8 - 9 March 2016

Brussels, Belgium


Secure Federated Intercloud Tool Box

Monique Morrow
The Situation
Challenges posed by new technology transitions: Multi-tenancy is a good example. Instead of having a physically dedicated infrastructure (servers, switches, storage) for each application, business unit, or function, large virtual and cloud infrastructures use multi-tenancy to logically separate those business groups that require a protected and trusted virtual computing environment. Secure data flow between these segmented environments must ensure that data flows only into and out of its assigned tenant and only persons or services with approved access to that tenant can add or retrieve data.
Visibility: Maintaining compliance and providing visibility into the virtual and cloud data center is of primary concern. Customers want to ensure that the security controls that are used in the physical world are also present in the virtual domain.  
Proliferation of mobile devices: IT departments are grasping for any standard or proven approaches that make bring your own device (BYOD) access of enterprise resources both secure and reliable. The task is dauntingly complex, and new and unforeseen consequences of BYOD are cropping up regularly.

Taking an architectural approach helps in resolving these challenges by:
  1. Hardening an infrastructure before a security threat;
  2. Performing forensics and mitigation during a security incident and;
  3. Performing post-mortem procedures after an event to avoid similar incidents in the future.
An attacker may attempt to use the Intercloud framework to launch various attacks against other systems.  The Intercloud framework provides various functions that can be abused by an attacker.  
Clearly the chain –of-trust rule must be in place when considering a federated model.
In general the attacker may wish to do the following:
  1. Compromise the confidentiality, authenticity, and availability of network functions and data flowing over the network;
  2. Compromise the confidentiality, authenticity and availability of network attached devices and data on those devices;
  3. Compromise the access control or availability of devices used by the Intercloud framework;
  4. Compromise the access control or availability of services provided by the Inter-cloud framework;
  5. Obtain services or resources under false pretenses. 
The value of the assets affected is variable from trivial to large amounts of money. An attacker is assumed to have access to network links and therefore can act as a man-in-the-middle that might be able to observe and modify all traffic. The attacker could modify any portion of the message including the address, header and payload.  The attacker could selectively insert and delete messages. The attacker may not have access to all links simultaneously, however the attacker can capture a packet at one location and replay it at another immediately or at some later point in time of his choice. It is possible that some links may be difficult to compromise because of physical security and other topological restrictions, however such restrictions typically limit the ways in which the system can be deployed and are undesirable. If such restrictions are part of the solution then the system needs to still evaluate how attacks on other links can compromise the protected link (off path attacks). An enumeration of what solution aspects rely upon the security of the link in order to determine the risk associated with compromise and how much resources should be spent on protecting it. 
Attacks on Devices and Hosts
It is possible that an attacker may be able to compromise the devices and hosts that make up the solution. In general an attacker given enough resources and compromise any host, however not all hosts present the same risk of compromise. A host may be compromised remotely because of software design or implementation vulnerabilities.  All hosts may also be compromised through local physical access. A host compromise may be complete in which all information on the host and functions of the host are available to an attacker.  A host may be compromised so it can be used in an unauthorized manner, but not all information may be compromised. A host may be rendered unavailable without compromising the functions it performs or data that it contains. The analysis should consider what happens if hosts are compromised in certain ways what the effect is on the system. This helps identify which hosted functions and data are the most important to protect. Some hosts will be critical and require more resources expenditure by the customer and vendor to assure security. The analysis should also consider whether an authorized host can be used in an inappropriate way by an attacker. 
Attack Vectors
This section describes potential vectors for an attacker to reach their goals.  This analysis in the following sections of the document will focus on vectors that make use of the Inter-Cloud framework.  They do not cover threats and mitigation outside of the Inter-Cloud framework other than to describe the possible use as an attack vector manipulated by the Intercloud framework.

Network Vectors
Since the Intercloud framework has a protocol that is carried over the Internet, its messages can potentially be observed and manipulated by an attacker.
  • An attacker may generate, manipulate or delete messages that control the workloads.
  • An attacker may manipulate responses from end systems to falsify data so the administrator thinks that the resource is other than what it should be or the state of a workload is different than what it actually is. ?
  • An attacker may observe protocol messages and extract information, such as topology information, performance information, and physical location that may be useful in planning physical or cyber attacks.  
  • An attacker may attempt to manipulate protocol messages to attack a workload through the network. 
  • An attacker may observe, generate and manipulate protocol messages in order to attack the Intercloud framework or other systems. 
Host and Device Compromise
A host or device may be partially or completely compromised by an attacker.   If an attacker fully compromises a host then he can use the host or device to perform any function for which it is authorized and obtain and modify any data that is on the host.  Only some of the data and functions are available on a host that is partially compromised.   
Service Discovery
A participant in the Intercloud framework uses a discovery mechanism so that its' service can be discovered by the Intercloud  framework.  This allows the endpoints of the Intercloud framework to create an inventory of services.  
These messages will contain identity and attribute information. If these messages are spoofed then the endpoints will have an incorrect understanding of what services are available.  Therefore, these messages should be accompanied by entity authentication and integrity protection.     

