Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: @CloudExpo

@CloudExpo: Article

Strategies for Securing Enterprise-to-Cloud Communication

IaaS vendors and Enterprise consumers share responsibilities for enabling Cloud Security

The Cloud Security Alliance (CSA) published Version 2.1 of its Guidance for Critical Areas of Focus in Cloud Computing with a significant and comprehensive set of recommendations that enterprises should incorporate within their security best practices if they are to use cloud computing in a meaningful way.

The Guidance provides broad recommendations for operational security concerns including application security, encryption & key management, and identity & access management. In this article, we will consider security implications of REST- and SOAP-based communication between consumers and specifically, Infrastructure as a Service (IaaS) providers.

Cloud Application Security
Cloud application security requires looking at classic application security models and extending these models out to dynamic and multi-tenant architectures. While planning for cloud-based application security, DMZ-resident application security should be used as the starting point. DMZ-based security enforcement models should be extended to incorporate secure enterprise-to-cloud traffic management and operational control.  IaaS cloud providers design their management APIs to accommodate consumers with varying skill sets. Popular IaaS providers (Amazon EC2, Rackspace, Opsource, GoGrid) publish RESTful APIs for keeping a low threshold-of-difficulty to accommodate a broad set of consumers that lack sophisticated SOAP-based communication stacks but can easily consume XML/JSON using RESTful interaction. Amazon EC2, however, also provides a sophisticated WDSL for SOAP-based interaction. Although cloud providers have a greater responsibility of implementing extensive application security provisions while accommodating consumers of varying technical skills, cloud consumers also have to share the burden of risk mitigation by ensuring that their API calls into the cloud providers are secure and clean. The potential for a cascading effect in a shared, multi-tenant environment is high: a single poorly formed SOAP- or REST-based API request can cause a Denial of Service (DoS) attack potentially shutting down access to the cloud management APIs for many.

Implications for Cloud Consumers
Cloud consumers, for example enterprises, usually make outbound calls into an IaaS provider using a REST-based or a SOAP-based API for provisioning and managing server instances. Such standards-based API calls provide significant flexibility and ease for automating cloud resource management. However, this flexibility also opens the door to security risks that should be addressed. Here are a few operational recommendations, expanding on the CSA Guidance for Application Security, that cloud consumers should consider for lowering their risk profile while interacting with an IaaS:

  1. Enable Encryption: Cloud consumer should use SSL (HTTPS) for encrypting data-in-motion. When available, data-at-rest encryption (WS-Security) should also be used for invoking IaaS management services. Enabling content-level encryption for SOAP and REST responses ensures that only authorized consumer can decrypt responses with their private keys and use the API for managing their cloud images.
  2. Check Requests & Responses: Before invoking a REST- or SOAP-based call to an IaaS, consumers should determine whether the invocation is in the correct format and does not contain malware and that the request message integrity has not been compromised. The response from SOAP and REST-XML/JSON calls should also be scanned for malware and possible corruption before consumption by enterprise cloud management applications. Fortunately, structured data such as XML and SOAP provide the ability to check for message hygiene through a variety of ways starting with the simplest check: XSD Schema Validation. A schema, embedded in a WSDL file, provides constraints for message data types, structure, and content (through facets). Enforcing schema validation or simple deep-content validation through regular expression for REST calls ensures that the messages adhere to their required structure. Additional checks must be performed for malware that may be transmitted in a request or response to identify and quarantine infected messages. Such protective actions can prevent malware cascading through an enterprise or its IaaS provider.
  3. Enable Web services: For building a robust and secure framework for interacting with IaaS providers, SOAP-based interaction provides richness over RESTful XML/JSON. With SOAP use, enterprises can leverage their Public Key Infrastructure (PKI) and have full key life-cycle management including the ability to issue, sign, revoke and validate X.509 certificates being used in SOAP calls. By using key-pairs, enterprises have extensive control over authentication, message integrity and privacy while interacting with an IaaS. Using X.509 with GETs in a RESTful interaction is difficult and non-standard (other than for SSL mutual authentication that most IaaS providers do not support).

