Assignment
JB12345
CH13-CompSec4e.pptxComputer Security:
Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown
Lecture slides prepared for “Computer Security: Principles and Practice”, 4/e, by William Stallings and Lawrie Brown, Chapter 13 “Cloud and IoT Security”.
1
Chapter 13
Cloud and IoT Security
The two most significant developments in computing in recent years are cloud computing
and the Internet of Things (IoT). In both cases, security measures tailored to the specific
requirements of these environments are evolving. This chapter begins with an overview
of the concepts of cloud computing, followed by a discussion of cloud security. Then the
chapter examines the concepts of IoT and closes with a discussion of IoT security.
For further detail on the material on cloud computing and IoT in Sections 13.1
and 13.4, see [STAL16a].
2
Cloud Computing:
NIST defines cloud computing, in NIST SP-800-145 (The NIST Definition of Cloud Computing, September 2011) as follows:
“Cloud computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics,
three service models, and four deployment models.”
NIST defines cloud computing, in NIST SP-800-145 (The NIST Definition of Cloud
Computing ) as follows:
Cloud computing: A model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction. This
cloud model promotes availability and is composed of five essential characteristics,
three service models, and four deployment models.
3
The definition refers to various models and characteristics, whose relationship
is illustrated in Figure 13.1. The essential characteristics of cloud computing include
the following:
• Broad network access: Capabilities are available over the network and accessed
through standard mechanisms that promote use by heterogeneous thin or thick
client platforms (e.g., mobile phones, laptops, and tablets) as well as other traditional
or cloud-based software services.
• Rapid elasticity: Cloud computing gives you the ability to expand and reduce
resources according to your specific service requirement. For example, you may
need a large number of server resources for the duration of a specific task. You
can then release these resources upon completion of the task.
• Measured service: Cloud systems automatically control and optimize resource
use by leveraging a metering capability at some level of abstraction appropriate
to the type of service (e.g., storage, processing, bandwidth, and active user
accounts). Resource usage can be monitored, controlled, and reported, providing
transparency for both the provider and consumer of the utilized service.
• On-demand self-service: A cloud service consumer (CSC) can unilaterally
provision computing capabilities, such as server time and network storage, as
needed automatically without requiring human interaction with each service
provider. Because the service is on demand, the resources are not permanent
parts of the consumer’s IT infrastructure.
Resource pooling: The provider’s computing resources are pooled to serve
multiple CSCs using a multitenant model, with different physical and virtual
resources dynamically assigned and reassigned according to consumer demand.
There is a degree of location independence, in that the CSC generally has no
control or knowledge of the exact location of the provided resources, but may
be able to specify location at a higher level of abstraction (e.g., country, state,
or datacenter). Examples of resources include storage, processing, memory,
network bandwidth, and virtual machines (VMs). Even private clouds tend to
pool resources between different parts of the same organization.
4
Cloud Service Models
NIST SP 800-145 defines three service models , which can be viewed as nested service alternatives:
software as a service (SaaS), platform as a service (PaaS), and infrastructure
as a service (IaaS).
5
NIST defines three service models, which can be viewed as nested service alternatives
Software as a service (SaaS)
Platform as a service (PaaS)
Infrastructure as a service (IaaS)
Software as a Service (SaaS)
SaaS provides service to customers in the form of software,
specifically application software, running on and accessible in the cloud. SaaS follows
the familiar model of Web services, in this case applied to cloud resources. SaaS enables
the customer to use the cloud provider’s applications running on the provider’s cloud
infrastructure. The applications are accessible from various client devices through
a simple interface, such as a Web browser. Instead of obtaining desktop and server
licenses for software products it uses, an enterprise obtains the same functions from
the cloud service. The use of SaaS avoids the complexity of software installation,
maintenance, upgrades, and patches. Examples of services at this level are Google
Gmail, Microsoft 365, Salesforce, Citrix GoToMeeting, and Cisco WebEx.
Common subscribers to SaaS are organizations that want to provide their
employees with access to typical office productivity software, such as document
management and email. Individuals also commonly use the SaaS model to acquire
cloud resources. Typically, subscribers use specific applications on demand. The cloud
provider also usually offers data-related features, such as automatic backup and data
sharing between subscribers.
6
SaaS provides service to customers in the form of software, specifically application software, running on and accessible in the cloud
It enables the customer to use the cloud provider’s applications running on the provider’s cloud infrastructure
The applications are accessible from various client devices through a simple interface, such as a Web browser
Instead of obtaining desktop and server licenses for software products it uses, an enterprise obtains the same functions from the cloud service
The use of SaaS avoids the complexity of software installation, maintenance, upgrades, and patches
Examples of this service are Google Gmail, Microsoft 365, Salesforce, Citrix GoToMeeting, and Cisco WebEx
Platform as a Service (PaaS)
A PaaS cloud provides service to customers in the form of
a platform on which the customer’s applications can run. PaaS enables the customer
to deploy onto the cloud infrastructure customer-created or acquired applications.
A PaaS cloud provides useful software building blocks, plus a number of development
tools, such as programming language tools, run-time environments, and other tools
that assist in deploying new applications. In effect, PaaS is an operating system in
the cloud. PaaS is useful for an organization that wants to develop new or tailored
applications while paying for the needed computing resources only as needed, and
only for as long as needed. AppEngine, Engine Yard, Heroku, Microsoft Azure, Force.
com, and Apache Stratos are examples of PaaS.
7
A PaaS cloud provides service to customers in the form of a platform on which the customer’s applications can run
PaaS enables the customer to deploy onto the cloud infrastructure customer-created or acquired applications
A PaaS cloud provides useful software building blocks, plus a number of development tools, such as programming language tools, run-time environments, and other tools that assist in deploying new applications
In effect, PaaS is an operating system in the cloud
It is useful for an organization that wants to develop new or tailored applications while paying for the needed computing resources only as needed, and only for as long as needed
Examples of PaaS include AppEngine, Engine Yard, Heroku, Microsoft Azure, Force.com, and Apache Stratos
Infrastructure as a Service (IaaS)
With IaaS, the customer has access to the resources
of the underlying cloud infrastructure. The cloud service user does not manage or
control the resources of the underlying cloud infrastructure, but has control over
operating systems, deployed applications, and possibly limited control of select
networking components (e.g., host firewalls). IaaS provides virtual machines and
other virtualized hardware and operating systems. IaaS offers the customer processing,
storage, networks, and other fundamental computing resources so the customer is
able to deploy and run arbitrary software, which can include operating systems and
applications. IaaS enables customers to combine basic computing services, such as
number crunching and data storage, to build highly adaptable computer systems.
Typically, customers are able to self-provision this infrastructure, using a Webbased
graphical user interface that serves as an IT operations management console
for the overall environment. API access to the infrastructure may also be offered
as an option. Examples of IaaS are Amazon Elastic Compute Cloud (Amazon
EC2), Microsoft Windows Azure, Google Compute Engine (GCE), and Rackspace.
8
With IaaS, the customer has access to the resources of the underlying cloud infrastructure
The cloud service user does not manage or control the resources of the underlying cloud infrastructure, but has control over operating systems, deployed applications, and possibly limited control of select networking components
IaaS provides virtual machines and other virtualized hardware and operating systems
IaaS offers the customer processing, storage, networks, and other fundamental computing resources so the customer is able to deploy and run arbitrary software, which can include operating systems and applications
IaaS enables customers to combine basic computing services, such as number crunching and data storage, to build highly adaptable computer systems
Examples of IaaS are Amazon Elastic Compute Cloud, Microsoft Windows Azure, Google Compute Engine, and Rackspace
Figure 13.2 compares the functions implemented by the cloud service provider
for the three service models.
9
Cloud Deployment Models
There is an increasingly prominent trend in many organizations to move a substantial
portion or even all information technology (IT) operations to enterprise cloud
computing. The organization is faced with a range of choices as to cloud ownership
and management. In this subsection, we look at the four most prominent deployment models for
cloud computing.
10
The four most prominent deployment models for cloud computing are:
Public cloud
Community cloud
Private cloud
Hybrid cloud
Public Cloud
A public cloud infrastructure is made available to the general public or a large industry group, and is owned by an organization selling cloud services
The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud
A public cloud may be owned, managed, and operated by a business, academic, or government organization, or some combination of them
All major components are outside the enterprise firewall, located in a multitenant infrastructure
Applications and storage are made available over the Internet via secured IP, and can be free or offered at a pay-per-usage fee
The major advantage of the public cloud is cost
The principal concern is security
A public cloud infrastructure is made available to the general public
or a large industry group, and is owned by an organization selling cloud services.
The cloud provider is responsible both for the cloud infrastructure and for the control
of data and operations within the cloud. A public cloud may be owned, managed, and
operated by a business, academic, or government organization, or some combination
of them. It exists on the premises of the cloud service provider.
In a public cloud model, all major components are outside the enterprise firewall,
located in a multitenant infrastructure. Applications and storage are made
available over the Internet via secured IP, and can be free or offered at a pay-per-usage
fee. This type of cloud supplies easy-to-use consumer-type services, such as:
Amazon and Google on-demand Web applications or capacity; Yahoo mail; and
Facebook or LinkedIn social media providing free storage for photographs. While
public clouds are inexpensive and scale to meet needs, they typically provide no or
lower SLAs and may not offer the guarantees against data loss or corruption found
with private or hybrid cloud offerings. The public cloud is appropriate for CSCs
and entities not requiring the same levels of service that are expected within the
firewall. Also, the public IaaS clouds do not necessarily provide for restrictions and
compliance with privacy laws, which remain the responsibility of the subscriber or
corporate end user. In many public clouds, the focus is on the CSC and small and
medium sized businesses where pay-per-use pricing is available, often equating to
pennies per gigabyte. Examples of services here might be picture and music sharing,
laptop backup, or file sharing.
