Gatekeeping for the Cloud
Written by Cheryl Gerber
MIT 2010 Volume: 14 Issue: 7 (August)
The authentication of users to assure security in cloud computing is more complex and demanding than meets the eye. It is the frontline of security, experts say, for if the authentication goes wrong, a domino effect of related security concerns comes tumbling down, from access control to fraud prevention and data leakage protection.
Hence, as the Department of Defense has embraced the cost advantages, ease of use and IT convenience of private cloud computing, the maintenance of secure authentication remains a top priority, as transparent private clouds evolve and increasingly interact while turbid public clouds begin to emerge on the horizon.
“If you are going to operate in a public cloud, you have to be concerned about data integrity and user access security, issues that are already addressed in a private cloud,” said Alfred Rivera, director of the Defense Information Systems Agency (DISA) Computing Services Directorate.
Rivera pointed to the Rapid Access Computing Environment (RACE), DISA’s cloud computing initiative. “We purposely put RACE in a private cloud on the NIPRNet,” he said. “We did not bolt on authentication. We built it into the infrastructure before we went live with RACE in 2008.”
One of the first policy considerations when deciding how to achieve effective authentication is how many factors to require in the process of validating users. That depends on the context and classification level of the network to which users—or data representing users—are authenticating. A sensitive but unclassified (SBU) or controlled unclassified information environment requires only one or two factors, while a secret network such as SIPRNet, or the Joint Worldwide Intelligence Communications System for carrying top secret/sensitive compartmented information, requires three or four factors and/or additional layers.
Major industry players such as HP believe that more is better to assure high degrees of security. “The odds of misidentifying individuals decrease with the number of factors you use,” said Michael Donovan, chief technologist, strategic capabilities, Hewlett Packard Enterprise Services. DISA utilizes various HP technologies in RACE.
The four basic factors in the authentication process include something users have, know, are (biometrics such as fingerprinting and retina scans) and where they are located at the time they are signing into the network.
Authentication is both software- (password or PIN) and hardware-based, as with the Common Access Card (CAC). “We use basic, two-factor authentication for access to the network. First, there is validation with the CAC and second, there are virtual private network [VPN] credentials. Users must enter their PIN. Once they are authenticated to use RACE, they also have VPN and application authentication,” said Rivera.
DISA’s two-factor authentication satisfies the DoD Information Assurance Certification and Accreditation Process (DIACAP), he noted.
RELIABLE AND USABLE
The key to effective authentication is a balance between reliability and usability. “Our objective is to assure that RACE is accessible anywhere on the network no matter where you are,” Rivera said. Two-factor authentication seems to have struck a chord in the military. “Most networks are going to two-factor authentication, even the Army Knowledge Online,” said Tim Gibson, director of cybersecurity capability development, HP Enterprise Services. The AKO is a portal for quick access to practical information for soldiers and civilians.
Nonetheless, user authentication is not one size fits all, and there are various methods used to determine what fits best on a case-by-case basis. “There is a need to be pragmatic about how to implement two-factor versus multi-factor authentication based on the risk level of the network you are protecting. Assign a rate of zero to 100 for impact of exposure. Then group it into 0 to 10, 10 to 40 and 40 to 60 to determine which degree of multi-factor to apply,” said Donovan. HP oversees user authentication for the continuity of services contract extension of the Navy Marine Corps Intranet (NMCI), using CAC-based authentication to NMCI resources.
Effective authentication can prevent impersonation, an attempt to break into a network by masquerading as an authorized user. “Given that disinformation is a classic attack vector, it truly is a risk exercise. You want to have enough tests to be sure that the credentials of users are authorized,” Donovan said.
Determining the degree of secure authentication is linked to the chain of permissions. “The least privileged is a time-based and resource-access-based temporary token,” he noted.
At the same time, the longer an authentication method has been in use, the less secure it is. “Two-factor authentication is usually sufficient for strong security as long as it is based on strong mechanisms. For instance, a user-created four-character PIN that never changes is not as strong as a machine-generated random pass code that is updated every three months,” said Dave King, technical director, secure voice and data products at General Dynamics C4 Systems.
“It’s better not to use the same category of authentication twice. A password and a CAC are stronger than a PIN and a password. The reason is that I can find a way to social-engineer your password and PIN. So being diverse in your authentication methods is a better way to go,” King said.
PUBLIC CLOUDS
Given the high value in the variety and volume of unclassified information, DoD and the intelligence community are also looking at ways to secure both user authentication and data in public clouds. One company involved in this effort is SBU Advisers, which specializes in SBU information-sharing.
The company’s product, SCoI (Secure Communities of Interest) provides secure information sharing in public clouds. The security lies in the encryption of data at rest and a combination of software and hardware for user authentication.
“There’s a significant difference between user authentication in a private cloud and a public cloud. The people who access a private cloud are known, so there is a level of trust already established and the private cloud controls the access. The insider threat is more of a concern there,” said Herb Kelsey, managing director.
“However, in a public cloud you do not have the same first line of defense in which you control the network and authorize who’s on that network. You have no idea who may or may not have access to your data, including the people who manage it and the other users alongside you on that system. Additionally, you will not know which servers are storing your data, so protecting your data while it is stored in the public cloud is critical,” he said.
Kelsey emphasizes the importance of strong user attribution and security processes in public clouds. “The whole reason you want to authenticate people is to attribute good and bad actions to them. As soon as the data is unencrypted, the game is over. That’s when the insider threat rises. So you must know when you expose the unencrypted data to the user to make sure to retain control of the data, to prevent it from being shared inappropriately,” he said.
McAfee, meanwhile, wraps authentication into a larger portfolio offering. In March, DISA awarded the company a multiyear enterprise license with DoD for multifaceted security management. It includes the maintenance and continuous enhancement of DISA’s Host Based Security System (HBSS).
McAfee Host Intrusion Prevention Systems (HIPS) is the underlying technology of the DISA HBSS solution, which the agency has been expanding throughout DoD, including to the Air Force, via a follow-on Network Centric Solutions contract, and to the SIPRNet.
For large-scale security management, McAfee uses ePolicy Orchestrator (ePO), among other products, for the HBSS. “Through ePO, our centralized policy enforcement tool to manage policy across the organization, we can turn on any number of our partners’ user authentication and sign-on solutions,” said Scott Chasin, chief technology officer, McAfee Content and Cloud Security.
“When we look at identity security in the cloud, we think the solution starts with a single sign-on. Then you have the ability to layer on either two-factor or multi-factor authentication as well as compliant fraud detection and advanced access control technologies,” said Chasin.
From a security management perspective, McAfee couples user authentication with access control. “It’s important to look at the full context of an access request, including identity, role and attribute-based access control,” said Chasin.
User authentication in cloud computing does not always originate with a human being as the user. There is also a growing degree of automated authentication. “Authentication is also about authenticating transactions from one application to another or from one cloud to another. However, whether it’s a session-based layer with people authenticating, or a transaction-based layer with systems authenticating, identity is the centerpiece for how security is managed,” he added.
SOFTWARE SOLUTIONS
One of the largest worldwide providers of information security is RSA, the security division of EMC Corp. RSA SecurID provides both hardware- and software-based two-factor authentication. The software represents something a user knows, while the hardware is something a user has: a physical secure token, similar to a USB thumb drive. The software solution automatically changes the pass code every 60 seconds. The RSA SecurID 800 Hybrid Authenticator adds a smart chip to the hardware for additional security.
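The rotating 60-second code described above, and King's earlier point that a machine-generated code that changes beats a static PIN, are easiest to understand from the verifier's side. The following is an added example and is not code from the article or from RSA: it implements the open RFC 4226/6238 HOTP/TOTP construction with a 60-second step (SecurID's own algorithm is proprietary and differs), and adds the two checks a server needs, constant-time comparison and replay rejection of an already-consumed step. The secret, the skew of one step, and the function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the rotation interval; 60 seconds matches the interval quoted for
// the SecurID token, but the algorithm below is RFC 6238 TOTP, not RSA's.
const Step = 60 * time.Second

// HOTP computes a 6-digit RFC 4226 code for a counter using HMAC-SHA1.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 5.3)
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// CounterAt maps wall-clock time onto the current step number.
func CounterAt(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(Step/time.Second)
}

// TOTP is the code the token displays at time t.
func TOTP(secret []byte, t time.Time) string { return HOTP(secret, CounterAt(t)) }

// Verifier is the server side: it holds the shared secret, tolerates a
// little clock skew, and remembers the last accepted step so that a code
// captured in transit cannot be replayed while it is still in the window.
type Verifier struct {
	secret   []byte
	skew     int   // steps tolerated either side of "now"
	lastUsed int64 // highest step already consumed; -1 means none yet
}

func NewVerifier(secret []byte, skew int) *Verifier {
	return &Verifier{secret: secret, skew: skew, lastUsed: -1}
}

// Verify accepts a given step's code at most once. The comparison is
// constant-time so response timing does not leak how many digits matched.
func (v *Verifier) Verify(code string, now time.Time) bool {
	c := int64(CounterAt(now))
	for d := -v.skew; d <= v.skew; d++ {
		cand := c + int64(d)
		if cand < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(v.secret, uint64(cand))), []byte(code)) != 1 {
			continue
		}
		if cand <= v.lastUsed {
			return false // replay of a step that was already consumed
		}
		v.lastUsed = cand
		return true
	}
	return false
}

func main() {
	secret := []byte("constructed-demo-secret") // assumption: shared at enrolment
	v := NewVerifier(secret, 1)
	now := time.Now()
	code := TOTP(secret, now)
	fmt.Println("first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The replay check is what turns "the code changes every minute" into an anti-replay service: without `lastUsed`, a code observed on the wire stays valid for the whole skew window, which is exactly the gap Chokhani's later remarks about anti-replay services refer to.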
One of RSA’s software solutions, Adaptive Authentication, follows users beyond initial authentication in software-as-a-service deployments. As a risk and fraud detection platform, it uses multifactor authentication and measures more than 100 risk indicators as it monitors user activities based on profiles and policies. A unique risk score is assigned to each user activity. RSA assesses authentication risk based on the financial motivation of a potential threat. “Degree of security is directly proportional to the increasing cost to break,” said Sam Curry, RSA chief technologist, adding that the assessment includes the cost of breaking systems using other systems.
Curry points out that the growing adoption of cloud computing and data-to-data authentication exposes the security vulnerability of software. “Cloud infrastructure shakes up the trust we have established. It’s freed up everyone from the hardware, but now the software is a single point of failure,” he said. “With the Common Criteria certification’s seven earned assurance levels, if you need to reach the highest levels of security, you have to be in hardware.”
The Common Criteria for Information Technology Security Evaluation is an ISO standard for computer security certification. It specifies the security requirements for compliance at seven different Evaluation Assurance Levels, with EAL 1 the most basic and least expensive and EAL 7 the most stringent and expensive to implement.
The bottom line is that hardware is more difficult and expensive to break than software. “Although hardware technology is harder to innovate and slower to update, compared with software, which is fast and easy, hardware is trusted because there are fewer scenarios under which it can be broken, and those scenarios cost more,” he said.
Increased mobility is also one of the advantages and problems of cloud computing. “There are tradeoffs in the cloud to achieve higher security. Previously, you could be sure of location. You could point to a physical machine with the data in it. But now, your data can go anywhere so you need the ability to determine how and where the data will flow. It’s up to us to build controls and define channels which carry out policies. And we need the ability to authenticate what the data is running on to see if it’s an approved place to be,” said Curry.
PUBLIC KEYS
Public key infrastructure (PKI) is a classic cryptographic method of authenticating users and data to systems. It relies on a pair of mathematically linked keys: what one key encrypts, only the other can decrypt. One is a public key; the other is a private key, and the private key cannot be derived from the public key. A certification authority records the linking of the user or data to its public key in a digitally signed document called a public key certificate, which can be used for Secure Sockets Layer (SSL) clients, servers, email and other venues.
SSL is a network protocol for assuring secure transmission of data on the Internet. SSL is gradually being superseded by the next version of the protocol, called Transport Layer Security (TLS).
“If one uses PKI and the CAC with client-authenticated SSL, it will provide strong authentication in cloud computing. With client-authenticated SSL, the clients authenticate themselves with a private key. Unless there is a Trojan horse in the client machine, the client cannot be masqueraded,” said Santosh Chokhani, founder and chief executive officer of CygnaCom Solutions, a subsidiary of Entrust.
CygnaCom specializes in providing PKI and cryptography technology and services. The company also runs two labs, accredited by the National Institute of Standards and Technology (NIST) and NSA, for testing products. One is the Security Evaluation Laboratory, which tests for compliance with Common Criteria. The other is the Cryptographic Equipment Assessment Laboratory, which tests hardware and software cryptographic modules for compliance with the Federal Information Processing Standard 140-2 for security.
The higher the security level, the deeper security experts dig into the technology. “As applications become more sensitive, it becomes more important to have strong authentication. In the cloud environment, cryptographic secrets derived from the authentication protocol should be used to secure the communication channel used for subsequent transactions with appropriate confidentiality, integrity and anti-replay services applied,” said Chokhani.
Chokhani created three sections of the X.509 ISO standard used for PKI and privilege management infrastructure. “The three sections I wrote are the certification path validation, the processing for the certificate revocation list and the policy processing,” he said.
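Two of the three X.509 processing steps Chokhani names, certification path validation and certificate revocation list processing, are exactly what a server performs on the client certificate in the client-authenticated SSL/TLS setup he describes above. The following is an added example, not code from the article, CygnaCom or Entrust: it builds a constructed in-memory CA with Go's standard `crypto/x509`, issues a certificate restricted to the client-authentication key usage, validates the path to the trusted root, and then processes a CRL signed by the issuer. The CA name, serial numbers, validity periods and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed in-memory PKI: one self-signed CA plus one
// client certificate it issued. Names and serials are illustrative only.
type DemoPKI struct {
	CACert *x509.Certificate
	CAKey  *ecdsa.PrivateKey
	Client *x509.Certificate
	Roots  *x509.CertPool // trust anchors the relying party is configured with
}

func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI creates the CA and issues a certificate whose extended key
// usage allows only TLS client authentication.
func NewDemoPKI(now time.Time) (*DemoPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Private Cloud CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign certs and CRLs
	}
	caCert, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "demo.user"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, err := newCert(clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &DemoPKI{CACert: caCert, CAKey: caKey, Client: client, Roots: roots}, nil
}

// IssueCRL signs a revocation list naming the given serial numbers.
func (p *DemoPKI) IssueCRL(now time.Time, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// VerifyClient is the relying party's check: certification path validation
// to a trusted root for the client-auth usage, then CRL processing (the CRL
// must be signed by the issuer, must be fresh, and must not list this serial).
func VerifyClient(cert *x509.Certificate, roots *x509.CertPool, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(rl.NextUpdate) {
		return errors.New("CRL is stale; fail closed rather than assume not revoked")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

func main() {
	now := time.Now()
	pki, err := NewDemoPKI(now)
	if err != nil {
		panic(err)
	}
	crl, _ := pki.IssueCRL(now)
	fmt.Println("valid client:", VerifyClient(pki.Client, pki.Roots, pki.CACert, crl, now))
	crl, _ = pki.IssueCRL(now, pki.Client.SerialNumber)
	fmt.Println("revoked client:", VerifyClient(pki.Client, pki.Roots, pki.CACert, crl, now))
}
```

Two design points are worth noticing. Setting `KeyUsages` to client authentication is deliberate: Go's verifier defaults to server authentication, so a client certificate validated with the defaults would be rejected, and a server that silently relaxed the check would accept any certificate the CA ever issued. And a stale CRL is treated as a failure, not as "nothing revoked", since an attacker who can suppress CRL downloads should not be able to keep a revoked credential alive.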
Just as cloud computing is evolving, so are the standards to secure it. One example is Microsoft’s Cryptographic API (CAPI) toolkit, which complies with X.509. “CAPI has security problems in processing some of the X.509 extensions. In addition, the way CAPI and CNG build certification paths can lead to excessive delays, denial of service and erroneous results,” Chokhani said.
CAPI is evolving into Cryptographic Next Generation (CNG), which may resolve these security issues eventually.
Given the paradigm shift of cloud computing, it seems natural for security to be a problem. “Security is more complex in the distributed model of cloud computing since security is better when it’s centralized,” said Doc Shankar, distinguished engineer, IBM Federal.
“Surveys show the top concerns with cloud computing are security, availability and trustworthiness. To establish adequate security and trust depends on how you write the service level agreement [SLA] between the customer and the provider,” he said. The SLAs established in contracts specify agreed-upon levels of performance, and not meeting those levels often results in penalties.
Security experts concur that more is better. “Good security always uses layers of defense. Five fences are better than two fences,” said Shankar, while adding that the type of authentication implemented depends on the situation.
“If users are logging on at home at night, then you would want multifactor authentication. If users are logging on in a secure building, then one factor could be sufficient. If privileged users are accessing sensitive information from an insecure area at an insecure time, say at 3 a.m., then you want to be sure that the information is absolutely secure,” he said.
Shankar and other technology experts say that protecting data is still their biggest concern with cloud computing. “We’re not ready yet to put the most sensitive data on the cloud. The biggest concern is protecting the authentication database. It’s outside your premises now, not physically located in an IT shop, and often you don’t know where it’s stored and protected. It could be located far away in a foreign country. Right now, you protect it by writing good SLAs,” he said.
DESIGNED FROM SCRATCH
Another concern with the service-oriented architecture of cloud computing is the abstraction of users from the actions they take on a system. “When automated services are acting on behalf of users, they are not automatically attributable,” said Robert Ames, deputy chief technology officer of IBM Federal. “We’re decoupling the infrastructure, so we must look at how we have a true understanding of who is doing what to whom and when.”
This includes the need to assure that re-authentication is to the correct data, and that authentication is sustained throughout the system. “There’s an identity chain that impersonates the user at every level, so we need to verify at every step of identity propagation at every level,” said Shankar.
The Air Force and IBM are now tackling the problem by designing security from scratch into cloud infrastructure. In December 2009, the Air Force awarded IBM Research a task order to develop and demonstrate a secure cloud computing infrastructure pilot that could support defense and intelligence networks. The mission-oriented cloud architecture hardware and software solution will provide virtualization of physical computing assets, remote management, automated security policy enforcement, mission-prioritized work flow management and dynamic scalability, Ames said.
Other cloud security issues include wireless and remote user authentication. To allay some of those concerns, a NIST standard provides minimum technical requirements for remotely authenticating the identity of users at four levels of authentication. But as software-based authentication grows, so does the need for more specific security rules about which type of authentication may flow from one computing zone to another.
Increasingly, user authentication is not provided a la carte, but wrapped into cloud hosting solutions provided by such companies as NaviSite, which complies with NIST recommended security controls for federal information systems.
Many cloud providers are keenly aware of the security issues and turn to the standards to mitigate those concerns. “We have NIST auditors come in to assess our methodology and assure our compliance,” said Chris Patterson, product manager, NaviSite Infrastructure Services.
NaviSite also ties user authentication tightly to the application in use. “Each application requires something different,” said Patterson. The company determines which method of authentication to use based on the nature of the application.
Finally, the cloud security market seems to be consolidating by folding authentication into larger security offerings. In May, Symantec acquired Verisign’s identity and authentication business, which includes SSL Certificate and PKI services, Verisign Trust Services and Verisign Identity Protection Authentication Service. Like NaviSite, Verisign complies with the NIST standard.
“We have solutions that are appropriate for any of the four levels that NIST has released,” said Kerry Loftus, vice president of Verisign user authentication. The company also provides risk-based authentication techniques such as user patterns of behavior, geo-location and IP address to verify the legitimacy of the authentication. ♦