Commercial cloud security in high-impact deploymentsStory
August 13, 2014
As sensitive resources are increasingly migrated to the commercial cloud, developers must address the system management needs of highly secure environments.
Cloud computing is a cost-effective, scalable, and flexible mechanism for enterprise IT service delivery for both the public and private sectors. The Department of Defense (DoD) is making great strides with its cloud computing strategy to accelerate IT delivery and innovation. This effort seeks to achieve major cost savings in hosting sensitive data on efficiently managed commercial cloud environments. As such platforms are being investigated, special attention must be given to security within virtualized cloud environments that are supported by vast amounts of extremely complex software.
In order to host government-owned data, Cloud Service Providers (CSPs) must comply with a series of baseline standards under the Federal Risk and Authorization Management Program (FedRAMP). A CSP must also comply with a stricter set of security controls required by the DoD in order to appear in the Defense Information System Agency’s (DISA) Enterprise Cloud Service Broker (ECSB) catalog. Inclusion grants provisional acceptance at Impact Levels 1 and 2, which correspond to low-risk unclassified public and unclassified private information. The Impact Levels assigned by DISA describe data as low-, moderate-, or high-risk according to Federal Information Process Standard Publication (FIPS) 199.
Higher-risk unclassified data and classified data, which occur at Impact Levels 3-5 and 6 respectively, are where the bulk of the cost savings for a commercial cloud migration would occur. There are currently no CSPs authorized for Impact Levels 3-5, and no draft standards have been released for Impact Level 6.
The main concerns revolve around the fact that clouds are inherently virtual, which means that they use software as a solution. This fact is a key selling point for Software as a Service (SaaS) and Infrastructure as a Service (IaaS) providers; infrastructures can be brought up and torn down on demand. However, the usual data and software security concerns still apply. Commercial clouds are fundamentally multitenant, and great care must be given to ensure data and computation separation among various cohabitating cloud customers. Data must be protected while in motion and at rest, while monitoring provisions must be in place to ensure high availability and facilitate event auditing.
The largest obstacle in the way of migrating DoD infrastructure to a commercial cloud has been the necessary assurance that different data domains remain separated. Hypervisors are typically the first layer of software that runs on the cloud computing platforms used to abstract software service dependencies from physical hardware. This hardware abstraction is commonly referred to as virtualization. While virtualization gives CSPs the ability to seamlessly add, remove, and transfer services without always having to make physical infrastructure changes, it also increases the total amount of software complexity running in cloud computing platforms and introduces threat vectors that are commonly overlooked.
Isolation is the most important function of a hypervisor to support secure computing clouds. In traditional information systems, security is achieved by controlling and monitoring the network traffic between computing nodes. Sustaining a secure virtual computing environment also relies on controlling communication between computing nodes. However, on a virtualized platform, controlling network traffic is insufficient. There are many ways for guest operating systems to communicate with each other through means other than virtual network interfaces. These other means of communication are referred to as “side channels” and they arise from the utilization of the shared resources on a virtualization platform such as the processor, memory, network, storage devices, and virtualization subinterfaces.
An ideal secure hypervisor prohibits all unauthorized forms of communication between guest operating systems and the hypervisor and explicitly controls the shared physical resources on a hardware platform to mitigate side-channel exploitation. Strictly controlling isolation of memory resources, CPU time, and devices are all necessary to guarantee mitigation of channel bypasses. Figure 1 depicts how residual instructions or data from a virtual machine can be exposed when switching shared resource context to other virtual machines on the same platform.
Figure 1: When switching shared resource context to other virtual machines on the same platform, strict control of memory resources, CPU time, and devices are needed to prevent exposure of residual instructions or data.
(Click graphic to zoom by 1.9x)
One benefit of utilizing the cloud for storage is that data can be replicated across data centers regionally and globally, which is significant for both integrity and availability. However, the transmission of data between data centers and from the originating host all occur across the public Internet. This leaves the data open to confidentiality attacks while the data is in motion.
When storing data in the cloud, physical protection boundaries are no longer within the organization and a degree of trust that mechanisms are in place to protect the data must be extended to the CSP. Unauthorized digital access to data storage facilities and insider threats within the cloud provider are the primary concerns with data at rest.
As the cloud is inherently virtual, there are no guarantees about physical media; additionally, reliance upon protection of physical devices is not possible. Even if physical device presence can be guaranteed, features such as Trusted Platform Modules provide a modicum of trust for a given software stack but cannot protect the data itself from software vulnerabilities. Therefore, multiple forms of encryption using strong cryptography are necessary. With data and services spreading across platforms and physical locations, encryption mechanisms must be more granular than the standard encryption methods commonly used within organizations today, such as VPNs and encrypting drives. Encrypting information flows not only provides data separation, but also enforces confidentiality while data is in transit. With layered encryption schemes for data in storage, the information is protected from both infiltration and exfiltration attacks. By combining these encryption mechanisms with a robust key-management scheme that is physically protected within the organization, the necessary assurances for data confidentiality can be maintained.
System management principles such as monitoring and auditing are just as important in the cloud extensions of the organization. Having the ability to monitor and quickly respond to real-time events is not only important to the user, but also to the cloud provider.
The multitenant structure of a consumer cloud means that virtual software instances must coexist and not interfere with each other, not only with the application resources but also within the virtual infrastructure. The best way to ensure that software resources are not disruptive is with low-level continuous monitoring of interactions, together with provisioning data guards where necessary (see Figure 2).
Figure 2: Low-level continuous monitoring of interactions – together with provisioning data guards when necessary – can ensure that virtual software instances coexist and do not disrupt the entire virtual infrastructure.
(Click graphic to zoom by 1.9x)
By monitoring the interaction at a level lower than the nodes being monitored, appropriate actions can be taken in real-time. These actions can include ensuring availability by restarting resources that have unexpectedly gone down, or halting during catastrophic events like the detection of software tampering. The ability to audit these events is also beneficial for forensic analysis and future prevention.
The DoD can realize enormous budget savings from infrastructure, personnel, power, and physical space by migrating resources to the commercial cloud. As higher Impact Level architectures are reviewed – either for hybrid deployment with milCloud (DISA’s private cloud service portfolio) or a full-scale deployment to a CSP – the architecture must ensure strict data separation policies, utilize strong and granular cryptographic schemes, and provide for real-time and reactive monitoring and audit capabilities. LynxSecure, the Separation Kernel Hypervisor from Lynx Software Technologies, provides a strong foundation for ensuring that software policies are strictly enforced, including resource partitioning, scheduling, and data information flows. Its built-in continuous monitoring and audit capabilities addresses the system management needs necessary for secure environments.
Chris Honaker is a Security Specialist for Lynx Software Technologies. Chris has more than 15 years of experience in software engineering, system design, and security architectures. He has a Bachelor of Computer Science degree from Capital University and is currently pursuing a Master of Information Technology degree from Virginia Tech. He can be contacted at [email protected].
Lynx Software Technologies 408-979-3900 www.lynx.com