The major advantage of the public cloud is cost. A subscribing organization only
pays for the services and resources it needs and can adjust these as needed. Further,
the subscriber has greatly reduced management overhead. The principal concern is
security. However, there are a number of public cloud providers that have demonstrated
strong security controls and, in fact, such providers may have more resources
and expertise to devote to security that would be available in a private cloud.
11
Private Cloud
A private cloud is implemented within the internal IT environment
of the organization. The organization may choose to manage the cloud in house or
contract the management function to a third party. Additionally, the cloud servers
and storage devices may exist on premise or off premise.
Private clouds can deliver IaaS internally to employees or business units through
an intranet or the Internet via a virtual private network (VPN), as well as software
(applications) or storage as services to its branch offices. In both cases, private clouds
are a way to leverage existing infrastructure, and deliver and chargeback for bundled
or complete services from the privacy of the organization’s network. Examples of
services delivered through the private cloud include database on demand, email on
demand, and storage on demand.
A key motivation for opting for a private cloud is security. A private cloud
infrastructure offers tighter controls over the geographic location of data storage
and other aspects of security. Other benefits include easy resource sharing and rapid
deployment to organizational entities.
12
A private cloud is implemented within the internal IT environment of the organization
The organization may choose to manage the cloud in house or contract the management function to a third party
The cloud servers and storage devices may exist on premise or off premise
Private clouds can deliver IaaS internally to employees or busines units through an intranet or the Internet via a virtual private network (VPN), as well as software or storage as services to its branch offices
Examples of services delivered through the private cloud include database on demand, email on demand, and storage on demand
A key motivation for opting for a private cloud is security
Other benefits include easy resource sharing and rapid deployment to organizational entities
Community Cloud
A community cloud shares characteristics of private and public
clouds. Like a private cloud, a community cloud has restricted access. Like a public
cloud, the cloud resources are shared among a number of independent organizations.
The organizations that share the community cloud have similar requirements and,
typically, a need to exchange data with each other. One example of an industry that
is employing the community cloud concept is the health care industry. A community
cloud can be implemented to comply with government privacy and other regulations.
The community participants can exchange data in a controlled fashion.
The cloud infrastructure may be managed by the participating organizations
or a third party, and may exist on premise or off premise. In this deployment
model, the costs are spread over fewer users than a public cloud (but more than
a private cloud), so only some of the cost savings potential of cloud computing
are realized.
13
A community cloud shares characteristics of private and public clouds
Has restricted access like a private cloud
The cloud resources are shared among a number of independent organizations like a public cloud
The organizations that share the community cloud have similar requirements and, typically, a need to exchange data with each other
An example would be the health care industry
The cloud infrastructure may be managed by the participating organizations or a third party, and may exist on premise or off premise
In this deployment model, the costs are spread over fewer users than a public cloud so only some of the cost savings potential of cloud computing are realized
Hybrid Cloud
The hybrid cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability
With a hybrid cloud solution, sensitive information can be placed in a private area of the cloud, and less sensitive data can take advantage of the benefits of the public cloud
A hybrid public/private cloud solution can be particularly attractive for smaller business
Many applications for which security concerns are less can be offloaded at considerable cost savings without committing the organization to moving more sensitive data and applications to the public cloud
The hybrid cloud infrastructure is a composition of two or more
clouds (private, community, or public) that remain unique entities but are bound
together by standardized or proprietary technology that enables data and application
portability (e.g., cloud bursting for load balancing between clouds). With a hybrid
cloud solution, sensitive information can be placed in a private area of the cloud, and
less sensitive data can take advantage of the benefits of the public cloud.
A hybrid public/private cloud solution can be particularly attractive for smaller
businesses. Many applications for which security concerns are less can be offloaded
at considerable cost savings without committing the organization to moving more
sensitive data and applications to the public cloud.
14
| Private | Community | Public | Hybrid | |
| Scalability | Limited | Limited | Very high | Very high |
| Security | Most secure option | Very secure | Moderately secure | Very secure |
| Performance | Very good | Very good | Low to medium | Good |
| Reliability | Very high | Very high | Medium | Medium to high |
| Cost | High | Medium | Low | Medium |
Table 13.1
Comparison of Cloud Deployment Models
Table 13.1 lists some of the relative strengths and weaknesses of the four cloud
deployment models.
15
Cloud Computing:
NIST SP-500-292 (NIST Cloud Computing Reference Architecture) establishes reference architecture, described as follows:
“The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”
NIST SP 500-292 (NIST Cloud Computing Reference Architecture, September 2011) establishes reference
architecture, described as follows:
The NIST cloud computing reference architecture focuses on the requirements
of “what” cloud services provide, not a “how to” design solution and implementation.
The reference architecture is intended to facilitate the understanding of
the operational intricacies in cloud computing. It does not represent the system
architecture of a specific cloud computing system; instead it is a tool for describing,
discussing, and developing a system-specific architecture using a common framework
of reference.
16
Objectives
NIST developed the reference architecture with the following objectives in
mind:
• To illustrate and understand the various cloud services in the context of an
overall cloud computing conceptual model
• To provide a technical reference for CSCs to understand, discuss, categorize,
and compare cloud services
• To facilitate the analysis of candidate standards for security, interoperability,
and portability and reference implementations.
17
NIST developed the reference architecture with the following objectives in mind:
To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model
To provide a technical reference for CSCs to understand, discuss, categorize, and compare cloud services
To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations
The reference architecture, depicted in Figure 13.3, defines five major actors in
terms of the roles and responsibilities:
• Cloud service consumer (CSC): A person or organization that maintains a business
relationship with, and uses service from, cloud providers.
• Cloud service provider (CSP): A person, organization, or entity responsible for
making a service available to interested parties.
• Cloud auditor: A party that can conduct independent assessment of cloud services,
information system operations, performance, and security of the cloud
implementation.
• Cloud broker: An entity that manages the use, performance, and delivery of
cloud services, and negotiates relationships between CSPs and cloud consumers.
• Cloud carrier: An intermediary that provides connectivity and transport of
cloud services from CSPs to cloud consumers.
The roles of the cloud consumer and provider have already been discussed.
To summarize, a cloud service provider can provide one or more of the cloud services
to meet IT and business requirements of cloud service consumers . For each of the
three service models (SaaS, PaaS, IaaS), the CSP provides the storage and processing
facilities needed to support that service model, together with a cloud interface
for cloud service consumers. For SaaS, the CSP deploys, configures, maintains, and
updates the operation of the software applications on a cloud infrastructure so that
the services are provisioned at the expected service levels to cloud consumers. The
consumers of SaaS can be organizations that provide their members with access to
software applications, end users who directly use software applications, or software
application administrators who configure applications for end users.
For PaaS, the CSP manages the computing infrastructure for the platform and
runs the cloud software that provides the components of the platform, such as runtime
software execution stacks, databases, and other middleware components. Cloud
consumers of PaaS can employ the tools and execution resources provided by CSPs
to develop, test, deploy, and manage the applications hosted in a cloud environment.
For IaaS, the CSP acquires the physical computing resources underlying the
service, including the servers, networks, storage, and hosting infrastructure. The IaaS
CSC in turn uses these computing resources, such as a virtual machine, for their fundamental
computing needs.
The cloud carrier is a networking facility that provides connectivity and transport
of cloud services between cloud consumers and CSPs. Typically, a CSP will set
up service level agreements (SLAs) with a cloud carrier to provide services consistent
with the level of SLAs offered to cloud consumers, and may require the cloud carrier
to provide dedicated and secure connections between cloud consumers and CSPs.
A cloud broker is useful when cloud services are too complex for a cloud consumer
to easily manage. A cloud broker can offer three areas of support:
• Service intermediation: These are value-added services, such as identity management,
performance reporting, and enhanced security.
• Service aggregation: The broker combines multiple cloud services to meet consumer
needs not specifically addressed by a single CSP, or to optimize performance
or minimize cost.
• Service arbitrage: This is similar to service aggregation except that the services
being aggregated are not fixed. Service arbitrage means a broker has the flexibility
to choose services from multiple agencies. The cloud broker, for example,
can use a credit-scoring service to measure and select an agency with the best
score.
A cloud auditor can evaluate the services provided by a CSP in terms of security
controls, privacy impact, performance, and so on. The auditor is an independent entity
that can assure that the CSP conforms to a set of standards.
18
Figure 13.4 illustrates the interactions between the actors. A cloud consumer
may request cloud services from a cloud provider directly or via a cloud broker. A
cloud auditor conducts independent audits and may contact the others to collect
necessary information. This figure shows that cloud networking issues involve three
separate types of networks. For a cloud producer, the network architecture is that of
a typical large datacenter, which consists of racks of high-performance servers and
storage devices, interconnected with high-speed top-of-rack Ethernet switches. The
concerns in this context focus on virtual machine placement and movement, load
balancing, and availability issues. The enterprise network is likely to have a quite
different architecture, typically including a number of LANs, servers, workstations,
PCs, and mobile devices, with a broad range of network performance, security, and
management issues. The concern of both producer and consumer with respect to the
cloud carrier, which is shared with many users, is the ability to create virtual networks,
with appropriate SLA and security guarantees.
19
Table 13.2
NIST Guidelines
on
Cloud Security
and
Privacy Issues
and Recommendations
(Page 1 of 2)
(Table is on pages 433-434 in the textbook)
There are numerous aspects to cloud security and numerous approaches to providing
cloud security measures. A good example of the scope of cloud security concerns and
issues is seen in the NIST guidelines for cloud security, specified in NIST SP 800-144
(Guidelines on Security and Privacy in Public Cloud Computing , December 2011)
and listed in Table 13.2. Thus, a full discussion of cloud security is well beyond the
scope of this chapter.
