CompTIA CASP+ CAS-004 Certification: Basics of Cloud and Virtualization Security

The primary idea behind cloud computing is to place resources in a web-based data center that can be accessed from anywhere. A public cloud solution is when a firm pays another organization to host and administer this sort of environment. A private cloud solution is one in which the firm hosts the environment itself. In most cases, virtualization is at the heart of cloud computing. Virtualization of servers has become a critical component in reducing the data center’s physical footprint.

The advantages include the following:
- Reduced overall use of power in the data center
- Dynamic allocation of memory and CPU resources to the servers
- High availability provided by the ability to quickly bring up a replica server in the event of loss of the primary server
This guide looks at cloud computing and virtualization security and how these features are changing the network landscape.


Topics:
- Cloud architecture and design
- Cloud data security
- Cloud application security
- Virtualization operations
- Technical deployment models
- Virtualization advantages and disadvantages
- Cloud augmented security services
- Host provisioning and De-provisioning

Structure
- Cloud & Virtualization considerations
- Cloud Deployment and Service Models
- Virtualization Security
- Hyper Converged infrastructure
- Vulnerability Scanning

The basic focus of cloud computing was to ensure resources are available via web-based data centers accessible from any location. Virtualization of servers and network devices became a key to reducing the physical footprint in data centers. This enabled software applications, hardware infrastructure, and computing environments for multi-tenants. It changed the landscape and brought about cloud and virtual server security issues.

Deployment models
Any business can employ a variety of technological deployment strategies, such as outsourcing, insourcing, managed services, and partnerships, to combine hosts, storage systems, networks, and applications into a secure enterprise. Cloud and virtualization concerns and hosting alternatives, virtual machine vulnerabilities, safe usage of on-demand/elastic cloud computing, data remains, data aggregation, and data separation are all covered in the following sections.

Cloud and virtualization considerations
Enterprise assets may be distributed using cloud computing without the end-user knowing where the physical assets are located or how they are configured. Virtualization entails the creation of a virtual device on a physical resource, which can host several virtual devices. On a Windows computer, for example, you can run many virtual machines. However, keep in mind that each virtual machine will take some of the host computer’s resources, and the virtual machine’s configuration cannot exceed the host machine’s resources.
You must become familiar with public, private, hybrid, community, multitenancy, and single-tenancy cloud choices in order to pass the CASP test.

Public
The basic cloud computing paradigm is a public cloud, in which a service provider makes resources available to the general public over the Internet. Public cloud services can be provided for free or on a pay-per-use basis. A business or technical liaison who is responsible for maintaining the vendor relationship is required, but a cloud deployment specialist is not required. Amazon, IBM, Google, Microsoft, and a slew of other companies provide public cloud solutions. Subscribers to a public cloud model can add and remove resources as needed, depending on their subscription.

Private
A private cloud is a cloud computing concept in which a private corporation builds a cloud within its own enterprise and makes it available to its workers and partners. Private cloud services necessitate the hiring of a cloud deployment expert to administer the private cloud.

Hybrid
A hybrid cloud is a cloud computing paradigm in which a company controls and offers some resources in-house while outsourcing others to a public cloud. This strategy necessitates both a service provider connection and an in-house cloud deployment professional. To guarantee that a hybrid cloud is effectively deployed, rules must be created. Confidential data should only be stored in a private cloud.

Community
A community cloud is a cloud computing paradigm in which the cloud infrastructure is shared among a group of enterprises with similar processing requirements. The security policies that will be in place to secure the data of each company engaging in the community cloud, as well as how the cloud will be administered and maintained, should be specifically defined in this model, as illustrated below:



Figure: Cloud Deployment Models

Multitenancy
A multitenancy model is a cloud computing approach in which resources are shared by many businesses. This concept enables service providers to better control the resource use. Companies should adopt this approach to guarantee that their data is safeguarded against unwanted access by other organizations or people. Furthermore, companies should ensure that the service provider has the resources to meet the organization’s future demands. If multitenancy models are not effectively managed, one entity might consume more resources than its fair share, putting the other firms in the tenancy at risk.

Single tenancy
A cloud computing approach in which a single tenant accesses a resource is known as a single-tenancy model. This architecture ensures that the data of the tenant organization is kept safe from outsiders. This model, however, is costlier than the multitenancy paradigm.

