
    Technical Report on Deploying a highly secured OpenStack Cloud Infrastructure using BradStack as a Case Study

    Cloud computing has emerged as a popular paradigm and an attractive model for providing a reliable distributed computing model. It is increasingly attracting huge attention both in academic research and industrial initiatives. Cloud deployments are paramount for institutions and organizations of all scales. The availability of a flexible, free open source cloud platform designed with no proprietary software and the ability of its integration with legacy systems and third-party applications are fundamental. OpenStack is a free and open-source software released under the terms of Apache license with a fragmented and distributed architecture making it highly flexible. This project was initiated and aimed at designing a secured cloud infrastructure called BradStack, which is built on OpenStack in the Computing Laboratory at the University of Bradford. In this report, we present and discuss the steps required in deploying a secured BradStack Multi-node cloud infrastructure and conducting Penetration testing on OpenStack Services to validate the effectiveness of the security controls on the BradStack platform. This report serves as a practical guideline, focusing on security and practical infrastructure related issues. It also serves as a reference for institutions looking at the possibilities of implementing a secured cloud solution. Comment: 38 pages, 19 figures

    Infrastructure as a service: exploring network access control challenges

    Cloud Computing Infrastructure as a Service (IaaS) is a great model for outsourcing IT infrastructure. It is built to offer fascinating features to support business development, such as elasticity, multi-tenancy, configurability and dynamicity. However, IaaS faces security challenges on account of its flexible nature. For this article, we studied the IaaS characteristics and investigated their related security challenges. We then elaborated these security challenges by exploring the security threats on live virtual machine migration as it is one of the main IaaS operations. We found that proper access control techniques and models are a critical element in enhancing IaaS and mitigating the identified security threats. Therefore, we investigated and contrasted the implemented and the proposed firewall architectures in IaaS as a firewall is a basic security appliance that enforces access control. We also explored and contrasted the proposed access control models in the IaaS. It was found that the traditional firewalls and access control models were not sufficient for IaaS. Therefore, there is a need to develop a proper access control model and enforcement techniques to mitigate IaaS security threats. Based on the security research trend and the results obtained in this article's exploration, we endorse an IaaS access control system built on a computational intelligent approach.

    Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems

    Computer networks are undergoing a phenomenal growth, driven by the rapidly increasing number of nodes constituting the networks. At the same time, the number of security threats on Internet and intranet networks is constantly growing, and the testing and experimentation of cyber defense solutions requires the availability of separate, test environments that best emulate the complexity of a real system. Such environments support the deployment and monitoring of complex mission-driven network scenarios, thus enabling the study of cyber defense strategies under real and controllable traffic and attack scenarios. In this paper, we propose a methodology that makes use of a combination of techniques of network and security assessment, and the use of cloud technologies to build an emulation environment with adjustable degree of affinity with respect to actual reference networks or planned systems. As a byproduct, starting from a specific study case, we collected a dataset consisting of complete network traces comprising benign and malicious traffic, which is feature-rich and publicly available

    Exploring the firewall security consistency in cloud computing during live migration

    Virtualization technology adds great opportunities and challenges to the cloud computing paradigm. Resource management can be efficiently enhanced by employing Live Virtual Machine Migration (LVMM) techniques. Based on the literature of LVMM implementation in the virtualization environment, middle-boxes such as firewalls do not work effectively after LVMM as it introduces dynamic changes in network status and traffic, which may lead to critical security vulnerabilities. One key security hole is that the security context of the firewall does not move with the Virtual Machine after LVMM is triggered. This leads to inconsistency in the firewall level of protection of the migrated Virtual Machine. There is a lack in the literature of practical studies that address this problem in cloud computing platform. This paper demonstrates a practical analysis using OpenStack testbed to study the firewalls' limitations in protecting virtual machines after LVMM. Two network scenarios are used to evaluate this problem. The results show that the security context problem does not exist in the stateless firewall but can exist in the stateful firewall.

