Enterprise & Cloud Computing Security – Part II
By Evi Rachmilewitz, ClickSoftware Contributor
In the last cloud computing security post we looked at some of the overall security concerns of the cloud. The goal of this post is to show that the public clouds of leading providers are built to be secure; in fact, they are probably better defended than most in-house datacenters.
This post refers to the security measures taken by Amazon, one of the leading cloud computing providers. When architecting its IaaS offering, Amazon knew that security was the key to success: a provider that tolerates security holes in its cloud environment cannot grow or sustain a cloud computing business. Security is therefore built into the company's datacenters as an integral part of the design rather than bolted on afterwards.
Security in the IT world is made of several layers: the physical layer, the registration (account) layer, the API layer and the network layer. A comprehensive solution has to address each layer independently and strengthen the controls around it. Amazon does this in the following way:
Having been a world leader in online commerce for years, Amazon has long experience in constructing and operating large-scale datacenters. It uses nondescript facilities: several of its datacenters are located in unmarked buildings, some within residential neighborhoods, with no signage identifying the tenant. This is "security by obscurity", and it is only a complement to the real physical controls: access is controlled at the perimeter and at the building level by professional security staff using state-of-the-art intrusion detection systems, and authorized staff must pass two-factor authentication more than once to reach the datacenter floors. In short, Amazon's datacenters are the company's Fort Knox and are treated as such.
SAS 70 Type II Audit
Amazon has completed a Statement on Auditing Standards No. 70 (SAS 70): Service Organizations, Type II audit. A Type II report covers the operation of controls over a period, not just their design at a point in time, so it requires months of evidence collection in a steady state (Amazon cites six months) before the audit can begin. SAS 70 is defined by the American Institute of Certified Public Accountants (AICPA); this and similar attestations provide outside confirmation that the provider has established adequate internal controls and that they operated effectively during the review period. Note that the report covers the provider's controls over its own infrastructure; the security of what a subscriber builds on top of the service remains the subscriber's responsibility.
The registration layer of Amazon's cloud service consists of a billing validation process with several levels. In the first level subscribers enter their credit card details and billing address, and are then presented with a randomly generated PIN. In the second level subscribers are asked to call Amazon and enter that PIN, which ties the account to a phone number that can actually be reached. In the next phase subscribers provide their username and password; the password must be strong, mixing letters, numbers and special characters.
The API layer is protected with access credentials: every API call must be signed, and an unsigned or badly signed call is rejected. For the REST/Query interface the credential is an access key pair generated by Amazon, a public access key ID and a secret access key; the client computes a keyed hash (HMAC) of the request with the secret and sends the result along with the key ID, and Amazon recomputes the hash with the secret it has on file. For the SOAP interface the credential is an X.509 certificate. Subscribers can have Amazon generate the certificate and private key, or, better, generate the key pair on their own machine and upload only the certificate, so that the private key never leaves their control. Without getting into the bits and bytes of the cryptography: the certificate is public and contains the public key, while the matching private key stays with the subscriber. When the subscriber invokes an API request, the client signs the request with the private key and sends the signature together with the certificate. When the provider (Amazon) receives the request it checks that the certificate matches the one on file for the account, and then uses the public key in the certificate to verify the signature, which confirms that the request was produced by the holder of the private key and has not been modified in transit.
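The access-key path described above, as an added example that is not Amazon's code: the client signs a canonical form of the request with its secret key, the server looks the secret up by key ID, checks that the timestamp is fresh, recomputes the HMAC and compares it in constant time. The parameter names follow the style of the old Query API, but the canonicalisation and the credential store are assumptions made for this illustration.

```python
"""Signed API requests with a shared secret access key.

Added example, not Amazon's code. The parameter names (AWSAccessKeyId,
Signature, SignatureMethod, Timestamp) follow the style of the old Query API,
but the canonicalisation below is a simplified, assumed scheme, not AWS's.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Constructed server-side credential store: key ID -> secret. The secret is
# never sent on the wire; only the key ID and the signature are.
KEYSTORE = {"AKIAEXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

# How far a request's Timestamp may be from the server clock before it is
# treated as a replay or a badly skewed clock.
MAX_SKEW = timedelta(minutes=15)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def canonical_string(method, host, path, params):
    """Serialise the request deterministically so client and server sign the
    same bytes: method, host, path and the sorted, percent-encoded query
    (the Signature parameter itself is excluded)."""
    query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
        if k != "Signature"
    )
    return "\n".join([method.upper(), host.lower(), path, query])


def compute_signature(secret, string_to_sign):
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_request(access_key_id, secret, method, host, path, params, now):
    """Client side: add credentials and timestamp, then sign everything."""
    signed = dict(params)
    signed["AWSAccessKeyId"] = access_key_id
    signed["SignatureMethod"] = "HmacSHA256"
    signed["Timestamp"] = now.strftime(TS_FORMAT)
    signed["Signature"] = compute_signature(
        secret, canonical_string(method, host, path, signed))
    return signed


def verify_request(method, host, path, params, now):
    """Server side: look up the secret by key ID, check freshness, recompute
    the signature and compare in constant time. Returns (ok, reason); a real
    service would return only a generic failure to the caller."""
    secret = KEYSTORE.get(params.get("AWSAccessKeyId"))
    if secret is None:
        return False, "unknown access key"
    try:
        ts = datetime.strptime(params["Timestamp"], TS_FORMAT)
        ts = ts.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside window"
    expected = compute_signature(secret, canonical_string(method, host, path, params))
    if not hmac.compare_digest(expected, params.get("Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Happy path plus the three failure modes the server must catch."""
    now = datetime(2010, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    host, path = "ec2.amazonaws.com", "/"
    params = {"Action": "RunInstances", "ImageId": "ami-12345678",
              "MinCount": "1", "MaxCount": "1"}
    req = sign_request("AKIAEXAMPLE", KEYSTORE["AKIAEXAMPLE"],
                       "GET", host, path, params, now)
    return {
        "valid": verify_request("GET", host, path, req, now)[1],
        # Attacker changes a parameter in transit: the hash no longer matches.
        "tampered": verify_request("GET", host, path, dict(req, MaxCount="100"), now)[1],
        # The same signed request captured and replayed an hour later.
        "replayed": verify_request("GET", host, path, req, now + timedelta(hours=1))[1],
        # A key ID the service has never issued.
        "unknown_key": verify_request("GET", host, path,
                                      dict(req, AWSAccessKeyId="AKIAUNKNOWN"), now)[1],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

The three checks are independent: the timestamp window limits replay, the recomputed HMAC catches tampering and forged key IDs, and `hmac.compare_digest` avoids leaking how many bytes of a guessed signature were right.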
Key pairs control who can log in to a running instance. An EC2 key pair is an SSH key pair: the public key is placed on the instance when it launches and the private key stays with the subscriber, who needs it to log in. Subscribers can use the same key pair for all instances or a separate pair for a particular instance or type of instance. As with the X.509 certificate, the security of the scheme rests entirely on the private key, which must be kept secret; anyone who obtains it can log in to every instance launched with the matching public key.
Amazon's public cloud comes with a firewall in front of every instance. The inbound firewall defaults to deny: subscribers must explicitly allow inbound traffic by protocol, port range and source. Firewall changes cannot be made from inside the instance itself; they go through the API and therefore require the subscriber's credentials (the X.509 certificate and key, or the access keys) to authorize them. A compromised instance thus cannot open its own firewall, which adds an extra layer of security.
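The default-deny behaviour described above, as an added example and not Amazon's implementation: a packet is admitted only if some rule explicitly matches its protocol, destination port and source range, and an empty rule set admits nothing. The rule fields and the sample rule set (web ports open to the world, SSH only from one office range) are constructed for the illustration; the audit helper at the end flags the classic mistake of opening a non-web port to 0.0.0.0/0.

```python
"""Default-deny inbound firewall evaluation, in the style of EC2 security
groups. Added example, not Amazon's code; the rule fields and the sample
rule set are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "icmp"
    from_port: int   # inclusive port range (ignored for icmp here)
    to_port: int
    source: str      # CIDR the traffic may come from


# Constructed rule set for a web server: HTTP/HTTPS from anywhere, SSH only
# from an office range. There is no "deny" rule type: anything that is not
# explicitly allowed is dropped.
RULES = (
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.0/24"),
)

ANY = ip_network("0.0.0.0/0")
WEB_PORTS = {80, 443}


def allowed(rules, proto, dst_port, src_ip):
    """Return True only if some rule explicitly matches protocol, port and
    source. No match means deny: the firewall starts closed."""
    src = ip_address(src_ip)
    for r in rules:
        if r.proto != proto:
            continue
        if r.proto != "icmp" and not (r.from_port <= dst_port <= r.to_port):
            continue
        if src in ip_network(r.source, strict=False):
            return True
    return False


def risky_rules(rules):
    """Audit helper: rules that expose anything other than the web ports to
    the whole Internet (e.g. SSH or RDP open to 0.0.0.0/0)."""
    flagged = []
    for r in rules:
        if ip_network(r.source, strict=False) != ANY:
            continue
        ports = set(range(r.from_port, r.to_port + 1))
        if r.proto != "tcp" or not ports <= WEB_PORTS:
            flagged.append(r)
    return flagged


def demo():
    """Evaluate a handful of inbound packets against RULES and run the audit."""
    open_ssh = RULES + (Rule("tcp", 22, 22, "0.0.0.0/0"),)
    return {
        "ssh_from_office": allowed(RULES, "tcp", 22, "203.0.113.7"),
        "ssh_from_elsewhere": allowed(RULES, "tcp", 22, "198.51.100.5"),
        "https_from_anywhere": allowed(RULES, "tcp", 443, "198.51.100.5"),
        "dns_udp_no_rule": allowed(RULES, "udp", 53, "203.0.113.7"),
        "empty_ruleset": allowed((), "tcp", 80, "203.0.113.7"),
        "baseline_clean": risky_rules(RULES) == [],
        "open_ssh_flagged": len(risky_rules(open_ssh)) == 1,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Because the evaluator only ever returns `True` on an explicit match, adding a rule can only widen access, never narrow it; that is why the audit helper looks for over-wide sources rather than for missing deny rules.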
As far as the network goes, Amazon and other public cloud providers offer their services on their own infrastructure, an infrastructure that has been a major Internet destination and therefore a target for all kinds of cyber-attacks for years. The experience Amazon gained fighting these attacks is reflected in its public cloud offering. For example, it mitigates Distributed Denial of Service (DDoS) attacks with SYN cookies (so that half-open connections consume no server state), with connection limiting, and with internal bandwidth that exceeds its provider-supplied Internet bandwidth, so a flood that saturates the uplinks does not also saturate the inside of the network.
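To show why SYN cookies defeat a SYN flood, here is an added example (not Amazon's code, and not a real kernel implementation): the server encodes a time slot, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN-ACK, keeps nothing, and on the final ACK rebuilds the cookie to decide whether the handshake is genuine. The bit layout is modelled on the Linux scheme but simplified; the secret, addresses and timestamps are constructed.

```python
"""SYN cookies: a server under a SYN flood keeps no per-connection state.
Added example, not Amazon's code; the layout (5-bit time slot, MSS index,
24-bit keyed hash) is modelled on the Linux scheme but simplified, and the
secret and addresses are constructed."""
import hashlib
import hmac

# Real kernels draw this at boot; fixed here so the demo is reproducible.
SECRET = b"constructed-per-boot-secret"
# Only a few MSS values can be encoded, since the cookie must fit a 32-bit ISN.
MSS_TABLE = (536, 1300, 1440, 1460)
SLOT_SECONDS = 64          # time slot width; cookies age out after a few slots
MAX_AGE_SLOTS = 2


def _hash24(saddr, sport, daddr, dport, slot):
    """Keyed hash of the connection 4-tuple and time slot, truncated to 24 bits."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, now):
    """Server side, on SYN: compute the ISN for the SYN-ACK and forget the
    connection. Layout: bits 31-27 time slot, bits 26-25 MSS index,
    bits 23-0 hash (bit 24 unused)."""
    slot = now // SLOT_SECONDS
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry <= offered MSS
        if m <= mss:
            mss_idx = i
    return ((slot % 32) << 27) | (mss_idx << 25) | _hash24(saddr, sport, daddr, dport, slot)


def check_cookie(saddr, sport, daddr, dport, cookie, now):
    """Server side, on the final ACK: rebuild what we would have sent for
    this 4-tuple and time slot and compare. Returns the negotiated MSS if the
    cookie is valid and fresh, else None. Cost is one hash per ACK, no lookup."""
    slot_now = now // SLOT_SECONDS
    age = (slot_now - (cookie >> 27)) % 32
    if age > MAX_AGE_SLOTS:
        return None                       # stale or never issued by us
    slot = slot_now - age
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, slot):
        return None                       # wrong peer, wrong port or forged
    return MSS_TABLE[(cookie >> 25) & 0x3]


def demo():
    """One genuine handshake and three ACKs the server must reject."""
    client, server = ("198.51.100.23", 51514), ("203.0.113.10", 443)
    now = 1_000_000
    # SYN arrives; server answers SYN-ACK with seq = cookie and stores nothing.
    cookie = make_cookie(*client, *server, 1460, now)
    ack = (cookie + 1) & 0xFFFFFFFF       # a real client acknowledges seq + 1
    return {
        "legit_ack": check_cookie(*client, *server, ack - 1, now + 100),
        "spoofed_ack": check_cookie(*client, *server, 0x12345678, now),
        "other_port": check_cookie(client[0], 40000, *server, ack - 1, now),
        "stale_ack": check_cookie(*client, *server, ack - 1, now + 300),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

The trade-off is visible in the code: because the server remembers nothing, TCP options that do not fit in the cookie (here, everything except a coarse MSS) are lost for connections completed this way, which is why kernels enable SYN cookies only once the listen queue overflows.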
To sum up, public cloud access-control measures such as those outlined in this post are vital for maintaining the identity, authentication and authorization of cloud users at all times. We can see how seriously security is handled by a company like Amazon at every layer: physical, registration, API and network.