Pre-requisite: Cloud Computing
In this article, we’ll discuss the infrastructure security at the host level in cloud computing followed by the introduction of the topic itself then moving towards the host security at various delivery models such as System as a Service(SaaS), Platform as a Service(Paas) and Infrastructure as a service(Iaas) after which we will end this article by discussing the Virtual server Security.
During the review process of host security and assessing risks, one should always consider the context of cloud service delivery models(IaaS, PaaS, and SaaS) and various deployment models(Public, Private, and Hybrid). As we know there are no new security threats to hosts specific to cloud computing apart from the virtualization security threats like virtual machine escape, system configuration drift, and insider threats.
The elastic nature of cloud computing can bring new operation challenges from a security management perspective. Therefore managing the vulnerabilities and patches is tougher than running a scan, as the rates of changes are much higher than in traditional data centers.
SaaS and Paas Host Security
Generally, the cloud service providers do not share information regarding their host platforms, hosts OS, and the processes that are in place to secure the hosts, as hackers might exploit that information when they are trying to break into the cloud services. Hence, in the context of System as a service(SaaS) or Platform as a service(PaaS) cloud services security of the host should be non-transparent with the customers and the responsibility of securing the host is confined to the cloud service providers.
- Virtualization is a technique that improves the host’s hardware utilization, along with other benefits, it is common for cloud service providers to employ virtualization platforms including VMware hypervisors and XEN, in their host’s computing platform architecture. Apart from this one should be aware of how his provider is using the virtualization technology and the provider’s process for securing the virtualization layer.
- Both the SaaS and PaaS delivery models software platforms should abstract the host operating system from the end user with a host abstraction layer. The accessibility of the abstraction layer is different in each one of the delivery models (SaaS and PaaS).
- In System as a Service, the abstraction layer is hidden from the users and only available to the developers and the cloud service provider’s operational staff.
- Whereas in Platform as a Service users have indirect access to the abstraction layer in the form of PaaS API(Application programming interface) that eventually interacts with the host abstraction layer.
- Thus, the customers of System as a Service(SaaS) and Platform as a Service(Paas) rely on the cloud service providers to provide a secure host platform on which the application is developed and deployed.
Infrastructure as a Service(IaaS) Host Security
The customers of Infrastructure as a Service(IaaS) are primarily responsible for securing the hosts in the cloud, Infrastructure as a Service(IaaS) employs virtualization at the host layer, IaaS host security can be categorized as follows:
Virtualization Software Security
It provides customers to create and terminate virtual instances. Virtualization can be achieved by using virtualization models such as:-OS-level virtualization, paravirtualization, or hardware-based virtualization. In public, IaaS application customers do not have access to this software layer as it is managed by cloud service providers.
Customer Guest OS or Virtual Server Security
The virtual instance of an operating system is placed above the virtualization layer and is visible to customers from the internet. Customers have full access to virtual servers. For example:- various versions of Linux, Microsoft, and Solaris are available in amazon’s aws for creating an instance.
Virtual Server Security
The customers of Infrastructure as a Service(IaaS) have full access to the virtualized guest virtual machines that are hosted and isolated from each other by hypervisor technology. Thus, customers are responsible for the security management of the guest virtual machines. A public Infrastructure as a Service(IaaS) offers a web service API to perform management functions such as provisioning, decommissioning, and duplication of virtual servers on the IaaS platform itself.
These system management functions can provide elasticity for resources to grow or shrink according to the demands. Network access mitigation steps to be taken for restricting access to virtual instances as the virtual servers are available to anyone on the internet. Conventionally, the cloud service providers block all ports except port 22(secure shell or SSH) for accessing the virtual servers instances.
Host Security Threats in the Public IaaS
- Deployment of malware embedded in software components in the virtual machines.
- Attack on that system which is not properly secured by the host firewalls
- Attacks on accounts that are not properly secured eg. weak passwords, repetitive passwords, etc.
- Stealing keys that will be used to access and manage hosts(SSH private keys).
Securing Virtual Servers
Ways to Secure the Virtual Servers in the Cloud require Operational Security procedures as:-
- Safeguard the private keys as they might be used to access hosts in the public cloud.
- Never allow password-based authentication at the shell prompt.
- Require passwords for role-based access eg., Solaris, SELinux.
- Host firewall should be available to only minimum ports which are necessary to support the services offered by the instances.
- Disable the unused services and use only required services eg., Database services, FTP services, print services, etc.
- Periodically check the logs for any kind of suspicious activities.
- Isolate the decryption keys from the cloud where the data is hosted–unless required for decryption and use only for the duration of decryption activity.
- Include no authentication credentials in virtualized images except for a key to decrypt the file system.
- Install a host-based intrusion detection system(IDS).
- Protect the integrity of virtualized images from unauthorized access.