Secure Cloud Maintenance Protecting workloads against insider attacks

Malicious insiders are a substantial risk for today's cloud computing infrastructures. A single malicious cloud administrator can eavesdrop or damage business-critical or personally identifiable information and computations of thousands of cloud customers. To protect cloud users against such insiders, we propose a novel approach that enables a security team to protect privacy and integrity of cloud users' workloads against attacks by system administrators during operation and maintenance. We achieve this by managing the privileges of administrators during operation and maintenance while re-establishing the security of a compute node once administration is completed. By default, administrators' access to cloud servers is disabled since cloud operation is automated. For manual maintenance operations, we propose five fine-grained privilege levels that balance the security objectives of cloud users with the operational requirements of cloud administrators. We demonstrate how existing cloud architectures need to be extended to incorporate our approach. We prototyped our management approach using the OpenStack cloud platform. Policy enforcement has been prototyped by leveraging SELinux type enforcement in the KVM compute nodes, in order to demonstrate the practical feasibility of our approach.