Operations & Management Area Working Group
Internet-Draft
Intended status: Standards Track
Expires: June 24, 2012

S. Karavettil, ASTA Ventures, Inc.
B. Khasnabish, ZTE USA, Inc.
N. So, Verizon
W. Dong, Tektronix Communications
December 23, 2011
Security Framework for Virtualized Data Center Services
draft-karavettil-vdcs-security-framework-01.txt
Abstract
This document discusses the requirements and technology gaps related
to security in virtualized data center services (VDCS). The
objective is to ensure end-to-end security for the various types of
carrier services built on virtualized infrastructure. The issues
covered in this draft focus on the confidentiality and integrity of
services in the virtualized environment, including but not limited
to infrastructure (IaaS), platform (PaaS), and application (SaaS)
services. This draft also takes into account the transient nature
of identity, resources and connectivity in the virtualized
environment.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 1, 2012.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
Karavettil, et al. Expires January 1, 2012 [Page 1]
Internet-Draft Karavettil VDCS Security Framework June 2011
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology and Abbreviation . . . . . . . . . . . . . . . . . 5
3. Problem Statement and Examples . . . . . . . . . . . . . . . . 6
3.1. Virtualized Carrier Services Users . . . . . . . . . . . . 6
3.2. Data, Information and Knowledge Base Security Problem . . 6
3.3. Lack of mandatory Application Security in Protocol . . . . 8
4. Other Gaps in Existing Implementations & New Requirements . . 10
4.1. Systems Security Gaps & New Requirements . . . . . . . . . 10
4.2. Network Security Gaps & New Requirements . . . . . . . . . 10
4.3. Mobile Security Gaps & New Requirements . . . . . . . . . 11
4.4. Physical Security Gaps & New Requirements . . . . . . . . 11
4.5. Operations & Management Security Gaps & New
Requirements . . . . . . . . . . . . . . . . . . . . . . . 12
4.6. Other New Requirements . . . . . . . . . . . . . . . . . . 13
5. Work Item for Consideration . . . . . . . . . . . . . . . . . 14
5.1. Applications & Services . . . . . . . . . . . . . . . . . 14
5.2. Infrastructure Operations & Management . . . . . . . . . . 14
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
7. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 16
8. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 17
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction
The VDCS Security Framework is a reference framework for building
secure and interoperable services on top of a virtualized
infrastructure. Currently there is a variety of infrastructure
equipment (servers and network equipment), operational management
software (hypervisors and provisioning/monitoring applications) and
software-as-a-service that is proprietary in nature, which causes
service interoperability issues and creates security gaps.
Developing protocol standards around virtualized services and the
supporting infrastructure is an integral part of overall end-to-end
security assurance. This draft proposes a security framework and
the associated requirements for protocols, profiles, network
interfaces, operations and management, and application interfaces
(APIs) in an environment where virtualized resources are shared
seamlessly among a variety of public and private
subscribers/clients.
The current applications and services using existing protocols
(e.g., HTTP) that need security measures in a multi-tenant
virtualized environment are described. Similarly, gaps in the
security implementation of inter-working protocols (e.g.,
inter-domain BGP, MPLS) among virtualized network infrastructure
resources are identified here.
These help to design, develop and provide secure, interoperable,
on-demand self-service applications and services for users from
various vendors. They also help to reduce human intervention in the
provisioning and management of resources in a more standardized
manner.
2. Terminology and Abbreviation
o CSA: Cloud Security Alliance
o CSF: Cloud Security Framework
o CSP: Cloud Service Provider
o CSRF: Cross-Site Request Forgery
o DCOPS: Data Center Operations
o GRC: Governance, Risk & Compliance
o HIPAA: Health Insurance Portability and Accountability Act
o OWASP: Open Web Application Security Project
o PCI: Payment Card Industry
o SDO: Standards Development Organizations
o SOX: Sarbanes-Oxley
o VDCS: Virtualized Data Center Services
o VDI: Virtual Desktop Infrastructure
o VM: Virtual Machine
o VPN: Virtual Private Network
o XSS: Cross-Site Scripting
3. Problem Statement and Examples
Applications in a virtualized carrier infrastructure often follow
the client-server model. The server is typically a Virtual Machine
(VM) hosting various applications and performing the computing and
storage functions on top of generic server hardware. The client is a
remote machine connecting to the VM via virtual connection(s) and
sharing the same application.
In this case, security means protecting the information (data and
content) in an on-demand, self-service, multi-tenant virtualized
infrastructure, and the communication between the client and the
virtual host, from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction.
3.1. Virtualized Carrier Services Users
Security affects all service users. User identity security and
verification need to occur in a synchronized fashion end-to-end
along the service path. Understanding who the users are is the
critical first step in understanding the security landscape. The
following is the list of users that the security framework has to
consider.
o Consumers
* Internet Application Services Users (Internet consumers across
various internet applications)
* Enterprise Users (across various Organizations of Enterprise)
* Regulations & Compliance Auditors
* Investigations & Forensics
o Publishers
* Developers
* System Administrators, Network Administrators
* Management Users
3.2. Data, Information and Knowledge Base Security Problem
Data, information, and knowledge represent three levels of
abstraction. Data on its own carries no meaning. For data to become
information, it must be interpreted and take on a meaning. When that
information is interpreted and used practically to fulfill a purpose,
it becomes knowledge.
The types of data include:
o Live
* Web Application Form Data (Structured)
* Voice
* Video
o Archive
* Database Data Structures
* Files
+ Data - PDF, DOC, Excel, etc.
+ Voice archive
+ Video Archive
* Emails, Logs (unstructured)
Information security has to be developed to manage the lifecycle of
data, including data security while in use, in motion or at rest
within a virtualized infrastructure environment.
o Data/content/media (e.g., videos) authenticity
* Association and identification of data with its owner (user,
enterprise consumer, service provider, location, etc.) and
access privileges.
o Data while in use
* Isolation of data while in use by the computing resources.
* Data usage managed according to the access privileges of users,
enterprise consumers and service providers.
o Data in motion
* Restricting data transmission across geographical boundaries
based on government regulations, or on enterprise policies and
configurations as defined during self-service.
o Data at rest (monitoring and management)
* Data isolation in a multi-tenant environment to protect against
side attacks or administrator attacks.
* Data migration managed as defined by enterprise/government
policies.
* Deletion, loss/leakage, and location of data.
In a traditional data center, data/content migrates frequently from
machine to machine and from storage device to storage device, both
in normal operations and during backup/restore processes. Some of
the data deemed sensitive for security or regulatory reasons can be
isolated and controlled through dedicated physical devices for
storage/access, and is therefore relatively easy to secure.
However, in a virtualized environment, VMs are set up, relocated and
shut down dynamically on demand. Traditional physical-device-based
isolation is no longer sufficient in the new paradigm.
Data residing in a cloud environment shall go through the same
create/update/delete lifecycle as in all other cases. While the
creation/update of data is easily abstracted and handled by the
cloud platform, the destruction of data in the cloud may be tricky,
especially for security/regulatory compliance purposes. Often in
these cases, cloud service providers must demonstrate complete
destruction of the data, taking into account virtual machine
migration and remote data center backups. Some data destruction may
be conditional on other factors, such as legal time limits.
Therefore, there must be a data lifecycle management function in the
cloud framework, based on policies defined by the users, that
governs the create/update/delete/migrate functions of data.
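As an added illustration (not part of the draft), the following Python models the policy-driven lifecycle function just described: every copy of a data object (primary, VM-migration replica, remote backup) is tracked, so the geographic restriction on data in motion is enforced when a copy is made and destruction can be shown to be complete, while being deferred for as long as a legal retention limit applies. The tenant name, regions, object names and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Policy:
    owner: str                           # tenant/enterprise that owns the data
    allowed_regions: FrozenSet[str]      # regions where copies may reside
    retain_until: Optional[date] = None  # legal hold: no destruction before this

@dataclass
class DataObject:
    object_id: str
    policy: Policy
    # copy_id -> (kind, region); kinds: primary, vm-migration, remote-backup
    copies: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

class LifecycleManager:
    """Create/migrate/destroy governed by the owner's policy (constructed model)."""

    def __init__(self) -> None:
        self.objects: Dict[str, DataObject] = {}

    def create(self, object_id: str, policy: Policy, region: str) -> DataObject:
        if region not in policy.allowed_regions:
            raise PermissionError(f"{region} not permitted for {policy.owner}")
        obj = DataObject(object_id, policy)
        obj.copies["primary"] = ("primary", region)
        obj.audit.append(("create", "primary", region))
        self.objects[object_id] = obj
        return obj

    def replicate(self, object_id: str, copy_id: str, kind: str, region: str) -> bool:
        """Record a copy made by VM migration or remote backup; the geographic
        restriction on data in motion is checked before the copy is allowed."""
        obj = self.objects[object_id]
        if region not in obj.policy.allowed_regions:
            obj.audit.append(("denied", copy_id, region))
            return False
        obj.copies[copy_id] = (kind, region)
        obj.audit.append((kind, copy_id, region))
        return True

    def destroy(self, object_id: str, today: date) -> bool:
        """Complete destruction: refused while a legal retention limit applies;
        otherwise every tracked copy, migrated and backup copies included, is
        wiped so the provider can demonstrate that nothing remains."""
        obj = self.objects[object_id]
        hold = obj.policy.retain_until
        if hold is not None and today < hold:
            obj.audit.append(("destroy-deferred", object_id, hold.isoformat()))
            return False
        for copy_id, (_kind, region) in list(obj.copies.items()):
            # a real system would crypto-shred or overwrite the copy here
            obj.audit.append(("wiped", copy_id, region))
            del obj.copies[copy_id]
        obj.audit.append(("destroyed", object_id, ""))
        return True

def demo() -> Tuple[bool, bool, bool, bool, int]:
    """Constructed scenario: EU-only records under a legal hold until 2012-06-30."""
    mgr = LifecycleManager()
    pol = Policy("acme-corp", frozenset({"eu-west", "eu-central"}), date(2012, 6, 30))
    mgr.create("patient-records", pol, "eu-west")
    migrated = mgr.replicate("patient-records", "vm-7", "vm-migration", "eu-central")
    backup_us = mgr.replicate("patient-records", "dr-site", "remote-backup", "us-east")
    early = mgr.destroy("patient-records", date(2012, 1, 15))  # during the hold
    final = mgr.destroy("patient-records", date(2012, 7, 1))   # after the hold
    return migrated, backup_us, early, final, len(mgr.objects["patient-records"].copies)
```

The audit list on each object is what a provider would hand to an auditor: it records the denied cross-border backup, the deferred destruction, and the wipe of every copy.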
3.3. Lack of mandatory Application Security in Protocol
HTTP is the most widely used application layer protocol. It
functions as a request-response protocol in the client-server
computing model.
A Web service is a method of communication between two electronic
devices over a network. Web services are most widely implemented on
top of HTTP. There are specifications defined for Web services such
as WS-Interoperability (WS-I), WS-Security, WS-Addressing,
WS-Policy, WS-ReliableMessaging, etc.
The Web services specifications have not yet been widely adopted in
application implementations, thus leaving security as a choice for
the developers of the organizations building the various
applications.
Given the lack of mandatory security requirements, there may be
significant gaps in these application implementations. A few use
cases are mentioned here to exemplify the problem:
User identity and session state management within an application
context are not mandated or controlled at the protocol level,
leading to broken session handling and authentication hijacking
issues on the client side.
There is also an identity and access management problem: as the
applications used by enterprises are spread between private and
public cloud providers, users have to be single-signed-on and
authorized with the appropriate privileges to access these
resources. The ability to support multi-factor authentication across
multiple cloud providers is another requirement that would
significantly enhance the security of application implementations
based on these protocols.
Another significant aspect that can be addressed at the protocol
level, by making it mandatory, is the validation and encoding of
data exchanged between the client and the host. This would play an
important role in maintaining data integrity without the use of
additional APIs during application development, and helps protect
against security vulnerabilities such as Cross-Site Scripting (XSS),
Cross-Site Request Forgery (CSRF) and injection (LDAP, SQL).
4. Other Gaps in Existing Implementations & New Requirements
These topics are mentioned here for completeness of the security
framework, in which privileged users access or use on-demand
self-service to run these applications and services in a
tenant-isolated and interoperable virtualized environment. They may
be elaborated later, as seen fit, in the context of IETF protocol
gaps.
4.1. Systems Security Gaps & New Requirements
The interoperability and information exchange between systems in the
organizational domains across an enterprise, or across related
enterprises, are affected by the lack of proper protocol and profile
definitions, and certain approaches raise security concerns.
Transport channel encryption is a widely deployed security
implementation. While this practice helps avoid man-in-the-middle
attacks, it also prevents the detection of malicious content that
has entered the system from the client-side browser.
Another challenge in today's implementations, and a new requirement
for developing interoperable solutions in a virtualized environment,
is key management in a client/host (cloud user and cloud provider)
architecture spread across multiple providers. All key exchanges
between the enterprise and the cloud shall be secured and protected.
The system shall be able to support end users (consumers or
enterprises) holding the encryption keys and integrating with their
existing key management. When they withdraw the encryption keys from
the cloud, the customers' data in the cloud becomes inaccessible or
unreadable. It shall be protected from side attacks and
administrator attacks such as snapshotting a VM to obtain the
encryption keys. The system should be able to support standard key
management protocols, such as KMIP (Key Management Interoperability
Protocol), between the encryption entity in the cloud and the key
manager in the enterprise domain.
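As an added illustration (not the draft's or any product's code), the following Python shows the customer-held-key arrangement described above: the enterprise key manager holds the key-encrypting key (KEK), the cloud encryption entity stores only ciphertext plus a wrapped per-object data key, and withdrawing the KEK renders the stored data unreadable. The HMAC-SHA256 counter-mode keystream is a stdlib-only toy stand-in for a real cipher such as AES-GCM, the tenant "acme" and the record are constructed, and a real deployment would carry the wrap/unwrap calls over KMIP.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

class EnterpriseKeyManager:
    """Key manager in the enterprise domain: holds each tenant's KEK and never releases it."""

    def __init__(self) -> None:
        self._kek = {}

    def enroll(self, tenant: str) -> None:
        self._kek[tenant] = secrets.token_bytes(32)

    def wrap(self, tenant: str, dek: bytes) -> bytes:
        kek, nonce = self._kek[tenant], secrets.token_bytes(16)
        body = _xor(dek, _keystream(kek, nonce, len(dek)))
        tag = hmac.new(kek, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unwrap(self, tenant: str, blob: bytes) -> bytes:
        kek = self._kek.get(tenant)
        if kek is None:  # tenant withdrew its key: nothing in the cloud can decrypt
            raise PermissionError("KEK withdrawn by tenant; data is unreadable")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(kek, nonce + body, hashlib.sha256).digest()):
            raise ValueError("wrapped key failed integrity check")
        return _xor(body, _keystream(kek, nonce, len(body)))

    def withdraw(self, tenant: str) -> None:
        self._kek.pop(tenant, None)

class CloudEncryptionEntity:
    """Cloud side: at rest only ciphertext and the wrapped DEK are stored, so a
    storage snapshot yields no usable key; the DEK is in memory only per put/get."""

    def __init__(self, kms: EnterpriseKeyManager) -> None:
        self.kms, self.store = kms, {}

    def put(self, tenant: str, name: str, plaintext: bytes) -> None:
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)  # per-object DEK
        ciphertext = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
        self.store[(tenant, name)] = (nonce, ciphertext, self.kms.wrap(tenant, dek))

    def get(self, tenant: str, name: str) -> bytes:
        nonce, ciphertext, wrapped = self.store[(tenant, name)]
        dek = self.kms.unwrap(tenant, wrapped)  # fails once the KEK is withdrawn
        return _xor(ciphertext, _keystream(dek, nonce, len(ciphertext)))

def demo():
    # constructed scenario: tenant "acme" stores a record, then withdraws its KEK
    kms = EnterpriseKeyManager()
    kms.enroll("acme")
    cloud = CloudEncryptionEntity(kms)
    record = b"constructed sample record"
    cloud.put("acme", "ledger.csv", record)
    before = cloud.get("acme", "ledger.csv")
    at_rest = cloud.store[("acme", "ledger.csv")]
    kms.withdraw("acme")
    try:
        cloud.get("acme", "ledger.csv")
        after = "readable"
    except PermissionError:
        after = "unreadable"
    return before == record, record in at_rest[1], after
```

A VM memory snapshot taken while get() is running would still capture the unwrapped DEK; that window is the residual risk the draft names, and it is why the DEK is never written to the store.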
4.2. Network Security Gaps & New Requirements
o Develop security at the protocol level to accommodate the various
needs of virtual infrastructure environments and the applications
running in them.
o Protecting the channel using a VPN enables secure communication
between the client and the host.
o Cloud customers depend on functional networks to access their
resources, and because networks are often not under the control of
customers, there is a risk that the cloud may not be reachable.
o Connectivity resource (bandwidth) allocation for routing, VLANs
and other network configuration to handle multiple customers.
4.3. Mobile Security Gaps & New Requirements
With the proliferation of mobile devices and of the applications
developed to serve consumers' needs with a better user experience,
it is becoming critical to protect the privacy and security of these
users upon the physical loss of their devices.
Managing the identity of the user accessing a mobile device is
critical to the safety and privacy of the user's content. In
addition, there is a high chance of private data falling into the
wrong hands via removable media access or local Bluetooth
connections that are not turned off.
In some instances where a mobile device is physically lost, it may
be helpful to track the device to see whether it is in someone
else's hands, or to retrieve important data from it remotely and
destroy the content on the device for safety.
Another important requirement would be the ability to seamlessly
provide content to authenticated and authorized users on their
mobile platform while in transit across various networks (from
various network providers) without disruption of service.
This content may also be viewed by the authorized user via various
display channels, switching seamlessly from the mobile device in
their hands or in their automobile to their television or home
personal computer.
o End-point security (protection against removable media)
o Protection against Bluetooth connection access
o Encryption of data
o Service mobility resource allocation services
o Locating the mobile device and the ability to remotely disable it.
4.4. Physical Security Gaps & New Requirements
o Access control - what is the basis for trusting the human cloud
operators?
o A common operational picture that provides an integrated view of
the various alarms, alerts and notifications from physical devices
such as video surveillance cameras, motion sensors, access control
card readers, etc.
o Role- and privilege-based access to video surveillance content
and alarm notifications.
o Perimeter security of virtualized data center operations,
providing real-time insight into security issues to the provider
and to the enterprises using its services.
o Business-hours-based security monitoring of provider assets.
4.5. Operations & Management Security Gaps & New Requirements
o Discovery of network nodes, both physical and virtual, and their
access privileges (for example using SNMPv3), as well as their
locations in a physically distributed virtualized infrastructure.
o Ability to manage both physical and virtual network resources
through a consistent network management console.
o Management of configurations across various systems and network
equipment.
o Need clarity on security control roles and responsibilities.
o Backup and recovery of information (import/export across multiple
CSPs).
o Business continuity and disaster recovery - how to maintain
continuity of operations if cloud providers fail?
o Business continuity and disaster recovery - how to maintain
continuity of operations by having redundancy across multiple
service providers?
o Management & Configuration Security
o Governance, Risk & Compliance
* Clear certification and accreditation guidelines
* Clear e-discovery guidelines
* Cloud audit assurance and log sensitivity management
* Need for clarity on how 800-53-style control guides can work
for the cloud
* Need clear privacy guidelines
4.6. Other New Requirements
o Interoperability across various vendor products that span the
client or host layers.
o Multi-cloud services: applications integrated across different
CSPs.
o Inter-cloud information exchange between CSPs.
o Visibility for customers - how can customers observe their
workloads to be aware of their health and general status?
o Control for customers during self-service - how can customers
maintain effective control over their workloads even though the
protection mechanisms, and even the locations, of the workloads may
not be known to them?
o A tenant may have access to other tenants' virtual machines,
network traffic, actual/residual data, etc.
o A tenant may impact the normal operation of other tenants, steal
their data, steal their identities, etc.
o Compute resource allocation services - system, computing, storage
and network resources in a virtualized infrastructure environment.
5. Work Item for Consideration
The various applications and interworking protocols developed by the
IETF MAY need to be extended or profiled to support the security
requirements of virtualized services and infrastructure
environments.
5.1. Applications & Services
The most widely used protocols in application and service
development today, such as HTTP, have been considered for
applications in the virtualized environment. These protocols may
have to be profiled or extended with significant changes to be ready
to handle the security requirements of a virtualized environment.
5.2. Infrastructure Operations & Management
The various security parameters related to the operations and
management of virtualized network resources in multiple
administrative domains may need to be defined. The results of
monitoring may need to be exchanged periodically among the private
and public virtualized domains and infrastructure in order to
maintain the expected end-to-end security.
6. Security Considerations
--[Editor's note] This document discusses security for virtualized
environment.
7. Conclusion
Over the last decade the landscape has changed, from the exponential
growth of the Internet and the associated advances in technology to
the large-scale adoption of connected devices.
With this advancement we are seeing a rapid rise in security threats
and vulnerabilities to today's applications and infrastructure.
It is time to take a look at existing protocols and APIs, not only
for today's applications and infrastructure but also to tackle the
rising threats due to the use of the same technologies and protocols
for the development of virtualized applications and infrastructure
environments. These shall not only cause security and
interoperability problems, but may also negatively impact the
further development of protocols and services in this very important
area of virtualized applications and networking infrastructure
environments. The IETF is the best organization to address these
issues.
8. Acknowledgement
--[Editor's note] Will be added in future.
9. IANA Considerations
This document has no actions for IANA.
10. References
Authors' Addresses
Suren Karavettil
ASTA Ventures, Inc.
32 Hatikva Way
Chelmsford, MA 01863
USA
Phone: +001-978-857-5461
Email: surenck@gmail.com
Bhumip Khasnabish
ZTE USA, Inc.
18 Patterson Road
Lexington, MA 02421
USA
Phone: +001-781-752-8003
Email: vumip1@gmail.com
Ning So
Verizon
2400 N. Glenville Road
Richardson, TX 75082
USA
Email: ning.so@verizonbusiness.com
Wei Dong
Tektronix Communications
3033 President Bush Hwy
Plano, TX 75075
USA
Phone: +001-469-330-4000
Email: wei.dong@tek.com