Research Summary
In recent years, several cross-tenant (isolation escape) vulnerabilities have been discovered in multi-tenant cloud services, each of which could potentially have enabled a malicious tenant to access data belonging to other customers.
Examples of these vulnerabilities include: ExtraReplica, SuperGlue, AzureScape, CloudFormation credential leak, AutoWarp, ChaosDB, SynLapse, IDOR in AWS Lake Formation, AttachMe and Hell’s Keychain.
In light of these security implications, and based on the lessons we have learned over the course of our own cloud vulnerability research (which we believe apply to both PaaS and SaaS), we propose a practical framework for reasoning about tenant isolation in cloud applications.
This framework builds on prior work by cloud service providers and government agencies on the subject of tenant isolation. It is not meant to serve as an alternative to existing prescriptive cloud architecture guidance on security, nor should it be viewed as a replacement for prevailing general threat modelling frameworks. Instead, it specifically models the threat of unauthorized cross-tenant access and should therefore be used as one part of a broader threat modelling process. We have chosen to focus on isolating complex customer-facing interfaces, in an attempt to break the larger problem of a full architecture analysis into tractable parts. Moreover, this “interface-oriented” approach allows us to take the perspective of a would-be attacker observing the environment from the outside in, while “following the untrusted data”, so to speak.
Prior work on tenant isolation includes AWS’s SaaS Tenant Isolation Strategies, Azure’s guidance for secure isolation, IBM’s article on handling multiple tenants in their public cloud, Oracle’s “Isolate Resources and Control Access” section in their Best Practices Framework, and guidance by the UK’s National Cyber Security Centre (NCSC), in particular “Technically enforced separation in the cloud” and the principle of “Separation between customers” (Cloud security guidance, ncsc.gov.uk). Examples of prescriptive cloud architecture guidance on security are the Security pillar of the AWS Well-Architected Framework, the Security, privacy, and compliance category of Google’s Cloud Architecture Framework, the Secure phase of Microsoft’s Cloud Adoption Framework for Azure, and the Best practices framework for Oracle Cloud Infrastructure. In addition, this framework was inspired by PASTA, Microsoft’s STRIDE and Carnegie Mellon’s Hybrid Threat Modeling Method; see also AWS’s “How to approach threat modeling”, OWASP’s Threat Modeling Cheat Sheet and the principles outlined in the Threat Modeling Manifesto.