Architecture and design represent one important side of delivering a security posture. That’s what this book is all about: How does one go about achieving an architecture and an architectural design that represent the security needs for a system?
Answer the question with a short paragraph, with a minimum of 300 words. Count the words only in the body of your response, not the references. APA formatting but do not include a title page, abstract or table of contents. Body and references only in your post.
A minimum of two references are required. One reference for the book is acceptable but multiple references are allowed. There should be multiple citations within the body of the paper. Note that an in-text citation includes author’s name, year of publication and the page number where the paraphrased material is located.
-
ISOL536Chapters1011Presentation.pptx
University of the Cumberlands School of Computer & Information Sciences
ISOL-536 – Security Architecture & Design
Chapter 10: Mobile Security Software with Cloud Management
Chapter 10: Mobile Security Software with Cloud Management
10.1 Basic Mobile Security Architecture
10.2 Mobility Often Implies Client/Cloud
10.3 Introducing Clouds
10.3.1 Authentication Is Not a Panacea
10.3.2 The Entire Message Stack Is Important
10.4 Just Good Enough Security
10.5 Additional Security Requirements for a Mobile and Cloud Architecture
Chapter 10: Mobile Security Software with Cloud Management
In order to examine yet another architectural pattern, this example mobile security product will make use of cloud-based management software and a Software as a Service (SaaS) “reputation” service.
10.1 Basic Mobile Security Architecture
Figure 10.1 Mobile security software.
Figure 10.1 presents the architecture for a hypothetical mobile security protection system. Many of the components are the same in the two endpoint security architectures. Incoming and outbound communications have to be established and maintained. An engine must process system events and examine possibly malicious data items.
10.2 Mobility Often Implies Client/Cloud
A reputation service is so-called because many behavioral data points are kept about a particular URL, file, or Internet Protocol (IP) Address. Data is collected from various sources about the observed behavior of the object for which reputation is being calculated. A URL (or other object) will fall somewhere in a continuum from absolutely malicious to reputable (good), with various degrees of “gray” in between those two poles. Based upon the reputation rating, software can prevent access, present the problem for user decision, or passively allow the access.
Although it may not be apparent when looking at mobile devices, they do have permanent storage. Files are kept on the device’s permanent storage. Applications create files. Applications manipulate files. Device users view and edit files. Indeed, on the device’s storage, a typical operating system directory structure does, in fact, exist. There is a “tree” of directories (“folders”) that is exactly what you would find on your computer or your laptop, regardless of which of the usual operating systems you use. On many mobile operating systems, the file and directory details are hidden from the user. Most of these operating systems assume that there is but a single user who has access to all the files. Since mobile operating systems highlight application functionality, the details of file access are hidden behind application user interfaces.
10.2 Mobility Often Implies Client/Cloud – Cont.
Figure 10.2 Mobile security software with cloud management.
In at least a couple of mobile platforms, no application may install software into the kernel. As was noted in Chapter 3, the “system” area exists between the application mode and the kernel. There are three layers—application, system, and kernel (in Figures 10.1 and 10.2, the kernel is not diagrammed, as it is not relevant to this architecture). For our purposes, the security issues are approximately the same regardless of whether Intercept exists as a part of the operating system or whether it was written and installed with the application. If the intercept service is “native”—that is, a part of the operating system—obviously its secure coding and assurance is not under the control of the mobile software maker. Still, the design issues are analogous.
10.3 Introducing Clouds
Communications from each endpoint must flow across the untrusted Internet. Any number of networks and Internet providers may be crossed as packets are routed. Hence, in Figure 10.2, the arrow from the communicator reaches into the Internet, whereas disconnected arrows move to the cloud-based services. The disconnect between arrows is to indicate the unknown nature of routing, the unknown networks across which the traffic must pass.
Usually, the commercial services are “cloud” grade. That is, the services are available across the globe so that user access time is reduced. The services are always available, with failover systems that can pick up upon an instance failure. Cloud services are usually redundant and backed up to various points of presence spread out geographically so that a local catastrophe cannot bring the service down. (We will take a look at the backend architecture of a cloud service in the next analysis.)
