EBU6502_cloud_computing_notes/1-5-security.md
2024-12-28 17:08:24 +08:00


Security

Definitions (not important)

Computer security

  • CIA triangle

Cloud security

  • large scale, and complex

Other areas

  • OS
    • Updates
    • Unix access control (protect paths)
  • VM
    • insecure VM
    • tampered VM
  • Application layer

Security attacks

Types of attacks in cloud computing

  • Eavesdropping
  • Direct access
  • Cross site attack
  • Denial of service
  • Upgrader attack
  • Intrusion

Common examples

  • Distributed Denial of Service attack: prevent legitimate cloud users from accessing cloud services
  • SQL Injection
  • Cross site scripting
  • Hijacking of account or services

Enforcing Security

Types of mitigations

  • Preventive: Before attack
  • Detective: When attacked
  • Corrective: After attacked

Mitigations

Subscriber level

  • Access Control list: Deny unauthorized access
  • Secure by design
  • Firewalls: Web Application Firewall

Service level

  • The CSP (Cloud Service Provider) securely handles sensitive data and its liabilities
  • Rules on governing the ownership of data
  • Geographical regions, where data will be stored

Implementing Cloud security and trust policies

Fancy words

  • Audit trails: monitor the users
    • Trace changes by using software like AIDE (file changes) and AWS CloudTrail (user and API activity)
    • Logs
  • Physical security: HW, SW, db should not be physically accessible to unauthorized persons
  • Application security: Cloud service should be secure
  • Identity management: use ACL and SSO to control identity
  • Privacy, confidentiality and security: legal obligation
  • Data integrity
  • Data confidentiality

Servlet security

Definition

  • Addresses the following (CIA)
    • Confidentiality
    • Integrity
    • Authentication and authorization

Realm

  • Definition: the complete file and path that stores authentication information for the servlet
  • Usually stored in conf, named tomcat-users.xml
  • Example:
      <!-- Users and roles; passwords in this file are stored in plain text -->
      <tomcat-users>
        <role rolename="Admin" />
        <role rolename="Guest" />
        <role rolename="Manager" />
        <role rolename="Student" />
        <user username="Lu" password="mylu" roles="Guest, Student" />
        <user username="Mathew" password="matt" roles="Admin, Manager" />
      </tomcat-users>
    

Authentication

  • Using password protection in apache servlet:
  • example login-config:
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    
  • possible values:
    • BASIC: the plaintext password is sent, only base64 encoded; least secure
    • DIGEST: more secure, still not encrypted
    • CLIENT-CERT: secure, uses public key infrastructure (PKI), and encrypted
    • FORM: customized authentication based on vendor, opt-in encryption
  • The first three use the standard browser pop-up for authentication
  • FORM needs to be implemented manually
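Why BASIC counts as "least secure" and DIGEST as "more secure, still not encrypted", as an added example (not part of the original notes). It reuses the sample user `Lu` / `mylu` from the realm above; the realm name, URI and nonces are constructed, and the digest calculation is the basic RFC 2617 form without `qop`.

```python
import base64
import hashlib

def basic_header(user, password):
    """Build the Authorization header a browser sends for BASIC."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_basic(header):
    """Anything that sees the header (a proxy, an access log) can undo the
    base64 encoding: it is an encoding, not encryption."""
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """DIGEST sends a hash bound to the server's nonce instead of the password.
    The request and response bodies still travel unencrypted."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # secret part, never sent
    ha2 = _md5(f"{method}:{uri}")             # what is being requested
    return _md5(f"{ha1}:{nonce}:{ha2}")       # value placed in the header

if __name__ == "__main__":
    header = basic_header("Lu", "mylu")
    print(header, "->", recover_basic(header))
    # Constructed realm, URI and nonces.
    for nonce in ("nonce-0001", "nonce-0002"):
        print(nonce, digest_response("Lu", "notes", "mylu", "GET", "/grades", nonce))
```
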

Confidentiality and Integrity

  • Using deployment descriptor, which protects data in transit:
  • example deployment descriptor:
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    
  • Possible values:
    • NONE: default, plain text, insecure
    • INTEGRAL: Can't be changed
    • CONFIDENTIAL: won't be seen by anyone on the net
  • The last two use SSL (Secure Sockets Layer) to implement it
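A check that ties the authentication and transport settings together, as an added example (not part of the original notes): it reads a deployment descriptor and reports role-protected URL patterns where a login method that does not encrypt by itself is combined with a transport guarantee of NONE. The sample `web.xml` and its URL patterns are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the notes): two protected areas, BASIC login.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>grades</web-resource-name>
      <url-pattern>/grades/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Student</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# These login methods do not encrypt the connection themselves.
UNENCRYPTED_METHODS = {"BASIC", "DIGEST", "FORM"}

def _local(tag):
    """Drop an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every descendant element called `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def audit_web_xml(xml_text):
    """Return (url-pattern, auth-method, transport-guarantee) for each
    role-protected URL pattern whose transport guarantee is NONE or missing."""
    root = ET.fromstring(xml_text)  # run on your own descriptors, not untrusted XML
    auth = (_texts(root, "auth-method") or ["NONE"])[0].upper()
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0].upper()
        protected = any(_local(e.tag) == "auth-constraint" for e in sc.iter())
        if protected and auth in UNENCRYPTED_METHODS and guarantee == "NONE":
            findings += [(p, auth, guarantee) for p in _texts(sc, "url-pattern")]
    return findings
```

On the sample, only `/grades/*` is reported; `/admin/*` passes because it sets CONFIDENTIAL.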

AWS Security

Stupid fancy words:

  • AWS Day One Best Practice
  • AWS security and compliance programs
  • AWS Shared Responsibility Model
  • AWS Identity and Access Management (IAM)
  • AWS Trusted Advisor
  • AWS CloudTrail
  • AWS Config
  • AWS Shield
  • AWS WAF (Web Application Firewall)
  • Constant patching, updates (browsers, antiviruses, etc) and monitoring

Responsibility

  • AWS: Security of the cloud
  • Customers: Security in the cloud

IAM: Identity and Access Management

  • Definition: web service that helps you securely control access to AWS resources
  • Use it to control who can sign in (authentication) and who is authorized to use resources
  • AWS account root user:
    • When a user first signs in to AWS, they have full control over every service
    • Best practice:
      • Use it to create an IAM user
      • Lock away the root user credentials
      • Use root only to perform a few account and service management tasks

IAM MFA

  • Definition: Multi factor authentication
  • Adds extra security
  • Forms:
    • SMS based: sends a 6-digit code to the user's phone, and the user is required to type the code

Security and trust

  • Legal bindings
    • SLA
    • Data sharing, and location
  • Hypervisor: created by 3rd party
  • Middleware: Security features
  • relation:
    • Security is the key to mutual trust

Trust

Conditions for trust

  • Risk: because there would be loss, which is important
  • Interdependence: The client and provider rely on each other

Phases

  • Build phase
  • Stability phase
  • Dissolution phase

Cryptography

Pub-key cryptography

  • use key pairs, a private key and a public key, asymmetric encryption
  • private key is kept safely

Envelope encryption

  • Multi layer encryption
  • encrypting plaintext data with data key, then encrypting data key under another key
  • Can have multiple layers of encryption
  • AWS KMS (Key management service) uses this to encrypt user data
    • Use KMS to encrypt the key for other encryption, and store the encrypted key
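The two layers described above, as an added example (not part of the original notes and not AWS code). It assumes the third-party `cryptography` package and uses AES-GCM for both layers; the local `master_key` stands in for a KMS key, which in AWS stays inside KMS, and `key_id` is a hypothetical label. The `rewrap` function shows one consequence of the design: the outer key can be changed without touching the encrypted data.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def _seal(key, plaintext, aad):
    """AES-GCM encrypt; the random 12-byte nonce is stored in front."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def _open(key, blob, aad):
    """Reverse of _seal; raises InvalidTag on a wrong key or tampering."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)

def envelope_encrypt(master_key, plaintext, key_id=b"example-master-key"):
    """Layer 1: a fresh data key encrypts the data.
    Layer 2: the master key encrypts (wraps) that data key.
    Only the wrapped key and the ciphertext are stored."""
    data_key = AESGCM.generate_key(bit_length=256)
    return {
        "key_id": key_id,  # hypothetical label, bound to both layers as AAD
        "wrapped_key": _seal(master_key, data_key, key_id),
        "ciphertext": _seal(data_key, plaintext, key_id),
    }

def envelope_decrypt(master_key, record):
    """Unwrap the data key first, then decrypt the data with it."""
    data_key = _open(master_key, record["wrapped_key"], record["key_id"])
    return _open(data_key, record["ciphertext"], record["key_id"])

def rewrap(old_master, new_master, record):
    """Move a record to a new master key: only the small wrapped key is
    re-encrypted, the data ciphertext is left as it is."""
    data_key = _open(old_master, record["wrapped_key"], record["key_id"])
    new_wrapped = _seal(new_master, data_key, record["key_id"])
    return {**record, "wrapped_key": new_wrapped}

if __name__ == "__main__":
    master = AESGCM.generate_key(bit_length=256)  # stand-in for a KMS key
    rec = envelope_encrypt(master, b"constructed sample record")
    print(envelope_decrypt(master, rec))
```
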

AWS Security services

Encrypting stuff

  • KMS: key management; uses HSMs (Hardware Security Modules) and is integrated with CloudTrail to track key usage
  • Cloud HSM: Cloud Hardware Security Module
    • To generate, manage and use your own encryption keys.
    • Standards compliant: can be integrated with JCE and CryptoNG libraries

Managing SSL/TLS certificates

  • Certificate Manager: deploy, manage and renew SSL/TLS certificates, for AWS services or your own
    • Simplifies the process of managing the certificates, which are used for web traffic

DDoS attacks

  • AWS Shield to mitigate against it