The figure below presents the single and multiple tenancies on cloud systems:



Figure: Single & multi-tenancy

On-premise versus hosted
The trend toward virtualization is being accompanied by a shift toward on-premise vs hosted resource allocation. An on-premise cloud solution makes use of resources that are already on the company’s network or are hosted in the company’s data center. A hosted environment is one that is offered by a third party and is hosted on their physical resources.

The security implications of these two approaches must be understood by security experts, especially if the cloud deployment will be hosted on third-party resources under a shared tenancy, as presented below:



Figure: Cloud-based v/s On-Premise

Cloud service models
When choosing between architectures, there are trade-offs to consider. A private solution gives you the most control over the security of your data, but it also necessitates the resources and expertise to build, maintain, and secure it. A public cloud places your data’s security in the hands of a third party, but that third party is more adept and informed about data security and cloud management. Various degrees of service can be purchased with a public solution.

The figure below presents and discusses the cloud service models, as follows:

- Software as a Service (SaaS) is a model in which a provider delivers the full solution, including the operating system, infrastructure software, and application. The vendor may, for example, supply an email system that hosts and controls everything for the contracting firm. A firm that contracts to use Salesforce or Intuit QuickBooks through a browser rather than installing the program on every workstation is an example of this. This relieves the customer organization of the responsibility for application upgrades and other maintenance services.
- Infrastructure as a Service (IaaS): With IaaS, the provider supplies the hardware platform or data center, while the company installs and administers its own operating and application systems. The vendor merely grants access to the data center and ensures that access is maintained. A corporation that hosts all of its web servers with a third-party provider is one example of this. Customers, who use IaaS benefit from the dynamic allocation of more resources during peak activity, while those same resources are scaled back when not in use, save money.
- Platform as a Service (PaaS): With PaaS, the vendor offers the physical platform or data center, as well as the software that runs on it, such as operating systems and infrastructure software. The corporation is still in charge of the system’s administration. A corporation that engages a third party to provide a development platform for internal developers to utilize for development and testing is an example of this. Figure 10.4 illustrates the cloud service models:


Figure: Cloud Service Models

Virtualization security
Virtualization of servers has become an important aspect of lowering the data center’s physical footprint. The advantages include the following:
However, in the virtual network, most of the same security vulnerabilities that must be handled in the physical environment must also be addressed.

Virtual machines (VM) are instances of an operating system in a virtual environment. A host system can support a large number of virtual machines. The virtual machines’ resources (CPU, memory, and disc) are distributed by the hypervisor, as illustrated below. Keep in mind that each virtual server housed on a physical server must be configured with its own security methods in any virtual environment. Antivirus and anti-malware software, as well as all the latest service packs and security updates for all the software housed on the virtual machine, are among these techniques. Also, keep in mind that all virtual servers share the actual device’s resources. Any sensitive applications that must be installed on the host should be put in a chroot environment when virtualization is hosted on a Linux machine. On a UNIX-based operating system, a chroot is an operation that alters the currently running processes and its children’s root directory. A program running in such a changed environment is unable to name (and so access) files outside of the allocated directory tree.

The figure below illustrates the Virtual Machine architecture:


Figure: Virtual Machine Architecture

Type 1 versus Type 2 Hypervisors
Hypervisors are divided into two categories (refer to Figure 10.6 for different types of Hypervisors). Let’s look at the distinctions between them, as follows:
- Type 1 hypervisor: Either a Type 1 or Type 2 hypervisor handles the distribution of the physical server’s resources. A guest operating system operates above the hypervisor on a different level. Citrix XenServer, Microsoft Hyper-V, and VMware vSphere are examples of Type 1 hypervisors.
- Type 2 hypervisor: This operates on top of a traditional operating system. Guest operating systems run at the third level above the hardware, with the hypervisor layer as a unique second software layer. Type 2 hypervisors include VMware workstations and VirtualBox.
 

The figure below llustrates the type 1 and type 2 hypervisors:


Figure: Type 1 and Type 1 hypervisors

Container-based
Container-based virtualization, often known as operating system virtualization, is a modern method of virtualization. This type of server virtualization makes use of the kernel’s ability to support many separate user-space instances. Containers, virtual private servers, and virtual environments are all terms used to describe the instances. The hypervisor is replaced in this approach by operating system-level virtualization, in which an operating system’s kernel permits several separate user areas or containers. A virtual machine is not a full instance of an operating system, but rather a subset of the same operating system. Container-based virtualization is widely utilized in Linux systems, with commercial Virtuozzo and the free source OpenVZ project as examples.

