System-Centric Security Countermeasures
We provide an overview of existing countermeasures that focus on one or more threats, and address gaps and challenges in Appendix A.3 of document D4.3. This section presents the status of cybersecurity solutions, connecting them to the identified threats and gaps. We discuss classes of countermeasures, each describing the most relevant solutions to date.
- C3.1 – Firewalls. Firewalls running in a virtualized environment can provide packet filtering and service monitoring, and can execute in hypervisor and bridge modes. Hypervisor firewalls protect VMs by monitoring VM activities and sifting malicious from good traffic. To enable these firewalls, the physical host hypervisor kernel has to be modified to allow the firewalls to access VM information and virtualized network interfaces. That way, a hypervisor firewall can run without being in contact with the virtual network. Furthermore, perimeter and internal firewalls should be used for controlling both private and public network traffic within and outside the cloud systems, as well as for detecting possible anomalies. Lastly, firewalls should be used for separating groups of VMs from production and development hosted groups.
Threats: T3.4.3 – Malicious code/software/activity, T3.4.7 – Code execution and injection (unsecured APIs), T3.4.8 – Generation and use of rogue certificates
Gaps: G3.12 – Gaps on insider threat, G3.18 – Gaps on malware exposure, G3.23 – Gaps on remote network controls
- C3.2 – Encryption and key management. Cryptography is one of the most essential means of mitigating security issues in virtualized environments. Organizations should define policies on the use of encryption and on controls for cryptographic authentication and integrity, including digital signatures and key management. There are three distinct phases for protecting data in virtual environments, namely encryption of data at rest (protecting data from illegal acquisition and from a malicious CSP), encryption of data in transit (encrypting confidential information during internet transmission), and encryption of data on backup media (protection against misuse of stolen data). VPNs should be used to secure communication between distributed systems, since they feature cryptographic tunneling protocols which enable confidentiality and authentication.
Threats: T3.2.1 – Interception of information, T3.2.2 – Unauthorized acquisition of information (data breach), T3.4.1 – Identity fraud
Gaps: G3.1 – Gaps on the use of cryptography, G3.2 – Gaps on data control, G3.11 – Gaps on insufficient identity, credential, access, and key management
- C3.3 – Virtual trusted platform module (vTPM) and trusted virtual domains (TVDs). A virtual Trusted Platform Module (vTPM) is linked to physical trusted platform modules (TPMs) through a certificate chain and is located in a specific hypervisor layer. An instance of vTPM that emulates TPM functionality for extending the chain of trust to vTPM is created for each distinct VM, where it can be invoked by a hypervisor. In the case of multitenant virtualized cloud environments, the physical TPM is virtualized so it can be used by multiple VMs on a single platform. Trusted virtual domains (TVDs) are formed by clustering the related VMs on the physical machine into a platform that uses a unified security policy defined by the administrator. Malicious VMs are blocked from joining TVDs and affecting VMs of trusted users through policy requirements. Each VM on a TVD has a unique identifier, which serves for identifying the VMs assigned to specific end-users and enabling VMs to run on a TVD which follows predefined security guidelines and policies.
Threats: T3.2.1 – Interception of information, T3.2.2 – Unauthorized acquisition of information (data breach), T3.4.3 – Malicious code/software/activity, T3.4.4 – Generation and use of rogue certificates, T3.6.2 – Malicious insider
Gaps: G3.1 – Gaps on the use of cryptography, G3.2 – Gaps on data control, G3.3 – Gaps on multi-tenancy, isolation, and resource management
- C3.4 – Enforcing access control mechanisms (ACMs). Access control management (ACM) mechanisms for users, applications, and systems are essential for mitigating the issue of authorization abuse, as well as for ensuring the integrity and confidentiality of resources. In virtual cloud environments, ACMs operate according to predefined security policies by restricting or limiting access to systems or processes. In VM image libraries, along with strong ACMs, each image should also use a digital signature. For the hybrid cloud, organizations should implement granular access control and utilize two distinct authentication zones (for internal and external systems) to mitigate the risks caused by compatibility issues of using both private and public clouds at the same time. Some of the most popular ACM solutions include Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and more recently Ciphertext-Policy Attribute-Based Encryption (CP-ABE).
Threats: T3.2.1 – Interception of information, T3.2.2 – Unauthorized acquisition of information (data breach), T3.4.1 – Identity fraud, T3.6.2 – Malicious insider
Gaps: G3.1 – Gaps on the use of cryptography, G3.2 – Gaps on data control, G3.16 – Gaps on account hijacking due to the inadequate authentication
- C3.5 – Maintaining proper configuration of virtualized and cloud environments. Each component in a virtualized environment has a specific configuration. Due to the ease of cloning and copying VMs’ images, mitigation of all potential configuration risks is crucial. Hence, the configurations should be periodically assessed to maintain the trusted state of the virtual environment. Every configuration change should be documented adequately. Moreover, there are specialized tools, including CloudSploit and Dome9, that can be used for identifying configuration security issues. To ensure environmental stability and thwart potential threats, proper configuration audit and control should be established according to the defined standards. ISACA recommends regular policy and control evaluations, and check-ups of synchronization, services, and file sharing configuration. Furthermore, a configuration management database (CMDB) should be maintained, and information regarding suspended VMs’ images and physical-to-virtual mapping should be properly recorded.
Threats: T3.3.1 – Configuration poisoning, T3.4.2 – Denial of service
Gaps: G3.9 – Gaps on misconfiguration and inadequate change of control, G3.12 – Gaps on insider threat, G3.23 – Gaps on remote network controls, G3.24 – Gaps on the configuration of cloud storage
- C3.6 – Isolating guest operating systems. Since guest OSs and their corresponding virtual machines are the main building blocks of the virtualized environment, they have to be isolated and partitioned to mitigate the potential propagation of an infection across control boundaries. On top of that, virtual machines of guest OSs should be properly hardened, and security controls should be layered. Guest OSs should be updated promptly, and each guest OS should use different authorization credentials. If one guest OS is compromised, all remaining guest OSs using the same hardware have to be assumed to be compromised. Guest OSs should also be examined regularly for a potential compromise.
Threats: T3.3.2 – Business process poisoning
Gaps: G3.3 – Gaps on multi-tenancy, isolation, and resource management, G3.19 – Gaps on race conditions
- C3.7 – Monitoring and maintaining hypervisor/VMM activities. As a single point of failure in the hypervisor can affect the entire virtualized environment, it is essential to secure it properly. The hypervisor should always be kept updated with the latest patch releases, either automatically or through centralized patch management. Administrative access to the management interface of the hypervisor should be restricted, and the virtualized infrastructure should be kept synced to a trusted authoritative time server. To maintain required security measurements, self-integrity and introspection monitoring capabilities can be used for monitoring the activities of guest OSs and of the hypervisor itself. Lastly, services that could open the door to possible attacks, such as clipboard and file-sharing services, should be disabled, while unused hardware should be disconnected.
Threats: T3.4.2 – Denial of service, T3.4.3 – Malicious code/software/activity, T3.4.4 – Generation and use of rogue certificates, T3.4.7 – Code execution and injection (unsecured APIs), T3.6.2 – Malicious insider
Gaps: G3.5 – Gaps on security assurance and Service Level Agreements (SLAs), G3.6 – Gaps on forensics, G3.8 – Lack of visibility/control, G3.12 – Gaps on insider threat, G3.18 – Gaps on malware exposure, G3.20 – Gaps on logistic challenges to the ever-increasing cloud usage
- C3.8 – Making systems secure by default. Every system should provide minimum security requirements through the deployment and configuration of a minimum set of security controls, which should be logged and audited. That way, previous actions or sequences of actions can be traced back. Moreover, defining security dependencies and trust boundaries between different components is an essential step in virtual networks, so they should be clearly defined. New security protocols should strictly follow predefined definitions of security objectives, impact evaluation, and backward compatibility.
Threats: T3.1.2 – Inadequate design and planning or incorrect adaptation, T3.4.3 – Malicious code/software/activity, T3.4.5 – Misuse of assurance tools, T3.4.6 – Failures of the business process
Gaps: G3.14 – Gaps on abuse and nefarious use of cloud services, G3.15 – Gaps on insecure interfaces and APIs, G3.21 – Gaps on endpoint controls, G3.20 – Gaps on logistic challenges to the ever-increasing cloud usage
- C3.9 – Raising security awareness. One of the most important security measures for ensuring the success and growth of cloud and virtualization platforms is raising security awareness among organizations and end-users. It involves educating end-users (employees) on the potential cybersecurity vulnerabilities and threats and instilling in them the best practices and procedures available. Besides preventing possible security breaches and related financial losses, an organization with security-aware employees can gain reputational benefits, which could help it win more customers and thus increase its profit. Therefore, security awareness campaigns and proper training are of utmost importance for both end-users and organizations.
Threats: T3.1.1 – Information leakage/sharing due to human errors, T3.1.2 – Inadequate design and planning or incorrect adaptation, T3.4.6 – Failures of the business process, T3.4.8 – Phishing – COVID19, T3.6.1 – Skill shortage, T3.6.3 – The lack of awareness – COVID19, T3.6.4 – Personal cloud service adoption – COVID19, T3.6.5 – Cloud sprawl – COVID19
Gaps: G3.4 – Gaps on roles and human resources, G3.6 – Gaps on forensics, G3.10 – Gaps on lack of cloud security architecture and strategy, G3.22 – Gaps on Cloud user awareness
- C3.10 – Enforcing regulations. More regulations are necessary for ensuring that manufacturers and vendors prioritize security and provide guidelines on the use of the cloud, thus providing the necessary level of transparency to organizations and end-users. Programs and policies such as the CSA's Security, Trust and Assurance Registry (STAR) program and the EU General Data Protection Regulation (GDPR) should be enacted at the global level. The STAR program, which is globally used by customers, providers, industries, and governments, provides different assurance requirements and maturity levels of providers and end-users, while the GDPR introduced a mandatory notification scheme which compels data controllers to report data breaches promptly. Moreover, it ensures that data controllers react to data breaches according to the provided guidelines.
Threats: T3.4.5 – Misuse of assurance tools, T3.5.1 – Violation of laws or regulations, T3.6.5 – Cloud sprawl – COVID19
Gaps: G3.5 – Gaps on security assurance and Service Level Agreements (SLAs), G3.7 – Gaps on standards/regulations, G3.10 – Gaps on lack of cloud security architecture and strategy
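The periodic configuration assessment described in C3.5 can be sketched as a comparison of what is observed on the hosts against what the CMDB records. This is an added example, not part of the deliverable; the record layout, VM ids, host names and settings are constructed assumptions.

```python
import hashlib
import json

def config_digest(config: dict) -> str:
    """Stable SHA-256 over a VM configuration (key order does not matter)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def audit(cmdb: dict, observed: list) -> list:
    """Compare observed VMs with CMDB records; return sorted (vm_id, finding) pairs."""
    findings, seen = [], set()
    for vm in observed:
        vm_id = vm["vm_id"]
        seen.add(vm_id)
        record = cmdb.get(vm_id)
        if record is None:
            # Not in the CMDB: report whether it is a copy of a recorded image.
            src = sorted(k for k, r in cmdb.items() if r["image_sha256"] == vm["image_sha256"])
            findings.append((vm_id, f"unrecorded clone of {src[0]}" if src else "unrecorded VM"))
            continue
        if vm["host"] != record["host"]:
            findings.append((vm_id, "physical-to-virtual mapping differs from CMDB"))
        if config_digest(vm["config"]) != record["config_sha256"]:
            findings.append((vm_id, "undocumented configuration change"))
        if record["state"] == "suspended" and vm["state"] == "running":
            findings.append((vm_id, "suspended image resumed without record"))
    for vm_id in cmdb.keys() - seen:
        findings.append((vm_id, "recorded VM not found"))
    return sorted(findings)

# Constructed sample data (hypothetical VM ids, hosts and settings).
BASE = {"clipboard_sharing": False, "file_sharing": False, "vcpus": 2}
IMG_A, IMG_B = "a" * 64, "b" * 64  # placeholder image digests
CMDB = {
    "vm-web-01": {"host": "hv-01", "state": "running", "image_sha256": IMG_A, "config_sha256": config_digest(BASE)},
    "vm-db-01": {"host": "hv-02", "state": "suspended", "image_sha256": IMG_B, "config_sha256": config_digest(BASE)},
}
OBSERVED = [
    {"vm_id": "vm-web-01", "host": "hv-01", "state": "running", "image_sha256": IMG_A,
     "config": {**BASE, "clipboard_sharing": True}},
    {"vm_id": "vm-db-01", "host": "hv-03", "state": "running", "image_sha256": IMG_B, "config": BASE},
    {"vm_id": "vm-web-01-copy", "host": "hv-01", "state": "running", "image_sha256": IMG_A, "config": BASE},
]

if __name__ == "__main__":
    for vm_id, finding in audit(CMDB, OBSERVED):
        print(f"{vm_id}: {finding}")
```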
Highlights on Identified Countermeasures
Once enabled, hypervisor firewalls can protect VMs by monitoring their activities and separating good from malicious traffic, while internal firewalls can control both public and private network traffic within and outside the cloud. Protecting data in a virtual environment is performed in three phases, namely encryption of data at rest, encryption of data in transit, and encryption of data on backup media. TVDs are formed by grouping the related VMs on the physical machine into a platform that uses a unified security policy defined by the administrator while blocking compromised VMs. In the hybrid cloud, granular access control, as well as separate authentication for internal and external systems, can be used for mitigating the compatibility issues of private and public clouds. To prevent cloning and copying of VMs’ images and to sustain the trusted mode, it is necessary to periodically assess configurations. Both VMs and guest OSs have to be properly hardened and monitored regularly to mitigate the potential spread of infection. Moreover, self-integrity and introspection monitoring capabilities can be used to monitor and maintain required security actions of hypervisors and guest OSs. Lastly, every system should be designed in a way that provides minimum security requirements through the deployment and configuration of recorded security controls.
 S. Brohi, M. Bamiah, M. Brohi and R. Kamran, “Identifying and Analyzing Security Threats to Virtualized Cloud Computing Infrastructures,” Proceedings of International of Cloud Computing, Technologies, Applications & Management, pp. 151-155, 2012.
 A. F. S. Althobaiti, “Analyzing security threats to virtual machines monitor in cloud computing environment,” Journal of Information Security, vol. 8, no. 01, p. 1, 2017.
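The containment rule from C3.6 (guests sharing hardware with a compromised guest are assumed compromised) can be turned into an incident-scoping check over the physical-to-virtual mapping. This is an added example, not part of the deliverable; guest and host names are constructed, and treating a reused credential as a further link between guests is this example's own conservative assumption.

```python
from collections import deque

def reused_credentials(credentials: dict) -> dict:
    """Credential id -> sorted guests, for credentials used by more than one guest."""
    by_cred = {}
    for guest, cred in credentials.items():
        by_cred.setdefault(cred, []).append(guest)
    return {c: sorted(g) for c, g in by_cred.items() if len(g) > 1}

def assumed_compromised(placement: dict, credentials: dict, first: str) -> set:
    """Guests to treat as compromised once `first` is.

    placement: guest -> physical host; credentials: guest -> credential id.
    Links followed: same hardware (rule stated in C3.6) and same credential
    (assumption of this example, reflecting the "different credentials" advice).
    """
    by_host, by_cred = {}, {}
    for guest, host in placement.items():
        by_host.setdefault(host, set()).add(guest)
    for guest, cred in credentials.items():
        by_cred.setdefault(cred, set()).add(guest)
    scope, queue = {first}, deque([first])
    while queue:
        guest = queue.popleft()
        linked = by_host.get(placement.get(guest), set()) | by_cred.get(credentials.get(guest), set())
        for other in linked - scope:
            scope.add(other)
            queue.append(other)
    return scope

# Constructed sample inventory (hypothetical names).
PLACEMENT = {"guest-a": "hv-01", "guest-b": "hv-01", "guest-c": "hv-02",
             "guest-d": "hv-02", "guest-e": "hv-03"}
CREDENTIALS = {"guest-a": "cred-1", "guest-b": "cred-2", "guest-c": "cred-2",
               "guest-d": "cred-4", "guest-e": "cred-5"}

if __name__ == "__main__":
    print("reused:", reused_credentials(CREDENTIALS))
    print("scope:", sorted(assumed_compromised(PLACEMENT, CREDENTIALS, "guest-a")))
```

In the sample inventory, the credential shared by guest-b and guest-c carries the scope from hv-01 to every guest on hv-02; with a distinct credential per guest it stays on hv-01.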
 IOT SECURITY: UNDERSTANDING THE DANGERS AND MITIGATING THREATS, https://www.analyticsinsight.net/iot-security-understanding-the-dangers-and-mitigating-threats/
 ISO 27001 suggests the use of cryptography to deal with unintentional leakages and prevent unauthorized access to sensitive data and systems. However, encryption key management is challenging. Also according to NIST publications, the security for cryptographic keys adds an additional complexity, due to more consumer-provider relationships and the variety of infrastructures “on which both the key management system and protected resources are located”.
 A. Iqbal, C. Pattinson and A.-L. Kor, “Performance Monitoring of Virtual Machines (VMs) of Type I and II hypervisors with SNMPv3.,” World Congress on Sustainable Technologies (WCST), pp. 98-99, 2015.
 See http://www.nist.gov
 See https://cloudsecurityalliance.org
 D. Ferraiolo, J. Cugini and D. R. Kuhn, “Role-based access control (RBAC): Features and motivations,” in Proceedings of 11th annual computer security application conference, 1995, pp. 241-48.
 J. Bethencourt, A. Sahai and B. Waters, “Ciphertext-policy attribute-based encryption,” in 2007 IEEE symposium on security and privacy (SP’07), IEEE, 2007, pp. 321-334.
 Security aspects of virtualization, https://www.enisa.europa.eu/publications/security-aspects-of-virtualization
 See http://www.isaca.org/
 Security Assurance in Cloud Adoption, https://www.capgemini.com/wp-content/uploads/2017/07/security_assurance_in_cloud_adoption.pdf
 Chapin, M., et al; Implication of the General Data Protection Regulation, March 2018, https://www.aacrao.org/docs/default-source/signature-initiative-docs/gdpr/gdpr_discussiondraft_03272018_v2.pdf?sfvrsn=4556dd66_0
 Bird & Bird, “Personal data Breaches and Notification,” https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/42–guide-to-the-gdpr–personal-data-breaches-and-notification.pdf?la=en