
Computer Security: Principles and Practice, 3rd Edition, by William Stallings and Lawrie Brown (Chapter 5)


Page 2

Chapter 5

Database and Cloud Security

Page 3

Database management system (DBMS)

• Suite of programs for constructing and maintaining the database

• Offers ad hoc query facilities to multiple users and applications

Databases

• Structured collection of data stored for use by one or more applications

• Contains the relationships between data items and groups of data items

• Can sometimes contain sensitive data that needs to be secured

Query language

• Provides a uniform interface to the database

Page 4

Figure 5.1 DBMS Architecture (diagram not reproduced; surviving labels: user queries, user applications, transaction manager, file manager, physical database)

DDL = data definition language

DML = data manipulation language

Page 5

Relational Databases

• Table of data consisting of rows and columns

• Each column holds a particular type of data

• Each row contains a specific value for each column

• Ideally has one column where all values are unique, forming an identifier/key for that row

• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables

• Use a relational query language to access the database

• Allows the user to request data that fit a given set of criteria

Page 7

Primary key

• Uniquely identifies a row

• Consists of one or more column names

Page 8

Table 5.1 Basic Terminology for Relational Databases

Page 10

Figure 5.4 Relational Database Example (figure not reproduced; surviving labels: Did, Eid, primary key; panel (b) is a view derived from the database)

Page 11

Structured Query Language (SQL)

Standardized language to define schema, manipulate, and query data in a relational database

Several similar versions of ANSI/ISO standard

All follow the same basic syntax and semantics

SQL statements can be used to:

• Create tables

• Insert and delete data in tables

• Create views

• Retrieve data with query statements

Page 12

SQL Injection Attacks (SQLi)

• One of the most prevalent and dangerous network-based security

o Modify or delete data

o Execute arbitrary operating system commands

o Launch denial-of-service (DoS) attacks

Page 13

Figure 5.5 Typical SQL Injection Attack (diagram not reproduced; legend labels: Web servers, Web application server, database servers; annotation: credit card data is retrieved from database)

Page 14

Injection Technique

The SQLi attack typically works by prematurely terminating a text string and appending a new command

Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark “--”

Subsequent text is ignored at execution time

Page 15

SQLi Attack Avenues

• Attackers inject SQL commands by providing suitably crafted user input

Physical user input

• Applying user input that constructs an attack outside the realm of web requests

Page 16

Inband Attacks

• Uses the same communication channel for injecting SQL code and retrieving results

• The retrieved data are presented directly in the application Web page

• Include:

o This form of attack injects code in one or more conditional statements so that they always evaluate to true

o End-of-line comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments

o Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

Page 17

Inferential Attack

• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server

• Include:

o Illegal/logically incorrect queries

• This attack lets an attacker gather important information about the type and structure of the backend database of a Web application

• The attack is considered a preliminary, information-gathering step for other attacks

o Blind SQL injection

• Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

Page 18

Out-of-Band Attack

• Data are retrieved using a different channel

• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax

Page 19

SQLi Countermeasures

• Three types:

• Manual defensive coding

Run-time prevention

• Check queries at runtime to see if they conform to a model of expected queries
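An added example, not taken from the textbook or the slides, of two of the countermeasures named on this slide: manual defensive coding (a parameterized query) and a run-time check of each statement against a model of the expected query. It uses Python's `sqlite3` with a constructed `accounts` table; the table, the function names and the sample input string are assumptions made for illustration.

```python
import re
import sqlite3

CRAFTED = "' OR 1=1 --"  # constructed test input: always-true condition + end-of-line comment

def make_db():
    # Constructed sample table; names and values are illustrative only
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, pin TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("ann", "1111", 500), ("david", "2222", 900), ("frank", "3333", 40)])
    return db

def build_concat(name, pin):
    # Vulnerable pattern: user input becomes part of the statement text
    return ("SELECT name, balance FROM accounts "
            "WHERE name = '" + name + "' AND pin = '" + pin + "'")

def lookup_concat(db, name, pin):
    return db.execute(build_concat(name, pin)).fetchall()

def lookup_param(db, name, pin):
    # Defensive coding: placeholders bind input as data, never as SQL syntax
    sql = "SELECT name, balance FROM accounts WHERE name = ? AND pin = ?"
    return db.execute(sql, (name, pin)).fetchall()

# Run-time prevention: reduce a statement to its structure and compare it
# with the structure the application is expected to produce.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def skeleton(sql):
    return " ".join(LITERAL.sub("?", sql).lower().split())

EXPECTED = skeleton(build_concat("x", "y"))

def lookup_checked(db, name, pin):
    sql = build_concat(name, pin)
    if skeleton(sql) != EXPECTED:
        raise ValueError("query does not conform to the expected model")
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, CRAFTED, "x"))   # every row
    print("parameterized:", lookup_param(db, CRAFTED, "x"))   # no rows
    try:
        lookup_checked(db, CRAFTED, "x")
    except ValueError as err:
        print("checked:", err)
```

The structural check rejects any input that changes the shape of the statement, including a legitimate name containing an unescaped quote, so it complements parameterized queries and does not replace them.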

Page 20

Database Access Control

Database access control system

What access rights the user has (create, insert, delete, update, read, write)

Can support a range of administrative policies

Page 21

o Revokes the access rights

• Typical access rights are:

Page 22


Page 23

Role-Based Access Control (RBAC)

• Role-based access control eases administrative burden and improves security

• A database RBAC needs to provide the following capabilities:

• Create and delete roles

• Define permissions for a role

• Assign and cancel assignment of users to roles

• Categories of database users:

Application owner

part of an application

End user

objects via a particular application but does not own any of the database objects

Administrator

for part or all of the database

Page 24

Role Permissions

Fixed Server Roles

all database functions

error logs and change passwords

Fixed Database Roles

memberships

db_backupoperator: Can issue DBCC, CHECKPOINT, and BACKUP statements

db_denydatareader: Can deny permission to select data in the database

Page 25

Sensitive data

Page 26

Figure 5.8 Inference Example (tables not reproduced): (a) Employee table with columns Name, Position, Salary ($), Department, Dept Manager; (b) Two views; (c) Table derived from combining query answers, with columns Name, Position, Salary ($), Department

Page 27

Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference

Techniques in this category often result in unnecessarily stricter access controls that reduce availability

Inference detection at query time

Approach seeks to eliminate an inference channel violation during a query or series of

• Some inference detection algorithm is needed for either of these approaches

• Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases

Page 28

Database Encryption

for any organization

control systems, database encryption

• Can be applied to the entire database, at the record level, the attribute level, or level of the individual field

• When part or all of the database is encrypted it becomes more difficult to perform record searching

Page 29

Data owner – organization that produces data to be made available for controlled release

User – human entity that presents queries to the system

Client – frontend that transforms user queries into queries on the encrypted data stored on the server

Server – an organization that receives the encrypted data from a data owner and makes them available for distribution to clients

(Diagram not reproduced; surviving labels: Query Processor, Meta Data, Encrypted database; numbered flows: 1 Original query, 2 Transformed query, 3 Encrypted result, 4 Plaintext result)

Page 30

Data-Cloud Security

NIST SP-800-145 defines cloud computing as:

“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Page 31

Figure 5.11 Cloud Computing Elements (diagram not reproduced; surviving labels: Broad Network Access, Resource Pooling, Rapid Elasticity; Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS); Public, Private, Hybrid, Community)

Page 32

Figure 5.12 Cloud Service Models

(a) SaaS

• Cloud Infrastructure (visible only to provider)

• Cloud Platform (visible only to provider)

• Cloud Application Software (provided by cloud, visible to subscriber)

(b) PaaS

• Cloud Infrastructure (visible only to provider)

• Cloud Platform (visible to subscriber)

• Cloud Application Software (developed by subscriber)

(c) IaaS

• Cloud Infrastructure (visible to subscriber)

• Cloud Platform (visible to subscriber)

• Cloud Application Software (developed by subscriber)

Page 33

NIST Deployment Models

Public cloud

• The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services

• The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud

Private cloud

• The cloud infrastructure is operated solely for an organization

• It may be managed by the organization or a third party and may exist on premise or off premise

• The cloud provider is responsible only for the infrastructure and not for the control

Community cloud

• The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns

• It may be managed by the organizations or a third party and may exist on premise or off premise

Hybrid cloud

• The cloud infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

Page 34

Figure 5.13 Cloud Computing Context (diagram not reproduced; surviving labels: Enterprise Cloud User, Cloud service provider)

Page 35

Cloud Computing Reference Architecture

• NIST SP 500-292 establishes a reference architecture described as follows:

“The NIST cloud computing reference architecture focuses on the requirements of ‘what’ cloud services provide, not a ‘how to’ design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”

Page 36

Objectives

• NIST developed the reference architecture with the following objectives in mind:

o To illustrate and understand the various cloud services in the context of an overall cloud computing

Page 37

Figure 5.14 NIST Cloud Computing Reference Architecture (diagram not reproduced; surviving labels: Cloud Broker, Service Aggregation, Service Arbitrage, Cloud Provider, Service Management, Business Support, PaaS, IaaS, Resource Abstraction and Control Layer, Physical Resource Layer, Hardware, Facility)

Page 38

Cloud Security Risks

The Cloud Security Alliance lists the following as the top cloud specific security threats:

• Abuse and nefarious use of cloud computing

• Insecure interfaces and APIs

• Malicious insiders

• Account or service hijacking

• Unknown risk profile

Page 39

Data protection

Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data

Take into consideration the risk of collating organizational data with those of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value

Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider

Availability

Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization’s continuity and contingency planning requirements

Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner

Table 5.4 NIST Guidelines on Cloud Security and Privacy Issues and Recommendations

(This table can be found on page 190 in the textbook.)

Page 40

Data Protection in the Cloud

The threat of data compromise increases in the cloud

Risks and challenges that are unique to

Gives the subscriber complete control over administrative tasks related to security

Multi-tenant model

• Provides a predefined environment for the cloud subscriber that is shared with other tenants typically through tagging data with a subscriber identifier

• Gives the appearance of exclusive use of the instance but relies on the cloud provider to establish and maintain a secure database environment

Page 41

Cloud Security As A Service

• SecaaS

• Is a segment of the SaaS offering of a CP

• Defined by The Cloud Security Alliance as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems

Page 42

Figure 5.15 Elements of Cloud Security as a Service (diagram not reproduced; surviving labels: cloud service clients and adversaries)

• Identity and access management

• Network security

• Data loss prevention

• Web security

• Intrusion management

• Encryption

• E-mail security

• Security assessments

• Security information and event management

• Business continuity and disaster recovery

Page 43

• Database access control

o SQL-based access definition

o Cascading authorizations

o Role-based access control

• Database encryption

• Cloud computing

o Cloud computing elements

o Cloud computing reference architecture

• Cloud security risks and countermeasures

• Data protection in the cloud

• Cloud security as a service

• The need for database security

• Database management systems

• Relational databases

o Elements of a relational database system

o Structured Query Language

• SQL injection attacks

o A typical SQLi attack

o The injection technique

o SQLi attack avenues and types

o SQLi countermeasures

• Inference

Date posted: 18/12/2017, 15:16