Risk of Device Compromise
Any device may be partially or completely compromised with a network, however in general some hosts have a higher risk of compromise than others.   This may be due to their physical location, vulnerabilities in their software, number and type of users that operate the system, and type of hardware amongst other things. 
Endpoints have varying levels of risk associated with being compromised, some will be heavily protected and others may be out in the open with almost no protection.   They will be implemented on a wide variety of systems with a wide variety of usage models.  A general assumption for the Intercloud framework is that endpoints as a general class have a high risk of compromise as they are directly interfaced to the Internet.
Peer Entity Authentication
Peer entity authentication establishes the identity of a peer as the first step in determining what level of trust and authorization to place in it.  In order to perform peer entity authentication it is necessary to assign an identity to each entity that can be cryptographically verified.   It is desirable for authentication to be mutual.  Different types of entities can make use of different types of credentials to establish identity.  Some types of credentials that are typically supported are pre-shared keys, certificates, passwords, tokens, and smart cards. Peer entity authentication forms the basis for providing identity-based accounting and auditing.   The authentication credentials or authentication mechanism may provide a way to establish cryptographic key material to provide message authentication, integrity protection and encryption.  Credential based authorization provides a mechanism that allows an entity to prove it is authorized for some purpose.  The authorization credential can be directly tied to an identity authenticated during peer entity authentication.  Some examples of this include a attribute certificates and SAML assertions.  In other cases it may be a separately validated credential such as a group symmetric key that proves membership in a group.    In the later case it may not be possible to uniquely identify any one peer in a group so identity based accounting and auditing is more of a challenge.   The mechanism for proving possession of the authorization credentials may provide a way to establish cryptographic key material to provide message authentication, integrity protection and encryption. 
Message Integrity and Authentication
Message integrity and authentication techniques ensure that data transmitted between peers has not been modified.   These mechanisms are rooted in key material based on peer entity authentication or authorization credentials.  If the authenticated key material is based on peer entity authentication then only the communicating peers have the authorization to modify or generate messages.  If the key material is based directly on an authorization credential then any authorized party can modify or generate messages. Message integrity should also take care to mitigate replay attacks.  

Encryption is used to protect messages from unauthorized viewing.   Encryption keys can be based on peer authentication credentials or exchanges, in which case they protect the data from unauthorized viewing by anyone but the communicating parties.  If the encryption keys are based directly on authorization credentials or exchanges then any authorized party can observe the messages.
Accounting and Auditing
Accounting and auditing are used to monitor and validate correct operation of the framework.  All authorized transactions should be logged along with the identities and authorizations involved.   Note that if the logged identities are not based on peer entity authentication it may not be possible to trace back a problem directly to the misbehaving entity.

Identity-Based Authorization
In many cases, authorization is performed by taking an identity that is authenticated during peer entity authentication and using it to look up authorizations in an ACL or database.  Note that other identities besides peer identities may be used to look up entries in a database, however if these are not tied to peer entity authentication in some way identity-based accounting and auditing will be difficult. 
There is always a risk that part of the system may be compromised.  Principles of containment attempt to contain the risk of compromise of a given component as much as possible to limit how far the compromise can propagate throughout the system.  
Principle of Least Privilege
A component should not be given more privilege than what is necessary for it to perform its function.   This prevents a compromised component from over stepping its bounds and directly affecting unrelated areas of the system.
Separation of duties
The more functions a single entity performs the more valuable that entity becomes and the greater the resources needed to protect it.   Separation of duties goes hand-in-hand with least privilege to prevent compromised components from overstepping their bounds.  Separating out highly privileged components helps to reduce management costs by allowing security administrators to focus their resources. 

Managed Threat Defense
Due to the enormous volumes of network traffic generated on today’s enterprise networks it is difficult for customers to discover threat indicators in a comprehensive way. Shortages and costs of trained staff add to the difficulties. Even when threats are detected, customers with large and complex networks face difficulty in efficiently mitigating detected vulnerabilities and threats. Properly optimizing and configuring the production network becomes a challenge in many customer environments.

Cyber-insurance as a Service
Examples of Potential Coverage Areas:
  • Liability of companies arising from a breach of data protection laws and the management of personal data
  • Cover for 3rd party claims against the insured for breach of personal information (employee and customer) and corporate information
  • Data administrative investigations and fines from data protection regulators that are insurable at law
  • Crisis Management – includes: cyber incident response services following a data breach, PR repair of company and individual reputations, breach coaching, and notification and monitoring costs associated with a breach of information
  • Electronic data- includes: data restoration, recollection and recreation following a security breach or data leak
  • Data Liability – includes: personal data, corporate data, outsourcing and network security
  • Business / Network interruption – loss of net profit as a result of a material interruption to the insured’s network, after a DDOS attack or network security breach
  • Multimedia Liability – covering damage and defence costs incurred in connection with a breach of 3rd party intellectual property, or negligence in connection with electronic content
  • Cyber / Privacy Extortion – covering ransom payment (extortion loss) to 3rd parties incurred in terminating a security threat


Monique J. Morrow, CTO-Evangelist –New Frontiers