Let’s face it: the information that the critical infrastructure and corporations need to secure will continue to move into private and/or public cloud infrastructures. It’s an unstoppable trend, squeezing efficiencies out of technology and creating the new normal for performance, agility, accessibility and cost containment.
But it is hard to find someone who feels that cloud-based and virtualized infrastructures inherently improve Security. In theory, it COULD improve operations, and thus security, by improving on operational efficiencies, providing sophisticated fault tolerance, reducing the mean time to rebuild (rather than repair). But, regardless of the cloud model—software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS)—the very nature of the cloud approach introduces a wide range of vulnerabilities, some we know about and some that time will reveal.
The challenges, however, keep raising concerns to the CxO level, tempering adoption and begging the questions: “Who really knows the risks here? Who can I trust and what skills do we need to mitigate risk in the context of this new paradigm?”
Three key issues I have identified are:
Problem #1—The Multi-Tenant Issue: To maximize resource utilization and performance, the cloud play allows for everyone to share some underlying hardware. Unless security is designed in from the bare metal up, and can be tested against, CIOs of federal agencies and Fortune 500 companies don’t love the idea of their top secrets sitting on the same hard drive or operating on the same switch as some other unknown organization.
Solution Set—Several large vendors have come together in different teams in order to offer solutions integrating shared processes and designs that provide assurances for tenants hosted on the some physical platform. One of the most active partnerships involves Cisco, NetApp and VMWare, who have collaborated on a validated architecture that they call “Secure Multi-Tenancy”. Fast Lane has developed an intensive course addressing Implementing and Designing based on Secure Multi-Tenancy.
Problem #2—The Collapsing of Roles: A key principle of Information Security, that of the Separation of Duties, can be intrinsically broken by the move to a virtualized, cloud-based infrastructure. For example, the “virtual” network between hosts on the same blade is the responsibility of who? The Virtual Administrator now has, potentially, the keys to the kingdom.
Solution Set—While good policy, procedure and practice can offset this, the virtualized architecture itself can encourage a breakdown of segregated duties and the flattening of the networks. Good training on security fundamentals and policy enforcement that is auditable support maintaining a separation of duties. Third-party virtualization applications like CatBird’s vSecurity solution set address separation of duties, and provide extensive auditing riding on top of the HyperVisor.
Problem #3—Compliance requirements are outdated: Jay Heiser at Gartner notes that current organizational certifications, such as SAS 70 or ISO 27001/2, have yet to catch up with the new architectural issues found in the cloud. This is of course a moving target, but the speed of adoption of virtualized environments means that vulnerabilities will creep in where lazy internal auditing rules the day. Lack of accountability leads to exploited vulnerabilities.
Solution Set—While some of the regulations are still catching up, one can look to some federal agencies and standards bodies for guidance. DISA has had a VMWare ESX STIG (Security Technical Implementation Guide) since 2008 (http://iase.disa.mil/stigs/stig/index.html). The PCI DSS is said to be updating its requirements to address cloud computing and virtualization. And the “Cloud Security Alliance” has released version 2.1 of their guidance this past December. Their work is likely to be reflected or referenced among the other compliance regimes, much like the OWASP guidelines are referenced by FISSEA and PCI. Organizations with compliance concerns should ensure that their security and audit teams integrate these emerging standards into practice, regardless of the lag in requirements.
The Cloud Security Alliance (CSA) has also recently released a report entitled “Top Threats to Cloud Computing, Version 1.0” (http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf), identifying seven areas which I paraphrase below (these are not in order of severity). It’s important to note that while the CSA includes security service and product providers that are in line to benefit from attention on the challenges of secure cloud computing, the list of contributors also includes top security professionals from cloud service providers like Rackspace and eBay.
- Abuse and Nefarious Use of Cloud Computing: For example, IaaS providers have seen their services used for botnet attacks, and as a result of spam, whole IP address ranges of these hosts have been publicly blacklisted.
- Insecure Application Programming Interfaces: Reliance on the cloud provider’s API is only as secure as the code behind it.
- Malicious Insiders: This threat vector is amplified in the cloud environment. Think of it this way: the exposed threat surface just got way more complex, and sloppy internal controls, plus poor vendor management, can add up to a whole new layer of vulnerabilities.
