CLOUD ACCESS CONTROL AND KEY MANAGEMENT

By-Vikas Mishra and Ishika Mahawar

“Encryption is simply the method of locking and unlocking your front entrance”, said Moulds. ”It seems like that’s the large issue, but the large issue is how secure is your lock when you are not there and the way that key is secure in your pocket 24 hours a day?”

In today’s world, the modern organization’s most precious assets are their digital information stored on the cloud such as confidential files, contract, and plans ,state secrets, etc which they store online are most vulnerable of being hacked if proper access control is not given and key management plays an important role is all which will be discussed.

What is access control in the cloud computing domain?

Access control in cloud computing provides security by which the company can regulate and monitor permissions and also access to their business data by formulating various policies. Access control in cloud computing gives companies the control to restrict unauthorized user access and at the same time provide enough access for the smooth functioning of our work.

Why is access control so important?

We are in the arena where data security whether on the cloud is extremely important than anything else. Every year, the case of data breach is increasing day by day and cyber-attacks are coming more in notice with each passing day. Hence access control is the only way through which our data can remain protected on digital platforms. Businesses are transferring their work to the cloud because it provides data access to authentic users and owners from anywhere and at any instant of time by having the internet. However, there are chances that the network hackers sitting over the internet can hack the confidential data on the cloud and use it for their benefit so this is the main reason why access control in cloud computing is important.

How access control works

Access control in cloud computing involves four different processes for ensuring that only authorized persons can operate with confidential data both from inside and outside the organization. These processes are authorization, authentication, access approval and audit. This program has the right to allow or reject permission made to access certain resources based on the required credentials of the user. Multifactor authentication, which needs two or more authentication factors, is often as important part of the layered defence to guard access control systems. These access or security controls work by recognizing the individual or entity, verifying that the person or applications who or what it claims to be, and authorizing the access level and set of activity associated with the username or IP address.

Various Access Control Mechanism

There are five main types of access control mechanism available:

1) DAS- In the Discretionary Access control system, the main owner of the data decides that who can work with which particular resource.

2)  Attribute-based Access Control -In ABAC users are assigned attributes and access is granted to those users with a certain set of attributes required to access the data or the resources. Users need to be able to prove that they possess the attributes that they claim to own. For this purpose, the access control relies on authenticating the user at the site as well as at the time of a request.

3) Identity-based access control-This is effective as well as efficient method as it manages activities and provides access as per the requirement of individual needs

4) Organization based access control -This model provides users a policy designer to decide the security policies at the time of its implementation.

5)Role-based access control-In this method, security policies are maintained through the granting of security rights to roles rather than to individual users. Here, the system assigned roles to all the users and each role was assigned to a set of access privileges. Thus, the role determines the user’s access to the system based on the job role. Roles are assigned to the user based on the concept of least privileges i.e. the role is assigned with the least amount of permissions required for the job to be done.

Benefits of cloud-based access control

Whether doing online banking or posting photos on social media everything is moving to the cloud. Hence it becomes necessary to manage access control via the cloud as well which will increase the efficiency and security of the businesses that are using the cloud.

Prevent DOS to legitimate users- A denial-of-service attack is a type of cyber-attack in which malicious cyber threat actor aims to keep systems, devices or network resources busy so that legitimate users are unable to access these. By using access control helps to prevent unauthorized use of resources and only legitimate users are given access to resources so it helps to prevent DOS from intended users.

Increased security- As always companies can block access permissions immediately for suspicious users, discontinued service providers, and former employees. As a result of which businesses are switching their work to the cloud.

Scalability-In cloud it is easy to scale up or down as the size of the workforce and facilities grows or downsizes by having the same access control mechanism in place unlike the case when cloud-based platforms are not used where controlling the access to resources for users was also difficult.

Reliability-The organizations are more reliable to cloud-based access control simply because of security, efficiency and cost-effective nature of cloud-based access control.

Remote Management- Apart from security activities that can be managed remotely, it also allows administrators to review real-time logs, view live video, responds to alerts, etc. from anywhere with an internet connection.

Instant access to control and data-With a cloud-based system we don’t have to login to a mainframe computer to provision employee access, check logs or update settings. We can do this by logging into a cloud-based dashboard and we can instantly access to all to all of our data and system controls for all of our facilities.

Why do we need a key management system in a cloud computing environment?

In a cloud computing environment, the encryption can occur in the organization or the cloud.

 But the most important question for a user is:

“Who controls the keys - the cloud or the enterprise? “

If we rely on the cloud provider to hold the keys for us, then we have not solved much of a security problem because we don't know who they employ or what policies they have.

There could be an alternative for the organization using the cloud service, to encrypt the data itself before it is put into the cloud and then hold the key itself. So the data is encrypted when it leaves the organization, and is decrypted when it returns to the organization.

Although that appears to be very secure, but there is a drawback: the cloud provider only sees the encrypted data. If the user is expecting the cloud provider to perform searching or filtering or any kind of analytics on the data, then these services would be impossible because they only have the encrypted data. This means the organization can only use the cloud for ordinary services like basic storage.

