Professional Documents
Culture Documents
Multitenancy - Security Risks and Countermeasures
Multitenancy - Security Risks and Countermeasures
net/publication/261342160
CITATIONS READS
19 10,158
3 authors, including:
Some of the authors of this publication are also working on these related projects:
Improving simulation based healthcare education through human actors and wearable technology View project
All content following this page was uploaded by Wayne Brown on 23 January 2018.
Athabasca University
Athabasca, Canada
Abstract— Security within the cloud is of paramount that one family may have access to another families space
importance as the interest and indeed utilization of cloud or information. Wood and Anderson describe multitenancy
computing increase. Multitenancy in particular introduces as the ability to run multiple customers on a single software
unique security risks to cloud computing as a result of more instance installed on multiple servers [1]. In the
than one tenant utilizing the same physical computer hardware.
multitenancy model, many users data and resources are
The purpose of this paper is to explore the specific risks in cloud
computing due to Multitenancy and the measures that can be located in the same computing cloud, and are controlled
taken to mitigate those risks. and distinguished through the use of tagging for the unique
identification of resources owned by individual user [1]. In
a typical multitenancy situation, the users are the tenants
Keywords: Multitenancy, Cloud Computing, Cloud Security.
and are provided with a level of control in order to
customize and tailor software and hardware to fit their
specific needs [1].
INTRODUCTION
MULTITENANCY SECURITY THREATS
Availability forms the third “pillar” of the so-called CIA MTA Cloud service offerings provide fundamental data
security pyramid, with Confidentiality and Integrity security and protection through strong encryption protocols,
forming the other two. MTA environments may pose with each tenant owning the encryption keys and in some
availability risks to some tenants, based on the activities of cases managing the creation, storage and destruction of
other tenants on the same infrastructure and platforms. their own keys.
For instance, there is risk to availability through lack of
concerted, global workload optimization, particularly for However, most CSPs suffer from a lack of “security by
batch processing (described below) and particularly within diversity”. In MTAs, the data of several (or potentially all)
SaaS CSPs. MTA clients is encrypted with the same encryption
Most Cloud workload management is based on algorithm, either AES, Blowfish, or any other industrial-
optimizing tenant resource allocations for interactive dialog strength encryption suite. However, a risk exists in that if
systems – e.g. online e-Business, social media, and time- the encryption protocol is compromised, or the cipher suite
sensitive human interaction. However, workload is actually “broken”, then the compromise of one tenant’s
optimization and resource allocation for batch-based encryption potentially enables or eases compromise of
systems is fundamentally different. Batch-based computing others [1].
typically involves single-threaded applications, Two possible countermeasure have been proposed by
asynchronous processing, serial execution of job steps, and Wood and Anderson [1]:
high rates of I/O to large sequentially organized datasets
[7]. This introduces a risk, exposed by SaaS offerings that Predicate Encryption - each master key owner
use a single application server instance to service multiple has more fine-grained control over who gets
tenants. The potential therefore exists for one tenant to grab access to encrypted data. This allows segments of
more than their allocated share of computing resources, for
a data store to be encrypted and decrypted, so that To address the need to reconcile multiple RBAC
individuals may only have access to their hierarchies within a Cloud, Tsai and Shao [6] propose an
particular segments. Compromise of an individual “ontology-based” access control mechanism for
segment does not necessarily mean that all other determining user entitlements and extend RBAC to MTA.
segments are in jeopardy. In this approach, role hierarchies are reduced to
“ontologies” or distilled role properties, which are assigned
Homomorphic Encryption – this is a mechanism to standard templates. In a given security domain, where
by which cipher text can be processed, without the multiple ontologies exist and must be enforced, the
need to decrypt data prior to processing. This templates determine similarities and differences between
eliminates or reduces the opportunity for a different ontologies at run-time. A resultant set of
malicious party to intercept decrypted data during permissions, inherited from multiple roles, can then be
processing. applied to a security principle (end user) at time of access.
This countermeasure, extended to MTA, can apply
Logical Authentication and Access Controls permissions to a role instead of a tenant, or an individual
role in multiple sessions with multiple tenants in an MTA.