20
Table 13.2
NIST Guidelines on Cloud Security and Privacy Issues and Recommendations
(Page 2 of 2)
21
Security Issues for Cloud Computing
Security is a major consideration when augmenting or replacing on-premises systems with cloud services
Allaying security concerns is frequently a prerequisite for further discussions about migrating part or all of an organization’s computing architecture to the cloud
Availability is another major concern
Auditability of data must be ensured
Businesses should perform due diligence on security threats both from outside and inside the cloud
Cloud users are responsible for application-level security
Cloud vendors are responsible for physical security and some software security
Security for intermediate layers of the software stack is shared between users and vendors
Cloud providers must guard against theft or denial-of-service attacks by their users and users need to be protected from one another
Businesses should consider the extent to which subscribers are protected against the provider, especially in the area of inadvertent data loss
Security is important to any computing infrastructure. Companies go to great lengths
to secure on-premises computing systems, so it is not surprising that security looms as
a major consideration when augmenting or replacing on-premises systems with cloud
services. Allaying security concerns is frequently a prerequisite for further discussions
about migrating part or all of an organization’s computing architecture to the cloud.
Availability is another major concern.
Generally speaking, such questions only arise when businesses contemplating
moving core transaction processing, such as enterprise resource planning (ERP)
systems, and other mission critical applications to the cloud. Companies have traditionally
demonstrated less concern about migrating high maintenance applications
such as e-mail and payroll to cloud service providers, even though such applications
hold sensitive information.
Auditability is another concern for many organizations. For example, in the U.S.,
many organizations must comply with Sarbanes-Oxley and/or Health and Human
Services Health Insurance Portability and Accountability Act (HIPAA) regulations.
The auditability of their data must be ensured whether it is stored on premises or
moved to the cloud.
Before moving critical infrastructure to the cloud, businesses should perform due
diligence on security threats both from outside and inside the cloud. Many of the security
issues associated with protecting clouds from outside threats are similar to those that
have traditionally faced centralized data centers. In the cloud, however, responsibility for
assuring adequate security is frequently shared among users, vendors, and any third-party
firms that users rely on for security-sensitive software or configurations. Cloud users are
responsible for application-level security. Cloud vendors are responsible for physical
security and some software security such as enforcing external firewall policies. Security
for intermediate layers of the software stack is shared between users and vendors.
A security risk that should not be overlooked by companies considering a
migration to the cloud is that posed by sharing vendor resources with other cloud
users. Cloud providers must guard against theft or denial-of-service attacks by their
users and users need to be protected from one another. Virtualization can be a powerful
mechanism for addressing these potential risks because it protects against most
attempts by users to attack one another or the provider’s infrastructure. However,
not all resources are virtualized, and not all virtualization environments are bug free.
Incorrect virtualization may allow user code to access to sensitive portions of the provider’s
infrastructure or the resources of other users. Once again, these security issues
are not unique to the cloud and are similar to those involved in managing non-cloud
data centers, where different applications need to be protected from one another.
Another security concern that businesses should consider is the extent to which
subscribers are protected against the provider, especially in the area of inadvertent data
loss. For example, in the event of provider infrastructure improvements, what happens to
hardware that is retired or replaced? It is easy to imagine a hard disk being disposed of
without being properly wiped clean of subscriber data. It is also easy to imagine permissions
bugs or errors that make subscriber data visible to unauthorized users. User-level
encryption may be an important self-help mechanism for subscribers, but businesses
should ensure that other protections are in place to avoid inadvertent data loss.
22
Table 13.3
Control Functions and Classes
Numerous documents have been developed to guide business thinking about the
security issues associated with cloud computing. In addition to NIST SP 800-144,
which provides overall guidance, there is also NIST SP 800-146 (Cloud Computing
Synopsis and Recommendations , May 2012). NIST’s recommendations systematically
consider each of the major types of cloud services consumed by businesses, including
SaaS, IaaS, and PaaS. While security issues vary somewhat depending on the type of
cloud service, there are multiple NIST recommendations that are independent of service
type. Not surprisingly, NIST recommends selecting cloud providers that support
strong encryption, have appropriate redundancy mechanisms in place, employ authentication
mechanisms, and offer subscribers sufficient visibility about mechanisms used
to protect subscribers from other subscribers and the provider. NIST SP 800-146 also
lists the overall security controls that are relevant in a cloud computing environment
and that must be assigned to the different cloud actors. These are listed in Table 13.3.
As more businesses incorporate cloud services into their enterprise network
infrastructures, cloud computing security will persist as an important issue. Examples
of cloud computing security failures have the potential to have a chilling effect on
business interest in cloud services. This is inspiring service providers to be serious
about incorporating security mechanisms that will allay concerns of potential subscribers.
Some service providers have moved their operations to Tier 4 data centers
(see Section 5.8) to address user concerns about availability and redundancy. As so
many businesses remain reluctant to embrace cloud computing in a big way, cloud
service providers will have to continue to work hard to convince potential customers
that computing support for core business processes and mission critical applications
can be moved safely and securely to the cloud.
23
Risks and Countermeasures
The Cloud Security Alliance lists the following as the top cloud-specific security threats:
Abuse and nefarious use of cloud computing
Countermeasures include:
Stricter initial registration and validation processes
Enhanced credit card fraud monitoring and coordination
Comprehensive inspection of customer network traffic
Monitoring public blacklists for one’s own network blocks
Insecure interfaces and APIs
Countermeasures include:
Analyzing the security model of CSP interfaces
Ensuring that strong authentication and access controls are implemented in concert with encrypted transmission
Understanding the dependency chain associated with the API
In general terms, security controls in cloud computing are similar to the security
controls in any IT environment. However, because of the operational models and
technologies used to enable cloud service, cloud computing may present risks that
are specific to the cloud environment. The essential concept in this regard is that
while the enterprise loses a substantial amount of control over resources, services,
and applications, it must maintain accountability for security and privacy policies.
The Cloud Security Alliance [CSA13] lists the following as the top cloud-specific
security threats:
• Abuse and nefarious use of cloud computing: For many CSPs, it is relatively
easy to register and begin using cloud services, some even offering free limited
trial periods. This enables attackers to get inside the cloud to conduct various
attacks, such as spamming, malicious code attacks, and denial of service. PaaS
providers have traditionally suffered most from this kind of attacks; however,
recent evidence shows that hackers have begun to target IaaS vendors as well.
The burden is on the CSP to protect against such attacks, but cloud service
clients must monitor activity with respect to their data and resources to detect
any malicious behavior.
Countermeasures include (1) stricter initial registration and validation
processes; (2) enhanced credit card fraud monitoring and coordination; (3) comprehensive
inspection of customer network traffic; and (4) monitoring public
blacklists for one’s own network blocks.
• Insecure interfaces and APIs: CSPs expose a set of software interfaces or APIs
that customers use to manage and interact with cloud services. The security and
availability of general cloud services is dependent upon the security of these
basic APIs. From authentication and access control to encryption and activity
monitoring, these interfaces must be designed to protect against both accidental
and malicious attempts to circumvent policy.
Countermeasures include (1) analyzing the security model of CSP interfaces;
(2) ensuring that strong authentication and access controls are implemented
in concert with encrypted transmission; and (3) understanding the
dependency chain associated with the API.
• Malicious insiders: Under the cloud computing paradigm, an organization relinquishes
direct control over many aspects of security and, in doing so, confers
an unprecedented level of trust onto the CSP. One grave concern is the risk of
malicious insider activity. Cloud architectures necessitate certain roles that are
extremely high risk. Examples include CSP system administrators and managed
security service providers.
Countermeasures include the following: (1) enforce strict supply chain
management and conduct a comprehensive supplier assessment; (2) specify
human resource requirements as part of legal contract; (3) require transparency
into overall information security and management practices, as well as
compliance reporting; and (4) determine security breach notification processes.
24
Malicious insiders
Countermeasures include:
Enforce strict supply chain management and conduct a comprehensive supplier assessment
Specify human resource requirements as part of legal contract
Require transparency into overall information security and management practices, as well as compliance reporting
Determine security breach notification processes
Shared technology issues
Countermeasures include:
Implement security best practices for installation/configuration
Monitor environment for unauthorized changes/activity
Promote strong authentication and access control for administrative access and operations
Enforce SLAs for patching and vulnerability remediation
Conduct vulnerability scanning and configuration audits
• Malicious insiders: Under the cloud computing paradigm, an organization relinquishes
direct control over many aspects of security and, in doing so, confers
an unprecedented level of trust onto the CSP. One grave concern is the risk of
malicious insider activity. Cloud architectures necessitate certain roles that are
extremely high risk. Examples include CSP system administrators and managed
security service providers.
Countermeasures include the following: (1) enforce strict supply chain
management and conduct a comprehensive supplier assessment; (2) specify
human resource requirements as part of legal contract; (3) require transparency
into overall information security and management practices, as well as
compliance reporting; and (4) determine security breach notification processes.
Shared technology issues: IaaS vendors deliver their services in a scalable way
by sharing infrastructure. Often, the underlying components that make up this
infrastructure (CPU caches, GPUs, etc.) were not designed to offer strong isolation
properties for a multi-tenant architecture. CSPs typically approach this risk
by using isolated VMs for individual clients. This approach is still vulnerable to
attack, by both insiders and outsiders, and so can only be a part of an overall
security strategy.
Countermeasures include the following: (1) implement security best practices
for installation/configuration; (2) monitor environment for unauthorized
changes/activity; (3) promote strong authentication and access control for
administrative access and operations; (4) enforce SLAs for patching and vulnerability
remediation; and (5) conduct vulnerability scanning and configuration
audits.
25
Data loss or leakage
Countermeasures include:
Implement strong API access control
Encrypt and protect integrity of data in transit and at rest
Analyze data protection at both design and run time
Implement strong key generation, storage and management, and destruction practices
Account or service hijacking
Countermeasures include:
Prohibit the sharing of account credentials between users and services
Leverage strong two-factor authentication techniques where possible
Employ proactive monitoring to detect unauthorized activity
Understand CSP security policies and SLAs
Unknown risk profile
Countermeasures include:
Disclosure of applicable logs and data
Partial/full disclosure of infrastructure details
Monitoring and alerting on necessary information
• Data loss or leakage: For many clients, the most devastating impact from a
security breach is the loss or leakage of data. We will address this issue in the
next section.
