Previous article in series – IaaS: Hypervisor Security
Provisioning tools and VM templates are exposed to attacks that attempt to create new unauthorized VMs, or to patch a VM template so that every VM subsequently cloned from that template is infected.
These new categories of security threats result from the new, complex, and dynamic nature of the cloud virtual infrastructure, as follows:
Multitenancy: Different users within a cloud share the same applications and the same physical hardware to run their VMs. This sharing can enable information leakage and increases the attack surface and the risk of VM-to-VM or VM-to-hypervisor compromise.
Workload complexity: Server aggregation increases the amount of workload and network traffic that runs inside the cloud physical servers, which increases the complexity of managing the cloud workload.
Loss of control: Users are not aware of the location of their data and services, and the cloud providers running VMs are not aware of their contents.
Network topology: The cloud architecture is very dynamic, and the workload changes over time as VMs are created and removed. In addition, the mobility of VMs, which allows them to migrate from one server to another, means the network topology cannot be defined in advance.
Logical network segmentation: Within IaaS, isolation at the network level, alongside the isolation provided by the hypervisor, remains a fundamental requirement for reducing external sniffing, monitoring, and interception of communications and other information within the relevant segments.
No physical endpoints: Due to server and network virtualization, the number of physical endpoints (e.g., switches, servers, NICs) is reduced. These physical endpoints are traditionally used in defining, managing, and protecting IT assets.
Single point of access: Hosts have a limited number of NICs, which are shared by all the VMs running on them.
When assessing security configurations and connectivity models, VLANs, NAT, bridging, and segregation are viable options that keep the overall security posture strong while preserving flexibility and performance, unlike other mitigation controls that may degrade overall performance.
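As an added example that is not part of the original article, the following Python sketch shows a defender's response to the two provisioning threats named at the start of the page: unauthorized VM creation and tampered VM templates. A clone request is allowed only if the requester is approved and the template's digest matches a pinned manifest, and the same check is run over recorded provisioning events to surface clones that should never have happened. The manifest, requester list and events are constructed sample data.

```python
import hashlib

# Constructed sample data: "golden" template images and a pinned manifest of their
# SHA-256 digests (a real manifest would be signed and kept off the provisioning host).
GOLDEN_IMAGES: dict[str, bytes] = {
    "ubuntu-base": b"constructed ubuntu template image",
    "win-base": b"constructed windows template image",
}
PINNED_MANIFEST = {n: hashlib.sha256(img).hexdigest() for n, img in GOLDEN_IMAGES.items()}
APPROVED_REQUESTERS = {"svc-provisioner", "ops-team"}

def template_is_trusted(name: str, image: bytes, manifest: dict[str, str]) -> bool:
    """True only if the template is known and its digest matches the pinned manifest."""
    expected = manifest.get(name)
    return expected is not None and hashlib.sha256(image).hexdigest() == expected

def gate_clone(event: dict, manifest: dict[str, str], approved: set) -> str:
    """Requester must be approved and the template must pass integrity before cloning."""
    if event["requester"] not in approved:
        return "deny: unauthorized requester"
    if not template_is_trusted(event["template"], event["image"], manifest):
        return "deny: template tampered or unknown"
    return "allow"

def audit_provisioning(events: list, manifest: dict[str, str], approved: set) -> list[str]:
    """Apply the same checks to recorded provisioning events and return one
    finding per event that should not have been allowed."""
    findings = []
    for e in events:
        verdict = gate_clone(e, manifest, approved)
        if verdict != "allow":
            findings.append(f"{e['id']}: {verdict}")
    return findings

# Constructed events: a legitimate clone, a clone from a template whose bytes were
# modified after approval, and a request from an identity that is not approved.
SAMPLE_EVENTS = [
    {"id": "evt-1", "requester": "ops-team", "template": "ubuntu-base",
     "image": GOLDEN_IMAGES["ubuntu-base"]},
    {"id": "evt-2", "requester": "svc-provisioner", "template": "win-base",
     "image": GOLDEN_IMAGES["win-base"] + b" + injected payload"},
    {"id": "evt-3", "requester": "unknown-account", "template": "ubuntu-base",
     "image": GOLDEN_IMAGES["ubuntu-base"]},
]

if __name__ == "__main__":
    print(audit_provisioning(SAMPLE_EVENTS, PINNED_MANIFEST, APPROVED_REQUESTERS))
```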
Next article in series – Security Considerations for PaaS