Cloud Computing Service Models

Network Access Control

Network Access Control (NAC) is an umbrella term for managing access to a network
- Authenticates users logging into the network and determines what data they can access and actions they can perform
- Examines the health of the user's computer or mobile device
NAC systems deal with three categories of components:
- Access requester (AR) - node that is attempting to access the network and may be any device that is managed by the NAC system
- Policy server - determines what access should be granted
- Network access server (NAS) - functions as an access control point for users in remote locations connecting to an enterprise's internal network

Network Access Enforcement Methods

Actions that are applied to ARs to regulate access to the enterprise network
Many vendors support multiple enforcement methods simultaneously, allowing customers to tailor the configuration by using one or a combination of methods
Common NAC enforcement methods:
- IEEE 802.1X (link layer protocol)
- Virtual local area networks (VLANs)
- Firewall
- DHCP management

Extensible Authentication Protocol (EAP)

Acts as a framework for network access and authentication protocols
Provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server
Can operate over a variety of network and link-level facilities, including point-to-point links, LANs, and other networks
Commonly supported EAP methods:
- EAP Transport Layer Security (EAP-TLS)
- EAP Tunneled TLS (EAP-TTLS)
- EAP Generalized Pre-Shared Key (EAP-GPSK)
- EAP-IKEv2

IEEE 802.1X Access Control

Ports are logical entities defined within the authenticator and refer to physical network connections
Uncontrolled port allows the exchange of protocol data units (PDUs) between the supplicant and the AS, regardless of the authentication state of the supplicant
Controlled port allows the exchange of PDUs between a supplicant and other systems on the network only if the current state of the supplicant authorizes such an exchange
Essential element defined in 802.1X is a protocol known as EAPOL (EAP over LAN)
EAPOL operates at the network layers and makes use of an IEEE 802 LAN, such as Ethernet or Wi-Fi, at the link level

Cloud Computing

NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
Cloud computing promotes availability and is composed of five essential characteristics, three service models, and four deployment models

Cloud Computing Reference Architecture

NIST SP 500-292 establishes a reference architecture, which focuses on the requirements of "what" cloud services provide, not a "how to" design solution and implementation
The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing

Cloud Computing Actors

Cloud consumer: a person or organization that maintains a business relationship with, and uses service from, cloud providers
Cloud provider: a person, organization, or entity responsible for making a service available to interested parties
Cloud auditor: a party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation
Cloud broker: an entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between CPs and cloud consumers
Cloud carrier: an intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers

Cloud Security Risks and Countermeasures

Abuse and nefarious use of cloud computing
- Countermeasures: stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination
Malicious insiders
- Countermeasures: enforce strict supply chain management and conduct a comprehensive supplier assessment
Insecure interfaces and APIs
- Countermeasures: implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity
Data loss or leakage
- Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit
Account or service hijacking
- Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques
Unknown risk profile
- Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details

Data Protection in the Cloud

Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
Multi-instance model: provides a unique DBMS running on a virtual machine instance for each cloud subscriber
Multi-tenant model: provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier

Cloud Security as a Service (SecaaS)

Provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems
Categories of SecaaS include:
- Identity and access management
- Data loss prevention
- Web security
- E-mail security
- Security assessments
- Intrusion management
- Security information and event management
- Encryption
- Business continuity and disaster recovery
- Network security

Symmetric Key Distribution

Symmetric encryption requires two parties to share the same key, which must be protected from access by others
Frequent key changes are desirable to limit the amount of data compromised if an attacker learns the key
Key distribution techniques:
- A key can be selected by one party and physically delivered to the other
- A third party can select the key and physically deliver it to both parties
- One party can transmit the new key to the other, using the old key to encrypt the new key
- A third party can deliver a key on encrypted links to both parties

Kerberos

Kerberos is a key distribution and user authentication service developed at MIT
Relies exclusively on symmetric encryption, making no use of public-key encryption
Two versions are in use: Version 4 and Version 5
Version 4 implementations still exist, although being phased out
Version 5 corrects some of the security deficiencies of Version 4 and has been issued as a proposed Internet Standard (RFC 4120)
Kerberos realm: a set of managed nodes that share the same Kerberos database
Kerberos principal: a service or user that is known to the Kerberos system, identified by its principal name

Kerberos Version 4

A basic third-party authentication scheme
Authentication Server (AS): users initially negotiate with AS to identify themselves
Ticket Granting Server (TGS): users subsequently request access to other services from TGS on the basis of their Ticket Granting Ticket (TGT)
Complex protocol using DES

Kerberos Realms and Principals

A Kerberos realm consists of:
- A set of managed nodes that share the same Kerberos database
- The Kerberos database resides on the Kerberos master computer system
- A read-only copy of the Kerberos database may reside on other Kerberos computer systems
- All changes to the database must be made on the master computer system
Kerberos principal: a service or user that is known to the Kerberos system, identified by its principal name
Principal names consist of three parts: realm, instance, and principal name

Key Distribution using Asymmetric Encryption

Public-key encryption addresses the problem of key distribution
Two distinct aspects:
- Distribution of public keys
- Use of public-key encryption to distribute secret keys
Public-key certificate: a public key plus a user ID, signed by a trusted third party (Certificate Authority)

X.509 Certificates

Part of the X.500 series of recommendations that define a directory service
Defines a framework for the provision of authentication services by the X.500 directory to its users
The directory may serve as a repository of public-key certificates
Defines alternative authentication protocols based on the use of public-key certificates
Initially issued in 1988, based on the use of public-key cryptography and digital signatures
Does not dictate the use of a specific algorithm, but recommends RSA

Obtaining a User’s Certificate

User certificates generated by a CA have the following characteristics:
- Any user with access to the public key of the CA can verify the user public key that was certified
- No party other than the certification authority can modify the certificate without this being detected
Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them

Revocation of Certificates

Each certificate includes a period of validity
Revocation may be desirable on occasion for reasons such as:
- The user’s private key is assumed to be compromised
- The user is no longer certified by this CA
- The CA’s certificate is assumed to be compromised

X.509 Version 3

Includes optional extensions that may be added to the Version 2 format
Extensions fall into three main categories:
- Key and policy information
- Subject and issuer attributes
- Certification path constraints

PKIX Management Functions

Functions that potentially need to be supported by management protocols:
- Registration
- Initialization
- Certification
- Key pair recovery
- Key pair update
- Revocation request
- Cross certification
Alternative management protocols:
- Certificate management protocols (CMP)
- Certificate management messages over CMS (CMC)

Identity Management

A centralized, automated approach to provide enterprise-wide access to resources by employees and other authorized individuals
Focus is defining an identity for each user (human or process), associating attributes with the identity, and enforcing a means by which a user can verify identity
Principal elements of an identity management system:
- Authentication
- Authorization
- Accounting
- Provisioning
- Workflow automation
- Delegated administration
- Password synchronization
- Self-service password reset
- Federation