computing environment, in IEEE Youth Conference on Information Computing and Telecommunications (YC-ICT), 2010, pp. 395 398. 150
[75] K. Popovic and Z. Hocenski, Cloud computing security issues and challenges, in Proceedings of the 33rd International Convention MIPRO, 2010, pp. 344 349. [76] S. Carlin and K. Curran, Cloud Computing Security, International Journal of Ambient Computing and Intelligence, vol. 3, no. 1, pp. 38 46, 2011. [77] A. Bisong and S. Rahman, An Overview of the Security Concerns in Enterprise Cloud Computing, International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 1, pp. 30 45, Jan. 2011. [78] M. Townsend, Managing a security program in a cloud computing environment, in Information Security Curriculum Development Conference, Kennesaw, Georgia, 2009, pp. 128 133. [79] V. Winkler, Securing the cloud: Cloud computer security techniques and tactics. Elsevier Inc., 2011. [80] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, in Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 199 212. [81] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, Cross-VM side channels and their use to extract private keys, in Proceedings of the 2012 ACM conference on Computer and communications security, New York, NY, USA, 2012, pp. 305 316. [82] Z. Wang and X. Jiang, HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity, presented at the Proceedings of the IEEE Symposium on Security and Privacy, 2010, pp. 380 395. [83] C. Wang, Q. Wang, K. Ren, and W. Lou, Ensuring data storage security in Cloud Computing, presented at the 17th International Workshop on Quality of Service, 2009, pp. 1 9. [84] N. Santos, K. P. Gummadi, and R. Rodrigues, Towards Trusted Cloud Computing, in Proceedings of the 2009 conference on Hot topics in cloud computing, San Diego, California, 2009. [85] F. Zhang, Y. Huang, H. Wang, H. Chen, and B. Zang, PALM: Security Preserving VM Live Migration for Systems with VMM-enforced Protection, in Trusted 151
Infrastructure Technologies Conference, 2008. APTC 08. Third Asia-Pacific, 2008, pp. 9 18. [86] Cloud Security Alliance, SecaaS Implementation Guidance, Category 1: Identity and Access Managament. 2012. Available: https://downloads.cloudsecurityalliance.org/initiatives/secaas/secaas_cat_1_iam_i mplementation_guidance.pdf [87] S. Xiao and W. Gong, Mobility Can Help: Protect User Identity with Dynamic Credential, in Eleventh International Conference on Mobile Data Management (MDM), 2010, pp. 378 380. [88] D. Harnik, B. Pinkas, and A. Shulman-Peleg, Side Channels in Cloud Services: Deduplication in Cloud Storage, IEEE Security Privacy, vol. 8, no. 6, pp. 40 47, 2010. [89] J. Wylie, M. Bakkaloglu, V. Pandurangan, M. Bigrigg, S. Oguz, K. Tew, C. Williams, G. Ganger, and P. Khosla, Selecting the right data distribution scheme for a survivable storage system, CMU-CS-01-120, May 2001. [90] U. Somani, K. Lakhani, and M. Mundra, Implementing digital signature with RSA encryption algorithm to enhance the Data Security of cloud in Cloud Computing, in 1st International Conference on Parallel Distributed and Grid Computing (PDGC), 2010, pp. 211 216. [91] M. Tebaa, S. El Hajji, and A. El Ghazi, Homomorphic encryption method applied to Cloud Computing, in National Days of Network Security and Systems (JNS2), 2012, pp. 86 89. [92] E. Fong and V. Okun, Web Application Scanners: Definitions and Functions, in Proceedings of the 40th Annual Hawaii International Conference on System Sciences, 2007. [93] D. Goodin, Webhost hack wipes out data for 100,000 sites, The Register, 08-Jun- 2009. [Online]. Available: http://www.theregister.co.uk/2009/06/08/webhost_attack/. [Accessed: 02-Aug- 2011]. 152
