The Outside Malicious Attacks


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

IaaS stands for Infrastructure as a Service. Providers of this cloud-service model offer physical machines (the rarer case) or virtual machines, along with various other resources. To accommodate customers' needs, the cloud operational support system draws on a large number of virtual machines, which provide flexibility; the ability to scale services up and down according to each customer's varying requirements is a great asset.

Infrastructure-as-a-Service (IaaS) can be defined as the use of servers, storage, and virtualization to enable utility-like services for users. The infrastructure consists of the facility, communication networks, physical compute nodes, and the pool of virtualized computing resources managed by a service provider. The service aspect consists of components within the user's domain of control and would include the virtual machines and their operating systems, storage, and management of these (B. Hay, 2011).

Using an IaaS Cloud environment relieves users of the responsibility of managing the physical equipment required for the infrastructure, while they retain control over the operating system configuration and the software running on each machine. Industries face a big decision when it comes to using Cloud infrastructure: choosing between a self-managed private Cloud, paying and subscribing to another Cloud provider for hosted services, or a combination of both. Charlie Oppenheimer observed that for compute-intensive loads that need a lot of bandwidth, self-hosted infrastructure is more cost effective, and that the opposite seems to be true for light and intermittent use (Oppenheimer, 2012). Other factors worth considering are the security policies applied by each Cloud provider, which may differ and may cause problems in countries with strict legislation or a different culture, and the physical location of data.

As always, Cloud security is a priority. Because most cloud service models run on top of IaaS, the risk of privacy-related incidents is increased. A number of different possibilities may result in such a compromise. These risks can be mitigated by assigning roles to personnel, with different login privileges for each user according to the needs of their job description. Apart from user compromise, encrypting the data used within the operating system is a must for countering exploitation in the virtualization layer (W. Dawoud, 2010).

PaaS

PaaS stands for Platform as a Service. PaaS providers offer programming-language tools and development middleware, which allow subscribers to develop applications without installing or configuring the development environment themselves. PaaS is built upon IaaS, meaning that PaaS needs IaaS to run, so the same benefits apply, such as utility computing, hardware virtualization and dynamic resource allocation according to need, plus low investment costs compared with building a computer system to support the development tools. The preset configuration reduces the administration and maintenance time required of developers and system administrators. The provided tools would otherwise require better-than-average PCs to handle the data load and processing; by using them, together with the cloud's data redundancy and high availability, applications developed this way can be delivered to users via the internet (X. Wang, 2011). Google App Engine and Microsoft Azure are examples of well-known PaaS providers.

A known problem that may arise from using PaaS is compatibility. Each of the APIs uses different software, tools, features and languages. This can make choosing the appropriate API difficult, or even make it impossible to switch between providers later if needed (J. Martins, 2011).

Full PaaS - Partial PaaS

Cloud platforms are categorized as full PaaS or partial PaaS. Full PaaS lets the customer develop using only a client, which can be a web browser, removing the need to install anything other than the client itself. Partial PaaS offers less flexibility than full PaaS, with great danger of vendor lock-in and compatibility issues, but requires the least maintenance and administrative configuration and is ready to be used upon subscription or notary (Z. Mahmood, 2011).

Security within a PaaS is as important as in an IaaS model. In contrast to enterprise infrastructure, public cloud providers give consumers limited ability to secure the proprietary data they produce and the location where that data is stored. Platforms sometimes host services with elevated privileges for the convenience of operating effectively. The PaaS provider should be aware of the danger this creates and counter it with stronger restriction policies that still leave enough privileges to operate effectively, so that one consumer cannot gain access to another customer's platform, memory, data or network traffic (F. Hu, 2010).

PaaS comes in the form of proprietary technology, like AppFog, Heroku or PagodaBox, and also as open source technology, like OpenShift. Open source platforms are becoming more popular, and proprietary companies are making their code more publicly available. The difference between the two cases is that open source platforms allow a great degree of control over security and even allow the security measures to be thoroughly tested and evaluated by third parties, thus providing more security flexibility. Although most PaaS providers describe their security responsibilities in an SLA, third-party security testing is strongly recommended regardless of the claims made by the provider.

SaaS

SaaS stands for Software as a Service. It provides the subscriber with access to software or services that reside in the cloud and not on the local user's device. The subscriber of a SaaS application requires only a client capable of running software, such as a web browser, in order to access the cloud-hosted application. This reduces the need for high-end hardware and allows centralized control, deployment and maintenance of the leased software. Some popular SaaS applications are Gmail and Hotmail (Joel Gibson, 2012). The SaaS Cloud model has many advantages when it comes to organization budgets. Microsoft Corporation published a report showing that deploying applications using the SaaS Cloud model has a very low initial investment cost in hardware and staff (Gianpaolo Carraro, n.d.). Another study, by Hurwitz & Associates, concluded that SaaS cloud solutions offered a stunning 64% saving over 4 years compared with a comparable on-premise solution (Amazon, 2012).

A SaaS solution can provide protection from data loss: the flexibility of a SaaS-based application with Cloud storage can eliminate the need for employees to carry sensitive and vital data when traveling or switching locations. Trying to locate and gather data from decentralized data locations or models is either impossible or very costly. Balding states that a centralized SaaS provider is much more efficient when it comes to incident response and forensics (Balding, 2012). Other security benefits include low testing costs because of shared security testing, an increased ability to deploy secure logging, secure software builds, and a more efficiently tuned system.

Deeper research shows that SaaS comes with numerous disadvantages as well. Along with the possible cost savings of a SaaS solution, Hurwitz & Associates also concluded that the saving of a SaaS model depends on the number of employees: with more employees, costs increase (Amazon, 2012). Another important problem arises from the research: different countries have different regulations on the security of enterprise data. Network World references regulations such as the Federal Information Security Management Act that require customers to keep sensitive data within the country (World, 2012). Large risk lies not only with employees who carry sensitive data but also with insecure data endpoints. Proper research into SaaS solution providers is the best way to avoid and mitigate these risks. Messmer suggests asking questions such as: Which SaaS employees have root database access? Is data held encrypted? Is client data separated? What security controls are in place? What are the service level agreements? What information is captured in audit logs? (World, 2009) Decision making based on proper research is the best answer to mitigating security problems, and not only when choosing a SaaS provider.

Security Challenges in Cloud Computing

Cloud computing provides organizations with cost-effective alternatives to hosting their own computing resources. Because Cloud computing is an emerging technology with very rapid growth over the last decade, it has drawn attention from hackers and malicious users. Research shows that, although cost efficient, Cloud models are not 100% secure. In a cloud environment, security is shared between the user and the cloud provider. Both entities have to trust each other and help improve security on both ends. Cloud security problems will be categorized as Insider Threats, Outside Malicious Attacks, Data Loss, Issues related to Multi-tenancy, Loss of Control, and Service Disruption.

Insider Threats

Research shows that a large part of security threats come from within the organization's boundaries (Telecom, 2009). In the cloud this threat is more complicated: an organization needs to worry not only about its own employees, who are interviewed before being hired so that it has a picture of their potential and their possible lack of skills, but also about the methods and the employees the Cloud provider utilizes. To summarize, organizations that subscribe to cloud services usually lack transparency into the provider's processes for hiring its employees and for keeping data in various locations, and into its relations with third-party vendors (Sailesh, 2009). This can result in several malicious scenarios, such as corporate espionage, a casual hacker attack or malicious insider actions. Without any protection or encryption on the data stored in the cloud provider's data banks, sensitive information may even be lost or sold to a possible competitor.

It still remains a challenge how an organization can restrict its internal employees and other people working on its systems from accessing vital corporate data or confidential data of third-party collaborators without affecting production. This problem can be mitigated by enforcing strict supply chain management and conducting a comprehensive supplier assessment. This will enable the Cloud provider to ensure that only people who get through extensive characterization and requirement testing or interviewing are hired. This also applies to contractors and vendors alike. By specifying these requirements, human resources can be tied to legal action against them in case of any act of espionage or intentional misbehavior (Garnand, 2012). To complement all of the above, transparent measures for overall information security and management practices must be in place. A compliance reporting system will help determine security breach notification so that appropriate action may be taken against a person who has committed fraud or intentional sabotage. An intrusion prevention system combined with a notification system (SMTP, SNMP) should be deployed to discover any attack attempts and to repel them (Telecom, 2009).

Outside Malicious Attacks

Outside malicious attacks concern not only the Cloud computing community but all enterprises that hold confidential data that must not leak outside the company's boundaries. Outside threats are one of the most concerning issues for any organization, as they entail the release of confidential information out in the open or possible defacing of the organization (Telecom, 2009). This problem extends to Cloud infrastructure too, as Clouds are more accessible than any private network and have more interfaces to help their legitimate users access information. This is also what hackers exploit to gain leverage against the security of Cloud environments: exploiting API weaknesses, tapping or breaking into the connection (media or logical channel), and social engineering (Nayyar, 2011).

Outside threats may not be as damaging as inside threats and are more difficult to conceal, and since the provider is responsible for a share of the security it provides to its subscribers, the organization usually faces allegations. While insider threats pose a great deal of danger for cloud providers, attacks made from outside the Cloud have a greater impact, not in terms of damage done directly to systems or processes but in damage to reputation and the long-term loss of customer base. This threat can be mitigated in a similar way to traditional network data center threats. However, a Cloud is not like a dedicated data center, as it uses virtual machines and hosts multiple tenants, which makes perimeter protection of the network using firewalls, ACLs and intrusion prevention systems mandatory. Inside the network perimeter, honeypots should be deployed along with a strong AAA system, which alone is a challenge for an attacker to break through (Group, 2010). Security can be fortified further with a Network Access Control system that checks the OS level in terms of antivirus and personal firewall; it can be used for both the Cloud provider's employees and the cloud customers and can secure remote information access. Virtual machines should be isolated for each customer, and a context-based firewall should be implemented so that one compromised machine does not become a base for future attacks on the rest of the VMs linked with it (Behl, 2011). Since new security threats arise every day in number and complexity, making hackers' moves more difficult to predict, a logical and topological picture of the cloud is a must in order to properly monitor the movement of components and activities within the cloud environment. This should help relate any non-obvious activity within the cloud to attack vectors, as an attack or hack attempt into the domain. It is advised that predefined critical information and objects in the cloud that are possible targets of hackers be correlated; monitoring them will yield useful information. The use of honeypot traps is also recommended for luring casual to professional hackers (Sailesh, 2009).
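The per-customer VM isolation described above can be checked mechanically. The following is an added example, not part of the original essay: it evaluates a simplified first-match, default-deny rule list (an assumed model, not any particular firewall product) against a constructed VM inventory and reports every cross-tenant path that is still allowed. All VM names, tenants, addresses and rule ids are constructed.

```python
import ipaddress
from itertools import permutations

# Constructed inventory: VM name -> (tenant, IP address).
VMS = {
    "vm-a1": ("tenant-a", "10.0.1.10"),
    "vm-a2": ("tenant-a", "10.0.1.11"),
    "vm-b1": ("tenant-b", "10.0.2.10"),
    "vm-c1": ("tenant-c", "10.0.3.10"),
}

# Constructed rule list: (rule id, action, source CIDR, destination CIDR).
# Assumed semantics: first matching rule wins, anything unmatched is denied.
RULES = [
    ("r1", "deny",  "10.0.3.0/24", "10.0.0.0/16"),  # tenant-c may not initiate traffic
    ("r2", "allow", "10.0.1.0/24", "10.0.1.0/24"),  # tenant-a internal traffic
    ("r3", "allow", "10.0.2.0/24", "10.0.2.0/24"),  # tenant-b internal traffic
    ("r4", "allow", "10.0.0.0/16", "10.0.0.0/16"),  # over-broad "management" rule
]


def first_match(rules, src, dst):
    """Return (rule_id, action) for the first rule matching src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_id, action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return rule_id, action
    return "default", "deny"


def cross_tenant_leaks(vms, rules):
    """List (src_vm, dst_vm, rule_id) for every allowed path between tenants."""
    leaks = []
    for (a, (tenant_a, ip_a)), (b, (tenant_b, ip_b)) in permutations(vms.items(), 2):
        if tenant_a == tenant_b:
            continue  # traffic inside one tenant is not an isolation failure
        rule_id, action = first_match(rules, ip_a, ip_b)
        if action == "allow":
            leaks.append((a, b, rule_id))
    return leaks


if __name__ == "__main__":
    for src, dst, rule in cross_tenant_leaks(VMS, RULES):
        print(f"{src} -> {dst} allowed by {rule}")
```

In the constructed rule set every leak traces back to the single broad rule `r4`; tenant-c cannot initiate traffic but is still reachable from the other tenants, which is the "base for future attacks" path the isolation is meant to close.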

Data Loss

A problem organizations face when they migrate their data to Cloud models is possible data loss on various occasions. Organizations expect the same integrity, availability and safety for data stored in the cloud as they would have on their own premises. The fact is that clouds are multi-tenant environments, and access control must be organized and configured to achieve proper access security. Unauthorized parties must be prevented from gaining access to sensitive corporate data (Antony T. Velte, 2010). Such security threats may cause the company to lose reputation among cloud providers, thus losing customers and, in turn, money. Deleting or altering data without taking a backup of the original contents is an obvious example. Insufficient authentication, authorization, and accounting controls, inconsistent use of encryption and encryption keys, operational failures, political issues and data center reliability are the biggest factors responsible, directly and indirectly, for data loss (Sosinsky, n.d.).

Service Disruption

Service disruption is a thorn in the side of IT infrastructure. With the rapid growth of the internet, attacks by hackers, phishing frauds and exploitation have been growing too. Cloud environments are no different. If an attacker gains access to the login credentials of an organization, the confidentiality of the cloud is at risk. Data manipulation or even data transactions may occur. Even worse, the attacker may redirect the organization's clients to malicious phishing sites or launch a Denial of Service attack or a Distributed DoS attack leveraging botnets and auto-dialers (Sailesh, 2009).

The easiest targets are the machines facing the outside world and the IP addresses and extensions that are exposed via various publicly available internet tools. This information may lead to compromised accounts being used as a launching base, from which the attacker can leverage a legitimate account to launch subsequent attacks that go unnoticed while the attacker stays concealed. This type of attack can cause a loss of credibility in the Cloud market, resulting in reduced funds and a smaller customer base, and is one of the most impactful threats (Sailesh, 2009). Service disruption can affect an organization in a variety of ways; customer dissatisfaction is one of the major problems, even to the extent of lowering the morale of employees (Microsoft, 2009).

The service disruption threat may be mitigated with a variety of processes. The very first measure is for the provider to prohibit the sharing of account credentials between tenants by all means, and services should be held valid per VM or session (Group, 2010). The provider must use a strong authentication technique, usually two-factor, such as the Kerberos protocol, to ensure that users get into the system only after a strong authentication process; to make it even more difficult to bypass, techniques like known IP ranges or DNS names bolster the defense of the authentication process (Abdelmajid, 2010). Monitoring the system and the authentication process is a must in order to detect unauthorized activity in a session or in a VM. By this method the provider can analyze and decide which connections are deemed unauthorized for a tenant. As mentioned earlier, the security of a cloud environment is a responsibility of both the provider and the tenant, which makes communication between them mandatory. The customer should be ready to comply with the mechanisms mentioned above to maximize security for their confidential data and information.

From the provider's perspective, its cloud security model should be flexible enough to accept and implement any security policies the tenant needs applied to its data. Moreover, customer registration should be a strict process; if done properly through validation processes, attacks may be detected before they even commence, increasing the protection of the system. Close inspection of customer network traffic is a default measure expected from any provider, using an Intrusion Prevention System and, if possible, a Host Intrusion Prevention System at the customer's hardware endpoints. Hacking attempts to disrupt services can also be avoided by monitoring public blacklists and the provider's own blacklist (Gaofeng Zhang, 2012).
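The monitoring measures described above (no credential sharing between tenants, known IP ranges per tenant, blacklist checks) can be combined into one pass over authentication events. This is an added example, not part of the original essay; the event layout, tenant names, credential ids, networks and blacklist are constructed assumptions.

```python
import ipaddress

# Constructed configuration: known source ranges per tenant and a blacklist
# that stands in for a public or provider-maintained list.
TENANT_NETWORKS = {
    "tenant-a": ["198.51.100.0/24"],
    "tenant-b": ["203.0.113.0/25"],
}
BLACKLIST = ["192.0.2.0/28"]

# Constructed authentication events:
# (timestamp, tenant, vm, credential id, source address)
EVENTS = [
    ("2017-11-02T09:00:01", "tenant-a", "vm-a1", "cred-01", "198.51.100.17"),
    ("2017-11-02T09:02:40", "tenant-a", "vm-a1", "cred-01", "203.0.113.200"),
    ("2017-11-02T09:05:12", "tenant-b", "vm-b1", "cred-07", "203.0.113.9"),
    ("2017-11-02T09:06:30", "tenant-a", "vm-a2", "cred-07", "198.51.100.44"),
    ("2017-11-02T09:07:55", "tenant-b", "vm-b1", "cred-02", "192.0.2.5"),
    ("2017-11-02T09:09:00", "tenant-b", "vm-b2", "cred-02", "not-an-ip"),
]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def analyze(events, tenant_networks, blacklist):
    """Return (timestamp, tenant, vm, credential, reason) for suspicious logins."""
    known = {t: [ipaddress.ip_network(n) for n in nets]
             for t, nets in tenant_networks.items()}
    blocked = [ipaddress.ip_network(n) for n in blacklist]
    first_tenant = {}  # credential id -> tenant it was first seen under
    findings = []
    for ts, tenant, vm, cred, src in events:
        # A credential that shows up under a second tenant is being shared.
        if first_tenant.setdefault(cred, tenant) != tenant:
            findings.append((ts, tenant, vm, cred, "credential-shared-across-tenants"))
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            # Unparseable source fields are reported, never silently skipped.
            findings.append((ts, tenant, vm, cred, "malformed-source"))
            continue
        if _in_any(addr, blocked):
            findings.append((ts, tenant, vm, cred, "blacklisted-source"))
        elif not _in_any(addr, known.get(tenant, [])):
            # Tenants with no registered ranges fall through to this branch too.
            findings.append((ts, tenant, vm, cred, "outside-known-range"))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS, TENANT_NETWORKS, BLACKLIST):
        print(*finding)
```

Each finding carries the VM it was seen on, so a provider can decide per tenant and per VM which connections to treat as unauthorized.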

Multi-tenancy Issues

The purpose of the cloud is to serve multiple users that may share the same applications and the physical hardware to run their virtual machines. The cloud users are the tenants of the provider. Companies see cloud services as very promising ground for expansion, but the model has some serious security limitations. Application and hardware sharing can enable information to be leaked and exploited, and the attack surface is expanded. The risk of VM-to-VM attacks, or of a compromised VM becoming a hub for future attacks, is greatly increased (Nayyar, 2011).

While multi-tenancy is the main concept of the cloud, it has its own security limitations. These limitations can be overcome by using the Defense-in-Depth approach, which involves defending the cloud infrastructure with different protection mechanisms at each layer, according to that layer's requirements and characteristics. This defense strategy ensures that threats have to bypass more than one defense layer, which gives the defender the advantage: many or most attackers anticipate less work to bypass security and will leave the attack unfinished. The rest, who continue through the hacking process, will find that the multiple-layer defense is not easily overcome. This strategy enables providers to identify and block a number of threats at early stages, before they penetrate into the cloud environment and do any damage (Behl, 2011).

Loss of Control

Organizations using Cloud models need to port data outside the industry's boundaries. Most companies are not aware of the location of their data and services, since the provider can host their data or services anywhere within the Cloud (Halrton, 2010). This situation puts companies at great risk in the eyes of their customers: organizations lose control over their vital data and are not aware of the security mechanisms applied to protect it, when such awareness should be the prime need of an organization with a Cloud system. According to Tech Target, the trust placed in Cloud providers is the top rising concern in the IT community (Jain, 2011).

The loss of control over services and data may prove to be of vital importance and thus very dangerous for the integrity of the company. While this is a reality in Cloud environments, the effect of losing control can be mitigated by working out a strategy for data integrity and authentication mechanisms between the Cloud services provider and the customer. Organizations willing to enter the Cloud world must understand that Cloud providers have different security policies and SLAs, so they have to pinpoint anything that will cause problems with their internal security policies or processes and fix it before attempting to migrate any data or service to the Cloud (Alliance, 2010). To ease this process, proper communication, mutual understanding and agreement must occur between the company that will use Cloud services and the Cloud services provider. The provider can allow the customer to port a part of their security process to the customer's virtual domain, while the customer can be specific about what their needs are and ask for the customization of SLAs and processes or policies. In addition, the use of strong network authentication, key exchange mechanisms and authorization processes, which are both known to the provider and transparent to the customer, will form a strong security backbone for the Cloud service (Behl, 2011). These steps help prevent the loss of control over critical services and data that each company using a cloud environment may face. The customer will be more assured about their data, and the provider will provide services customized to each customer, creating a good case of harmony between the two.

Availability and Performance

Availability and performance are among the key characteristics of a Cloud environment. Cloud providers need to address any issues that hinder the performance and availability of the services they provide in order to fulfill the terms of their agreements with their customers. One solution is for organizations that provide Cloud services to define and adopt a well-formed Service Level Agreement (SLA) (Shacklett, 2011). An SLA acts as a trust relationship between the provider and the customer (any organization, in our case), setting a minimum bar on the time during which applications may be unavailable or not fully functional for backup, maintenance or other reasons. This in turn leads organizations to keep a well-defined backup contingency schedule to match the unavailability of the system. Ideally, a cloud system should not only detect possible intrusions but also have the means to repel them. To achieve this kind of security, services such as Network Access Control (NAC), Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are a must; they enable a network to rely on predefined yet adaptable attack signatures and profiles to stop an attack before it can launch with full strength, and to blacklist or block the IP address or source from which the attack originates, for both inside and outside attackers (Halrton, 2010).