- Shared Technology Vulnerabilities: If the CPU underlying the IaaS solution is found to have vulnerabilities, its conceivable that the hypervisor could allow escalated privilege access to VMs from the Host OS (these type of flaws have occurred in VMware and other hypervisors and will likely happen again).
- Data Loss/Leakage: the Cloud Security Alliance recognizes that the threat of data compromise is increased in the cloud due to unique issues with cloud architecture, and advise a very tight approach to AAA controls.
- Account, Service & Traffic Hijacking: The CSA does not provide a great amount of info here as to why the threat surface is increased here, but we can imagine plenty of scenarios where an instantiation of a cloud presence is under less scrutiny from an audit perspective, and leads to new threats or vantage points for further attacks.
- Unknown Risk Profile: To put it simply, there are the threats that you know and there’s the threats that you don’t know about, and of the two the latter is much scarier.
Tags: Cloud, cybersecurity, Security, virtualization
Hi Cloud Ninja,
I would say that the updated BP doc on the Azure Solution does in fact answer my concerns. I will keep an eye on how Azure fairs in terms of Cloud Security.
Thanks,
Barry
Barry – you raise some great points – here’s a refreshed Security BP doc [June 2010] & addresses them. Let me know.
-cn
http://www.globalfoundationservices.com/security/documents/SecurityBestPracticesWindowsAzureApps.pdf
And to follow up on the standards issue raised in the previous post, for a couple of good looks at Vendor Neutral approaches to securing the cloud:
1. The CSA’s Cloud Security Controls matrix does a nice job of attempting fill in the gaps regarding compliance initiatives like PCI and HIPAA, with this Matrix that guides cloud providers and customers on how to vet security controls in place: http://www.cloudsecurityalliance.org/cm.html
2. The Cloud Audit group released some of this info as recently as last week, focused on the unique aspects of auditing the cloud: http://bit.ly/cN9lnR
Hi Cloud Ninja, thanks for adding the MS dimension to the discussion. Certainly MS security controls are a key part of the overall picture, and I am a big fan of the work done by MS on SDL and threat modeling. I worked with your guys David LeBlanc and Michael Howard on turning their seminal work, Writing Secure Code, into several different courses. On the project I had the good fortune of having Dinis Cruz, thought leader of OWASP on my team, and we all had robust discussions over a year or so on Application Security within the context of MS environments.
At the time, one contentious issue was perhaps a precursor to my key concern with Cloud Security: the Secure Multi-Tenancy issue. Back in those days (2003/2004) Dinis and others expressed a great deal of concern with the insecure design inherent in the Full Trust ASP.NET model, particularly as it relates to co-hosting of entities on the same servers (see http://bit.ly/aTbkBY for more info on this MS Security melodrama).
From the links you sent me, I see your services are following general best practices, many that MS has had a good part in developing and evangelizing, but I am not seeing any detail beyond the generalities on how the physical aspects of MS cloud services are secured. How do you deal with the lower layers of the IP stack? What standard are you working with in terms of the architecture in the data center? Is there any VMware behind the platform, or is it all HyperV? How is MS dealing with the differences inherent in the cloud? I also see that the documents you referred to bragging about being SAS 70 and ISO 27001 compliant, both of which, as I mentioned in the blog are not up to date in terms of Cloud Security’s different set of concerns.
Again, thanks for adding your comments, and hopefully we can keep a dialogue going.
Barry
This is a great outline of important security issues. IMHO, when considering security, 2 items need to be addressed:
1) Physical security of the hardware 2) Security of the Data – here are some resources I’ve found that discuss this and act as guidelines when considering security and the cloud:
Physical security:
http://www.globalfoundationservices.com/security/index.html
http://www.globalfoundationservices.com/security/documents/SecuringtheMSCloudMay09.pdf
Data Security:
http://www.research.microsoft.com/en-us/projects/cryptocloud/
http://www.research.microsoft.com/en-us/projects/secpal/
thoughts?
hope that helps
-cn
[...] This post was mentioned on Twitter by Fast Lane Training, Barry Kaufman. Barry Kaufman said: Top 10 concerns facing Cloud Cyber Security Warriors – http://b2l.me/35sdj (via @fastlaneus) [...]