IaaS: Security Issues and Solutions
IaaS, or Infrastructure-as-a-Service, is the traditional cloud model provided by, e.g., Amazon AWS. Essentially, the cloud service provider offers virtual machines, containers, and/or serverless computing services. There are very few limitations on what applications can be run on the infrastructure or what tools can be used to run the applications. Many service providers also offer databases, cloud storage, security services, etc.
The general business model for IaaS is to charge for resources by the hour or based on volume. Resources can generally be purchased on demand and terminated when no longer needed. For more information, see cloud computing models.
ContentsSecurity Considerations for IaaS Insider Threats Escaping Virtual Machines, Containers, or Sandboxes Breaking Authentication Breaking Encryption
Security Considerations for IaaS
The security of any service run in the cloud depends on the security of the cloud infrastructure. Generally, it is not possible to protect a virtual machine (or a container or a serverless computing sandbox for that matter) against a compromised hypervisor. Thus, breaches involving the infrastructure are a major additional security concern beyond those facing traditional servers. On the other hand, the cloud service provider will generally keep its infrastructure well patched and properly configured, and thus the risk of certain exploitable vulnerabilities is reduced.
Employees of the cloud service provider have direct access to hardware and networks, and many have access to the hypervisors, provisioning systems, and authentication infrastructure. Thus, those privileged insiders are a potential threat.
Escaping Virtual Machines, Containers, or Sandboxes
If a customer is able to escape from a virtual machine, container, or serverless sandbox, that may permit access to the hypervisor or operating system running other customers' workloads. Once in a hypervisor, the attacker can modify code, steal secrets, and install malware on any instance on the same hardware.
The risk of such break-outs can be reduced by minimizing the number of virtualization drivers and other features supported by the hypervisor (minimize attack surface), tight use of SELinux in enforcing mode, and intrusion detection tools.
Access to the accounts used to provision (and terminate) virtual machines and other cloud services enables the attacker to simply use the cloud service's API or user interface to destroy services or grant additional access as desired. The credentials to access the cloud service could be obtained by, e.g., installing a keylogger on an administrator's desktop as a part of a broader breach on the internal network.
Obtaining any API credentials, database credentials, or private keys used by the cloud service could also provide an attacker free access to those services.
One way to gain access to the cloud is to break encryption. Most cloud services and APIs are protected using the TLS protocol, which in turn relies on PKI for authentication. The typical way to break encryption is to break the PKI.
A PKI generally provides a good level of security against casual attackers. However, browsers trust something like a hundred different root-level certificate authorities in different countries. Any of the certificate authorities can create a certificate for any user.
If the attacker (typically a government) can obtain a CA certificate from any of the certificate authorities (e.g., ostensibly for their national PKI or their military PKI), they can create new certificates for any site and, combined with network-level attacks, potentially perform a man-in-the-middle attack on any end-user or API or database connection associated with the application. The attack can then be used for stealing or modifying data, or even injecting the attacker's own commands into the connection (e.g., to install new credentials to give future access without resorting to such intrusive attacks).