Wednesday Jan 28, 2009

Security Recommendations for IaaS Providers


Although Cloud Computing (Cloud) is the subject of intense industry interest today, it will not be able to realize its full potential without strong security assurances offered by Cloud providers.  The type of security controls and the level of assurance required will vary by Cloud layer (IaaS, PaaS, SaaS) and also by the degree to which the Cloud is shared (public, private, hybrid) and interconnected with other services.  The goal of this article is to highlight a few security recommendations that apply to IaaS Cloud architectures.


Before we begin, a few definitions are provided to ensure that everyone is working from the same page:

  • Cloud Resources. (Resources) Virtualized compute, storage, networking, infrastructure and application services.

  • Cloud Provider. (Provider) The owner of the Cloud Computing architecture and all of its Cloud Resources.  The Cloud Provider provisions Cloud Resources based upon requests (and optionally payment) from Cloud Customers.

  • Cloud Customer. (Customer) The entity who requests, purchases, rents and/or leverages Cloud Resources made available by a Cloud Provider. Using the allocated Cloud Resources, a Cloud Customer can optionally deploy and share content, functionality, applications and services that can be accessed and used by Cloud Consumers.

  • Cloud Consumer. (Consumer) The entity who accesses or makes use of content, functionality, applications and services being offered by a Cloud Customer.

Security Recommendations for Providers of Cloud Computing Services

To promote greater security as well as customer confidence in and adoption of Cloud Computing architectures and services, Cloud Providers are strongly encouraged to embrace and embody the following three recommendations:
  • Recommendation #1: All management and control interactions between Cloud Providers and Cloud Customers must take place over secure channels that utilize standards-based protocols and support authentication, authorization, confidentiality, integrity and accountability.  Without these basic protections, the provider and its customers are vulnerable to unwanted disclosure, impersonation, identity and/or service theft or misuse, and repudiation.  These protections must exist for Customers when they access the services offered by the Cloud Provider for the purposes of signup, provisioning, payment, monitoring, and other management and control related functions.

    • Note #1: Providers should move to offer strong mutual authentication mechanisms for their Customers in order to provide greater protection for Customer accounts. Given that management and control interactions have very real financial impact, it is critical that these mechanisms be protected by more than just a simple password.

    • Note #2: If a Provider must use password authentication to grant Customer access to account, control and management functions, then the Provider should take steps to ensure that the passwords chosen are strong and passed only over encrypted channels. Today, very few Providers enforce strong password composition rules that are otherwise in effect throughout modern enterprises. Additional access monitoring to detect and prevent fraudulent access is also advised.

  • Recommendation #2: By default, Resources allocated by the Provider shall not interact with any other Resource not owned by the same Customer.  This includes (physical or virtual) compute, networking and storage resources, (virtual) applications and services, and other related objects.  The Customer to which a Resource is assigned is called its “owner”.  This recommendation is necessary to ensure that objects that exist in the Cloud are not inadvertently exposed to unauthorized consumers.

    • Note #3: The Provider may offer a mechanism to allow Customers to manage access to the Resources that they own thereby allowing other Customers or Cloud Consumers to access their content and services.  A default deny policy is recommended regardless of what other access configurations may be possible.

    • Note #4: If some aspect of a Resource is to be shared between multiple Customers, the Provider must implement security controls that ensure that the intended owner of the object is compartmentalized from the rest of the population.  The Provider must enforce sufficient protections preventing unauthorized access, manipulation or destruction of objects under their care.  That is, a Provider must be able to demonstrate that security protections are in place preventing Customer A from accessing, manipulating or destroying Resources associated with Customer B.  Ideally, these controls will be validated using a trusted third party who will act as an auditor.  The Provider should make available (sanitized) audit reports to Customers as requested.

  • Recommendation #3: Providers must implement controls preventing the accidental or malicious access, use, modification or destruction of Resources under their care.  As Providers have physical access to the underlying infrastructure, they can circumvent many common security protections.  Consequently, it is imperative that Providers implement controls that restrict their own employees' access to Resources.  Further, all authorized access must be audited and regularly reviewed in order to promote accountability and ensure that actions are taken in accordance with their stated security policy.

It should be stated that these recommendations should be implemented in a manner that does not significantly compromise a Customer's ability to easily, efficiently and reliably use the Cloud services offered by the Provider. In future articles, I would like to explore these areas in more detail as well as discuss some of the security burden that is placed squarely on IaaS Customers.
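
The default-deny ownership rule of Recommendation #2 and the owner-managed sharing of Note #3, sketched as an added example that is not part of the original article or any Provider's API. The class names, the audit tuple layout and the choice to allow same-owner interaction are assumptions, and the customers and Resources are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:
    rid: str    # Resource identifier (constructed sample values below)
    owner: str  # the Customer to which the Resource is assigned

@dataclass
class IsolationPolicy:
    # (resource id, grantee) -> allowed actions; empty means nothing is shared
    grants: dict = field(default_factory=dict)
    # Every decision is recorded so access can be reviewed (Recommendation #3)
    audit: list = field(default_factory=list)

    def grant(self, actor, resource, grantee, action):
        """Share one action on a Resource; only its owner may do so (Note #3)."""
        if actor != resource.owner:
            self.audit.append(("grant", actor, resource.rid, action, "DENY"))
            raise PermissionError(f"{actor} does not own {resource.rid}")
        self.grants.setdefault((resource.rid, grantee), set()).add(action)
        self.audit.append(("grant", actor, resource.rid, action, "ALLOW"))

    def revoke(self, actor, resource, grantee, action):
        """Withdraw a previously shared action; again owner-only."""
        if actor != resource.owner:
            self.audit.append(("revoke", actor, resource.rid, action, "DENY"))
            raise PermissionError(f"{actor} does not own {resource.rid}")
        self.grants.get((resource.rid, grantee), set()).discard(action)
        self.audit.append(("revoke", actor, resource.rid, action, "ALLOW"))

    def check(self, source, target, action):
        """May the `source` Resource perform `action` on the `target` Resource?"""
        same_owner = source.owner == target.owner  # assumption: allowed
        shared = action in self.grants.get((target.rid, source.owner), set())
        decision = "ALLOW" if (same_owner or shared) else "DENY"  # default deny
        self.audit.append(("access", source.owner, target.rid, action, decision))
        return decision == "ALLOW"

def demo():
    """Constructed scenario: Customer A owns a VM and a volume, B owns a VM."""
    policy = IsolationPolicy()
    vm_a = Resource("vm-a1", "customer-a")
    vol_a = Resource("vol-a1", "customer-a")
    vm_b = Resource("vm-b1", "customer-b")
    results = [policy.check(vm_a, vol_a, "read"),   # same owner
               policy.check(vm_b, vol_a, "read")]   # cross-tenant, no grant
    policy.grant("customer-a", vol_a, "customer-b", "read")
    results += [policy.check(vm_b, vol_a, "read"),  # explicitly shared
                policy.check(vm_b, vol_a, "write")] # never shared
    return results, policy.audit
```

The audit list holds denied requests as well as allowed ones, which is what a reviewer needs to spot cross-tenant probing.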