Hyper converged infrastructure
Converged infrastructure is one in which the vendor combines all storage, networking, and computing equipment into a single physical box, making data center deployment easier (Figure 10.7). For these resources, it provides a single administration interface. The Dell System Managed system is an example of this. Without requiring any hardware modifications, hyper-convergence performs this integration with software. It also makes use of virtualization. It connects a number of services and allows them to be managed through a single interface. While this technique enables growth by simply adding additional hardware without regard to the vendor, the business becomes somewhat reliant on a single hyper-convergence provider’s solution.

The figure below illustrates hyper-converged infrastructure:


Figure: Hyper-Converged Infrastructure (HCI)

Virtual desktop infrastructure
A virtual desktop infrastructure (VDI) is a centralized server that runs desktop operating systems in a virtual environment. The desktops are accessed and executed from the server by the users.

Secure enclaves and volumes
The purpose of both secure enclaves and secure volumes is to reduce the length of time-critical data that is unencrypted while in use. Secure enclaves are processors that work with data that has been encrypted. This implies that even individuals with access to the virtual environment’s underlying hardware are unable to access the data. Windows Azure supports secure enclaves, and a secure processor stops the main processor from accessing data. In a different approach, secure volumes achieve this purpose. Unmount and hide a secure volume until it is needed. After that, it’s mounted and decrypted. The disc is encrypted and unmounted after the modifications are finished.

Cloud augmented security services
Cloud computing is all the craze these days, and everyone is scrambling to get their data “on the cloud.” However, doing so raises security concerns. What is the physical location of your data? Is it mixed together with other people’s data? Is it safe to use? It’s terrifying to entrust your data’s security to others. The sections that follow examine cloud security concerns.

Hash matching
A process known as hash matching, or hash spoofing, has been used to steal data from cloud infrastructure. The attack on Dropbox, a cloud vendor, is a good example of this vulnerability. As part of the data deduplication process, Dropbox used hashes to identify blocks of data stored by users in the cloud. When a user connects, these hashes, which are values derived from the data and used to uniquely identify the data, are used to determine whether data has changed, indicating whether a synchronization process is required. Spoofing hashes were used in the attack to gain access to arbitrary pieces of other customers’ data.
The customer whose files were being distributed was unaware of the unauthorized access because it was granted from the cloud. Dropbox has addressed the issue since it was discovered by using stronger hashing algorithms, but hash matching can still be a problem with any private, public, or hybrid cloud solution. The forces of good can use hashing as well. Hashing is a technique used by antivirus software to identify malware. When looking for malware, signature-based antivirus products look for hashes that match. The problem is that malware has evolved to the point where it can now change itself, changing its hash value. As a result, fuzzy hashing is becoming more popular. Unlike traditional hashing, which requires an exact match, fuzzy hashing looks for hashes that are close but not identical.

Vulnerability scanning
A good example of SaaS is cloud-based vulnerability scanning, which is a service that is performed from the vendor’s cloud, as presented in Figure 10.8. The benefits are the same as any other SaaS offering—no subscriber equipment is required, and there is no footprint in the local network. The vulnerability scanners and associated components are entirely installed on the client’s premises, whereas the vulnerability management platform is hosted in the cloud in the cloud-based approach. External vulnerability assessments are performed using vulnerability scanners located at the solution provider’s location, with additional scanners on the premises.

The following are some of the benefits of a cloud-based approach:
- Installation costs are low because the client does not have to complete any installation or configuration.
- Maintenance costs are low because there is only one centralized component to maintain, which the vendor does (not the end client).
- Upgrades are included in the price of your subscription.
- Costs are shared between all customers.
- The client is not required to provide any onsite equipment.
 

The figure below illustrates the vulnerability scanning dashboard:


Figure: Vulnerability Scanning Dashboard

However, there is a significant drawback. In contrast to premise-based deployments, which store data findings on the organization’s premises, cloud-based deployments keep the data on the provider’s servers. This implies that the customer is reliant on the provider to keep the vulnerability data secure.

