Network Security Essentials: Applications and Standards
Sixth Edition
Chapter 5
Network Access Control and Cloud Security
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
This chapter begins our discussion of network security, focusing on two key topics:
network access control and cloud security. We begin with an overview of network
access control systems, summarizing the principal elements and techniques involved
in such a system. Next, we discuss the Extensible Authentication Protocol and
IEEE 802.1X, two widely implemented standards that are the foundation of many
network access control systems.
The remainder of the chapter deals with cloud security. We begin with an
overview of cloud computing, and follow this with a discussion of cloud security
issues.
Network Access Control (NAC)
An umbrella term for managing access to a network
Authenticates users logging into the network and determines what data they can access and actions they can perform
Also examines the health of the user’s computer or mobile device
Network access control (NAC) is an umbrella term for managing access to a network.
NAC authenticates users logging into the network and determines what data
they can access and actions they can perform. NAC also examines the health of the
user’s computer or mobile device (the endpoints).
NAC Systems Deal with Three Categories of Components (1 of 3)
Access requester (AR)
Node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled devices
Also referred to as supplicants, or clients
NAC systems deal with three categories of components:
• Access requestor (AR): The AR is the node that is attempting to access the
network and may be any device that is managed by the NAC system, including
workstations, servers, printers, cameras, and other IP-enabled devices. ARs
are also referred to as supplicants, or simply, clients.
• Policy server: Based on the AR’s posture and an enterprise’s defined policy,
the policy server determines what access should be granted. The policy server
often relies on backend systems, including antivirus, patch management, or a
user directory, to help determine the host’s condition.
• Network access server (NAS): The NAS functions as an access control point
for users in remote locations connecting to an enterprise’s internal network.
Also called a media gateway, a remote access server (RAS), or a policy server,
an NAS may include its own authentication services or rely on a separate
authentication service from the policy server.
NAC Systems Deal with Three Categories of Components (2 of 3)
Policy server
Determines what access should be granted
Often relies on backend systems
Network access server (NAS)
Functions as an access control point for users in remote locations connecting to an enterprise’s internal network
NAC Systems Deal with Three Categories of Components (3 of 3)
May include its own authentication services or rely on a separate authentication service from the policy server
Figure 5-1: Network Access Control Context
Figure 5.1 is a generic network access diagram. A variety of different ARs
seek access to an enterprise network by applying to some type of NAS. The first
step is generally to authenticate the AR. Authentication typically involves some
sort of secure protocol and the use of cryptographic keys. Authentication may be
performed by the NAS, or the NAS may mediate the authentication process. In the
latter case, authentication takes place between the supplicant and an authentication
server that is part of the policy server or that is accessed by the policy server.
The authentication process serves a number of purposes. It verifies a supplicant’s
claimed identity, which enables the policy server to determine what access
privileges, if any, the AR may have. The authentication exchange may result in the
establishment of session keys to enable future secure communication between the
supplicant and resources on the enterprise network.
Typically, the policy server or a supporting server will perform checks on the
AR to determine if it should be permitted interactive remote access connectivity.
These checks—sometimes called health, suitability, screening, or assessment
checks—require software on the user’s system to verify compliance with certain requirements
from the organization’s secure configuration baseline. For example, the
user’s antimalware software must be up-to-date, the operating system must be fully
patched, and the remote computer must be owned and controlled by the organization.
These checks should be performed before granting the AR access to the enterprise
network. Based on the results of these checks, the organization can determine
whether the remote computer should be permitted to use interactive remote access.
If the user has acceptable authorization credentials but the remote computer does
not pass the health check, the user and remote computer should be denied network
access or have limited access to a quarantine network so that authorized personnel
can fix the security deficiencies. Figure 5.1 indicates that the quarantine portion of
the enterprise network consists of the policy server and related AR suitability servers.
There may also be application servers that do not require the normal security
threshold be met.
Once an AR has been authenticated and cleared for a certain level of access
to the enterprise network, the NAS can enable the AR to interact with resources in
the enterprise network. The NAS may mediate every exchange to enforce a security
policy for this AR, or may use other methods to limit the privileges of the AR.
Network Access Enforcement Methods
The actions that are applied to ARs to regulate access to the enterprise network
Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods
Enforcement methods are the actions that are applied to ARs to regulate access
to the enterprise network. Many vendors support multiple enforcement methods
simultaneously, allowing the customer to tailor the configuration by using one or a
combination of methods. The following are common NAC enforcement methods.
• IEEE 802.1X: This is a link layer protocol that enforces authorization before
a port is assigned an IP address. IEEE 802.1X makes use of the Extensible
Authentication Protocol for the authentication process. Sections 5.2 and
5.3 cover the Extensible Authentication Protocol and IEEE 802.1X,
respectively.
• Virtual local area networks (VLANs): In this approach, the enterprise network,
consisting of an interconnected set of LANs, is segmented logically
into a number of virtual LANs. The NAC system decides to which of the
network’s VLANs it will direct an AR, based on whether the device needs
security remediation, Internet access only, or some level of network access to
enterprise resources. VLANs can be created dynamically and VLAN membership,
of both enterprise servers and ARs, may overlap. That is, an enterprise
server or an AR may belong to more than one VLAN.
• Firewall: A firewall provides a form of NAC by allowing or denying network
traffic between an enterprise host and an external user. Firewalls are discussed
in Chapter 12.
• DHCP management: The Dynamic Host Configuration Protocol (DHCP) is
an Internet protocol that enables dynamic allocation of IP addresses to hosts.
A DHCP server intercepts DHCP requests and assigns IP addresses instead.
Thus, NAC enforcement occurs at the IP layer based on subnet and IP assignment.
A DHCP server is easy to install and configure, but is subject to various
forms of IP spoofing, providing limited security.
There are a number of other enforcement methods available from vendors.
The ones in the preceding list are perhaps the most common, and IEEE 802.1X is by
far the most commonly implemented solution.
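The health-check and VLAN-steering logic described above, as an added example (not from the textbook): the access requester is authenticated first, then its posture is checked against the secure configuration baseline, and it is steered to an enterprise VLAN, an Internet-only VLAN, or the quarantine network, or denied. The VLAN ids, the baseline thresholds, the `Posture` and `AccessRequester` fields and the policy-server verdict strings are constructed for the example.

```python
"""Posture-based NAC decision as described in the notes: confirm the access
requester (AR) authenticated, run the health checks against the secure
configuration baseline, then steer it to a VLAN or deny it. Added example;
the baseline thresholds and VLAN ids are constructed, not from the text."""
from dataclasses import dataclass

# Constructed VLAN ids for the three outcomes the notes list: enterprise
# access, Internet only, and the quarantine network for remediation
VLAN_ENTERPRISE, VLAN_INTERNET_ONLY, VLAN_QUARANTINE = 10, 20, 99
MAX_SIGNATURE_AGE_DAYS = 3  # constructed baseline threshold


@dataclass
class Posture:
    """Health data reported by the agent software on the AR."""
    signature_age_days: int        # age of antimalware definitions
    missing_critical_patches: int  # OS patches still outstanding
    org_owned: bool                # device owned and controlled by the org


@dataclass
class AccessRequester:
    identity: str
    authenticated: bool     # outcome of the authentication exchange
    authorized_level: str   # policy server verdict: "enterprise", "internet", "none"
    posture: Posture


def health_check(p):
    """Return the baseline checks the AR fails (empty list = healthy)."""
    failures = []
    if p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antimalware not up to date")
    if p.missing_critical_patches > 0:
        failures.append("operating system not fully patched")
    if not p.org_owned:
        failures.append("device not owned and controlled by the organization")
    return failures


def decide(ar):
    """Return (vlan, reason); vlan is None when access is denied.
    Order follows the notes: authenticate, then authorize, then check
    posture before granting enterprise access. Internet-only access is
    granted without a posture check here (an assumption of the example)."""
    if not ar.authenticated:
        return None, "authentication failed"
    if ar.authorized_level == "none":
        return None, "no access privileges"
    if ar.authorized_level == "internet":
        return VLAN_INTERNET_ONLY, "Internet access only"
    if ar.authorized_level != "enterprise":
        return None, "unknown authorization level"
    failures = health_check(ar.posture)
    if failures:
        # Valid credentials but a failed health check: quarantine for remediation
        return VLAN_QUARANTINE, "quarantine: " + "; ".join(failures)
    return VLAN_ENTERPRISE, "full enterprise access"


if __name__ == "__main__":
    # Constructed ARs covering each outcome
    for ar in [
        AccessRequester("ws-01", True, "enterprise", Posture(1, 0, True)),
        AccessRequester("laptop-07", True, "enterprise", Posture(12, 3, True)),
        AccessRequester("guest-phone", True, "internet", Posture(40, 9, False)),
        AccessRequester("unknown", False, "enterprise", Posture(0, 0, True)),
    ]:
        print(ar.identity, decide(ar))
```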
Common NAC Enforcement Methods
IEEE 802.1X
Virtual local area networks (VLANs)
Firewall
DHCP management
Figure 5-2: EAP Layered Context
The Extensible Authentication Protocol (EAP), defined in RFC 3748, acts as a
framework for network access and authentication protocols. EAP provides a set
of protocol messages that can encapsulate various authentication methods to be
used between a client and an authentication server. EAP can operate over a variety
of network and link level facilities, including point-to-point links, LANs, and
other networks, and can accommodate the authentication needs of the various
links and networks. Figure 5.2 illustrates the protocol layers that form the context
for EAP.
Authentication Methods
EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server
The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server
EAP supports multiple authentication methods. This is what is meant by referring to
EAP as extensible. EAP provides a generic transport service for the exchange of authentication
information between a client system and an authentication server. The
basic EAP transport service is extended by using a specific authentication protocol,
or method, that is installed in both the EAP client and the authentication server.
Numerous methods have been defined to work over EAP. The following are
commonly supported EAP methods:
• EAP-TLS (EAP Transport Layer Security): EAP-TLS (RFC 5216) defines
how the TLS protocol (described in Chapter 6) can be encapsulated in EAP
messages. EAP-TLS uses the handshake protocol in TLS, not its encryption
method. Client and server authenticate each other using digital certificates.
Client generates a pre-master secret key by encrypting a random number with
the server’s public key and sends it to the server. Both client and server use
the pre-master to generate the same secret key.
• EAP-TTLS (EAP Tunneled TLS): EAP-TTLS is like EAP-TLS, except only
the server has a certificate to authenticate itself to the client first. As in EAP-TLS,
a secure connection (the “tunnel”) is established with secret keys, but
that connection is used to continue the authentication process by authenticating
the client and possibly the server again using any EAP method or
legacy method such as PAP (Password Authentication Protocol) and CHAP
(Challenge-Handshake Authentication Protocol). EAP-TTLS is defined in
RFC 5281.
• EAP-GPSK (EAP Generalized Pre-Shared Key): EAP-GPSK, defined in
RFC 5433, is an EAP method for mutual authentication and session key derivation
using a Pre-Shared Key (PSK). EAP-GPSK specifies an EAP method
based on pre-shared keys and employs secret key-based cryptographic algorithms.
Hence, this method is efficient in terms of message flows and computational
costs, but requires the existence of pre-shared keys between each
peer and EAP server. The set up of these pairwise secret keys is part of the
peer registration, and thus, must satisfy the system preconditions. It provides
a protected communication channel when mutual authentication is successful
for both parties to communicate over and is designed for authentication
over insecure networks such as IEEE 802.11. EAP-GPSK does not require
any public-key cryptography. The EAP method protocol exchange is done in
a minimum of four messages.
• EAP-IKEv2: It is based on the Internet Key Exchange protocol version 2
(IKEv2), which is described in Chapter 9. It supports mutual authentication
and session key establishment using a variety of methods. EAP-IKEv2 is defined
in RFC 5106.
Commonly Supported EAP Methods
EAP Transport Layer Security
EAP Tunneled TLS
EAP Generalized Pre-Shared Key
EAP-IKEv2
Figure 5-3: EAP Protocol Exchanges
Figure 5.3 indicates a typical arrangement in which EAP is used. The following
components are involved:
• EAP peer: Client computer that is attempting to access a network.
• EAP authenticator: An access point or NAS that requires EAP authentication
prior to granting access to a network.
• Authentication server: A server computer that negotiates the use of a specific
EAP method with an EAP peer, validates the EAP peer’s credentials,
and authorizes access to the network. Typically, the authentication server is a
Remote Authentication Dial-In User Service (RADIUS) server.
The authentication server functions as a backend server that can authenticate
peers as a service to a number of EAP authenticators. The EAP authenticator then
makes the decision of whether to grant access. This is referred to as the EAP
pass-through mode. Less commonly, the authenticator takes over the role of the EAP
server; that is, only two parties are involved in the EAP execution.
As a first step, a lower-level protocol, such as PPP (point-to-point protocol)
or IEEE 802.1X, is used to connect to the EAP authenticator. The software entity
in the EAP peer that operates at this level is referred to as the supplicant. EAP
messages containing the appropriate information for a chosen EAP method are
then exchanged between the EAP peer and the authentication server.
EAP messages may include the following fields:
• Code: Identifies the Type of EAP message. The codes are Request (1),
Response (2), Success (3), and Failure (4).
• Identifier: Used to match Responses with Requests.
• Length: Indicates the length, in octets, of the EAP message, including the
Code, Identifier, Length, and Data fields.
• Data: Contains information related to authentication. Typically, the Data field
consists of a Type subfield, indicating the type of data carried, and a Type-Data
field.
The Success and Failure messages do not include a Data field.
The EAP authentication exchange proceeds as follows. After a lower-level
exchange that established the need for an EAP exchange, the authenticator sends a
Request to the peer to request an identity, and the peer sends a Response with the
identity information. This is followed by a sequence of Requests by the authenticator
and Responses by the peer for the exchange of authentication information. The
information exchanged and the number of Request–Response exchanges needed
depend on the authentication method. The conversation continues until either
(1) the authenticator determines that it cannot authenticate the peer and transmits
an EAP Failure or (2) the authenticator determines that successful authentication
has occurred and transmits an EAP Success.
Figure 5-4: EAP Message Flow in Pass-Through Mode
Figure 5.4 gives an example of an EAP exchange. Not shown in the figure is a
message or signal sent from the EAP peer to the authenticator using some protocol
other than EAP and requesting an EAP exchange to grant network access. One
protocol used for this purpose is IEEE 802.1X, discussed in the next section. The
first pair of EAP Request and Response messages is of Type identity, in which the
authenticator requests the peer’s identity, and the peer returns its claimed identity
in the Response message. This Response is passed through the authenticator to the
authentication server. Subsequent EAP messages are exchanged between the peer
and the authentication server.
Upon receiving the identity Response message from the peer, the server
selects an EAP method and sends the first EAP message with a Type field related
to an authentication method. If the peer supports and accepts the selected EAP
method, it replies with the corresponding Response message of the same type.
Otherwise, the peer sends a NAK, and the EAP server either selects another EAP
method or aborts the EAP execution with a failure message. The selected EAP
method determines the number of Request/Response pairs. During the exchange
the appropriate authentication information, including key material, is exchanged.
The exchange ends when the server determines that authentication has succeeded
or that no further attempt can be made and authentication has failed.
Table 5.1: Terminology Related to IEEE 802.1X (1 of 5)
Authenticator
An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity at the other end of the link.
Authentication Exchange
The two-party conversation between systems performing an authentication process.
IEEE 802.1X Port-Based Network Access Control was designed to provide access control
functions for LANs. Table 5.1 briefly defines key terms used in the IEEE 802.11
standard. The terms supplicant, network access point, and authentication server correspond
to the EAP terms peer, authenticator, and authentication server, respectively.
Until the AS authenticates a supplicant (using an authentication protocol),
the authenticator only passes control and authentication messages between the supplicant
and the AS; the 802.1X control channel is unblocked, but the 802.11 data
channel is blocked. Once a supplicant is authenticated and keys are provided, the
authenticator can forward data from the supplicant, subject to predefined access
control limitations for the supplicant to the network. Under these circumstances,
the data channel is unblocked.
Table 5.1: Terminology Related to IEEE 802.1X (2 of 5)
Authentication Process
The cryptographic operations and supporting data frames that perform the actual authentication.
Authentication Server (AS)
An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the system in which the authenticator resides.
Table 5.1: Terminology Related to IEEE 802.1X (3 of 5)
Authentication Transport
The datagram session that actively transfers the authentication exchange between two systems.
Bridge Port
A port of an IEEE 802.1D or 802.1Q bridge.
Edge Port
A bridge port attached to a LAN that has no other bridges attached to it.
Table 5.1: Terminology Related to IEEE 802.1X (4 of 5)
Network Access Port
A point of attachment of a system to a LAN. It can be a physical port, such as a single LAN MAC attached to a physical LAN segment, or a logical port, for example, an IEEE 802.11 association between a station and an access point.
Port Access Entity (PAE)
The protocol entity associated with a port. It can support the protocol functionality associated with the authenticator, the supplicant, or both.
Table 5.1: Terminology Related to IEEE 802.1X (5 of 5)
Supplicant
An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link.
Figure 5-5: 802.1X Access Control
As indicated in Figure 5.5, 802.1X uses the concepts of controlled and uncontrolled
ports. Ports are logical entities defined within the authenticator and refer to
physical network connections. Each logical port is mapped to one of these two types
of physical ports. An uncontrolled port allows the exchange of protocol data units
(PDUs) between the supplicant and the AS, regardless of the authentication state
of the supplicant. A controlled port allows the exchange of PDUs between a supplicant
and other systems on the network only if the current state of the supplicant
authorizes such an exchange.
The essential element defined in 802.1X is a protocol known as EAPOL (EAP
over LAN). EAPOL operates at the network layers and makes use of an IEEE 802
LAN, such as Ethernet or Wi-Fi, at the link level. EAPOL enables a supplicant to
communicate with an authenticator and supports the exchange of EAP packets for
authentication.
Table 5.2: Common EAPOL Frame Types
| Frame Type | Definition |
| --- | --- |
| EAPOL-EAP | Contains an encapsulated EAP packet. |
| EAPOL-Start | A supplicant can issue this packet instead of waiting for a challenge from the authenticator. |
| EAPOL-Logoff | Used to return the state of the port to unauthorized when the supplicant is finished using the network. |
| EAPOL-Key | Used to exchange cryptographic keying information. |
The most common EAPOL packets are listed in Table 5.2. When the
supplicant first connects to the LAN, it does not know the MAC address of the
authenticator. In fact, it does not know whether there is an authenticator present
at all. By sending an EAPOL-Start packet to a special group-multicast address
reserved for IEEE 802.1X authenticators, a supplicant can determine whether an
authenticator is present and let it know that the supplicant is ready. In many cases,
the authenticator will already have been notified that a new device has connected by
some hardware notification. For example, a hub knows that a cable is plugged in
before the device sends any data. In this case the authenticator may preempt the
Start message with its own message. In either case, the authenticator sends an EAP Request
Identity message encapsulated in an EAPOL-EAP packet. EAPOL-EAP
is the EAPOL frame type used for transporting EAP packets.
The authenticator uses the EAPOL-Key packet to send cryptographic keys to the
supplicant once it has decided to admit it to the network. The EAPOL-Logoff packet
type indicates that the supplicant wishes to be disconnected from the network.
Figure 5-6: Example Timing Diagram for I E E E 802.1X
The EAPOL packet format includes the following fields:
• Protocol version: The version of EAPOL.
• Packet type: Indicates Start, EAP, Key, Logoff, etc.
• Packet body length: If the packet includes a body, this field indicates the body
length.
• Packet body: The payload for this EAPOL packet. An example is an EAP packet.
Figure 5.6 shows an example of exchange using EAPOL. In Chapter 7, we examine
the use of EAP and EAPOL in the context of IEEE 802.11 wireless LAN security.
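The field layout just listed and the Start / Request-Identity / Logoff exchange described above, as an added example that is not from the textbook: a small Python encoder and parser for EAPOL frames and the EAP packet they carry. The packet-type and EAP code values are the standard ones from IEEE 802.1X and RFC 3748; the identity "alice", the identifier 0x2A and the malformed frames are constructed for the demonstration. The parser rejects a body length that exceeds the bytes present instead of reading past the buffer, which is the check a receiving authenticator or supplicant needs.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAPOL Packet Type values from IEEE 802.1X; the four listed in Table 5.2.
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAPOL_TYPES = {EAPOL_EAP: "EAPOL-EAP", EAPOL_START: "EAPOL-Start",
               EAPOL_LOGOFF: "EAPOL-Logoff", EAPOL_KEY: "EAPOL-Key"}
# EAP Code values and the Identity method type from RFC 3748.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAPOL_VERSION = 2  # protocol version used by IEEE 802.1X-2004


@dataclass
class EapolFrame:
    version: int
    packet_type: str
    body: bytes
    eap: Optional[dict]  # decoded EAP packet for EAPOL-EAP, else None


def parse_eap(body: bytes) -> dict:
    """Decode the EAP packet carried in an EAPOL-EAP body (RFC 3748 header)."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    # The EAP Length covers the whole EAP packet; reject values that do not
    # fit the bytes actually present rather than reading past the buffer.
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} inconsistent with {len(body)} body bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "identifier": identifier}
    if code in (1, 2):  # Request and Response carry a Type octet plus type data
        if length < 5:
            raise ValueError("EAP Request/Response is missing its Type octet")
        pkt["type"] = body[4]
        pkt["type_data"] = body[5:length]
    return pkt


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode the EAPOL header: version (1), packet type (1), body length (2), body."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its 4-byte header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    if body_len > len(frame) - 4:
        raise ValueError(f"body length {body_len} exceeds {len(frame) - 4} bytes present")
    body = frame[4:4 + body_len]  # anything past body_len is Ethernet padding
    eap = parse_eap(body) if ptype == EAPOL_EAP else None
    return EapolFrame(version, EAPOL_TYPES[ptype], body, eap)


def is_well_formed(frame: bytes) -> bool:
    """True if the frame passes every check in parse_eapol/parse_eap."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_eapol(packet_type: int, body: bytes = b"") -> bytes:
    """Encode an EAPOL frame; EAPOL-Start and EAPOL-Logoff carry an empty body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def build_eap_identity(code: int, identifier: int, identity: bytes = b"") -> bytes:
    """EAP Request/Identity (code 1) or Response/Identity (code 2, carrying the name)."""
    return struct.pack("!BBHB", code, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def example_exchange() -> List[EapolFrame]:
    """Constructed sample of the opening of Figure 5.6: Start, Request/Identity,
    Response/Identity, and a later Logoff. The identity 'alice' is made up."""
    wire = [
        build_eapol(EAPOL_START),                                       # supplicant
        build_eapol(EAPOL_EAP, build_eap_identity(1, 0x2A)),            # authenticator
        build_eapol(EAPOL_EAP, build_eap_identity(2, 0x2A, b"alice")),  # supplicant
        build_eapol(EAPOL_LOGOFF),                                      # supplicant
    ]
    return [parse_eapol(f) for f in wire]


if __name__ == "__main__":
    for f in example_exchange():
        print(f.packet_type, f.eap)
    # A frame whose declared body length exceeds the bytes present is rejected.
    print(is_well_formed(bytes([EAPOL_VERSION, EAPOL_EAP, 0x00, 0x20, 1, 1, 0, 5, 1])))
```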
Cloud Computing
NIST defines cloud computing, in NIST SP-800-145 (The NIST Definition of Cloud Computing), as follows:
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
There is an increasingly prominent trend in many organizations to move a
substantial portion of or even all information technology (IT) operations to an
Internet-connected infrastructure known as enterprise cloud computing. This
section provides an overview of cloud computing.
NIST defines cloud computing, in NIST SP-800-145 (The NIST Definition of Cloud
Computing), as follows:
Cloud computing: A model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction. This
cloud model promotes availability and is composed of five essential characteristics,
three service models, and four deployment models.
Figure 5-7: Cloud Computing Elements
The definition refers to various models and characteristics, whose relationship is
illustrated in Figure 5.7. The essential characteristics of cloud computing include
the following:
• Broad network access: Capabilities are available over the network and accessed
through standard mechanisms that promote use by heterogeneous thin
or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as
other traditional or cloud-based software services.
• Rapid elasticity: Cloud computing gives you the ability to expand and reduce
resources according to your specific service requirement. For example, you
may need a large number of server resources for the duration of a specific
task. You can then release these resources upon completion of the task.
• Measured service: Cloud systems automatically control and optimize resource
use by leveraging a metering capability at some level of abstraction appropriate
to the type of service (e.g., storage, processing, bandwidth, and active user
accounts). Resource usage can be monitored, controlled, and reported, providing
transparency for both the provider and consumer of the utilized service.
• On-demand self-service: A consumer can unilaterally provision computing
capabilities, such as server time and network storage, as needed automatically
without requiring human interaction with each service provider. Because
the service is on demand, the resources are not permanent parts of your IT
infrastructure.
• Resource pooling: The provider’s computing resources are pooled to serve
multiple consumers using a multi-tenant model, with different physical and
virtual resources dynamically assigned and reassigned according to consumer
demand. There is a degree of location independence in that the customer
generally has no control or knowledge of the exact location of the provided
resources, but may be able to specify location at a higher level of abstraction
(e.g., country, state, or data center). Examples of resources include storage,
processing, memory, network bandwidth, and virtual machines. Even
private clouds tend to pool resources between different parts of the same
organization.
NIST defines three service models, which can be viewed as nested service
alternatives:
• Software as a service (SaaS): The capability provided to the consumer is to
use the provider’s applications running on a cloud infrastructure. The applications
are accessible from various client devices through a thin client interface
such as a Web browser. Instead of obtaining desktop and server licenses
for software products it uses, an enterprise obtains the same functions from
the cloud service. SaaS saves the complexity of software installation, maintenance,
upgrades, and patches. Examples of services at this level are Gmail,
Google’s e-mail service, and Salesforce.com, which helps firms keep track of
their customers.
• Platform as a service (PaaS): The capability provided to the consumer is to
deploy onto the cloud infrastructure consumer-created or acquired applications
created using programming languages and tools supported by the provider.
PaaS often provides middleware-style services such as database and
component services for use by applications. In effect, PaaS is an operating
system in the cloud.
• Infrastructure as a service (IaaS): The capability provided to the consumer is
to provision processing, storage, networks, and other fundamental computing
resources where the consumer is able to deploy and run arbitrary software,
which can include operating systems and applications. IaaS enables customers
to combine basic computing services, such as number crunching and data storage,
to build highly adaptable computer systems.
NIST defines four deployment models:
• Public cloud: The cloud infrastructure is made available to the general public
or a large industry group and is owned by an organization selling cloud services.
The cloud provider is responsible both for the cloud infrastructure and
for the control of data and operations within the cloud.
• Private cloud: The cloud infrastructure is operated solely for an organization.
It may be managed by the organization or a third party and may exist on
premise or off premise. The cloud provider (CP) is responsible only for the
infrastructure and not for the control.
• Community cloud: The cloud infrastructure is shared by several organizations
and supports a specific community that has shared concerns (e.g., mission,
security requirements, policy, and compliance considerations). It may be managed
by the organizations or a third party and may exist on premise or off
premise.
• Hybrid cloud: The cloud infrastructure is a composition of two or more clouds
(private, community, or public) that remain unique entities but are bound together
by standardized or proprietary technology that enables data and application
portability (e.g., cloud bursting for load balancing between clouds).
Figure 5-7: Cloud Computing Contexts
Figure 5.8 illustrates the typical cloud service context. An enterprise maintains
workstations within an enterprise LAN or set of LANs, which are connected
by a router through a network or the Internet to the cloud service provider. The
cloud service provider maintains a massive collection of servers, which it manages
with a variety of network management, redundancy, and security tools. In the figure,
the cloud infrastructure is shown as a collection of blade servers, which is a
common architecture.
Cloud Computing Reference Architecture (1 of 2)
NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows:
“The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies
NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference
architecture, described as follows:
The NIST cloud computing reference architecture focuses on the requirements
of “what” cloud services provide, not a “how to” design solution and implementation.
The reference architecture is intended to facilitate the understanding of
the operational intricacies in cloud computing. It does not represent the system
architecture of a specific cloud computing system; instead it is a tool for describing,
discussing, and developing a system-specific architecture using a common
framework of reference.
Cloud Computing Reference Architecture (2 of 2)
in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”
Figure 5-9: N I S T Cloud Computing Reference Architecture
NIST developed the reference architecture with the following objectives
in mind:
• to illustrate and understand the various cloud services in the context of an
overall cloud computing conceptual model
• to provide a technical reference for consumers to understand, discuss, categorize,
and compare cloud services
• to facilitate the analysis of candidate standards for security, interoperability,
and portability and reference implementations
The reference architecture, depicted in Figure 5.9, defines five major actors
in terms of the roles and responsibilities:
• Cloud consumer: A person or organization that maintains a business relationship
with, and uses service from, cloud providers.
• Cloud provider: A person, organization, or entity responsible for making a
service available to interested parties.
• Cloud auditor: A party that can conduct independent assessment of cloud services,
information system operations, performance, and security of the cloud
implementation.
• Cloud broker: An entity that manages the use, performance, and delivery of
cloud services, and negotiates relationships between CPs and cloud consumers.
• Cloud carrier: An intermediary that provides connectivity and transport of
cloud services from CPs to cloud consumers.
Cloud Provider (1 of 3)
Cloud provider (CP)
Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
The roles of the cloud consumer and provider have already been discussed. To
summarize, a cloud provider can provide one or more of the cloud services to meet
IT and business requirements of cloud consumers. For each of the three service
models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities
needed to support that service model, together with a cloud interface for cloud service
consumers. For SaaS, the CP deploys, configures, maintains, and updates the
operation of the software applications on a cloud infrastructure so that the services
are provisioned at the expected service levels to cloud consumers. The consumers
of SaaS can be organizations that provide their members with access to software applications,
end users who directly use software applications, or software application
administrators who configure applications for end users.
For PaaS, the CP manages the computing infrastructure for the platform and
runs the cloud software that provides the components of the platform, such as runtime
software execution stack, databases, and other middleware components. Cloud
consumers of PaaS can employ the tools and execution resources provided by CPs to
develop, test, deploy, and manage the applications hosted in a cloud environment.
For IaaS, the CP acquires the physical computing resources underlying the
service, including the servers, networks, storage, and hosting infrastructure. The
IaaS cloud consumer in turn uses these computing resources, such as a virtual computer,
for their fundamental computing needs.
Cloud Provider (2 of 3)
For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components
Cloud Provider (3 of 3)
For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure
Roles and Responsibilities (1 of 3)
Cloud carrier
A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs
Cloud auditor
An independent entity that can assure that the CP conforms to a set of standards
The cloud carrier is a networking facility that provides connectivity and transport
of cloud services between cloud consumers and CPs. Typically, a CP will set up
service level agreements (SLAs) with a cloud carrier to provide services consistent
with the level of SLAs offered to cloud consumers, and may require the cloud carrier
to provide dedicated and secure connections between cloud consumers and CPs.
A cloud broker is useful when cloud services are too complex for a cloud consumer
to easily manage. Three areas of support can be offered by a cloud broker:
• Service intermediation: These are value-added services, such as identity management,
performance reporting, and enhanced security.
• Service aggregation: The broker combines multiple cloud services to meet
consumer needs not specifically addressed by a single CP, or to optimize performance
or minimize cost.
• Service arbitrage: This is similar to service aggregation except that the services
being aggregated are not fixed. Service arbitrage means a broker has the flexibility
to choose services from multiple agencies. The cloud broker, for example, can
use a credit-scoring service to measure and select an agency with the best score.
A cloud auditor can evaluate the services provided by a CP in terms of security
controls, privacy impact, performance, and so on. The auditor is an independent
entity that can assure that the CP conforms to a set of standards.
Roles and Responsibilities (2 of 3)
Useful when cloud services are too complex for a cloud consumer to easily manage
Three areas of support can be offered by a cloud broker:
Service intermediation
Value-added services such as identity management, performance reporting, and enhanced security
Roles and Responsibilities (3 of 3)
Service aggregation
The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
Service arbitrage
A broker has the flexibility to choose services from multiple agencies
Cloud Security Risks and Countermeasures (1 of 2)
The Cloud Security Alliance [CSA10] lists the following as the top cloud-specific security threats, together with suggested countermeasures:
Abuse and nefarious use of cloud computing
Countermeasures: Stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination; comprehensive introspection of customer network traffic; monitoring public blacklists for one’s own network blocks
In general terms, security controls in cloud computing are similar to the security
controls in any IT environment. However, because of the operational models and
technologies used to enable cloud service, cloud computing may present risks that
are specific to the cloud environment. The essential concept in this regard is that the
enterprise loses a substantial amount of control over resources, services, and applications
but must maintain accountability for security and privacy policies.
The Cloud Security Alliance [CSA10] lists the following as the top cloud specific
security threats, together with suggested countermeasures:
• Abuse and nefarious use of cloud computing: For many CPs, it is relatively
easy to register and begin using cloud services, some even offering free limited
trial periods. This enables attackers to get inside the cloud to conduct various
attacks, such as spamming, malicious code attacks, and denial of service. PaaS
providers have traditionally suffered most from this kind of attack; however,
recent evidence shows that hackers have begun to target IaaS vendors as well.
The burden is on the CP to protect against such attacks, but cloud service clients
must monitor activity with respect to their data and resources to detect
any malicious behavior.
Countermeasures include (1) stricter initial registration and validation
processes; (2) enhanced credit card fraud monitoring and coordination;
(3) comprehensive introspection of customer network traffic; and (4) monitoring
public blacklists for one’s own network blocks.
• Malicious insiders: Under the cloud computing paradigm, an organization relinquishes
direct control over many aspects of security and, in doing so, confers
an unprecedented level of trust onto the CP. One grave concern is the risk
of malicious insider activity. Cloud architectures necessitate certain roles that
are extremely high risk. Examples include CP system administrators and managed
security service providers.
Countermeasures include the following: (1) enforce strict supply chain
management and conduct a comprehensive supplier assessment; (2) specify
human resource requirements as part of legal contract; (3) require transparency
into overall information security and management practices, as well
as compliance reporting; and (4) determine security breach notification
processes.
Cloud Security Risks and Countermeasures (2 of 2)
Malicious insiders
Countermeasures: Enforce strict supply chain management and conduct a comprehensive supplier assessment; specify human resource requirements as part of legal contract; require transparency into overall information security and management practices, as well as compliance reporting; determine security breach notification processes
Risks and Countermeasures (1 of 5)
Insecure interfaces and APIs
Countermeasures: Analyzing the security model of CP interfaces; ensuring that strong authentication and access controls are implemented in concert with encrypted transmission; understanding the dependency chain associated with the API
• Insecure interfaces and APIs: CPs expose a set of software interfaces or APIs
that customers use to manage and interact with cloud services. The security
and availability of general cloud services are dependent upon the security of
these basic APIs. From authentication and access control to encryption and
activity monitoring, these interfaces must be designed to protect against both
accidental and malicious attempts to circumvent policy.
Countermeasures include (1) analyzing the security model of CP
interfaces; (2) ensuring that strong authentication and access controls are
implemented in concert with encrypted transmission; and (3) understanding
the dependency chain associated with the API.
• Shared technology issues: IaaS vendors deliver their services in a scalable way
by sharing infrastructure. Often, the underlying components that make up this
infrastructure (CPU caches, GPUs, etc.) were not designed to offer strong
isolation properties for a multi-tenant architecture. CPs typically approach
this risk by the use of isolated virtual machines for individual clients. This approach
is still vulnerable to attack, by both insiders and outsiders, and so can
only be a part of an overall security strategy.
Countermeasures include the following: (1) implement security best
practices for installation/configuration; (2) monitor environment for unauthorized
changes/activity; (3) promote strong authentication and access control
for administrative access and operations; (4) enforce SLAs for patching
and vulnerability remediation; and (5) conduct vulnerability scanning and
configuration audits.
• Data loss or leakage: For many clients, the most devastating impact from a
security breach is the loss or leakage of data. We address this issue in the next
subsection.
Countermeasures include the following: (1) implement strong API access
control; (2) encrypt and protect integrity of data in transit; (3) analyze
data protection at both design and run time; and (4) implement strong key
generation, storage and management, and destruction practices.
Risks and Countermeasures (2 of 5)
Shared technology issues
Countermeasures: Implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits
• Insecure interfaces and APIs: CPs expose a set of software interfaces or APIs
that customers use to manage and interact with cloud services. The security
and availability of general cloud services are dependent upon the security of
these basic APIs. From authentication and access control to encryption and
activity monitoring, these interfaces must be designed to protect against both
accidental and malicious attempts to circumvent policy.
Countermeasures include (1) analyzing the security model of CP
interfaces; (2) ensuring that strong authentication and access controls are
implemented in concert with encrypted transmission; and (3) understanding
the dependency chain associated with the API.
Risks and Countermeasures (3 of 5)
Data loss or leakage
Countermeasures: Implement strong A P I access control; encrypt and protect integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices
Risks and Countermeasures (4 of 5)
Account or service hijacking
Countermeasures: Prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand C P security policies and S LAs
• Account or service hijacking: Account or service hijacking, usually with stolen
credentials, remains a top threat. With stolen credentials, attackers can
often access critical areas of deployed cloud computing services, allowing
them to compromise the confidentiality, integrity, and availability of those
services.
Countermeasures include the following: (1) prohibit the sharing of
account credentials between users and services; (2) leverage strong two-factor
authentication techniques where possible; (3) employ proactive monitoring
to detect unauthorized activity; and (4) understand CP security policies
and SLAs.
• Unknown risk profile: In using cloud infrastructures, the client necessarily
cedes control to the CP on a number of issues that may affect security. Thus
the client must pay attention to and clearly define the roles and responsibilities
involved for managing risks. For example, employees may deploy applications
and data resources at the CP without observing the normal policies and
procedures for privacy, security, and oversight.
Countermeasures include (1) disclosure of applicable logs and data; (2)
partial/full disclosure of infrastructure details (e.g., patch levels and firewalls);
and (3) monitoring and alerting on necessary information.
Similar lists have been developed by the European Network and Information
Security Agency [ENIS09] and NIST [JANS11].
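The countermeasures for account or service hijacking listed above include prohibiting credential sharing between users and services and "proactive monitoring to detect unauthorized activity". The following is an added example (not code from the textbook) of what such monitoring looks like in practice: a detector run over a handful of constructed audit-log records. The record fields (`ts`, `principal`, `src_ip`, `event`, `mfa`) and the 15-minute window are assumptions made for the example and do not follow any particular provider's log schema.

```python
"""Proactive monitoring for account or service hijacking.

Added example, not from the textbook: raises an alert when one credential
is used from more than one source address inside a short window (a pattern
consistent with sharing or theft of the credential) and when an interactive
sign-in completed without a second factor. Field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real log data).
SAMPLE_LOG = """
{"ts": "2017-03-01T09:00:00Z", "principal": "svc-backup", "src_ip": "10.0.5.20", "event": "api_call", "mfa": false}
{"ts": "2017-03-01T09:02:00Z", "principal": "svc-backup", "src_ip": "198.51.100.7", "event": "api_call", "mfa": false}
{"ts": "2017-03-01T09:05:00Z", "principal": "alice", "src_ip": "10.0.1.4", "event": "console_login", "mfa": true}
{"ts": "2017-03-01T09:30:00Z", "principal": "bob", "src_ip": "203.0.113.9", "event": "console_login", "mfa": false}
{"ts": "2017-03-01T13:00:00Z", "principal": "alice", "src_ip": "10.0.1.9", "event": "api_call", "mfa": true}
"""

REUSE_WINDOW = timedelta(minutes=15)  # assumed tuning value


def parse_events(raw: str) -> List[Dict]:
    """Parse one JSON object per line, skip blank lines, and sort by timestamp."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events: List[Dict]) -> List[Dict]:
    """Return alerts for credential reuse across sources and MFA-less console logins."""
    alerts: List[Dict] = []
    by_principal: Dict[str, List[Dict]] = defaultdict(list)
    for rec in events:
        by_principal[rec["principal"]].append(rec)

    # Rule 1: the same credential seen from two different source addresses
    # within REUSE_WINDOW. A service credential should not appear from an
    # unexpected network at all; a user credential rarely moves that fast.
    for principal, recs in by_principal.items():
        for i, rec in enumerate(recs):
            earlier = [p for p in recs[:i]
                       if rec["ts"] - p["ts"] <= REUSE_WINDOW and p["src_ip"] != rec["src_ip"]]
            if earlier:
                alerts.append({
                    "rule": "credential_reuse",
                    "principal": principal,
                    "ips": sorted({rec["src_ip"]} | {p["src_ip"] for p in earlier}),
                })
                break  # one alert per principal is enough for triage

    # Rule 2: interactive sign-in that did not complete a second factor.
    for rec in events:
        if rec["event"] == "console_login" and not rec["mfa"]:
            alerts.append({"rule": "login_without_mfa",
                           "principal": rec["principal"], "ips": [rec["src_ip"]]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data the service credential `svc-backup` is flagged because it appears from two networks two minutes apart, and `bob` is flagged for a console login without MFA; `alice` is not flagged because her two source addresses are hours apart. In a real deployment the window and the notion of "different source" (address, network, or geography) are tuned per principal type.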
Risks and Countermeasures (5 of 5)
Unknown risk profile
Countermeasures: Disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (1 of 10)
Governance
Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services.
Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
As can be seen from the previous section, there are numerous aspects to cloud
security and numerous approaches to providing cloud security measures. A further
example is seen in the NIST guidelines for cloud security, specified in SP-800-14 and
listed in Table 5.3. Thus, the topic of cloud security is well beyond the scope of this
chapter. In this section, we focus on one specific element of cloud security.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (2 of 10)
Compliance
Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (3 of 10)
Review the cloud provider's offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements. Ensure that the cloud provider's electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.
Trust
Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (4 of 10)
Establish clear, exclusive ownership rights over data.
Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system. Continuously monitor the security state of the information system to support ongoing risk management decisions.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (5 of 10)
Architecture
Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.
Identity and Access Management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (6 of 10)
Software Isolation
Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.
Data protection
Evaluate the suitability of the cloud provider's data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.
Table 5.3 NIST Guidelines on Security and Privacy Issues and Recommendations
(page 2 of 2)
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (7 of 10)
Take into consideration the risk of collating organizational data with those of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value. Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (8 of 10)
Availability
Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization's continuity and contingency planning requirements.
Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (9 of 10)
Incident response
Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization.
Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.
Table 5.3: N I S T Guidelines on Security and Privacy Issues and Recommendations (10 of 10)
Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.
Data Protection in the Cloud (1 of 4)
The threat of data compromise increases in the cloud
Database environments used in cloud computing can vary significantly
Multi-instance model
Provides a unique D B M S running on a virtual machine instance for each cloud subscriber
This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security
There are many ways to compromise data. Deletion or alteration of records
without a backup of the original content is an obvious example. Unlinking a record
from a larger context may render it unrecoverable, as can storage on unreliable
media. Loss of an encoding key may result in effective destruction. Finally, unauthorized
parties must be prevented from gaining access to sensitive data.
The threat of data compromise increases in the cloud, due to the number of
and interactions between risks and challenges that are either unique to the cloud or
more dangerous because of the architectural or operational characteristics of the
cloud environment.
Database environments used in cloud computing can vary significantly. Some
providers support a multi-instance model, which provides a unique DBMS running
on a virtual machine instance for each cloud subscriber. This gives the subscriber
complete control over role definition, user authorization, and other administrative
tasks related to security. Other providers support a multi-tenant model, which provides
a predefined environment for the cloud subscriber that is shared with other
tenants, typically through tagging data with a subscriber identifier. Tagging gives
the appearance of exclusive use of the instance, but relies on the CP to establish and
maintain a sound secure database environment.
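The multi-tenant model described above isolates subscribers only by a tag on each row, so the isolation holds only if every statement the provider issues carries that tag. The following added example (not code from the textbook) makes that dependency concrete with an in-memory sqlite3 table: `unscoped_lookup()` shows what a query that omits the tag exposes, and `TenantScopedDB` binds the subscriber's tag on every read and write so there is no code path that can forget it. The table, column, and tenant names are assumptions made for the example.

```python
"""Multi-tenant database isolation by subscriber tagging.

Added example, not from the textbook: one shared table in which every row
is tagged with a tenant_id, a defective accessor that omits the tag, and a
scoped accessor that applies it to every statement. Names are assumptions.
"""
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data: (tenant_id, record_id, payload). Record ids are
# only unique within a tenant, which is exactly what makes the tag essential.
SAMPLE_ROWS = [
    ("acme", 1, "acme payroll Q1"),
    ("acme", 2, "acme payroll Q2"),
    ("globex", 1, "globex merger memo"),
]


def build_db() -> sqlite3.Connection:
    """Create the shared table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " tenant_id TEXT NOT NULL,"
        " record_id INTEGER NOT NULL,"
        " payload TEXT NOT NULL,"
        " PRIMARY KEY (tenant_id, record_id))"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unscoped_lookup(conn: sqlite3.Connection, record_id: int) -> List[Tuple[str, str]]:
    """Defective accessor: the tenant tag is missing from the WHERE clause,
    so looking up record 1 returns the row of every tenant that has one."""
    return conn.execute(
        "SELECT tenant_id, payload FROM records WHERE record_id = ?", (record_id,)
    ).fetchall()


class TenantScopedDB:
    """Accessor that carries the subscriber's tag and applies it to every statement.

    Callers never supply SQL, so the tenant predicate cannot be omitted.
    Writes are scoped like reads: a tenant cannot update a row it cannot see.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self._conn = conn
        self._tenant = tenant_id

    def get_record(self, record_id: int) -> Optional[str]:
        row = self._conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? AND record_id = ?",
            (self._tenant, record_id),
        ).fetchone()
        return row[0] if row else None

    def list_records(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? ORDER BY record_id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]

    def update_record(self, record_id: int, payload: str) -> int:
        """Return the number of rows changed: 0 when the row belongs to another tenant."""
        cur = self._conn.execute(
            "UPDATE records SET payload = ? WHERE tenant_id = ? AND record_id = ?",
            (payload, self._tenant, record_id),
        )
        self._conn.commit()
        return cur.rowcount
```

The point the subscriber should take from this is the one the text makes: with tagging, the correctness of every provider-side query is the isolation boundary, and the subscriber has no way to verify it from outside. Database engines that support row-level security policies let the predicate be enforced by the engine rather than by each query, which removes one class of this mistake but still leaves the policy definition in the provider's hands.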
Data Protection in the Cloud (2 of 4)
Multi-tenant model
Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
Tagging gives the appearance of exclusive use of the instance, but relies on the C P to establish and maintain a sound secure database environment
Data Protection in the Cloud (3 of 4)
Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
The client can employ encryption to protect data in transit, though this involves key management responsibilities for the C P
For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the C P having no access to the encryption key
Data must be secured while at rest, in transit, and in use, and access to the
data must be controlled. The client can employ encryption to protect data in transit,
though this involves key management responsibilities for the CP. The client can
enforce access control techniques but, again, the CP is involved to some extent depending
on the service model used.
For data at rest, the ideal security measure is for the client to encrypt the database
and only store encrypted data in the cloud, with the CP having no access to the
encryption key. So long as the key remains secure, the CP has no ability to read the
data, although corruption and other denial-of-service attacks remain a risk.
A straightforward solution to the security problem in this context is to encrypt
the entire database and not provide the encryption/decryption keys to the
service provider. This solution by itself is inflexible. The user has little ability to
access individual data items based on searches or indexing on key parameters, but
rather would have to download entire tables from the database, decrypt the tables,
and work with the results. To provide more flexibility, it must be possible to work
with the database in its encrypted form.
Data Protection in the Cloud (4 of 4)
A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider
The user has little ability to access individual data items based on searches or indexing on key parameters
The user would have to download entire tables from the database, decrypt the tables, and work with the results
To provide more flexibility it must be possible to work with the database in its encrypted form
Figure 5-10: An Encryption Scheme for a Cloud-Based Database
An example of such an approach, depicted in Figure 5.10, is reported in
[DAMI05] and [DAMI03]. A similar approach is described in [HACI02]. Four entities
are involved:
• Data owner: An organization that produces data to be made available for controlled
release, either within the organization or to external users.
• User: Human entity that presents requests (queries) to the system. The user
could be an employee of the organization who is granted access to the database
via the server, or a user external to the organization who, after authentication,
is granted access.
• Client: Frontend that transforms user queries into queries on the encrypted
data stored on the server.
• Server: An organization that receives the encrypted data from a data owner
and makes them available for distribution to clients. The server could in fact
be owned by the data owner but, more typically, is a facility owned and maintained
by an external provider. For our discussion, the server is a cloud server.
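The two preceding passages describe the problem (encrypting the whole database leaves the client unable to search without downloading everything) and the shape of the solution (a client that rewrites user queries into queries over encrypted data held by a server). The following added example, which is not the textbook's or [DAMI05]'s code, implements the simplest form of that scheme: the client encrypts each record under a key the server never holds and attaches a coarse bucket value derived from one searchable attribute; the server answers an equality query on the bucket alone and returns the candidate ciphertexts; the client decrypts them and discards the false positives that bucketing produces. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, chosen so that the block runs on the standard library alone (a deployment would use a vetted AEAD such as AES-GCM); the record layout, the attribute names, and the bucket count are assumptions made for the example.

```python
"""Working with an encrypted database through a client-side index.
Added example (not the textbook's or [DAMI05]'s code). The cipher is
HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so that the block
runs on the standard library alone; use a vetted AEAD such as AES-GCM in practice.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List

NUM_BUCKETS = 4  # deliberately small so that bucket collisions (false positives) occur

def _derive(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()  # per-purpose subkey

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject any modification."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class CloudServer:
    """Server entity: holds (bucket, ciphertext) pairs, never keys or plaintext."""
    def __init__(self) -> None:
        self.rows: List[Dict] = []

    def store(self, bucket: int, blob: bytes) -> None:
        self.rows.append({"bucket": bucket, "blob": blob})

    def query(self, bucket: int) -> List[bytes]:
        return [r["blob"] for r in self.rows if r["bucket"] == bucket]

class Client:
    """Client entity: encrypts the data owner's rows and rewrites user queries."""
    def __init__(self, master: bytes, server: CloudServer, indexed_attr: str) -> None:
        self._master, self._server, self._attr = master, server, indexed_attr
        self._idx_key = _derive(master, b"index")  # keyed, so buckets are not guessable

    def _bucket_of(self, value: str) -> int:
        mac = hmac.new(self._idx_key, f"{self._attr}={value}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") % NUM_BUCKETS

    def insert(self, row: Dict[str, str]) -> None:
        blob = encrypt(self._master, json.dumps(row, sort_keys=True).encode())
        self._server.store(self._bucket_of(row[self._attr]), blob)

    def select_where(self, value: str) -> List[Dict[str, str]]:
        """'attr = value' becomes a bucket query; false positives are dropped after decryption."""
        candidates = self._server.query(self._bucket_of(value))
        rows = [json.loads(decrypt(self._master, b)) for b in candidates]
        return [r for r in rows if r[self._attr] == value]

SAMPLE_ROWS = [  # constructed sample records, not real data
    {"id": "1", "name": "alice", "dept": "finance"},
    {"id": "2", "name": "bob", "dept": "engineering"},
    {"id": "3", "name": "carol", "dept": "finance"},
    {"id": "4", "name": "dave", "dept": "legal"},
]

def demo() -> Dict[str, object]:
    """Load the sample records, run one query, and report what the server could see."""
    server = CloudServer()
    client = Client(os.urandom(32), server, indexed_attr="dept")
    for row in SAMPLE_ROWS:
        client.insert(row)
    names = sorted(r["name"] for r in client.select_where("finance"))
    stored = b"".join(r["blob"] for r in server.rows)
    return {"names": names, "plaintext_on_server": b"finance" in stored or b"alice" in stored}

def tamper_is_detected() -> bool:
    """Flip one ciphertext bit and confirm decrypt() refuses it."""
    key = b"k" * 32  # fixed key for this check only
    blob = bytearray(encrypt(key, b"secret record"))
    blob[20] ^= 0x01
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True
```

What the server learns is limited to the bucket of each row, so with few buckets several attribute values share one bucket and the server cannot tell which rows match a given query; the price is that the client receives and decrypts extra candidate rows. The authenticated tag addresses the "corruption" risk the text mentions for data at rest: a modified ciphertext is rejected rather than decrypted into garbage, although the server can still withhold rows, which no encryption scheme prevents.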
Cloud Security as a Service (S E C A A S) (1 of 2)
The Cloud Security Alliance defines S e c a a S as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on premise systems
The Cloud Security Alliance has identified the following SecaaS categories of service:
Identity and access management
Data loss prevention
Web security
The term security as a service (SecaaS) has generally meant a package of security
services offered by a service provider that offloads much of the security responsibility
from an enterprise to the security service provider. Among the services typically
provided are authentication, antivirus, antimalware/antispyware, intrusion detection,
and security event management. In the context of cloud computing, cloud security
as a service, designated SecaaS, is a segment of the SaaS offering of a CP.
The Cloud Security Alliance defines SecaaS as the provision of security applications
and services via the cloud either to cloud-based infrastructure and software
or from the cloud to the customers’ on-premise systems [CSA11b]. The Cloud
Security Alliance has identified the following SecaaS categories of service:
■ Identity and access management
■ Data loss prevention
■ Web security
■ E-mail security
■ Security assessments
■ Intrusion management
■ Security information and event management
■ Encryption
■ Business continuity and disaster recovery
■ Network security
Cloud Security as a Service (S E C A A S) (2 of 2)
E-mail security
Security assessments
Intrusion management
Security information and event management
Encryption
Business continuity and disaster recovery
Network security
Figure 5-11: Elements of Cloud Security as a Service
In this section, we examine these categories with a focus on security of the
cloud-based infrastructure and services (Figure 5.11).
Identity and access management (IAM) includes people, processes, and systems
that are used to manage access to enterprise resources by assuring that the
identity of an entity is verified, and then granting the correct level of access based
on this assured identity. One aspect of identity management is identity provisioning,
which has to do with providing access to identified users and subsequently
deprovisioning, or denying access to, users when the client enterprise designates such
users as no longer having access to enterprise resources in the cloud. Another aspect
of identity management is for the cloud to participate in the federated identity
management scheme (see Chapter 4) used by the client enterprise. Among
other requirements, the cloud service provider (CSP) must be able to exchange
identity attributes with the enterprise’s chosen identity provider.
The access management portion of IAM involves authentication and access
control services. For example, the CSP must be able to authenticate users in a
trustworthy manner. The access control requirements in SPI environments include
establishing trusted user profile and policy information, using it to control access
within the cloud service, and doing this in an auditable way.
Data loss prevention (DLP) is the monitoring, protection, and verification of the
security of data at rest, in motion, and in use. Much of DLP can be implemented by
the cloud client, such as discussed in Section 5.6. The CSP can also provide DLP
services, such as implementing rules about what functions can be performed on data
in various contexts.
Web security is real-time protection offered either on premise through software/
appliance installation or via the cloud by proxying or redirecting Web traffic
to the CP. This provides an added layer of protection on top of things like antiviruses
to prevent malware from entering the enterprise via activities such as Web
browsing. In addition to protecting against malware, a cloud-based Web security
service might include usage policy enforcement, data backup, traffic control, and
Web access control.
A CSP may provide a Web-based e-mail service, for which security measures
are needed. E-mail security provides control over inbound and outbound e-mail,
protecting the organization from phishing and malicious attachments, and enforcing corporate
policies such as acceptable use and spam prevention. The CSP may also incorporate
digital signatures on all e-mail clients and provide optional e-mail encryption.
Security assessments are third-party audits of cloud services. While this service
is outside the province of the CSP, the CSP can provide tools and access points to
facilitate various assessment activities.
Intrusion management encompasses intrusion detection, prevention, and response.
The core of this service is the implementation of intrusion detection systems
(IDSs) and intrusion prevention systems (IPSs) at entry points to the cloud and on
servers in the cloud. An IDS is a set of automated tools designed to detect unauthorized
access to a host system. We discuss this in Chapter 1. An IPS incorporates IDS
functionality but also includes mechanisms designed to block traffic from intruders.
Security information and event management (SIEM) aggregates (via push or
pull mechanisms) log and event data from virtual and real networks, applications,
and systems. This information is then correlated and analyzed to provide real-time
reporting and alerting on information/events that may require intervention or other
type of response. The CSP typically provides an integrated service that can put together
information from a variety of sources both within the cloud and within the
client enterprise network.
Encryption is a pervasive service that can be provided for data at rest in the
cloud, e-mail traffic, client-specific network management information, and identity
information. Encryption services provided by the CSP involve a range of complex
issues, including key management, how to implement virtual private network (VPN)
services in the cloud, application encryption, and data content access.
Business continuity and disaster recovery comprise measures and mechanisms
to ensure operational resiliency in the event of any service interruptions. This is an
area where the CSP, because of economies of scale, can offer obvious benefits to a
cloud service client [WOOD10]. The CSP can provide backup at multiple locations,
with reliable failover and disaster recovery facilities. This service must include a
flexible infrastructure, redundancy of functions and hardware, monitored operations,
geographically distributed data centers, and network survivability.
Network security consists of security services that allocate access, distribute,
monitor, and protect the underlying resource services. Services include perimeter and
server firewalls and denial-of-service protection. Many of the other services listed in
this section, including intrusion management, identity and access management, data
loss protection, and Web security, also contribute to the network security service.
Table 5.4: Control Functions and Classes
| Technical | Operational | Management |
|---|---|---|
| Access Control | Awareness and Training | Certification, Accreditation and Security Assessment |
| Audit and Accountability | Configuration and Management | Planning |
| Identification and Authentication | Contingency Planning | Risk Assessment |
| System and Communication Protection | Incident Response | System and Services Acquisition |
| | Maintenance | |
| | Media Protection | |
| | Physical and Environmental Protection | |
| | Personnel Security | |
| | System and Information Integrity | |
Numerous documents have been developed to guide businesses in thinking about the
security issues associated with cloud computing. In addition to SP 800-144, which
provides overall guidance, NIST has issued SP 800-146 (Cloud Computing Synopsis
and Recommendations, May 2012). NIST’s recommendations systematically consider
each of the major types of cloud services consumed by businesses including
Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as
a Service (PaaS). While security issues vary somewhat depending on the type of
cloud service, there are multiple NIST recommendations that are independent of
service type. Not surprisingly, NIST recommends selecting cloud providers that
support strong encryption, have appropriate redundancy mechanisms in place,
employ authentication mechanisms, and offer subscribers sufficient visibility about
mechanisms used to protect subscribers from other subscribers and the provider.
SP 800-146 also lists the overall security controls that are relevant in a cloud computing
environment and that must be assigned to the different cloud actors. These
are shown in Table 5.4.
As more businesses incorporate cloud services into their enterprise network
infrastructures, cloud computing security will persist as an important issue.
Examples of cloud computing security failures have the potential to chill
business interest in cloud services, and this is inspiring service providers
to take seriously the incorporation of security mechanisms that will allay the concerns of
potential subscribers. Some service providers have moved their operations to Tier 4
data centers to address user concerns about availability and redundancy. Because so
many businesses remain reluctant to embrace cloud computing in a big way, cloud
service providers will have to continue to work hard to convince potential customers
that computing support for core business processes and mission-critical applications
can be moved safely and securely to the cloud.
Summary
Network access control
  Elements of a network access control system
  Network access enforcement methods
Extensible authentication protocol
  Authentication methods
  EAP exchanges
IEEE 802.1X port-based network access control
Cloud computing
  Elements
  Reference architecture
Cloud security risks and countermeasures
Data protection in the cloud
Cloud security as a service
Addressing cloud computing security concerns
Chapter 5 summary.