
Before you move to the cloud

April 15, 2013 by Ninj@S3c

What is the cloud, anyways?

The term is new, but the concept is not. Throughout the history of computing, IT organizations have used their own infrastructure to host applications, data, servers and so on. Now most of them rent infrastructure, using remote servers to host their applications or data. Organizations called service providers exist specifically to provide, manage and maintain the infrastructure on which their client organizations' applications and data are hosted. The client organization gets access controls to manage its applications and data hosted on the remote server. This is the main idea behind cloud computing.

More precisely, cloud computing is a method of accessing, delivering and managing IT services over the internet. Network resources are provided to customers on demand. As a customer, you need not own infrastructure; you just rent it from your cloud service provider and pay for what you use.

Benefits of Cloud computing:

Picture 1

An organization may benefit in ways ranging from reduced cost and online support to flexibility. The major benefits can be summarized as:

Location Independent: As a customer, you need not worry about where your data is hosted. You can access and manage it from virtually anywhere in the world. All you need is a connection to the Internet.

Low Total Cost of Ownership: Since you use the service provider's infrastructure and resources, you are exempted from the cost of setting up your own.

Pay-as-you-use: The most appealing thing is the option to pay only for what you use, when you use it. That fits well within your organization's budget.

Support: As service providers host your data on their infrastructure, the onus for maintaining and supporting the client's request is on them.

Security and storage management: Service providers securely manage your data and have a backup and disaster recovery plan. Therefore, your data is always safe.

Scalability and Sustainability: Service providers have large infrastructure, high-end processors and memory devices that you may rent as per your requirements. Resources are dynamically allocated between users. Additional resources are dynamically released when needed.

Highly Automated: Your IT personnel do not need to worry about keeping software up to date.

Maintenance: Maintenance of cloud computing applications is easier, since they don't have to be installed on each user's computer.

Types of Cloud Computing:

Infrastructure-as-a-Service (IaaS): Infrastructure-as-a-Service gives the customer a virtual server or storage with a unique IP address. Amazon Web Services is an example. The user's application interface accesses the virtual servers and storage hosted by Amazon to read books online.

Platform-as-a-Service (PaaS): Platform-as-a-Service covers services such as software development tools hosted on the provider's servers, which customers access through APIs. Users execute their applications on the platforms hosted by the cloud provider through the platform or Application Program Interface (API). Google Apps is an example of platform services.

Software-as-a-Service (SaaS): In the Software-as-a-Service model, the software and its data reside in the provider's cloud, and end customers use both on a contract basis from the provider.

Challenges faced by the Organization:

The basic issues that an organization may face can be categorized as the following:

Privacy: You are never sure if the service provider can monitor your data, be it sensitive or not.

Security: Security concerns arise because both customer data and programs reside on the provider's premises.

Availability: The cloud service provider needs to make sure the system is available for its consumers. Service level agreements (SLAs) between the cloud service provider and the consumer cover availability and performance.

The following picture (Picture 2) describes how you lose control over data and other resources as they move from your dedicated environment to the premises of your service provider.

Picture 2

As you can see, the blocks in green show the resources under your control, the blue blocks show the resources you share with your service provider, and the orange blocks depict the features under the control of your service provider. If you host data and servers in your own environment, you have maximum control over them. However, as you rent resources from service providers and finally move your resources to the actual cloud, you can no longer personally control or manage them. Instead, the cloud provider gives you access controls through which you can manage and control your data and other resources.

As a result, some organizations, especially smaller ones, remain skeptical about the cloud even though it is much more cost effective for them. Rightly so, because they may have concerns about the following:

Accessibility issues: Organizations may have trouble accessing resources in the cloud if a communication outage occurs due to attacks such as denial of service and distributed denial of service.

Authentication issues: TCP/IP-related attacks such as IP spoofing, RIP attacks, ARP poisoning and DNS poisoning can alter routing tables, so an organization may not be sure of the authenticity of its trusted machines.

Data verification, tampering, loss and theft: These can occur while data is on a local machine, in transit, at rest on an unknown third-party device or devices, and during remote backups.

Information transmitted from the client through the Internet poses a certain degree of risk because of issues of data ownership. Enterprises should spend time getting to know their providers and their regulations as much as possible before assigning some trivial applications first to test the water.

Data segregation: Data in the cloud is typically in a shared environment alongside data from other customers. The cloud provider should give evidence that encryption schemes were designed and tested by experienced specialists.

Recovery: A proper recovery and backup plan should be in place. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure. In addition, the timeframe within which restoration will be complete is a concern.

Physical access issues: This covers both the organization's staff not having physical access to the machines storing and processing its data, and unknown third parties having physical access to those machines.
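
For the data verification and tampering concern above, a customer can keep a keyed manifest of everything it uploads and check whatever the provider or a restored backup returns. The following is an added example, not part of the original article; the object names, key and sample data are constructed for illustration.

```python
import hashlib
import hmac

def tag(key, name, data):
    """HMAC-SHA256 over object name and content; the key stays with the customer."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    encoded = name.encode()
    mac.update(len(encoded).to_bytes(4, "big") + encoded)  # length-prefixed name
    mac.update(data)
    return mac.hexdigest()

def build_manifest(key, objects):
    """Run before upload; keep the result outside the cloud account."""
    return {name: tag(key, name, data) for name, data in objects.items()}

def audit(key, manifest, fetched):
    """Classify what the provider (or a restored backup) returns."""
    report = {"ok": [], "tampered": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in fetched:
            report["missing"].append(name)
        elif hmac.compare_digest(tag(key, name, fetched[name]), expected):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    report["unexpected"] = sorted(set(fetched) - set(manifest))
    return report

def demo():
    """Constructed data: two objects swapped, one lost, one planted."""
    key = b"constructed-local-key"
    local = {"q1.csv": b"10,20", "q2.csv": b"30,40",
             "q3.csv": b"50,60", "hr.db": b"\x00\x01"}
    manifest = build_manifest(key, local)
    returned = {"q1.csv": b"30,40", "q2.csv": b"10,20",
                "hr.db": b"\x00\x01", "new.bin": b"?"}
    return audit(key, manifest, returned)
```

Because the tag is keyed, someone who can alter the stored objects cannot produce a matching tag without the customer's key.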

To summarize, these are some of the top potential threats of cloud computing that must be considered rather than moving to the cloud blindly. The Cloud Security Alliance identifies the following potential risks:

  1. Abuse and Nefarious Use of Cloud Computing: Cloud providers offer their customers the illusion of unlimited computing, network, and storage capacity. There are registration processes where anyone with a valid credit card can register and immediately begin using cloud services. By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity.

    Cloud computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers' fraud detection capabilities are limited. Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities.

    Examples: IaaS offerings have hosted the Zeus botnet, Infostealer Trojan horses, and downloads for Microsoft Office and Adobe PDF exploits.

  2. Insecure Interfaces and APIs: Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.

    Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.

    Examples: Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.

  3. Malicious Insiders: This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.

    The impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. Brand damage, financial impact, and productivity losses are just some of the ways a malicious insider can affect an operation.

  4. Shared Technology Issues: Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform. Attackers may focus on how to affect the operations of other cloud customers, and how to gain unauthorized access to data.

  5. Data Loss or Leakage: There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. There is damage to one's brand and reputation, and a loss could significantly impact employee, partner, and customer morale and trust.

  6. Account or Service Hijacking: If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services.

  7. Unknown Risk Profile: Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design are all important factors for estimating your company's security posture. Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs. When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored, and who has access to them? What information, if any, will the vendor disclose in the event of a security incident?
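
Item 2 above lists anonymous access, reusable tokens and limited logging as API weaknesses. The following added example (not part of the original article or of any provider's API) shows how a management API can authenticate each call with a per-customer HMAC, reject stale or replayed requests, and log every decision. The key id, path and secret are constructed, and the transport is assumed to be TLS, since the signature does not hide content.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # assumed policy: seconds a signed request stays acceptable

def sign_request(key, method, path, body, ts, nonce):
    """Client side: MAC over every field the server will act on."""
    fields = [method.upper(), path, str(ts), nonce, hashlib.sha256(body).hexdigest()]
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()

class ApiVerifier:
    """Server side: denies unknown, tampered, stale and replayed calls, and logs all."""

    def __init__(self, keys):
        self.keys = keys   # key id -> per-customer secret
        self.seen = {}     # (key id, nonce) -> timestamp of an accepted call
        self.audit = []    # (key id, operation, verdict) for activity monitoring

    def verify(self, key_id, method, path, body, ts, nonce, sig, now=None):
        now = int(time.time()) if now is None else now
        verdict = self._check(key_id, method, path, body, ts, nonce, sig, now)
        self.audit.append((key_id, f"{method} {path}", verdict))
        return verdict

    def _check(self, key_id, method, path, body, ts, nonce, sig, now):
        key = self.keys.get(key_id)
        if key is None:
            return "deny: unknown caller"
        if abs(now - ts) > MAX_SKEW:
            return "deny: stale timestamp"
        expected = sign_request(key, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "deny: bad signature"
        # Drop nonces whose timestamp could no longer pass the check above.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (key_id, nonce) in self.seen:
            return "deny: replayed request"
        self.seen[(key_id, nonce)] = ts
        return "allow"

def demo():
    """Constructed exchange: genuine call, its replay, then a tampered body."""
    secret, body, ts = b"constructed-demo-secret", b'{"size": 2}', 1_700_000_000
    v = ApiVerifier({"tenant-a": secret})
    sig = sign_request(secret, "POST", "/v1/volumes", body, ts, "n-001")
    call = ["tenant-a", "POST", "/v1/volumes", body, ts, "n-001", sig]
    tampered = call[:3] + [b'{"size": 9}'] + call[4:]
    return [v.verify(*call, now=ts + 5), v.verify(*call, now=ts + 9),
            v.verify(*tampered, now=ts + 12)]
```

A captured request is useless to an eavesdropper once its nonce has been seen or its timestamp has aged out, which is the property a static reusable token lacks.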

References:

http://en.wikipedia.org/wiki/Cloud_computing

http://cloudsecurtyalliance.org

Ninj@S3c

Ninj@S3c is a Security Analyst with a leading MNC. He is predominantly focused on Application Security, Network Security and Wireless Security. Beyond this, he’s interested in Reverse Engineering and Forensics.