Sandboxing
Sandboxing refers to the separation of virtual environments for the purposes of security (Figure 10.9). Sandboxed appliances have previously been used to supplement a network’s security features. In a secure environment, these appliances are used to test suspicious files.

Sandboxing in the cloud has some advantages over sandboxing on-premises, as follows:
- It has no hardware limitations, making it scalable and elastic; it can track malware for hours or days.
- It can be updated with any operating system type and version, and it is not geographically restricted.

The potential drawback is that many sandboxing products are incompatible with a wide range of applications and utilities, including antivirus software.
 

The figure below illustrates sandboxing behavior:


Figure: Sandboxing Behaviour

Content filtering
Web content filtering can be provided as a cloud-based service. All content is examined by the providers in this case. The advantages are the same for all cloud solutions – equipment savings and support for the content filtering process while maintaining process control.

Cloud security broker
A cloud security broker, also known as a cloud access security broker (CASB), is a software layer that acts as a gatekeeper between an organization’s on-premise network and the cloud environment of the provider. In this strategic location, it can provide a wide range of services. Skyhigh Networks and Netskope are two vendors in the cloud access security space.

The figure below llustrates the cloud security broker:


Figure: Cloud Security Broker

Security as a Service
Security as a Service (SecaaS) is another cloud-based service. Many businesses lack the necessary skill sets to provide the required security services, and it is not cost-effective to acquire them. It may make sense for these businesses to hire a security firm that can provide the following advantages:
- Cost savings
- Consistent and uniform protection
- Virus definition updates on a regular basis
- More security expertise
- Quicker user provisioning
- Administrative tasks outsourced
- Intuitive administrative interface

Managed security service providers
Managed security service providers (MSSPs) take the concept of SecaaS a step further by offering the option of fully outsourcing all information assurance to a third party. If a company decides to use a third-party identity service, such as cloud computing, security experts must be involved in the implementation’s integration with internal services and resources. This integration can be difficult, especially if the provider’s solution is incompatible with internal systems. Cloud identity, directory synchronization, and federated identity are all features that most third-party identity services offer. Amazon Web Services (AWS), AWS Identity and Access Management (IAM) service, and Oracle Identity Management are examples of these services.

Vulnerabilities associated with hosts
When virtualized, guest systems may share a common host machine. Security issues can arise when this happens and the systems sharing the host have different security requirements. The sections that follow examine some of these issues as well as some preventative measures that can be taken.

VMEscape
The attacker “breaks out” of a VM’s normally isolated state and interacts directly with the hypervisor in a VMEscape attack. Because VMs frequently share physical resources, an attacker who can figure out how his VM’s virtual resources map to the physical resources will be able to attack the real physical resources directly. The attacker can affect all the VMs, the hypervisor, and possibly other programs on that machine if he can modify his virtual memory in a way that exploits how the physical resources are mapped to each VM. Virtual servers should only be on the same physical server as others in their network segment to help mitigate a VMEscape attack.

Privilege elevation
The risks of privilege elevation, or escalation, in a virtualized environment may be equal to or greater than in a physical environment in some cases. Any flaws introduced to those calls by the hypervisor while handling calls between the guest operating system and the hardware could allow an attacker to escalate privileges in the guest operating system. A recent vulnerability in VMware’s ESX Server, Workstation, Fusion, and View products could have resulted in host escalation. VMware quickly issued a security update to address the flaw. To avoid privilege escalation, make sure all virtualization products have the most recent updates and patches.

Live VM migration
One of the benefits of a virtualized environment is the system’s ability to migrate a virtual machine from one host to another as needed. This is referred to as a “live migration”. Attackers can exploit a network vulnerability to gain unauthorized access to VMs when they are on the network between secured perimeters. With access to VM images, attackers can embed malicious code to launch attacks on the data centers where VMs travel. Because the protocols used for migration are frequently not encrypted, a man-in-the-middle attack on the VM while it is in transit is possible. The encryption of the images where they are stored is the key to preventing man-in-the-middle attacks.

Data remnants
Protect sensitive data that has been inadvertently replicated in VMs as a result of cloud maintenance functions or remnant data left in terminated VMs. Furthermore, if data is moved, residual data may be left behind, making it accessible to unauthorized users. Any remaining data in the old location should be shredded, but data remnants may persist depending on security practices. With confidential data in private clouds and any sensitive data in public clouds, this can be a problem. Commercial products, such as those made by Blancco, are available to permanently erase data from computers, servers, data center equipment, and smartphones. Any existing technology cannot recover data erased by Blancco. Blancco also generates a report for each erasure to ensure compliance.

