Operations & Management Area Working                       S. Karavettil
Group                                                ASTA Ventures, Inc.
Internet-Draft                                             B. Khasnabish
Intended status: Standards Track                           ZTE USA, Inc.
Expires: June 29, 2013                                             N. So
                                                     Tata Communications
                                                                 W. Dong
                                                Tektronix Communications
                                                       December 26, 2012

        Security Framework for Virtualized Data Center Services

Abstract

   This document discusses the requirements and technology gaps related
   to security in the virtualized data center services (VDCS).  The
   objective is to ensure end-to-end security for various types of
   carrier services built on virtualized infrastructure.  The issues
   covered in this draft are focused on confidentiality and integrity of
   the services in the virtualized environment; including but not
   limited to infrastructure (IaaS), platform (PaaS), and application
   (SaaS) services.  This draft also takes into account transient nature
   of identity, resources and connectivity in the virtualized

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 29, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Karavettil, et al.        Expires June 29, 2013                 [Page 1]

Internet-Draft     Karavettil VDCS Security Framework      December 2012

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Terminology and Abbreviation . . . . . . . . . . . . . . . . .  5
   3.  Problem Statement and Examples . . . . . . . . . . . . . . . .  6
     3.1.  Virtualized Carrier Services Users . . . . . . . . . . . .  6
     3.2.  Data, Information and Knowledge Base Security Problem  . .  6
     3.3.  Lack of mandatory Application Security in Protocol . . . .  8
   4.  Other Gaps in Existing Implementations & New Requirements  . . 10
     4.1.  Systems Security Gaps & New Requirements . . . . . . . . . 10
     4.2.  Network Security Gaps & New Requirements . . . . . . . . . 10
     4.3.  Mobile Security Gaps & New Requirements  . . . . . . . . . 11
     4.4.  Physical Security Gaps & New Requirements  . . . . . . . . 12
     4.5.  Operations & Management Security Gaps & New
           Requirements . . . . . . . . . . . . . . . . . . . . . . . 12
     4.6.  Other New Requirements . . . . . . . . . . . . . . . . . . 13
   5.  Work Item for Consideration  . . . . . . . . . . . . . . . . . 15
     5.1.  Applications & Services  . . . . . . . . . . . . . . . . . 15
     5.2.  Infrastructure Operations & Management . . . . . . . . . . 15
   6.  Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . 16
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 17
   8.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 18
   9.  Acknowledgement  . . . . . . . . . . . . . . . . . . . . . . . 19
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 20
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22

1.  Introduction

   The VDCS Security Framework is a reference framework for building
   secure and interoperable services on top of a virtualized
   infrastructure.  Today the infrastructure equipment (servers and
   network devices), the operational management software (hypervisors
   and provisioning/monitoring applications) and the software-as-a-
   service offerings are largely proprietary, which causes service
   interoperability problems and leaves security gaps.

   Developing protocol standards for virtualized services and the
   supporting infrastructure is an integral part of end-to-end security
   assurance.  This draft proposes a security framework and the
   associated requirements for protocols, profiles, network interfaces,
   operations and management, and application programming interfaces
   (APIs) in an environment where virtualized resources are shared
   among a variety of public and private subscribers/clients.

   It describes current applications and services that use existing
   protocols (e.g., HTTP) and need additional security measures in a
   multi-tenant virtualized environment.  Similarly, it identifies gaps
   in the security of the inter-working protocols (e.g., inter-domain
   BGP, MPLS) used among virtualized network infrastructure resources.

   These help to design, develop and provide secure, interoperable and
   on-demand integrated self-service applications and services for
   users from various vendors.  This also helps to reduce human
   intervention in provisioning and management of resources in a more
   standardized

2.  Terminology and Abbreviation

   o  CSA: Cloud Security Alliance

   o  CSF: Cloud Security Framework

   o  CSP: Cloud Service Provider

   o  CSRF: Cross-Site Request Forgery

   o  DCOPS: Data Center Operations

   o  DPI: Deep Packet Inspection

   o  ETSI: European Telecommunications Standards Institute

   o  GRC: Governance, Risk & Compliance

   o  HIPAA: Health Insurance Portability and Accountability Act

   o  LDAP: Lightweight Directory Access Protocol

   o  SQL: Structured Query Language

   o  OWASP: Open Web Application Security Project

   o  PCI: Payment Card Industry

   o  SDO: Standards Development Organizations

   o  SOX: Sarbanes Oxley

   o  VDCS: Virtualized Data Center Services

   o  VDI: Virtual Desktop Infrastructure

   o  VM: Virtual Machine

   o  VPN: Virtual Private Network

   o  XSS: Cross-Site Scripting

3.  Problem Statement and Examples

   The applications in virtualized carrier infrastructure often follow
   the Client-Server model.  The Server is typically a Virtual Machine
   (VM) hosting various applications while performing the computing and
   storage functions on top of generic server hardware.  The client is a
   remote machine connecting to the VM via virtual connection(s).

   In this case, security means protecting the information (data and
   content) in an on demand self service multi-tenant virtualized
   infrastructure and communication between the client and virtual host
   from unauthorized access, use, disclosure, disruption, modification,
   perusal, inspection, recording or destruction.

3.1.  Virtualized Carrier Services Users

   Security impacts all service users.  User identity security and
   verification needs to occur in a synchronized fashion along the
   service path end-to-end.  Understanding who the users are is the
   critical first step in understanding the security landscape.  Here is
   the list of the users that the security framework has to consider.

   o  Consumers

      *  Internet Application Services Users (Internet consumers across
         various internet applications)

      *  Enterprise Users (across various Organizations of Enterprise)

      *  Regulation & Compliance Auditors

      *  Investigators & Forensic Experts

   o  Publishers

      *  Developers

      *  System Administrators, Network Administrators

      *  Management Users

3.2.  Data, Information and Knowledge Base Security Problem

   Data, information, and knowledge represent three levels of
   abstraction.  Data on its own carries no meaning.  For data to become
   information, it must be interpreted and take on a meaning.  When that
   information is interpreted and used practically to fulfill a purpose,
   it becomes knowledge.

   The types of data include:

   o  Live

      *  Web Application Form Data (Structured)

      *  Audio

      *  Video

   o  Archive

      *  Database Data Structures

      *  Files

         +  Data - PDF, DOC, Excel, etc

         +  Voice archive

         +  Video Archive

      *  Emails, Logs (unstructured)

   Information security has to be developed to manage the lifecycle of
   data, including data security while in use, in motion or at rest
   within a virtualized infrastructure environment.

   o  Data/content/media (e.g. videos) authenticity

      *  Association and identification of data to its owner (user,
         enterprise consumer, service provider, location, etc) and
         access privileges.

   o  Data while in use

      *  Isolation of data while in use by the computing resources.

      *  Management of the data usage based on access privileges of the
         users, enterprise consumer, and service providers.

   o  Data in motion

      *  Restricting the data transmission across geographical
         boundaries based on government regulations or enterprise
         policies and configurations defined during self-service setup.

   o  Data at rest (monitoring and management)

      *  Data isolation in a multi-tenant environment to protect against
         side-channel attacks (across tenants) and against attacks by
         privileged administrators.

      *  Data migration managed as defined by enterprise/government

      *  Deletion, loss/leakage, and location of data.

   In a traditional data center, data/content migrates from machine to
   machine and from storage device to storage device frequently, both
   in normal operation and during backup/restore.  Data deemed
   sensitive for security or regulatory reasons can be isolated and
   controlled through dedicated physical devices for storage/access,
   and is therefore relatively easy to secure.  In a virtualized
   environment, however, VMs are set up, relocated and shut down
   dynamically on demand, and traditional physical-device-based
   isolation is no longer sufficient.

   Data residing in a cloud environment goes through the same
   create/read/update/delete (CRUD) lifecycle as in any other case.
   While create/update of data are easily abstracted and handled by the
   cloud platform, destruction of data in the cloud can be tricky,
   especially for security/regulatory compliance purposes.  In these
   cases the cloud service provider must often demonstrate complete
   destruction of the data, taking into account the copies left behind
   by virtual machine migration and remote data center backups.  Some
   destruction may be conditional on other factors, such as legal
   retention periods.  Therefore, the cloud framework must include a
   data lifecycle management function, driven by user-defined policies,
   that governs the create/read/update/delete/migrate operations on
   data.
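
   The following is an added illustration, not code from this draft,
   of the lifecycle function described above: a small manager that
   records every replica a VM migration or backup creates, refuses
   destruction while a legal hold is in force or when the requester is
   not the owner, and treats "delete" as complete only once every
   replica has been wiped and logged.  The location strings, the
   owner-only policy and the ISO-date interface are assumptions made
   for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Record:
    record_id: str
    owner: str                                   # tenant that owns the data
    locations: set = field(default_factory=set)  # every live replica
    legal_hold_until: Optional[date] = None      # retention constraint


class LifecycleManager:
    """Tracks every replica of a record and enforces the owner's policy
    on create/migrate/delete.  Constructed for this example; the
    location names and the policy rules are assumptions."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self.audit: list[str] = []               # append-only evidence trail

    def create(self, record_id: str, owner: str, location: str) -> Record:
        rec = Record(record_id, owner, {location})
        self._records[record_id] = rec
        self.audit.append(f"create {record_id} at {location}")
        return rec

    def migrate(self, record_id: str, src: str, dst: str) -> None:
        # A VM migration or a backup copies the data; the source copy is
        # not assumed to vanish, so both locations stay on the books.
        rec = self._records[record_id]
        if src not in rec.locations:
            raise ValueError(f"no replica of {record_id} at {src}")
        rec.locations.add(dst)
        self.audit.append(f"copy {record_id} {src}->{dst}")

    def place_hold(self, record_id: str, until_iso: str) -> None:
        self._records[record_id].legal_hold_until = date.fromisoformat(until_iso)

    def replicas(self, record_id: str) -> set:
        rec = self._records.get(record_id)
        return set() if rec is None else set(rec.locations)

    def delete(self, record_id: str, requester: str, today_iso: str) -> str:
        """Returns 'unknown', 'denied', 'held' or 'destroyed'.  'destroyed'
        means every replica, including migrated copies and remote
        backups, has been wiped and an audit line written for each."""
        rec = self._records.get(record_id)
        if rec is None:
            return "unknown"
        if requester != rec.owner:
            return "denied"                      # only the data owner may destroy
        today = date.fromisoformat(today_iso)
        if rec.legal_hold_until is not None and today < rec.legal_hold_until:
            return "held"                        # conditional destruction: legal hold
        for loc in sorted(rec.locations):
            self.audit.append(f"wipe {record_id} at {loc}")
        rec.locations.clear()
        del self._records[record_id]
        return "destroyed"
```

   The audit list is what a provider would hand to an auditor as
   evidence of complete destruction; in a real deployment each "wipe"
   line would be backed by a cryptographic erase or an overwrite report
   from the storage system at that location.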

3.3.  Lack of mandatory Application Security in Protocol

   HTTP is the most widely used application layer protocol.  It
   functions as a request-response protocol in the client-server
   computing model.

   A Web service is a method of communication between two electronic
   devices over a network.  Web services are most widely implemented
   on top of HTTP.  Specifications such as WS-Interoperability (WS-I),
   WS-Security, WS-Addressing, WS-Policy and WS-Reliable Messaging have
   been defined for Web services.

   These Web services specifications have not yet been widely adopted
   in application implementations, thus leaving security as a choice up
   to the developers of the organizations developing various

   With the lack of mandatory security requirements there may be
   significant security gaps in these application implementations.  A
   few use cases are mentioned here to exemplify the problem:

   User identity and session state management within an application
   context are not mandated or controlled at the protocol level, which
   leads to broken session management and to authentication/session
   hijacking from the client side.

   There is also an identity and access management problem due to a
   lack of standards: as the applications used by enterprises are
   spread between private and public cloud providers, users have to be
   single-signed-on and authorized with appropriate privileges to access
   these resources.  A requirement to support multi-factor
   authentication across multiple cloud providers would significantly
   enhance the security of the application implementations.

   Another significant aspect that could be addressed at the HTTP
   protocol level is making data input validation and escaping of data
   sent to the browser mandatory.  This would help maintain data
   integrity without relying on other APIs during application
   development, and protects against vulnerabilities like Cross-Site
   Scripting (XSS), Cross-Site Request Forgery (CSRF) and injection
   (LDAP, SQL).
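
   As an added example, not part of this draft, the following shows
   two of the failure modes named above side by side with the hardened
   form: an HTML page built by string concatenation (XSS) and a SQL
   query built the same way (injection), against the same input
   validation, output escaping and parameterized query that the text
   asks for.  The username allow-list, the table layout and the sample
   rows are constructed for the example; the database is an in-memory
   SQLite instance so the code runs offline.

```python
import html
import re
import sqlite3

# Allow-list for a username, checked at the trust boundary before the
# value reaches either the database or the page.  (Assumed policy.)
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: untrusted input is concatenated straight into HTML, so
    # a name containing markup is executed by the browser (XSS).
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: escape for the HTML text context before emitting.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def sample_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "tenantA"), ("bob", "tenantB"),
                      ("carol", "tenantA")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the query is assembled by string concatenation, so a
    # quote character in `name` changes the SQL that runs (injection).
    sql = "SELECT name, tenant FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value travels as a bound parameter and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT name, tenant FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def handle_lookup(conn: sqlite3.Connection, name: str) -> tuple:
    """Request handler combining the three controls: validate on input,
    parameterize the query, escape on output.  Returns (status, body)."""
    if not validate_username(name):
        return 400, "<p>invalid username</p>"
    items = "".join(f"<li>{html.escape(n)} ({html.escape(t)})</li>"
                    for n, t in lookup_safe(conn, name))
    return 200, "<ul>" + items + "</ul>"
```

   Note that the correct escaping depends on the output context (HTML
   text, HTML attribute, SQL, LDAP filter); whatever is mandated at the
   protocol level, the application still has to know which context a
   value is headed for, which is why validation and escaping are
   applied here at the handler rather than on the transport.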

4.  Other Gaps in Existing Implementations & New Requirements

   These topics are mentioned here for completeness of the security
   framework, in which privileged users access or use the on-demand
   self-service to run applications and services in a tenant-isolated
   and interoperable virtualized environment.  They may be elaborated
   later, as seen fit, in the context of IETF protocol gaps.

4.1.  Systems Security Gaps & New Requirements

   Interoperability and information exchange between systems in the
   organizational domains of an enterprise, or across related
   enterprises, are hampered by the lack of proper protocol and profile
   definitions, and certain approaches raise security concerns.

   Transport channel encryption is a widely deployed security measure.
   While it helps prevent man-in-the-middle attacks, it also prevents
   network-based detection of malicious content that has entered the
   system from the client-side browser.

   Another challenge in today's implementations, and a new requirement
   for developing interoperable solutions in a virtualized environment,
   is key management in a client/host (cloud user and cloud provider)
   architecture spread across multiple providers.  All key exchange
   between the enterprise and the cloud shall be secured and protected.
   The system shall allow end users (consumers or enterprises) to hold
   the encryption keys and to integrate with their existing key
   management.  When they withdraw the encryption keys from the cloud,
   the customer's data in the cloud becomes inaccessible or unreadable.
   The keys shall be protected from side-channel attacks and from admin
   attacks such as snapshotting a VM to extract the encryption keys.
   The system should support standard key management protocols between
   the encryption entity in the cloud and the key manager in the
   enterprise domain such as
   These days, with multi-platform devices, insufficient restrictions on
   access to virtualized resources over the network increase exposure
   to viruses, spyware, etc., and may also facilitate undesired access
   to cloud-based virtualized resources.  Host-based firewalls do not
   obviate the need for network-based firewalls in the virtualized
   environment.

4.2.  Network Security Gaps & New Requirements

   o  Develop security at the protocol level to accommodate the various
      needs of virtual infrastructure environments and of the
      applications running in them.

   o  Protecting the channel with a VPN enables secure communication
      between the client and the host.

   o  Cloud customers depend on functional networks to access their
      resources, and because networks are often not under the control of
      customers, there is a risk that the cloud may not be reachable.

   o  Layer 3 firewalls in the network virtualization layer will need
      enhancements to protect the perimeter from intruders, to enforce
      role-based access control policies on in-flight traffic within
      the perimeter, and to provide intrusion detection and prevention.

   o  Connectivity resources (bandwidth) allocation for routing, VLAN
      and other network configuration to handle multiple customers.

4.3.  Mobile Security Gaps & New Requirements

   With the proliferation of mobile devices and of the applications
   developed to serve consumers with a better user experience, it is
   becoming critical to protect the privacy and security of these users
   when the devices are physically lost.

   The data center operations infrastructure, including the networks,
   is becoming more and more application aware through deep packet
   inspection (DPI); this in turn leads to interesting privacy and
   regulatory compliance issues.  Data in motion flowing through the
   network may be analyzed for better application awareness, but this
   should be done with a short memory span and with no data held in
   temporary storage, to avoid legal ramifications.

   Managing the identity of the user accessing a mobile device is
   critical to the safety and privacy of the user's content.  In
   addition, there is a high chance of private data falling into the
   wrong hands via removable media or via local Bluetooth connections
   that are not turned off.

   In some instances where a mobile device is physically lost it may be
   helpful to track the device to see whether it is in someone's hands,
   to retrieve important data from it remotely, and to destroy the
   content on the device for safety.

   Another important requirement would be the ability to seamlessly
   provide content to authenticated and authorized users on their mobile
   platform during transit across various networks (from various network
   providers) without disruption of service.  This content may also be
   viewed by authorized user via various display channels and be able to
   switch seamlessly from the mobile device in their hands or in their
   automobile across to their television or home personal computer.

   Governance and regulatory compliance require that certain sensitive
   data be managed within certain boundaries even though the user and
   the mobile device may cross geographic boundaries.  This is a very
   common situation in the healthcare industry.

   Some security requirements in the mobile area include:

   o  End-point security (protect against removable media)

   o  Protect against Bluetooth Connections Access

   o  Encryption of data

   o  Protect session during service mobility

   o  Locating the mobile device and the ability to disable it remotely

   o  Location awareness for data store irrespective of the mobility of

4.4.  Physical Security Gaps & New Requirements

   o  Access control - What is the basis for trusting the human cloud

   o  Common operational picture that provides integrated view of
      various alarms, alerts and notifications from various physical
      devices like video surveillance cameras, motion sensors, access
      control card readers, etc.

   o  Role-based and privilege-based access to video surveillance
      content and alarm notifications.

   o  Perimeter security for virtualized data center operations, with
      real-time insight into security issues for the provider and for
      the enterprises using its services.

   o  Business hours based security monitoring of provider assets.

4.5.  Operations & Management Security Gaps & New Requirements

   o  Discovery of network nodes, both physical and virtual, of their
      access privileges (for example using SNMPv3), and of their
      locations in a physically distributed virtualized infrastructure.

   o  Ability to manage both physical network resources and virtual
      network resources through a consistent Network Management console.

   o  Management of configurations across various systems, network

   o  Need clarity on security control roles and responsibilities.

   o  Backup and recovery of information (import/export across multiple

   o  Business continuity and disaster recovery - how to maintain
      continuity of operations if cloud providers fail?

   o  Business continuity and disaster recovery - how to maintain
      continuity of operations by having redundancy across multiple
      service providers?

   o  Management & Configuration Security

   o  Governance, Risk & Compliance

      *  Clear certification and accreditation guidelines

      *  Clear e-discovery guidelines

      *  Cloud audit assurance and log sensitivity management

      *  Need for clarity on how NIST SP 800-53-style control guides can
         work for the cloud

      *  Need clear privacy guidelines

      *  Lawful interception needs in the cloud virtualized service

4.6.  Other New Requirements

   o  Interoperability across various vendor products that span the
      client and host layers.

   o  Multi-cloud services: applications integrated across different
      CSPs.

   o  Inter-Cloud Information Exchange between CSPs.

   o  Visibility for Customers - ability for customers to observe the
      health of their VM instance and general status of their workloads.

   o  Control for customers during self-service - ability for customers
      to maintain effective control of their workloads even though the
      protection mechanisms and even the locations of workloads may not
      be known to customers.

   o  Protect virtual machines, network traffic, actual/residual data,
      and other resources of a tenant against unauthorized access by
      another tenant.

   o  Provide normal availability to tenants in case of failure of
      another tenant's application, and protect their data and their
      identities.

   o  Compute resource allocation services - ability to allocate
      system, computing, storage and network resources in a virtualized
      infrastructure environment.

5.  Work Item for Consideration

   The various applications and interworking protocols developed by the
   IETF MAY need to be extended or profiled to support the security
   requirements of virtualized services and infrastructure environment.

5.1.  Applications & Services

   HTTP, the most widely used protocol today for application and
   services development, has been considered for applications in the
   virtualized environment.  The protocol may have to be profiled or
   extended with significant changes to be ready to handle the security
   requirements of a virtualized environment.

5.2.  Infrastructure Operations & Management

   The various security parameters related to operations and management
   of virtualized network resources in multiple administrative domains
   may need to be defined.  Monitoring results may need to be exchanged
   periodically between the private and public virtualized domains and
   infrastructure in order to maintain the expected end-to-end
   security.

6.  Case Study

   Will be added in future.  Looking forward to contributions in this

7.  Security Considerations

   This document discusses security for virtualized environment.

8.  Conclusion

   Over the last decade, the exponential growth of the Internet and the
   associated advances in technology have led to large-scale adoption
   of connected devices.

   With this advancement we are seeing the rapid rise in security
   threats and vulnerabilities to today's application and

   It is time to take a look at existing protocols and APIs, not only
   for today's applications and infrastructure but also to tackle the
   rising threats that come from using the same technologies and
   protocols to build virtualized applications and infrastructure
   environments.

   Left unaddressed, these gaps will not only cause security and
   interoperability problems, but may also negatively impact further
   development of protocols and services in the very important area of
   virtualized applications and networking infrastructure.  The IETF is
   the best organization to address these issues.

9.  Acknowledgement

   The authors would like to thank Zachary Zeltsan for his valuable
   review and comments on this document.  The authors would also like
   to thank Tony Rutkowski for his useful suggestions on the document.

10.  IANA Considerations

   This document has no actions for IANA.

11.  References

   [CSA]      "Cloud Security Alliance".

   [ETSI]     "European Telecommunications Standards Institute".

   [ITU-T]    "ITU-T Focus Group on Cloud Computing (FG Cloud), WA 1-3
              Cloud security", June 2012.

   [NCCRA]    "NIST Cloud Computing Reference Architecture".

   [NCSA]     "NIST Cloud Security Architecture", June 2012.

   [NIST]     "National Institute of Standards and Technology".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", March 1997.

   [SCIM]     "System for Cross-Domain Identity Management", June 2012.

              Baker, F., "On Firewalls in Internet Security", June 2012.

              So, N., "Draft Requirement and Framework for VPN-Oriented
              Cloud Services", March 2011.

              Wei, Y., "NVO3 Security Framework", June 2012.

Authors' Addresses

   Suren Karavettil
   ASTA Ventures, Inc.
   32 Hatikva Way
   Chelmsford, MA 01863

   Phone: +001-978-857-5461
   Email: surenck@gmail.com

   Bhumip Khasnabish
   ZTE USA, Inc.
   18 Patterson Road
   Lexington, MA 02421

   Phone: +001-781-752-8003
   Email: vumip1@gmail.com

   Ning So
   Tata Communications
   2613 Fairbourne Cir.
   Plano, TX 75082

   Phone: +001-972-955-0914
   Email: ning.so@tatacommunications.com

   Wei Dong
   Tektronix Communications
   3033 President Bush Hwy
   Plano, TX 75075

   Phone: +001-469-330-4000
   Email: wei.dong@tek.com
