Cloud Security Lecture Notes PDF
Harvard University
Ramesh Nagappan
Summary
These lecture notes give an overview of cloud security, focusing on isolation strategies: workload, network, storage and application/data isolation. They describe the types of cloud storage and the protocols used to reach them (iSCSI, NFS/CIFS, REST), data isolation by design (CAP and PIE, distribution models), microservices, and virtual desktop infrastructure (VDI).
Full Transcript
Cloud Security
Week 5 – Lecture 1
Ramesh Nagappan, Harvard University
Copyright © Ramesh Nagappan. All rights reserved.

Week 5 Lecture 1 – Agenda
§ Evolving Cloud Security Architecture
§ Building Secure Multitenancy
§ Secure Isolation Strategies
– Workload Isolation
– Network Isolation
– Storage Isolation
– Application & Data Isolation

Multitenant Cloud Security
(Diagram: the security building blocks Secure Isolation, Access Control, Data Protection, and Monitoring & Auditing applied across the Compute, Storage, Network and Data layers.)

Cloud Security Architecture: Building Blocks
(Table of Secure Isolation mechanisms per layer; the Data Protection, Access Control and Monitoring and Auditing rows are not filled in on this slide.)
– Compute: Physical; Type 1 Hypervisor (VM); Type 2 Hypervisor (VM); Application Container; Functions
– Storage: (not yet listed on this slide)
– Network: VNIC, vSwitch; VLAN, PVLAN, VXLAN; Subnet, VPC, Gateways; SDN, SR/IOV; Bastion Host, BGP
– Application/Data: (not yet listed on this slide)

Cloud Infrastructure – Tenant Isolation: Critical Requirements
Workload Isolation
o Applications run in the cloud as workloads that share the system's resources, such as CPU, memory and networking. Workloads must be isolated from each other so that tenants remain autonomous and secure within the hosted infrastructure; this requires a secure implementation of the runtime environment and of virtual system isolation.
Network Isolation
o Application data flows in transit share the cloud network infrastructure and allow clients or other hosts to connect to a particular endpoint. Network traffic and endpoints must be segmented and isolated to protect against unauthorized or unwanted access, so that clients and communicating peers can securely reach the tenant.
Storage Isolation
o All guest tenants must have dedicated storage for their application data. The storage assignment must remain isolated and must not be accessible to co-resident tenants.
The dedicated tenant storage can be a volume, a slice, or a group of disks presented as logical volumes or virtual hard disks, but it must be secure and isolated for use by the target guest.
Application/Data Isolation
o All applications and data pertaining to a guest tenant on the cloud must remain secure and isolated in transit, in use and at rest. Application and data isolation must be maintained at the platform level with controls that isolate application and data instances at runtime or in the operating system environment.

Storage Isolation – Why it is important
þ Cloud storage architectures primarily deliver storage on demand, so they must be highly scalable and support multi-tenant consumers who share compute, network and storage resources on the same underlying physical infrastructure. Without storage isolation, tenants could intentionally or unintentionally consume a large share of the storage, intrusively access co-residents' data that does not belong to them, or potentially tamper with it.
þ A proper cloud storage design that supports multi-tenant storage allocation can be based either on per-VM allocations or on hard rate limits that treat the entire storage system as a single black box which can be elastically scaled on demand.

Storage in Cloud Infrastructure – Types of Physical Storage Services
§ Direct Attached Storage (DAS) – A storage environment that connects directly to servers; applications access data from DAS using block-level access protocols (ex. IDE, SCSI, ATA/SATA, FC).
– Examples: internal or external hard-disk storage of a host, tape libraries.
§ Network Attached Storage (NAS) – Network-based file sharing device, usually attached to a LAN. Facilitates centralized storage over the network, supporting file-level data access and sharing using IP-based protocols (ex. NFS, CIFS).
§ Fibre Channel Storage Area Network (FC SAN) – Dedicated high-speed network of servers and shared storage devices that provides block-level data access. Facilitates centralized storage and management.

Storage I/O Protocols – Types
§ NFS – File-level (also called file-I/O) protocol for accessing and potentially sharing data. The protocol is device-independent: an NFS command can request the first 80 characters of a file without knowing where the data lies on the device. Widely popular in the UNIX world.
§ CIFS – A file-level protocol for accessing and sharing data. Like NFS, a CIFS command is device-independent. CIFS has its origins in the Microsoft Windows NT world.
§ SCSI – The I/O protocol most prevalent in servers. A SCSI I/O command might tell a disk device to return data from a specific location on a disk drive. SCSI is often called a "block-level" protocol, or block I/O, because SCSI commands specify particular block (sector) locations on a specific disk.

Types of Cloud Storage
§ File Storage
– File-level storage stores files and folders; the visibility is the same to the end-user clients accessing it and to the system that stores it.
– It is usually accessible using a NAS and common file-level protocols such as SMB/CIFS (Windows), NFS (Linux/Solaris), EFS (AWS). It is ideal for shared storage.
§ Block Storage
– Data is stored as blocks in volumes (ex. hard disks).
– Block-level storage presents itself to the OS on physical/virtual servers using the industry-standard Fibre Channel and iSCSI connectivity mechanisms. It is ideal for dedicated storage.
– Ex. EBS (AWS).
(Image courtesy: EMC)

Types of Cloud Storage (continued)
§ Object Storage
– Manages data as objects, as opposed to providing block-level data access.
– Each object typically includes the data itself, a variable amount of metadata and a unique object ID.
– Object storage can be implemented at multiple levels, including the device level (object storage device), the system level, and the interface level.
– Examples: Amazon S3, Rackspace, Dropbox, Smugmug
(Image courtesy: Amazon AWS)

Cloud Storage Isolation
§ In cloud storage (or storage as a service), isolation is accomplished by abstracting the storage behind an interface through which it can be logically or physically separated and administered on demand. The interface abstracts the location of the storage, whether local, remote or hybrid, and identifies the storage with cloud-consumer-specific attributes, giving the consumer the ability to control and manage data with a high degree of protection and integrity.
§ When storage is isolated, an application saves data to a unique data compartment that is associated with some aspect of the cloud consumer's identity.

Cloud Access to Storage – APIs and Protocols
– Web services APIs: REST, SOAP – Object Storage (ex. Amazon S3, Microsoft Azure)
– File-based APIs: NFS, CIFS, FTP – Network File Storage (ex. Amazon EFS)
– Block-based APIs: iSCSI over NAS – Block Storage (ex. Amazon EBS)

iSCSI for Block Storage Isolation – How to isolate a virtual disk in the cloud at block level?
§ While SCSI connections spanned a few inches from a disk drive inside the chassis to the motherboard, iSCSI allows the underlying protocol to run over an IP connection (ex. NAS). This allows servers halfway around the world to be treated as if they were local disks, with low-level access to the underlying disks.
§ Working on top of TCP/IP, iSCSI allows SCSI commands to be sent over IP networks (LANs, WANs or the Internet).
§ iSCSI works by transporting block-level data between an iSCSI initiator (a virtual machine or physical host) and an iSCSI target on a storage device. The protocol encapsulates SCSI commands and assembles the data into packets for the TCP/IP layer. Packets are sent over the network using a point-to-point connection.

iSCSI Initiators and Target LUN
Storage is presented to the physical or virtual host as a LUN. A logical unit number (LUN) is a unique identifier that designates an individual target, or a collection of physical or virtual storage devices, that executes I/O commands with a host computer as per SCSI.
(Image courtesy: EMC)

Using iSCSI on Cloud – Block Storage is presented via iSCSI
Connect block storage entities to virtual machines, making the disks behave as if they were locally attached disks. iSCSI enables this connectivity by transferring SCSI commands between the iSCSI initiator (virtual machine) and the target iSCSI storage. To establish a link with iSCSI SANs, all virtual machines can use configured network interfaces (vNIC) as iSCSI initiators. Prior to this, it is the provider's responsibility to configure the disk volumes (iSCSI LUNs) with the appropriate quota of disk space required by the customer.

REST APIs – Using HTTP for Object Storage
§ The Representational State Transfer (REST) interface allows interaction with external systems as Web resources.
§ Communication is over HTTP using the HTTP methods (GET, POST, PUT, DELETE, etc.) that Web browsers use to retrieve Web pages and to send data to remote servers.
§ REST allows cloud storage services to offer programmatic access to CRUD operations on the storage and to fetch data (ex. Blob, Table, File, etc.).
(Image courtesy: Amazon S3)

Using REST API – Example: Using REST on Amazon S3 Buckets
An object can be CRUD (Created, Read, Updated, Deleted) using the REST API on a cloud storage service (ex. Amazon S3):

    DELETE /puppy.jpg HTTP/1.1
    User-Agent: safari
    Host: ramesh_bucket.s3.amazonaws.com
    Date: Tue, 16 Feb 2016 21:20:27 +0000
    x-amz-date: Tue, 15 Feb 2016 21:20:27 +0000
    Authorization: AWS AKIAIOSFODNN7EXAMPLE:k3nL7gH3+PadhTEV

(Image courtesy: Amazon S3)

Data Lake – Storing massive volumes in Object Storage
A data lake allows an organization to store all of its data, semi-structured and unstructured, in one centralized repository in cloud object storage.
– Helps to store and analyze massive volumes and heterogeneous types of data
– Helps scale storage and compute independently
– Upload content broken into multiple parts and download object(s) using the REST API
– Store unstructured data as name-value pairs
– Store accumulations of integrated data from one or more disparate sources

Multipathing & Path Failover – Failover and load balancing to reduce bottlenecks and outages
§ Multipathing
– It is critical to maintain a constant connection between a host and its storage.
– Use more than one physical path to transfer data between the host and an external storage device. In case of a failure of any element in the SAN network, such as an adapter, switch, or cable, the VM can switch to another physical path which does not use the failed component.
– Multipathing provides load balancing. Load balancing is the process of distributing I/O loads across multiple physical paths. Load balancing reduces or removes potential bottlenecks.
– Ex. host-based multipathing, SAN-based multipathing.
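The Authorization header in the S3 DELETE request above carries an AWS signature version 2 credential: the caller's access key ID plus a Base64 HMAC-SHA1 over a canonical string built from the verb, the signed headers and the bucket/object being acted on. The Python below is an added example, not code from the lecture or from AWS, that rebuilds that canonical string for the slide's request and shows the service-side check that rejects the same signature replayed against a different object or verb. It assumes AWS's published placeholder secret key (`wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`) for the slide's example access key, so the computed signature is illustrative and will not match the truncated one on the slide.

```python
import base64
import hashlib
import hmac

# Constructed sample built from the request on the slide; the credentials are
# AWS's documented placeholder access key and secret key, not real ones.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
CREDENTIALS = {ACCESS_KEY: SECRET_KEY}  # the service's access-key -> secret lookup

SAMPLE_REQUEST = {
    "method": "DELETE",
    "bucket": "ramesh_bucket",
    "key": "puppy.jpg",
    "headers": {
        "User-Agent": "safari",
        "Date": "Tue, 16 Feb 2016 21:20:27 +0000",
        "x-amz-date": "Tue, 15 Feb 2016 21:20:27 +0000",
    },
}


def string_to_sign(req):
    """AWS signature version 2 StringToSign for an S3 object request:
    Verb, Content-MD5, Content-Type, Date, canonical x-amz-* headers, resource.
    When x-amz-date is present the Date line is left empty and the x-amz-date
    header is signed instead (AWS ignores the Date header in that case)."""
    h = {k.lower(): v.strip() for k, v in req["headers"].items()}
    amz = sorted((k, v) for k, v in h.items() if k.startswith("x-amz-"))
    date_line = "" if "x-amz-date" in h else h.get("date", "")
    canonical_amz = "".join(f"{k}:{v}\n" for k, v in amz)
    resource = f"/{req['bucket']}/{req['key']}"  # bucket + key form the signed resource
    head = "\n".join([req["method"], h.get("content-md5", ""),
                      h.get("content-type", ""), date_line])
    return head + "\n" + canonical_amz + resource


def sign(secret, sts):
    """Base64(HMAC-SHA1(secret, StringToSign))."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def authorization_header(access_key, secret, req):
    """Client side: what goes into 'Authorization: AWS <key>:<signature>'."""
    return f"AWS {access_key}:{sign(secret, string_to_sign(req))}"


def verify(credentials, req, auth_header):
    """Service side: parse the header, look up the secret for the access key,
    recompute the signature over the request as received, and compare in
    constant time. Any change to verb, bucket, key or signed headers fails."""
    try:
        scheme, rest = auth_header.split(" ", 1)
        access_key, presented = rest.split(":", 1)
    except ValueError:
        return False
    secret = credentials.get(access_key)
    if scheme != "AWS" or secret is None:
        return False
    return hmac.compare_digest(sign(secret, string_to_sign(req)), presented)


if __name__ == "__main__":
    auth = authorization_header(ACCESS_KEY, SECRET_KEY, SAMPLE_REQUEST)
    print(auth)
    print("genuine request verifies:", verify(CREDENTIALS, SAMPLE_REQUEST, auth))
    other = dict(SAMPLE_REQUEST, key="not_my_object.jpg")
    print("same signature on another object:", verify(CREDENTIALS, other, auth))
```

AWS has since replaced this scheme with signature version 4 (HMAC-SHA256 with a derived signing key), but the property shown here is unchanged: the signature binds one tenant's credential to one verb on one bucket and object, which is what makes per-consumer storage compartments enforceable over a shared REST endpoint.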
(Image courtesy: VMWare)

Cloud Security Architecture: Building Blocks (updated with the storage layer)
(Table of Secure Isolation mechanisms per layer; the Data Protection, Access Control and Monitoring and Auditing rows are not filled in on this slide.)
– Compute: Physical/Electrical; Type 1 Hypervisor; Type 2 Hypervisor; Application Container; Functions as a Service
– Storage: Physical; iSCSI (Block storage); NFS (File storage); REST (Object storage)
– Network: VNIC, vSwitch; VLAN, PVLAN, VXLAN; IP Subnets; SDN, SR/IOV
– Application/Data: (not yet listed on this slide)
Application/Data Isolation – Why it is important
þ Cloud architectures may also need to deliver applications and data on demand to multi-tenant consumers who share compute, network and storage resources on the same underlying physical infrastructure. Some tenants therefore require that their applications and data are isolated within the host, that error conditions in their applications do not affect other applications, and possibly that multi-homed or multiple virtual applications support different contexts of the tenant.
þ In a multi-tenant environment, applications and data within a tenant may require further isolation to enhance security and/or performance, within the context of a single application running as multiple instances that deliver data to different consumers.

Application Isolation – How can it be accomplished? Isn't that application-vendor specific?
§ Application isolation strategies are usually "vendor specific" and are achieved through a combination of many application-level controls.
– Mostly they pertain to a specific feature of a software vendor.
– Other isolation options may include:
§ Microservices and use of packaged application containers
§ Application and database schemas
§ Application instances (running and accessible via different ports of a host)
§ Operating system-level controls, including POSIX, dedicated credentials (for example, users, groups, roles, and so on)
§ Dedicated data repositories, and logical resource controls.

Microservices – Application Containers based Isolation
(Diagram: a monolithic multi-tier application alongside containerized microservices in Container X, Container Y, Container Z and Container XY.)
§ With microservices, each application is decomposed into individual services that are deployed separately and isolated from one another as containerized applications.
§ Each microservice is aligned with a specific business function, and only defines the operations necessary to that business function.

Data Isolation – Rationale
§ Data resident in cloud-scale architectures is usually hosted on purpose-built databases that distribute the data across multiple data stores, file systems, and databases to meet the demand from system requests.
– This helps with access patterns, volume, business logic, localization and addressing latency.
§ Data isolation requirements also vary by application architecture design in terms of the following:
– Data storage types
– Data usage
– Data volume, velocity and variety
– Data longevity
– Durability and availability
– Transaction compliance

Data Isolation – Design choices (Data Isolation by design)
§ Data isolation design varies by application in terms of two common approaches:
– Iron Triangle of Data
– Iron Triangle of Purpose
§ Two common approaches for design:
– CAP Theorem
§ Consistency vs. Availability vs.
Partition Tolerance
– PIE Theorem
§ Query "Pattern" flexibility vs. "Infinite Scale" vs. Efficiency

CAP Theorem – Iron Triangle of Data (Data Isolation by design)
§ The CAP Theorem is a tool that helps designers determine the trade-offs that must be made while designing data organization.
§ CAP focuses on the data the system uses. The CAP theorem proposes that networked shared-data systems can only guarantee or strongly support consistency or availability.
§ For example, in traditional "relational databases" there is commonly no partitioning of the database. In this case, the system can ensure consistency and availability.
– There is no room in distributed cloud systems for any data loss.
– This means that partition tolerance is required. The choice you must make is between consistency and availability.

PIE Theorem – Iron Triangle of Purpose (Data Isolation by design)
§ PIE focuses on the purpose of the system handling the data.
§ PIE proposes that networked shared-data systems can only guarantee or strongly support two of the features: pattern flexibility, infinite scale, or efficiency.
§ For example, data stores that store and maintain "structured and unstructured data" (ex. object storage, data lake):
– There are no methods for maintaining consistency and integrity.
– This means that a state of partial consistency is required.

Choice of Data Store – Type of Data Storage (Data Isolation by design)
The choice of data store varies with the given workload and business use case.
§ Data can be stored by a file system such as a Microsoft Windows file share or Linux directory.
§ Object stores are increasing in popularity for workloads requiring semi-structured and unstructured data analytics.
§ Relational databases often store highly complex transactional data structures.
§ Nonrelational databases (document, graph, ledger) often store high-velocity data requiring highly flexible data structures.

Choice of Database – ACID Compliance (Data Isolation by design)
1. Structured Data
2. Relationships & Referential Integrity
3. Transactional / ACID compliance
4. Indexing
Ex: Relational Databases

Choice of Database – BASE Compliance (Data Isolation by design)
Ex: NoSQL Databases

Data Isolation – Distribution Models (Isolation by Distribution)
§ Distribution models help meet the demand that cloud applications place on their supporting data stores.
– The four popular distribution models are clustering, partitioning, sharding and database federation.
§ Clustering
– A database cluster consists of one or more database instances working together as a single unit. Each database instance can provide data redundancy, which makes the database cluster highly durable.
§ Partitioning
– Takes the data in a single table or file and distributes it across multiple tables or files using a partitioning function.
§ This function is often based on the values in a single column, such as an order date.
– The partitions are collections of rows or items, defined by the partition function, that are stored in individual tables or files. The partitions are then stored in a single instance of a schema and database server.

Data Isolation – Distribution Models (Isolation by Distribution, continued)
§ Sharding
– Sharding is a form of table partitioning.
– Sharding allows the system to distribute the partitions across multiple databases, which can reside in different instances.
– The real advantage of sharding lies in the distribution across database instances. This allows you to support exponential data growth and improved throughput for both read and write operations.
§ Database Federation
– A method of distributing data by creating multiple related databases. These databases often contain the data related to specific aspects of an application.
– For instance, there may be one database that contains customer data, another with product data, and a third with order data. Each of these databases is autonomous from the other databases. This configuration requires a database that serves as the federator, or traffic cop, which directs requests to the correct database.

Virtual Desktop Infrastructure
þ Virtual desktop infrastructure (VDI) is a computing model that adds a layer of virtualization between the server and the desktop environment. By installing this virtualization in place of a more traditional operating system, administrators can provide users with "access anywhere" capabilities while heightening data security throughout the organization.
þ Because VDI hosts the desktop image in the data center, organizations keep sensitive data safe in the data center, not on the end user's machine, which can be lost, stolen, or even destroyed. VDI can be accessed by stateless thin clients (hardware and software).
(Image courtesy: Xen)

Components of VDI
(Diagrams of VDI component architectures; image courtesy: Xen and VMWare)

Cloud Security Architecture: Building Blocks (complete)
(Table of Secure Isolation mechanisms per layer; the Data Protection, Access Control and Monitoring and Auditing rows are not filled in on this slide.)
– Compute: Physical/Electrical; Hypervisor-Mediated; OS-Mediated; Container; VDI
– Storage: Physical; iSCSI (Block storage); REST (Object storage); NFS (File Storage)
– Network: VNIC, vSwitch; VLAN, PVLAN, VXLAN; Subnet, VPC, Gateways; SDN, SR/IOV; Bastion Host, BGP
– Application: Microservices model; CAP & PIE; Data Storage types; Distribution models
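To make the partitioning, sharding and federation models described above concrete, the Python below is an added example (not the lecture's or any vendor's code) that partitions an orders table by order-date month, places those partitions on database instances by hash, and routes customer, product and order requests through a federator. The in-memory instances, the monthly partition function and the tenant-scoped scan are constructed for this example; the scan is where data isolation is enforced, since two tenants whose partitions land on the same instance can only ever read their own rows.

```python
import hashlib
from collections import defaultdict
from datetime import date


def partition_key(order_date):
    """Partitioning function: split the orders table by the order-date column,
    one partition per calendar month (constructed choice for this example)."""
    return f"orders_{order_date:%Y_%m}"


class DatabaseInstance:
    """In-memory stand-in for one database instance holding whole partitions."""

    def __init__(self, name):
        self.name = name
        self.partitions = defaultdict(list)

    def insert(self, partition, row):
        self.partitions[partition].append(row)

    def scan(self, partition, tenant):
        # Rows carry their owning tenant and every read is filtered by it, so a
        # co-resident tenant sharing this instance never sees another's rows.
        return [r for r in self.partitions[partition] if r["tenant"] == tenant]


class ShardedOrders:
    """Sharding: the partitions of one table live on several instances."""

    def __init__(self, instances):
        self.instances = list(instances)

    def shard_for(self, partition):
        # Deterministic placement: hash the partition name onto an instance.
        digest = hashlib.sha256(partition.encode()).hexdigest()
        return self.instances[int(digest, 16) % len(self.instances)]

    def insert(self, tenant, order):
        partition = partition_key(order["order_date"])
        self.shard_for(partition).insert(partition, dict(order, tenant=tenant))

    def query(self, tenant, order_date):
        partition = partition_key(order_date)
        return self.shard_for(partition).scan(partition, tenant)


class Federator:
    """Database federation: autonomous customer, product and order databases
    behind one 'traffic cop' that directs each request to the right one."""

    def __init__(self, order_shards):
        self.databases = {
            "customers": DatabaseInstance("customers-db"),
            "products": DatabaseInstance("products-db"),
            "orders": ShardedOrders(order_shards),
        }

    def route(self, domain):
        if domain not in self.databases:
            raise KeyError(f"no federated database for {domain!r}")
        return self.databases[domain]


def demo():
    """Load a few constructed orders for two tenants and return the per-tenant
    row counts for February and March 2016 as (a_feb, b_feb, a_mar, b_mar)."""
    fed = Federator([DatabaseInstance("orders-db-1"), DatabaseInstance("orders-db-2")])
    orders = fed.route("orders")
    orders.insert("tenant-a", {"id": 1, "order_date": date(2016, 2, 16)})
    orders.insert("tenant-b", {"id": 2, "order_date": date(2016, 2, 17)})
    orders.insert("tenant-a", {"id": 3, "order_date": date(2016, 3, 1)})
    feb, mar = date(2016, 2, 1), date(2016, 3, 1)
    return (len(orders.query("tenant-a", feb)), len(orders.query("tenant-b", feb)),
            len(orders.query("tenant-a", mar)), len(orders.query("tenant-b", mar)))


if __name__ == "__main__":
    print(demo())  # both tenants' February orders share one partition, yet each sees only its own
```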
References / Work Cited
NIST: Virtualization
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
http://csrc.nist.gov/publications/drafts/800-125a/sp800-125a_draft.pdf
Xen Hypervisor – Virtual Desktop Infrastructure
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xendesktop-deployment-blueprint.pdf
http://h10032.www1.hp.com/ctg/Manual/c01570105.pdf
http://www8.hp.com/h20195/V2/getpdf.aspx/4AA4-9489ENW.pdf?ver=3.0
VMWare – Virtual Desktop Infrastructure
https://www.vmware.com/support/pubs/vdi_pubs.html
http://www.vmware.com/pdf/vdm21_manual.pdf
https://www.vmware.com/files/pdf/partners/netapp-vmware-view-wp.pdf
Storage Virtualization
http://www.iitk.ac.in/cc/workshop29-8/hp2.ppt
http://citi.umass.edu/ghpc/EMC_Presentation_V4.ppt
https://www.purestorage.com/resources/type-a/WP-PureStorageandVMwarevSphereBestPracticesGuide_Request.html
https://www.vmware.com/software-defined-datacenter/storage
http://www.oracle.com/us/products/storage/zs3/virtualization/index.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html
http://community.netapp.com/t5/Tech-OnTap-Articles/PDF-Preview-StorageGRID-Webscale-Nonstop-Object-Storage-for-Enterprise-and-Cloud/ta-p/90139
Object Storage
http://www.snia.org/sites/default/education/tutorials/2013/spring/file/BrentWelch_Object_Storage_Technology.pdf

Week 5 Lecture 2 – Agenda (next lecture)
§ Data Protection Strategies – Concepts and Technology
– Workload Cryptographic Services
– Network Cryptographic Services
– Storage Cryptographic Services
– Application Data Protection