Countermeasures include the following: (1) implement strong API access
control; (2) encrypt and protect integrity of data in transit and at rest; (3) analyze
data protection at both design and run time; and (4) implement strong key
generation, storage and management, and destruction practices.
• Account or service hijacking: Account and service hijacking, usually with stolen
credentials, remains a top threat. With stolen credentials, attackers can often
access critical areas of deployed cloud computing services, allowing them to
compromise the confidentiality, integrity, and availability of those services.
Countermeasures include the following: (1) prohibit the sharing of account
credentials between users and services; (2) leverage strong two-factor authentication
techniques where possible; (3) employ proactive monitoring to detect
unauthorized activity; and (4) understand CSP security policies and SLAs.
• Unknown risk profile: In using cloud infrastructures, the client necessarily cedes
control to the cloud provider on a number of issues that may affect security.
Thus the client must pay attention to and clearly define the roles and responsibilities
involved for managing risks. For example, employees may deploy applications
and data resources at the CSP without observing the normal policies
and procedures for privacy, security, and oversight.
Countermeasures include (1) disclosure of applicable logs and data; (2)
partial/full disclosure of infrastructure details (e.g., patch levels and firewalls);
and (3) monitoring and alerting on necessary information.
Similar lists have been developed by the European Network and Information
Security Agency [ENIS09] and NIST SP 800-144.
26
Data Protection in the Cloud
There are many ways to compromise data. Deletion or alteration of records without
a backup of the original content is an obvious example. Unlinking a record from a
larger context may render it unrecoverable, as can storage on unreliable media. Loss
of an encoding key may result in effective destruction. Finally, unauthorized parties
must be prevented from gaining access to sensitive data.
The threat of data compromise increases in the cloud, due to the number of,
and interactions between, risks and challenges that are either unique to the cloud
or more dangerous because of the architectural or operational characteristics of the
cloud environment.
Data must be secured while at rest, in transit, and in use, and access to the
data must be controlled. The client can employ encryption to protect data in transit,
though this involves key management responsibilities for the CSP. The client can
enforce access control techniques, but, again, the CSP is involved to some extent
depending on the service model used.
For data at rest, the ideal security measure is for the client to encrypt the
database and only store encrypted data in the cloud, with the CSP having no access
to the encryption key. So long as the key remains secure, the CSP has no ability to
decipher the data, although corruption and other denial-of-service attacks remain
a risk. The model depicted in Figure 5.9 works equally well when the data is stored
in a cloud.
27
The threat of data compromise increases in the cloud, due to the number of, and interactions between, risks and challenges that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment
Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CSP
The client can enforce access control techniques, but CSP is involved to some extent depending on the service model used
For data at rest, the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CSP having no access to the encryption key
Even with these precautions, corruption and other denial-of-service attacks remain a risk
Data Protection in the Cloud
Multi-instance Model
Multi-tenant Model
Provides a unique DBMS running on a VM instance for each cloud subscriber
This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security
Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
Tagging gives the appearance of exclusive use of the instance, but relies on the cloud provider to establish and maintain a sound secure database environment
Database environments used in cloud computing can vary significantly. Some
providers support a multi-instance model , which provide a unique DBMS running on
a VM instance for each cloud subscriber. This gives the subscriber complete control
over role definition, user authorization, and other administrative tasks related to
security. Other providers support a multi-tenant model, which provides a predefined
environment for the cloud subscriber that is shared with other tenants, typically
through tagging data with a subscriber identifier. Tagging gives the appearance of
exclusive use of the instance, but relies on the cloud provider to establish and maintain
a sound secure database environment.
28
Beyond the protection and isolation of data, the cloud service provider (CSP)
needs to address the broader security considerations for the protection of its assets.
Figure
13.5a, adapted from [ENIS15], suggests a categorization of these assets for
the three cloud service models. The bottom two layers shown in the figure include
organization and facilities. Organization denotes the human resources and the policies
and procedures for maintaining the facilities and supporting the delivery of the
services. Facilities denote the physical structures and supplies such as networks, cooling,
and power supply. Above these levels are the assets specific to the provision of
services. For IaaS, the CSP maintains a hypervisor and/or OS on each of its servers, as
well as the networking software for interconnection of CSP servers and connection
to cloud service consumers (CSCs). Added to these assets for PaaS are the libraries,
middleware, and other software to support CSC applications. For SaaS, the CSP also
has application software assets for CSC use.
Figure 13.5b suggests key security tasks that are the responsibility of the CSP
and of the CSC. The lowest level of the diagram has to do with organizational issues
related to the management of its supplies and facilities. These issues will be dealt with
in Chapters 14, 15, and 17. The next level of Figure 13.5b covers the physical security
of the facility, a topic covered in Chapter 16. Above that, depending on the service
model, the CSP is responsible for the security of a range of software capabilities;
security measures in the area were addressed in Chapters 11 and 12.
29
Cloud Security as a Service
In the context of cloud computing, cloud security as a service, designated SecaaS, is a segment of the SaaS offering of a CSP
The CSA defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software, or from the cloud to the customers’ on-premise systems
The CSA has identified the following SecaaS categories of service:
Identity and access management
Data loss prevention
Web security
E-mail security
Security assessments
Intrusion management
Security information and event management
Encryption
Business continuity and disaster recovery
Network security
The term security as a service has generally meant a package of security services
offered by a service provider that offloads much of the security responsibility from
an enterprise to the security service provider. Among the services typically provided
are authentication, anti-virus, antimalware/spyware, intrusion detection, and security
event management. In the context of cloud computing, cloud security as a service,
designated SecaaS, is a segment of the SaaS offering of a CSP.
The CSA defines SecaaS as the provision of security applications and services
via the cloud either to cloud-based infrastructure and software, or from the cloud to
the customers’ on-premise systems [CSA11]. The CSA has identified the following
SecaaS categories of service:
• Identity and access management
• Data loss prevention
• Web security
• E-mail security
• Security assessments
• Intrusion management
• Security information and event management
• Encryption
• Business continuity and disaster recovery
• Network security
30
In this section, we examine these categories with a focus on security of the
cloud-based infrastructure and services (see Figure 13.6).
Identity and access management (IAM) includes people, processes, and systems
that are used to manage access to enterprise resources by assuring that the identity
of an entity is verified, then granting the correct level of access based on this assured
identity. One aspect of identity management is identity provisioning, which has to do
with providing access to identified users and subsequently deprovisioning, or denying
access, to users when the client enterprise designates such users as no longer having
access to enterprise resources in the cloud. Among other requirements, the cloud
service provider must be able to exchange identity attributes with the enterprise’s
chosen identity provider.
The access management portion of IAM involves authentication and access
control services. For example, the CSP must be able to authenticate users in a trustworthy
manner. The access control requirements in SPI environments include establishing
trusted user profile and policy information, using it to control access within
the cloud service, and doing this in an auditable way.
Data loss prevention (DLP) is the monitoring, protecting, and verifying the
security of data at rest, in motion, and in use. Much of DLP can be implemented by
the cloud client, such as discussed in previously in this section (Data Protection in the
Cloud). The CSP can also provide DLP services, such as implementing rules about
what functions can be performed on data in various contexts.
Web security is real-time protection offered either on premise through software/
appliance installation or via the cloud by proxying or redirecting Web traffic to
the CSP. This provides an added layer of protection on top of things like antiviruses
to prevent malware from entering the enterprise via activities such as Web browsing.
In addition to protecting against malware, a cloud-based Web security service
might include usage policy enforcement, data backup, traffic control, and Web access
control.
A CSP may provide a Web-based e-mail service, for which security measures
are needed. E-mail security provides control over inbound and outbound e-mail, protecting
the organization from phishing, malicious attachments, enforcing corporate
polices such as acceptable use and spam prevention. The CSP may also incorporate
digital signatures on all e-mail clients and provide optional e-mail encryption.
Security assessments are third-part audits of cloud services. While this service
is outside the province of the CSP, the CSP can provide tools and access points to
facilitate various assessment activities.
Intrusion management encompasses intrusion detection, prevention, and
response. The core of this service is the implementation of intrusion detection systems
(IDSs) and intrusion prevention systems (IPSs) at entry points to the cloud and on
servers in the cloud. An IDS is a set of automated tools designed to detect unauthorized
access to a host system. An IPS incorporates IDS functionality and in addition
includes mechanisms designed to block traffic from intruders.
Security information and event management (SIEM) aggregates (via push or
pull mechanisms) log and event data from virtual and real networks, applications, and
systems. This information is then correlated and analyzed to provide real-time reporting
and alerting on information/events that may require intervention or other type
of response. The CSP typically provides an integrated service that can put together
information from a variety of sources both within the cloud and within the client
enterprise network.
Encryption is a pervasive service that can be provided for data at rest in the
cloud, e-mail traffic, client-specific network management information, and identity
information. Encryption services provided by the CSP involve a range of complex
issues, including key management, how to implement virtual private network (VPN)
services in the cloud, application encryption, and data content access.
Business continuity and disaster recovery comprise measures and mechanisms
to ensure operational resiliency in the event of any service interruptions. This is an
area where the CSP, because of economies of scale, can offer obvious benefits to a
cloud service client. The CSP can provide backup at multiple locations, with reliable
failover and disaster recovery facilities. This service must include a flexible infrastructure,
redundancy of functions and hardware, monitored operations, geographically
distributed data centers, and network survivability.
Network security consists of security services that allocate access, distribute,
monitor, and protect the underlying resource services. Services include perimeter and
server firewalls and denial-of-service protection. Many of the other services listed in
this section, including intrusion management, identity and access management, data
loss protection, and Web security, also contribute to the network security service.
31
OpenStack
This section provides an overview of an open-source security module that is part
of the OpenStack cloud OS. OpenStack is an open-source software project of the
OpenStack Foundation that aims to produce an open-source cloud operating system
[ROSA14, SEFR12]. The principal objective is to enable creating and managing
huge groups of virtual private servers in a cloud computing environment. OpenStack
is embedded, to one degree or another, into data center infrastructure and cloud
computing products offered by Cisco, IBM, Hewlett-Packard, and other vendors. It
provides multi-tenant IaaS, and aims to meets the needs of public and private clouds
regardless of size, by being simple to implement and massively scalable.
