Cloud computing and security

21 December 2009 | Richard Chow

You can’t avoid the cloud computing topic these days. The latest is that the City of Los Angeles decided to switch its email to Google.

As with many buzzed-about topics, the extreme viewpoints are the most visible:

• Cloud computing is either “worse than stupidity: it’s a marketing hype campaign” (Richard Stallman), or, “likely to have the same impact on software that foundries have had on the hardware industry” (UC Berkeley RAD Lab).
• If you turn to the security experts, it’s either “nothing new” (Bruce Schneier), or, a “focal point in our work” (Ron Rivest).

By the way, if you haven’t heard Larry Ellison’s famous rant on this topic, it’s worth a listen:  http://www.youtube.com/v/0FacYAI6DY0.

Security as the biggest concern?

While there’s some truth in each viewpoint, it’s a little hard to untangle what’s really going on. An oft-quoted survey from IDC reports security is the biggest concern with cloud computing. As a security technologist, I care most about the security and privacy aspects of cloud computing, and “security” in the IDC survey may have meant different things to different people. So we tried to dig a little deeper.

We did our own series of interviews (in early 2009) with different members of the cloud ecosystem, and asked them to identify the security/privacy issues and the concerns of their customers.

Cloud ecosystem member	Who we interviewed
Cloud Provider	Senior Manager
Cloud Application Builder	CTO
Cloud Application Platform	Architect
Cloud Monitoring Service	CEO
Cloud User (Hybrid)	Security Architect
Cloud User (Private)	Security Architect

The key findings:

• The major worry:  loss of control of data in the cloud.  The fact that a third party now controls the data introduces new concerns, such as legal and audit.
• Larger enterprises are still cautious about the cloud. They’re not putting their most sensitive information in the cloud, such as customer SSNs, but they are willing to put confidential yet less sensitive information such as product launch spreadsheets.
• There’s a lot of uncertainty as to what the regulatory and security issues are going to be with cloud computing. It’s still considered the early days of cloud computing.

Security issues with the cloud

Many of the security issues people talk about aren’t really “new”, but have become more acute with the advent of cloud computing.

VM-Level attacks.  These are potential vulnerabilities in the hypervisor or VMM.  It’s a problem as old as virtualization, and yet clearly a bigger problem in the multi-tenant architectures common in clouds.  Vulnerabilities have appeared in VMware, Xen, and Microsoft’s Virtual PC and Virtual Server.  An interesting recent paper (“Hey, you, get off my cloud”) illustrates the potential problems of multiple VM tenancy in an Amazon EC2 environment.  One solution for the cloud user is to simply rent the whole physical machine, eliminating threats from other tenants.

Cloud application vulnerabilities. Fundamentally, there are similar vulnerabilities for any web application, but the architecture might be different and might require you to trust some cloud infrastructure.  For instance, you may be building an app on top of a cloud platform, and that platform may have vulnerabilities which you may not understand and over which you don’t have much control.

Cloud provider attacks. How much do you really trust the cloud provider?  Corporate users who keep proprietary information in the cloud run the risk of the cloud provider peeking at their data. And, the cloud provider is an attractive new attack target for phishers. For example:

“We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database. Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers…” (Washington Post)

More network surface area for an attack. Network security becomes more complex because enterprises need to protect the infrastructure used to connect and interact with the cloud (including their authentication and authorization framework). The cloud is outside the firewall in many cases. It’s even possible for the cloud to attack you.

Other concerns with the cloud

Audit. The paradox is that clouds relieve responsibility for operations, yet auditing requires transparency in operations.  As Neil Roiter asks, “How do you perform an on-site audit when you have a distributed and dynamic multi-tenant computing environment spread all over the globe?” There are multiple standards (SAS 70, SOX, HIPAA, FISMA, NIST, FIPS), but none were written for the cloud — an uncertainty hanging over the industry.

Legal. Cloud users are now dealing with a third party, so need to spell out SLAs and responsibilities. Of course, it’s hard to put everything in a contract, and with such a young industry it’s even more difficult to determine what needs to go in.

By the way, the contractual obligations might be surprising.  Here’s a passage from http://aws.amazon.com/agreement:

“10.4. Non-Assertion. During and after the term of the Agreement, with respect to any of the Services that you elect to use, you will not assert, nor will you authorize, assist, or encourage any third party to assert, against us or any of our customers, end users, vendors, business partners (including third party sellers on websites operated by or on behalf of us), licensors, sublicensees or transferees, any patent infringement or other intellectual property infringement claim with respect to such Services.”

Cloud security means new techniques, and opportunities

Cheap data and analysis. Cloud computing yields enormous data sets monetized by things like advertising. Companies holding the data are under intense pressure to anonymize their data, and fear bad publicity or subpoenas from data breaches. But anonymizing data and retaining utility is difficult.  See the 33Bits of Entropy blog dedicated to the topic.

Increased demand for authentication. If cloud computing takes off, personal, financial, and medical data will be hosted in the cloud.  Software applications hosted in the cloud will require usable and secure access control, both for consumers and enterprises. We’ll need higher-assurance authentication techniques outside the firewall, including semi-automated authentication from mobile devices.

For more on cloud computing security problems and opportunities, download our paper on “Controlling data in the cloud: outsourcing computation without outsourcing control”.

Related news: on “other ways that clouds could help provide security” in Technology Review November 2009

Comments (4)