[94] S. Berger, R. Cáceres, D. Pendarakis, R. Sailer, E. Valdez, R. Perez, W. Schildhauer, and D. Srinivasan, TVDc: managing security in the trusted virtual datacenter, SIGOPS Oper. Syst. Rev., vol. 42, no. 1, pp. 40 47, Jan. 2008. [95] S. Berger, R. Cáceres, K. Goldman, D. Pendarakis, R. Perez, J. R. Rao, E. Rom, R. Sailer, W. Schildhauer, D. Srinivasan, S. Tal, and E. Valdez, Security for the cloud infrastructure: trusted virtual data center implementation, IBM Journal of Research and Development, vol. 53, no. 4, pp. 560 571, Jul. 2009. [96] T. Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, in CanSecWest Applied Security Conference, Vancouver, 2007. [97] J. Oberheide, E. Cooke, and F. Jahanian, Empirical Exploitation of Live Virtual Machine Migration, in Proceedings of BlackHat DC convention, 2008. [98] M. Naehrig, K. Lauter, and V. Vaikuntanathan, Can homomorphic encryption be practical?, in Proceedings of the 3rd ACM workshop on Cloud computing security workshop, 2011, pp. 113 124. [99] W. Han-zhang and H. Liu-sheng, An improved trusted cloud computing platform model based on DAA and privacy CA scheme, in International Conference on Computer Application and System Modeling (ICCASM), 2010, vol. 13, pp. V13 33 V13 39. [100] M. Wilkins, Oracle Reference Architecture - Cloud Foundation Architecture, Release 3.0.. Available: http://www.oracle.com/technetwork/topics/entarch/oraclera-cloud-infrastructure-r3-0-1395892.pdf [101] K. Hashizume, E. B. Fernandez, and M. M. Larrondo-Petrie, Cloud Service Model Patterns, in 19th Conference on Pattern Languages of Programs, 2012. [102] K. Hashizume, E. B. Fernandez, and M. M. Larrondo-Petrie, A pattern for Software-as-a-Service in Clouds, in Workshop on Redefining and Integrating Security Engineering (RISE 12), Washington, DC, USA, 2012. [103] M. Hogan, F. Liu, A. Sokol, and J. Tong, NIST Cloud Computing Standards Roadmap. National Institute of Standards and Technology, Jul-2011. Available: http://collaborate.nist.gov/twiki-cloudcomputing/pub/cloudcomputing/standardsroadmap/nist_sp_500-291_jul5a.pdf 153
[104] National Institute of Standards and Technology, Inventory of Standards Relevant to Cloud Computing, Cloud Computing Collaboration Site. [Online]. Available: http://collaborate.nist.gov/twiki-cloudcomputing/bin/view/cloudcomputing/standardsinventory. [Accessed: 15-Oct- 2012]. [105] Distributed Management Task Force, INC, Open Virtualization Format (OVF). [Online]. Available: http://www.dmtf.org/standards/ovf. [Accessed: 04-Dec-2012]. [106] VMware, Virtual Appliances, 07-Dec-2012. [Online]. Available: http://www.vmware.com/technical-resources/virtualization-topics/virtualappliances/ovf. [107] IBM, Deploying the virtual machine images. [Online]. Available: http://pic.dhe.ibm.com/infocenter/tivihelp/v51r1/index.jsp?topic=%2fcom.ibm.tusc. doc%2fvm_install%2fc_ctr_deploy_vms.html. [Accessed: 07-Dec-2012]. [108] VirtualBox now supports OVF. [Online]. Available: http://blog.virtualarchitect.nl/2009/04/virtualbox-now-supports-ovf/. [Accessed: 08- Dec-2012]. [109] OpenStack, Open source software for building private and public clouds. [Online]. Available: http://www.openstack.org/. [Accessed: 07-Dec-2012]. [110] Distributed Management Task Force, INC, DMTF Releases Specification for Simplifying Cloud Infrastructure Management. [Online]. Available: http://www.dmtf.org/news/pr/2012/8/dmtf-releases-specification-simplifying-cloudinfrastructure-management. [Accessed: 04-Dec-2012]. [111] Open Grid Forum, Open Cloud Computing Interface WG (OCCI-WG). [Online]. Available: http://www.ogf.org/gf/group_info/view.php?group=occi-wg. [Accessed: 04-Dec-2012]. [112] OpenNebula, OpenNebula OCCI API Specification. [Online]. Available: http://opennebula.org/documentation:archives:rel2.0:occidd. [Accessed: 08-Dec- 2012]. [113] Storage Networking Industry Association, Cloud Data Management Interface (CDMI). [Online]. Available: http://www.snia.org/cdmi. [Accessed: 04-Dec-2012]. 154
