
Cloud Security Mechanisms

Encryption – 1/2
• Definition
  - A digital coding system dedicated to preserving the confidentiality of data (and, when an authenticated mode is used, its integrity)
  - Used to encode plaintext data into a protected and unreadable format
• Implementation mechanisms
  - Based on a standardized algorithm called a cipher that transforms the original plaintext data into encrypted data referred to as ciphertext
  - Encryption key: a string of bits (often shown as characters) that parameterizes the cipher; the same key, or the corresponding key of a key pair, is needed to decrypt the ciphertext back to the original plaintext. Keys are typically negotiated or exchanged while a connection is being established (for example during a TLS handshake).
  - Accessing ciphertext without the proper key does not divulge the original plaintext data, apart from some forms of metadata such as message length and creation date.
  - The encryption mechanism can protect a system from security threats such as traffic eavesdropping, malicious intermediary, insufficient authorization and overlapping trust boundaries
  - Two common forms of encryption: symmetric and asymmetric encryption
• Symmetric encryption
  - The same key is used for both encryption and decryption: secret key (also called private key) cryptography
  - Possession of the shared key is the only evidence that a ciphertext came from a rightful party; symmetric encryption on its own does not prove who produced a message or that it was not modified. Integrity and authenticity require an authenticated mode (AEAD, e.g. AES-GCM) or a separate MAC on top of the encryption.

[Figure: sender and receiver both hold the same private (secret) key]

오상규
1
Encryption – 2/2
• Asymmetric encryption
  - Two different keys: a private key and a public key: public key cryptography
  - The private key is known only to its owner (the receiver); the public key is made available to anyone (the senders)
  - The public key is used to encrypt (sending party) and the private key to decrypt (receiving party)
  - For RSA-style schemes, a value transformed with the private key can only be reversed with the corresponding public key, and vice versa. This symmetry is specific to textbook RSA; modern signature schemes such as ECDSA or Ed25519 are not "encryption with the private key".
  - Private key operation (signing) → integrity & authenticity, but no confidentiality
  - Public key operation (encryption) → confidentiality, but no integrity & no authenticity
  - Encryption by itself can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or a digital signature.
  - Asymmetric encryption is slower than symmetric encryption since it requires far more computation per byte; in practice it is used to exchange or wrap a symmetric key and the bulk data is encrypted symmetrically (hybrid encryption).
[Figure: senders encrypt with the receiver's public key; the receiver decrypts with its private key]

Hashing
• Definition
  - A one-way, irreversible form of data protection mechanism
  - The message is locked and no key is provided to unlock it → the typical way to store passwords. For passwords the hash must be salted and deliberately slow (PBKDF2, bcrypt, scrypt or Argon2); a plain fast hash such as SHA-256 can be brute-forced at very high speed and is unsuitable.
  - A mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function), designed to also be a one-way function, i.e. a function that is infeasible to invert
• Implementation mechanisms
  - A hash code or message digest is derived from the message via a hash function
    ① A digest is generated from the message via a hash function and attached to the message when sent
    ② Another digest is generated from the message via the same hash function when it arrives
    ③ The message is accepted when the two digests match and rejected otherwise
  - Caveat: an unkeyed digest only detects accidental corruption. A malicious intermediary who alters the message can simply recompute and replace the digest, so protection against tampering needs a keyed construction (HMAC) or a digital signature.
  - Five properties of the ideal cryptographic hash function:
    · It should be deterministic, so the same message always results in the same hash value.
    · It should be quick to compute the hash value for any given message.
    · It should be infeasible to generate a message from its hash value except by trying all possible messages.
    · Even a small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value.
    · It should be infeasible to find two different messages with the same hash value.

[Figure: the sender computes the digest with a hash function; the receiver recomputes it with the same hash function and compares]
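The following Python (standard library only) is an added example, not code from the original slides. It implements steps ①–③ literally, shows why the bare digest does not stop a malicious intermediary, contrasts it with a keyed HMAC that does, and finishes with salted, slow PBKDF2 for password storage. The function names, the sample messages and the iteration count are the example's own assumptions.

```python
"""Added example: bare digest vs keyed MAC for message integrity, and salted slow
hashing for password storage. Python standard library only."""
import hashlib
import hmac
import secrets

DIGEST_LEN = 32  # SHA-256 output size in bytes


def attach_digest(message: bytes) -> bytes:
    """Step 1 on the slide: send message || SHA-256(message)."""
    return message + hashlib.sha256(message).digest()


def check_digest(packet: bytes) -> bool:
    """Steps 2 and 3: recompute the digest of the received message and compare."""
    message, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def forge_packet(new_message: bytes) -> bytes:
    """Malicious intermediary: the digest is unkeyed, so anyone can recompute it
    for a replacement message and the receiver cannot tell the difference."""
    return attach_digest(new_message)


def attach_mac(key: bytes, message: bytes) -> bytes:
    """Keyed alternative: message || HMAC-SHA256(key, message)."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, packet: bytes) -> bool:
    """Only a holder of the shared key can produce a tag that verifies."""
    message, tag = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The iteration count is an
    assumption; tune it so one check costs a noticeable fraction of a second."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample traffic for the demo.
    original = b"transfer 10 EUR to alice"
    forged = forge_packet(b"transfer 10000 EUR to mallory")
    key = secrets.token_bytes(32)
    print("bare digest accepts forged packet:", check_digest(forged))        # True
    print("HMAC accepts forged packet:", check_mac(key, forged))             # False
    print("HMAC accepts genuine packet:", check_mac(key, attach_mac(key, original)))  # True
```

The forged packet passes `check_digest` because the receiver has no secret the intermediary lacks; `check_mac` fails on it because the last 32 bytes are a plain SHA-256 digest, not an HMAC under the shared key. The same `hmac.compare_digest` call is used everywhere so that a byte-by-byte early exit cannot leak how much of a tag matched.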

Digital Signature
• Definition
  - A means of providing data authenticity and integrity through authentication and non-repudiation
  - A mathematical scheme for demonstrating the authenticity of digital messages or documents
  - When valid, it gives the recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity)
  - A standard element of most cryptographic protocol suites, commonly used for software distribution, financial transactions, contract management software, and other cases where it is important to detect forgery or tampering
• Implementation mechanisms
  - Created from the combination of the hashing and asymmetric encryption mechanisms
  - A message digest is first generated via the hashing mechanism, then transformed with the sender's private key (the "encrypt the digest with the private key" view of RSA signing; deployed schemes add padding such as RSASSA-PSS, or use ECDSA or Ed25519), and appended to the original message
  - The recipient verifies the message by first reversing the transformation with the sender's public key and then comparing the recovered digest with one newly generated from the received message
  - Non-repudiation only holds if the private key stayed under the signer's sole control, which is why signing keys are kept in HSMs, TPMs or other protected key stores
  - Basically for mitigating security threats such as malicious intermediary, insufficient authentication and overlapping trust boundaries

[Figure: sender: hash function → asymmetric encryption with the private key; receiver: asymmetric decryption with the public key, then hash function and comparison]

Public Key Infrastructure (PKI)
• Definition
  - A common approach for managing the issuance of certificates for asymmetric keys (the key pairs themselves are generated by their owners; the CA only certifies the public half)
  - A system of protocols, data formats, rules and practices that enable large-scale systems to securely use public key cryptography
  - A system to associate public keys with their corresponding key owners (known as public key identification) while enabling the verification of key validity
• Implementation mechanisms
  - Based on digital certificates: digitally signed data structures that bind public keys to certificate owner identities as well as to related information such as validity periods, usually signed by a third-party certificate authority (CA)
  - Most digital certificates are issued by a handful of trusted CAs such as VeriSign and Comodo, although large organizations such as Microsoft, or even an individual, can generate certificates as long as they have the appropriate software tools. A certificate is only as trustworthy as the relying party's decision to trust the CA that signed it, so validation checks the signature chain up to a trusted root, the validity period and the revocation status (CRL or OCSP).
  - Primarily for countering the insufficient authorization threat as well as malicious intermediary

[Figure: the cloud consumer sends a certificate request (consumer's data and public key); the CA verifies the data, hashes it together with the CA's certificate properties, signs the digest with the CA's private key and issues the certificate carrying the CA's digital signature]
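As an added example covering the private-key operation from Encryption 2/2, the hash-then-sign procedure of the Digital Signature slide and the CA issuance shown in the PKI figure, the Python below (standard library only, not code from the original slides) implements signing, verification, certificate issuance and chain checking end to end. It is textbook RSA over fixed, publicly known Mersenne primes, with no padding and a digest truncated to 128 bits so that it is smaller than the modulus: the mechanics are faithful to the slides, the security is not, and it must never be used for real keys. Key sizes, field names, subject names and the integer clock are the example's own assumptions.

```python
"""Added example: hash-then-sign digital signatures and a minimal certificate
authority built on them. Textbook RSA over fixed Mersenne primes, no padding,
truncated digest: mechanics only, NOT secure. Python standard library only."""
import hashlib
import json

PUBLIC_EXPONENT = 65537


def make_keypair(p: int, q: int):
    """(public, private) = ((n, e), (n, d)) from two primes (assumed prime, unchecked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse, Python 3.8+
    return (n, PUBLIC_EXPONENT), (n, d)


def digest_int(data: bytes) -> int:
    """Message digest as an integer, truncated to 128 bits so it is below every
    modulus used here (toy shortcut; real schemes pad the digest to the modulus size)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private_key, data: bytes) -> int:
    """Slide step: hash the message, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Slide step: 'decrypt' with the public key and compare with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


# Fixed key material: products of Mersenne primes 2**k - 1 (k = 61, 89, 107, 127).
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
CONSUMER_PUB, CONSUMER_PRIV = make_keypair(2**61 - 1, 2**127 - 1)


def encode_tbs(subject: str, public_key, not_before: int, not_after: int) -> bytes:
    """The to-be-signed certificate body, serialised canonically (sorted keys)."""
    n, e = public_key
    body = {"subject": subject, "n": n, "e": e,
            "not_before": not_before, "not_after": not_after}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_pub, not_before, not_after):
    """CA: verify the applicant's data out of band (not shown), then sign the binding."""
    tbs = encode_tbs(subject, subject_pub, not_before, not_after)
    return {"tbs": tbs, "signature": sign(ca_private, tbs)}


def verify_certificate(ca_public, cert, now: int) -> bool:
    """Relying party: CA signature first, then the validity period."""
    if not verify(ca_public, cert["tbs"], cert["signature"]):
        return False
    body = json.loads(cert["tbs"])
    return body["not_before"] <= now <= body["not_after"]


def verify_signed_message(ca_public, cert, message: bytes, signature: int, now: int) -> bool:
    """Trust the CA -> trust the certified public key -> trust the message signature."""
    if not verify_certificate(ca_public, cert, now):
        return False
    body = json.loads(cert["tbs"])
    return verify((body["n"], body["e"]), message, signature)


if __name__ == "__main__":
    cert = issue_certificate(CA_PRIV, "consumer-a", CONSUMER_PUB, 100, 200)
    msg = b"deploy build 42 to production"
    sig = sign(CONSUMER_PRIV, msg)
    print(verify_signed_message(CA_PUB, cert, msg, sig, now=150))         # True
    print(verify_signed_message(CA_PUB, cert, msg + b"!", sig, now=150))  # False: tampered
    print(verify_signed_message(CA_PUB, cert, msg, sig, now=250))         # False: expired
```

The relying party never needs the consumer's key in advance: it trusts `CA_PUB`, which vouches for the key inside the certificate, and the certificate in turn vouches for the message. Changing one byte of the message, one byte of the certificate body, or asking at a time outside the validity window each makes a different check fail. A certificate "issued" by any key other than the CA's is rejected at the first step, which is exactly the point of the PKI slide.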

Identity and Access Management (IAM)
• Definition
  - The components and policies necessary to control and track user identities and access privileges for IT resources, environments and systems
  - Comprised of authentication, authorization, user management and credential management
• Implementation mechanisms
  - Authentication
    · Username and password pair: the typical user authentication credentials managed by IAM
    · Additional mechanisms: digital signatures, digital certificates, biometric hardware (fingerprint reader), specialized software (voice recognition), locking user accounts to registered IP/MAC addresses, etc. (IP and MAC addresses can be spoofed, so address locking is a weak factor on its own)
  - Authorization
    · Access controls based on the relationships between identities, access control rights and IT resource availability
  - User management
    · Administrative capabilities including creating new user identities and access groups, resetting passwords, defining password policies and managing privileges
  - Credential management
    · Establishing identities and access control rules for defined user accounts, which mitigates the threat of insufficient authorization
  - Although its objectives are similar to those of the PKI mechanism, the IAM mechanism's scope of implementation is distinct because its structure encompasses access controls and policies in addition to assigning specific levels of user privileges.
  - Primarily for countering the insufficient authorization, denial of service and overlapping trust boundaries threats
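The authorization part of IAM, relating identities to access control rights on resources, is easiest to see as a small policy evaluator. The Python below is an added example (not from the original slides, and not any particular cloud provider's IAM): identities hold roles, roles hold allow/deny statements over action and resource patterns, the default is deny, and an explicit deny overrides any allow. The role names, action strings and resource naming scheme are the example's own constructed conventions.

```python
"""Added example: IAM-style authorization check. Identities are assigned roles,
roles carry policy statements, every request is denied unless some statement
allows it and no matching statement denies it. Standard library only."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    effect: str       # "allow" or "deny"
    actions: tuple    # action patterns, e.g. "storage:Get*"
    resources: tuple  # resource patterns, e.g. "bucket:tenant-a/*"


@dataclass(frozen=True)
class Identity:
    name: str
    roles: tuple
    enabled: bool = True  # user management: a disabled account is granted nothing


def matches(statement: Statement, action: str, resource: str) -> bool:
    return (any(fnmatchcase(action, a) for a in statement.actions)
            and any(fnmatchcase(resource, r) for r in statement.resources))


def authorize(identity: Identity, role_policies: dict, action: str, resource: str) -> bool:
    """Default deny; an explicit deny in any of the identity's roles wins over allows."""
    if not identity.enabled:
        return False
    allowed = False
    for role in identity.roles:
        for stmt in role_policies.get(role, ()):
            if not matches(stmt, action, resource):
                continue
            if stmt.effect == "deny":
                return False
            allowed = True
    return allowed


# Constructed policy set for the demo; tenant-a's resources are invisible to others
# because no statement ever names another tenant's resources.
ROLE_POLICIES = {
    "reader": (
        Statement("allow", ("storage:Get*", "storage:List*"), ("bucket:tenant-a/*",)),
    ),
    "operator": (
        Statement("allow", ("storage:*", "vm:*"), ("bucket:tenant-a/*", "vm:tenant-a/*")),
        Statement("deny", ("vm:Delete",), ("vm:tenant-a/prod-*",)),  # guard rail
    ),
}


def demo() -> dict:
    """A few decisions over the constructed policies."""
    alice = Identity("alice", ("reader",))
    bob = Identity("bob", ("reader", "operator"))
    carol = Identity("carol", ("operator",), enabled=False)
    return {
        "alice reads own bucket": authorize(alice, ROLE_POLICIES, "storage:GetObject", "bucket:tenant-a/report.pdf"),
        "alice reads other tenant": authorize(alice, ROLE_POLICIES, "storage:GetObject", "bucket:tenant-b/report.pdf"),
        "alice writes": authorize(alice, ROLE_POLICIES, "storage:PutObject", "bucket:tenant-a/x"),
        "bob deletes prod vm": authorize(bob, ROLE_POLICIES, "vm:Delete", "vm:tenant-a/prod-db"),
        "bob deletes dev vm": authorize(bob, ROLE_POLICIES, "vm:Delete", "vm:tenant-a/dev-db"),
        "disabled carol": authorize(carol, ROLE_POLICIES, "vm:Start", "vm:tenant-a/dev-db"),
    }
```

Two design points matter more than the pattern matching. Deny-overrides makes guard rails such as "never delete a production VM" survive any later allow added to a role, and disabling an account cuts off every privilege at once, which is the user-management lever the slide lists alongside password resets. Note the trailing comma in `("vm:Delete",)`: without it the "tuple" is a string and `any()` would iterate over its characters.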
Single Sign-On (SSO)
• Definition
  - A mechanism that lets a cloud service consumer be authenticated once by a security broker, which establishes a security context that persists while the consumer accesses other cloud services or cloud-based IT resources, so that the consumer does not have to re-authenticate with every subsequent request
• Implementation mechanisms
  - Propagating a cloud service consumer's authentication and authorization information across multiple cloud services is not a trivial job, especially when numerous cloud services or cloud-based IT resources are invoked as part of the same overall runtime activity
  - The SSO (security broker) mechanism enables mutually independent cloud services and IT resources to generate and circulate runtime authentication and authorization credentials (a security token) so that the credentials the consumer provided at login remain valid throughout the same session
  - The security brokerage mechanism is especially useful when a cloud service consumer needs to access cloud services residing on different clouds.
  - It does not counter security threats directly; it enhances the usability of cloud-based environments for access and management of distributed IT resources without violating security policies. The token becomes a high-value credential in its own right, so it must carry a lifetime and an intended audience, travel only over protected channels and be revocable when the session ends.

[Figure: (1) the cloud consumer presents its security credentials to the security broker; (2) the broker returns a security token; (3) the token acts as a free pass to Cloud A, Cloud B and Cloud C]
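The three steps in the figure, as an added Python example (standard library only, not from the original slides): the broker checks the consumer's credentials once and issues an HMAC-signed token with an expiry and an audience list; each cloud service that trusts the broker verifies the token locally and never sees the password. The token format (base64url JSON plus tag), the shared verification key, the demo user and the integer clock are the example's own assumptions; a production broker would typically sign with a private key so that services only need the public half.

```python
"""Added example: a security broker that authenticates the consumer once and
issues a signed, expiring security token that independent cloud services accept
without re-authenticating. HMAC-SHA256 over base64url JSON; stdlib only."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityBroker:
    """Steps 1 and 2 of the figure: check credentials, hand back a token."""

    def __init__(self, signing_key: bytes, authenticate, services, ttl_seconds: int = 3600):
        self._key = signing_key
        self._authenticate = authenticate   # callable(username, password) -> bool
        self._services = list(services)     # audience the token is valid for
        self._ttl = ttl_seconds

    def login(self, username: str, password: str, now: int):
        if not self._authenticate(username, password):
            return None
        claims = {"sub": username, "aud": self._services,
                  "iat": now, "exp": now + self._ttl}
        body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64url_encode(tag)}"


class CloudService:
    """Step 3: a service that shares the broker's key verifies the token itself."""

    def __init__(self, name: str, verification_key: bytes):
        self.name = name
        self._key = verification_key

    def accept(self, token: str, now: int) -> bool:
        try:
            body, tag = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(tag)):
                return False  # forged or tampered
            claims = json.loads(b64url_decode(body))
            return claims["exp"] > now and self.name in claims["aud"]
        except (ValueError, KeyError, TypeError):
            return False      # malformed token


# Constructed credential store for the demo: salted PBKDF2 hash, never plaintext.
DEMO_SALT = b"demo-salt"
DEMO_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", DEMO_SALT, 10_000),
}


def demo_authenticate(username: str, password: str) -> bool:
    stored = DEMO_USERS.get(username, b"")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 10_000)
    return bool(stored) and hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    key = b"\x01" * 32
    broker = SecurityBroker(key, demo_authenticate, ["cloud-a", "cloud-b"])
    token = broker.login("alice", "correct horse battery staple", now=1000)
    print(CloudService("cloud-a", key).accept(token, now=2000))   # True
    print(CloudService("cloud-c", key).accept(token, now=2000))   # False: not in audience
    print(CloudService("cloud-a", key).accept(token, now=4600))   # False: expired
```

The audience check is what keeps a token issued for Clouds A and B from being replayed against Cloud C, and the expiry bounds the damage if a token leaks; both are checked only after the tag verifies, so a tampered body never reaches the JSON parser as trusted data.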

Cloud-based Security Groups
• Definition
  - A mechanism that groups a cloud service consumer and a set of virtual IT resources within the same security boundary, made of a virtual barrier, so that they share the same security policy. It relies on a technique called resource segmentation, by which separate physical or virtual IT environments are created for different users and groups.
• Implementation mechanisms
  - Based on resource segmentation, which enables virtualization by allocating a variety of physical IT resources to virtual machines. Because virtual IT resources for different cloud consumers are carved out of the same physical IT resource, the trust boundaries of multiple organizations overlap on the same underlying physical hardware.
  - A physical network or a physical server can be segmented (into VPNs or VMs) into a number of virtual networks, virtual servers and logical cloud-based security groups.
  - Closely related to the logical network perimeter mechanism; properly implemented cloud-based security groups can effectively counter security threats such as denial of service, insufficient authorization and overlapping trust boundaries.
  - Segmentation and virtualization are primarily motivated by optimizing IT resource utilization and by technology advances; security groups exist to compensate for the exposure that sharing physical resources introduces.

[Figure: Cloud Z: Cloud Consumers A, B and C each get their own VPN over the shared physical network; VM0, VM1 ... VMX run on Hypervisor0 (physical machine PMX) and VM0, VM1 ... VMY on Hypervisor1 (PMY)]
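What a security group actually does at packet level is a default-deny match of source, protocol and port against the target group's ingress rules. The Python below is an added example (standard library only, not from the original slides and not any provider's implementation): it models the figure's layout, with consumer A's web and database tiers and consumer B's VM all on the same physical hosts, and shows that B's VM cannot reach A's database even though they share a hypervisor. Group names, addresses and ports are constructed for the example.

```python
"""Added example: default-deny security group evaluation. A packet reaches a
member of a group only if one of that group's ingress rules matches the source,
protocol and port. Standard library only."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    port_from: int  # ignored for icmp
    port_to: int
    source: str     # a CIDR, or "sg:<name>" to admit members of another group


@dataclass
class SecurityGroup:
    name: str
    members: set = field(default_factory=set)    # IP addresses of VMs in the group
    ingress: list = field(default_factory=list)  # Rule objects; no rule => nothing enters


def rule_matches(rule: Rule, groups: dict, src_ip: str, protocol: str, port: int) -> bool:
    if rule.protocol != protocol:
        return False
    if protocol != "icmp" and not rule.port_from <= port <= rule.port_to:
        return False
    if rule.source.startswith("sg:"):
        # Reference to another group: the rule follows the members, not their addresses,
        # so scaling the web tier never requires editing the database tier's rules.
        return src_ip in groups[rule.source[3:]].members
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def allowed(groups: dict, dst_group: str, src_ip: str, protocol: str, port: int = 0) -> bool:
    """Default deny: the packet is admitted only if some ingress rule matches."""
    return any(rule_matches(r, groups, src_ip, protocol, port)
               for r in groups[dst_group].ingress)


def demo_groups() -> dict:
    """Constructed layout from the figure: consumer A's web and db tiers and
    consumer B's VM share the physical hosts. Addresses are the example's own."""
    web_a = SecurityGroup("web-a", {"10.0.1.5", "10.0.1.6"},
                          [Rule("tcp", 443, 443, "0.0.0.0/0"),
                           Rule("tcp", 22, 22, "198.51.100.0/24")])  # admin jump network
    db_a = SecurityGroup("db-a", {"10.0.1.20"},
                         [Rule("tcp", 5432, 5432, "sg:web-a")])      # only A's web tier
    vm_b = SecurityGroup("vm-b", {"10.0.2.9"},
                         [Rule("tcp", 80, 80, "0.0.0.0/0")])
    return {g.name: g for g in (web_a, db_a, vm_b)}


if __name__ == "__main__":
    G = demo_groups()
    print(allowed(G, "db-a", "10.0.1.5", "tcp", 5432))   # True: A's web tier
    print(allowed(G, "db-a", "10.0.2.9", "tcp", 5432))   # False: B's VM, same hypervisor
    print(allowed(G, "web-a", "203.0.113.7", "tcp", 22)) # False: SSH only from the jump net
```

The virtual barrier from the slide is the combination of two things here: every group starts with an empty ingress list (default deny), and the only way across a boundary is a rule that names either a network range or another group explicitly. Consumer B's VM shares `Hypervisor0` with consumer A's machines in the figure, but nothing in `db-a`'s rules mentions it, so the overlap of trust boundaries at the physical layer does not translate into reachability.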
Hardened Virtual Server Images
• Definition
  - The process of removing or blocking unnecessary or vulnerable software functions and components from a virtual server image in order to eliminate potential vulnerabilities that attackers could exploit
  - A template for virtual server instance creation that has been subjected to a hardening process
• Implementation mechanisms
  - Within a cloud environment, virtual server instances are created from a template configuration called a virtual server image.
  - A hardened virtual server image is created from the standard virtual server image by removing redundant software, closing unnecessary communication ports and disabling unused services, internal root accounts and guest access; the resulting virtual server template is significantly more secure than the original standard image.
  - Hardening is not a one-off step: the hardened image has to be rebuilt and re-scanned as patches are released, and drift between the image and the running instances should be detected.
  - Hardened virtual server images may counter security threats such as denial of service, insufficient authorization and overlapping trust boundaries.

Applied security policies (the hardening checklist from the figure):
  - Close unused/unnecessary server ports
  - Disable unused/unnecessary services
  - Disable unnecessary internal root accounts
  - Disable guest access to system directories
  - Uninstall redundant software
  - Establish memory quotas
  - ...

[Figure: the resource management system and VIM take the standard virtual server image from the VM image repository, apply the security policies and store the result as the hardened virtual server image]

