Cloud Computing
Security Considerations
Some Cautions About Today's Talk/Topic
• As you likely already know, there's a LOT of hype associated with
cloud computing. I'm sorry about that (but I can't fix that)
• Cloud computing is a huge topic. It encompasses diverse models
and technologies, even though users and the trade press tend to
lump them under a common name. Covering all potential security
issues in 20 minutes is simply impossible.
• For that matter, please note that we're still discovering many of
the security issues which will challenge cloud computing!
• Why? In part, that's because cloud computing is still a work-in-
progress. Because it is rapidly evolving, what I tell you today may
quickly become irrelevant or obsolete.
• Nonetheless, there's so much thrust behind cloud computing that
we simply don't have the option of sitting back and waiting to
understand and address cloud computing security issues.
What's Driving Cloud Computing? Drivers Include…
• Thought leaders: Amazon, Google, Microsoft and many other
Internet thought leaders have all aligned behind the cloud
• The economy: Because cloud computing should theoretically help
sites avoid major new capital expenditures (capex) while also
controlling some ongoing operational expenses (opex), cloud
computing is potentially a "lifesaver" for financially strapped
businesses, including many major universities.
• The Feds: Cloud computing has substantial momentum in
Washington DC: it was featured in the just-released federal IT
budget; Vivek Kundra, the federal CIO, has championed creation of
[Link], a “one-stop shop” for cloud computing services
for federal agencies; DISA has created a very successful cloud
computing project called "RACE;" and Howard Schmidt, the new
federal cyber security coordinator, has said that securing cloud
computing will be a top priority.
[Link] (Currently a Bit of A Work In Progress)
DISA's RACE
Our Community Is Also Pressing Ahead
• Cloud computing seems to be turning up on pretty much every
networking and security mailing list I'm on
• You've heard/will be hearing a number of cloud computing talks
during this week's meeting, which is probably not surprising since
cloud computing was one of Joint Tech's explicit focus areas.
• But I'm seeing clouds everywhere.
"Cyberinfrastructure Visualized:"
A Cloud, With Lots of "Security" References
Why Is "Security" Everywhere on That Slide?
• Security is generally perceived as a huge issue for the cloud:
During a keynote speech to the Brookings Institution policy
forum, “Cloud Computing for Business and Society,” [Microsoft
General Counsel Brad] Smith also highlighted data from a survey
commissioned by Microsoft measuring attitudes on cloud
computing among business leaders and the general population.
The survey found that while 58 percent of the general
population and 86 percent of senior business leaders are excited
about the potential of cloud computing, more than
90 percent of these same people are concerned about the
security, access and privacy of their own data in
the cloud.
[Link]
Another Data Point for Clouds and Security
Source: [Link] at slide 17
Cloud Computing Is Many Different
Things to Many Different People
• All of the following have been mentioned from time to time as
examples of “cloud computing:”
-- Amazon Web Services including the Elastic Compute
Cloud (EC2), Amazon Simple Storage Service (S3), etc.)
-- Rackspace Cloud (formerly Mosso)
-- Google’s App Engine
-- Windows Azure Platform (production/for-fee as of today!)
-- the OGF (including its Open Cloud Computing Interface)
-- SETI@Home, Folding@Home, [Link], etc.
-- outsourced campus email service (to Gmail or [Link]),
or outsourced spam filtering (e.g., to Postini or Ironport)
-- use of virtualization (e.g., VMware) to host departmental
systems either on local servers, or on outsourced VPS
• In reality, some of those activities are not (strictly speaking) what's
usually defined as "cloud computing."
Some Generally Accepted Characteristics
• Most people would agree that true cloud computing…
-- usually has low or zero up front capital costs
-- largely eliminates operational responsibilities (e.g., if a disk
fails or a switch loses connectivity, you don’t need to fix it)
-- for the most part, cloud computing eliminates knowledge of
WHERE one’s computational work is being done; your job
is being run “somewhere” out there in the “cloud”
-- offers substantial elasticity and scalability: if you initially
need one CPU, that’s fine, but if you suddenly need 999
more, you can get them, too (and with very little delay!)
If/when demand drops, you can scale your usage back, too
-- cloud computing leverages economies of scale (running
mega data centers with tens of thousands of computers is
far less expensive (per computer) than running a small
machine room with just a modest cluster of systems)
Some "Clouds" Won't Necessarily
Have All of Those Characteristics
• For instance, if your site is running a local private cloud:
-- there WILL be capital expenditures up front,
-- you (or someone at your site) WILL still care about things
like hardware failures, and
-- you likely WON'T have the illusion of a seemingly infinite
inventory of processors (or memory or disk)
Nonetheless, a local private cloud service may functionally work
the same way as a public cloud service, and hybrid cloud models
may even combine private and public cloud services in a fairly
seamless way.
• Ubuntu's enterprise cloud offering is a nice example of this.
So What About Security in the Cloud?
In Some Ways, "Cloud Computing Security"
Is No Different Than "Regular Security"
• For example, many applications interface with end users via the
web. All the normal OWASP web security vulnerabilities
-- things like SQL injection, cross site scripting, cross site request
forgeries, etc., -- all of those vulnerabilities are just
as relevant to applications running on the cloud as they are to
applications running on conventional hosting.
• Similarly, consider physical security. A data center full of servers
supporting cloud computing is internally and externally
indistinguishable from a data center full of "regular" servers. In
each case, it will be important for the data center to be physically
secure against unauthorized access or potential natural disasters,
but there are no special new physical security requirements which
suddenly appear simply because one of those facilities is
supporting cloud computing
There Are Some Unique Cloud-Related Areas Which We're
NOT Going To Worry About Today
• Contracting for Cloud Services: Even though contractual terms
(including things like SLAs) can be used to mitigate some risks, I'm
not a lawyer, and I'm not going to pretend to be one, so we're not
going to cover issues related to contracting for cloud services.
Fortunately, NACUA did a great job discussing this topic in a recent
seminar, see
[Link]/meetings/VirtualSEminars/december2009/[Link]
• Compliance, Auditing and eDiscovery: Because this meeting is
primarily about research and education, not business processes
and university administration, we will not consider the potential
need for cloud computing to be compliant with Payment Card
Industry security standards, FERPA, HIPAA, GLBA, or other related
compliance mandates.
• So what are some cloud-related security issues?
The "A" in The Security "C-I-A" Objectives
• Computer and network security is fundamentally about three
goals/objectives:
-- confidentiality (C)
-- integrity (I), and
-- availability (A).
• Availability is the area where cloud based infrastructure appears
to have had its largest (or at least most highly publicized)
challenges to date.
• For example, consider some of the cloud-related
outages which have been widely reported…
Bitbucket, DDoS'd Off The Air
Maintenance Induced Cascading Failures
It's Not Just The Network: Storage Is Key, Too
See [Link]
However, see also: Microsoft Confirms Data Recovery for Sidekick Users
[Link]
And Let's Not Forget About Power Issues
Mitigating Cloud Computing Availability Issues
• Risk analysts will tell you that when you confront a risk, you can try
to eliminate the risk, you can mitigate/minimize the impact of the
risk, or you can simply accept the risk.
• If you truly require non-stop availability, you can try using multiple
cloud providers, or you could use public and private cloud nodes to
improve redundancy.
• Some cloud computing services also offer service divided into
multiple "regions." By deploying infrastructure in multiple regions,
isolation from "single-region-only" events (such as the power
outage mentioned previously) can be obtained.
• Availability issues may also be at least partially mitigated at
the application level by things like local caching.
• Sometimes, though, it may simply make financial sense for you to
just accept the risk of a rare and brief outage. (Remember: 99.99%
availability ==> 52+ minutes of downtime per year.)
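To put numbers on the redundancy options above, here is an added example in Python (not code from the original talk). It computes the downtime budget implied by an availability figure, and the availability of replicas in parallel (several regions or providers) versus dependencies in series. The `shared_dependency` term is an assumption of this example: it models the cascading-failure case, where one DNS zone, control plane or maintenance window sits in front of every region and takes them all down at once.

```python
"""Availability arithmetic for multi-region / multi-provider redundancy (added example)."""
from math import prod

MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960


def downtime_minutes_per_year(availability: float) -> float:
    """Unavailable minutes per year implied by an availability fraction, e.g. 0.9999."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * MINUTES_PER_YEAR


def series(components) -> float:
    """Every component must be up: app -> provider network -> provider storage."""
    return prod(components)


def parallel(replicas) -> float:
    """At least one replica must be up, assuming the replicas fail independently."""
    return 1.0 - prod(1.0 - a for a in replicas)


def redundant_deployment(replicas, shared_dependency: float = 1.0) -> float:
    """Replicas in parallel, but behind something they all share.

    shared_dependency is an ASSUMED availability for whatever is common to all
    replicas (DNS, the provider's control plane, the same maintenance window).
    1.0 means nothing is shared, i.e. pure independence.
    """
    return series([shared_dependency, parallel(replicas)])


if __name__ == "__main__":
    print(f"99.99% alone: {downtime_minutes_per_year(0.9999):.1f} min/yr")
    two_regions = redundant_deployment([0.999, 0.999])
    print(f"two 99.9% regions, independent: "
          f"{downtime_minutes_per_year(two_regions):.2f} min/yr")
    shared = redundant_deployment([0.999, 0.999], shared_dependency=0.9999)
    print(f"same two regions behind a 99.99% shared dependency: "
          f"{downtime_minutes_per_year(shared):.1f} min/yr")
```

The third line of output is the one worth remembering: two 99.9% regions would give about half a minute of downtime a year if they were truly independent, but a single 99.99% dependency in front of both drags the whole deployment back to roughly 53 minutes a year, which is worse than the single-region figure on the slide. Multi-region only helps against single-region-only events.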
Mitigating Data Loss Risks
• The risk of data loss (as in the T-Mobile Sidekick case) is an
exception to the availability discussion on the preceding slide.
Users may be able to tolerate an occasional service interruption,
but non-recoverable data losses can kill a business.
• Most cloud computing services use distributed and replicated
global file systems which are designed to ensure that hardware
failures (or even loss of an entire data center) will not result in any
permanent data loss, but I believe there is still value in doing a
traditional off site backup of one's data, whether that data is in use
by traditional servers or cloud computing servers.
• When looking for solutions, make sure you find one that backs up
data FROM the cloud (many backup solutions are meant to back up
local data TO the cloud!)
Cloud Computing And Perimeter Security
• While I'm not a huge fan of firewalls (as I've previously discussed
at the Spring 2008 I2MM in "Cyberinfrastructure Architectures,
Security and Advanced Applications," see
[Link] ), at
least some sites do find value in sheltering at least some parts of
their infrastructure behind a firewall.
• There may be a misconception that cloud computing resources
can't be sheltered behind a firewall (see for example "HP's Hurd:
Cloud computing has its limits (especially when you face 1,000
attacks a day)," Oct 20th, 2009, [Link]
p=26247 )
• Contrast that with "Amazon Web Services: Overview of Security
Processes" (see the refs at the back). AWS has a mandatory
inbound firewall configured in a default deny mode, and
customers must explicitly open ports inbound.
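A default-deny inbound firewall only protects you until someone opens the wrong port to the world, so the practical check is an audit of the rules you have added. Here is an added example in Python (not from the talk or from AWS) that walks security group JSON in the shape returned by `aws ec2 describe-security-groups` and flags rules open to 0.0.0.0/0 or ::/0, treating world-open administrative ports and "all traffic" rules as high severity. The group IDs, names and rules in `SAMPLE` are constructed for the example; the `ADMIN_PORTS` list is this example's own choice, not a provider standard.

```python
"""Audit security group ingress rules for world-open exposure (added example)."""
import ipaddress
import json

# Ports this example treats as administrative / not for public exposure (assumption).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0d4e5f6a", "GroupName": "db-tier", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0b7c8d9e", "GroupName": "batch-workers", "IpPermissions": []}
]}
""")


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a /0 prefix matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_of(perm: dict) -> tuple:
    """Port range of a permission; IpProtocol "-1" means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def audit(groups: dict) -> list:
    """Return one finding per rule that is reachable from the whole Internet."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            lo, hi = ports_of(perm)
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if not is_world_open(cidr):
                    continue  # scoped to a specific network; fine for this audit
                exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if perm.get("IpProtocol") == "-1":
                    sev, why = "high", "all protocols/ports open to the world"
                elif exposed:
                    sev, why = "high", ("admin ports open to the world: "
                                        + ", ".join(ADMIN_PORTS[p] for p in exposed))
                else:
                    sev, why = "info", f"ports {lo}-{hi} open to the world (public service?)"
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                 "cidr": cidr, "ports": (lo, hi),
                                 "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    # In real use, replace SAMPLE with json.load(sys.stdin) fed from
    # `aws ec2 describe-security-groups`; nothing here talks to the network.
    for f in audit(SAMPLE):
        print(f"[{f['severity']}] {f['group']} ({f['name']}) "
              f"{f['ports'][0]}-{f['ports'][1]} from {f['cidr']}: {f['reason']}")
```

Running it on the constructed sample reports the public HTTPS listener as informational and two high-severity findings: SSH open to the world on the web tier, and an all-traffic rule on the database tier that silently undoes the carefully scoped PostgreSQL rule next to it. Order matters in that second case only for the reader; the firewall evaluates the union of the rules.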
Cloud Computing & Host-Based Intrusion Detection
• While I'm not very enthusiastic about firewalls, I am a big fan of
well-instrumented/well-monitored systems and networks.
• Choosing cloud computing does not necessarily mean forgoing
your ability to monitor systems for hostile activity.
One example of a tool that can help with this task is OSSEC (the
Open Source Host-Based Intrusion Detection System), an IDS
which supports virtualized environments.
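The core of what a host-based IDS such as OSSEC does on an instance is file-integrity checking: hash a baseline of the files you care about, then periodically re-hash and report what was added, removed or modified. Here is an added example in Python that implements that check from scratch (it is not OSSEC code and does not use its file formats). The mini filesystem it builds under a temporary directory, and the tampering it then simulates, are constructed for the example.

```python
"""Minimal file-integrity check in the style of a HIDS syscheck (added example)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before: dict, after: dict) -> dict:
    """Classify differences between two baselines."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo() -> dict:
    """Build a constructed mini filesystem, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
            "var/log/auth.log": "Jan  1 00:00:00 host sshd[1]: Accepted publickey for admin\n",
        }.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)

        before = baseline(root)  # in real use, ship this OFF the instance

        # Constructed tampering: weaken sshd, plant a hidden binary, wipe a log.
        (root / "etc/ssh/sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "usr/local/bin").mkdir(parents=True)
        (root / "usr/local/bin/.helper").write_bytes(b"\x7fELF constructed stub")
        (root / "var/log/auth.log").unlink()

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Two points this makes that the bullet above does not: the baseline is only worth anything if it is stored and compared somewhere the instance cannot alter (a central server, as OSSEC's agent/manager split does), and on an elastic cloud fleet the baseline has to be taken from a known-good image rather than from whatever the instance looks like after it has been running for a while.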
Cloud Computing Also Relies
on the Security of Virtualization
• Because cloud computing is built on top of virtualization, if there
are security issues with virtualization, then there will also be security
issues with cloud computing.
• For example, could someone escape from a guest virtual machine
instance to the host OS? While the community has traditionally
been somewhat skeptical of this possibility, that changed with
Blackhat USA 2009, where Kostya Kortchinsky of Immunity Inc.
presented "Cloudburst: A VMware Guest to Host Escape Story",
see
[Link]
[Link]
• Kostya opined: "VMware isn't an additional security layer, it's just
another layer to find bugs in" [put another way, running a
virtualization product increases the attack surface]
Choice of Cloud Provider
• Cloud computing is a form of outsourcing, and you need a high
level of trust in the entities you'll be partnering with.
• It may seem daunting at first to realize that your application
depends (critically!) on the trustworthiness of your cloud
providers, but this is not really anything new -- today, even if
you're not using the cloud, you already rely on and trust:
-- network service providers,
-- hardware vendors,
-- software vendors,
-- service providers,
-- data sources, etc.
Your cloud provider will be just one more entity on that list.
Cloud Provider Location
• You actually want to know (roughly) where your cloud lives.
• For example, one of the ways that cloud computing companies
keep their costs low is by locating their mega data centers in
locations where labor, electricity and real estate costs are low, and
network connectivity is good.
• Thus, your cloud provider could be working someplace you
may never have heard of, such as The Dalles, Oregon,
where power is cheap and fiber is plentiful, or just as easily
someplace overseas.
• If your application and data do end up at an international site,
those systems will be subject to the laws and policies of that
jurisdiction. Are you comfortable with that framework?
• Are you also confident that international connectivity will remain
up and uncongested? Can you live with the latencies involved?
Cloud Provider Employees
• If you're like most sites, you're probably pretty careful about the
employees you hire for critical roles (such as sysadmins and
network engineers). But what about your cloud provider? If your
cloud provider has careless or untrustworthy system
administrators, the integrity/privacy of your data's at risk.
• How can you tell if your cloud provider has careful and trustworthy
employees? Ask them!
-- Do backgrounds get checked before people get hired?
-- Do employees receive extensive in-house training?
-- Do employees hold relevant certifications?
-- Do checklists get used for critical operations?
-- Are system administrator actions tracked and auditable on
a post hoc basis if there's an anomalous event?
-- Do administrative privileges get promptly removed when
employees leave or change their responsibilities?
Cloud Provider Transparency
• You will only be able to assess the sufficiency of cloud provider
security practices if the cloud provider is willing to disclose its
security practices to you.
• If your provider treats security practices as a confidential or
business proprietary thing, and won't disclose their security
practices to you, you'll have a hard time assessing the sufficiency
of their security practices. Unfortunately, you may need to
consider using a different provider.
• Remember: "Trust, but verify." [A proverb frequently quoted by
President Reagan during arms control negotiations]
• I'm not known for being a big Microsoft cheerleader, but Microsoft
deserves recognition for promoting both their Cloud Computing
Advancement Act and pressing cloud vendors to police themselves
when it comes to transparency. See
[Link]/presspass/presskits/cloudpolicy/
An Example of The Wrong Approach
Source: [Link]
[Link]
Provider Failures Are Also A Real Possibility
• Even for a red-hot technology like cloud computing, there is no
guarantee that your providers will financially survive. What will
you do if your provider liquidates?
Pen Testing; Working Incidents In The Cloud
• Standard pen testing processes which you may use on your own
infrastructure may not be an option in an outsourced environment
(the cloud provider may not be able to distinguish your tests from
an actual attack, or your tests may potentially impact other users in
unacceptable ways)
• If you do have a security incident involving cloud-based operations,
how will you handle investigating and working that incident? Will
you have the access logs and network traffic logs you may need?
Will you be able to tell what data may have been exfiltrated from
your application?
• What if your system ends up being the origin of an attack? Are you
comfortable with your provider's processes for disclosing
information about you and your processes/data?
OECD, The Cloud, and Privacy
Cloud Computing and Public Policy, 14 October 2009
[Link]