[114] L. Badger, R. B. Bohn, R. Chandramouli, T. Grance, T. Karygiannis, R. Patt- Corner, and J. Voas, Cloud Computing Use Cases. [Online]. Available: http://www.nist.gov/itl/cloud/use-cases.cfm. [Accessed: 01-Jul-2012]. [115] Cloud Computing Use Case Discussion Group, Cloud Computing Use Cases Version 4.0. Jul-2010. Available: http://opencloudmanifesto.org/cloud_computing_use_cases_whitepaper-4_0.pdf [116] C. Spence, J. Devoys, and S. Chahal, Architecting Software as a Service for the Enterprise. IBM, Oct-2009. Available: http://www.intel.com/content/www/us/en/cloud-computing/cloud-computing-intelit-architecting-software-as-a-service-paper.html [117] Nexof, Cloud Computing: Platform as a Service (PaaS). 2010. Available: http://www.nexof-ra.eu/?q=node/669 [118] C. Baun and M. Kunze, Building a private cloud with Eucalyptus, in The 5th IEEE International Conference on E-Science Workshops, 2009, pp. 33 38. [119] K. Hashizume and E. B. Fernandez, A Pattern for WS-Security, in First IEEE Int. Workshop on Security Eng. Environments, Shanghai, China, 2009. [120] Ubuntu, UEC Package Install Separate. [Online]. Available: https://help.ubuntu.com/community/uec/packageinstallseparate#overview. [Accessed: 03-Feb-2012]. [121] About Nimbus, 12-Feb-2012. [Online]. Available: http://www.nimbusproject.org/about/. [122] Hewlett-Packard Development Company, HP Cloud Service. [Online]. Available: http://hpcloud.com/. [Accessed: 02-Feb-2012]. [123] IBM, IBMSmart Cloud. [Online]. Available: http://www.ibm.com/cloudcomputing/us/en/. [Accessed: 12-Sep-2012]. [124] L. Wang, J. Tao, M. Kunze, A. C. Castellanos, D. Kramer, and W. Karl, Scientific Cloud Computing: Early Definition and Experience, in 10th IEEE International Conference on High Performance Computing and Communications, 2008. HPCC 08, 2008, pp. 825 830. [125] D. Amrheim, Forget Defining Cloud Computing. [Online]. Available: http://soa.sys-con.com/node/1018801. [Accessed: 15-Jan-2012]. 155
[126] P. A. Karger and D. R. Safford, I/O for Virtual Machine Monitors: Security and Performance Issues, IEEE Security Privacy, vol. 6, no. 5, pp. 16 23, Oct. 2008. [127] E. B. Fernandez and T. Sorgente, A Pattern Language for Secure Operating System Architectures, in Procs. of the 5th Latin American Conference on Pattern Languages of Programs, Campos do Jordao, Brazil, 2005, pp. 68 88. [128] R. Y. D. Camargo, A. Goldchleger, M. Carneiro, and F. Kon, The Grid architectural pattern: Leveraging distributed processing capabilities, in Procs. of the International Conference on Pattern Languages of Program Design 5, 2006, pp. 337 356. [129] E. B. Fernandez, K. Hashizume, I. Buckley, M. M. Larrondo-Petrie, and M. VanHilst, Web services security: Standards and products, in Web Services Security Development and Architecture: Theoretical and Practical Issues, C. A. Gutierrez, E. Fernandez-Medina, and M. Piattini, Eds. IGI Global Group, 2010, pp. 152 177. [130] Salesforce, An Introduction to the Force.com IDE. [Online]. Available: http://wiki.developerforce.com/page/an_introduction_to_force_ide. [Accessed: 06-Mar-2012]. [131] Salesforce, An Introduction to Environments. [Online]. Available: http://wiki.developerforce.com/page/an_introduction_to_environments. [Accessed: 06-Mar-2012]. [132] Salesforce, About the Force.com Developer Edition Environments. [Online]. Available: http://wiki.developerforce.com/page/developer_edition. [Accessed: 06- Mar-2012]. [133] Salesforce, Secure, private, and trustworthy: enterprise cloud computing with Force.com, 06-Mar-2012. [Online]. Available: http://www.salesforce.com/assets/pdf/misc/wp_forcedotcom-security.pdf. [134] M. Dodani, On Cloud Nine Through Architecture, The Journal of Object Technology, vol. 9, no. 3, 2010. [135] G. Lawton, Developing Software Online With Platform-as-a-Service Technology, Computer, vol. 41, no. 6, pp. 13 15, Jun. 2008. 156
