Introduction
Cloud computing is driving the business of information technology today.
"A recent Gartner survey on the future of IT services found that only 38 percent of all organizations surveyed indicate cloud services use today. However, 80 percent of organizations said that they intend to use cloud services in some form within 12 months, including 55 percent of the organizations not doing so today." (Gartner, Inc., 2013)
As companies rush to adopt cloud, however, information technology (IT) security sometimes seems to be an afterthought.
The goal of this paper is to survey the current state of IT security within public cloud infrastructure-as-a-service providers. After a cloud computing overview, the paper focuses on the infrastructure-as-a-service (IaaS) deployment model, the typical home of IaaS intrusion detection components. The Gartner Cloud Use Case Framework is then introduced, since it also serves as the framework for this survey. An in-depth review of public cloud intrusion detection studies, options and expert observations follows. The paper closes with the authors' conclusions and cloud computing IDS recommendations for enterprises considering a move to the cloud.
Cloud Computing Overview
Definition
Cloud computing is a style of computing in which scalable and elastic IT-enabled capabilities are
delivered as a service using Internet technologies. Cloud infrastructure as a service (IaaS) is a
type of cloud computing service; it parallels the infrastructure and data center initiatives of IT.
Cloud compute IaaS constitutes the largest segment of this market (the broader IaaS market
also includes cloud storage and cloud printing).
Cloud Model Evolution
Cloud computing represents an evolution of distributed computing. In that model, software
systems with their components located on networked computers, communicate and coordinate
their actions by passing messages. The components interact with each other in order to achieve
a common goal. Three significant characteristics of distributed systems are: concurrency of
components, lack of a global clock, and independent failure of components. An important goal
and challenge of distributed systems is location transparency. Examples of distributed systems
vary from SOA-based systems to massively multiplayer online games to peer-to-peer
applications.
Distributed computing systems are generally designed using a service-oriented architecture (SOA), a software design and software architecture design pattern based on discrete pieces of software providing application functionality as services to other applications. This approach is typically independent of any vendor, product or technology. SOA also makes it easy for computers connected over a network to cooperate. Every computer can run an arbitrary number of services, and each service is built in a way that ensures that the service can exchange information with any other service in the network without human interaction and without the need to make changes to the underlying program itself.
The success of this model led to the proliferation of shared services, which refers to the provision of a service by one part of an organization or group where that service had previously been found in more than one part of the organization or group. Thus the funding and resourcing of the service is shared, and the providing department effectively becomes an internal service provider.
Shared services across a distributed computing platform led to the concept of a converged
infrastructure which packages multiple information technology (IT) components into a single,
optimized computing solution. Components of a converged infrastructure solution include
servers, data storage devices, networking equipment and software for IT infrastructure
management, automation and orchestration. This management approach is used to centralize
the management of IT resources, consolidate systems, increase resource utilization rates, and
lower costs. These objectives are enabled by the creation of pools of computers, storage and
networking resources that can be shared by multiple applications and managed in a collective
manner using policy driven processes.
Cloud Computing steps this concept up by delivering a converged infrastructure over a wide
area network, thus enabling internet-scale computing. Cloud computing relies on sharing of
resources to achieve coherence and economies of scale, similar to a utility (like the electricity
grid) over a network.
Cloud Computing Service Models
Historically, cloud computing has been described and delivered through three service models: Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service. Although many other as-a-service models have been proposed, this paper will only address this limited set.
Infrastructure-as-a-Service (Wikipedia, 2013)
In the most basic cloud-service model, providers of IaaS offer computers – physical or (more
often) virtual machines – and other resources. (A hypervisor, such as Hyper-V or Xen or KVM or
VMware ESX/ESXi, runs the virtual machines as guests. Pools of hypervisors within the cloud
operational support-system can support large numbers of virtual machines and the ability to
scale services up and down according to customers' varying requirements.) IaaS clouds often
offer additional resources such as a virtual-machine disk image library, raw (block) and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and
software bundles. IaaS-cloud providers supply these resources on-demand from their large
pools installed in data centers. For wide-area connectivity, customers can use either the Internet
or carrier clouds (dedicated virtual private networks).
Platform-as-a-Service (Wikipedia, 2013)
In the PaaS model, cloud providers deliver a computing platform, typically including operating
system, programming language execution environment, database, and web server. Application
developers can develop and run their software solutions on a cloud platform without the cost
and complexity of buying and managing the underlying hardware and software layers. With
some PaaS offers (like Windows Azure), the underlying compute and storage resources scale automatically to match application demand so that the cloud user does not have to allocate resources manually. The latter has also been proposed in an architecture aiming to facilitate real-time workloads in cloud environments.
Software-as-a-Service (Wikipedia, 2013)
In the business model using software as a service (SaaS), users are provided access to
application software and databases. Cloud providers manage the infrastructure and platforms
that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually
priced on a pay-per-use basis. SaaS providers generally price applications using a subscription
fee.
In the SaaS model, cloud providers install and operate application software in the cloud and
cloud users access the software from cloud clients. Cloud users do not manage the cloud
infrastructure and platform where the application runs. This eliminates the need to install and
run the application on the cloud user's own computers, which simplifies maintenance and
support. Cloud applications differ from other applications in their scalability, which can be achieved by cloning tasks onto multiple virtual machines at run-time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is
transparent to the cloud user, who sees only a single access point. To accommodate a large
number of cloud users, cloud applications can be multitenant, that is, any machine serves more
than one cloud user organization. It is common to refer to special types of cloud based
application software with a similar naming convention: desktop as a service, business process as
a service, test environment as a service, communication as a service.
Cloud Security
Correct security controls should be implemented according to asset, threat, and vulnerability
risk assessment matrices. For ease of analysis, the multiplicity of cloud security dimensions have
been aggregated into three general areas: Security and Privacy, Compliance, and Legal or
Contractual Issues. Intrusion Detection is generally addressed as a component of Security and
Privacy, specifically identity management.
Identity management systems are used to control access to information and computing resources. Cloud providers either integrate the customer's identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own. IDS and IPS systems are a typical part of an effective identity management system design. These systems are generally part of IaaS.
IaaS Deployment Models
The cloud computing industry generally recognizes four cloud deployment models: Public,
Private, Community and Hybrid.
Public Clouds
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture; however, security considerations may be substantially different for services (applications, storage, and other resources) that are made available by a service provider to a public audience and when communication takes place over a non-trusted network. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via the Internet (direct connectivity is not offered).
Private Clouds
A private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally.
Community Clouds
Community cloud shares infrastructure between several organizations from a specific
community with common concerns (security, compliance, jurisdiction, etc.), whether managed
internally or by a third-party and hosted internally or externally. The costs are spread over fewer
users than a public cloud (but more than a private cloud), so only some of the cost savings
potential of cloud computing are realized.
Hybrid IaaS
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain
unique entities but are bound together, offering the benefits of multiple deployment models.
Cloud Use Case Template (Gartner, 2012)
Applicability
To aid organizational planning of cloud deployments, Gartner has published a series of cloud use
case templates. These templates apply to an IT organization that desires to combine internal
IaaS cloud infrastructure and external IaaS cloud services to deliver a federated, scalable, hybrid
IaaS cloud. They are designed to help IT architects and decision makers build hybrid IaaS cloud
solutions to deliver IT infrastructure services efficiently and securely.
Components and Connection Scenarios
The Gartner cloud use template is composed of the following components and connection
scenarios.
Internal (Private) cloud
A private or internal cloud is an on-premises IT capability (e.g., compute, storage, and network)
offered as a service by an IT organization to its business units or customers. Many components
are connected together to establish an internal cloud (e.g., self-service provisioning portal,
service catalog, orchestrator, and server virtualization). The internal cloud's purpose is to house
IT services and initiate movement of IT services along the hybrid cloud connections to other
cloud services. Gartner is using the internal cloud as an example in this template to aid in
comprehension. Hybrid IaaS clouds can also exist between two external clouds. For more
information on the internal cloud, Gartner designed an architectural model for internal IaaS cloud deployments.
External (Public / Community) cloud
An external cloud is an IT capability offered as a service that one business hosts for another
business off-premises. An external cloud can be shared among many tenants (i.e., public cloud)
or dedicated to one organization or a defined list of organizations (i.e., private cloud), but it
must be implemented by a third party. In this template, the internal cloud connects to the
external cloud in four different connection scenarios as discussed later in this document.
However, two external clouds can connect in similar scenarios, although this is not depicted in this template.
Orchestrator
The orchestrator (sometimes referred to as the IT process automation tool) in IaaS cloud services automates IT operation processes across all components of the cloud stack. In a hybrid IaaS environment, the orchestrator may be responsible for:
- Defining, administering, and monitoring process workflows for various IT operations (e.g., service provisioning, chargeback, asset management, service and data replication for business continuity, and disaster recovery) across IaaS cloud services
- Creating and enforcing IT process automation policies
- Coordinating and automating IT process execution across IaaS cloud services
- Integrating with all other hybrid cloud management tools (e.g., external cloud connector, cloud services broker, and cloud services provider application programming interfaces [APIs]) to execute process workflows through predefined integration packs and/or code development (e.g., moving or replicating storage volumes between two clouds)
External (Public / Community) cloud connector
The external cloud connector (ECC) connects cloud environments to one another. Organizations
can deploy ECCs at one or both ends of the connection in either a bridge or a gateway
connection scenario. To connect environments, organizations may implement one or more
ECCs. ECCs can come in a variety of offerings (e.g., hardware appliances, virtual appliances,
software packages, logical networks, custom scripts) and include capabilities such as:
- Providing a connection for internal cloud management software (e.g., capacity management tools, chargeback systems, and disaster recovery tools) to manage external cloud assets
- Providing a secure network tunnel among cloud environments
- Performing data encryption and decryption
- Enforcing network transparency by connecting internal and external network topologies
- Enhancing network performance across distance through techniques such as compression, acceleration, caching, and/or optimization
- Translating storage protocols and performing storage functions such as replication, compression, and/or deduplication to connect applications or internal storage infrastructures to external cloud storage services
- Converting virtual machines between formats (e.g., VMware Virtual Machine Disk Format [VMDK] to Xen virtual hard disk [VHD]) before transmission
- Propagating security and service-level requirements (e.g., performance, availability, recovery time objective [RTO], and recovery point objective [RPO]) defined in the IT service catalog
Cloud Service Broker
The cloud services broker (CSB) is a component that serves as an intermediary among cloud environments and adds services to the cloud environments that are not readily available without the broker. CSBs aim to aggregate cloud service providers through a single portal or service. CSBs can come in a variety of implementations but are normally hosted externally and include capabilities such as:
- Centralized cloud management capabilities
- Integration capabilities
- Governance capabilities
Direct Cloud Connection
The direct cloud connection scenario exists when the two clouds directly connect without any
outside assistance such as an ECC or CSB. This is common when clouds interface across common
published APIs and general-purpose networks (e.g., Internet).
Figure 1 - Direct Cloud Connection
External Cloud Connector Bridge
The ECC bridge scenario exists when an ECC is present at both ends of the connection. ECCs possess many characteristics and provide many possible functions across clouds. In most ECC bridge situations, the ECC is deployed as a similar vendor product or technology at both ends. The reason for this is that ECCs apply a significant amount of intelligence at both ends to improve or facilitate the connection, and vendors are more likely to accomplish these tasks among their own products. However, scenarios exist where the ECC at each end does not need to be a matching vendor product. An example of this is a virtual private network (VPN) that leverages a well-known protocol such as Internet Protocol Security (IPsec). Each cloud may implement the IPsec connection by using different vendor products. The key is that both ends must be compatible.
Figure 2 - External Cloud Connector Bridge
External Cloud Connector Gateway
The ECC gateway scenario is similar to the ECC bridge, except that an ECC is only present on one
end of the connection.
Figure 3- External Cloud Connector Gateway
Cloud Services Broker
A cloud services broker (CSB) possesses many characteristics and provides many possible
functions among clouds. The CSB scenario is different from ECCs because the CSB sits as an
intermediary between clouds to assist with or perform integration and translation of cloud
services. In this example, the internal cloud only talks directly to the CSB and does not know
about any of the external clouds behind the CSB. The CSB may replace the functionality of the
ECC or enhance its capabilities.
Figure 4 - Cloud Service Broker
Public Cloud IaaS Use Cases
Gartner template components and connection scenarios yield the following five typical public cloud IaaS use cases addressed in this survey:
- Internal (Private) – External (Public)
- Internal (Private) – External (Community)
- Internal (Private) – External (Public) – External (Public)
- Internal (Private) – CSB – External (Public or Community)
- Internal (Private) – External (Community) – External (Public)
Public Cloud IDS
Description and Characteristics
Cloud IDS can be described as being composed of three components (Alharkan, 2013):
- Collection
  - Host Based
  - Network Based
- Alert Analysis
  - Signature Based
  - Anomaly Based
- Reaction
  - Passive IDS
  - Active IDS
In the cloud, none of these components is entirely owned or managed by the enterprise. In these deployments, intrusion detection is a shared responsibility with the cloud service provider. When multiple CSPs or a cloud service broker (CSB) are used, coordination between the participating entities is critical.
Figure 5 - IDS Components (diagram: Cloud Intrusion Detection branches into Data Collection [Host Based, Network Based], Alert Analysis [Signature Based, Anomaly Based] and Reaction [Passive IDS, Active IDS])
IDS Placement (Chirag Modi, 2013)
In a cloud computing environment, IDS components are typically placed:
- In the application;
- Between applications;
- In the virtualization layer; or
- Between virtualization layers.
Figure 7 - IDS Placement: Single Cloud
Figure 6 - IDS Placement: Multiple Clouds (diagram: Private Cloud, Public Cloud and Public/Community Cloud with their IDS placement nodes)
IDS Placement for Multiple CSPs
For large enterprises, IDS placement is complicated by the use of multiple cloud service providers. Figure 6 outlines the critical security nodes that should be addressed.
IDS Management Responsibility
The complexity of IDS placement also complicates IDS management responsibility. This fact is typically not addressed in enterprise IT governance policies. While the enterprise will usually have responsibility for application IDS, the cloud service provider (CSP) has jurisdiction over the network between applications, within the virtualization layer and between virtualization technologies. Responsibility for protecting against intrusion on networks between public cloud service providers lies with the enterprise or, if employed, a cloud service broker (CSB). IDS management responsibility within a community cloud is left for negotiation amongst the community members.
Cloud Security State of the Art (Gartner, 2013)
In cloud computing security, there are three primary control themes: encryption, tracking/blocking and cloud security ecosystems.
Although encryption works well for protecting data, it complicates search and edit functions and consumes resources for key management. In public cloud, encryption is applied as a mechanism for simultaneously preventing unwanted access by users, administrators and attackers. Encryption can potentially solve regulatory compliance concerns, such as data residency requirements.
For tracking and blocking, next-generation firewalls, gateways and desktop data loss prevention (DLP) offer enterprises the ability to measure their use of the cloud and to block outgoing connection attempts based on organizational policy. This enables organizations to facilitate controlled use of externally provisioned IT services, allowing employees to discover and take advantage of cloud computing while limiting the potential for misuse.
Cloud Security Ecosystems provide a more comprehensive set of security control functions.
Cloud management platforms, security as a service (SecaaS) offerings, secure Web gateway
(SWG) and cloud access security brokers (CASBs) are growing in use.
The Gartner cloud security product matrix, Figure 9, provides a snapshot of the cloud security state of the art. This overview implies that today, cloud intrusion detection services only provide moderate value to the marketplace, with realization of most services occurring in 2-5 years.
Figure 8 - Gartner: Cloud Security Product Priority Matrix
Cloud Computing Attack Scenarios (Chirag Modi)
Most, if not all, enterprise IT attack vectors have a cloud computing corollary. Some of the more
common ones follow.
Insider attack - Authorized cloud users may attempt to gain (and misuse) unauthorized privileges. Insiders may commit fraud and disclose information to others (or modify information intentionally). This poses a serious trust issue. For example, an internal DoS attack was demonstrated against the Amazon Elastic Compute Cloud (EC2) (Slaviero, 2009).
Flooding attack - In this attack, the attacker tries to flood the victim by sending a huge number of packets from an innocent host (zombie) in the network. Packets can be of type TCP, UDP, ICMP or a mix of them. This kind of attack may be possible due to illegitimate network connections. In the case of cloud, requests for VMs are accessible by anyone through the Internet, which may enable a DoS (or DDoS) attack via zombies. A flooding attack may raise usage bills drastically, as the cloud would not be able to distinguish between normal usage and fake usage.
User to root attack - An attacker gains access to a legitimate user's account by sniffing the password, leaving the system vulnerable to an attacker with root-level access. The mechanisms used to secure the authentication process are a frequent target. In the case of cloud, the attacker acquires access to a valid user's instances, which enables him/her to gain root-level access to VMs or the host.
Port scanning - Through port scanning, attackers can find open ports and attack services running on these ports. Network-related details such as IP address, MAC address, router, gateway filtering, firewall rules, etc. can be learned through this attack. In the cloud scenario, an attacker can attack offered services through port scanning (by discovering the open ports on which these services are provided).
Virtual machine (VM) or hypervisor attack - By compromising the lower-layer hypervisor, an attacker can gain control over installed VMs. For example, BLUEPILL (Rutkowska, 2006), SubVirt (King et al., 2006) and DKSM (Bahram et al., 2010) are well-known attacks on the virtual layer. Through these attacks, attackers may be able to compromise the installed hypervisor to gain control over the host. Zero-day VM vulnerabilities are also possible. A zero-day vulnerability exploited in the HyperVM virtualization application resulted in the destruction of many virtual-server-based websites (Goodin, 2009).
Backdoor channel attacks - This is a passive attack which allows an attacker to gain remote access to the infected node in order to compromise user confidentiality. Using backdoor channels, the attacker can control the victim's resources and turn them into a zombie to attempt a DDoS attack. In a cloud environment, an attacker can gain access to and control of a cloud user's resources through a backdoor channel and make the VM a zombie to initiate a DoS/DDoS attack.
A firewall (in the cloud) could be the common solution to prevent some of the attacks listed above. To prevent attacks on the VM/hypervisor, anomaly-based intrusion detection techniques can be used. For flooding attacks and backdoor channel attacks, either signature-based or anomaly-based intrusion detection techniques can be used.
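The pipeline below is an added example, not code from this paper or from any of the studies it cites. It wires the three Cloud IDS components named earlier (collection, alert analysis, reaction) together and runs both signature-based and anomaly-based analysis over constructed flow records for the flooding scenario just described, with a passive (alert-only) and an active (deny-rule) reaction; the flow record layout, the SYN-flood signature, the 60-second window and the deny-rule format are assumptions.

```python
# Added example (not code from the paper or the cited studies): a minimal
# cloud IDS pipeline with the three components the survey names, run over
# constructed flow records of the kind a CSP-side NIDS would collect.
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW = 60  # seconds per analysis window (assumption)


@dataclass(frozen=True)
class FlowRecord:
    """One collected flow summary (layout is an assumption for this example)."""
    ts: int        # epoch seconds when the flow was observed
    src: str       # source IP address
    dst: str       # destination IP address (a tenant VM)
    dport: int     # destination port
    proto: str     # "TCP", "UDP" or "ICMP"
    packets: int   # packets counted in this flow record
    flags: str     # TCP flags seen ("S" = SYN only); "" for non-TCP


# --- Collection -----------------------------------------------------------
# Constructed records, not captured traffic. 10.0.0.9 plays the zombie of the
# flooding scenario: thousands of SYN-only packets at 10.0.1.5 in the window
# starting at t=1020, while 10.0.0.7 and 10.0.0.8 show ordinary volumes.
SAMPLE_FLOWS = [
    FlowRecord(1021, "10.0.0.7", "10.0.1.5", 443, "TCP", 40, "SA"),
    FlowRecord(1024, "10.0.0.8", "10.0.1.5", 443, "TCP", 55, "SA"),
    FlowRecord(1030, "10.0.0.9", "10.0.1.5", 80, "TCP", 900, "S"),
    FlowRecord(1041, "10.0.0.9", "10.0.1.5", 80, "TCP", 1100, "S"),
    FlowRecord(1050, "10.0.0.8", "10.0.1.5", 53, "UDP", 10, ""),
    FlowRecord(1085, "10.0.0.7", "10.0.1.5", 443, "TCP", 35, "SA"),
    FlowRecord(1090, "10.0.0.9", "10.0.1.5", 80, "TCP", 30, "SA"),
]

# Per-source packets-per-window counts from a learning period (constructed);
# the anomaly detector derives its threshold from these and nothing else.
BASELINE_COUNTS = [40, 55, 60, 35, 48, 52, 38, 45, 50, 57]

# One hypothetical signature: a single record carrying many SYN-only packets.
SIGNATURES = [
    {"name": "tcp-syn-flood", "proto": "TCP", "flags": "S", "min_packets": 500},
]


def window_of(ts):
    """Start of the analysis window containing timestamp ts."""
    return ts - ts % WINDOW


# --- Alert analysis -------------------------------------------------------
def signature_alerts(flows):
    """Signature based analysis: match each record against known patterns."""
    alerts = []
    for f in flows:
        for sig in SIGNATURES:
            if (f.proto == sig["proto"] and f.flags == sig["flags"]
                    and f.packets >= sig["min_packets"]):
                alerts.append({"kind": "signature", "rule": sig["name"],
                               "src": f.src, "dst": f.dst,
                               "window": window_of(f.ts)})
    return alerts


def anomaly_threshold(baseline, k=3.0):
    """Mean plus k standard deviations of the learned per-window counts."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_alerts(flows, baseline):
    """Anomaly based analysis: flag (src, dst, window) triples whose packet
    volume exceeds the learned threshold; no knowledge of the attack needed."""
    threshold = anomaly_threshold(baseline)
    totals = Counter()
    for f in flows:
        totals[(f.src, f.dst, window_of(f.ts))] += f.packets
    return [{"kind": "anomaly", "src": src, "dst": dst, "window": w,
             "packets": n, "threshold": round(threshold, 1)}
            for (src, dst, w), n in sorted(totals.items()) if n > threshold]


# --- Reaction -------------------------------------------------------------
def react(alerts, active=False):
    """Passive IDS only records alerts; an active IDS additionally emits one
    deny rule per offending (src, dst) pair. The rule format is an assumption,
    standing in for whatever the CSP or enterprise enforcement point takes."""
    actions = [{"action": "alert", **a} for a in alerts]
    if active:
        for src, dst in sorted({(a["src"], a["dst"]) for a in alerts}):
            actions.append({"action": "deny", "src": src, "dst": dst})
    return actions


def run_pipeline(flows=SAMPLE_FLOWS, baseline=BASELINE_COUNTS, active=False):
    """Collection -> both analysis methods -> reaction."""
    alerts = signature_alerts(flows) + anomaly_alerts(flows, baseline)
    return react(alerts, active=active)


if __name__ == "__main__":
    for action in run_pipeline(active=True):
        print(action)
```

Note that the signature path only fires because the flood matches the one pattern it knows, whereas the anomaly path flags the same source purely from the volume deviation, which is the distinction the survey draws between the two analysis methods.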
Intrusion Detection & Response
Cloud IDS/IPS techniques can be classified as:
- Host based intrusion detection systems (HIDS)
- Network based intrusion detection systems (NIDS)
- Distributed intrusion detection systems (DIDS)
- Hypervisor-based intrusion detection systems
- Intrusion prevention systems
- Intrusion detection and prevention systems
Table 1 provides a summary of how these techniques can be used to protect an enterprise cloud deployment. Table 2 augments Table 1 by providing recommendations for IDS/IPS deployment and monitoring authority within a cloud computing environment.
Table 1 - Cloud IDS/IPS Options
Title | IDS type | Technique used | Positioning | Pros | Cons
IDS architecture for Cloud environment (Vieira et al., 2010) | HIDS | Signature based and anomaly detection using ANN | On each node | False rate for unknown attacks is lower since ANN is used | Requires more training time and samples for detection accuracy
Multi-level IDS (Lee et al., 2011) | HIDS | Anomaly detection | On each Guest OS | Provides fast detection mechanism | Requires more resources for high level users
Self-similarity based IDS (Kwon et al., 2011) | HIDS | Anomaly detection | On each VM | Can be used in real time | Works only for Windows systems
Abstract model of IDS (Arshad et al., 2011) | HIDS | Signature based and anomaly detection | On each VM | - | Experimental results are not evaluated
VM compatible IDS architecture (Roschke et al., 2009) | NIDS | Signature based detection | On each VM | Minimal response time and human intervention; secures VM based on user configuration | Multiple instances of IDS are required, which degrades performance
DDoS attack detection in virtual machine (Bakshi and Yogesh, 2010) | NIDS | Signature based detection | On each VM | Secures VM from DDoS attacks | Can only detect known attacks
NIDS in open source Cloud (Mazzariello et al., 2010) | NIDS | Signature based detection | On traditional network | Can detect several known attacks | Cannot detect insider attacks or unknown attacks
IDS as a Service (Hamad and Hoby, 2012) | NIDS | Signature based detection | Snort is provided as a web service | - | Cannot detect unknown attacks
EDoS protection (Sandar and Shenai, 2012) | NIDS | Signature based detection | On traditional network | Lets the user detect known attacks on his/her running service; blocks HTTP and XML based DDoS attacks | Cannot detect unknown attacks
Cloud based IDS for mobile phones (Houmansadr et al., 2011) | NIDS | Anomaly detection | On VM | Detects malicious behavior on smartphones | Cannot be used as general purpose
Cooperative agent based approach (Lo et al., 2008) | DIDS | Signature based detection | On each Cloud region | Prevents system from single point of failure; detects DDoS attacks in the whole cloud environment | Cannot be used for all types of attacks; computational overhead is high
Mobile agent based approach (Dastjerdi et al., 2009) | DIDS | Anomaly detection | On each VM | Provides IDS for Cloud applications regardless of their location | Produces network load as the number of VMs attached to a mobile agent increases
Mutual agent based approach (Ram, 2012) | DIDS | Signature based detection | On each Cloud region | - | Cannot be used to detect unknown attacks; high computational cost
VMI-IDS based architecture (Garfinkel and Rosenblum, 2003) | Hypervisor-based | Anomaly detection | On hypervisor | Detects attacks on VMs | VMI-IDS can be attacked; very complex method
Xen based Host system firewall (Fagui et al., 2009) | - | Prevention | On each Host | Prevention using user configured rules | Not used for preventing unknown attacks
IPS model based on cloud firewall linkage (Jia and Wang, 2011) | HIPS | Anomaly prevention | In internal network | Can be used for real time interactive defense and better optimization of the Cloud firewall | Experimental results are not yet available
CP based approach (Guan and Bao, 2009) | - | Anomaly detection | - | Used to detect all types of attacks; solves the limitation of computing time | Experimental results are not yet available
Table 2 - Cloud IDS/IPS Management Authority
IDS/IPS Type | Characteristics/strengths | Limitations/Challenges | Positioning in Cloud | Deployment and monitoring authority
HIDS | Identifies intrusions by monitoring the host's file system, system calls or network events. No extra hardware required. | Needs to be installed on each machine (VMs, hypervisor or host machine). Can monitor attacks only on the host where it is deployed. | On each VM, hypervisor or host system. | On VMs: Cloud users. On hypervisor: Cloud provider.
NIDS | Identifies intrusions by monitoring network traffic. Needs to be placed only on the underlying network. Can monitor multiple systems at a time. | Difficult to detect intrusions in encrypted traffic. Helps only in detecting external intrusions. Difficult to detect network intrusions in a virtual network. | In external network or in virtual network. | Cloud provider.
Hypervisor based IDS | Allows the user to monitor and analyze communications between VMs, between hypervisor and VM, and within the hypervisor based virtual network. | New and difficult to understand. | In hypervisor. | Cloud provider.
DIDS | Uses characteristics of both NIDS and HIDS, and thus inherits benefits from both of them. | Central server may be overloaded and difficult to manage in a centralized DIDS. High communication and computational cost. | In external network, on host, on hypervisor or on VM. | On VMs: Cloud users. For other cases: Cloud provider.
IPS | Prevents intrusion attacks. NIPS prevents network attacks. HIPS prevents system level attacks. | Detection accuracy for preventing attacks is lower than IDS. | For NIPS: In external/internal network. For HIPS: On VM or hypervisor. | NIPS: Cloud provider. HIPS on VM: Cloud user. HIPS on hypervisor: Cloud provider.
IDPS | Effectively detects and prevents intrusion attacks. | Complex architecture. | Network based IDPS: In external/internal network. Host based IDPS: On VM or hypervisor. | NIDPS: Cloud provider. HIDPS (on VM): Cloud user. HIDPS (on hypervisor): Cloud provider.
Juxtaposing Figure 6, Table 1, Table 2 and the Gartner cloud deployment use cases, general rules for both detection/alerting responsibility and response/remediation responsibility in enterprise cloud deployment scenarios can be inferred. These rules are summarized in Tables 3 to 7 and represent a useful Cloud Computing IDS Readiness Review guideline. This type of information could be used to enhance organizational policy and practice when public IaaS providers are used.
Table 3 - Scenario: Internal (Private) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP Networks; DIDS - Internal infrastructure; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSB
  (blank)
Community
  (blank)
Table 4 - Scenario: Internal (Private) - External (Community)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/Community Network; NIDS - Intra-Enterprise Networks
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSP
  (blank)
CSB
  (blank)
Community
  Deploy/Monitor: NIDS - Inter-Enterprise Networks
  Notify/Alert: Other potentially exposed Enterprise(s); Other potentially exposed communities
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
Table 5 - Scenario: Internal (Private) - External (Public) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP network; NIDS - Inter-CSP network
  Notify/Alert: Relevant CSP(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP Networks; DIDS - Internal infrastructure; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSB
  (blank)
Community
  (blank)
Table 6 - Scenario: Internal (Private) - CSB - External (Public or Community)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/CSP Network; NIDS - Enterprise/CSB Network
  Notify/Alert: Relevant CSP(s); Relevant CSB(s)
  Response/Remediation: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP Networks; DIDS - Intra-CSP; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSB
  Deploy/Monitor: NIDS - Inter-CSP Networks; NIDS - Intra-CSB Networks; DIDS - Intra-CSB; NIPS - Inter-CSP networks; NIPS - Inter-CSB Networks
  Notify/Alert: Other potentially exposed CSP(s); Other potentially exposed CSB(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
Community
  (blank)
Table 7 - Scenario: Internal (Private) - External (Community) - External (Public)

Enterprise
  Deploy/Monitor: HIDS - Virtual Machines; NIDS - Enterprise/Community Network; NIDS - Intra-Enterprise Networks
  Notify/Alert: Relevant CSPs
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSP
  Deploy/Monitor: HIDS - Hypervisors; NIDS - Intra-CSP Networks; DIDS - Internal infrastructure; Hypervisor based IDS - Hypervisors; NIPS - Intra-CSP networks; HIPS - Hypervisors
  Notify/Alert: Other potentially exposed Enterprise(s)
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
CSB
  (blank)
Community
  Deploy/Monitor: HIDS - Community Managed Virtual Machines; NIDS - Intra-Community Networks; NIDS - Inter-Community Networks; NIDS - Inter-CSP Networks
  Notify/Alert: Other potentially exposed Enterprise(s); Relevant CSPs; Other potentially exposed communities
  Response/Remediate: Monitor all VMs for intrusion; Remediate as required
Public IaaS Marketplace Leaders (Gartner, 2013)
In 2013, Gartner identified fifteen IaaS providers as "Magic Quadrant" marketplace leaders. This designation covered all the common use cases for cloud IaaS, including development and testing, production environments (including those supporting mission-critical workloads) for both internal and customer-facing applications, batch computing (including high-performance computing [HPC]) and disaster recovery. All the providers claim to have high security standards, but the extent of their security controls varied significantly. All providers offer multifactor authentication and most offer additional security services. All evaluated providers also met common regulatory compliance needs (SSAE 16, ISO 27001, etc.).
Magic Quadrant providers also offered a firewall and intrusion detection/prevention system (IDS/IPS) as part of their offering. Although a few offer only access control lists (ACLs), none offered any self-service network security. All providers offer customers a self-service ability to create complex network topologies with multiple network segments and multiple virtual network interface cards (NICs).
All the providers allow customers to bring their own VM images: customers can create snapshots of existing VMs within their own internal data center and then directly import them into the provider's cloud. This also allows the import of VM appliances and other prepackaged VM images from independent software vendors (ISVs).
Public IaaS Security
As part of the Magic Quadrant analysis, Gartner also compared these same 15 public cloud IaaS providers against nine critical capabilities across four use cases. The security and compliance capability encompasses features that are important to security, compliance, risk management and governance. It covers specific security measures such as network access control lists (ACLs), intrusion detection and prevention systems (IDS/IPS), multifactor authentication and encryption. It also includes aspects such as the availability of audits, logging and reporting, and the ability to use the service if you have regulatory compliance needs, such as those of the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
This was a comparison of broad categories, not granular capabilities; the categories are inclusive of a range of features, and Gartner does not provide a comprehensive list of these features. Because each category includes a large number of features, the scoring in each category is directional. In general, a score of 3 indicates that a provider is able to fulfill the most critical features in that category. However, a provider may be missing some important features in that category yet have other strengths that increase its score in that category. Comparison results are provided in Table 8.
Table 8 - Gartner IaaS Magic Quadrant CSP Security Ratings

Product                                            Security and Compliance Rating
Amazon Web Services                                3.7
CSC BIZ-Cloud VPE                                  4
Dimension Data Public CaaS                         2.7
Fujitsu Cloud IaaS Trusted Public S5               2.5
GoGrid                                             3.8
HP Public Cloud                                    1.3
IBM SoftLayer CloudLayer Computing                 3.1
IBM Smart-Cloud Enterprise                         1
Joyent                                             3.2
Microsoft Windows Azure Infrastructure Services    1.7
Rackspace Public Cloud                             2.3
Savvis Symphony VPDC                               4.5
Tier 3                                             2
Verizon Terremark Enterprise Cloud                 4.7
Virtustream                                        5
Expert Observation (Leong, 2013)
During this survey project, there was also an opportunity to interview Ms Lydia Leong, a Research Vice President at Gartner. Ms Leong's research focus is on cloud computing, particularly infrastructure as a service (IaaS). Because cloud computing is reshaping the IT landscape, her research covers a broad range of topics related to the transformation of IT organizations, data centers and technology providers. She works primarily with IT organizations, but also produces strategic and quantitative research targeted at service providers, vendors and investors. She was also Gartner's Analyst of the Year in 2010. During the interview, Ms Leong highlighted the following points.
o Cloud infrastructure security is a shared responsibility between the service provider and the user. The user is generally responsible for host-based security while the CSP is responsible for network-based security.
o Initially, customers request the provisioning of the maximum level of available security, including IDS and IPS, but typically balk at the price. They typically finalize on simple firewall and ACL solutions.
o CSPs typically give the user full access to and control of the firewall.
o While IDS and IPS services are offered by a few CSPs, customers are typically not willing to bear the high cost. High marketplace cost is driven by CSP inability to mass-configure these types of solutions.
o Security breaches are typically seen at the application level, not within the infrastructure.
o No hypervisor attacks have been observed to date.
Public Cloud Intrusion Detection Conclusions and Recommendations
There is a significant amount of published literature and ongoing research on public IaaS security. Unfortunately, the hard lessons learned in the development of modern and robust enterprise IT platforms are not being applied as these same enterprises transition to cloud computing. This survey has led me to the following conclusions:
o IDS responsibilities are driven by the relevant deployment scenario.
o IDS and IPS use is not prevalent in the marketplace due to high cost.
o If IDS or IPS is used, the use scenario will drive IDS detection, response and remediation planning.
o A Cloud IDS Readiness Chart should be used to evaluate Enterprise, CSP, CSB and Community IDS readiness.
Economic pressures to leverage the scale and efficiencies of cloud platforms are butting up against the economic pressures of paying for adequate security. To help balance these competing requirements, managers should understand what risks are being assumed under the relevant cloud deployment scenario. Senior IT managers should also develop their own Cloud Computing IDS Readiness Review guideline and institutionalize that guidance as part of their organization's cloud deployment strategy.
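The readiness review recommended here, and the responsibility rules of Tables 3-7 it builds on, can be turned into a simple gap analysis. The following is an added example, not code from the paper: the Deploy/Monitor responsibilities of Tables 3 and 4 are transcribed as required control sets, and each party's actually deployed controls (a constructed sample, including a control the tables do not ask for) are compared against them so that every gap is surfaced as risk the enterprise is implicitly accepting. The control name strings and the sample deployment are assumptions made for illustration.

```python
"""Cloud IDS readiness review (added example): compare the IDS/IPS controls each
party actually operates against the Deploy/Monitor responsibilities the paper's
Tables 3 and 4 assign to that party for a given deployment scenario."""

# Deploy/Monitor responsibilities transcribed from Tables 3 and 4.
# Keys are the paper's scenario names; values map role -> required controls.
# The "Type: Location" naming of controls is an assumption for this example.
REQUIRED_CONTROLS = {
    "Internal (Private) - External (Public)": {            # Table 3
        "Enterprise": {"HIDS: Virtual Machines", "NIDS: Enterprise/CSP network"},
        "CSP": {"HIDS: Hypervisors", "NIDS: Intra-CSP networks",
                "DIDS: Internal infrastructure", "Hypervisor-based IDS: Hypervisors",
                "NIPS: Intra-CSP networks", "HIPS: Hypervisors"},
    },
    "Internal (Private) - External (Community)": {         # Table 4
        "Enterprise": {"HIDS: Virtual Machines", "NIDS: Enterprise/Community network",
                       "NIDS: Intra-Enterprise networks"},
        "Community": {"NIDS: Inter-Enterprise networks"},
    },
}

# Constructed sample input: what each party reports as actually deployed.
# The enterprise skipped its NIDS; the CSP skipped DIDS but runs an extra WAF.
SAMPLE_DEPLOYED = {
    "Enterprise": {"HIDS: Virtual Machines"},
    "CSP": {"HIDS: Hypervisors", "NIDS: Intra-CSP networks",
            "Hypervisor-based IDS: Hypervisors", "NIPS: Intra-CSP networks",
            "HIPS: Hypervisors", "WAF: Virtual Machines"},
}

def readiness_review(scenario, deployed):
    """Return {role: {"missing": [...], "extra": [...], "ready": bool}}.
    A missing control is a detection gap the enterprise is implicitly accepting
    as risk; an extra control is deployed but not required by the scenario."""
    report = {}
    for role, needed in REQUIRED_CONTROLS[scenario].items():
        have = set(deployed.get(role, ()))          # absent role -> nothing deployed
        missing = sorted(needed - have)
        report[role] = {"missing": missing, "extra": sorted(have - needed),
                        "ready": not missing}
    return report

def roles_with_gaps(report):
    """Roles whose Deploy/Monitor obligations are not fully met."""
    return sorted(role for role, r in report.items() if not r["ready"])

if __name__ == "__main__":
    scenario = "Internal (Private) - External (Public)"
    for role, r in readiness_review(scenario, SAMPLE_DEPLOYED).items():
        status = "READY" if r["ready"] else "GAP"
        print(f"{role:10} {status:5} missing={r['missing']} extra={r['extra']}")
```

Extending the review to the remaining scenarios means transcribing Tables 5-7 into REQUIRED_CONTROLS in the same shape; the Notify/Alert and Response/Remediate rows could be added as further per-role fields if an organization wants them checked too.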
Works Cited
Alharkan, T. (2013). IDSaaS: Intrusion Detection Systems as a Service in Public Clouds. Kingston, Ontario, Canada: Queen's University.
Chirag Modi, D. P. (2013). A survey of intrusion detection techniques in Cloud. Journal of Network and Computer Applications, 42-57.
Gartner. (2012). Hybrid IaaS. Stamford, CT: Gartner Inc.
Gartner. (2013). Critical Capabilities for Public Cloud Infrastructure as a Service. Stamford, CT: Gartner Inc.
Gartner. (2013). Hype Cycle for Cloud Security. Stamford, CT: Gartner, Inc.
Gartner. (2013). Magic Quadrant for Cloud Infrastructure as a Service. Stamford, CT: Gartner Inc.
Gartner, Inc. (2013, December 12). Gartner Says the Road to Increased Enterprise Cloud Usage Will Largely Run Through Tactical Business Solutions Addressing Specific Issues. Retrieved from www.gartner.com: http://www.gartner.com/newsroom/id/2581315
Leong, L. (2013, November 25). Cloud Computing Market Analyst. (K. L. Jackson, Interviewer)
Peter Mell, T. G. (2013, November 29). The NIST Definition of Cloud Computing. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800145/SP800-145.pdf
Wikipedia. (2013, December 12). Cloud Computing. Retrieved from en.wikipedia.org: http://en.wikipedia.org/wiki/Cloud_computing