Cloud Computing Service Models


What does a Cloud Auditor do?

An independent entity that can assure that the CP conforms to a set of standards.

What does a Cloud Provider (CP) provide for the SaaS service model?

For SaaS, the CP deploys, configures, maintains, and updates the application itself on its cloud infrastructure; the consumer only uses the application. Raw storage and processing facilities (servers, networks, storage) are what the CP provisions for the IaaS model.

Multi-tenant model in cloud computing provides a unique DBMS running on a virtual machine instance for each cloud subscriber.

False

A straightforward solution to the security problem in cloud data protection is to encrypt the entire database and not provide the ______ keys to the service provider.

encryption/decryption

Match the following SecaaS categories with their descriptions:

  • Identity and access management = Management of user access to resources
  • Data loss prevention = Preventing unauthorized data disclosure
  • Web security = Protection against web-based threats
  • Encryption = Data protection through cryptographic methods

What is the purpose of frequent key changes in symmetric encryption?

To limit the amount of data compromised if an attacker learns the key

What is Kerberos?

Kerberos is a key distribution and user authentication service developed at MIT.

X.509 certificates include a period of validity.

True

Public-key certificates consist of a public key plus a user ID of the key owner, with the whole block signed by a ______________.

trusted third party

Study Notes

Network Access Control

  • Network Access Control (NAC) is an umbrella term for managing access to a network
    • Authenticates users logging into the network and determines what data they can access and actions they can perform
    • Examines the health of the user's computer or mobile device
  • NAC systems deal with three categories of components:
    • Access requester (AR) - node that is attempting to access the network and may be any device that is managed by the NAC system
    • Policy server - determines what access should be granted
    • Network access server (NAS) - functions as an access control point for users in remote locations connecting to an enterprise's internal network

Network Access Enforcement Methods

  • Actions that are applied to ARs to regulate access to the enterprise network
  • Many vendors support multiple enforcement methods simultaneously, allowing customers to tailor the configuration by using one or a combination of methods
  • Common NAC enforcement methods:
    • IEEE 802.1X (link layer protocol)
    • Virtual local area networks (VLANs)
    • Firewall
    • DHCP management

Extensible Authentication Protocol (EAP)

  • Acts as a framework for network access and authentication protocols
  • Provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server
  • Can operate over a variety of network and link-level facilities, including point-to-point links, LANs, and other networks
  • Commonly supported EAP methods:
    • EAP Transport Layer Security (EAP-TLS)
    • EAP Tunneled TLS (EAP-TTLS)
    • EAP Generalized Pre-Shared Key (EAP-GPSK)
    • EAP-IKEv2

IEEE 802.1X Access Control

  • Ports are logical entities defined within the authenticator and refer to physical network connections
  • Uncontrolled port allows the exchange of protocol data units (PDUs) between the supplicant and the AS, regardless of the authentication state of the supplicant
  • Controlled port allows the exchange of PDUs between a supplicant and other systems on the network only if the current state of the supplicant authorizes such an exchange
  • Essential element defined in 802.1X is a protocol known as EAPOL (EAP over LAN)
  • EAPOL frames are carried directly in IEEE 802 LAN frames (Ethernet or Wi-Fi) at the link level, using EtherType 0x888E; no IP address is involved, which is why a supplicant can authenticate before it has any network-layer configuration
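
The uncontrolled/controlled port split described above, as an added example that is not part of the original notes: a Python parser for EAPOL and EAP headers plus a minimal model of one authenticator port. The frame layouts (EtherType 0x888E, the EAPOL Version/Type/Length header, the EAP Code/Identifier/Length/Type header) and the EAP method type numbers are from IEEE 802.1X, RFC 3748 and the IANA EAP registry; the sample frames, the MAC addresses, the user name and the AuthenticatorPort class are constructed for this example.

```python
import struct
from typing import Optional

# Identifiers from IEEE 802.1X, RFC 3748 and the IANA EAP method registry
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
EAPOL_TYPE = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHOD = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 49: "EAP-IKEv2", 54: "EAP-GPSK"}


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet (RFC 3748 section 4): Code, Identifier, Length, then Type for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    eap = {"code": EAP_CODE.get(code, f"unknown({code})"), "id": ident, "method": None, "data": b""}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a Type byte
        eap["method"] = EAP_METHOD.get(pkt[4], f"type {pkt[4]}")
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL; an EAP-Packet body is handed to parse_eap."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not EAPOL")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:                     # a Length that overruns the frame is rejected, not read past
        raise ValueError("EAPOL Length field exceeds frame")
    out = {"version": version, "type": EAPOL_TYPE.get(ptype, f"unknown({ptype})"), "eap": None}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def build_eap(code: int, ident: int, method: Optional[int] = None, data: bytes = b"") -> bytes:
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(ptype: int, eap: bytes = b"", src: bytes = bytes.fromhex("020000000001")) -> bytes:
    """Constructed supplicant frame: PAE group destination, EAPOL protocol version 2 (802.1X-2004)."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(eap)) + eap


class AuthenticatorPort:
    """The uncontrolled/controlled port pair on one physical authenticator port.

    Only EAPOL passes the uncontrolled port, whatever the authentication state; all other
    traffic passes the controlled port only while the supplicant is authorized.
    """

    def __init__(self) -> None:
        self.authorized = False

    def receive(self, frame: bytes) -> str:
        if len(frame) < 14:
            raise ValueError("runt frame")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETHERTYPE_EAPOL:
            eapol = parse_eapol(frame)
            if eapol["type"] == "EAPOL-Logoff":
                self.authorized = False
                return "uncontrolled: EAPOL-Logoff, port de-authorized"
            if eapol["type"] == "EAP-Packet":
                e = eapol["eap"]
                return f"uncontrolled: relay EAP {e['code']}/{e['method']} id={e['id']} to AS"
            return f"uncontrolled: {eapol['type']} handled locally"
        if self.authorized:
            return "controlled: forwarded"
        return "controlled: dropped, supplicant not authenticated"

    def deliver_from_as(self, eap_pkt: bytes) -> None:
        """Apply the AS verdict (EAP Success/Failure, arriving via RADIUS) to the controlled port."""
        self.authorized = parse_eap(eap_pkt)["code"] == "Success"


def run_exchange() -> list:
    """Constructed walk-through: data is blocked, EAP flows, Success opens the port, Logoff closes it."""
    port = AuthenticatorPort()
    # constructed IPv4 broadcast frame: it must never cross the controlled port before authentication
    ip_frame = b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
    log = [port.receive(ip_frame), port.receive(build_eapol(1))]
    log.append(port.receive(build_eapol(0, build_eap(2, 1, 1, b"alice@example.org"))))
    port.deliver_from_as(build_eap(3, 2))                 # AS returns EAP-Success
    log.append(port.receive(ip_frame))
    log.append(port.receive(build_eapol(2)))              # supplicant sends EAPOL-Logoff
    log.append(port.receive(ip_frame))
    return log
```

The model omits the EAP-Request/Identity the authenticator sends in response to EAPOL-Start and the RADIUS leg to the AS; what it keeps is the security-relevant rule that the controlled port opens only on an AS verdict and closes again on Logoff, and that Length fields are checked against the bytes actually present before anything is parsed.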

Cloud Computing

  • NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
  • Cloud computing promotes availability and is composed of five essential characteristics, three service models, and four deployment models

Cloud Computing Reference Architecture

  • NIST SP 500-292 establishes a reference architecture, which focuses on the requirements of "what" cloud services provide, not a "how to" design solution and implementation
  • The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing

Cloud Computing Actors

  • Cloud consumer: a person or organization that maintains a business relationship with, and uses service from, cloud providers
  • Cloud provider: a person, organization, or entity responsible for making a service available to interested parties
  • Cloud auditor: a party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation
  • Cloud broker: an entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between CPs and cloud consumers
  • Cloud carrier: an intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers

Cloud Security Risks and Countermeasures

  • Abuse and nefarious use of cloud computing
    • Countermeasures: stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination
  • Malicious insiders
    • Countermeasures: enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Insecure interfaces and APIs
    • Countermeasures: analyze the security model of the CP's interfaces; ensure strong authentication and access control are used together with encrypted transmission; understand the dependency chain associated with the API
  • Data loss or leakage
    • Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit
  • Account or service hijacking
    • Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques
  • Unknown risk profile
    • Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details

Data Protection in the Cloud

  • Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
  • Multi-instance model: provides a unique DBMS running on a virtual machine instance for each cloud subscriber
  • Multi-tenant model: provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
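
The tagging approach of the multi-tenant model, as an added example that is not from the page or from any provider's code: a constructed invoices table in Python's sqlite3 where every row carries a subscriber identifier. It shows the failure mode the tag is meant to prevent, a lookup by primary key alone that returns another subscriber's row, beside a scoped accessor that binds the tenant identifier to every statement. Table, tenant names and amounts are made up for the example.

```python
import sqlite3
from typing import Optional


def setup_db() -> sqlite3.Connection:
    """Constructed sample: one shared table, every row tagged with its subscriber (tenant_id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
        [("acme", 100), ("acme", 250), ("globex", 999)],
    )
    # Queries that filter by tenant_id use this index instead of scanning every tenant's rows
    conn.execute("CREATE INDEX invoices_tenant ON invoices (tenant_id, id)")
    return conn


def unscoped_get(conn: sqlite3.Connection, invoice_id: int) -> Optional[dict]:
    """The failure mode: lookup by primary key alone, so any tenant that guesses an id reads the row."""
    row = conn.execute("SELECT tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return None if row is None else {"tenant_id": row[0], "amount": row[1]}


class TenantScope:
    """Binds the subscriber identifier once; every statement carries it in its WHERE clause,
    so a primary key on its own can never select another tenant's row."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn, self.tenant = conn, tenant_id

    def get_invoice(self, invoice_id: int) -> Optional[dict]:
        row = self.conn.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? AND id = ?", (self.tenant, invoice_id)
        ).fetchone()
        return None if row is None else {"id": row[0], "amount": row[1]}

    def list_invoices(self) -> list:
        return [r[0] for r in self.conn.execute(
            "SELECT id FROM invoices WHERE tenant_id = ? ORDER BY id", (self.tenant,))]

    def set_amount(self, invoice_id: int, amount: int) -> bool:
        """False when no row matched: absent, or owned by another tenant (kept indistinguishable on purpose)."""
        cur = self.conn.execute(
            "UPDATE invoices SET amount = ? WHERE tenant_id = ? AND id = ?", (amount, self.tenant, invoice_id)
        )
        self.conn.commit()
        return cur.rowcount == 1


def demo() -> dict:
    """Acme tries to read and modify invoice 3, which belongs to Globex."""
    conn = setup_db()
    acme, globex = TenantScope(conn, "acme"), TenantScope(conn, "globex")
    return {
        "leak_via_unscoped": unscoped_get(conn, 3),
        "acme_sees_3": acme.get_invoice(3),
        "acme_updates_3": acme.set_amount(3, 0),
        "globex_3_after": globex.get_invoice(3),
        "acme_ids": acme.list_invoices(),
    }
```

The scoped accessor returns "not found" for a foreign row rather than "forbidden", so an attacker probing identifiers cannot learn which ones exist in other tenants; in a real service the tenant bound into TenantScope comes from the authenticated session, never from a request parameter.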

Cloud Security as a Service (SecaaS)

  • Provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems
  • Categories of SecaaS include:
    • Identity and access management
    • Data loss prevention
    • Web security
    • E-mail security
    • Security assessments
    • Intrusion management
    • Security information and event management
    • Encryption
    • Business continuity and disaster recovery
    • Network security

Symmetric Key Distribution

  • Symmetric encryption requires two parties to share the same key, which must be protected from access by others
  • Frequent key changes are desirable to limit the amount of data compromised if an attacker learns the key
  • Key distribution techniques:
    • A key can be selected by one party and physically delivered to the other
    • A third party can select the key and physically deliver it to both parties
    • One party can transmit the new key to the other, using the old key to encrypt the new key
    • A third party can deliver a key on encrypted links to both parties

Kerberos

  • Kerberos is a key distribution and user authentication service developed at MIT
  • The base protocol relies exclusively on symmetric encryption and makes no use of public-key encryption (the later PKINIT extension, RFC 4556, adds public-key based initial authentication)
  • Two versions are in use: Version 4 and Version 5
  • Version 4 implementations still exist, although being phased out
  • Version 5 corrects some of the security deficiencies of Version 4 and has been issued as a proposed Internet Standard (RFC 4120)
  • Kerberos realm: a set of managed nodes that share the same Kerberos database
  • Kerberos principal: a service or user that is known to the Kerberos system, identified by its principal name

Kerberos Version 4

  • A basic third-party authentication scheme
  • Authentication Server (AS): users initially negotiate with AS to identify themselves
  • Ticket Granting Server (TGS): users subsequently request access to other services from TGS on the basis of their Ticket Granting Ticket (TGT)
  • Complex protocol using DES

Kerberos Realms and Principals

  • A Kerberos realm consists of:
    • A set of managed nodes that share the same Kerberos database
    • The Kerberos database resides on the Kerberos master computer system
    • A read-only copy of the Kerberos database may reside on other Kerberos computer systems
    • All changes to the database must be made on the master computer system
  • Kerberos principal: a service or user that is known to the Kerberos system, identified by its principal name
  • Principal names consist of three parts: a service or user name, an instance, and a realm, written name.instance@realm in Version 4 (Version 5 writes multi-component names as name/instance@REALM)

Key Distribution using Asymmetric Encryption

  • Public-key encryption addresses the problem of key distribution
  • Two distinct aspects:
    • Distribution of public keys
    • Use of public-key encryption to distribute secret keys
  • Public-key certificate: a public key plus a user ID, signed by a trusted third party (Certificate Authority)

X.509 Certificates

  • Part of the X.500 series of recommendations that define a directory service
  • Defines a framework for the provision of authentication services by the X.500 directory to its users
  • The directory may serve as a repository of public-key certificates
  • Defines alternative authentication protocols based on the use of public-key certificates
  • Initially issued in 1988, based on the use of public-key cryptography and digital signatures
  • Does not dictate the use of a specific algorithm, but recommends RSA

Obtaining a User’s Certificate

  • User certificates generated by a CA have the following characteristics:
    • Any user with access to the public key of the CA can verify the user public key that was certified
    • No party other than the certification authority can modify the certificate without this being detected
  • Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them

Revocation of Certificates

  • Each certificate includes a period of validity
  • Revocation may be desirable on occasion for reasons such as:
    • The user’s private key is assumed to be compromised
    • The user is no longer certified by this CA
    • The CA’s certificate is assumed to be compromised
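
The validity period and its limits, as an added example that is not from the page or from any X.509 library: a minimal DER reader for the Validity SEQUENCE that a certificate carries, with the clock checks a verifier performs. The tags (0x30 SEQUENCE, 0x17 UTCTime, 0x18 GeneralizedTime), the two-digit-year pivot for UTCTime and the rule that dates from 2050 on use GeneralizedTime are from RFC 5280; the sample validity periods and the encoder that produces them are constructed here. Passing this check says nothing about revocation: a certificate inside its period must still be checked against the CA's revocation information for the reasons listed above.

```python
from datetime import datetime, timezone

TAG_SEQUENCE, TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x30, 0x17, 0x18


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; returns (tag, value, next_pos). Handles short and long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    if start + length > len(buf):                 # never read past the bytes actually present
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[start:start + length], start + length


def decode_time(tag: int, value: bytes) -> datetime:
    """RFC 5280 4.1.2.5: UTCTime is YYMMDDHHMMSSZ with YY >= 50 meaning 19YY; GeneralizedTime is YYYYMMDDHHMMSSZ."""
    text = value.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("certificate times must be expressed in UTC (Z)")
    if tag == TAG_UTCTIME:
        if len(text) != 13:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        body = f"{year}{text[2:12]}"
    elif tag == TAG_GENERALIZEDTIME:
        if len(text) != 15:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        body = text[:14]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_validity(der: bytes):
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time }"""
    tag, seq, _ = read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, pos = read_tlv(seq)
    t2, v2, end = read_tlv(seq, pos)
    if end != len(seq):
        raise ValueError("trailing bytes in Validity")
    return decode_time(t1, v1), decode_time(t2, v2)


def encode_validity(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed encoder, used only to build sample input (a real cert carries Validity inside TBSCertificate)."""
    def enc(dt: datetime) -> bytes:
        if dt.year < 2050:
            return bytes([TAG_UTCTIME, 13]) + dt.strftime("%y%m%d%H%M%SZ").encode()
        return bytes([TAG_GENERALIZEDTIME, 15]) + dt.strftime("%Y%m%d%H%M%SZ").encode()
    body = enc(not_before) + enc(not_after)
    return bytes([TAG_SEQUENCE, len(body)]) + body


def check_validity(der: bytes, now: datetime) -> str:
    not_before, not_after = parse_validity(der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "within validity period"


# Constructed samples: a one-year certificate, and one whose period straddles the 2050 encoding boundary
SAMPLE_VALIDITY = encode_validity(datetime(2024, 3, 1, tzinfo=timezone.utc),
                                  datetime(2025, 3, 1, tzinfo=timezone.utc))
LONG_LIVED = encode_validity(datetime(2049, 12, 31, tzinfo=timezone.utc),
                             datetime(2050, 1, 1, tzinfo=timezone.utc))


def demo() -> dict:
    """Evaluate SAMPLE_VALIDITY against three constructed clock values."""
    clocks = {"before": datetime(2024, 1, 1, tzinfo=timezone.utc),
              "during": datetime(2024, 9, 1, tzinfo=timezone.utc),
              "after": datetime(2026, 1, 1, tzinfo=timezone.utc)}
    return {name: check_validity(SAMPLE_VALIDITY, clock) for name, clock in clocks.items()}
```

The verifier's clock is the weak point here: a host whose time is wrong accepts expired certificates or rejects fresh ones, which is one reason trusted time sources matter in a PKI deployment.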

X.509 Version 3

  • Includes optional extensions that may be added to the Version 2 format
  • Extensions fall into three main categories:
    • Key and policy information
    • Subject and issuer attributes
    • Certification path constraints

PKIX Management Functions

  • Functions that potentially need to be supported by management protocols:
    • Registration
    • Initialization
    • Certification
    • Key pair recovery
    • Key pair update
    • Revocation request
    • Cross certification
  • Alternative management protocols:
    • Certificate management protocols (CMP)
    • Certificate management messages over CMS (CMC)

Identity Management

  • A centralized, automated approach to provide enterprise-wide access to resources by employees and other authorized individuals
  • Focus is defining an identity for each user (human or process), associating attributes with the identity, and enforcing a means by which a user can verify identity
  • Principal elements of an identity management system:
    • Authentication
    • Authorization
    • Accounting
    • Provisioning
    • Workflow automation
    • Delegated administration
    • Password synchronization
    • Self-service password reset
    • Federation