    Improving Security in Software-as-a-Service Solutions

    The essence of cloud computing is about moving workloads from your local IT infrastructure to a data center that scales and provides resources at a moment's notice. Using a pay-as-you-go model to rent virtual infrastructure is also known as an Infrastructure-as-a-Service (IaaS) offering. This helps consumers provision hardware on-demand without the need for physical infrastructure and the challenges and costs that come with it. When moving to the cloud, however, issues regarding the confidentiality, integrity, and availability of the data and infrastructure arise, and new security challenges compared to traditional on-premises computing appear. It is important for the consumer to know exactly what is their responsibility when it comes to securing software running on IaaS platforms. Axis has one such software solution, henceforth referred to as the 'Axis-hosted cloud service'. There is a need for Axis to improve the client-cloud communication, and in this report, we detail a prototype solution for a new secure communication between client and cloud. Additionally, an evaluation of the prototype is presented. The evaluation is based on a model constructed by studying literature from state-of-the-art cloud service providers and organizations dedicated to defining best practices and critical areas of focus for cloud computing. This was collected and compiled in order to present a summary of the most important aspects to keep in mind when deploying software on an IaaS. It showed that the cloud service fulfills many industry best-practices, such as encrypting data in transit between client and cloud, using virtual private clouds to separate infrastructure credentials from unauthorized access, and following the guidelines from their infrastructure provider. It also showed areas where there was a need for improvement in order to reach a state-of-the-art level. The model proved to be a useful tool to ensure that security best practices are being met by an organization moving to the cloud, and specifically for Axis, the prototype communication solution can be used as a base for further development.

    Identity management in a public IaaS Cloud

    In this thesis the unique environment that is the public IaaS cloud along with its differences from a traditional data center environment has been considered. The Cloud Security Alliance (CSA) states that “Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today”. The CSA also points out that “there is a lack of consistent secure methods for extending identity management into the cloud and across the cloud” [1]. This thesis examines this challenge of managing identities in the cloud by developing a list of best practices for implementing identity management in the cloud. These best practices were then tested by simulated misuse cases which were tested in a prototype of the implementation strategy. The results and analysis of the misuse cases show that the implementation of the identity management solution solves the problem of managing identities for the control of the infrastructure in the cloud. However, the analysis also shows that there are still areas where the properly implemented identity management solution fails to mitigate attacks to the infrastructure. These failures in particular are attacks that are sourced from the subscriber environments in the cloud. Finally, the best practices from this thesis also present some consistent methods for extending identity management into the cloud.

    Concepts of Cloud Computing and Protection of Data in Cloud Computing

    The internet has changed the world in a strong way. It has traveled from the concept of parallel computing to distributed computing to grid computing and recently to cloud computing. Cloud computing is a recent trend in Information Technology that moves computing and data away from desktop and portable personal computers into large data center. The main advantage of cloud computing is the user cannot pay for infrastructure, its installation, required man power to handle such infrastructure and maintenance. Cloud computing technology is collecting success stories of savings, ease of use, ease of access and increased flexibility in controlling how resources are used at any given time to deliver computing capability. Cloud providers who can demonstrate that they protect personal information may be more truthful and therefore more attractive to potential Cloud users. The cloud service can be implemented in three different service models, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Data security and privacy protection issues are relevant to both hardware and software in the cloud architecture. This study is to review the concepts of cloud computing and different security techniques and protecting data in the cloud. Keywords: Cloud computing, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS). DOI: 10.7176/CEIS/10-4-01 Publication date: May 31st 201

    IaaS-cloud security enhancement: an intelligent attribute-based access control model and implementation

    The cloud computing paradigm introduces an efficient utilisation of huge computing resources by multiple users with minimal expense and deployment effort compared to traditional computing facilities. Although cloud computing has incredible benefits, some governments and enterprises remain hesitant to transfer their computing technology to the cloud as a consequence of the associated security challenges. Security is, therefore, a significant factor in cloud computing adoption. Cloud services consist of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing services are accessed through network connections and utilised by multi-users who can share the resources through virtualisation technology. Accordingly, an efficient access control system is crucial to prevent unauthorised access. This thesis mainly investigates the IaaS security enhancement from an access control point of view. [Continues.