32
Open-source software project of the OpenStack Foundation that aims to produce an open-source cloud operating system
The principal objective is to enable creating and managing huge groups of virtual private servers in a cloud computing environment
OpenStack is embedded, to one degree or another, into data center infrastructure and cloud computing products
It provides multi-tenant IaaS, and aims to meet the needs of public and private clouds, regardless of size, by being simple to implement and massively scalable
OpenStack
The OpenStack OS consists of a number of independent modules, each of which has a project name and a functional name
The security module for OpenStack is Keystone
Keystone provides the shared security services essential for a functioning cloud computing infrastructure
It provides the following main services:
Identity
Token
Service catalog
Policies
The OpenStack OS consists of a number of independent modules, each of
which has a project name and a functional name. The modular structure is easy to
scale out and provides a commonly used set of core services. Typically, the components
are configured together to provide a comprehensive IaaS capability. However,
the modular design is such that the components are generally capable of being used
independently.
The security module for OpenStack is Keystone. Keystone provides the shared
security services essential for a functioning cloud computing infrastructure. It provides
the following main services:
• Identity: This is user information authentication. This information defines a
user’s role and permissions within a project, and is the basis for a role-based
access control (RBAC) mechanism. Keystone supports multiple methods of
authentication, including user name and password, Lightweight Directory
Access Protocol (LDAP), and a means of configuring external authentication
methods supplied by the CSC.
• Token: After authentication, a token is assigned and used for access control.
OpenStack services retain tokens and use them to query Keystone during
operations.
• Service catalog: OpenStack service endpoints are registered with Keystone to
create a service catalog. A client for a service connects to Keystone and determines
an endpoint to call based on the returned catalog.
• Policies: This service enforces different user access levels. Each OpenStack
service defines the access policies for its resources in an associated policy file.
A resource, for example, could be API access, the ability to attach to a volume,
or to fire up instances. These policies can be modified or updated by the cloud
administrator to control the access to the various resources.
33
Figure 13.7 illustrates the way in which Keystone interacts with other Open-
Stack components to launch a new VM. Nova is the management software module
that controls VMs within the IaaS cloud computing platform. It manages the lifecycle
of compute instances in an OpenStack environment. Responsibilities include spawning,
scheduling, and decommissioning of machines on demand. Thus, Nova enables
enterprises and service providers to offer on-demand computing resources by provisioning
and managing large networks of VMs. Glance is a lookup and retrieval
system for VM disk images. It provides services for discovering, registering, and
retrieving virtual images through an API. Swift is a distributed object store that
creates a redundant and scalable storage space of up to multiple petabytes of data.
Object storage does not present a traditional file system, but rather a distributed
storage system for static data such as VM images, photo storage, e-mail storage,
backups, and archives.
34
The Internet of Things (IoT)
IoT is a term that refers to the expanding interconnection of smart devices, ranging from appliances to tiny sensors
A dominant theme is the embedding of short-range mobile transceivers into a wide array of gadgets and everyday items, enabling new forms of communication between people and things, and between things themselves
The Internet supports the interconnectivity usually through cloud systems
The objects deliver sensor information, act on their environment, and in some cases modify themselves, to create overall management of a larger system
The IoT is primarily driven by deeply embedded devices
These devices are low-bandwidth, low-repetition data capture, and low-bandwidth data-usage appliances that communicate with each other and provide data via user interfaces
Embedded appliances, such as high-resolution video security cameras, video VoIP phones, and a handful of others, require high-bandwidth streaming capabilities
The Internet of Things is the latest development in the long and continuing revolution
of computing and communications. Its size, ubiquity, and influence on everyday
lives, business, and government dwarf any technical advance that has gone before.
The Internet of Things (IoT) is a term that refers to the expanding interconnection
of smart devices, ranging from appliances to tiny sensors. A dominant theme
is the embedding of short-range mobile transceivers into a wide array of gadgets
and everyday items, enabling new forms of communication between people and
things, and between things themselves. The Internet now supports the interconnection
of billions of industrial and personal objects, usually through cloud systems.
The objects deliver sensor information, act on their environment, and in some
cases modify themselves, to create overall management of a larger system, like a
factory or city.
The IoT is primarily driven by deeply embedded devices. These devices are low-bandwidth,
low-repetition data capture, and low-bandwidth data-usage appliances
that communicate with each other and provide data via user interfaces. Embedded
appliances, such as high-resolution video security cameras, video VoIP phones, and a
handful of others, require high-bandwidth streaming capabilities. Yet countless products
simply require packets of data to be intermittently delivered.
35
Evolution
With reference to the end systems supported, the Internet has gone through roughly
four generations of deployment culminating in the IoT:
1. Information technology (IT): PCs, servers, routers, firewalls, and so on, bought
as IT devices by enterprise IT people, primarily using wired connectivity.
2. Operational technology (OT): Machines/appliances with embedded IT built
by non-IT companies, such as medical machinery, SCADA (supervisory control
and data acquisition), process control, and kiosks, bought as appliances by
enterprise OT people, primarily using wired connectivity.
3. Personal technology: Smartphones, tablets, and eBook readers bought as IT
devices by consumers (employees) exclusively using wireless connectivity and
often multiple forms of wireless connectivity.
4. Sensor/actuator technology: Single-purpose devices bought by consumers, IT,
and OT people exclusively using wireless connectivity, generally of a single
form, as part of larger systems.
The fourth generation is usually thought of as the IoT, and which is marked by
using billions of embedded devices.
36
With reference to the end systems supported, the Internet has gone through roughly four generations of deployment culminating in the IoT:
Information technology (IT)
PCs, servers, routers, firewalls, and so on, bought as IT devices by enterprise IT people, primarily using wired connectivity
Operational technology (OT)
Machines/appliances with embedded IT built by non-IT companies, such as medical machinery, SCADA, process control, and kiosks, bought as appliances by enterprise OT people, primarily using wired connectivity
Personal technology
Smartphones, tablets, and eBook readers bought as IT devices by consumers (employees) exclusively using wireless connectivity and often multiple forms of wireless connectivity
Sensor/actuator technology
Single-purpose devices bought by consumers, IT and OT people exclusively using wireless connectivity, generally of a single form, as part of larger systems
It is the fourth generation that is usually thought of as the IoT, and which is marked by the use of billions of embedded devices
The key components of an IoT-enabled device are the following (see Figure 13.8):
• Sensor: A sensor measures some parameter of a physical, chemical, or biological
entity and delivers an electronic signal proportional to the observed
characteristic, either in the form of an analog voltage level or a digital signal.
In both cases, the sensor output is typically input to a microcontroller or other
management element.
• Actuator: An actuator receives an electronic signal from a controller and
responds by interacting with its environment to produce an effect on some
parameter of a physical, chemical, or biological entity.
• Microcontroller: The “smart” in a smart device is provided by a deeply embedded
microcontroller.
• Transceiver: A transceiver contains the electronics needed to transmit and
receive data. Most IoT devices contain a wireless transceiver, capable of communication
using Wi-Fi, ZigBee, or some other wireless scheme.
• Radio-frequency Identification (RFID): (RFID) technology, which uses radio
waves to identify items, is increasingly becoming an enabling technology for IoT.
The main elements of an RFID system are tags and readers. RFID tags are small
programmable devices used for object, animal, and human tracking. They come
in a variety of shapes, sizes, functionalities, and costs. RFID readers acquire and
sometimes rewrite information stored on RFID tags that come within operating
range (a few inches up to several feet). Readers are usually connected to a computer
system that records and formats the acquired information for further uses.
37
To better understand the function of an IoT, it is useful to view it in the context of a
complete enterprise network that includes third-party networking and cloud computing
elements. Figure 13.9 provides an overview illustration.
38
Edge
At the edge of a typical enterprise network is a network of IoT-enabled devices,
consisting of sensors and perhaps actuators. These devices may communicate with
one another. For example, a cluster of sensors may all transmit their data to one
sensor that aggregates the data to be collected by a higher-level entity. At this
level also there may also be a number of gateways. A gateway interconnects the
IoT-enabled devices with the higher-level communication networks. It performs
the necessary translation between the protocols used in the communication networks
and those used by devices. A gateway may also perform a basic data aggregation
function.
39
At the edge of a typical enterprise network is a network of IoT-enabled devices consisting of sensors and perhaps actuators
These devices may communicate with one another
A cluster of sensors may all transmit their data to one sensor that aggregates the data to be collected by a higher-level entity
A gateway interconnects the IoT-enabled devices with the higher-level communication networks
It performs the necessary translation between the protocols used in the communication networks and those used by devices
It may also perform a basic data aggregation function
Fog
In many IoT deployments, massive amounts of data may be generated by a distributed network of sensors
Rather than store all of that data permanently (or at least for a long period) in central storage accessible to IoT applications, it is often desirable to do as much data processing close to the sensors as possible
The purpose of what is sometimes referred to as the edge computing level is to convert network data flows into information that is suitable for storage and higher-level processing
Processing elements at these levels may deal with high volumes of data and perform data transformation operations, resulting in the storage of much lower volumes of data
The following are examples of fog computing operations:
In many IoT deployments, massive amounts of data may be generated by a distributed
network of sensors. For example, offshore oil fields and refineries can generate
a terabyte of data per day. An airplane can create multiple terabytes of data per
hour. Rather than store all of that data permanently (or at least for a long period) in
central storage accessible to IoT applications, it is often desirable to do as much data
processing close to the sensors as possible. Thus, the purpose of what is sometimes
referred to as the edge computing level is to convert network data flows into information
that is suitable for storage and higher-level processing. Processing elements
at these level may deal with high volumes of data and perform data transformation
operations, resulting in the storage of much lower volumes of data. The following are
examples of fog computing operations:
• Evaluation : Evaluating data for criteria as to whether it should be processed
at a higher level.
