Cloud Security Policy
This document describes operational rules imposed by CESNET on its cloud facilitites. It documents technical measures developed to achieve a reasonable level of operational security of the cloud service. The main goal of this document is to define measures and rules to limit security risks posed by cloud applications and users, and to provide feasible mechanisms to ease resolution of security incident that might happen in the cloud facilities.
The document was built with the existing EGI security policies in mind. Whenever applicable, we refer to existing policies to define the scope needed. For example, whenever 'image endorsement' is mentioned, we refer to the Security Policy for the Endorsement and Operation of Virtual Machine Images. Other policies policies, however, deal with "classic" sites, and the cloud technology presents some additional facts that are not taken into account. For instance, the cloud provider (site) cannot guarantee proper patch management of the systems (since the machines might not operated directly by the site people). We are aware of the new class of problems, though, and we realize the problems may lead to security incidents that may differ from what we face with classic grid sites. We expect some new policies will be formed. For example, from the user's point point we are missing a policy similar to the Policy on Grid Pilot Jobs, which would define e.g. the responsibilities of VM owners. As an interim step however, we decided to specify measures defined to facilitate efficient security operations and streamline the incident response and users' traceability to a level which is feasible in our cloud environment.
Security measures
Pre-runtime measures
Endorsed images
- endorsements for virtual machine images implemented
- directly, as cryptographically signed hashes
- indirectly, based on verbal agreements
- only virtual machine instances based on endorsed images are allowed to have public IP addresses
- modified and subsequently saved images are no longer considered to be endorsed by the original endorser
Trusted users
- trusted users defined as users with
- high-level identity verification
- explicit endorsement from other trusted users or site managers
- only trusted users have access to pools of public IP addresses
Restricted remote access to running virtual machines
- only the following combinations of access methods and authentication methods are allowed
- SSH with public key authentication
- SSH with GSS API authentication
- Encrypted RDP/VNC
- password-based remote authentication methods are not allowed (e.g. SSH with a plain password)
Automated pre-runtime compliance testing
- all virtual machine images and virtual machine instances based on said images must be tested for explicit compliance with the defined security profile (Cloud Security Policy)
- only compliant images and virtual machine instances based on said images can
- be published (made available to other users)
- be assigned public IP addresses
- be launched outside isolated private networks
Runtime measures
Networking insolation for L2
- running virtual machine instance will be isolated in a VLAN if
- image the instance is based on is not endorsed by a trusted user
- it does not belong to a trusted user
- it is running OS Windows
- its owner chooses to isolate it
Networking isolation for L3
- running virtual machine instance will be isolated using firewall if
- it has a public IP address
- its owner chooses to isolate it in a private network
IP logging
- every IP address given to a virtual machine instance will be tied to its owner for the duration of its lifetime (i.e. until shutdown)
- owner of the virtual machine instance is responsible for any illegal activity during its lifetime
Anti-spoofing rules for networking
- network addresses assigned to a virtual machine instance by the cloud platform are mandatory and cannot be changed by the owner at runtime
- anti-spoofing rules are enforced by the hypervisor or local network infrastructure
- an attempt to change the assigned network addresses will immediately cut off the virtual machine instance from any subsequent network communication
Automated runtime compliance testing
- all running virtual machine instances are periodically tested for compliance with the defined security profile (Cloud Security Policy)
- repeated or long-running non-compliance will result in an immediate forced shutdown of the given instance
Automated configuration changes in virtual machines
- all virtual machine images must support contextualization to the following extent
- boot-time injection of a public key for the root user (where applicable)
- boot-time change of the RDP/VNC credentials (where applicable)
Post-runtime measures
Extraction of virtual machine logs
- at the end of its lifetime (i.e. after shutdown), the contents of /var/log from the root file system of every virtual machine instance will be archived
Extraction of timestamps
- at the end of its lifetime (i.e. after shutdown), timestamps from the root file system of every virtual machine instance will be archived
Security Profile
TBD
Incident Response
- whenever possible follow general procedures stipulated by CESNET and EGI
- close cooperation with CESNET security teams