intrusion detection on public iaas - kevin l. jackson

Uploaded by tasc-inc, posted 20-Aug-2015

Intrusion Detection in Public Infrastructure-as-a-Service

Kevin L. Jackson ISA 674 – Intrusion Detection

Dr. Xinyuan (Frank) Wang

Table of Contents

Introduction

Cloud Computing Overview
  Definition
  Cloud Model Evolution
    Cloud Computing Service Models
    Cloud Security
  IaaS Deployment Models
    Public Clouds
    Private Clouds
    Community Clouds
    Hybrid IaaS
  Cloud Use Case Template (Gartner, 2012)
    Applicability
    Components and Connection Scenarios
    Direct Cloud Connection
    External Cloud Connector Bridge
    External Cloud Connector Gateway
    Cloud Services Broker
  Public Cloud IaaS Use Cases

Public Cloud IDS
  Description
    Characteristics
    IDS Placement (Chirag Modi, 2013)
    IDS Placement for Multiple CSPs
    IDS Management Responsibility
  Cloud Security State of the Art (Gartner, 2013)
  Cloud Computing Attack Scenarios (Chirag Modi)
  Intrusion Detection & Response

Public IaaS Marketplace Leaders (Gartner, 2013)
  Public IaaS Security
  Expert Observation (Leong, 2013)

Public Cloud Intrusion Detection Conclusions and Recommendations

Other References

Works Cited

Table of Figures

Figure 1- Direct Cloud Connection
Figure 2- External Cloud Connector Bridge
Figure 3- External Cloud Connector Gateway
Figure 4- Cloud Service Broker
Figure 5- IDS Components
Figure 6- IDS Placement: Multiple Clouds
Figure 7- IDS Placement: Single Cloud
Figure 9- Gartner: Cloud Security Product Priority Matrix

List of Tables

Table 1- Cloud IDS/IPS Options
Table 2- Cloud IDS/IPS Management Authority
Table 3- Scenario: Internal (Private) – External (Public)
Table 4- Scenario: Internal (Private) – External (Community)
Table 5- Scenario: Internal (Private) – External (Public) – External (Public)
Table 6- Scenario: Internal (Private) – CSB – External (Public or Community)
Table 7- Scenario: Internal (Private) – External (Community) – External (Public)
Table 8- Gartner IaaS Magic Quadrant CSP Security Ratings

Introduction

Cloud computing is driving the business of information technology today.

“A recent Gartner survey on the future of IT services found that only 38 percent of all organizations surveyed indicate cloud services use today. However, 80 percent of organizations said that they intend to use cloud services in some form within 12 months, including 55 percent of the organizations not doing so today.” (Gartner, Inc, 2013)

As companies rush to adopt cloud, however, information technology (IT) security sometimes seems to be an afterthought.

The goal of this paper is to provide a survey of the current state of IT security within public cloud infrastructure-as-a-service providers. After first providing a cloud computing overview, the paper focuses on the infrastructure-as-a-service (IaaS) deployment model, the typical home of IaaS intrusion detection components. The Gartner Cloud Use Case Framework is then introduced, as it also serves as the framework for this survey. An in-depth review of public cloud intrusion detection studies, options and expert observations follows. The paper then offers the author's conclusions and cloud computing IDS recommendations for enterprises considering a move to the cloud.

Cloud Computing Overview

Definition

Cloud computing is a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using Internet technologies. Cloud infrastructure as a service (IaaS) is a type of cloud computing service; it parallels the infrastructure and data center initiatives of IT. Cloud compute IaaS constitutes the largest segment of this market (the broader IaaS market also includes cloud storage and cloud printing).

Cloud Model Evolution

Cloud computing represents an evolution of distributed computing. In that model, software systems whose components are located on networked computers communicate and coordinate their actions by passing messages. The components interact with each other in order to achieve a common goal. Three significant characteristics of distributed systems are: concurrency of components, lack of a global clock, and independent failure of components. An important goal and challenge of distributed systems is location transparency. Examples of distributed systems range from SOA-based systems to massively multiplayer online games to peer-to-peer applications.

Distributed computing systems are generally designed using a service-oriented architecture (SOA), a software design and software architecture pattern based on discrete pieces of software providing application functionality as services to other applications. This approach is typically independent of any vendor, product or technology. SOA also makes it easy for computers connected over a network to cooperate. Every computer can run an arbitrary number of services, and each service is built in a way that ensures it can exchange information with any other service in the network without human interaction and without the need to change the underlying program itself.

The success of this model led to the proliferation of Shared services, which refers to the provision of a service by one part of an organization or group where that service had previously been found in more than one part of the organization or group. Thus the funding and resourcing of the service is shared and the providing department effectively becomes an internal service provider.

Shared services across a distributed computing platform led to the concept of a converged infrastructure which packages multiple information technology (IT) components into a single, optimized computing solution. Components of a converged infrastructure solution include servers, data storage devices, networking equipment and software for IT infrastructure management, automation and orchestration. This management approach is used to centralize the management of IT resources, consolidate systems, increase resource utilization rates, and lower costs. These objectives are enabled by the creation of pools of computers, storage and networking resources that can be shared by multiple applications and managed in a collective manner using policy driven processes.

Cloud Computing steps this concept up by delivering a converged infrastructure over a wide area network, thus enabling internet-scale computing. Cloud computing relies on sharing of resources to achieve coherence and economies of scale, similar to a utility (like the electricity grid) over a network.

Cloud Computing Service Models

Historically, cloud computing has been described and delivered through three service models: Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service. Although many other as-a-service models have been proposed, this paper addresses only this limited set.

Infrastructure-as-a-Service (Wikipedia, 2013)

In the most basic cloud-service model, providers of IaaS offer computers – physical or (more often) virtual machines – and other resources. (A hypervisor, such as Hyper-V or Xen or KVM or VMware ESX/ESXi, runs the virtual machines as guests. Pools of hypervisors within the cloud operational support-system can support large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements.) IaaS clouds often offer additional resources such as a virtual-machine disk image library, raw (block) and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and software bundles. IaaS-cloud providers supply these resources on-demand from their large pools installed in data centers. For wide-area connectivity, customers can use either the Internet or carrier clouds (dedicated virtual private networks).

Platform-as-a-Service (Wikipedia, 2013)

In the PaaS model, cloud providers deliver a computing platform, typically including an operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. With some PaaS offerings (like Windows Azure), the underlying compute and storage resources scale automatically to match application demand, so that the cloud user does not have to allocate resources manually. Automatic scaling of this kind has also been proposed in architectures aimed at real-time workloads in cloud environments.

Software-as-a-Service (Wikipedia, 2013)

In the business model using software as a service (SaaS), users are provided access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis or, more commonly, with a subscription fee.

In the SaaS model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. Cloud users do not manage the cloud infrastructure and platform where the application runs. This eliminates the need to install and run the application on the cloud user's own computers, which simplifies maintenance and support. Cloud applications differ from other applications in their scalability, which can be achieved by cloning tasks onto multiple virtual machines at run time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multitenant, that is, any machine serves more than one cloud user organization. It is common to refer to special types of cloud-based application software with a similar naming convention: desktop as a service, business process as a service, test environment as a service, communication as a service.

Cloud Security

Security controls should be selected according to asset, threat, and vulnerability risk assessment matrices. For ease of analysis, the many dimensions of cloud security have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues. Intrusion detection is generally addressed as a component of Security and Privacy, specifically identity management.

Identity management systems are used to control access to information and computing resources. Cloud providers either integrate the customer's identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own. IDS and IPS systems are a typical part of an effective identity management system design. These systems are generally part of the IaaS layer.

IaaS Deployment Models

The cloud computing industry generally recognizes four cloud deployment models: Public, Private, Community and Hybrid.

Public Clouds

A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture; however, security considerations may be substantially different for services (applications, storage, and other resources) that a service provider makes available to a public audience, and when communication takes place over an untrusted network. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access via the Internet. (The statement that direct connectivity is not offered is a generalization; some providers, AWS among them, also sell dedicated private circuits into their networks, which changes where a network IDS sensor can sit.)

Private Clouds

Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally.

Community Clouds

Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized.

Hybrid IaaS

Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

Cloud Use Case Template (Gartner, 2012)

Applicability

To aid organizational planning of cloud deployments, Gartner has published a series of cloud use case templates. These templates apply to an IT organization that desires to combine internal IaaS cloud infrastructure and external IaaS cloud services to deliver a federated, scalable, hybrid IaaS cloud. They are designed to help IT architects and decision makers build hybrid IaaS cloud solutions to deliver IT infrastructure services efficiently and securely.

Components and Connection Scenarios

The Gartner cloud use case template is composed of the following components and connection scenarios.

Internal (Private) cloud

A private or internal cloud is an on-premises IT capability (e.g., compute, storage, and network) offered as a service by an IT organization to its business units or customers. Many components are connected together to establish an internal cloud (e.g., self-service provisioning portal, service catalog, orchestrator, and server virtualization). The internal cloud's purpose is to house IT services and initiate movement of IT services along the hybrid cloud connections to other cloud services. Gartner uses the internal cloud as an example in this template to aid comprehension. Hybrid IaaS clouds can also exist between two external clouds. For more information on the internal cloud, see the architectural model Gartner designed for internal IaaS cloud deployments.

External (Public / Community) cloud

An external cloud is an IT capability offered as a service that one business hosts for another business off-premises. An external cloud can be shared among many tenants (i.e., public cloud) or dedicated to one organization or a defined list of organizations (i.e., a hosted private or community cloud), but it must be implemented by a third party. In this template, the internal cloud connects to the external cloud in four different connection scenarios, as discussed later in this document.

However, two external clouds can connect in similar scenarios, although not depicted in this template.

Orchestrator

The orchestrator (sometimes referred to as the IT process automation tool) in IaaS cloud services automates IT operation processes across all components of the cloud stack. In a hybrid IaaS environment, the orchestrator may be responsible for:

Defining, administering, and monitoring process workflows for various IT operations (e.g., service provisioning, chargeback, asset management, service and data replication for business continuity, and disaster recovery) across IaaS cloud services

Creating and enforcing IT process automation policies

Coordinating and automating IT process execution across IaaS cloud services

Integrating with all other hybrid cloud management tools (e.g., external cloud connector, cloud services broker, and cloud services provider application programming interfaces [APIs]) to execute process workflows through predefined integration packs and/or code development (e.g., moving or replicating storage volumes between two clouds)

External (Public / Community) cloud connector

The external cloud connector (ECC) connects cloud environments to one another. Organizations can deploy ECCs at one or both ends of the connection in either a bridge or a gateway connection scenario. To connect environments, organizations may implement one or more ECCs. ECCs can come in a variety of offerings (e.g., hardware appliances, virtual appliances, software packages, logical networks, custom scripts) and include capabilities such as:

o Providing a connection for internal cloud management software (e.g., capacity management tools, chargeback systems, and disaster recovery tools) to manage external cloud assets

o Providing a secure network tunnel among cloud environments

o Performing data encryption and decryption

o Enforcing network transparency by connecting internal and external network topologies

o Enhancing network performance across distance through techniques such as compression, acceleration, caching, and/or optimization

o Translating storage protocols and performing storage functions such as replication, compression, and/or deduplication to connect applications or internal storage infrastructures to external cloud storage services

o Converting virtual machines between formats (e.g., VMware Virtual Machine Disk Format [VMDK] to Xen virtual hard disk [VHD]) before transmission

o Propagating security and service-level requirements (e.g., performance, availability, recovery time objective [RTO], and recovery point objective [RPO]) defined in the IT service catalog

Cloud Service Broker

The cloud services broker (CSB) is a component that serves as an intermediary among cloud environments and adds services to the cloud environments that are not readily available without the broker. CSBs aim to aggregate cloud service providers through a single portal or service. CSBs can come in a variety of implementations but are normally hosted externally and include capabilities such as:

o Centralized cloud management capabilities

o Integration capabilities

o Governance capabilities

Direct Cloud Connection

The direct cloud connection scenario exists when the two clouds connect directly without any outside assistance such as an ECC or CSB. This is common when clouds interface across common published APIs and general-purpose networks (e.g., the Internet).

Figure 1- Direct Cloud Connection

External Cloud Connector Bridge

The ECC bridge scenario exists when an ECC is present at both ends of the connection. ECCs possess many characteristics and provide many possible functions across clouds. In most ECC bridge situations, the ECC is deployed as a similar vendor product or technology at both ends. The reason for this is that ECCs perform a significant amount of intelligence at both ends to improve or facilitate the connection, and vendors are more likely to accomplish these tasks among their own products. However, scenarios exist where the ECC at each end does not need to be a matching vendor product. An example of this is a virtual private network (VPN) that leverages a well-known protocol such as Internet Protocol Security (IPsec). Each cloud may implement the IPsec connection using different vendor products. The key is that both ends must be compatible, which in practice means agreeing on the same IKE version, authentication method and cipher proposals.

Figure 2- External Cloud Connector Bridge

External Cloud Connector Gateway

The ECC gateway scenario is similar to the ECC bridge, except that an ECC is present on only one end of the connection.

Figure 3- External Cloud Connector Gateway

Cloud Services Broker

A cloud services broker (CSB) possesses many characteristics and provides many possible functions among clouds. The CSB scenario differs from the ECC scenarios because the CSB sits as an intermediary between clouds to assist with or perform integration and translation of cloud services. In this example, the internal cloud talks directly only to the CSB and does not know about any of the external clouds behind the CSB. The CSB may replace the functionality of the ECC or enhance its capabilities.

Figure 4- Cloud Service Broker

Public Cloud IaaS Use Cases

The Gartner template components and connection scenarios yield the following five typical public cloud IaaS use cases addressed in this survey.

Internal (Private) – External (Public)

Internal (Private) – External (Community)

Internal (Private) – External (Public) – External (Public)

Internal (Private) – CSB – External (Public or Community)

Internal (Private) – External (Community) – External (Public)

Public Cloud IDS

Description and Characteristics

Cloud IDS can be described as being composed of three components (Alharkan, 2013):

o Collection

    Host based

    Network based

o Alert Analysis

    Signature based

    Anomaly based

o Reaction

    Passive IDS

    Active IDS

In the cloud, none of these components is entirely owned or managed by the enterprise. In these deployments, intrusion detection is a shared responsibility with the cloud service provider. When multiple CSPs or a cloud service broker (CSB) are used, coordination between the participating entities is critical.

Figure 5- IDS Components

IDS Placement (Chirag Modi, 2013)

In a cloud computing environment, IDS components are typically placed:

o In the application;

o Between applications;

o In the virtualization layer; or

o Between virtualization layers.

IDS Placement for Multiple CSPs

For large enterprises, IDS placement is complicated by the use of multiple cloud service providers. Figure 6 outlines the critical security nodes that should be addressed.

Figure 7- IDS Placement: Single Cloud

Figure 6- IDS Placement: Multiple Clouds (nodes shown: Private Cloud, Public/Community Cloud, Public Cloud)

IDS Management Responsibility

The complexity of IDS placement also complicates IDS management responsibility. This fact is typically not addressed in enterprise IT governance policies. While the enterprise will usually have responsibility for application IDS, the cloud service provider (CSP) has jurisdiction over the network between applications, within the virtualization layer and between virtualization technologies. Responsibility for protecting against intrusion on networks between public cloud service providers lies with the enterprise or, if employed, a cloud service broker (CSB). IDS management responsibility within a community cloud is left for negotiation amongst the community members.

Cloud Security State of the Art (Gartner, 2013)

In cloud computing security there are three primary control themes: encryption, tracking/blocking, and cloud security ecosystems.

Although encryption works well for protecting data, it complicates search and edit functions and consumes resources for key management. In public clouds, encryption is applied as a mechanism for simultaneously preventing unwanted access by users, administrators and attackers. Encryption can potentially address regulatory compliance concerns such as data residency requirements. Note that the protection is only as strong as the key custody: whichever party holds the keys (enterprise or CSP) can read the data, so key management is itself a control to be placed deliberately.

For tracking and blocking, next-generation firewalls, gateways and desktop data loss prevention (DLP) offer enterprises the ability to measure their use of the cloud and to block outgoing connection attempts based on organizational policy. This enables organizations to permit controlled use of externally provisioned IT services, letting employees discover and take advantage of cloud computing while limiting the potential for misuse.

Cloud security ecosystems provide a more comprehensive set of security control functions. Cloud management platforms, security as a service (SecaaS) offerings, secure Web gateways (SWG) and cloud access security brokers (CASBs) are growing in use.

Gartner's cloud security product priority matrix, Figure 9, provides a snapshot of the cloud security state of the art. It implies that today cloud intrusion detection services provide only moderate value to the marketplace, with mainstream adoption expected within 2-5 years.

Figure 9- Gartner: Cloud Security Product Priority Matrix

Cloud Computing Attack Scenarios (Chirag Modi) Most, if not all, enterprise IT attack vectors have a cloud computing corollary. Some of the more

common ones follow.

Insider attack - Authorized Cloud users may attempt to gain (and misuse) unauthorized

privileges. Insiders may commit frauds and disclose information to others (or modify

information intentionally). This poses a serious trust issue. For example, an internal DoS

attack demonstrated against the Amazon Elastic Compute Cloud (EC2) (Slaviero, 2009).

Flooding attack - In this attack, attacker tries to flood victim by sending huge number of

packets from innocent host (zombie) in network. Packets can be of type TCP, UDP, ICMP or a

mix of them. This kind of attack may be possible due to illegitimate network connections. In

case of Cloud, the requests for VMs are accessible by anyone through Internet, which may

cause DoS (or DDoS) attack via zombies. Flooding attack may raise the usage bills drastically

as the Cloud would not be able to distinguish between the normal usage and fake usage.

User to root attack - An attacker gets an access to legitimate user’s account by sniffing

password making the system vulnerable to attacker with root level access. The mechanisms

used to secure the authentication process are a frequent target. In case of Cloud, attacker

acquires access to valid user’s instances which enables him/her for gaining root level access

to VMs or host.

Port scanning - Through port scanning, attackers can find open ports and attack on services

running on these ports. Network related details such as IP address, MAC address, router,

gateway filtering, firewall rules, etc. can be known through this attack. In Cloud scenario,

attacker can attack offered services through port scanning (by discovering open ports upon

which these services are provided).

Virtual machine (VM) or hypervisor attack - By compromising the lower layer hypervisor,

attacker can gain control over installed VMs. For e.g. BLUEPILL (Rutkowska, 2006), SubVir

(King et al., 2006) and DKSM (Bahram et al., 2010) are some well-known attacks on virtual

layer. Through these attacks, hackers can be able to compromise installed-hypervisor to gain

control over the host. Zero-day VM vulnerabilities are also possible. A zero-day vulnerability

exploited in the HyperVM virtualization application resulted in destruction of many virtual

server based websites (Goodin, 2009).

Backdoor channel attacks - A backdoor gives the attacker remote access to the infected node, compromising user confidentiality. Using backdoor channels, the attacker can control the victim's resources and turn the node into a zombie for DDoS attacks. In the Cloud environment, an attacker can gain access to and control of a Cloud user's resources through a backdoor channel and make the VM a zombie to initiate DoS/DDoS attacks.

A firewall (in the Cloud) is the common solution for preventing some of the attacks listed above. To detect attacks on the VM/hypervisor, anomaly-based intrusion detection techniques can be used. For flooding attacks and backdoor channel attacks, either signature-based or anomaly-based intrusion detection techniques can be used.
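As an added example (not part of the paper or of any tool it cites), the following Python script applies both techniques named above to constructed connection records: a signature rule for a hypothetical backdoor beacon, and per-source anomaly thresholds for SYN flooding and port scanning. The hosts, thresholds and the backdoor signature are assumptions made for the example.

```python
"""Minimal network IDS over constructed flow records (added example, not from the paper).

Two detection techniques:
  * signature-based: exact match on a "known" backdoor beacon (assumed signature);
  * anomaly-based: per-source, per-window counters compared against a baseline
    threshold, for SYN rate (flooding) and distinct destination ports (port scan).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str    # "TCP", "UDP" or "ICMP"
    flags: str    # TCP flags, e.g. "S" = SYN only, "PA" = PSH+ACK
    size: int     # payload bytes


# Constructed traffic (assumed, not captured): one legitimate client, one SYN
# flooder, one port scanner, and one internal host beaconing to a backdoor listener.
SAMPLE_FLOWS = (
    [Flow(0.0 + i, "10.0.0.5", "10.0.1.10", 443, "TCP", "S", 0) for i in range(5)]
    + [Flow(1.0 + i * 0.001, "198.51.100.7", "10.0.1.10", 80, "TCP", "S", 0) for i in range(500)]
    + [Flow(2.0 + i * 0.01, "203.0.113.9", "10.0.1.10", 1 + i, "TCP", "S", 0) for i in range(60)]
    + [Flow(10.0 + i * 30, "10.0.1.22", "192.0.2.1", 4444, "TCP", "PA", 64) for i in range(4)]
)

# Assumed signature for a backdoor beacon: fixed port, protocol and payload size.
BACKDOOR_SIGNATURE = {"dport": 4444, "proto": "TCP", "size": 64}


def signature_detect(flows, signature=BACKDOOR_SIGNATURE):
    """Return sorted (src, dst) pairs with at least one flow matching the signature."""
    hits = set()
    for f in flows:
        if (f.dport == signature["dport"] and f.proto == signature["proto"]
                and f.size == signature["size"]):
            hits.add((f.src, f.dst))
    return sorted(hits)


def anomaly_detect(flows, window=1.0, syn_rate_threshold=100, distinct_port_threshold=20):
    """Bucket flows per (source, time window); flag sources exceeding a threshold.

    Returns {src: sorted list of alert names}. Thresholds are assumed baselines.
    """
    syn_counts = defaultdict(int)
    ports = defaultdict(set)
    for f in flows:
        key = (f.src, int(f.ts // window))
        if f.proto == "TCP" and f.flags == "S":
            syn_counts[key] += 1
        ports[key].add(f.dport)

    alerts = defaultdict(set)
    for (src, _), n in syn_counts.items():
        if n > syn_rate_threshold:
            alerts[src].add("syn_flood")
    for (src, _), p in ports.items():
        if len(p) > distinct_port_threshold:
            alerts[src].add("port_scan")
    return {src: sorted(a) for src, a in alerts.items()}


def run(flows=SAMPLE_FLOWS):
    """Run both detectors and return their results together."""
    return {"signature": signature_detect(flows), "anomaly": anomaly_detect(flows)}


if __name__ == "__main__":
    for kind, result in run().items():
        print(kind, result)
```

Because the detector looks only at flow metadata (timestamps, addresses, ports, flags, sizes), it still works on encrypted traffic, which is the NIDS limitation Table 2 records; what it cannot see is the payload, so a backdoor that varies its port and packet size evades the signature rule and has to be caught by the anomaly side or by a host-based sensor.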

Intrusion Detection & Response

Cloud IDS/IPS techniques can be classified as:

o Host based intrusion detection systems (HIDS)

o Network based intrusion detection systems (NIDS)

o Distributed intrusion detection systems (DIDS)

o Hypervisor-based intrusion detection systems

o Intrusion prevention systems (IPS)

o Intrusion detection and prevention systems (IDPS)

Table 1 provides a summary of how these techniques can be used to protect an enterprise cloud

deployment. Table 2 augments Table 1 by providing recommendations for IDS/IPS deployment

and monitoring authority within a cloud computing environment.

Table 1 - Cloud IDS/IPS Options

Title | IDS type | Technique used | Positioning | Pros | Cons
--- | --- | --- | --- | --- | ---
IDS architecture for Cloud environment (Vieira et al., 2010) | HIDS | Signature based and anomaly detection using ANN | On each node | Lower false rate for unknown attacks since an ANN is used | Requires more training time and samples for detection accuracy
Multi-level IDS (Lee et al., 2011) | HIDS | Anomaly detection | On each guest OS | Provides a fast detection mechanism | Requires more resources for high-level users
Self-similarity based IDS (Kwon et al., 2011) | HIDS | Anomaly detection | On each VM | Can be used in real time | Works only for Windows systems
Abstract model of IDS (Arshad et al., 2011) | HIDS | Signature based and anomaly detection | On each VM | Minimal response time and human intervention | Experimental results are not evaluated
VM compatible IDS architecture (Roschke et al., 2009) | NIDS | Signature based detection | On each VM | Secures VM based on user configuration | Multiple IDS instances are required, which degrades performance
DDoS attack detection in virtual machine (Bakshi and Yogesh, 2010) | NIDS | Signature based detection | On each VM | Secures VM from DDoS attacks | Can only detect known attacks
NIDS in open source Cloud (Mazzariello et al., 2010) | NIDS | Signature based detection | On traditional network | Can detect several known attacks | Cannot detect insider attacks or unknown attacks
IDS as a Service (Hamad and Hoby, 2012) | NIDS | Signature based detection | Snort is provided as a web service | Lets the user detect known attacks on his/her running service | Cannot detect unknown attacks
EDoS protection (Sandar and Shenai, 2012) | NIDS | Signature based detection | On traditional network | Blocks HTTP and XML based DDoS attacks | Cannot detect unknown attacks
Cloud based IDS for mobile phones (Houmansadr et al., 2011) | NIDS | Anomaly detection | On VM | Detects malicious behavior on smartphones | Cannot be used as a general-purpose IDS
Cooperative agent based approach (Lo et al., 2008) | DIDS | Signature based detection | On each Cloud region | Prevents a single point of failure | Cannot be used for all types of attacks; high computational overhead
Mobile agent based approach (Dastjerdi et al., 2009) | DIDS | Anomaly detection | On each VM | Provides IDS for Cloud applications regardless of their location | Network load grows with the number of VMs attached to a mobile agent
Mutual agent based approach (Ram, 2012) | DIDS | Signature based detection | On each Cloud region | Detects DDoS attacks across the whole Cloud environment | Cannot detect unknown attacks; high computational cost
VMI-IDS based architecture (Garfinkel and Rosenblum, 2003) | Hypervisor-based | Anomaly detection | On hypervisor | Detects attacks on VMs | The VMI IDS itself can be attacked; very complex method
Xen based host system firewall (Fagui et al., 2009) | - | Prevention | On each host | Prevention using user-configured rules | Not usable for preventing unknown attacks
IPS model based on cloud firewall linkage (Jia and Wang, 2011) | HIPS | Anomaly prevention | In internal network | Real-time interactive defense and better optimization of the Cloud firewall | Experimental results are not yet available
CP based approach (Guan and Bao, 2009) | - | Anomaly detection | - | Used to detect all types of attacks; solves the limitation of computing time | Experimental results are not yet available

Table 2- Cloud IDS/IPS Management Authority

IDS/IPS type | Characteristics/strengths | Limitations/challenges | Positioning in Cloud | Deployment and monitoring authority
--- | --- | --- | --- | ---
HIDS | Identifies intrusions by monitoring the host's file system, system calls or network events. No extra hardware required. | Must be installed on each machine (VM, hypervisor or host). Can monitor attacks only on the host where it is deployed. | On each VM, hypervisor or host system | On VMs: Cloud user. On hypervisor: Cloud provider.
NIDS | Identifies intrusions by monitoring network traffic. Needs to be placed only on the underlying network. Can monitor multiple systems at a time. | Difficult to detect intrusions in encrypted traffic. Helps only in detecting external intrusions. Difficult to detect network intrusions in the virtual network. | In the external network or in the virtual network | Cloud provider
Hypervisor-based IDS | Allows the user to monitor and analyze communications between VMs, between hypervisor and VM, and within the hypervisor-based virtual network. | New and difficult to understand. | In the hypervisor | Cloud provider
DIDS | Uses characteristics of both NIDS and HIDS, and thus inherits the benefits of both. | The central server may be overloaded and difficult to manage in a centralized DIDS. High communication and computational cost. | In the external network, on the host, on the hypervisor or on the VM | On VMs: Cloud user. Other cases: Cloud provider.
IPS | Prevents intrusion attacks. NIPS prevents network attacks; HIPS prevents system-level attacks. | Detection accuracy for preventing attacks is lower than for IDS. | NIPS: in the external/internal network. HIPS: on the VM or hypervisor. | NIPS: Cloud provider. HIPS on VM: Cloud user. HIPS on hypervisor: Cloud provider.
IDPS | Effectively detects and prevents intrusion attacks. | Complex architecture. | Network-based IDPS: in the external/internal network. Host-based IDPS: on the VM or hypervisor. | NIDPS: Cloud provider. HIDPS on VM: Cloud user. HIDPS on hypervisor: Cloud provider.
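The HIDS row of Table 2 names file-system monitoring as one of the host-level signals. As an added example (not from the paper or from any product it references), the Python script below takes a hash baseline of a watched directory tree, then reports files that were modified, added or removed. The directory, file contents and the simulated tampering are constructed in a temporary directory for the example; a real deployment would watch system directories and keep the baseline off-host, since an attacker who reaches root on the VM can otherwise rewrite it.

```python
"""File-integrity check of the kind a HIDS performs (added example, not from the paper)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two baselines; return sorted lists of modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Construct a watched tree, take a baseline, simulate an intrusion, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")                # constructed content

        baseline = build_baseline(root)

        # Simulated user-to-root follow-on: a second uid-0 account is appended,
        # a preload hook is dropped, and a file is deleted.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "hosts"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline: take it from a known-good image before the VM is exposed, and compare from outside the guest (for example from the hypervisor or a management host) so the comparison does not depend on code the intruder may have altered.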

Juxtaposing Figure 6, Table 1, Table 2 and the Gartner Cloud Deployment use cases, general rules for both Detection/Alerting Responsibility and Response/Remediation Responsibility in enterprise cloud deployment scenarios can be derived. These rules are summarized in Tables 3-7 and represent a useful Cloud Computing IDS Readiness Review guideline. This type of information can be used to enhance organizational policy and practice when public IaaS providers are used.

Table 3 - Scenario: Internal (Private) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Internal infrastructure; Hypervisor-based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSB: -

Community: -

Table 4 - Scenario: Internal (Private) - External (Community)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/Community network; NIDS - Intra-Enterprise networks
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSP: -

CSB: -

Community
  Deploy/Monitor: NIDS - Inter-Enterprise networks
  Notify/Alert: Other potentially exposed Enterprise(s); other potentially exposed communities
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

Table 5 - Scenario: Internal (Private) - External (Public) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network; NIDS - Inter-CSP network
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Internal infrastructure; Hypervisor-based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSB: -

Community: -

Table 6 - Scenario: Internal (Private) - CSB - External (Public or Community)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network; NIDS - Enterprise/CSB network
  Notify/Alert: Relevant CSP(s); relevant CSB(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Intra-CSP; Hypervisor-based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSB
  Deploy/Monitor: NIDS - Inter-CSP networks; NIDS - Intra-CSB networks; DIDS - Intra-CSB; NIPS - Inter-CSP networks; NIPS - Inter-CSB networks
  Notify/Alert: Other potentially exposed CSP(s); other potentially exposed CSB(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

Community: -

Table 7 - Scenario: Internal (Private) - External (Community) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/Community network; NIDS - Intra-Enterprise networks
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP networks; DIDS - Internal infrastructure; Hypervisor-based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

CSB: -

Community
  Deploy/Monitor: HIDS - Community-managed Virtual Machines; NIDS - Intra-Community networks; NIDS - Inter-Community networks; NIDS - Inter-CSP networks
  Notify/Alert: Other potentially exposed Enterprise(s); relevant CSP(s); other potentially exposed communities
  Response/Remediation: Monitor all VMs for intrusion; remediate as required

Public IaaS Marketplace Leaders (Gartner, 2013)

In 2013, Gartner identified fifteen IaaS providers as "Magic Quadrant" marketplace leaders. This designation covered all the common use cases for cloud IaaS, including development and testing, production environments (including those supporting mission-critical workloads) for both internal and customer-facing applications, batch computing (including high-performance computing [HPC]) and disaster recovery. All the providers claim to have high security standards, but the extent of their security controls varied significantly. All providers offered multifactor authentication and most offered additional security services. All evaluated providers also met common regulatory compliance needs (SSAE 16, ISO 27001, etc.).

Magic Quadrant providers also offered firewall and intrusion detection/prevention capabilities as part of their offerings, although a few offered only access control lists (ACLs), and none offered intrusion detection or prevention on a self-service basis. All providers did offer customers the self-service ability to create complex network topologies with multiple network segments and multiple virtual network interface cards (NICs).

All the providers allow customers to bring their own VM images, allowing customers to create

snapshots of existing VMs within their own internal data center, and then directly import them

into the provider's cloud. This also allows the import of VM appliances and other prepackaged

VM images from independent software vendors (ISVs).

Public IaaS Security

As part of the Magic Quadrant analysis, Gartner also compared these same 15 public cloud IaaS providers against nine critical capabilities across four use cases. The security and compliance capability encompasses features that are important to security, compliance, risk management and governance. It covers specific security measures such as network access control lists (ACLs), intrusion detection and prevention systems (IDS/IPS), multifactor authentication and encryption. It also includes aspects such as the availability of audits, logging and reporting, and the ability to use the service under regulatory compliance needs, such as those of the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).

This was a comparison across broad categories, not granular capabilities; the categories are inclusive of a range of features, and Gartner does not provide a comprehensive list of them. Because each category includes a large number of features, the scoring in each category is directional. In general, a score of 3 indicates that a provider is able to fulfill the most critical features in that category. However, a provider may be missing some important features in a category yet have other strengths that increase its score in that category. Comparison results are provided in Table 8.

Table 8- Gartner IaaS Magic Quadrant CSP Security Ratings

Product | Security and Compliance Rating
--- | ---
Amazon Web Services | 3.7
CSC BIZ-Cloud VPE | 4
Dimension Data Public CaaS | 2.7
Fujitsu Cloud IaaS Trusted Public S5 | 2.5
GoGrid | 3.8
HP Public Cloud | 1.3
IBM SoftLayer CloudLayer Computing | 3.1
IBM SmartCloud Enterprise | 1
Joyent | 3.2
Microsoft Windows Azure Infrastructure Services | 1.7
Rackspace Public Cloud | 2.3
Savvis Symphony VPDC | 4.5
Tier 3 | 2
Verizon Terremark Enterprise Cloud | 4.7
Virtustream | 5

Expert Observation (Leong, 2013)

During this survey project, there was also an opportunity to interview Ms. Lydia Leong, a Research Vice President at Gartner. Ms. Leong's research focus is cloud computing, particularly infrastructure as a service (IaaS). Because cloud computing is reshaping the IT landscape, her research covers a broad range of topics related to the transformation of IT organizations, data centers and technology providers. She works primarily with IT organizations, but also produces strategic and quantitative research targeted at service providers, vendors and investors. She was Gartner's Analyst of the Year in 2010. During the interview, Ms. Leong highlighted the following points.

o Cloud infrastructure security is a shared responsibility between the service provider and the user. The user is generally responsible for host-based security, while the CSP is responsible for network-based security.

o Initially, customers request the provisioning of the maximum level of available security, including IDS and IPS, but typically balk at the price. They typically settle on simple firewall and ACL solutions.

o CSPs typically give the user full access to and control of the firewall.

o While IDS and IPS services are offered by a few CSPs, customers are typically not willing to bear the high cost. The high marketplace cost is driven by CSPs' inability to mass-configure these types of solutions.

o Security breaches are typically seen at the application level, not within the infrastructure.

o No hypervisor attacks have been observed to date.

Public Cloud Intrusion Detection Conclusions and Recommendations

There is a significant amount of published literature and ongoing research on public IaaS security. Unfortunately, the hard lessons learned in the development of modern and robust enterprise IT platforms are not being employed as these same enterprises transition to cloud computing. This survey has led me to the following conclusions:

o IDS responsibilities are driven by the relevant scenario.

o IDS and IPS use is not prevalent in the marketplace due to high cost.

o If IDS or IPS is used, the use scenario will drive IDS detection, response and remediation planning.

o A Cloud IDS Readiness Chart should be used to evaluate Enterprise, CSP, CSB and Community IDS readiness.

Economic pressures to leverage the scale and efficiencies of cloud platforms are butting up against the economic pressures of paying for adequate security. To help balance these competing requirements, managers should understand what risks are being assumed based on the relevant cloud deployment scenario. Senior IT managers should also develop their own Cloud Computing IDS Readiness Review guideline and institutionalize that guidance as part of their organization's cloud deployment strategy.

Other References

o Distributed Intrusion Detection in Clouds Using Mobile Agents. Dastjerdi, A. V. (Univ. of Melbourne, Melbourne, VIC, Australia); Bakar, K. A.; Tabatabaei, S. G. H. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5359505&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5359505

o A survey on security issues in service delivery models of cloud computing. Subashini, S.; Kavitha, V. http://www.sciencedirect.com/science/article/pii/S1084804510001281

o Can Public-Cloud Security Meet Its Unique Challenges? Kaufman, L. M. (BAE Systems). http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5523865&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5523865

o Intrusion Detection in the Cloud. Roschke, S. (Hasso Plattner Inst. (HPI), Univ. of Potsdam, Potsdam, Germany); Feng Cheng; Meinel, C. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5380611&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5380611

o IDSaaS: Intrusion Detection System as a Service in Public Clouds. Alharkan, T.; Martin, P. http://dl.acm.org/citation.cfm?id=2310128

o DCDIDP: A Distributed, Collaborative, and Data-driven Intrusion Detection and Prevention Framework for Cloud Computing Environments. Taghavi Zargar, S.; Takabi, H.; Joshi, J. B. D. http://d-scholarship.pitt.edu/13461/

o Intrusion Detection on Cloud Applications. Venkat Reddy, K.; Sharath Kumar, V.; Hari Prasad. http://ijcsmc.com/docs/papers/September2013/V2I9201303.pdf

o An architecture for overlaying private clouds on public providers. Shtern, M. (York Univ., Toronto, ON, Canada); Simmons, B.; Smit, M.; Litoiu, M. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6380044&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6380044

o Detection of Distributed Attacks in Hybrid & Public Cloud Networks. Hassan, S. R. (FEMTO-ST Inst., Univ. of Franche-Comté (UFC), Montbéliard, France); Bourgeois, J.; Sunderam, V.; Li Xiong. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6391805&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6391805

o A Cloud-based Intrusion Detection Service framework. Yassin, W. (Fac. of Comput. Sci. & Inf. Technol., Univ. Putra Malaysia, Serdang, Malaysia); Udzir, N. I.; Muda, Z.; Abdullah, A.; Abdullah, M. T. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=6246098&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6246098

o A Novel Approach to Analyzing for Detecting Malicious Network Activity Using a Cloud Computing Testbed. Junwon Lee; Jaeik Cho; Jungtaek Seo; Taeshik Shon; Dongho Won. http://link.springer.com/article/10.1007/s11036-012-0375-1

Works Cited

Alharkan, T. (2013). IDSaaS: Intrusion Detection Systems as a Service in Public Clouds. Kingston, Ontario, Canada: Queen's University.

Modi, C., Patel, D., et al. (2013). A survey of intrusion detection techniques in Cloud. Journal of Network and Computer Applications, 42-57.

Gartner. (2012). Hybrid IaaS. Stamford, CT: Gartner Inc.

Gartner. (2013). Critical Capabilities for Public Cloud Infrastructure as a Service. Stamford, CT: Gartner Inc.

Gartner. (2013). Hype Cycle for Cloud Security. Stamford, CT: Gartner, Inc.

Gartner. (2013). Magic Quadrant for Cloud Infrastructure as a Service. Stamford, CT: Gartner Inc.

Gartner, Inc. (2013, December 12). Gartner Says the Road to Increased Enterprise Cloud Usage Will Largely Run Through Tactical Business Solutions Addressing Specific Issues. Retrieved from www.gartner.com: http://www.gartner.com/newsroom/id/2581315

Leong, L. (2013, November 25). Cloud Computing Market Analyst. (K. L. Jackson, Interviewer)

Mell, P., & Grance, T. (2013, November 29). The NIST Definition of Cloud Computing. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Wikipedia. (2013, December 12). Cloud Computing. Retrieved from en.wikipedia.org: http://en.wikipedia.org/wiki/Cloud_computing