Security Management in the Cloud - Access Control

12/4/2010 3:29:17 PM
Generally speaking, access control management is a broad function that encompasses access requirements for your users and system administrators (privileged users) who access network, system, and application resources. The access control management functions should address the following:
  • Who should have access to what resource? (Assignment of entitlements to users)

  • Why should the user have access to the resource? (Assignment of entitlements based on the user’s job functions and responsibilities)

  • How should you access the resource? (What authentication method and strength are required prior to granting access to the resource)

  • Who has access to what resource? (Auditing and reporting to verify entitlement assignments)

The aforementioned aspects of the access control domain should be addressed by your organization’s access policies and standards and aligned with the user’s roles and responsibilities, including end users and privileged system administrators.

1. Access Control in the Cloud

In a cloud computing consumption model, where users are accessing cloud services from any Internet-connected host, network access control will play a diminishing role. The reason is that traditional network-based access controls are focused on protecting resources from unauthorized access based on host-based attributes, which in most cases is inadequate, is not unique across users, and can cause inaccurate accounting. In the cloud, network access control manifests as cloud firewall policies enforcing host-based access control at the ingress and egress points of entry to the cloud and logical grouping of instances within the cloud. This is usually achieved using policies (rules) using standard Transmission Control Protocol/Internet Protocol (TCP/IP) parameters, including source IP, source port, destination IP, and destination port.

In contrast to network-based access control, user access control should be strongly emphasized in the cloud, since it can strongly bind a user’s identity to the resources in the cloud and will help with fine granular access control, user accounting, support for compliance, and data protection. User access management controls, including strong authentication, single sign-on (SSO), privilege management, and logging and monitoring of cloud resources, play a significant role in protecting the confidentiality and integrity of your information in the cloud.

ISO/IEC 27002 has defined six access control objectives that cover end user, privileged user, network, application, and information access control. Readers are encouraged to assess cloud services and understand the relevant ISO/IEC 27002 control objectives that mitigate the most risk for the business. The following user access management control statement from ISO 27002 is particularly relevant to cloud services:

Objective: To ensure authorized user access and to prevent unauthorized access to information systems. Formal procedures should be in place to control the allocation of access rights to information systems and services. The procedures should cover all stages in the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

The following are the six control statements:

  • Control access to information.

  • Manage user access rights.

  • Encourage good access practices.

  • Control access to network services.

  • Control access to operating systems.

  • Control access to applications and systems.

Similar to ISO 27002, ITIL dictates an access management function that was added as a new process to ITIL v3. The decision to include this dedicated process was motivated by IT security reasons: from an IT security perspective, granting access to IT services and applications only to authorized users should be of high importance.

The objective of this function is to grant authorized users the right to use a service, while preventing access to non-authorized users. The access management processes essentially execute policies defined in IT security management.

2. Access Control: SaaS

In the SaaS delivery model, the CSP is responsible for managing all aspects of the network, server, and application infrastructure. In that model, since the application is delivered as a service to end users, usually via a web browser, network-based controls are becoming less relevant and are augmented or superseded by user access controls, e.g., authentication using a one-time password. Hence, customers should focus on user access controls (authentication, federation, privilege management, deprovisioning, etc.) to protect the information hosted by SaaS. Some SaaS services, such as Salesforce.com, add network access control (e.g., source IP address or network-based restrictions) on top of user access control, in which case customers have the option to enforce access based on both network and user policy parameters.

Support for user access control is not consistent across providers, and capabilities may vary. A small set of CSPs (mostly large SaaS providers, such as Salesforce.com, Google, and Microsoft) are beginning to pay attention to enterprise IAM requirements, including support for standards such as SAML that facilitate SSO using identity federation techniques. However, given the early adoption cycle by large enterprises, from an enterprise perspective the IAM capabilities are primitive at best. Customers should continue to demand that their CSPs provide IAM features, including SAML support, user provisioning using SPML, and an open API to support various user and access automation processes. Organizations should leverage their established identity management practices, processes, and architecture (e.g., IdP) to support user access management and federation.

3. Access Control: PaaS

In the PaaS delivery model, the CSP is responsible for managing access control to the network, servers, and application platform infrastructure. However, the customer is responsible for access control to the applications deployed on a PaaS platform. Access control to applications manifests as end user access management, which includes provisioning and authentication of users.

Support for user access control is not consistent across providers, and capabilities may vary. As of this writing, major PaaS providers—with the exception of Force.com and Microsoft Azure (still in beta)—offer rudimentary user access management support. Enterprises that leverage their internal identity provider (IdP) will have to understand PaaS capabilities, including support for federation. It is conceivable for a PaaS CSP to offer a standard API such as OAuth to manage authentication and access control to applications. For example, Google supports a hybrid version of an OpenID and OAuth protocol that combines the authorization and authentication flow in fewer steps to enhance usability. You could also delegate authentication to your IdP if the CSP supports federation standards, such as the Security Assertion Markup Language (SAML).

4. Access Control: IaaS

IaaS customers are entirely responsible for managing all aspects of access control to their resources in the cloud. Access to the virtual servers, virtual network, virtual storage, and applications hosted on an IaaS platform will have to be designed and managed by the customer. In an IaaS delivery model, access control management falls into one of the following two categories:

  • CSP infrastructure access control: access control management to the host, network, and management applications that are owned and managed by the CSP.

  • Customer virtual infrastructure access control: access control management to your virtual servers (virtual machines or VMs), virtual storage, virtual networks, and applications hosted on virtual servers.

4.1. CSP infrastructure access control

The CSP is responsible for managing access control to the administrative network that is used to perform administrator functions. This includes access control to administrative processes, such as backups, host (hypervisor) and network maintenance, router and firewall policy management, and system monitoring and management. Access to administrative functions should be protected using strong authentication and role-based access control. Strong operational procedures should be implemented to support the provisioning and revocation of administrative privileges. Periodic access control audits and administrative user certifications should be implemented to validate least privileges and separation of duties. In this regard, the aforementioned AWS security white paper states that:

Amazon.com’s Information Security Policies, followed by AWS, are guided by the fundamental principle of least privilege. Least privilege protects customer information assets by requiring that no individual, program or system is granted more access privileges than are necessary to perform the task. Any employee found to have violated this policy may be subject to disciplinary action, including termination.

4.2. Customer virtual infrastructure access control

To start with, IaaS customers must understand the virtual resources (network, host, firewall, load balancers, management console, etc.) and the available protection mechanisms to restrict access to authorized users. It is not uncommon for CSPs to provide customers with full root access and administrative control over rented virtual servers. In addition, customers can be assigned privileges to manage network access policies for both the ingress and egress of their virtual network and virtual servers. Hence, the customer is responsible for taking the necessary steps to protect access to virtual resources.


Note:

It is a standard practice for IaaS CSPs to provide APIs (REST, SOAP, or HTTP with XML/JavaScript Object Notation [JSON]) to perform most management functions, such as access control from a remote location. Some providers also offer a web-based console from which access control features can be invoked. Organizations consuming IaaS services should design and implement access management processes with access request or approval and a gatekeeper, and maintain a catalog of privileged users who have access to IaaS resources.


Consider the following areas when managing access control of your infrastructure in the cloud:


Network access control

Check with the provider on the default configuration of the network access that is typically enforced by a firewall managed by the CSP. It is customary for CSPs to deny all access to your virtual servers by default (factory settings), which automatically denies all inbound traffic to your virtual servers. This forces you to explicitly add new rules to allow access to your virtual servers in the cloud—for example, allow access to IP 10.0.0.1 from 192.168.0.1 to port 22 (Secure Shell or SSH), where 10.0.0.1 is the IP address of the virtual server and 192.168.0.1 is the trusted IP address from which 10.0.0.1 can be accessed using SSH. Amazon EC2 offers network group features that allow the creation of multiple security groups to enforce different ingress policies as needed. According to Amazon, a customer can control each security group with a PEM-encoded X.509 certificate and restrict traffic to each EC2 instance by protocol, service port, or source IP address.
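The following Python is an added illustration, not code from the book or from any CSP: it models the default-deny ingress evaluation described above, using the text's SSH rule (10.0.0.1 reachable on port 22 only from 192.168.0.1) as a constructed sample group, and adds a check that flags administrative ports opened to any source. The rule fields and the list of administrative ports are assumptions, not any provider's API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: ports treated as administrative for the permissiveness check.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    """One ingress allow rule: protocol, port range and source CIDR."""
    proto: str        # "tcp" or "udp"
    port_from: int
    port_to: int
    source: str       # CIDR, e.g. "192.168.0.1/32" for a single trusted host

    def matches(self, proto, port, src_ip):
        return (self.proto == proto
                and self.port_from <= port <= self.port_to
                and ip_address(src_ip) in ip_network(self.source, strict=False))


def is_allowed(rules, proto, dst_port, src_ip):
    """Default deny: inbound traffic passes only if some rule explicitly allows it."""
    return any(r.matches(proto, dst_port, src_ip) for r in rules)


def overly_permissive(rules):
    """Flag rules that expose an administrative port to every source address."""
    findings = []
    for r in rules:
        if ip_network(r.source, strict=False).prefixlen != 0:
            continue  # restricted to a specific network, not world-open
        for port, name in sorted(ADMIN_PORTS.items()):
            if r.port_from <= port <= r.port_to:
                findings.append(f"{name} ({port}/{r.proto}) open to {r.source}")
    return findings


# Constructed sample matching the text: SSH to the server only from 192.168.0.1.
SSH_FROM_TRUSTED = [Rule("tcp", 22, 22, "192.168.0.1/32")]

if __name__ == "__main__":
    print("trusted host ->", is_allowed(SSH_FROM_TRUSTED, "tcp", 22, "192.168.0.1"))
    print("other host   ->", is_allowed(SSH_FROM_TRUSTED, "tcp", 22, "203.0.113.5"))
    print(overly_permissive([Rule("tcp", 0, 65535, "0.0.0.0/0")]))
```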


Virtual server access control

Virtual servers running your preferred OS (Linux, Solaris, or Windows) should be protected with access controls, such as OS authentication mechanisms. It is a standard practice to configure Unix servers with SSH-based logins with strong authentication. Strong authentication protects against several security threats (e.g., IP spoofing, fake routes, man-in-the-middle, and DNS spoofing). The authentication methods include Rivest-Shamir-Adleman (RSA) encryption algorithm-based host authentication, pure RSA authentication, one-time passwords with S/Key, and authentication using Kerberos. When using RSA keys, it is recommended that the keys are stored in a secure form of media and that they are secured with a passphrase. These measures help to protect your keys from unauthorized users.
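As an added example (not from the book), the following Python audits an sshd_config against the key-based login practice described above and reports whether a private key file is actually passphrase-protected, for both PEM and openssh-key-v1 formats. The baseline keyword values are an assumption, and the sample config and key blob are constructed.

```python
import base64
import re
import struct

# Assumption: a conservative sshd baseline for a cloud virtual server
# (keyword -> acceptable values, lower-cased). Unset keywords are reported
# because sshd defaults differ between versions; be explicit.
BASELINE = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}


def parse_sshd_config(text):
    """Effective global settings: sshd keeps the first value given for a keyword,
    and directives after a Match block apply only conditionally (skipped here)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0].lower() == "match":
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].lower())
    return effective


def audit_sshd_config(text):
    """Return deviations from BASELINE (empty list means compliant)."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok in BASELINE.items():
        got = settings.get(key, "unset")
        if got not in ok:
            findings.append(f"{key}={got} (expected one of {sorted(ok)})")
    return findings


def private_key_cipher(key_text):
    """Cipher protecting a private key file; 'none' means no passphrase."""
    if "BEGIN OPENSSH PRIVATE KEY" not in key_text:
        # Legacy PEM keys: encrypted ones carry Proc-Type/DEK-Info headers.
        m = re.search(r"DEK-Info:\s*([\w-]+)", key_text)
        return m.group(1) if "Proc-Type: 4,ENCRYPTED" in key_text and m else "none"
    body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    (n,) = struct.unpack(">I", blob[off:off + 4])   # length-prefixed ciphername
    return blob[off + 4:off + 4 + n].decode()


# Constructed samples: a weak config and a header-only openssh-key-v1 blob.
WEAK_CONFIG = "PasswordAuthentication yes\nPermitRootLogin yes\n"
def fake_openssh_key(cipher):
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```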


Cloud management station

Management of your virtual resources on the cloud is usually accomplished from a client system with applications that manipulate remote resources using a CSP-proprietary API (REST, SOAP, or HTTP with XML/JSON). A client management toolkit (supplied by the CSP) is installed on the management station, which interacts with the CSP management service via the published API. Because the station contains sensitive information, including host and user keys, and firewall policies, the cloud management station should be viewed as a command and control center for the cloud infrastructure. Hence, access to the management station should be protected with strong authentication and sound access provisioning procedures.


Web-based console

Some CSPs supplement the cloud management station with a web-based console feature by which customers can manage access to their virtual infrastructure in the cloud. The console offers an alternative means to the cloud management station for managing the cloud infrastructure. Similar to the management station, the console offers access to sensitive information, including access to your host keys and firewall policies with just a few mouse clicks; it acts as a management station for your cloud infrastructure. Because the web console is a powerful tool that can control your virtual network and virtual server instances, you should adequately protect console access. For example, the web console should be accessed only with HTTPS protocol.

5. Access Control Summary

Access control is a critical security management function in the SPI (SaaS, PaaS, and IaaS) cloud delivery model and across the standard deployment models (public, private, and hybrid). Access management is critical to protecting your information hosted in SPI clouds and may be the primary means of security control in the absence of encryption and other data controls. As of this writing, access management features in public clouds are not consistent and are still evolving. In their current form, access control capabilities offered by CSPs may not be adequate for enterprise customers, for the following reasons:

  • Access control mechanisms, practices, and processes are not standardized across CSPs. To effectively manage access control to their virtual cloud infrastructure, customers have to make an extra effort to understand the CSP-specific access control features and customize them on a CSP basis.

  • The lack of a standard API across CSPs makes it very difficult to manage access across multiple clouds. For example, SAML support is not available from any of the major CSPs, including AWS.

  • User access controls to cloud resources are generally weak. Access controls from CSPs typically support granular network-level access management, but coarse user access management. User access controls mostly address the authentication aspects and are rudimentary at best for managing user authorization to the cloud infrastructure. CSPs should offer granular privilege access based on roles that support the principles of least privilege and separation of duties (e.g., console manager, network access manager, zone manager, host manager).
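The Python below is an added example, not from the book: it runs the entitlement review implied by the four questions at the start of this section (who has what, why, how, and who actually has what) over the roles named in the bullet above, checking least privilege, a separation-of-duties rule and authentication strength. The job-to-role mapping, the conflicting role pair, the resources per role and the required authentication levels are all assumptions, and the user population is constructed.

```python
from dataclasses import dataclass

# Roles named in the summary; the resources each role may manage are assumed.
ROLE_RESOURCES = {
    "console manager": {"web-console"},
    "network access manager": {"firewall-policy"},
    "zone manager": {"security-groups"},
    "host manager": {"vm-instances"},
}
# Assumption ("why"): which job functions justify which roles.
JOB_ROLES = {
    "network engineer": {"network access manager"},
    "platform engineer": {"zone manager", "host manager"},
    "cloud operator": {"console manager"},
}
# Assumption: separation of duties, one person may not hold both of these roles.
SOD_CONFLICTS = [frozenset({"network access manager", "zone manager"})]
# Assumption ("how"): minimum authentication strength per resource.
AUTH_RANK = {"password": 0, "ssh-key": 1, "mfa": 2}
REQUIRED_AUTH = {"web-console": "mfa", "firewall-policy": "mfa",
                 "security-groups": "mfa", "vm-instances": "ssh-key"}


@dataclass(frozen=True)
class User:
    name: str
    job: str
    roles: frozenset
    auth: str  # strongest authentication method the user is enrolled for


def review_entitlements(users):
    """Least-privilege, separation-of-duties and authentication-strength findings."""
    findings = []
    for u in users:
        for role in sorted(u.roles - JOB_ROLES.get(u.job, set())):
            findings.append(f"{u.name}: role '{role}' not justified by job '{u.job}'")
        for pair in SOD_CONFLICTS:
            if pair <= u.roles:
                findings.append(f"{u.name}: separation-of-duties conflict {sorted(pair)}")
        for res in sorted(r for role in u.roles for r in ROLE_RESOURCES.get(role, ())):
            if AUTH_RANK[u.auth] < AUTH_RANK[REQUIRED_AUTH[res]]:
                findings.append(f"{u.name}: {res} requires {REQUIRED_AUTH[res]}, has {u.auth}")
    return findings


def who_has_access(users):
    """'Who has access to what resource?': resource -> sorted user names."""
    report = {}
    for u in users:
        for role in u.roles:
            for res in ROLE_RESOURCES.get(role, ()):
                report.setdefault(res, set()).add(u.name)
    return {res: sorted(names) for res, names in sorted(report.items())}


# Constructed sample population.
USERS = [
    User("alice", "network engineer", frozenset({"network access manager"}), "mfa"),
    User("bob", "platform engineer", frozenset({"zone manager", "host manager"}), "ssh-key"),
    User("carol", "network engineer", frozenset({"network access manager", "zone manager"}), "mfa"),
]
```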

In summary, from an enterprise customer perspective, access management is an essential security process to protect the confidentiality, integrity, and availability (CIA) of information hosted in the cloud. A robust access management program should include procedures for provisioning, timely deprovisioning, flexible authentication, privilege management, accounting, auditing, and support for compliance management. Cloud customers should understand the CSP-specific access control features for networks, systems, and applications, and appropriately manage access.
