Security assessment of Eucalyptus' web management interface

Abstract

Three approaches exist for a company to migrate its services in the cloud. The first is select the most appropriate commercial cloud provider, such as Microsoft, Amazon, Google or SalesForce, and to rent their resources and deploy its services. These cloud service providers The second approach is to build a private cloud with some of the open source cloud frameworks like Eucalyptus, OpenStack, OpenNebula or CloudStack. Finally, the third option is to build a hybrid cloud, i.e., to split the services and to migrate the confidential and private services in its own private cloud, which could be open source, while the public and non confidential services and data to migrate in some public commercial cloud. Commercial cloud providers encash for their resources as a service, but offer and guarantee secured resources and huge availability of minimum 99.9% through a SLAs (Service Level Agreements). On the other hand, building an open source private cloud is the lowest starting investment, which does not guarantee neither security nor availability. Therefore, it is important for a company to assess the security of the open source cloud frameworks, especially their web management interface since it is the front end application, through which a user can get an unauthorized access to the company's data or applications. Eucalyptus is one of the most common open source cloud frameworks for building IaaS (Infrastructure as a Service) private or hybrid clouds, which also has its own web management interface to manage the cloud resources. In this paper, we assess the security of the cloud framework web management interface of the newest version of the Eucalyptus cloud. The results of the security assessment analysis show that the cloud web management interface is vulnerable. We assess the security vulnerabilities and propose measures how to secure them.