One of the big challenges with cloud-based reputation checks is performance. Users don’t typically want to wait a few seconds while the reputation of potential URLs is checked. Most of us have come to expect that websites are at the immediate tips of our fingers and that access and loading of the content should take place rapidly and without delay. This presents a tricky security problem.
10.3.1 Authentication Is Not a Panacea
Should the application be the entity that authenticates? Or should it be the device? Again, there are arguments back and forth about this design choice, which we won’t go into in this example. There are strong reasons for authenticating the device. And that’s the pattern that this system employs. If it’s the device that’s under management, even if the software breaks down, the management service has some concept of the device itself. If the device is lost, it can contain an identifier, regardless of whether the software on it has been reset by a thief. The mobile carrier interacts with the device; the management service, which is able to identify the device, may interact with the carrier about the device, if necessary. Both the management services and the reputation service authenticate the device, not the user. I reiterate that, in general, mobile operating systems and architectures assume a single user per device.
Should the communicator authenticate the server? TLS is being used from the device to the server. TLS always validates the server certificate before proceeding. However, that authentication typically only validates that the certificate was issued by a known Certificate Authority and that the certificate is valid for the IP address of the server. In other words, any TLS server that has a valid certificate will successfully pass the server side TLS authentication. What if our mobility security software gets directed through DNS spoofing to a malicious site? And what if that malicious site presents a valid certificate?
10.4 Just Good Enough Security
Depending upon the adversaries against whom you are protecting the device, “good enough” might well be a reliance upon the message’s digital signature alone. Alternatively, for high-security situations that require more assurance, the addition of a validation of the TLS certificate itself could be added. In addition to validating the certificate authority signing chain, also validate the certificate that is presented by the server. Make it difficult to impersonate the reputation server. There is no “right” answer to this question. It depends upon the security needs of the organization and how much risk can be tolerated.
10.4 Just Good Enough Security – Cont.
Figure 10.3 Cloud-hosted mobile device management using the Hardware Security Module (HSM).
How do you protect a secret like a private key? The addition of a Hardware Security Module (HSM) can help to protect the private key that will sign each device certificate and all the messages from the management function to the devices (as specified above). But HSM’s are not a panacea, just like the use of TLS is not a security cure-all. Deploying an HSM requires some forethought and architecture.
10.4 Just Good Enough Security – Cont.
Here is the order of processing:
The user enrolls the security application.
The user enrolls a particular device.
A device identifier is generated (must include sufficient entropy to be unpredictable).
A certificate request is generated for the device identifier on behalf of the device.
The certificate request is sent to the HSM.
A signed certificate is returned. The public key of the signing key pair will be included in the certificate.
A device certificate for that particular device identifier is returned for installation on the device.
The device can use the public key to verify the certificate signature.
After enrollment, communications from the device may not proceed before the signature over the device certificate has been verified. This can be done by comparison against a duplicate of the public key, which is kept within the directory copy maintained within the authentication system’s restricted subnet. No communication to the HSM is required in order to validate the certificate. The duplicate public key does not require additional, extraordinary protections.
10.5 Additional Security Requirements for a Mobile and Cloud Architecture
The following comprise the additional requirements that must be added to those for an endpoint anti-malware application.
Use TLS between the mobile device and cloud services. Server-side TLS authentication is required.
Each enrolled device will be issued a device identifier. Device identifiers must be unpredictable.
Generate and install a certificate on each mobile device under management. The certificate must be unique to each device. Certificate signature must be validated before cloud services may be accessed. The private key used to sign the device certificate must not be deployed to any device. A single private key may be used for all devices. A better design generates a private signing key for each customer, although consumers who individually purchase protection may all have their certificates signed by the same private key.
The private key used to sign the device certificate must be stored in an HSM or equivalent. The network must be configured such that the HSM will only accept cryptographic operations from the enrollment and management service.
All data (commands, reputations, policies, configurations, etc.) and all binaries downloaded to devices must be hashed and signed. The device software will validate the signature and the hash before any further processing.
