Making Least Privilege the Low-Hanging Fruit in Clouds
Cited by: 0
Authors:
Tian Puyang
Shen, Qingni [1]
Luo, Yang
Luo, Wu
Wu, Zhonghai
Affiliations:
[1] Peking Univ, Sch Software & Microelect, Beijing, Peoples R China
[2] Peking Univ, Natl Engn Ctr Software Engn, Beijing, Peoples R China
Funding:
National Natural Science Foundation of China;
Keywords:
DOI:
none
CLC number:
TN [Electronic technology, communication technology];
Discipline code:
0809;
Abstract:
Failing to promote the least privilege principle in administration can lead to substantial vulnerabilities in cloud computing. A malicious insider, such as a compromised cloud administrator, can affect the security of data and workloads belonging to cloud customers. Enforcing the least privilege principle in cloud administration can fairly restrict the permissions of administrators and reduce the attack surface. However, writing a least privilege policy can be hard and error prone for cloud service providers. In this paper, we propose a framework called Least Privilege for Cloud (LPCloud) to address these concerns. LPCloud automatically produces policies for the minimization of administrators' privileges at the granularity of representational state transfer (REST) application program interfaces (APIs), and enforces the policies without affecting current systems. Specifically, we introduce a novel algorithm to partition privileges based on dependencies between API calls. This paper presents the design of LPCloud, including a service called Policy Generator, which produces partitioned policies, and a component named Policy Enforcer, which enforces the policies. We implement a prototype of our framework in OpenStack Mitaka. Experiments indicate that LPCloud can produce proper policies to enforce the least privilege principle. Meanwhile, the average performance overhead is 10.1%, which is at an acceptable level.
Pages: 7