[136] A. V. Uzunov and E. B. Fernandez, Engineering Security into Distributed Systems: A Survey of Methodologies, to appear in Journal of Universal Computer Science. [137] Z. Pervez, S. Lee, and Y.-K. Lee, Multi-tenant, secure, load disseminated SaaS architecture, in Proceedings of the 12th international conference on Advanced communication technology, Piscataway, NJ, USA, 2010, pp. 214 219. [138] G. Liu, Research on independent SaaS platform, in 2010 The 2nd IEEE International Conference on Information Management and Engineering (ICIME), 2010, pp. 110 113. [139] IBM Cloud Computing: SaaS. [Online]. Available: http://www.ibm.com/cloudcomputing/us/en/saas.html. [Accessed: 09-Nov-2012]. [140] Software as a service, Wikipedia, the free encyclopedia. 25-Sep-2012. [141] F. A. Braz, E. B. Fernandez, and M. VanHilst, Eliciting Security Requirements through Misuse Activities, in Proceedings of the 2nd Int. Workshop on Secure Systems Methodologies using Patterns (SPattern 08). In conjunction with the 4th International Conference ontrust, Privacy & Security in Digital Busines(TrustBus 08), Turin, Italy, 2008, pp. 328 333. [142] R. Sailer, T. Jaeger, E. Valdez, R. Caceres, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn, Building a MAC-based security architecture for the Xen opensource hypervisor, in Computer Security Applications Conference, 21st Annual, 2005. [143] G. Cheng, H. Jin, D. Zou, A. K. Ohoussou, and F. Zhao, A Prioritized Chinese Wall Model for Managing the Covert Information Flows in Virtual Machine Systems, in The 9th International Conference for Young Computer Scientists, 2008. ICYCS 2008., 2008, pp. 1481 1487. [144] A. Aviram, S. Hu, B. Ford, and R. Gummadi, Determinating Timing Channels in Compute Clouds, in Proceedings of the 2010 ACM workshop on Cloud computing security workshop, Chicago, Illinois, USA, 2010. [145] Z. Wang and R. B. Lee, Covert and Side Channels Due to Processor Architecture, in Proceedings of the 22nd Annual Computer Security Applications Conference, Washington, DC, USA, 2006, pp. 473 482. 157
[146] J. Chandrashekar, S. Orrin, C. Livadas, and E. M. Schooler, The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware, Intel Technology Journal, vol. 13, no. 2, 2009. [147] K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, Intrusion Detection for Grid and Cloud Computing, IT Professional, vol. 12, no. 4, pp. 38 43, Aug. 2010. [148] W. Voorsluys, J. Broberg, S. Venugopal, and R. Buyya, Cost of Virtual Machine Live Migration in Clouds: A Performance Evaluation, in Proceedings of the 1st International Conference on Cloud Computing, Berlin, Heidelberg, 2009, pp. 254 265. [149] E. B. Fernandez, M. M. Larrondo-Petrie, T. Sorgente, and M. VanHilst, A methodology to develop secure systems using patterns, in Integrating security and software engineering: Advances and future vision, H. Mouratidis and P. Giorgini, Eds. IDEA Press, 2006, pp. 107 126. [150] K. Hashizume, E. B. Fernandez, and M. M. Larrondo-Petrie, A Reference Architecture for Cloud Computing, to be sent for publication. [151] E. B. Fernandez, Security patterns in practice - Designing secure architectures using software patterns. Wiley Series on Software Design Patterns (to appear). [152] V. Stricker, K. Lauenroth, P. Corte, F. Gittler, S. De Panfilis, and K. Pohl, Creating a Reference Architecture for Service-Based Systems A Pattern-Based Approach, in Towards the Future Internet - Emerging Trends from European Research, G. Tselentis, A. Galis, A. Gavras, S. Krco, V. Lotz, E. Simperl, B. Stiller, and T. Zahariadis, Eds. IOS Press, 2010. 158