Chapter 10: Summary
One of the big challenges with cloud-based reputation checks is performance. Users don’t typically want to wait a few seconds while the reputation of potential URLs is checked. Most of us have come to expect that websites are at the immediate tips of our fingers and that access and loading of the content should take place rapidly and without delay. This presents a tricky security problem.
As we have seen, security decisions must be based on the objectives that are to be fulfilled by the security.
Chapter 10: Summary
END
University of the Cumberlands School of Computer & Information Sciences
ISOL-536 – Security Architecture & Design
Chapter 11: Cloud Software as a Service (SaaS)
Chapter 11: Cloud Software as a Service (SaaS)
11.1 What’s So Special about Clouds?
11.2 Analysis: Peel the Onion
11.2.1 Freemium Demographics
11.2.2 Protecting Cloud Secrets
11.2.3 The Application Is a Defense
11.2.4 “Globality”
11.3 Additional Requirements for the SaaS Reputation Service
Chapter 11: Cloud Software as a Service (SaaS)
11.1 What’s So Special about Clouds?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
In the mobility example, we represented the management of the mobility clients and the reputation service as servers in the “cloud.” Of course, these services require far more architecture than a single or even a horizontally scaled set of servers.
11.2 Analysis: Peel the Onion
From our perspective, we need to know that data are pulled and received from many sources via a data-input function. That function, like the Data Gatherer in the business analytics example, must normalize and parse many different types of data so that the data may be kept in a unitary fashion that can be processed for reputations. One logical function, therefore, is the receipt and initial processing of the various data types. Neither of the figures of the SaaS architecture in this chapter portray reputation data collection.
Figure 11.1 SaaS Reputation Service architecture (in the cloud).
Figure 11.1 represents the cloud service as it may look, logically, from the user’s, that is, the mobility security software’s, perspective. The “cloud” means that the service has multiple points of presence across the globe to be queried. Cloud also implies large scale to support thousands, even millions, of clients. The mobile device software doesn’t need to understand any of the details behind that service. In other words, the details of data retrieval, processing, rating, and responding to queries are entirely opaque to the querying software.
11.2.1 Freemium Demographics
One standard method for dealing with the fact that authentication does not protect against all attacks is to log the actions taken on the system by the authenticated entity. Logging system activity is a typical additional control. Monitoring is often employed so that, at the very least, malicious actions can be tied to a user of the system. In order to monitor, the activity first must get logged. At best, instantiation of malicious action will be noticed and can be stopped before serious damage takes place. For social media sites, logging of action sequences is critical to identifying malicious users and ejecting them from the system before they can harm other users or the system itself.
Since for the reputation service we understand that attackers can gain access, all actions taking place on the service by each device are logged. Anomalous sets of activities trigger an investigation from the 24×7, around-the-clock security monitoring team.
11.2.2 Protecting Cloud Secrets
There are certificate chaining validation methods that address this problem. And Indeed, if each enterprise customer requires a separate signing key (and most will!), then our cloud reputation service will have to employ a fairly sophisticated certificate signing and validation implementation that accounts for multiple certificate signing keys. Still, messages from the service may be signed with the same private key (so that every device can employ the public certificate/key to validate).
11.2.3 The Application Is a Defense
Even the best, most security-conscious development teams occasionally allow a serious security vulnerability to leak out into production software. So how can a service like the reputation service ensure that all non-valid input is rejected? Security software testing is beyond the scope of this book. Still, it may be worth mentioning that a typical testing strategy is to “fuzz” inputs that are likely to receive malformed messages (or other input data). When we examined the file processing chain in the endpoint security example, fuzzing was one of our recommended security controls. That software must be made to withstand poor inputs; it will be examining malicious files. In a similar way, the reputation service front end, which must receive requests from possibly malicious sources, will benefit from rigorous fuzz testing. In order to protect services further within the chain of processing, the reputation service vendor will want the front end to be as bulletproof as possible. Fuzzing is an accepted test methodology to assure a robust input defense.
11.2.3 The Application Is a Defense – Cont.
The sequencing of processing goes something like this:
A device requests a reputation for an object.
