Understanding Cloud Computing

Cloud computing refers to any type of computing services provided over the Internet. It has become quite popular in recent years. Cloud computing is very cheap and sometimes free, although there are some security concerns.

Three common services are provided through the cloud:

Software-as-a-Service (SaaS) Also known as on-demand software, SaaS provides users with access to software or applications over the Internet. For example, Google provides several applications through the cloud, including Gmail for e-mail and Google Docs for other types of files, such as spreadsheets, presentations, and word processing documents. Users access the applications with a web browser, which provides support for different operating systems. Users can run Internet Explorer on a Windows system, Chrome on a Linux system, or just about any other current web browser on any other system.

Platform-as-a-Service (PaaS) PaaS provides users with an operating system available over the Internet, without the need for users to purchase the hardware and software. Users can use this platform to develop their own applications and make them available over the Internet. The cloud maintains the platform, reducing operating costs for the users. Two big players in PaaS today are Amazon with Cloud Computing Services and Google with its Google App Engine.

Infrastructure-as-a-Service (IaaS) IaaS is sometimes called hardware-as-a-service, and this is a good way to think of it. Users rent access to hardware such as servers and networking infrastructure, which are maintained by the cloud provider. The user can manipulate this hardware in any way desired, but maintenance of the hardware is completely the responsibility of the cloud provider.


EXAM TIP Cloud computing includes SaaS, PaaS, and IaaS, and it’s important to know the difference between these three services.


Virtualization

Many cloud providers use virtualization technologies. For example, the Amazon Elastic Compute Cloud (Amazon EC2) makes heavy use of virtualization. When customers rent PaaS or IaaS services through Amazon EC2, they rent access to virtual systems.


NOTE Virtualization is not limited to the cloud. Organizations often use virtualization to reduce expenses such as the costs for power and cooling.


Amazon hosts powerful physical servers, and each of these physical servers can host multiple virtual machines (VMs). From a user’s perspective, the virtual machine appears the same as a physical machine. One of the benefits of Amazon EC2 is that it is elastic. Capacity can easily shrink or expand based on the demand of a customer. In this way, users pay only for what they’re using.

However, when a single physical system hosts multiple virtual systems, there are some increased risks. For example, VM Escape is a known attack against virtualized systems. An attacker can sometimes run code from within a virtual system that allows it to interact with the physical system (the host). When this succeeds, the attacker can then access all the virtual machines on the host.

As VM Escape vulnerabilities are discovered, vendors release patches. With this in mind, it’s important to keep virtual hosts up to date.


EXAM TIP VM Escape is a known attack against virtual systems. If successful, an attacker can access the host system and all virtual systems within the host.


Although VM Escape is widely considered the most serious vulnerability of virtual systems, there are others. If the physical host suffers a hardware failure, all virtual systems will also fail. Also, if a physical host is infected with malware, it’s very possible that this malware will quickly spread to all the virtual systems. The host has software running on it that allows it to have complete control over all the VMs, and malware can exploit these privileges.

Storage

Storage in the cloud is almost limitless. An organization can easily rent the storage space it needs, and that space is often very cheap; some is even free.

For example, Google Docs provides users with 1 GB of storage space for free. If you need more, you can rent 20 GB for $5 a year, based on current pricing. They also have pricing for more space if needed.

Privacy and Data Control

Privacy of data posted on the Internet has always been a concern. A good guideline to remember is that if you post data on the Internet, you have lost privacy of that data. This includes data that you store in the cloud.

Cloud computing attempts to provide users with privacy of their own data, but users should be concerned. When an organization hosts data on the Internet through a cloud provider, protection of that data is now partially dependent on the provider using adequate protection. If the provider has a failure, it’s possible that user data is exposed.

For example, in June 2011, DropBox, a cloud-based storage provider, did an update that accidentally allowed anyone to log on to any account with any password. Users could have entered the wrong username or any password and suddenly had access to someone else’s data. DropBox let users know about the problem after it was reported in the media and said that it only affected 1 percent of the users. Although 1 percent sounds like a small amount, that’s 1 percent of 25 million users, or a total of 250,000 users.

Encryption is an excellent method of providing confidentiality. If you are using encryption to protect your data in the cloud, the data should be encrypted on the client end and not in the cloud. In other words, if you want to store sensitive data in the cloud, encrypt it before posting it to the cloud. If you use encryption tools made available by the cloud provider, it’s very possible that the provider holds the decryption keys and can access the data or may inadvertently decrypt it, making it available to other users.
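The client-side pattern described above, as an added example that is not code from the book: the record is encrypted on the client from a passphrase the provider never sees, only the resulting blob is uploaded, and a check shows that an exposure on the provider side reveals nothing readable. The cipher is a demonstration construction from the Python standard library (HMAC-SHA256 as a PRF in counter mode, then encrypt-then-MAC) chosen so the example runs offline; the `CloudBucket` class and all names and sample data are assumptions, and a production client would use a vetted AEAD such as AES-GCM from a maintained library instead.

```python
import hashlib
import hmac
import secrets

# Constructed example, not code from the book: a client encrypts a record
# locally and hands the cloud provider only ciphertext. The passphrase and the
# keys derived from it never leave the client, so a provider-side failure
# exposes unreadable bytes rather than the record.
#
# The cipher is a demonstration construction built from the standard library
# (HMAC-SHA256 used as a PRF in counter mode, then encrypt-then-MAC). A real
# client would use a vetted AEAD such as AES-GCM from a maintained library.

PBKDF2_ITERATIONS = 100_000


def derive_keys(passphrase: bytes, salt: bytes):
    """Derive independent encryption and MAC keys from the passphrase."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_for_cloud(passphrase: bytes, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag; this blob is the only thing uploaded."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_from_cloud(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong passphrase or a modified blob raises."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong passphrase or modified blob")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class CloudBucket:
    """Stand-in for the provider (assumed): stores exactly the bytes it is given."""

    def __init__(self):
        self.objects = {}

    def put(self, name: str, data: bytes) -> None:
        self.objects[name] = data

    def get(self, name: str) -> bytes:
        return self.objects[name]


def provider_side_leak_reveals(bucket: CloudBucket, name: str, secret: bytes) -> bool:
    """What an exposure at the provider would reveal: True only if the stored
    object still contains the secret in readable form."""
    return secret in bucket.get(name)


if __name__ == "__main__":
    bucket = CloudBucket()
    record = b"patient 42: diagnosis confidential"   # constructed sample data
    bucket.put("record.enc", encrypt_for_cloud(b"client-held passphrase", record))
    print("leak reveals record:", provider_side_leak_reveals(bucket, "record.enc", record))
    print("client decrypts:", decrypt_from_cloud(b"client-held passphrase", bucket.get("record.enc")))
```

The point the book makes is visible in `provider_side_leak_reveals`: the bucket holds the bytes the DropBox-style failure would have exposed, and because the key material stays on the client those bytes are useless to anyone else. The tag check also catches a blob that was modified in storage, which provider-held encryption cannot promise either.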

Compliance

Organizations that need to comply with laws and regulations need to be careful when using the cloud, especially for data storage. The security provided over the cloud is often inadequate to protect some data.

For example, the United States Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates the protection of health-related data. This includes any data that directly relates to patients of medical facilities and also any data collected about an individual’s health. Many non–health-related organizations must comply with HIPAA because they collect information on users for insurance and health plans.

Some cloud providers comply with specific laws, but other providers do not. If an organization stores its data in the cloud with a provider that is not compliant, the organization is also not compliant and is subject to fines based on the law.

Chapter Review

Access control systems use identification and authentication. Identification occurs when a subject professes an identity and authentication occurs when the user proves the identity.

The three factors of authentication are something you know (such as passwords), something you have (such as proximity cards), and something you are (using biometrics). Most organizations use written password policies to define requirements. For example, passwords should be strong, changed often, and never given out or written down. Technology is used to audit systems and ensure that the password policy is followed.

Proximity cards, smart cards, and hardware tokens are examples of something you have. These methods are commonly combined with an additional factor of authentication. For example, smart cards often require a user to enter a PIN also. When more than one authentication factor is used, it is called multifactor authentication.

Biometrics includes fingerprints, retinal and iris scans, face and voice recognition, keystroke dynamics, and handwriting, and represents the “something you are” factor. When evaluating the effectiveness of biometrics, you should consider the type 1 and type 2 errors. The False Reject Rate (FRR or type 1 error) refers to the percentage of times a system falsely rejects a known user. The False Accept Rate (FAR or type 2 error) refers to the percentage of times a biometric system falsely identifies an unknown user as a known user. The Crossover Error Rate (CER) indicates the point where the FAR and FRR are equal. Lower CERs indicate a better biometric system.
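The FRR, FAR, and CER definitions above worked through in code, as an added example that is not from the book. The matcher scores for two hypothetical biometric systems are constructed, and the threshold sweep shows how raising the threshold trades false accepts for false rejects and where the two rates cross; the example also goes one step beyond the text by comparing the two systems on their CER.

```python
# Constructed example, not from the book: similarity scores that a hypothetical
# matcher produced for genuine attempts (an enrolled user against their own
# template) and impostor attempts (an unknown user against someone else's
# template). Higher means "more similar"; a score at or above the threshold is
# accepted. The two systems and all their numbers are assumptions.

SYSTEM_A = {
    "genuine": [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55],
    "impostor": [0.20, 0.28, 0.33, 0.41, 0.47, 0.52, 0.58, 0.63, 0.69, 0.76],
}
SYSTEM_B = {
    "genuine": [0.95, 0.93, 0.90, 0.89, 0.86, 0.84, 0.82, 0.80, 0.78, 0.75],
    "impostor": [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.60],
}


def false_reject_rate(genuine, threshold):
    """Type 1 error: share of known users rejected because their score fell below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Type 2 error: share of unknown users accepted because their score reached the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(system, steps=100):
    """(threshold, FRR, FAR) rows for thresholds from 0.00 to 1.00."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        rows.append((t,
                     false_reject_rate(system["genuine"], t),
                     false_accept_rate(system["impostor"], t)))
    return rows


def crossover_error_rate(system, steps=100):
    """Threshold where FAR and FRR are closest to equal, and the error rate there (the CER).
    Ties are broken toward the lowest threshold that achieves the crossover."""
    t, frr, far = min(error_curve(system, steps), key=lambda r: (abs(r[1] - r[2]), r[0]))
    return t, (frr + far) / 2


def better_system(systems):
    """Lower CER wins: return the name of the best system in the dict."""
    return min(systems, key=lambda name: crossover_error_rate(systems[name])[1])


if __name__ == "__main__":
    for name, system in [("A", SYSTEM_A), ("B", SYSTEM_B)]:
        for t, frr, far in error_curve(system, steps=10):
            print(f"system {name} threshold {t:.1f}: FRR={frr:.1f} FAR={far:.1f}")
        print(f"system {name} CER at threshold {crossover_error_rate(system)}")
    print("better system:", better_system({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Reading the sweep for system A shows the trade-off the text describes: at a strict threshold of 0.80 no impostor gets in (FAR 0) but six of ten genuine users are turned away (FRR 0.6), and the two rates meet at 0.64 with a CER of 0.2. System B's genuine and impostor scores barely overlap, so its CER is 0 and it is the better system.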

Single sign-on (SSO) allows a user to authenticate once for a system. The user can then access any resources in the system (as long as the user has access) without authenticating again. Many SSO systems use federated access, providing centralized authentication for different systems.

One-time passwords are used only once and reduce the risk of users being impersonated. Hardware tokens use synchronous one-time passwords that change regularly and are synchronized with an authentication server. OPIE and S/KEY are other technologies that use one-time passwords.

Access controls enforce security. For example, a security kernel (a central part of an operating system) enforces security for the operating system by monitoring subjects and objects. Examples of subjects are users, computers, and applications. Examples of objects include data, hardware, and facilities. Access controls can be logical (implemented with technology such as a security kernel) or physical (such as locked doors).

Several access control models are used. The DAC model provides the most granular control. Individual users own the objects and can provide permissions to subjects as desired. DAC is used with file systems such as NTFS and NFS. The RBAC model uses roles. Subjects (such as users) are placed into roles, and permissions to objects are assigned directly to the role. In non-DAC models, security administrators control access.

The MAC model is an example of a non-DAC model. It provides the highest level of security, is used by the military, and uses labels. Both subjects and objects are assigned labels and when the labels match, access is granted. Several architectures are based on the MAC model. The Bell-LaPadula model has a primary goal of ensuring confidentiality and uses rules of no read up and no write down. The Biba model has a primary goal of ensuring integrity and uses rules of no read down and no write up. The Clark-Wilson model provides integrity by using certification and enforcement rules to enforce separation of duties. The Chinese Wall helps prevent conflicts of interest by preventing access to data organized in conflict-of-interest classes.
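The label rules for Bell-LaPadula and Biba, together with the plain “labels must match” MAC check, as an added example that is not from the book: a small reference monitor evaluates each request against the chosen model and keeps an audit trail of decisions. The three-level `Label` ordering, the analyst and object names, and the request list are constructed assumptions; the rules themselves are the ones the paragraph states.

```python
from enum import IntEnum

# Constructed example, not from the book: the label-comparison rules of the
# Bell-LaPadula and Biba models, plus the plain "labels must match" check, as a
# reference monitor would evaluate them. Labels are ordered LOW < MEDIUM < HIGH;
# under Bell-LaPadula they mean clearance/classification, under Biba they mean
# integrity level. All names and the request list are assumptions.


class Label(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def bell_lapadula(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Label, obj: Label, op: str) -> bool:
    """Integrity: no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def strict_match(subject: Label, obj: Label, op: str) -> bool:
    """The simplest MAC rule from the text: access only when the labels are identical."""
    return subject == obj


def reference_monitor(model, requests):
    """Apply a model to (subject, subject_label, object, object_label, op) requests
    and return an audit trail; every request is logged, allowed or not, so a
    denied attempt can be reviewed later."""
    trail = []
    for subj, s_label, obj, o_label, op in requests:
        allowed = model(s_label, o_label, op)
        trail.append({"subject": subj, "object": obj, "op": op,
                      "decision": "ALLOW" if allowed else "DENY"})
    return trail


# Constructed requests: a MEDIUM-labelled analyst touching a LOW and a HIGH object.
REQUESTS = [
    ("analyst", Label.MEDIUM, "public_memo", Label.LOW, "read"),
    ("analyst", Label.MEDIUM, "board_minutes", Label.HIGH, "read"),
    ("analyst", Label.MEDIUM, "public_memo", Label.LOW, "write"),
    ("analyst", Label.MEDIUM, "board_minutes", Label.HIGH, "write"),
]


def decisions(model):
    """Just the ALLOW/DENY column of the audit trail for REQUESTS."""
    return [row["decision"] for row in reference_monitor(model, REQUESTS)]


if __name__ == "__main__":
    for name, model in [("Bell-LaPadula", bell_lapadula), ("Biba", biba), ("strict match", strict_match)]:
        print(f"{name:14s}", decisions(model))
```

The same four requests come out mirrored under the two models: Bell-LaPadula lets the analyst read the LOW memo and write into the HIGH minutes but blocks reading HIGH (read up) and writing LOW (write down), while Biba blocks reading the LOW memo (read down) and writing HIGH (write up). That mirror image is the quickest way to remember which model protects confidentiality and which protects integrity.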

Identity management includes provisioning, maintenance, and entitlement. Provisioning includes creating accounts and providing appropriate access. Many organizations use roles or groups to manage access to resources. Account management ensures that accounts use appropriate password policies and are disabled when the employee is no longer working for the company. Entitlement refers to privileges granted to users and helps ensure that the principle of least privilege is followed.
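The account-management controls listed above (password history, minimum and maximum password age, account lockout, and disabling rather than deleting a leaver's account) enforced in one place, as an added example that is not from the book. The `Account` class, the scenario, and the policy numbers other than the 24-entry history and the 90-day maximum age are assumptions; the scenario function walks one account through each control and returns what happened.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Constructed example, not from the book: the account-management controls the
# chapter review lists, enforced together. Policy values are illustrative;
# the 24-entry history and 90-day maximum age echo the text, the rest are
# assumptions, as are the account name and passwords in the scenario.

HISTORY_SIZE = 24                  # previous passwords remembered
MIN_AGE = timedelta(days=1)        # blocks cycling straight back to an old password
MAX_AGE = timedelta(days=90)       # password must be changed at least this often
LOCKOUT_THRESHOLD = 5              # wrong attempts before the account locks
PBKDF2_ITERATIONS = 50_000


class PolicyViolation(Exception):
    pass


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        self.username, self.enabled, self.locked = username, True, False
        self.failed_attempts = 0
        self.history = []          # (salt, hash) pairs, newest last
        self._store(password, now)

    def _store(self, password, now):
        salt = secrets.token_bytes(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_at = now

    def _is_current(self, password):
        salt, digest = self.history[-1]
        return secrets.compare_digest(hash_password(password, salt), digest)

    def _in_history(self, password):
        return any(secrets.compare_digest(hash_password(password, s), d) for s, d in self.history)

    def change_password(self, old, new, now):
        """History and minimum age are checked together: without the age rule a user
        could rotate through 24 throwaway passwords and land back on the old one."""
        if not self._is_current(old):
            raise PolicyViolation("current password incorrect")
        if now - self.changed_at < MIN_AGE:
            raise PolicyViolation("minimum password age not reached")
        if self._in_history(new):
            raise PolicyViolation("password was used before")
        self._store(new, now)

    def authenticate(self, password, now):
        """Returns one of: ok, expired, disabled, locked, bad_password."""
        if not self.enabled:
            return "disabled"
        if self.locked:
            return "locked"
        if self._is_current(password):
            self.failed_attempts = 0
            return "expired" if now - self.changed_at > MAX_AGE else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "bad_password"

    def unlock(self):
        """Help-desk action after the lockout has been looked at."""
        self.locked, self.failed_attempts = False, 0

    def disable(self):
        """Leaver process: disable rather than delete, keeping the audit trail intact."""
        self.enabled = False


def run_scenario():
    """Walk one account through the policy; returns the outcome of each step."""
    t0 = datetime(2024, 1, 1)
    acct = Account("alice", "Winter-2024!", t0)
    out = {"initial_login": acct.authenticate("Winter-2024!", t0)}
    try:
        acct.change_password("Winter-2024!", "Spring-2024!", t0 + timedelta(hours=2))
        out["early_change"] = "allowed"
    except PolicyViolation as e:
        out["early_change"] = str(e)
    acct.change_password("Winter-2024!", "Spring-2024!", t0 + timedelta(days=2))
    try:
        acct.change_password("Spring-2024!", "Winter-2024!", t0 + timedelta(days=4))
        out["reuse"] = "allowed"
    except PolicyViolation as e:
        out["reuse"] = str(e)
    t1 = t0 + timedelta(days=5)
    out["failures"] = [acct.authenticate(f"guess{i}", t1) for i in range(LOCKOUT_THRESHOLD)]
    out["correct_while_locked"] = acct.authenticate("Spring-2024!", t1)
    acct.unlock()
    out["after_unlock"] = acct.authenticate("Spring-2024!", t1)
    out["after_100_days"] = acct.authenticate("Spring-2024!", t0 + timedelta(days=100))
    acct.disable()
    out["after_leaving"] = acct.authenticate("Spring-2024!", t0 + timedelta(days=100))
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Two details worth noticing: the lockout counter is reset only by a correct password or an explicit unlock, and a correct password on an expired account is reported as `expired` rather than `ok`, so the caller forces a change instead of letting the stale password keep working.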

Cloud computing includes SaaS, IaaS, and PaaS. Although cloud computing provides reduced costs for many users, it also includes increased risk. Data hosted in the cloud can easily be compromised due to errors or problems with the cloud provider. Encrypting data on the client end can help provide confidentiality of data, but encrypting data using a cloud provider’s encryption services often does not provide adequate protection.

Questions

1. A user provides a user logon name to profess an identity. What is this called?

A. Authentication

B. Accountability

C. Identification

D. Accounting

2. What must occur before a system can implement access controls?

A. Identification and authentication

B. Identification and accountability

C. Authentication and accounting

D. Accountability and availability

3. Which of the following methods are used for authentication?

A. Something you say, something you think, and something you are

B. Something you know, something you have, and something you type

C. Something you know, something you say, and something you are

D. Something you know, something you have, and something you are

4. You are planning a password policy for your organization. What is the recommended minimum amount of time that can elapse before a password should be changed?

A. Passwords should be changed before at least one day has elapsed.

B. Passwords should be changed before at least five days have elapsed.

C. Passwords should be changed at least every 90 days.

D. Passwords should be changed at least every 120 days.

5. Which of the following choices does not ensure that a password is strong?

A. Ensuring that the password is of a sufficient length

B. Ensuring that the password is changed frequently

C. Ensuring that the password has a mixture of different character types

D. Ensuring that the password does not include any part of the user’s name

6. When is it acceptable for a user to give out a password to another person?

A. Never

B. Only when asked to by the user’s banking facility

C. Only when asked to by the user’s Internet service provider (ISP)

D. Only when asked to by a fellow worker whom they trust

7. What form(s) of authentication are individuals using when they authenticate with a smart card and a PIN?

A. Something they have only

B. Something they know only

C. Something they have and something they know

D. Something they have and something they are

8. Of the following choices, what is not used for biometrics?

A. Fingerprints

B. Retinal scans

C. Voice recognition

D. Pattern recognition

E. Keyboard dynamics

9. When evaluating a biometric system for accuracy, what should you consider?

A. FRF

B. FAER

C. CER

D. CEFR

10. What is SSO?

A. A system that requires user credentials once and uses the same credentials for the entire session

B. An authentication system that requires users to use different credentials for each resource they access

C. A secure system used for operations

D. Any network that employs secure access controls

11. Which of the following is not used for SSO?

A. Kerberos

B. Decentralized authentication

C. KryptoKnight

D. SESAME

12. What can be used to allow users to access multiple systems owned and managed by different organizations after logging on only once?

A. Clark-Wilson

B. Chinese Wall

C. Federated access

D. Software-as-a-Service

13. Of the following choices, which one is true for a one-time password?

A. Hardware tokens are asynchronous.

B. OPIE uses AES to encrypt the password.

C. Bell-LaPadula uses synchronous one-time passwords.

D. S/KEY uses MD4 or MD5 to create a hash.

14. Of the following choices, what enforces logical access controls?

A. The security kernel enforces logical access controls.

B. The security guards enforce logical access controls.

C. Alarm systems enforce logical access controls.

D. Cipher locks enforce logical access controls.

15. Of the following choices, what is not an example of a technology that uses a one-time password?

A. S/Key

B. OPIE

C. Biometrics

D. Hardware-based token

16. Which of the following models help to enforce the principle of separation of duties?

A. Chinese Wall and Clark-Wilson

B. Chinese Wall and Biba

C. Clark-Wilson and Bell-LaPadula

D. Biba and Bell-LaPadula

17. What is RBAC?

A. Role-based Access Control

B. Risk-based Access Control

C. Risk Buffer Acceptance Containment

D. Role-based Accountability Computer

18. What can be used to prevent a user from reusing the same password?

A. Minimum password age

B. Maximum password age

C. Password length

D. Password history

19. What should be done if a user leaves the company?

A. Delete the user’s account as soon as possible.

B. Disable the user’s account as soon as possible.

C. Change the user’s password as soon as possible.

D. Change the user’s permissions as soon as possible.

20. What can be used to disable an account if a user enters the wrong password too many times?

A. A password policy

B. An account lockout policy

C. A password history

D. De-provisioning accounts

21. Which of the following is an example of Software-as-a-Service (SaaS)?

A. Access to an operating system over the Internet

B. Access to a server over the Internet

C. Web-based e-mail

D. VM Escape

22. Which of the following represents the greatest risk to virtual systems?

A. Confidentiality

B. VM Escape

C. Increased costs for power and cooling

D. Loss of control of data in the cloud

Answers

1. C. Identification is the act of a user professing an identity to a system. Authentication occurs if the user can also provide other credentials, such as a password. Accountability is possible if a system can identify users and track their activities. Accounting is provided by logging.

2. A. Identification and authentication are the primary controls of most access control systems. Identification is the act of a user professing an identity, and authentication occurs when the user’s credentials (such as a password) are verified with a database. Accountability is not provided if users have not been identified and authenticated. Similarly, you can’t provide accurate accounting if users haven’t been identified and authenticated.

3. D. The three factors of authentication are something you know, something you have, and something you are. These factors are not known as something you think, something you type, or something you say.

4. C. Passwords should be changed at least every 90 days, but more secure organizations decrease this time to somewhere between 30 and 60 days. It’s often recommended that the maximum (not minimum) amount of time before changing the password be set to at least one day. Waiting four months (120 days) is too long.

5. B. A password should be changed regularly but, by doing so, it doesn’t ensure the password is strong. For example, if it is changed from “pass” to “word,” it is not strong. The other options all contribute to the strength of a password.

6. A. It is never acceptable for a user to give out a password to another person. The password proves a user’s identity, and if others have it, they can impersonate the user. Social engineers often ask users to give out their passwords (such as in phishing e-mails) and many users do, only to have their identities stolen.

7. C. The two factors of authentication are something they have (the smart card) and something they know (the PIN). The third factor of authentication is something you are (using biometrics), but neither a smart card nor a PIN uses biometrics.

8. D. Pattern recognition is not a specific method used for biometrics, but fingerprints, retinal scans, voice recognition, and face recognition are all biometric methods.

9. C. The Crossover Error Rate (CER) identifies where the False Accept Rate (FAR) matches the False Reject Rate (FRR). CER, FAR, and FRR are the three main performance measurements used in biometrics. The other acronyms are not used for biometric accuracy.

10. A. Single sign-on requires users to log on once and it uses the same credentials for any other resources accessed during the session. Users are not required to use different credentials for each resource.

11. B. Centralized (not decentralized) authentication systems are needed for advanced single sign-on (SSO). SSO allows a user to log on once, and then the same credentials are used to access resources without requiring the user to log on again. Kerberos, KryptoKnight, and SESAME are all technologies used to implement SSO.

12. C. Federated access single sign-on (SSO) systems allow users to access systems owned and managed by different organizations by logging on once using credentials recognized by the federated access system. Clark-Wilson and Chinese Wall are access control models, and both enforce separation of duties. Software-as-a-Service (SaaS) is a cloud computing technology that provides users with access to software or applications over the Internet.

13. D. Both S/KEY and OPIE use MD4 or MD5 to create a hash used in one-time passwords. Hardware tokens are synchronous, not asynchronous. Bell-LaPadula is an access control architecture that enforces confidentiality.

14. A. The security kernel enforces logical access controls on an operating system. All the other access controls are examples of physical access controls.

15. C. Biometrics authenticates an individual based on his or her physical characteristics, such as the user’s fingerprint or keyboard dynamics. The other three are examples of technologies that use one-time passwords.

16. A. Both the Clark-Wilson and Chinese Wall access control models enforce the principle of separation of duties. The Clark-Wilson model also enforces integrity and the Chinese Wall model also enforces confidentiality. Biba enforces integrity. Bell-LaPadula enforces confidentiality.

17. A. RBAC is an acronym for Role-based Access Control. Permissions are assigned to subjects based on their roles. The other answers are not valid security terms; only their initials are the correct letters.

18. D. Password history remembers a user’s previous passwords (such as the user’s past 24 passwords) and prevents users from reusing any password in the history. The minimum password age is used with the password history to prevent users from changing their password repeatedly to get back to the original password. It is often set to one day. The maximum password age identifies when users must change their passwords. The password length identifies the minimum number of characters in the password.

19. B. User accounts should be disabled as soon as possible after the user leaves the company under any circumstances. The account should not be deleted until it’s determined that the account is not needed. Changing the password without disabling the account will still allow the account to be used. Disabling the account will remove the access and is more direct than changing permissions.

20. B. An account lockout policy can disable an account if a user (or an attacker) enters the wrong password too many times. The threshold is often set to three or five, causing an account to be locked out after a user enters the wrong password three or five times, respectively. A password policy ensures that users create strong passwords and regularly change their password. Password history prevents users from reusing the same password. De-provisioning refers to ensuring that user rights and permissions are adjusted when users change jobs.

21. C. Web-based e-mail is an example of SaaS. SaaS is also known as on-demand software and it provides users with access to software or applications over the Internet. Platform-as-a-Service (PaaS) is a cloud computing service where users have access to a platform with an operating system. Infrastructure-as-a-Service (IaaS) provides users with access to hardware such as servers or network devices. VM Escape is an attack on virtual systems.

22. B. VM Escape is a known attack against virtual systems. If the attack is successful, an attacker can access the host system and all virtual systems within the host. Loss of confidentiality (not confidentiality) is a risk that can be reduced with encryption. Virtualization reduces costs for power and cooling. Loss of control of data stored in the cloud is a risk associated with cloud computing, but organizations can use virtual systems internally to keep control of their data.
