View article

Multi-tenant infrastructure clouds can bear great complexity and can be exposed to security issues. Even if one only analyzes the static configuration of hosts, VMs, network and storage as well as their inter-connectivity, one faces a complex system. Configuration and topology changes make the system a moving target and can introduce violations of a security policy, for instance, manifest in incorrect deployment or isolation breaches. Although there have been analyses of isolation failures in complex static configurations of clouds, such as Bleikertz et al.[3], the analysis of dynamic configuration changes is largely missing [2].

Misconfigurations and Insider Attacks Even if committed unintentionally, misconfigurations are among the most prominent causes for security failures in infrastructure clouds. The ENISA report on cloud security risks [5] names isolation failure as major technical risk, with misconfiguration, lack of resource isolation and ill-defined role-based access policies as notable root vulnerabilities. If committed intentionally by a malicious insider, misconfigurations expose the infrastructure to greater risks. The CSA threat report [4] as well as the ENISA report agree to insider attacks as a TOP 10 cloud security risk as well as malicious insiders as a “very high impact” technical risk [5]. The analysis of all configuration changes is crucial here, as the insider could create a transient insecure state to attack the system and change it to a secure configuration before the next security analysis. Therefore, there is a need to analyze management operations for their security properties and to achieve overall accountability for administrator actions. The …