security.tex
+27-25
@@ -33,7 +33,7 @@ \subsubsection{Localization}
33
33
The data of all tenants is mixed, due to the shared database of the multi-tenancy concept.
34
34
It is therefore hard to adapt to comply with local law.\\
35
35
36
-
Although localization is a huge security issue in multi-tenancy, by itself data localization is a field of research older than the concept of multi-tenancy, as illustrated by the paper of Johnson et al.~\cite{Johnson1996Law}.
36
+
Although localization is a huge security issue in multi-tenancy, data localization in itself is a field of research older than the concept of multi-tenancy, as illustrated by the paper of Johnson et al.~\cite{Johnson1996Law}.
37
37
The potential delivery and deployment models that attempt to make multi-tenant systems comply with the issue of localization are discussed by Mahmood~\cite{Mahmood2011Security}.
38
38
Other suggestions for improvements to ensure the privacy of data in specifically multi-tenancy are made by Chen et al.~\cite{Chen2012Security}. These suggestions include a proposal for a Bayesian data distributing system, which distributes the data while attempting to uphold predefined constraints. For example, a tenant could specify that a specific set of data may only be kept in a few selected countries, to prevent breaking privacy laws in other countries.
39
39
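Review bot: context line 34 closes its paragraph with `\\` immediately before a blank line, and the same pattern recurs in the hunks below (lines 47, 67, 83, 110 and 123). A forced break at the end of a paragraph leaves an empty line that LaTeX reports as an underfull \hbox and typesets as uneven spacing; drop the `\\` and let the blank line end the paragraph, or use `\medskip` where extra vertical space is intended.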
@@ -42,19 +42,17 @@ \subsubsection{Secure Data Storage}
42
42
Data isolation is a difficult security issue for these systems, due to the fact that all tenants share the same application functionality and databases.
43
43
Malicious tenants could use potential loop holes to hack their way to access of the data of other tenants.
44
44
In contrast to regular cloud applications, multi-tenant systems are more at risk of data leakage, as tenants share a single database.
45
-
Tenants are often allowed to add custom code to these services, which makes the risk of data intrusion even bigger when precautions are not properly taken.
46
-
A multi-tenant model should therefore ensure a clear ‘firewall’ for each tenant’s data.
45
+
Tenants are often allowed to add custom code to these services, which makes the risk of data intrusion even bigger when precautions are not properly taken;
46
+
therefore, a multi-tenant model should ensure a clear ‘firewall’ for each tenant’s data.
47
47
The boundary must be ensured not only at physical level but additionally at the application level, as stated in the paper by Subashini~\cite{Subashini2011Security}.\\
48
48
%Kan nog wat over data redundancy cancellation
49
49
50
50
To ensure the secure data storing, the paper of Takahashi et al.~\cite{Takahashi2012Security} suggests the use of encrypted data manipulation using cryptographical techniques.
51
51
One such technique is called \acf{PECE}, which allows a user to encrypt a file in multiple layers, while being able to decrypt with a single key.
52
-
This technique would allow the tenant, the multi-tenant provider and any middleware providers to encrypt the data separately, while only allowing the tenant to hold the key for decryption.
52
+
This technique would allow the tenant, the multi-tenant provider and any middleware provider to encrypt the data separately, while only allowing the tenant to hold the key for decryption.
53
53
Next to that, the authors propose the use of homomorphic encryption.
54
54
This cryptographical technique enables the users to perform operations on encrypted files without the need to decrypt the files.
55
-
In a multi-tenant environment, this technique would increase the security for the tenants, because encrypted data would be decrypted and prone to leakage.
56
-
% Laatste zin lijkt niet lekker te lopen..
57
-
% Challenge: improve homomorphic encryption
55
+
In a multi-tenant environment, this technique would increase the security for the tenants, because the encrypted data would prevent confidential data leakage.
58
56
59
57
\subsubsection{Authentication and Authorization}
60
58
The matter of authentication and authorization, often referred to as access control systems by Bernabe~\cite{Bernabe2012Auth}, in multi-tenancy has been discussed extensively over the last years.
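Review bot: the rewritten sentence on line 55 is still circular: "the encrypted data would prevent confidential data leakage" does not say why homomorphic encryption helps. The point that line 54 sets up is that operations run on ciphertext, so the provider never needs plaintext; suggest "because the provider can process the data without ever decrypting it, so a leak at the provider exposes only ciphertext." The hunk also deletes the "% Challenge: improve homomorphic encryption" TODO without the research agenda in \ref{sec:security_agenda} picking the item up, while leaving the Dutch note "%Kan nog wat over data redundancy cancellation" on line 48 in place; either resolve both or keep the TODOs together. Minor: "cryptographical" on lines 50 and 54 should be "cryptographic".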
@@ -66,20 +64,20 @@ \subsubsection{Authentication and Authorization}
66
64
The multi-user authorization concept provides no capabilities to grant users privileges over multiple tenants, as noted by Calero et al.~\cite{Calero2010Auth}
67
65
This would not allow, for example, two companies or tenants to share certain data with each other, by granting each other specific privileges as a form of collaboration.
68
66
These systems often lack the functionality and complexity to express more advanced forms of authorization, necessary for multi-tenant systems.
69
-
Thus, the problem lies with designing more advanced schemes of authentication, where users can be granted more detailed custom privileges.\\
67
+
Thus, the problem lies with designing more advanced schemes of authentication, in which users can be granted more detailed custom privileges.\\
70
68
71
69
Noteworthy progress has been made by Bernabe~\cite{Bernabe2012Auth}, who proposes an access control model system suitable for multi-tenancy and grants high expressiveness in terms of permissions.
72
70
Additionally, this expressiveness is supported by the integration of semantic web technologies into the authorization model.
73
-
The system allows a fine-grained definition of what resources should available for each particular tenant.
74
-
Another influence in this area is the system proposed in Calero~\cite{Calero2010Auth}.
71
+
The system allows a fine-grained definition of which resources should be available for each particular tenant.
72
+
Another influence in this area is the system proposed in Calero et al.~\cite{Calero2010Auth}.
75
73
This authorization system is able to support collaboration agreements, often referred to as federations, between tenants or businesses.
76
74
77
75
\subsection{Related Security Issues}
78
76
Taking a wider scope on the subject, the surveyed papers indicate a lot of security issues closely linked to multi-tenancy.
79
77
These security issues should be taken into account due to the following two reasons.
80
78
First off, as mentioned earlier, the definition of multi-tenancy is still quite ambiguous.
81
79
It is often used to indicate all sorts of cloud services, including \ac{IaaS} and \ac{PaaS} models, as seen by Jasti et al.~\cite{Jasti2010Security}.
82
-
The scope of multi-tenancy is sometimes larger than our definition of multi-tenancy. Due to the increased scope, more security issues can be considered to belong to multi-tenancy.
80
+
The scope of multi-tenancy is sometimes larger than the definition of multi-tenancy by Bezemer et al.~\cite{bezemer2010multi}. Due to the increased scope, more security issues can be considered to belong to multi-tenancy.
83
81
Another reason for taking into account related security issues, is the fact that multi-tenancy is a high-level model.
84
82
The model depends on a bundle of underlying technologies, such as the hardware infrastructure, operating systems and server software.
85
83
Each of these technologies has a particular share of security issues, impacting the level of security of the multi-tenancy system on top. \\
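Review bot: line 67 still says "more advanced schemes of authentication" while the surrounding argument (lines 64 to 66 and 69 to 73) is about authorization, i.e. granting privileges across tenants; the sentence should read "schemes of authorization". Line 64 is also missing its full stop after \cite{Calero2010Auth}. On line 80, replacing "our definition" with "the definition of multi-tenancy by Bezemer et al.~\cite{bezemer2010multi}" only keeps the sense of line 78 ("as mentioned earlier") if that is the definition the survey adopted; if so, say "the definition adopted in this survey (Bezemer et al.~\cite{bezemer2010multi})".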
In these systems, a tenant generally has the ability to migrate his custom \acp{VM} to another \acp{VMM}.
92
90
However, when a \ac{VM} is placed in a server with an untrusted \ac{VMM} it would allow \ac{VMM} to track the data flows inside the guest VM, as noted by Takahashi~\cite{Takahashi2012Security}.
93
91
94
-
Another current issue is the adaptation of VM-based Root-kits.
92
+
Another current issue is the adaptation of VM-based root-kits.
95
93
These root-kits, in contrast to traditional root-kits, do not stop at OS level, but continue to attempt to infect the supervising \ac{VMM}.
96
-
According to Takahashi~\cite{Takahashi2012Security}, several proof-of-concept VM-based root-kits, such as Blue Pill, were able to successfully identify and infect the VM, followed by the \ac{VMM}.
94
+
According to Takahashi~\cite{Takahashi2012Security}, several proof-of-concept VM-based root-kits, such as Blue Pill, were able to identify and infect the VM successfully and after that the \ac{VMM}.
97
95
98
96
\subsubsection{Virtual Machine Monitor Security}
99
97
The \acl{VMM} has the essential role of isolating and controlling the virtual machines, which in multi-tenancy are managed by the tenants.
100
98
However, an investigation was conducted by Ormandy et al.~\cite{Ormandy2007Security}of six major \acp{VMM} and emulators, using source code auditing techniques. All six systems had major flaws, leading to unexpected aborts and possible exploits.
101
99
102
-
Additionally there is the problem of the detectability of the \ac{VMM}’s. Ideally, the \ac{VMM} is completely transparent; the tenant has no notion what kind of \ac{VMM} is running the virtual machines.
100
+
Additionally there is the problem of the detectability of the \ac{VMM}’s.
101
+
Ideally, the \ac{VMM} is completely transparent; the tenant has no notion what kind of \ac{VMM} is running the virtual machines.
103
102
However, as argued in the paper by Takahashi~\cite{Takahashi2012Security}, the idea of complete \ac{VMM} transparency is unrealistic.
104
-
Clues provided by the \ac{VMM}, such as time sources and overhead, which can be used to identify the type of \ac{VMM}
103
+
Clues provided by the \ac{VMM}, such as time sources and overhead, can be used to identify the type of \ac{VMM}.
105
104
The detectability of the \ac{VMM} creates the opportunity for malicious users to target specific \ac{VMM} systems and versions.
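Review bot: "adaptation of VM-based root-kits" on line 92 is the wrong noun; the sentence is about their appearance as a threat, so "emergence" (or "advent") is meant. The reordered line 94 reads worse than the line it replaces: "infect the VM successfully and after that the \ac{VMM}" should be "successfully identify and infect the VM and subsequently the \ac{VMM}". The first context line of this hunk uses a plural macro in a singular position ("to another \acp{VMM}"), which expands to "another VMMs"; use \ac{VMM} there. The citation style also alternates between "Takahashi~\cite" (lines 90, 94, 102) and "Takahashi et al.~\cite" (line 50 in the Secure Data Storage hunk); pick one.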
Web-dependent Application Security ensures the accessibility of the data.
109
-
The importance of good security practices in the application-layer is be illustrated by Wade et al.~\cite{Wade2008Security}.
110
-
The report about data breaches on the Verizon Business platform, reports that 39\% of the data breaches occur in the service/application layer, which comprises the multi-tenant section. The \ac{OWASP}\footnote{http://owasptop10.googlecode.com/files/OWASP\%20Top\%2010\%20-\%202013.pdf (march 2014)} has identified the 10 greatest security risks faced by network-dependent applications.\\
108
+
The importance of good security practices in the application-layer is being illustrated by Wade et al.~\cite{Wade2008Security}.
109
+
The report about data breaches on the Verizon Business platform states that 39\% of the data breaches occur in the service/application layer, which comprises the multi-tenant section. The \ac{OWASP}\footnote{http://owasptop10.googlecode.com/files/OWASP\%20Top\%2010\%20-\%202013.pdf (march 2014)} has identified the 10 greatest security risks faced by network-dependent applications.\\
111
110
112
111
In Takahashi et al.~\cite{Takahashi2012Security} the authors describe a couple of ways to detect vulnerabilities in the server-side and client-side of the web application.
113
112
Endpoint risk detection techniques detect client-side vulnerabilities at the endpoint (the user).
114
-
There are a good number of implementations, such as FLAX~\cite{saxena10kudzu} and Zozzle~\cite{curtsinger2011zozzle} that target JavaScript issues.
113
+
There ia a good number of implementations, such as FLAX~\cite{saxena10kudzu} and Zozzle~\cite{curtsinger2011zozzle} that target JavaScript issues.
115
114
Another form of detection is called the middle-box risk detection.
116
115
This kind of detection requires no adjustments of the code, as the detection is performed in between the server and client-side, using custom HTTP requests.
117
116
Projects implementing this kind detection, such as SpyProxy\footnote{\url{http://homes.cs.washington.edu/~gribble/papers/spyproxy.pdf} (march 2014)}, BrowserShield\footnote{\url{http://research.microsoft.com/en-us/news/features/browsershield.aspx} (march 2014)} and WebShield\footnote{\url{http://www.isoc.org/isoc/conferences/ndss/11/pdf/6_2.pdf} (march 2014)}, are still in early development stages, but these projects already look very promising.
118
117
119
118
\subsubsection{Data Integrity and Network Security}
120
-
With the dependence on extensive usage of networks, the multi-tenancy model is highly dependent on good network security.
119
+
With the extensive usage of networks, the multi-tenancy model is highly dependent on good network security.
121
120
Multi-tenant systems have an extended emphasis on data integrity, because data transmissions of one tenant also need to be secure on the internal level of the multi-tenant system to prevent other tenants from accessing the potentially classified data.
122
121
According to Subashini~\cite{Subashini2011Security}, one of the biggest challenges with multi-tenant services is transaction management.
123
122
At the protocol level, HTTP does not offer any support for transaction or guaranteed delivery of packets.
124
-
Thus, to ensure transactions are indeed delivered one needs to implement this functionality into the multi-tenancy system.\\
123
+
Thus, to ensure transactions are being delivered correctly, one needs to implement this functionality into the multi-tenancy system.\\
125
124
126
125
Currently there are some standards available trying to fix this security issue, namely WS-Transaction\footnote{http://msdn.microsoft.com/en-us/library/ms951262.aspx (march 2014)} and WS-Reliability.
127
-
However, as noted by Subashini et al.~\cite{Subashini2011Security} and confirmed by our web-based survey based upon these techniques, these standards haven’t reached technical maturity yet and have therefore yet to experience full adoption by the majority of the multi-tenancy providers.
128
-
Since the publishing of the paper by Subashini.~\cite{Subashini2011Security}, WS-reliability has since been superseded by ReliableMessaging\footnote{http://docs.oasis-open.org/ws-rx/wsrm/200702/wsrm-1.1-spec-os-01.pdf (march 2014)}.
126
+
However, as noted by Subashini et al.~\cite{Subashini2011Security} and confirmed by our web-based survey based upon these techniques, these standards have not reached technical maturity yet and therefore lack full adoption by the majority of the multi-tenancy providers.
127
+
Since the publishing of the paper by Subashini et al.~\cite{Subashini2011Security}, WS-reliability has since been superseded by ReliableMessaging\footnote{http://docs.oasis-open.org/ws-rx/wsrm/200702/wsrm-1.1-spec-os-01.pdf (march 2014)}.
129
128
130
129
\subsection{Research Agenda for Security}\label{sec:security_agenda}
131
130
The survey of the literature regarding security revealed the following recommendations for researchers to look in to.
132
131
\begin{itemize}
133
132
\item\textbf{Analysis of proposed authentication models}.
134
-
The papers of Bernabe~\cite{Bernabe2012Auth} and Calero~\cite{Calero2010Auth} proposes an intensive analysis of the proposed authentication models. Furthermore, there needs to be more research on more advanced authorization models, next to having more experimentation with different database-systems for the proposed authorization system.
133
+
The papers of Bernabe~\cite{Bernabe2012Auth} and Calero~\cite{Calero2010Auth} propose an intensive analysis of the proposed authentication models.
134
+
Furthermore, there needs to be more research on more advanced authorization models, next to having more experimentation with different database-systems for the proposed authorization system.
135
135
\item\textbf{Tradeoff between security and performance}.
136
-
Although a lot of security measures are proposed to secure multi-tenant systems, more research should dedicated to finding a balance between security and performance, according to Guo~\cite{guo2007framework} and Hashizume~\cite{Hashizume2013Security}. Traditional and new Security mechanisms should be redesigned to increase the effectiveness of the mechanisms in multi-tenancy environments.
136
+
Although a lot of security measures are proposed to secure multi-tenant systems, more research should dedicated to finding the optimal balance between security and performance, according to Guo~\cite{guo2007framework} and Hashizume~\cite{Hashizume2013Security}.
137
+
Traditional and new security mechanisms should be redesigned to increase the effectiveness of the mechanisms in multi-tenancy environments.
137
138
\item\textbf{Improve data security}.
138
-
More research needs to be conducted on techniques to ensure that data of tenants is completely isolated. Currently, many papers, such as Jasti~\cite{Jasti2010Security}, Merino~\cite{Merino2011Security} and Takahashi~\cite{Takahashi2012Security}, have pointed out that there are many methods on different levels, ranging from VM security to data localization, to comprise confidential data.
139
+
More research needs to be conducted on techniques to ensure that data of tenants is completely isolated.
140
+
Currently, many papers, such as Jasti~\cite{Jasti2010Security}, Merino~\cite{Merino2011Security} and Takahashi~\cite{Takahashi2012Security}, have pointed out that there are many methods on different levels, ranging from VM security to data localization, to comprise confidential data.
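Review bot: line 113 introduces a typo, "There ia a good number of implementations"; it should read "There is a good number of implementations". Line 108 "is being illustrated by" should simply be "is illustrated by". Carried-over errors worth fixing in the same pass: line 136 "more research should dedicated" is missing "be"; line 140 "to comprise confidential data" means "compromise"; line 130 "look in to" should be "look into"; line 133 still cites "Calero~\cite{Calero2010Auth}" after the Authentication and Authorization hunk changed it to "Calero et al.". The footnote URLs on lines 110 and 126 are plain text while line 117 wraps its URLs in \url{}; the plain ones will neither break across lines nor link, so wrap them too.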