Authentication and authorization form the basis for This is important where an agent, acting on behalf of the
application security. The security disciplines related to CSP, must execute a security function or audit process
enterprise identity management (authentication) and access across multiple tenants in the MTA.
management (authorization) are very mature in
conventional datacenter environments. Identity and Access Management
This rigor, however, is not always easily translated to
multi-tenant Cloud service offerings. Wood and Anderson Multitenant Cloud service offerings have a greater need
[1], supported by Tsai and Shao [6] demonstrate that so- for all the services of an integrated Identity and Access
called “virtual teams”, consisting of individuals from Management solution - single-sign-on, RBAC and
multiple geographies, cultures and backgrounds, are most delegation – every cloud implementation should include a
likely to use and support MTA Cloud solutions, and complete IAM solution [1]. IAM enables persistent
experience more frequent turnover and volatile membership authorization for customers in terms of their identity and
than conventional corporate teams. entitlement across multiple clouds.
The fundamental difficulty in access management is that There are significant challenges to applying standard
of 1). controlling many different data and application IAM standards and specifications to Cloud computing.
resources; 2). provisioning fine-grained access to those Mather et al [9] advocate the approach of “federating”
resources; and 3). designing an access control mechanism IAM solutions across multiple clouds, or across tenants in
employing a large number of authorization rules, across an MTA.
conflicting policy domains, for large numbers of users.[2] Federated Authentication - While standards are
These are precisely the environments serviced by large, generally weak and in development, some (for instance,
multi-tenant Cloud service providers. Open Authentication (OAuth and OpenID) have the ability
The most common countermeasure for this type of to extend consumer-based SSO to enterprise.[4] Users of
complexity risk is Role-Based Access Control [6]. RBAC social networking sites like Facebook are familiar with
involves two phases in assigning a privilege to a user: supplying their Facebook credentials to other websites (like
message boards, blogs, and third-party services like Twitter
phase 1 – a user is assigned to one or a small and LinkedIn) in order to establish user privileges. Similar
number of roles: solutions for enterprise systems offer a similar passport-like
phase 2 – privileges (i.e. access to resources) are experience to the end user, whereby their global credentials
assigned to roles, not users are recognized by services elsewhere in the Cloud.
Through RBAC, users acquire and accumulate Federated access management – under this model,
permissions by their membership in roles, which can be CSP’s delegate authentication to a third party through
dynamically assigned, re-assigned and revoked without Identity Management-as-a-Service (IDaaS) providers. This
changing the underlying permissions. In most cases, the can greatly simplify access management for MTA Cloud
total number of roles is typically much smaller than the service offerings. Federated access management relies on
total number of users. This tends to reduce complexity for security policy composition across multiple CSP’s (similar
access control within typical large enterprises. to service composition in SOA). This contributes to
Multi-tenant Cloud service offerings encounter this building a “global metapolicy” integrating the policies of
complexity at an even higher level. The complexity stems individual clouds. Amutairi et al [9] foresees this policy
from multiple role-based access mechanisms, or composition eventually resulting in a Virtual global
hierarchies, applying to the same user, or to the same directory service (VGDS) and a Virtual Resource Manager
resource. These hierarchies are potentially in conflict with (VRM) controlling distributed Access Control Modules
one another. (ACM) in different clouds, or on behalf of tenants in an
MTA.
to create learning contents with the sensitivities. The 5R
adaptation framework [1] is adopted the system adaptation
CONCLUSION mechanism, which allows the mobile learning system to be
By increasing awareness of privacy risks in using cloud able to provide right contents to right learner through right
Systems, users will be provided with a better insight into device at right location and right time. Based on the 5R
the environment they are considering using to store their Adaptation framework, this paper presents a learning
personal and sensitive data before making final decision content generation platform for adaptive mobile learning.