• Formatting : Reformatting data for consistent higher-level processing.
• Expanding/decoding : Handling cryptic data with additional context (such as
the origin).
• Distillation/reduction : Reducing and/or summarizing data to minimize the
impact of data and traffic on the network and higher-level processing systems.
• Assessment : Determining whether data represents a threshold or alert; this
could include redirecting data to additional destinations.
40
Evaluation
Formatting
Expanding/decoding
Distillation/reduction
Assessment
Fog
Generally fog computing devices are deployed physically near the edge of the IoT network near the sensors and other data-generating devices
Fog computing and fog services are expected to be a distinguishing characteristic of the IoT
Fog computing represents an opposite trend in modern networking from cloud computing
With cloud computing, massive, centralized storage and processing resources are made available to distributed customers over cloud networking facilities to a relatively small number of users
With fog computing, massive numbers of individual smart objects are interconnected with fog networking facilities that provide processing and storage resources close to the edge devices in an IoT
Fog computing addresses the challenges raised by the activity of thousands or millions of smart devices, including security, privacy, network capacity constraints, and latency requirements
The term fog computing is inspired by the fact that fog tends to hover low to the ground, whereas clouds are high in the sky
Generally, fog computing devices they are deployed physically near the edge
of the IoT network; that is, near the sensors and other data-generating devices. Thus,
some of the basic processing of large volumes of generated data is offloaded and
outsourced from IoT application software located at the center.
Fog computing and fog services are expected to be a distinguishing characteristic
of the IoT. Fog computing represents an opposite trend in modern networking
from cloud computing. With cloud computing, massive, centralized storage and processing
resources are made available to distributed customers over cloud networking
facilities to a relatively small number of users. With fog computing, massive numbers
of individual smart objects are interconnected with fog networking facilities that
provide processing and storage resources close to the edge devices in an IoT. Fog
computing addresses the challenges raised by the activity of thousands or millions of
smart devices, including security, privacy, network capacity constraints, and latency
requirements. The term fog computing is inspired by the fact that fog tends to hover
low to the ground, whereas clouds are high in the sky.
41
Core
The core network, also referred to as a backbone network, connects geographically dispersed fog networks as well as providing access to other networks that are not part of the enterprise network
Typically the core network will use very high-performance routers, high-capacity transmission lines, and multiple interconnected routers for increased redundancy and capacity
The core network may also connect to high-performance, high-capacity servers such as large database servers and private cloud facilities
Some of the core routers may be purely internal, providing redundancy and additional capacity without serving as edge routers
The core network, also referred to as a backbone network, connects geographically
dispersed fog networks as well as providing access to other networks that are not part
of the enterprise network. Typically, the core network will use very high-performance
routers, high-capacity transmission lines, and multiple interconnected routers for
increased redundancy and capacity. The core network may also connect to high-performance,
high-capacity servers such as large database servers and private cloud
facilities. Some of the core routers may be purely internal, providing redundancy and
additional capacity without serving as edge routers.
42
| Cloud | Fog | |
| Location of processing/storage resources | Center | Edge |
| Latency | High | Low |
| Access | Fixed or wireless | Mainly wireless |
| Support for mobility | Not applicable | Yes |
| Control | Centralized/hierarchical (full control) | Distributed/hierarchical (partial control) |
| Service access | Through core | At the edge/on handheld device |
| Availability | 99.99% | Highly volatile/highly redundant |
| Number of users/devices | Tens/hundreds of millions | Tens of billions |
| Main content generator | Human | Devices/sensors |
| Content generation | Central location | Anywhere |
| Content consumption | End device | Anywhere |
| Software virtual infrastructure | Central enterprise servers | User devices |
Table 13.4
Comparison of Cloud and Fog Features
The cloud network provides storage and processing capabilities for the massive
amounts of aggregated data that originate in IoT-enabled devices at the edge.
Cloud servers also host the applications that (1) interact with and manage the IoT
devices, and (2) analyze the IoT-generated data.
Table 13.4 compares cloud and fog computing.
43
IoT is perhaps the most complex and undeveloped area of network security. To
see this, consider Figure 13.10, which shows the main elements of interest for IoT
security. At the center of the network are the application platforms, data storage
servers, and network and security management systems. These central systems
gather data from sensors, send control signals to actuators, and are responsible
for managing the IoT devices and their communication networks. At the edge of
the network are IoT-enabled devices, some of which are quite simple constrained
devices, and some of which are more intelligent unconstrained devices. As well,
gateways may perform protocol conversion and other networking service on behalf
of IoT devices.
Figure 13.10 illustrates a number of typical scenarios for interconnection and
the inclusion of security features. The shading in Figure 13.10 indicates the systems
that support at least some of these functions. Typically, gateways will implement
secure functions, such as TLS and IPsec. Unconstrained devices may or may not
implement some security capability. Constrained devices generally have limited or no
security features. As suggested in the figure, gateway devices can provide secure communication
between the gateway and the devices at the center, such as application
platforms and management platforms. However, any constrained or unconstrained
devices attached to the gateway are outside the zone of security established between
the gateway and the central systems. As shown, unconstrained devices can communicate
directly with the center and support security functions. However, constrained
devices that are not connected to gateways have no secure communications with
central devices.
44
Patching Vulnerability
In an often-quoted 2014 article, security expert Bruce Schneier stated that we are at
a crisis point with regard to the security of embedded systems, including IoT devices
[SCHN14]. The embedded devices are riddled with vulnerabilities and there is no
good way to patch them. The chip manufacturers have strong incentives to produce
their product with its firmware and software as quickly and cheaply as possible. The
device manufacturers choose a chip based on price and features and do very little
if anything to the chip software and firmware. Their focus is the functionality of
the device itself. The end user may have no means of patching the system or, if so, little
information about when and how to patch. The result is that the hundreds of millions
of Internet-connected devices in the IoT are vulnerable to attack. This is certainly a
problem with sensors, allowing attackers to insert false data into the network. It is
potentially a graver threat with actuators, where the attacker can affect the operation
of machinery and other devices.
45
There is a crisis point with regard to the security of embedded systems, including IoT devices
The embedded devices are riddled with vulnerabilities and there is no good way to patch them
Chip manufacturers have strong incentives to produce their product as quickly and cheaply as possible
The device manufacturers focus is the functionality of the device itself
The end user may have no means of patching the system or, if so, little information about when and how to patch
The result is that the hundreds of millions of Internet-connected devices in the IoT are vulnerable to attack
This is certainly a problem with sensors, allowing attackers to insert false data into the network
It is potentially a graver threat with actuators, where the attacker can affect the operation of machinery and other devices
IoT Security and Privacy Requirements
ITU-T Recommendation Y.2066 includes a list of security requirements for the IoT
The requirements are defined as being the functional requirements during capturing, storing, transferring, aggregating, and processing the data of things, as well as to the provision of services which involve things
The requirements are:
Communication security
Data management security
Service provision security
Integration of security policies and techniques
Mutual authentication and authorization
Security audit
ITU-T Recommendation Y.2066 (Common Requirements of the Internet of Things,
June 2014) includes a list of security requirements for the IoT. This list is a useful
baseline for understanding the scope of security implementation needed for an
IoT deployment. The requirements are defined as being the functional requirements
during capturing, storing, transferring, aggregating, and processing the data of things,
as well as to the provision of services which involve things. These requirements are
related to all the IoT actors. The requirements are the following:
• Communication security: Secure, trusted, and privacy protected communication
capability is required, so unauthorized access to the content of data can be
prohibited, integrity of data can be guaranteed and privacy-related content of
data can be protected during data transmission or transfer in IoT.
• Data management security: Secure, trusted, and privacy protected data management
capability is required, so unauthorized access to the content of data can
be prohibited, integrity of data can be guaranteed, and privacy-related content
of data can be protected when storing or processing data in IoT.
• Service provision security: Secure, trusted, and privacy protected service provision
capability is required, so unauthorized access to service and fraudulent
service provision can be prohibited and privacy information related to IoT users
can be protected.
• Integration of security policies and techniques: The ability to integrate different
security policies and techniques is required, so as to ensure a consistent security
control over the variety of devices and user networks in IoT.
• Mutual authentication and authorization: Before a device (or an IoT user) can
access the IoT, mutual authentication and authorization between the device
(or the IoT user) and IoT is required to be performed according to predefined
security policies
.
• Security audit: Security audit is required to be supported in IoT. Any data
access or attempt to access IoT applications are required to be fully transparent,
traceable and reproducible according to appropriate regulation and laws.
In particular, IoT is required to support security audit for data transmission,
storage, processing, and application access.
46
A key element in providing security in an IoT deployment is the gateway. ITU-T
Recommendation Y.2067 (Common Requirements and Capabilities of a Gateway for
Internet of Things Applications, June 2014) details specific security functions that
the gateway should implement, some of which are illustrated in Figure 13.11. These
consist of the following:
• Support identification of each access to the connected devices.
• Support authentication with devices. Based on application requirements and
device capabilities, it is required to support mutual or one-way authentication
with devices. With one-way authentication, either the device authenticates itself
to the gateway or the gateway authenticates itself to the device, but not both.
• Support mutual authentication with applications.
• Support the security of the data that are stored in devices and the gateway,
or transferred between the gateway and devices, or transferred between the
gateway and applications. Support the security of these data based on security
levels.
• Support mechanisms to protect privacy for devices and the gateway.
• Support self-diagnosis and self-repair as well as remote maintenance.
• Support firmware and software update.
• Support auto configuration or configuration by applications. The gateway is
required to support multiple configuration modes, for example, remote and
local configuration, automatic and manual configuration, and dynamic configuration
based on policies.
Some of these requirements may be difficult to achieve when they involve providing
security services for constrained devices. For example, the gateway should
support security of data stored in devices. Without encryption capability at the constrained
device, this may be impractical to achieve.