The query response process (front end) requests a reputation from the reputation processor.
The reputation is returned to the device.
It is also placed in the cache for rapid retrieval, should a subsequent request for the same information be made.
New data come in about the object.
In the back-end data store, the object reputation changes.
The reputation change triggers the reputation processing component to check the cache for the presence of the reputation.
If found (i.e., it’s still in the cache), the reputation in the cache is deleted, forcing the front end to refresh the reputation when it is next queried.
11.2.4 “Globality”
In Figure 11.2, you will see that the back-end is actually not discrete but connected and replicated to all the points of presence across the globe. This is very typical for a global SaaS service. It’s desirable to keep processing as close to the consumer as possible. Consequently, all the reputations must be replicated to each point of presence. This means that across the globe, in each data center that hosts the service, the front end, the processing service, and the reputation data are duplicated. If the reputation service is to be accurate everywhere, this replication of data has to be very fast so that a reputation query in Singapore is as accurate and up-to-date as a query in London or Hawaii. This need for the rapid dissemination of updates and rigorous duplication of data everywhere implies that the back-end can be thought of as one global system rather than discrete points. At the back-end, all the systems are connected, as they must be to achieve the performance and accuracy required from a global cloud service.
11.2.4 “Globality” – Cont.
There are three architecture patterns that seem to be emerging to provide sufficient tenant data protection.
Encrypt data as it enters the service; decrypt data when it exits – Encryption as data enter the service and decryption at exit is the preferred solution from the customer’s perspective, as long as the keying materials are held by the customer or the customer’s trusted third party.
Separate processing within the infrastructure – Each customer essentially receives distinct infrastructure and processing. Separation at the infrastructure layer is very popular with services that offer a “platform” and infrastructure, that is, Platform as a Service (PaaS) or Infrastructure as a service (IaaS).Each customer essentially receive distinct infrastructure and processing.
Encapsulate data such that it remains segregated as it is processed – If the vendor requires economies acquired from building a highly shared application (many SaaS vendors try to reap these economies) then the simple, obvious solutions will not work.
11.3 Additional Requirements for the SaaS Reputation Service
The following list of requirements focuses on the different, cloud aspects of this architecture. Earlier chapters covered in some depth other aspects, such as endpoint requirements, web requirements, and administrative needs.
The calculation processor will not read from the reputation cache. A message will be sent from the calculation processor to the cache to execute a delete of all references to an object in the cache. Failure of the deletion will be logged. No acknowledgment will be returned by the cache in response to the deletion message.
Reputation request messages must be constructed by the web front end. Only the queried object will be passed to the calculation processor.
The front end will sanitize and validate messages from the mobile device. Any message that fails validation in form or data must be rejected.
Before reputation requests will be received, a device certificate, signed by the private key of the reputation service, must be validated by the reputation front end. Certificate validation failure must cease all further communications.
11.3 Additional Requirements for the SaaS Reputation Service – Cont.
All customer reputation requests and request histories will be encapsulated with an unpredictable token. The token will be related to a cryptographic hash. The hash is the only value to be associated to service tenants. The hash-to-client relationship must be kept in a separate network segment, under separate administrative control (different team) from the application administrative team and from the storage and data administrators. Hash-to-token correlation will be done by a separate process running in the back-end, unexposed to any processing outside the internal back-end networks. Wherever stored, tenant reputation histories will be tagged with the token only. No mention of customer identity can be placed within that administrative domain or network segment.
Reputation data will be pushed from the data farm on the internal network to each reputation data instance.
Reputation data instances will exist on a segregated network that only receives requests from the reputation calculation and processing module.
11.3 Additional Requirements for the SaaS Reputation Service – Cont.
There will be four distinct layers:
The DMZ, bastion layer containing the web service termination. Authentication of device certificates will take place before a reputation request may be made.
A front end module that validates requests before any processing may occur. Requests will be
regenerated before they are passed on to subsequent layers. Objects about which a reputation query
is made may only be passed from the front end after careful validation and format check. The
reputation cache is placed in this segment. It receives requests only from the front end.