Implications for Cloud Providers
IaaS vendors usually provide a simple-to-use, web-based UI that enables user to manage cloud-based server images. This web-based interface is great to get up and running quickly, however, for enterprises that deploy numerous images, automated scripting for image management is essential. Most IaaS vendors provide REST, SOAP or Command Line scripting APIs for automating image management functions. Here are a few operational recommendations, expanding on the CSA Guidance for Application Security, that cloud providers should consider for lowering their risk profile:

  1. Provide standards-based flexibility: From the simplest of RESTful XML/JSON GETs to sophisticated signed SOAP requests with embedded X.509, IaaS providers have to address requirements from users with highly-varied technical skills. For large enterprise customers, IaaS vendors must provide strong authentication capabilities and rich SOAP-based interaction, whereas for smaller companies that may not have technical skill for handling a SOAP stack, simple RESTful interaction is usually preferred. Within simple, RESTful type interaction, there is a glaring lack of standardization on identity token use. Enterprises serious about using IaaS have to consider multi-cloud deployments for higher reliability. Standards-based identity tokens - perhaps OAuth for RESTful APIs and WS-X.509 for SOAP APIs - will provide a common management framework for enterprises to build redundancy through multi-cloud deployments.
  2. Enable comprehensive encryption: IaaS vendors must provide both data-in-motion security via protocols such as SSL and data-at-rest security through standards such as WS-Security for satisfying corporate security requirements. All IaaS vendors provide SSL-based encryption for invoking management APIs, however, content-level encryption for data-at-rest is not implement. IaaS providers such as Amazon EC2 support X.509 certificates for authentication and also provides WS-Signature capabilities for their SOAP-based API. Other IaaS vendors should provide such SOAP-based APIs along with more granular security controls. IaaS vendors should support SOAP APIs and provide granular encryption for XML/SOAP responses as an additional level of encryption control so that only enterprises with strict ownership and control of their private keys can view encrypted information within a XML/SOAP response.
  3. Perform comprehensive API testing: Before releasing a set cloud management calls to consumers, the APIs should be thoroughly tested across all exposed interaction formats, e.g., JSON/XML-REST and SOAP over HTTP(S).  The testing should be comprehensive and should cover four aspects of testing:  functional, performance, interoperability, and security.  Functional testing ensures that the cloud provisioning and management calls behave as expected and that no regression errors have been introduced.  Such functional testing has to cover all message types, identity tokens and security artifacts.  Performance testing can establish concurrency and throughput profiles for the APIs.  Interoperability testing ensures the APIs are consumable by the widest array of application platforms.  Adhering to WS-I Basic Profiles, for example, ensures that service description (WSDL) for the cloud management API can be used by .NET, Java, and LAMP environments with relative ease.  Finally, and perhaps, the most overlooked aspect of testing is a full penetration and security test for the IaaS management API that identifies REST, XML and SOAP-based vulnerabilities before the IaaS is exposed for public consumption. The multiplicative effect of a multi-tenant setting and multiple configuration APIs results is a dramatic expansion of the attack surface area. Identifying and remediating such risks through exhaustive penetration testing should be an essential component of IaaS providers Application Security operational plan.

Conclusions
Cloud application security requires extending risk planning and analysis beyond corporate boundaries. Enterprises that are already comfortable with deploying applications in the DMZ for deep integration with external trading partner have already laid the fo undations for interacting securely with IaaS cloud providers. Such mature enterprises have already figured out how to invoke external APIs via XML/SOAP, manage their identity tokens, encrypt communication and monitor traffic. Utilizing IaaS provider APIs and building a reliable multi-cloud application strategy requires extending their existing application infrastructure for centralized cloud management and control. Cloud providers, public and private, on-premise and off-premise have a higher burden of managing cloud application security than cloud service consumers. Cloud providers are required to balance security with flexibility. Greater security may discourage users with lower technical skills whereas enterprise customers may expect only the highest level of security. Cloud vendors should continue to focus on providing flexibility while extending security options available to users. They should also consider using standards-based identity tokens and work towards a standard management API that enables enterprises to build secure and reliable multi-cloud deployments.

