Intrusion Detection on Public IaaS - Kevin L. Jackson

Cloud computing is driving the business of information technology today. “A recent Gartner survey on the future of IT services found that only 38 percent of all organizations surveyed indicate cloud services use today. However, 80 percent of organizations said that they intend to use cloud services in some form within 12 months, including 55 percent of the organizations not doing so today.” (Gartner, Inc, 2013) As companies rush to adopt cloud, however, information technology (IT) security sometimes seems to be an afterthought.

The goal of this paper is to provide a survey of the current state of IT security within public cloud infrastructure-as-a-service providers. After first providing a cloud computing overview, the paper will focus on the infrastructure-as-a-service (IaaS) deployment model, the typical home of IaaS intrusion detection components. The Gartner Cloud Use Case Framework will then be introduced, as it also serves as the framework for this survey. An in-depth review of public cloud intrusion detection studies, options and expert observations will then follow. The paper will then offer the author's conclusions and cloud computing IDS recommendations for enterprises considering a move to the cloud.

Intrusion Detection in Public Infrastructure-as-a-Service

Kevin L. Jackson
ISA 674 – Intrusion Detection
Dr. Xinyuan (Frank) Wang
Table of Contents

Introduction
Cloud Computing Overview
  Definition
  Cloud Model Evolution
    Cloud Computing Service Models
    Cloud Security
  IaaS Deployment Models
    Public Clouds
    Private Clouds
    Community Clouds
    Hybrid IaaS
  Cloud Use Case Template (Gartner, 2012)
    Applicability
    Components and Connection Scenarios
      Direct Cloud Connection
      External Cloud Connector Bridge
      External Cloud Connector Gateway
      Cloud Services Broker
  Public Cloud IaaS Use Cases
Public Cloud IDS
  Description
    Characteristics
    IDS Placement (Chirag Modi, 2013)
    IDS Placement for Multiple CSPs
    IDS Management Responsibility
  Cloud Security State of the Art (Gartner, 2013)
  Cloud Computing Attack Scenarios (Chirag Modi)
  Intrusion Detection & Response
Public IaaS Marketplace Leaders (Gartner, 2013)
  Public IaaS Security
  Expert Observation (Leong, 2013)
Public Cloud Intrusion Detection Conclusions and Recommendations
Other References
Works Cited

Table of Figures

Figure 1- Direct Cloud Connection
Figure 2- External Cloud Connector Bridge
Figure 3- External Cloud Connector Gateway
Figure 4- Cloud Service Broker
Figure 5- IDS Components
Figure 6- IDS Placement: Multiple Clouds
Figure 7- IDS Placement: Single Cloud
Figure 9- Gartner: Cloud Security Product Priority Matrix

List of Tables

Table 1 - Cloud IDS/IPS Options
Table 2- Cloud IDS/IPS Management Authority
Table 3- Scenario - Internal (Private) - External (Public)
Table 4- Scenario: Internal (Private) – External (Community)
Table 5- Scenario: Internal (Private) – External (Public) – External (Public)
Table 6- Scenario: Internal (Private) – CSB – External (Public or Community)
Table 7- Scenario: Internal (Private) – External (Community) – External (Public)
Table 8- Gartner IaaS Magic Quadrant CSP Security Ratings
Introduction

Cloud computing is driving the business of information technology today. “A recent Gartner survey on the future of IT services found that only 38 percent of all organizations surveyed indicate cloud services use today. However, 80 percent of organizations said that they intend to use cloud services in some form within 12 months, including 55 percent of the organizations not doing so today.” (Gartner, Inc, 2013) As companies rush to adopt cloud, however, information technology (IT) security sometimes seems to be an afterthought.

The goal of this paper is to provide a survey of the current state of IT security within public cloud infrastructure-as-a-service providers. After first providing a cloud computing overview, the paper will focus on the infrastructure-as-a-service (IaaS) deployment model, the typical home of IaaS intrusion detection components. The Gartner Cloud Use Case Framework will then be introduced, as it also serves as the framework for this survey. An in-depth review of public cloud intrusion detection studies, options and expert observations will then follow. The paper will then offer the author's conclusions and cloud computing IDS recommendations for enterprises considering a move to the cloud.

Cloud Computing Overview

Definition

Cloud computing is a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using Internet technologies. Cloud infrastructure as a service (IaaS) is a type of cloud computing service; it parallels the infrastructure and data center initiatives of IT. Cloud compute IaaS constitutes the largest segment of this market (the broader IaaS market also includes cloud storage and cloud printing).

Cloud Model Evolution

Cloud computing represents an evolution of distributed computing. In that model, software systems with their components located on networked computers communicate and coordinate their actions by passing messages. The components interact with each other in order to achieve a common goal. Three significant characteristics of distributed systems are: concurrency of components, lack of a global clock, and independent failure of components. An important goal and challenge of distributed systems is location transparency. Examples of distributed systems vary from SOA-based systems to massively multiplayer online games to peer-to-peer applications.

Distributed computing systems are generally designed using a service-oriented architecture (SOA), a software design and software architecture design pattern based on discrete pieces of software providing application functionality as services to other applications. This approach is typically independent of any vendor, product or technology. SOA also makes it easy for computers connected over a network to cooperate. Every computer can run an arbitrary number of services, and each service is built in a way that ensures that the service can exchange information with any other service in the network without human interaction and without the need to make changes to the underlying program itself.
The success of this model led to the proliferation of shared services, which refers to the provision of a service by one part of an organization or group where that service had previously been found in more than one part of the organization or group. Thus the funding and resourcing of the service is shared and the providing department effectively becomes an internal service provider.

Shared services across a distributed computing platform led to the concept of a converged infrastructure, which packages multiple information technology (IT) components into a single, optimized computing solution. Components of a converged infrastructure solution include servers, data storage devices, networking equipment and software for IT infrastructure management, automation and orchestration. This management approach is used to centralize the management of IT resources, consolidate systems, increase resource utilization rates, and lower costs. These objectives are enabled by the creation of pools of computers, storage and networking resources that can be shared by multiple applications and managed in a collective manner using policy-driven processes.

Cloud computing steps this concept up by delivering a converged infrastructure over a wide area network, thus enabling Internet-scale computing. Cloud computing relies on sharing of resources to achieve coherence and economies of scale, similar to a utility (like the electricity grid) over a network.

Cloud Computing Service Models

Historically, cloud computing has been described and delivered through three service models: Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service. Although many other as-a-service models have been proposed, this paper will only address this limited set.

Infrastructure-as-a-Service (Wikipedia, 2013)

In the most basic cloud-service model, providers of IaaS offer computers – physical or (more often) virtual machines – and other resources. (A hypervisor, such as Hyper-V, Xen, KVM or VMware ESX/ESXi, runs the virtual machines as guests. Pools of hypervisors within the cloud operational support system can support large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements.) IaaS clouds often offer additional resources such as a virtual-machine disk image library, raw (block) and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and software bundles. IaaS cloud providers supply these resources on demand from their large pools installed in data centers. For wide-area connectivity, customers can use either the Internet or carrier clouds (dedicated virtual private networks).

Platform-as-a-Service (Wikipedia, 2013)

In the PaaS model, cloud providers deliver a computing platform, typically including operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. With some PaaS offers (like Windows Azure), the underlying compute and storage resources scale automatically to match application demand, so that the cloud user does not have to allocate resources manually. Such automatic scaling has also been proposed in an architecture aiming to facilitate real-time operation in cloud environments.
Software-as-a-Service (Wikipedia, 2013)

In the business model using software as a service (SaaS), users are provided access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis. SaaS providers generally price applications using a subscription fee. In the SaaS model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. Cloud users do not manage the cloud infrastructure and platform where the application runs. This eliminates the need to install and run the application on the cloud user's own computers, which simplifies maintenance and support.

Cloud applications are different from other applications in their scalability, which can be achieved by cloning tasks onto multiple virtual machines at run time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multitenant, that is, any machine serves more than one cloud user organization. It is common to refer to special types of cloud-based application software with a similar naming convention: desktop as a service, business process as a service, test environment as a service, communication as a service.

Cloud Security

Correct security controls should be implemented according to asset, threat, and vulnerability risk assessment matrices. For ease of analysis, the multiplicity of cloud security dimensions has been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues. Intrusion detection is generally addressed as a component of Security and Privacy, specifically identity management.

Identity management systems are used to control access to information and computing resources. Cloud providers either integrate the customer's identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own. IDS and IPS systems are a typical part of an effective identity management system design. These systems are generally part of IaaS.

IaaS Deployment Models

The cloud computing industry generally recognizes four cloud deployment models: Public, Private, Community and Hybrid.

Public Clouds

A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture; however, security considerations may be substantially different for services (applications, storage, and other resources) that are made available by a service provider for a public audience and when communication is effected over a non-trusted network. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via the Internet (direct connectivity is not offered).
Private Clouds

Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally.

Community Clouds

Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing is realized.

Hybrid IaaS

Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

Cloud Use Case Template (Gartner, 2012)

Applicability

To aid organizational planning of cloud deployments, Gartner has published a series of cloud use case templates. These templates apply to an IT organization that desires to combine internal IaaS cloud infrastructure and external IaaS cloud services to deliver a federated, scalable, hybrid IaaS cloud. They are designed to help IT architects and decision makers build hybrid IaaS cloud solutions to deliver IT infrastructure services efficiently and securely.

Components and Connection Scenarios

The Gartner cloud use case template is composed of the following components and connection scenarios.

Internal (Private) cloud

A private or internal cloud is an on-premises IT capability (e.g., compute, storage, and network) offered as a service by an IT organization to its business units or customers. Many components are connected together to establish an internal cloud (e.g., self-service provisioning portal, service catalog, orchestrator, and server virtualization). The internal cloud's purpose is to house IT services and initiate movement of IT services along the hybrid cloud connections to other cloud services. Gartner is using the internal cloud as an example in this template to aid in comprehension. Hybrid IaaS clouds can also exist between two external clouds. For more information on the internal cloud, Gartner designed an architectural model for internal IaaS cloud deployments.

External (Public / Community) cloud

An external cloud is an IT capability offered as a service that one business hosts for another business off-premises. An external cloud can be shared among many tenants (i.e., public cloud) or dedicated to one organization or a defined list of organizations (i.e., private cloud), but it must be implemented by a third party. In this template, the internal cloud connects to the external cloud in four different connection scenarios as discussed later in this document.
However, two external clouds can connect in similar scenarios, although not depicted in this template.

Orchestrator

The orchestrator (sometimes referred to as the IT process automation tool) in IaaS cloud services automates IT operation processes across all components of the cloud stack. In a hybrid IaaS environment, the orchestrator may be responsible for:
- Defining, administering, and monitoring process workflows for various IT operations (e.g., service provisioning, chargeback, asset management, service and data replication for business continuity, and disaster recovery) across IaaS cloud services
- Creating and enforcing IT process automation policies
- Coordinating and automating IT process execution across IaaS cloud services
- Integrating with all other hybrid cloud management tools (e.g., external cloud connector, cloud services broker, and cloud services provider application programming interfaces [APIs]) to execute process workflows through predefined integration packs and/or code development (e.g., moving or replicating storage volumes between two clouds)

External (Public / Community) cloud connector

The external cloud connector (ECC) connects cloud environments to one another. Organizations can deploy ECCs at one or both ends of the connection in either a bridge or a gateway connection scenario. To connect environments, organizations may implement one or more ECCs. ECCs can come in a variety of offerings (e.g., hardware appliances, virtual appliances, software packages, logical networks, custom scripts) and include capabilities such as:
- Providing a connection for internal cloud management software (e.g., capacity management tools, chargeback systems, and disaster recovery tools) to manage external cloud assets
- Providing a secure network tunnel among cloud environments
- Performing data encryption and decryption
- Enforcing network transparency by connecting internal and external network topologies
- Enhancing network performance across distance through techniques such as compression, acceleration, caching, and/or optimization
- Translating storage protocols and performing storage functions such as replication, compression, and/or deduplication to connect applications or internal storage infrastructures to external cloud storage services
- Converting virtual machines between formats (e.g., VMware Virtual Machine Disk Format [VMDK] to Xen virtual hard disk [VHD]) before transmission
- Propagating security and service-level requirements (e.g., performance, availability, recovery time objective [RTO], and recovery point objective [RPO]) defined in the IT service catalog

Cloud Service Broker

The cloud services broker (CSB) is a component that serves as an intermediary among cloud environments and adds services to the cloud environments that are not readily available without the broker. CSBs aim to aggregate cloud service providers through a single portal or service. CSBs can come in a variety of implementations but are normally hosted externally and include capabilities such as:
- Centralized cloud management capabilities
- Integration capabilities
- Governance capabilities

Direct Cloud Connection

The direct cloud connection scenario exists when the two clouds directly connect without any outside assistance such as an ECC or CSB. This is common when clouds interface across common published APIs and general-purpose networks (e.g., the Internet).

Figure 1- Direct Cloud Connection

External Cloud Connector Bridge

The ECC bridge scenario exists when an ECC is present at both ends of the connection. ECCs possess many characteristics and provide many possible functions across clouds. In most ECC bridge situations, the ECC is deployed as a similar vendor product or technology at both ends. The reason for this is that ECCs perform a significant amount of intelligence at both ends to improve or facilitate the connection, and vendors are more likely to accomplish these tasks among their own products. However, scenarios exist where the ECC at each end does not need to be a matching vendor product. An example of this is a virtual private network (VPN) that leverages a well-known protocol such as Internet Protocol Security (IPsec). Each cloud may implement the IPsec connection by using different vendor products. The key is that both ends must be compatible.
Figure 2- External Cloud Connector Bridge

External Cloud Connector Gateway

The ECC gateway scenario is similar to the ECC bridge, except that an ECC is only present on one end of the connection.

Figure 3- External Cloud Connector Gateway

Cloud Services Broker

A cloud services broker (CSB) possesses many characteristics and provides many possible functions among clouds. The CSB scenario is different from ECCs because the CSB sits as an intermediary between clouds to assist with or perform integration and translation of cloud services. In this example, the internal cloud only talks directly to the CSB and does not know about any of the external clouds behind the CSB. The CSB may replace the functionality of the ECC or enhance its capabilities.
Figure 4- Cloud Service Broker

Public Cloud IaaS Use Cases

Gartner template components and connection scenarios yield the following five typical public cloud IaaS use cases addressed in this survey:
- Internal (Private) – External (Public)
- Internal (Private) – External (Community)
- Internal (Private) – External (Public) – External (Public)
- Internal (Private) – CSB – External (Public or Community)
- Internal (Private) – External (Community) – External (Public)

Public Cloud IDS

Description and Characteristics

Cloud IDS can be described as being composed of three components (Alharkan, 2013):
- Collection
  - Host Based
  - Network Based
- Alert Analysis
  - Signature Based
  - Anomaly Based
- Reaction
  - Passive IDS
  - Active IDS

In cloud, none of these components are entirely owned or managed by the enterprise. In these deployments, intrusion detection is a shared responsibility with the cloud service provider.
When multiple CSPs or a cloud service broker (CSB) are used, the coordination between the participating entities is critical.

Figure 5- IDS Components (Cloud Intrusion Detection: Data Collection – Host Based, Network Based; Alert Analysis – Signature Based, Anomaly Based; Reaction – Passive IDS, Active IDS)

IDS Placement (Chirag Modi, 2013)

In a cloud computing environment, IDS components are typically placed:
- In application;
- Between applications;
- In the virtualization layer; or
- Between virtualization layers.

Figure 7- IDS Placement: Single Cloud

Figure 6- IDS Placement: Multiple Clouds (Public/Community Cloud, Public Cloud, Private Cloud)

IDS Placement for Multiple CSPs

For large enterprises, IDS placement is complicated by the use of multiple cloud service providers. Figure 6 outlines the critical security nodes that should be addressed.
IDS Management Responsibility

The complexity of IDS placement also complicates IDS management responsibility. This fact is typically not addressed in enterprise IT governance policies. While the enterprise will usually have responsibility for application IDS, the cloud service provider (CSP) has jurisdiction over the network between applications, within the virtualization layer and between virtualization technologies. Responsibility for protecting against intrusion on networks between public cloud service providers lies with the enterprise or, if employed, a cloud service broker (CSB). IDS management responsibility within a community cloud is left for negotiation amongst the community members.

Cloud Security State of the Art (Gartner, 2013)

In cloud computing security, there are three primary control themes: encryption, tracking/blocking and cloud security ecosystems. Although encryption works well for protecting data, it complicates search and edit functions and consumes resources for key management. In public cloud, encryption is applied as a mechanism for simultaneously preventing unwanted access from users, administrators and attackers. Encryption can potentially solve regulatory compliance concerns, such as data residency requirements.

For tracking and blocking, next-generation firewalls, gateways and desktop data loss prevention (DLP) offer enterprises the ability to measure their use of the cloud and to block outgoing connection attempts based on organizational policy. This enables organizations to facilitate a controlled use of externally provisioned IT services, allowing employees to discover and take advantage of cloud computing while limiting the potential for misuse.

Cloud security ecosystems provide a more comprehensive set of security control functions. Cloud management platforms, security as a service (SecaaS) offerings, secure Web gateways (SWG) and cloud access security brokers (CASBs) are growing in use.

The Gartner cloud security product matrix, Figure 9, provides a snapshot of the cloud security state of the art. This overview implies that today, cloud intrusion detection services only provide moderate value to the marketplace, with realization of most services occurring in 2-5 years.
15. Figure 8 - Gartner: Cloud Security Product Priority Matrix

Cloud Computing Attack Scenarios (Chirag Modi)

Most, if not all, enterprise IT attack vectors have a cloud computing corollary. Some of the more common ones follow.

Insider attack - Authorized cloud users may attempt to gain (and misuse) unauthorized privileges. Insiders may commit fraud and disclose information to others (or modify information intentionally). This poses a serious trust issue. For example, an internal DoS attack was demonstrated against the Amazon Elastic Compute Cloud (EC2) (Slaviero, 2009).

Flooding attack - In this attack, the attacker tries to flood the victim by sending a huge number of packets from innocent hosts (zombies) in the network. Packets can be of type TCP, UDP, ICMP or a mix of them. This kind of attack may be possible due to illegitimate network connections. In the case of cloud, the requests for VMs are accessible by anyone through the Internet, which may allow a DoS (or DDoS) attack via zombies. A flooding attack may raise usage bills drastically, as the cloud would not be able to distinguish between normal usage and fake usage.

User to root attack - An attacker gains access to a legitimate user's account by sniffing the password, leaving the system exposed to an attacker with root-level access. The mechanisms used to secure the authentication process are a frequent target. In the case of cloud, the attacker acquires access to a valid user's instances, which enables him/her to gain root-level access to VMs or the host.

Port scanning - Through port scanning, attackers can find open ports and attack the services running on these ports. Network-related details such as IP address, MAC address, router, gateway filtering, firewall rules, etc. can be learned through this activity. In the cloud scenario, the attacker can attack offered services through port scanning (by discovering the open ports upon which these services are provided).

Virtual machine (VM) or hypervisor attack - By compromising the lower-layer hypervisor, an attacker can gain control over the installed VMs. For example, BLUEPILL (Rutkowska, 2006), SubVirt (King et al., 2006) and DKSM (Bahram et al., 2010) are some well-known attacks on the virtual layer. Through these attacks, hackers may be able to compromise the installed hypervisor to gain control over the host. Zero-day VM vulnerabilities are also possible. A zero-day vulnerability exploited in the HyperVM virtualization application resulted in the destruction of many virtual-server-based websites (Goodin, 2009).

Backdoor channel attacks - This is a passive attack which allows a hacker to gain remote access to the infected node in order to compromise user confidentiality. Using backdoor channels, the hacker can control the victim's resources and make it a zombie to attempt a DDoS attack. In the cloud environment, the attacker can gain access to and control of a cloud user's resources through a backdoor channel and make the VM a zombie to initiate a DoS/DDoS attack.

A firewall (in the cloud) could be the common solution to prevent some of the attacks listed above. To prevent attacks on the VM/hypervisor, anomaly-based intrusion detection techniques can be used. For flooding attacks and backdoor channel attacks, either signature-based or anomaly-based intrusion detection techniques can be used.

Intrusion Detection & Response

Cloud IDS/IPS techniques can be classified as:
 Host based intrusion detection systems (HIDS)
 Network based intrusion detection systems (NIDS)
 Distributed intrusion detection systems (DIDS)
 Hypervisor-based intrusion detection systems
 Intrusion prevention systems (IPS)
 Intrusion detection and prevention systems (IDPS)
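Added example (not code from the paper or from Modi's survey) of the anomaly-based detection the paragraphs above prescribe for flooding attacks: it learns a per-destination packets-per-window baseline from constructed attack-free flow records, then flags a window whose volume departs from that baseline and reports how many distinct sources contributed, which is the zombie signal that separates a DDoS from one busy client. The Flow record layout, the window size, the threshold parameters and all addresses are assumptions.

```python
"""Anomaly-based flood detection over flow records (added example, not from
the paper or Modi's survey). Models a NIDS in the virtual network (Table 2)
that sees per-flow summaries and alerts when a destination's packets-per-window
volume departs from a learned baseline. Addresses, record layout and window
size are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture
    src: str       # source address
    dst: str       # destination address
    proto: str     # TCP, UDP or ICMP; floods may mix all three
    packets: int   # packets carried by this flow


WINDOW = 10  # seconds per aggregation window


def aggregate(flows, window=WINDOW):
    """Return {dst: {window_index: [packet_total, set_of_sources]}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for f in flows:
        cell = agg[f.dst][f.ts // window]
        cell[0] += f.packets
        cell[1].add(f.src)
    return agg


def train_baseline(clean_flows, window=WINDOW):
    """Per-destination (mean, stdev) of packets per window on attack-free traffic."""
    baseline = {}
    for dst, per_win in aggregate(clean_flows, window).items():
        totals = [cell[0] for cell in per_win.values()]
        baseline[dst] = (mean(totals), pstdev(totals))
    return baseline


def detect_floods(flows, baseline, k=3.0, min_packets=50, window=WINDOW):
    """Alert on any window whose packet total exceeds mean + k*stdev.
    min_packets is a floor so a normally silent host (stdev ~ 0) does not
    alert on a handful of packets; the source count in each alert separates
    one noisy client from a zombie swarm (DDoS)."""
    alerts = []
    for dst, per_win in aggregate(flows, window).items():
        mu, sigma = baseline.get(dst, (0.0, 0.0))
        threshold = max(mu + k * sigma, min_packets)
        for win, (pkts, srcs) in sorted(per_win.items()):
            if pkts > threshold:
                alerts.append({"dst": dst, "window": win, "packets": pkts,
                               "sources": len(srcs), "threshold": threshold})
    return alerts


# Constructed sample traffic: 60 s of steady TCP from three internal clients.
CLEAN = [Flow(t, f"10.0.0.{1 + t % 3}", "10.0.1.10", "TCP", 8 + t % 4)
         for t in range(60)]

# Constructed observation: same background for 20 s plus, at t=15, twenty
# zombies each sending 30 UDP packets to the same VM.
OBSERVED = ([Flow(t, f"10.0.0.{1 + t % 3}", "10.0.1.10", "TCP", 8 + t % 4)
             for t in range(20)]
            + [Flow(15, f"198.51.100.{i}", "10.0.1.10", "UDP", 30)
               for i in range(1, 21)])

if __name__ == "__main__":
    for alert in detect_floods(OBSERVED, train_baseline(CLEAN)):
        print(alert)
```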
17. Table 1 provides a summary of how these techniques can be used to protect an enterprise cloud deployment. Table 2 augments Table 1 by providing recommendations for IDS/IPS deployment and monitoring authority within a cloud computing environment.

Table 1 - Cloud IDS/IPS Options

| Title | IDS type | Technique used | Positioning | Pros | Cons |
|---|---|---|---|---|---|
| IDS architecture for Cloud environment (Vieira et al., 2010) | HIDS | Signature based and anomaly detection using ANN | On each node | False rate for unknown attacks is lower since ANN is used | Requires more training time and samples for detection accuracy |
| Multi-level IDS (Lee et al., 2011) | HIDS | Anomaly detection | On each guest OS | Provides fast detection mechanism | Requires more resources for high-level users |
| Self-similarity based IDS (Kwon et al., 2011) | HIDS | Anomaly detection | On each VM | Can be used in real time | Works only for Windows systems |
| Abstract model of IDS (Arshad et al., 2011) | HIDS | Signature based and anomaly detection | On each VM | | Experimental results are not evaluated |
| VM compatible IDS architecture (Roschke et al., 2009) | NIDS | Signature based detection | On each VM | Minimal response time and human intervention; secures VM based on user configuration | |
| DDoS attack detection in virtual machine (Bakshi and Yogesh, 2010) | NIDS | Signature based detection | On each VM | Secures VM from DDoS attacks | Can only detect known attacks |
| NIDS in open source Cloud (Mazzariello et al., 2010) | NIDS | Signature based detection | On traditional network | Can detect several known attacks | Cannot detect insider attacks or unknown attacks |
| IDS as a Service (Hamad and Hoby, 2012) | NIDS | Signature based detection | Snort is provided as a web service | | Cannot detect unknown attacks |
| EDoS protection (Sandar and Shenai, 2012) | NIDS | Signature based detection | On traditional network | Lets a user detect known attacks on his/her running service; blocks HTTP and XML based DDoS attacks | |
| Cloud based IDS for mobile phones (Houmansadr et al., 2011) | NIDS | Anomaly detection | On VM | Detects malicious behavior on smartphones | Cannot be used as general purpose |
| Cooperative agent based approach (Lo et al., 2008) | DIDS | Signature based detection | On each Cloud region | Prevents the system from single point of failure | |
| Mobile agent based approach (Dastjerdi et al., 2009) | DIDS | Anomaly detection | On each VM | Provides IDS for Cloud applications regardless of their location | Produces network load as more VMs attach to the mobile agent |
| Mutual agent based approach (Ram, 2012) | DIDS | Signature based detection | On each Cloud region | | Cannot be used to detect unknown attacks; high computational cost |
| VMI-IDS based architecture (Garfinkel and Rosenblum, 2003) | Hypervisor-based | Anomaly detection | On hypervisor | Detects attacks on VMs | VMI IDS can be attacked |
| Xen based host system firewall (Fagui et al., 2009) | | Prevention | On each host | Prevention using user-configured rules | Not used for preventing unknown attacks |
| IPS model based on cloud firewall linkage (Jia and Wang, 2011) | HIPS | Anomaly prevention | In internal network | Can be used for real-time interactive defense and better optimization of the Cloud firewall | Experimental results are not yet available |
| CP based approach (Guan and Bao, 2009) | - | Anomaly detection | - | Used to detect all types of attacks; solves limitation of computing time | Very complex method |

Cells of Table 1 whose row is not recoverable from the slide layout: Pros - "Detects DDoS attack in whole cloud environment". Cons - "Multiple instances of IDS are required which degrades performance"; "It cannot detect unknown attacks"; "Cannot be used for all types of attacks; computational overhead high"; "Experimental results are not yet available".
18. Table 2 - Cloud IDS/IPS Management Authority

| IDS/IPS Type | Characteristics/strengths | Limitations/Challenges | Positioning in Cloud | Deployment and monitoring authority |
|---|---|---|---|---|
| HIDS | Identifies intrusions by monitoring the host's file system, system calls or network events. No extra hardware required. | Needs to be installed on each machine (VMs, hypervisor or host machine). It can monitor attacks only on the host where it is deployed. | On each VM, hypervisor or host system. | On VMs: Cloud users. On hypervisor: Cloud provider. |
| NIDS | Identifies intrusions by monitoring network traffic. Needs to be placed only on the underlying network. Can monitor multiple systems at a time. | Difficult to detect intrusions in encrypted traffic. It helps only for detecting external intrusions. Difficult to detect network intrusions in a virtual network. | In external network or in virtual network. | Cloud provider. |
| Hypervisor based IDS | Allows the user to monitor and analyze communications between VMs, between hypervisor and VM, and within the hypervisor-based virtual network. | New and difficult to understand. | In hypervisor. | Cloud provider. |
| DIDS | Uses characteristics of both NIDS and HIDS, and thus inherits the benefits of both. | Central server may be overloaded and difficult to manage in centralized DIDS. High communication and computational cost. | In external network, on host, on hypervisor or on VM. | On VMs: Cloud users. For other cases: Cloud provider. |
| IPS | Prevents intrusion attacks. NIPS prevents network attacks. HIPS prevents system-level attacks. | Detection accuracy for preventing attacks is lower than IDS. | For NIPS: in external/internal network. For HIPS: on VM or hypervisor. | NIPS: Cloud provider. HIPS on VM: Cloud user. HIPS on hypervisor: Cloud provider. |
| IDPS | Effectively detects and prevents intrusion attacks. | Complex architecture. | Network based IDPS: in external/internal network. Host based IDPS: on VM or hypervisor. | NIDPS: Cloud provider. HIDPS (on VM): Cloud user. HIDPS (on hypervisor): Cloud provider. |
19. Juxtaposing Figure 6, Table 1, Table 2 and the Gartner Cloud Deployment use cases, general rules for both Detection/Alerting Responsibility and Response/Remediation Responsibility for enterprise cloud deployment scenarios can be surmised. These rules are summarized in Tables 3-7 and represent a useful Cloud Computing IDS Readiness Review guideline. This type of information could be used to enhance organizational policy and practice when public IaaS providers are used.

Table 3 - Scenario: Internal (Private) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Internal infrastructure; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSB: no entries
Community: no entries
20. Table 4 - Scenario: Internal (Private) - External (Community)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/Community network; NIDS - Intra-Enterprise networks
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSP: no entries
CSB: no entries
Community
  Deploy/Monitor: NIDS - Inter-Enterprise networks
  Notify/Alert: Other potentially exposed Enterprise(s); Other potentially exposed communities
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
21. Table 5 - Scenario: Internal (Private) - External (Public) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network; NIDS - Inter-CSP network
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Internal infrastructure; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSB: no entries
Community: no entries
22. Table 6 - Scenario: Internal (Private) - CSB - External (Public or Community)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network; NIDS - Enterprise/CSB network
  Notify/Alert: Relevant CSP(s); Relevant CSB(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Intra-CSP networks; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed CSP(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSB
  Deploy/Monitor: NIDS - Inter-CSP networks; NIDS - Intra-CSB networks; DIDS - Intra-CSB networks; NIPS - Inter-CSP networks; NIPS - Inter-CSB networks
  Notify/Alert: Other potentially exposed Enterprise(s); Other potentially exposed CSB(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
Community: no entries
23. Table 7 - Scenario: Internal (Private) - External (Community) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/Community network; NIDS - Intra-Enterprise networks
  Notify/Alert: Relevant CSPs
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Internal infrastructure; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSB: no entries
Community
  Deploy/Monitor: HIDS - Community-managed Virtual Machines; NIDS - Intra-Community networks; NIDS - Inter-Community networks; NIDS - Inter-CSP networks
  Notify/Alert: Other potentially exposed Enterprise(s); Relevant CSPs; Other potentially exposed communities
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
24. Public IaaS Marketplace Leaders (Gartner, 2013)

In 2013, Gartner identified fifteen IaaS providers as "Magic Quadrant" marketplace leaders. This designation covered all the common use cases for cloud IaaS, including development and testing, production environments (including those supporting mission-critical workloads) for both internal and customer-facing applications, batch computing (including high-performance computing [HPC]) and disaster recovery.

All the providers claim to have high security standards, but the extent of these security controls varied significantly. All providers offer multifactor authentication and most offered additional security services. All evaluated providers also met common regulatory compliance needs (SSAE 16, ISO 27001, etc.). Magic Quadrant providers also offered a firewall and an intrusion detection system/intrusion prevention system as part of their offering. Although a few offer only access control lists (ACLs), none offered any self-service network security. All providers offer customers a self-service ability to create complex network topologies with multiple network segments and multiple virtual network interface cards (NICs). All the providers allow customers to bring their own VM images, allowing customers to create snapshots of existing VMs within their own internal data center and then directly import them into the provider's cloud. This also allows the import of VM appliances and other prepackaged VM images from independent software vendors (ISVs).

Public IaaS Security

As part of the Magic Quadrant analysis, Gartner also compared these same 15 public cloud IaaS providers against nine critical capabilities across four use cases. Security and compliance encompassed features that are important to security, compliance, risk management and governance. It covers specific security measures such as network access control lists (ACLs), intrusion detection and prevention systems (IDS/IPS), multifactor authentication and encryption. It also includes aspects such as the availability of audits, logging and reporting, and the ability to use the service if you have regulatory compliance needs, such as those of the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA). This was a comparison of broad categories, not granular capabilities; the categories are inclusive of a range of features, and Gartner does not provide a comprehensive list of those features. Because each category includes a large number of features, the scoring in each category is directional. In general, a score of 3 indicates that a provider is able to fulfill the most critical features in that category. However, a provider may be missing some important features in a category yet have other strengths that increase its score in that category. Comparison results are provided in Table 8.
25. Table 8 - Gartner IaaS Magic Quadrant CSP Security Ratings

| Product | Security and Compliance Rating |
|---|---|
| Amazon Web Services | 3.7 |
| CSC BIZ-Cloud VPE | 4 |
| Dimension Data Public CaaS | 2.7 |
| Fujitsu Cloud IaaS Trusted Public S5 | 2.5 |
| GoGrid | 3.8 |
| HP Public Cloud | 1.3 |
| IBM SoftLayer CloudLayer Computing | 3.1 |
| IBM SmartCloud Enterprise | 1 |
| Joyent | 3.2 |
| Microsoft Windows Azure Infrastructure Services | 1.7 |
| Rackspace Public Cloud | 2.3 |
| Savvis Symphony VPDC | 4.5 |
| Tier 3 | 2 |
| Verizon Terremark Enterprise Cloud | 4.7 |
| Virtustream | 5 |
26. Expert Observation (Leong, 2013)

During this survey project, there was also an opportunity to interview Ms Lydia Leong, a Research Vice President at Gartner. Ms Leong's research focus is on cloud computing, particularly infrastructure as a service (IaaS). Because cloud computing is reshaping the IT landscape, her research covers a broad range of topics related to the transformation of IT organizations, data centers and technology providers. She works primarily with IT organizations, but also produces strategic and quantitative research targeted at service providers, vendors and investors. She was also Gartner's Analyst of the Year in 2010. During the interview, Ms Leong highlighted the following points.

 Cloud infrastructure security is a shared responsibility between the service provider and the user. The user is generally responsible for host-based security, while the CSP is responsible for network-based security.
 Initially, customers request the provisioning of the maximum level of available security, including IDS and IPS, but typically balk at the price. They typically settle on simple firewall and ACL solutions.
 CSPs typically give the user full access to and control of the firewall.
 While IDS and IPS services are offered by a few CSPs, customers are typically not willing to bear the high cost. The high marketplace cost is driven by CSPs' inability to mass-configure these types of solutions.
 Security breaches are typically seen at the application level, not within the infrastructure.
 No hypervisor attacks have been observed to date.

Public Cloud Intrusion Detection Conclusions and Recommendations

There is a significant amount of published literature and ongoing research on public IaaS security. Unfortunately, the hard lessons learned in the development of modern and robust enterprise IT platforms are not being applied as these same enterprises transition to cloud computing.
This survey has led me to the following conclusions:
 IDS responsibilities are driven by the relevant scenario
 IDS and IPS use is not prevalent in the marketplace due to high cost
 If IDS or IPS is used, the use scenario will drive IDS detection, response and remediation planning
 A Cloud IDS Readiness Chart should be used to evaluate Enterprise, CSP, CSB and Community IDS readiness

Economic pressures to leverage the scale and efficiencies of cloud platforms are butting up against the economic pressures of paying for adequate security. To help balance these competing requirements, managers should understand what risks are being assumed based on the relevant cloud deployment scenario. Senior IT managers should also develop their own Cloud Computing IDS Readiness Review guideline and institutionalize that guidance as part of their organization's cloud deployment strategy.
28. Other References

Distributed Intrusion Detection in Clouds Using Mobile Agents
  Authors: Dastjerdi, A.V. (Univ. of Melbourne, Melbourne, VIC, Australia); Bakar, K.A.; Tabatabaei, S.G.H.
  http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5359505&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5359505

A survey on security issues in service delivery models of cloud computing
  Authors: S. Subashini, V. Kavitha
  http://www.sciencedirect.com/science/article/pii/S1084804510001281

Can Public-Cloud Security Meet Its Unique Challenges?
  Author: Kaufman, L.M. (BAE Systems)
  http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5523865&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5523865

Intrusion Detection in the Cloud
  Authors: Roschke, S. (Hasso Plattner Inst. (HPI), Univ. of Potsdam, Potsdam, Germany); Feng Cheng; Meinel, C.
  http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5380611&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5380611

IDSaaS: Intrusion Detection System as a Service in Public Clouds
  Authors: Turki Alharkan, Patrick Martin
  http://dl.acm.org/citation.cfm?id=2310128

DCDIDP: A Distributed, Collaborative, and Data-driven Intrusion Detection and Prevention Framework for Cloud Computing Environments
  Authors: Taghavi Zargar, Saman; Takabi, Hassan; Joshi, James B.D.
  http://d-scholarship.pitt.edu/13461/

Intrusion Detection on Cloud Applications
  Authors: Venkat Reddy, K. Sharath Kumar, V. Hari Prasad
  http://ijcsmc.com/docs/papers/September2013/V2I9201303.pdf

An architecture for overlaying private clouds on public providers
  Authors: Shtern, M. (York Univ., Toronto, ON, Canada); Simmons, B.; Smit, M.; Litoiu, M.
  http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6380044&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6380044

Detection of Distributed Attacks in Hybrid & Public Cloud Networks
  Authors: Hassan, S.R. (FEMTO-ST Inst., Univ. of Franche-Comte (UFC), Montbéliard, France); Bourgeois, J.; Sunderam, V.; Li Xiong
  http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6391805&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6391805

A Cloud-based Intrusion Detection Service framework (Public Cloud IDS Comparison)
  Authors: Yassin, W. (Fac. of Comput. Sci. & Inf. Technol., Univ. Putra Malaysia, Serdang, Malaysia); Udzir, N.I.; Muda, Z.; Abdullah, A.; Abdullah, M.T.
  http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=6246098&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6246098

A Novel Approach to Analyzing for Detecting Malicious Network Activity Using a Cloud Computing Testbed
  Authors: Junwon Lee, Jaeik Cho, Jungtaek Seo, Taeshik Shon, Dongho Won
  http://link.springer.com/article/10.1007/s11036-012-0375-1

29. Works Cited

Alharkan, T. (2013). IDSaaS: Intrusion Detection Systems as a Service in Public Clouds. Kingston, Ontario, Canada: Queen's University.
Chirag Modi, D. P. (2013). A survey of intrusion detection techniques in Cloud. Journal of Network and Computer Applications, 42-57.
Gartner. (2012). Hybrid IaaS. Stamford, CT: Gartner Inc.
Gartner. (2013). Critical Capabilities for Public Cloud Infrastructure as a Service. Stamford, CT: Gartner Inc.
Gartner. (2013). Hype Cycle for Cloud Security. Stamford, CT: Gartner, Inc.
Gartner. (2013). Magic Quadrant for Cloud Infrastructure as a Service. Stamford, CT: Gartner Inc.
Gartner, Inc. (2013, December 12). Gartner Says the Road to Increased Enterprise Cloud Usage Will Largely Run Through Tactical Business Solutions Addressing Specific Issues. Retrieved from www.gartner.com: http://www.gartner.com/newsroom/id/2581315
Leong, L. (2013, November 25). Cloud Computing Market Analyst. (K. L. Jackson, Interviewer)
Peter Mell, T. G. (2013, November 29). The NIST Definition of Cloud Computing. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800145/SP800-145.pdf
Wikipedia. (2013, December 12). Cloud Computing. Retrieved from en.wikipedia.org: http://en.wikipedia.org/wiki/Cloud_computing
