LECTURE 4
CLOUD SECURITY DESIGN PRINCIPLES
Historically, computer software was not written with security in mind; but because of the increasing frequency and sophistication of malicious attacks against information systems, modern software design methodologies include security as a primary objective. With cloud computing systems seeking to meet multiple objectives, such as cost, performance, reliability, maintainability, and security, trade-offs have to be made. A completely secure system will exhibit poor performance characteristics or might not function at all.
Technically competent hackers can usually find a way to break into a computer system, given enough time and resources. The goal is to have a system that is secure enough for everyday use while exhibiting reasonable performance and reliability characteristics.
In a 1974 paper that is still relevant today, Saltzer and Schroeder of the University of Virginia addressed the protection of information stored in a computer system by focusing on hardware and software issues that are necessary to support information protection. The paper presented the following 11 security design principles:
· Least privilege
· Separation of duties
· Defense in depth
· Fail safe
· Economy of mechanism
· Complete mediation
· Open design
· Least common mechanism
· Psychological acceptability
· Weakest link
· Leveraging existing components
The fundamental characteristics of these principles are summarized in the following sections.
1. Least Privilege
The principle of least privilege maintains that an individual, process, or other type of entity should be given the minimum privileges and resources for the minimum period of time required to complete a task. This approach reduces the opportunity for unauthorized access to sensitive information.
2. Separation of Duties
Separation of duties requires that completion of a specified sensitive activity or access to sensitive objects is dependent on the satisfaction of a plurality of conditions. For example, an authorization would require signatures of more than one individual, or the arming of a weapons system would require two individuals with different keys. Thus, separation of duties forces collusion among entities in order to compromise the system.
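The two-person rule described above, as an added example (not code from the lecture): a sensitive action is gated on approvals from at least two distinct principals holding different roles, and the requester cannot approve their own request. The action label and role names are constructed for illustration.

```python
"""Two-person rule for a sensitive cloud action (added example, not from the lecture).
The action runs only after approval by at least two distinct principals holding
different roles, and the requester can never count as one of its own approvers."""
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2   # the "plurality of conditions" the text describes


@dataclass
class Principal:
    name: str
    role: str            # constructed role names, e.g. "operator", "security-officer"


@dataclass
class SensitiveRequest:
    action: str          # hypothetical action label, e.g. "delete-bucket:prod-backups"
    requester: Principal
    approvals: dict = field(default_factory=dict)   # approver name -> Principal

    def approve(self, approver: Principal) -> None:
        # Self-approval would let one compromised account complete the action alone.
        if approver.name == self.requester.name:
            raise PermissionError("requester cannot approve own request")
        self.approvals[approver.name] = approver

    def is_authorized(self) -> bool:
        # Enough approvals from distinct people ...
        if len(self.approvals) < REQUIRED_APPROVALS:
            return False
        # ... who hold different roles, so collusion must cross a duty boundary.
        return len({p.role for p in self.approvals.values()}) >= REQUIRED_APPROVALS


def execute_if_authorized(req: SensitiveRequest) -> str:
    """Gate the action on the rule; returns a short audit-style outcome string."""
    if not req.is_authorized():
        return f"DENIED: {req.action} needs {REQUIRED_APPROVALS} approvers with distinct roles"
    return f"EXECUTED: {req.action}"


if __name__ == "__main__":
    alice = Principal("alice", "operator")
    req = SensitiveRequest("delete-bucket:prod-backups", requester=alice)
    req.approve(Principal("bob", "operator"))
    print(execute_if_authorized(req))   # DENIED: one approver only
    req.approve(Principal("carol", "security-officer"))
    print(execute_if_authorized(req))   # EXECUTED: two approvers, two roles
```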
3. Defense in Depth
Defense in depth is the application of multiple layers of protection wherein a subsequent layer will provide protection if a previous layer is breached.
4. Fail Safe
Fail safe means that if a cloud system fails it should fail to a state in which the security of the system and its data are not compromised.
5. Economy of Mechanism
Economy of mechanism promotes simple and comprehensible design and implementation of protection mechanisms, so that unintended access paths do not exist or can be readily identified and eliminated.
6. Complete Mediation
In complete mediation, every request by a subject to access an object in a computer system must undergo a valid and effective authorization procedure. Complete mediation entails the following:
1. Identification of the entity making the access request.
2. Verification that the request has not changed since its initiation.
3. Application of the appropriate authorization procedures.
4. Reexamination of previously authorized requests by the same entity.
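The four steps above, together with the fail safe principle from section 4, as an added example (not code from the lecture): a small reference monitor that identifies the subject, checks an HMAC tag to detect a request altered in transit, applies an explicit allow list, and re-examines earlier allows once a TTL expires or a permission is revoked. The key, the policy entries and the TTL are constructed values.

```python
"""Reference monitor for the four complete-mediation steps in the text (added
example, not code from the lecture). Any failed step or internal error denies."""
import hashlib
import hmac
import time

REQUEST_KEY = b"constructed-demo-key"   # constructed; a real system fetches this from a key manager
POLICY = {("alice", "read", "bucket:reports"),   # constructed allow list: (subject, action, object)
          ("alice", "write", "bucket:reports"),
          ("bob", "read", "bucket:reports")}
DECISION_TTL = 30.0   # seconds an earlier "allow" may be reused before it is re-examined

def sign_request(subject, action, obj, key=REQUEST_KEY):
    """Client-side integrity tag over the request fields; step 2 verifies it."""
    return hmac.new(key, f"{subject}|{action}|{obj}".encode(), hashlib.sha256).hexdigest()

class ReferenceMonitor:
    def __init__(self, policy=POLICY, ttl=DECISION_TTL):
        self.policy = set(policy)
        self.subjects = {s for s, _, _ in self.policy}   # identities the monitor knows
        self.ttl = ttl
        self._allowed_at = {}   # (subject, action, object) -> time of the last allow

    def check(self, subject, action, obj, tag, now=None):
        now = time.monotonic() if now is None else now
        key = (subject, action, obj)
        try:
            # 1. Identify the entity making the request; unknown subjects are denied.
            if subject not in self.subjects:
                return False
            # 2. Verify the request has not changed since the client signed it.
            if not hmac.compare_digest(sign_request(subject, action, obj), tag):
                return False
            # 4. A previously authorized request is reused only while fresh; once the
            #    TTL passes (or revoke() ran) it is re-examined against current policy.
            last = self._allowed_at.get(key)
            if last is not None and now - last <= self.ttl:
                return True
            # 3. Apply the authorization procedure: explicit allow list, default deny.
            if key in self.policy:
                self._allowed_at[key] = now
                return True
            return False
        except Exception:
            return False   # fail safe: an internal error never turns into an allow

    def revoke(self, subject, action, obj):
        # Systematic update: drop the permission and any remembered allow for it.
        self.policy.discard((subject, action, obj))
        self._allowed_at.pop((subject, action, obj), None)
```

The TTL bounds how stale a remembered decision can be; revoke() is the systematic update that keeps a remembered allow from outliving the permission behind it.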
7. Open Design
There has always been an ongoing discussion about the merits and strengths of security designs that are kept secret versus designs that are open to scrutiny and evaluation by the community at large. A good example is an encryption system. Some feel that keeping the encryption algorithm secret makes it more difficult to break. The opposing philosophy believes that exposing the algorithm to review and study by experts at large while keeping the encryption key secret leads to a stronger algorithm because the experts have a higher probability of discovering weaknesses in it.
8. Least Common Mechanism
This principle states that a minimum number of protection mechanisms should be common to multiple users, as shared access paths can be sources of unauthorized information exchange. Shared access paths that provide unintentional data transfers are known as covert channels. Thus, the least common mechanism promotes the least possible sharing of common security mechanisms.
9. Psychological Acceptability
Psychological acceptability refers to the ease of use and intuitiveness of the user interface that controls and interacts with the cloud access control mechanisms. Users must be able to understand the user interface and use it without having to interpret complex instructions.
10. Weakest Link
As in the old saying “A chain is only as strong as its weakest link,” the security of a cloud system is only as good as its weakest component. Thus, it is important to identify the weakest mechanisms in the security chain and layers of defense, and improve them so that risks to the system are mitigated to an acceptable level.
11. Leveraging Existing Components
One approach that can be used to increase cloud system security by leveraging existing components is to partition the system into defended sub-units. Then, if a security mechanism is penetrated for one sub-unit, it will not affect the other sub-units, and damage to the computing resources will be minimized.
SECURE CLOUD SOFTWARE REQUIREMENTS
“Cloud software security requirements address necessary attributes for software behavior and limitations on software functionality, whereas cloud software requirements are concerned with necessary software functionality and performance specifications.”
The requirements for secure cloud software are concerned with nonfunctional issues such as minimizing or eliminating vulnerabilities and ensuring that the software will perform as required, even under attack. This goal is distinct from security functionality in software, which addresses areas that derive from the information security policy, such as identification, authentication, and authorization.
The Department of Defense Data and Analysis Center for Software (DACS) states that all software shares the following three security needs:
· It must be dependable under anticipated operating conditions, and remain dependable under hostile operating conditions.
· It must be trustworthy in its own behavior, and in its inability to be compromised by an attacker through exploitation of vulnerabilities or insertion of malicious code.
· It must be resilient enough to recover quickly to full operational capability with a minimum of damage to itself, the resources and data it handles, and the external components with which it interacts.
In the following sections, cloud software considerations related to functional security and secure properties are explored in the context of software requirements engineering. Secure requirements for security-related cloud software functions generally define what the software has to accomplish to perform a task securely.
Secure Development Practices
There are many methods for developing code. Any of them can be used to develop a secure cloud application. Every development model must have both requirements and testing. In some models, the requirements may emerge over time. It is very important that security requirements are established early in the development process.
Security in a cloud application tends to be subtle and invisible. Security is prominent at only two times in the development life cycle: requirements definition and testing. At other times, deadlines, capabilities, performance, the look and feel, and dozens of other issues tend to push security to the back. This is why it is important to ensure that security requirements are prominent at the beginning of the software development life cycle. In many respects, the tools and techniques used to design and develop clean, efficient cloud applications will support the development of secure code as well.
Special attention, however, should be shown in the following areas:
· Handling data — Some data is more sensitive and requires special handling.
· Code practices — Care must be taken not to expose too much information to a would-be attacker.
· Language options — Consider the strengths and weaknesses of the language used.
· Input validation and content injection — Data (content) entered by a user should never have direct access to a command or a query.
· Physical security of the system — Physical access to the cloud servers should be restricted.
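The input validation point above, as an added example (not code from the lecture): user-entered content concatenated into SQL text beside the same lookup done with a bound parameter, so the content is handled as a value and can never change the query. The table, rows and the crafted input are constructed; sqlite3 is used so the example runs offline.

```python
"""Keeping user-entered content out of the query structure (added example, not
code from the lecture). The tenant table and the lookup inputs are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (name TEXT, api_quota INTEGER)")
    conn.executemany("INSERT INTO tenants VALUES (?, ?)",
                     [("acme", 100), ("globex", 250), ("initech", 50)])
    return conn


def quota_unsafe(conn, tenant_name):
    """'Before': the user's string becomes part of the SQL text, so quote
    characters in it change what the query means instead of being data."""
    sql = f"SELECT api_quota FROM tenants WHERE name = '{tenant_name}'"
    return [row[0] for row in conn.execute(sql)]


def quota_safe(conn, tenant_name):
    """'After': a bound parameter. The database receives the query structure
    and the value separately, so the value can never alter the command."""
    sql = "SELECT api_quota FROM tenants WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (tenant_name,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input containing quote characters, as a hostile user might type.
    crafted = "x' OR '1'='1"
    print(quota_unsafe(conn, crafted))   # every tenant's quota leaks
    print(quota_safe(conn, crafted))     # []  no tenant is literally named that
```

The same rule applies to OS commands: pass arguments as a list to the process API rather than building a shell string from user content.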
Approaches to Cloud Software Requirements Engineering
Cloud system software requirements engineering demands extensive interaction with the user, and the product of the process includes both nonfunctional and functional software performance characteristics. The figure below illustrates the major elements of the software requirements engineering process.
A further figure below illustrates additional elements that can be used to augment traditional software requirements engineering to increase cloud software security.