References

  1. Guidance for Critical Areas of Focus in Cloud Computing
  2. Beginner's Guide to OAUTH
  3. Understanding WS-Security
  4. Pillars of SOA Testing

More Stories By Mamoon Yunus

Mamoon Yunus is an industry-honored CEO and visionary in Web Services-based technologies. As the founder of Forum Systems, he pioneered XML Security Gateways & Firewalls and was granted a patent for XML Gateway Appliances. He has spearheaded Forum's direction and strategy for eight generations of award-winning XML Security products. Prior to Forum Systems, Yunus was a Global Systems Engineer for webMethods (NASD: WEBM) where he developed XML-based business integration and architecture plans for Global 2000 companies such as GE, Pepsi, Siemens, and Mass Mutual. He has held various high-level executive positions at Informix (acquired by IBM) and Cambridge Technology Group.

He holds two Graduate Degrees in Engineering from MIT and a BSME from Georgia Institute of Technology. InfoWorld recognized Yunus as one of four "Up and coming CTOs to watch in 2004." He is a sought-after speaker at industry conferences such as RSA, Gartner, Web Services Edge, CSI, Network Interop, and Microsoft TechEd. Yunus has the distinction of showcasing Forum Systems' entrepreneurial leadership as a case study at the MIT Sloan School of Management. He has also been featured on CNBC as Terry Bradshaw's "Pick of the Week."

@ThingsExpo Stories
There is huge complexity in implementing a successful digital business that requires efficient on-premise and cloud back-end infrastructure, IT and Internet of Things (IoT) data, analytics, Machine Learning, Artificial Intelligence (AI) and Digital Applications. In the data center alone, there are physical and virtual infrastructures, multiple operating systems, multiple applications and new and emerging business and technological paradigms such as cloud computing and XaaS. And then there are pe...
SYS-CON Events announced today that Daiya Industry will exhibit at the Japanese Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Daiya Industry specializes in orthotic support systems and assistive devices with pneumatic artificial muscles in order to contribute to an extended healthy life expectancy. For more information, please visit https://www.daiyak.co.jp/en/.
Real IoT production deployments running at scale are collecting sensor data from hundreds / thousands / millions of devices. The goal is to take business-critical actions on the real-time data and find insights from stored datasets. In his session at @ThingsExpo, John Walicki, Watson IoT Developer Advocate at IBM Cloud, will provide a fast-paced developer journey that follows the IoT sensor data from generation, to edge gateway, to edge analytics, to encryption, to the IBM Bluemix cloud, to Wa...
In his session at @ThingsExpo, Greg Gorman is the Director, IoT Developer Ecosystem, Watson IoT, will provide a short tutorial on Node-RED, a Node.js-based programming tool for wiring together hardware devices, APIs and online services in new and interesting ways. It provides a browser-based editor that makes it easy to wire together flows using a wide range of nodes in the palette that can be deployed to its runtime in a single-click. There is a large library of contributed nodes that help so...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
SYS-CON Events announced today that App2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. App2Cloud is an online Platform, specializing in migrating legacy applications to any Cloud Providers (AWS, Azure, Google Cloud).
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, will introduce two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a mu...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
Mobile device usage has increased exponentially during the past several years, as consumers rely on handhelds for everything from news and weather to banking and purchases. What can we expect in the next few years? The way in which we interact with our devices will fundamentally change, as businesses leverage Artificial Intelligence. We already see this taking shape as businesses leverage AI for cost savings and customer responsiveness. This trend will continue, as AI is used for more sophistica...
SYS-CON Events announced today that SourceForge has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. SourceForge is the largest, most trusted destination for Open Source Software development, collaboration, discovery and download on the web serving over 32 million viewers, 150 million downloads and over 460,000 active development projects each and every month.
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that WineSOFT will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Based in Seoul and Irvine, WineSOFT is an innovative software house focusing on internet infrastructure solutions. The venture started as a bootstrap start-up in 2010 by focusing on making the internet faster and more powerful. WineSOFT’s knowledge is based on the expertise of TCP/IP, VPN, SS...
SYS-CON Events announced today that Akvelon will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Akvelon is a business and technology consulting firm that specializes in applying cutting-edge technology to problems in fields as diverse as mobile technology, sports technology, finance, and healthcare.
SYS-CON Events announced today that TechTarget has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets.
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we've...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, will present a step-by-step plan to develop your technology implementation strategy. He will discuss the evaluation of communication standards and IoT messaging protocols, dat...
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...