Data security considerations
Multiple customers’ virtual machines can be hosted on a single server or platform in a cloud deployment. If not handled properly in either case, security vulnerabilities may arise. Let’s take a look at these concerns.

Vulnerabilities with single server hosting
This situation allows a company to avoid a large investment in computing resources that will be used for only a short time. Assuming that the provisioned resources are dedicated to a single company, the main vulnerability associated with on-demand provisioning is traces of proprietary data that can remain on the virtual machine and may be exploited.
Let’s look at an example. Say that a security architect is seeking to outsource company server resources to a commercial cloud service provider. The provider under consideration has a reputation for poorly controlling physical access to data centers and has been the victim of social engineering attacks. The service provider regularly assigns VMs from multiple clients to the same physical resource. When conducting the final risk assessment, the security architect should take into consideration the likelihood that a malicious user will obtain proprietary information by gaining local access to the hypervisor platform. Virtual machines (VMs) from multiple organizations are hosted on a physical server in virtualization deployments. The resources of a single physical computer are shared by all VMs hosted on that physical server. All organizations with VMs on that physical server are affected if the physical server crashes or is compromised. User access to virtual machines should be configured, managed, and audited properly. To ensure that each VM is properly protected, appropriate security controls, such as anti-virus/malware, access control lists, and auditing must be implemented on each one. Physical server resource depletion, network resource performance, and traffic filtering between virtual machines are all risks to consider.

Multiple VMs and multiple data types/owners
In some virtualization deployments, a single platform hosts the VMs of multiple organizations. If all of the servers hosting VMs use the same platform, attackers will have an easier time attacking the other host servers once the platform has been discovered. If all physical servers use VMware to host virtual machines, any vulnerabilities found in that platform could be exploited on all host computers. Misconfigured platforms, separation of duties, and the application of security policy to network interfaces are all risks to consider. If a company’s web servers, application servers, and database servers are to be virtualized, the virtual host machines should be secured by only allowing access through a secure management interface and restricting physical and network access to the host console.

Resources provisioning and de-provisioning
Virtual solution deployment and decommissioning should follow certain best practices, just like physical resource deployment and decommissioning. The process of provisioning is the addition of a resource for use, and the process of de-provisioning is the removal of a resource from use. In both virtualization and cloud environments, provisioning and de-provisioning are critical, especially if the enterprise is paying per resource or based on resource uptime. The proper provisioning and de-provisioning procedures should be documented and followed by security professionals.

Virtual devices
When virtual devices are provisioned in a cloud environment, some method of securing access to the resource (such as VMs) should be in place to ensure that the provider no longer has direct access. Only the customer should have access, and it should be secured with some sort of identifying key or ID number. To ensure that this occurs, SLAs should be scrutinized.

The figure below presents the Virtual devices to choose, using the Portal:


Figure: Virtual Devices
 

The figure below presents the choice of hardware to select as a virtual server that says an application developer may want to use for testing his/her application on a mobile platform:


Figure: Virtual device hardware selection

Data remnants
When a computer or another resource is no longer in use, data remnants are data that is left behind. The best way to protect this information is to use data encryption. Without the original encryption key, data that has been encrypted cannot be recovered. An unauthorized user can access data remnants if resources, particularly hard drives, are reused frequently. Administrators must be familiar with the types of data stored on physical drives. This aids them in determining whether or not data remnants are a concern. The organization may not be concerned about data remnants if the data stored on a drive is not private or confidential. If the data on the drive is private or confidential, however, the organization should consider asset reuse and disposal policies. Data remnants must be destroyed using a method commensurate with the sensitivity of the data, or the data must be permanently encrypted and the key destroyed, according to cloud provider SLAs.

Conclusion
This guide covers cloud and virtualization concepts and considerations for hosting on cloud v/s on-premise, and discusses the cloud deployment models and hypervisors along with hyper-converged infrastructure. This guide also describes the vulnerabilities associated with a single server hosting multiple apps and data as well as the vulnerabilities associated with a single platform hosting multiple virtual machines.