Note the Y.2067 requirements make a number of references to privacy requirements.
Privacy is an area of growing concern with the widespread deployment of
IoT-enabled things in homes, retail outlets, and vehicles and humans. As more things
are interconnected, governments and private enterprises will collect massive amounts
of data about individuals, including medical information, location and movement
information, and application usage.
47
Cisco has developed a framework for IoT security [FRAH15] that serves as a useful
guide to the security requirements for IoT. Figure 13.12 illustrates the security
environment related to the logical structure of an IoT. The IoT model is a simplified
version of the World Forum IoT Reference Model. It consists of the following levels:
• Smart objects/embedded systems: Consists of sensors, actuators, and other embedded
systems at the edge of the network. This is the most vulnerable part of an
IoT. The devices may not be in a physically secure environment and may need to
function for years. Availability is certainly an issue. Network managers also need
to be concerned about the authenticity and integrity of the data generated by
sensors and about protecting actuators and other smart devices from unauthorized
use. Privacy and protection from eavesdropping may also be requirements.
• Fog/edge network: This level is concerned with the wired and wireless interconnection
of IoT devices. In addition, a certain amount of data processing
and consolidation may be done at this level. A key issue of concern is the wide
variety of network technologies and protocols used by the various IoT devices
and the need to develop and enforce a uniform security policy.
• Core network: The core network level provides data paths between network
center platforms and the IoT devices. The security issues here are those confronted
in traditional core networks. However, the vast number of endpoints to
interact with and manage creates a substantial security burden.
• Data center/cloud: This level contains the application, data storage, and network
management platforms. IoT does not introduce any new security issues at
this level, other than the necessity of dealing with huge numbers of individual
endpoints.
Within this four-level architecture, the Cisco model defines four general security
capabilities that span multiple levels:
• Role-based security: RBAC systems assign access rights to roles instead of
individual users. In turn, users are assigned to different roles, either statically
or dynamically, according to their responsibilities. RBAC enjoys widespread
commercial use in cloud and enterprise systems and is a well-understood tool
that can be used to manage access to IoT devices and the data they generate.
• Anti-tamper and detection: This function is particularly important at the device
and fog network levels but also extends to the core network level. All of these
levels may involve components that are physically outside the area of the enterprise
that is protected by physical security measures.
• Data protection and confidentiality: These functions extend to all level of the
architecture.
• Internet protocol protection: Protection of data in motion from eavesdropping
and snooping is essential between all levels.
Figure 13.12 maps specific security functional areas across the four layers of
the IoT model.
48
[FRAH15] also proposes a secure IoT framework that defines the
components of a security facility for an IoT that encompasses all the levels, as shown
in Figure 13.13. The four components are:
• Authentication: Encompasses the elements that initiate the determination of
access by first identifying the IoT devices. In contrast to typical enterprise network
devices, which may be identified by a human credential (e.g., username
and password or token), the IoT endpoints must be fingerprinted by means
that do not require human interaction. Such identifiers include RFID, x.509
certificates, or the MAC address of the endpoint.
• Authorization: Controls a device’s access throughout the network fabric. This
element encompasses access control. Together with the authentication layer,
it establishes the necessary parameters to enable the exchange of information
between devices and between devices and application platforms and enables
IoT-related services to be performed.
• Network enforced policy: Encompasses all elements that route and transport
endpoint traffic securely over the infrastructure, whether control, management,
or actual data traffic.
• Secure analytics, including visibility and control: This component includes all the
functions required for central management of IoT devices. This involves, firstly,
visibility of IoT devices, which simply means that central management services
are securely aware of the distributed IoT device collection, including identity
and attributes of each device. Building on this visibility is the ability to exert
control, including configuration, patch updates, and threat countermeasures.
An important concept related to this framework is that of trust relationship. In
this context, trust relationship refers to the ability of the two partners to an exchange to
have confidence in the identity and access rights of the other. The authentication component
of the trust framework provides a basic level of trust, which is expanded with the
authorization component. [FRAH15] gives the example that a car may establish a trust
relationship with another car from the same vendor. That trust relationship, however,
may only allow cars to exchange their safety capabilities. When a trusted relationship
is established between the same car and its dealer’s network, the car may be allowed to
share additional information such as its odometer reading and last maintenance record.
49
MiniSec
MiniSec is an open-source security module that is part of the TinyOS operating system
It is designed to be a link-level module that offers a high level of security, while simultaneously keeping energy consumption low and using very little memory
MiniSec provides confidentiality, authentication, and replay protection
MiniSec has two operating modes, one tailored for single-source communication, and another tailored for multi-source broadcast communication
This section provides an overview of MiniSec, an open-source security module that is
part of the TinyOS operating system. TinyOS is designed for small embedded systems
with tight requirements on memory, processing time, real-time response, and power
consumption. TinyOS takes the process of streamlining quite far, resulting in a very
minimal OS for embedded systems, with a typical configuration requiring 48 KB
of code and 10 KB of RAM [LEVI12]. The main application of TinyOS is wireless
sensor networks, and it has become the de facto OS for such networks. With sensor
networks the primary security concerns relate to wireless communications. MiniSec
is designed to be a link-level module that offers a high level of security, while simultaneously
keeping energy consumption low and using very little memory [LUK07].
MiniSec provides confidentiality, authentication, and replay protection.
MiniSec has two operating modes, one tailored for single-source communication,
and another tailored for multi-source broadcast communication. The latter does
not require per-sender state for replay protection and thus scales to large networks.
MiniSec is designed to meet the following requirements:
• Data authentication: Enables a legitimate node to verify whether a message
originated from another legitimate node (i.e., a node with which it shares a
secret key) and was unchanged during transmission.
• Confidentiality: A basic requirement for any secure communications system.
• Replay protection: Prevents an attacker from successfully recording a packet
and replaying it at a later time.
• Freshness: Because sensor nodes often stream time-varying measurements,
providing guarantee of message freshness is an important property. There are
two types of freshness: Strong and weak. MiniSec provides a mechanism to
guarantee weak freshness, where a receiver can determine a partial ordering
over received messages without a local reference time point.
• Low energy overhead: This is achieved by minimizing communication overhead
and by using only symmetric encryption.
• Resilient to lost messages: The relatively high occurrence of dropped packets
in wireless sensor networks requires a design that can tolerate high message
loss rates.
50
MiniSec
MiniSec is designed to meet the following requirements:
• Data authentication: Enables a legitimate node to verify whether a message
originated from another legitimate node (i.e., a node with which it shares a
secret key) and was unchanged during transmission.
• Confidentiality: A basic requirement for any secure communications system.
• Replay protection: Prevents an attacker from successfully recording a packet
and replaying it at a later time.
• Freshness: Because sensor nodes often stream time-varying measurements,
providing guarantee of message freshness is an important property. There are
two types of freshness: Strong and weak. MiniSec provides a mechanism to
guarantee weak freshness, where a receiver can determine a partial ordering
over received messages without a local reference time point.
• Low energy overhead: This is achieved by minimizing communication overhead
and by using only symmetric encryption.
• Resilient to lost messages: The relatively high occurrence of dropped packets
in wireless sensor networks requires a design that can tolerate high message
loss rates.
Two cryptographic algorithms used by MiniSec are
worth noting. The first of these is the encryption algorithm Skipjack. Skipjack was
developed in the 1990s by the U.S. National Security Agency (NSA). It is one of
the simplest and fastest block cipher algorithms, which is critical to embedded systems.
A study of eight possible candidate algorithms for wireless security networks
[LAW06] concluded that Skipjack was the best algorithm in terms of code memory,
data memory, encryption/decryption efficiency, and key setup efficiency.
Skipjack makes use of an 80-bit key. It was intended by NSA to provide a secure
system once it became clear that DES, with only a 56-bit key, was vulnerable. Contemporary
algorithms, such as AES, employ a key length of at least 128 bits, and 80 bits
is generally considered inadequate. However, for the limited application of wireless
sensor networks and other IoT devices, which provide large volumes of short data
blocks over a slow data link, Skipjack suffices. With its efficient computation and low
memory footprint, Skipjack is an attractive choice for IoT devices.
The block cipher mode of operation chosen for MiniSec is the Offset Codebook
(OCB) mode. As mentioned in Chapter 2, a mode of operation must be specified
when a plaintext source consists of multiple blocks of data to be encrypted with the
same encryption key. OCB mode is provably secure assuming the underlying block
cipher is secure. OCB mode is a one-pass mode of operation making it highly efficient.
Only one block cipher call is necessary for each plaintext block, (with an additional
two calls needed to complete the whole encryption process). OCB is especially
well suited for the stringent energy constraints of sensor nodes.
A feature that contributes significantly to the efficiency of OCB is that with
one pass through the sequence of plaintext blocks, it produces a ciphertext of equal
length and a tag for authentication. To decrypt a ciphertext, the receiver performs
the reverse process to recover the plaintext. Then, the receiver ensures that the tag is
as expected. If the receiver computes a different tag than the one accompanying the
ciphertext, the ciphertext is considered to be invalid. Thus, both message authentication
and message confidentiality are achieved with a single, simple algorithm. OCB
will be described in Chapter 21.
MiniSec employs per-device keys; that is, each key is unique to a particular pair
of devices to prevent replay attacks.
51
MiniSec is designed to meet the following requirements:
Data authentication
Confidentiality
Replay protection
Freshness
Low energy overhead
Resilient to lost messages
Summary
Cloud security concepts
Security issues for cloud computing
Addressing cloud computing security concerns
The Internet of Things
Things on the Internet of Things
Evolution
Components of IoT-enabled things
IoT and cloud context
IoT security
The patching vulnerability
IoT security and privacy requirements defined by ITU-T
An IoT security framework
An open-source IoT security module
Cloud computing
Cloud computing elements
Cloud service models
Cloud deployment models
Cloud computing reference architecture
Cloud security approaches
Risks and countermeasures
Data protection in the cloud
Security approaches for cloud computing assets
Cloud security as a service
Open-source cloud security module
Chapter 13 summary.