The reputation calculator/processor, which only receives reformed requests from the front end.
The local reputation instance for a point of presence, which will only receive requests for data from the calculation module.
The front end request processing input must pass rigorous fuzz testing before release.
The calculation module’s request handling processing chain must pass rigorous fuzz testing before release.
An HSM will be employed at each node to perform certificate, message, and data signing operations. Multiple private keys, including customer specific keys, must be supported. Every node must validate every device certificate.*
Chapter 11: Summary
An architecture specific to global cloud products with many points of presence is the network interconnection. One way to achieve this is to establish a series of connections using VPN or IPsec tunnels over the Internet. For a performance sensitive SaaS, the vagaries of Internet routing will influence transmission times. Hence, although essentially secure across the hostile Internet, such an architecture is likely to be unsuitable for this purpose. Instead, where performance and security must both be served, a private network is often the better choice.
Chapter 11: Summary
END
image4.emf
image5.emf
image6.emf
image7.emf
image8.emf
image1.emf
USEFUL NOTES FOR:
Architecture and design represent one important side of delivering a security posture. That’s what this book is all about: How does one go about achieving an architecture and an architectural design that represent the security needs for a system?
Introduction
Security is a complex topic with many facets. It has to do with everything from how buildings are designed and constructed, to how they are managed and maintained, to how people behave while they’re there. Security is also a function of what kind of information we have access to and the rules that govern who can have access to it. But you don’t need an expert in architecture or design to understand that security needs lots of elements all at once: architecturally speaking, for example, you need space for building structures; water sources for flushing toilets, keeping buildings cool; electricity from generators; and so on.
An architecture can be decomposed into smaller pieces, each of which is a domain. Central to the idea of a domain is that it is a bounded area.
An architecture can be decomposed into smaller pieces, each of which is a domain. Central to the idea of a domain is that it is a bounded area.
The concept has been around for decades and has been used in many different ways by different people, but there are some basic principles that remain consistent across all implementations:
A domain should have its own responsibilities and boundaries.
Each piece must be autonomous from other pieces (i.e., no dependencies).
In any architecture, there will of course be structural elements that also stand alone. A structural element could be a single piece of equipment, such as a router, or one type of communication channel, such as an Ethernet.
There are structural elements in any architecture, but they’re not necessarily security related. Structural elements might be physical or logical. For example, a router is a structural element that can be thought of as an area where packets of data move from one part of the network to another; i.e., it’s both physical and logical at once. On the other hand, Ethernet cables are also both physical and logical: They form some sort of link between two devices on your network (like a computer or smartphone), but these links can also be manipulated by hackers so that they steal data from another device connected via this cable—this would make you think about things like encryption keys being stolen by someone who has access to these wires!
The behavior defines what activities the system will do while it is running and how these activities interact with each other and with the environment. The behavior includes the functions performed by the system and the order in which they are performed.
The behavior defines what activities the system will do while it is running and how these activities interact with each other and with the environment. The behavior includes the functions performed by the system and the order in which they are performed.
Behaviors can be described by use case models, user stories or simply just descriptions with natural language as long as it is clear enough for you to understand its purpose without having to read through an entire specification document.
The design has both functional requirements and non-functional requirements. Functional requirements are often described by using use case models, user stories, or simply just descriptions with natural language. Functionality requirements are statements about what the system should do. Non-functional requirements can include properties such as performance or security policies.
Functional requirements are often described by using use case models, user stories, or simply just descriptions with natural language. Functionality requirements are statements about what the system should do. Non-functional requirements can include properties such as performance or security policies.
The design has both functional requirements and non-functional requirements. Functional requirements are often described by using use case models, user stories, or simply just descriptions with natural language
Conclusion
In this chapter, we have explored how to develop an architecture and design for a system. The discussion has focused on two key points: domain boundaries and the concept of behavior. First, we looked at how you can break down functionality into smaller pieces that are easier to understand and manage. Second, we discussed why it’s important not to lose sight of your security requirements when designing an architecture or badging up systems with badges!