in regarding to what service to use. [1] However, Section 2 discusses the 5R adaptation framework and its
before Cloud Computing can be considered for significance. The learning content generation platform is
widespread adoption as a tool to support those working discussed in section 3. Section 4 discusses the next steps
remotely there are a number of issues that must be and future research to be taken.The 5r adaptive
considered and addressed. Principally amongst frameworkConceptThe 5R Adaptive framework [1] is
these are the implementation of privacy and security in described as learning at the right location, using the right
the cloud to support multiple users. This becomes a device, at the right time by the right learner and having the
significant issue when CSPs adopt a multitenancy right contents. The 5R framework creates the platform for
environment for the implementation of their clouds. [1] an adaptive location based mobile learning. The location of
CSP can be self-interested, untrustworthy and the learner, device being used, the time learning is to take
possibly malicious. They might hide the truth of their errors place and learner’s learning profile, style, and progress are
to escape the punishment or degrade the service level to all brought together when choosing the right learning
reduce cost. [4] From this perspective, cloud computing content to deliver to the learner. SignificanceIncorporating
should have the capability to compartmentalize the 5R’s – location, learner, time, contents, and device
each customer and CSP and support security duty produces the right learning contents that are available at the
separation. [10] his growth in mobile technology right location and right time, as well as for the right learner
development has lowered the prices for mobile devices based on learner’s learning profile, style, and progression,
allowing them to be available to majority of people [3]. and the type of device he/she is using. The 5R adaptation
Mobile computing devices have become ubiquitous. framework enables the learning management system to
Current technologies have allowed for the access of provide adaptive and personalized content for mobile
information via wireless media such as mobile computing learners.SystemIn this paper, we present the learning
devices and mobile smart phones. One no longer needs to content creation platform that allows the learning content
be connected by wire to access the Internet for information. developers, such as instructors, to create the location-based
Information can be accessed anytime and anywhere. This learning contents with the 5R sensitivities. The platform
growth in the use of mobile computing devices has helped ensures that learning contents developed are a result of the
to gain the research interests in the areas of mobile learning combination of the 5R input ontology [1]. The inputs of the
technologies and applications. It has also opened the way platform and their metadata relationships are described
for more research on mobile learning theory and pedagogy based on the 5R ontology shown in figure 1 below:
[4].Mobile Learning helps complements traditional
classroom learning by shifting the learning process more to
the student and creating a learner-centered environment [7].
This type of learning environment encourages independent
learning among students as well as gives students the
opportunity to build onto what they have learned in the
classroom. Mobile learning can takes place anytime and
anywhere not only when the learner is at a fixed location
[2]. It providers a unique opportunity for integrating real
world objects into learning contents, which makes it
possible to provide location-aware and context-aware
contents to learners. To implement the location-based
adaptive mobile learning, the learning system has to be able
to provide the adaptive learning contents based on the
learner’s current location as well as other information, such
as learner’s profile. Mobile devices’ location awareness and
the capability of interacting with environment can be used
to sense or identify the learners’ current physical location.
On the other hand, the learning management system has to
have the learning contents with the sensitivities to be
retrieved through the adaptation mechanism. In this paper,
we present an adaptive learning content generation platform
that serves for the content developers, instructors and others
Administration
Backend
Database
User Registration
5R Adaptive
Learning
Management
System
Content Creation
Platform
Presentation
Layer
Web/mobile
Applications
(Mobile Virtual User
Campus)
Object_For_Content
FK2 Content_ID
FK1 Object_ID
Course_Level
Learning_Object FK3 Material_ID Learning_Materials
Location_Range
PK Object_ID PK Material_ID
Object_Name Material_Name
Object_Pic Material_Content
Object_Description Material_Type
Latitude FK1 Device
Learning_Content
Longitude Device_Features
Altitude PK Content_ID Content_Description
FK1 Locate_By Instructions
Locate_By_Text FK1 Major Assignments
Start_Time Content_Name
End_Time FK3 Course
Days Keywords
Position_By
PK Position_By
Position_Type
Major Device
PK Major_ID PK Device_ID
Major_Name Manufacturer
Platform
Course
Device_Features
PK Course_ID
Major_ID
Course_Name Fetaure
Description
Summary
Risk Counter-Measure Lack of “security by diversity”. In Predicate Encryption -
MTAs, the data of several clients
Data isolation Data management protocols is encrypted with the same Homomorphic Encryption
encryption algorithm,
Interference between tenants 1 Platform attestation,
because of tenant workloads. 2 Vigilance on the part of the CSP, Access management - designing an Role-Based Access Control
in maintaining, patching and access control mechanism
upgrading their hypervisor employing a large number of
software authorization rules, across
3 Four-step workload planning conflicting policy domains, for
approach: large numbers of users.
e. Initial Performance
Evaluation