52
Figure 13.1 Cloud Computing Elements
Broad Network Access
Resource Pooling
Rapid Elasticity
Es se
n ti
al C
h ar
ac te
ri st
ic s
S er
vi ce
M od
el s
D ep
lo ym
en t
M od
el s
Measured Service
On-Demand Self-Service
Public Private Hybrid Community
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Figure 13.1 Cloud Computing Elements
Broad
Network Access
Resource Pooling
Rapid
Elasticity
E
s
s
e
n
t
i
a
l
C
h
a
r
a
c
t
e
r
i
s
t
i
c
s
S
e
r
v
i
c
e
M
o
d
e
l
s
D
e
p
l
o
y
m
e
n
t
M
o
d
e
l
s
Measured
Service
On-Demand
Self-Service
Public Private Hybrid Community
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Figure 13.2 Separation of Responsibilities in Cloud Service Models
Managed by customer
Networking
Storage
Servers
Virtualization
OS
Middleware
Runtime
Data
Applications
Traditional
IT - on
premises
Networking
Storage
Servers
Virtualization
OS
Middleware
Runtime
Data
Applications
IaaS
Networking
Storage
Servers
Virtualization
OS
Middleware
Runtime
Data
Applications
PaaS
Networking
Storage
Servers
Virtualization
OS
Middleware
Runtime
Data
Applications
SaaS
Managed by cloud service provider
Figure 13.3 NIST Cloud Computing Reference Architecture
Cloud Consumer
Cloud Auditor
Service Intermediation
Service Aggregation
Service Arbitrage
Cloud Broker
Cloud Provider
Security Audit
Performance Audit
Privacy Impact Audit
SaaS Service Layer Service Orchestration Cloud
Service Management
PaaS
Hardware
Physical Resource Layer
Facility
Resource Abstraction and Control Layer
IaaS Business Support
Provisioning/ Configuration
Portability/ Interoperability
Se cu
ri ty
Pr iv
ac y
Cloud Carrier
Figure 13.3 NIST Cloud Computing Reference Architecture
Cloud
Consumer
Cloud
Auditor
Service
Intermediation
Service
Aggregation
Service
Arbitrage
Cloud
Broker
Cloud Provider
Security
Audit
Performance
Audit
Privacy
Impact Audit
SaaS
Service Layer
Service Orchestration Cloud
Service
Management
PaaS
Hardware
Physical Resour ce Layer
Facility
Resource Abstraction
and Control Layer
IaaS
Business
Support
Provisioning/
Configuration
Portability/
Interoperability
S
e
c
u
r
i
t
y
P
r
i
v
a
c
y
Cloud Carrier
Figure 13.4 Interactions Between Actors in Cloud Computing
Cloud Consumer
Cloud Broker
Cloud Auditor
Cloud Producer
Enterprise Network
Cloud Carrier
Data Center Network
Governance Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services. Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle. Compliance Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements. Review and assess the cloud provider’s offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements. Ensure that the cloud provider’s electronic discovery capabilities and processes do not compromise the privacy or security of data and applications. Trust Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time. Establish clear, exclusive ownership rights over data. Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system. Continuously monitor the security state of the information system to support ongoing risk management decisions. Architecture Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components. Identity and access management Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization. Software isolation Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization. Data protection Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data. Take into consideration the risk of collating organizational data with those of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value. Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider. Availability
Governance
Extend organizational practices pertaining to the policies, procedures, and standards used for
application development and service provisioning in the cloud, as well as the design, implementation,
testing, use, and monitoring of deployed or engaged services.
Put in place audit mechanisms and tools to ensure organizational practices are followed throughout
the system lifecycle.
Compliance
Understand the various types of laws and regulations that impose security and privacy obligations
on the organization and potentially impact cloud computing initiatives, particularly those involving data
location, privacy and security controls, records management, and electronic discovery requirements.
Review and assess the cloud provider’s offerings with respect to the organizational requirements to
be met and ensure that the contract terms adequately meet the requirements.
Ensure that the cloud provider’s electronic discovery capabilities and processes do not compromise the
privacy or security of data and applications.
Trust
Ensure that service arrangements have sufficient means to allow visibility into the security and
privacy controls and processes employed by the cloud provider, and their performance over time.
Establish clear, exclusive ownership rights over data.
Institute a risk management program that is flexible enough to adapt to the constantly evolving and
shifting risk landscape for the lifecycle of the system.
Continuously monitor the security state of the information system to support ongoing risk
management decisions.
Architecture
Understand the underlying technologies that the cloud provider uses to provision services, including
the implications that the technical controls involved have on the security and privacy of the system, over
the full system lifecycle and across all system components.
Identity and access management
Ensure that adequate safeguards are in place to secure authentication, authorization, and other
identity and access management functions, and are suitable for the organization.
Software isolation
Understand virtualization and other logical isolation techniques that the cloud provider employs in
its multi-tenant software architecture, and assess the risks involved for the organization.
Data protection
Evaluate the suitability of the cloud provider’s data management solutions for the organizational
data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use,
and to sanitize data.
Take into consideration the risk of collating organizational data with those of other organizations
whose threat profiles are high or whose data collectively represent significant concentrated value.
Fully understand and weigh the risks involved in cryptographic key management with the facilities
available in the cloud environment and the processes established by the cloud provider.
Availability
Availability Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization’s continuity and contingency planning requirements. Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner. Incident response Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization. Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident. Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.
Availability
Understand the contract provisions and procedures for availability, data backup and recovery, and
disaster recovery, and ensure that they meet the organization’s continuity and contingency planning
requirements.
Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations
can be immediately resumed, and that all operations can be eventually reinstituted in a timely and
organized manner.
Incident response
Understand the contract provisions and procedures for incident response and ensure that they meet
the requirements of the organization.
Ensure that the cloud provider has a transparent response process in place and sufficient
mechanisms to share information during and after an incident.
Ensure that the organization can respond to incidents in a coordinated fashion with the cloud
provider in accordance with their respective roles and responsibilities for the computing environment.
Technical Operational Management Access Control Audit and Accountability Identification and
Authentication System and
Communication Protection
Awareness and Training Configuration and
Management Contingency Planning Incident Response Maintenance Media Protection Physical and Environmental
Protection Personnel Security System
and Information Integrity
Certification, Accreditation and Security Assessment
Planning Risk Assessment System and Services Acquisition
Technical Operational Management
Access Control
Audit and Accountability
Identification and
Authentication
System and
Communication
Protection
Awareness and Training
Configuration and
Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental
Protection
Personnel Security System
and Information Integrity
Certification, Accreditation and
Security Assessment
Planning Risk Assessment
System and Services Acquisition
Figure 13.5 Security Considerations for Cloud Computing Assets
(a) Cloud computing assets
Organization
Pr ov id er
Cu sto
m er
IaaS PaaS SaaS
Hypervisor/ OS/Network
Middleware + Hypervisor/OS
/Network
Virtual machine
Application
Application
Client Client
Application + Middleware +
Hypervisor/OS /Network
OS
Facilities (network, housing, cooling, power)
(b) Cloud computing management tasks
Manage and protect supplies and facilities (power, cooling, cabling, guards, etc.)
Deploy and maintain hardware (server racks, disks, routers, cables, etc.)
Pr ov id er
Cu sto
m er
IaaS PaaS SaaS
Manage user accounts, user permissions, etc.
Deploy, update and patch application software
Deploy, update and
patch OS
Deploy, update and patch app
software
Deploy, update and patch hypervisor/OS/network
Deploy, update and patch middleware + libraries
Figure 13.6 Elements of Cloud Security as a Service
Cloud service clients and adversaries
Identity and access management Network security
Data loss prevention
Web security Intrusion management
Encryption
E-mail security
Security assessments Security information and event management Business continuity and disaster recovery
Figure 13.6 Elements of Cloud Security as a Service
Cloud service clients and adversaries
Identity and access management
Network security
Data loss
prevention
Web security
Intrusion
management
Encryption
E-mail security
Security assessments
Security information and
event management
Business continuity and
disaster recovery
Figure 13.7 Launching a Virtual Machine in OpenStack
Nova Scheduler
Nova Scheduler
Swift proxy
Swift worker
4. Schedule VM
5. Receive launch VM
message
6. Request image 8. Look up
image 9. Return location & metadata
10 . R
eq ue
st im
ag e
13 . G
et im
ag e
11. Find service, check credentials, request image
7. Find service, check credentials, request image
12. Get image
3. Launch VM
14. Launch VM
1. Launch VM
2. Fi nd s
ervic e,
chec k cre
dent ials,
laun ch V
M
Client
Nova compute
Nova message queue
Keystone
Glance API
Glance registry
Figure 13.9 The IoT/Cloud Context
Data center/
cloud
Ethernet Transactional response time
Core network
IP/MPLS, security QoS/QoE driven response time
Fog network
3G/4G/LTE/Wi-Fi Distributed intelligence Real-time response time
Smart things network
Bluetooth, WiFi, wired millisecond response time
Network management Applications
Millions
of devices
Tens of
thousands
of devices
Thousands
of devices
Hundreds
of devices
Figure 13.10 IoT Security: Elements of Interest
A
Internet or
Enterprise Network
G
G
G
= application, management, or storage platform
= gateway
= unconstrained device
= constrained device
shading = includes security features
C
CCC
C
C C
C
U
U
U U
U
U U
U
A
A
Figure 13.11 IoT Gateway Security Functions
Devices
Gateways
Internet or enterprise network
Application platforms
Authentication secure data transfer
Authentication secure data transfer
Security, privacy of data at rest
Figure 13.11 IoT Gateway Security Functions
Devices
Gateways
Internet or
enterprise
network
Application
platforms
Authentication
secure data transfer
Authentication
secure data transfer
Security, privacy
of data at rest
Figure 13.13 Secure IoT Framework
Network Enforced Policy
Secure Analytics: Visibility and Control
Authorization
Authentication
Tr us
t R el
at io
ns hi
p