Solution to the problem: Key Management Service

So is there a solution to cloud key management, which is a hybrid model where the encryption happens in the cloud but the keys are controlled by the enterprise. So the enterprise/organization, will temporarily release the keys on a need-to-know basis to the cloud provider or service to selectively decrypt the data as necessary. So, key usage happens in the cloud and key management happens in the enterprise.

Key Management Service-A Software Approach

A key management service is a software-only approach that allows the client to create and manage the encryption keys that are used to protect the sensitive data residing in the cloud. Encryption keys reside within the cloud provider’s infrastructure and are accessible only by the client. Provided on an as-a-service basis, a KMS exploits the proven capabilities of the cloud: centralized management, scalability as data and processing demands increase, high availability, low-latency processing and a consistent means of managing encryption keys within the provider’s environment.

However, a key management service by itself does not inherently provide a level of security equal to that provided by an HSM.

A hardware security module (HSM) is a physical device that yields extra security for sensitive data. This type of device is used to provide cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, databases and identities.

That shortcoming, coupled with the disadvantages of a KMS working nicely within the cloud provider’s environment, makes the feasibility of this approach turn into a problem, particularly for organizations which require to manage encryption keys across multiple, diversified regions, countries or services. Additionally, when both encryption keys and data are held by the same entity-the cloud provider, in this instance, there is an added level of risk. Best practices recommend keeping encryption keys and data separate to reduce the possibility of a damaging data breach.

Combine HSM security with multi-cloud flexibility

The disadvantages of the KMS can be overcome by combining it with HSM.

Organizations face a tough choice, given the potential security shortcomings of a KMS and the provisioning challenges of an HSM-not to mention their inability to work outside of the cloud provider’s environment. Given all that, what’s the best way to manage encryption keys in multi cloud environments, especially those that extend globally to multiple, disparate regions and countries? Those companies that want to maintain the security level provided by on-premise HSMs while taking advantage of the superb resources and services offered by major cloud providers are in search of an option that encompasses the following criteria:

·        Cloud-neutral to support multi cloud and hybrid cloud environments and simplify the provisioning and control of encryption keys across these environments.

·        Globally available with connectivity close to cloud providers to minimize latency, optimize performance and the ability to maintain data and encryption keys at the digital edge.

·        Separation of keys and data to provide an additional level of protection against data breaches and to comply with data sovereignty regulations.

·        A private and secure HSM as a Service that provides the security level of a physical on-premise HSM, wipes out the complexity of HSM provisioning and is available in a distributed cloud environment.

With a cloud-neutral HSM as a Service, organizations employing multi cloud and hybrid cloud environments or operating globally can find a simple and accessible solution to encryption key management without sacrificing security. Keeping encryption keys separate from but close to the encrypted data provides an added level of protection from data breaches while reducing latency. HSM as a Service offers the best of both technologies, providing the benefits of HSM-level security while operating within the flexibility of a multi cloud environment.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) provides us with centralized control over the cryptographic keys used to protect our data. The service is combined with other AWS services making it easy to encrypt data that we store in these services and gives control access to the keys that decrypt it. AWS KMS is integrated with AWS CloudTrail, which provides us the ability to inspect who used which keys, on which resources, and when. AWS KMS allows developers to easily add encryption or digital signature service to their application code either directly or by using the AWS SDK.

The software development kit(SDK) for Java helps to make Amazon Web Services(AWS) applications and services available to Web browsers across many devices and operating systems.

The AWS Encryption SDK supports AWS KMS by behaving as a master key provider for developers who need to encrypt/decrypt data locally within their applications.

Using AWS KMS, we can create new keys whenever we wish and can control who can manage keys and who can use them. The service automatically keeps older versions of the master key available to decrypt previously encrypted data. We can manage our master keys and audit their usage from the AWS Management Console.

Challenges of Access Control and Key Management

Ø  Managing cryptographic keys can be a challenge, especially for larger organizations that rely upon cryptography for various applications. The primary problems that are associated with managing cryptographic keys include:

     Ø    Keeping Application Integrations Up to Date

Ø  Using the correct methodology to update system certificates and keys

Ø  Dealing with proprietary issues when keeping track of crypto updates with legacy systems

Ø  Locating remote devices that need to be updated

Ø  Lacking overview as to the purpose, location and why various systems are used

Conclusion and Future Scope
Cloud computing provides a much better platform for businesses but as it is an emerging technology so there are still some barriers and hurdles for data security and privacy issues. As many organizations are shifting to the cloud so data security might be a big challenge in the near future. Though some techniques are present for data protection in the cloud such as IAM, key management, etc. there are still some gaps to be filled by making these techniques more effective and discovering new techniques for data protection. By doing so a trust will be built between the cloud service providers and consumers and more organizations will switch to the cloud.
References:

1.     https://aws.amazon.com/kms/

2.     https://bit.ly/2RG5bqq

3.     https://bit.ly/2V9aUHt

4.     https://bit.ly/2wEts96

5.     https://bit.ly/2RDC3A5