This article discusses key management methods for the IaaS Cloud model, and security problems to be dealt with because of its virtualization structure.
Cloud service types
Cloud computing consists mostly of three different service types: IaaS (Infrastructure-as a Service), PaaS, (Platform-as a Service), and SaaS (Software-as a Service), and four "cloud deployment modes" (Public, Private, Community, and Hybrid) that define the ways that cloud services are delivered. Each of the three cloud computing types (IaaS, PaaS, SaaS) have separate features and structures where different functions are needed to construct and maintain the required security levels against the various types of security threats. This article discusses the unique security threats and security levels required for the IaaS cloud deployment model.
The IaaS model provides the consumer with basic storage and computing capabilities as standardized services over the network. Servers, storage systems, networking equipment, data center space etc. are centralized and made available on demand to handle workloads. The cloud provider provides the hardware and the necessary software tools (in the form of abstraction layers) needed to host various platforms for cloud consumers, such as operating systems, applications, databases, etc. This can create huge savings for the consumer, as hardware and operating costs for computer systems and networks are replaced by a virtual machine accessed through the cloud.
Lack of consumer control over security
There are several drawbacks to IaaS, most of which involve the amount of control the consumer has over security measures. Whenever a customer decides to use IaaS from a cloud service provider, security measures for data, communications, etc., must depend on the security measures built in by the IaaS cloud provider. Lack of security control is what prevents many companies from transferring their computing activities to the cloud, or use it only for less sensitive data. However, the consumer does have greater control over security measures when using the Iaas cloud model, as compared to the Paas and Saas models. The consumer can control all aspects of security related to the particular virtual machine (VM) instance being used. Including database, runtimes, and applications. The provider still must implement all of the infrastructure-level security functions, which the user has no control over.
New challenges because of virtualization
Since virtualization is the foundation in the structures of most IaaS systems because of its flexibility and scale-up capabilities, new challenges are introduced when implementing a key management system for security control. It is possible to authenticate pre-defined virtual machine image templates through traditional encryption, digital signature, cryptographic hash function, or message authentication code, but these traditional methods don't always work for virtualization, because of its inherent structure. It is therefore necessary to employ cloud-specific solutions to solve many of the unique security problems associated with IaaS cloud models.
Security capabilities for service-level administrators
Based on the set of core features that are unique to the IaaS cloud model, we can identify the security capabilities associated with the exercise of these features. The following security capabilities are designed for designated service-level administrators on the consumer end, that can perform the basic operations on a virtual machine instance, including checking it out, launching it, performing the various interactions with it, and finally storing it. Each of these procedures must be authenticated and verified in a secure manner. These can be grouped as three types of security capabilities (SC).
- Authentication of pre-defined VM Image Templates used for building functional, customized VM instances
- Authentication of API calls sent by a user to the VM management interface of the cloud provider
- Maintaining secure communications while performing administrative tasks on VM instances
Key management methods used for administrative operations
The key management challenges for each one of these security capabilities can be derived from architectural solutions associated with the state of practices. Architectural solutions for these security capabilities include the use of digital signatures (verifying the authenticity of VM templates), and the use of public/private key pairs, with the corresponding public key and/or private key being made available to the consumer or provider, as needed. Other mechanisms available for assuring the integrity of the VM include the cryptographic (secure) hash function and cryptographic message authentication code mechanisms. Certificates are often used with a public key to verify the signature of commands submitted to the VM instance. Another alternative is to set up a secure session using SSH (Secure Shell) or TLS (Transport Layer Security). These methods provide a framework for public/private (asymmetric) keys or password-based client authentication. The key management challenge here is for the consumer to secure the private key used to sign the API call or command. The main challenge for solutions derived for these three security capabilities involves going through a comprehensive security analysis.
Security capabilities for general users
The following security capabilities are for general use by non-administrative users after the applications have been set up by the service-level administrator by using the previous set of security capabilities, and by executing various configuration and installation procedures. Depending on the assigned permissions, a user may interact and exercise the various application features. After the interactive work, there is a need to store the various types of data generated. These data types are: 1) Static Data – application’s source code, reference data used by applications, archived data, and logs, and 2) Application data - generated and used by applications. The application data in turn could be either structured (e.g., Database data) or unstructured (e.g., files from social feeds)
- The ability to secure the communication with application instances running on VM instances
- The ability to securely store static application support data securely (data not directly processed by applications)
- The ability to securely store application data in a structured form securely using a Database Management System (DBMS)
- The ability to securely store application data that is unstructured
Key management methods designed for general usage
The key management challenges for these four security capabilities can also be derived from architectural solutions. While a general user is interacting with IaaS services, a secure session should be set up, which provides both confidentiality and integrity with the application (service) instance. The TLS protocol, similar to SSH, is commonly used to set up secure session keys for encrypting/decrypting and for generating message authentication codes. This involves using an asymmetric key pair (private and public keys) for a service instance and an optional key pair on the client side, as well.
Static data is generally encrypted using symmetric keys, which are administered on the consumer end. To securely store structured and unstructured application data, the cloud consumer should subscribe to a database service, usually offered by the IaaS provider. The user is given an instance of the database, and the ability to configure and provide confidential protection of data. Many features are available in the database application, some of which are similar to storage-level encryption.
Alternative security solutions for data storage involve using a different encryption key for different database objects, mapping session permissions to the keys, and even having the database instance run in a different cloud than the key storage and key management system.