Let’s face it: the information that the critical infrastructure and corporations need to secure will continue to move into private and/or public cloud infrastructures. It’s an unstoppable trend, squeezing efficiencies out of technology and creating the new normal for performance, agility, accessibility and cost containment.
But it is hard to find someone who feels that cloud-based and virtualized infrastructures inherently improve security. In theory, it COULD improve operations, and thus security, by improving operational efficiencies, providing sophisticated fault tolerance, and reducing the mean time to rebuild (rather than repair). But, regardless of the cloud model—software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS)—the very nature of the cloud approach introduces a wide range of vulnerabilities, some we know about and some that time will reveal.
The challenges, however, keep raising concerns to the CxO level, tempering adoption and begging the questions: “Who really knows the risks here? Who can I trust and what skills do we need to mitigate risk in the context of this new paradigm?”
Three key issues I have identified are:
Problem #1—The Multi-Tenant Issue: To maximize resource utilization and performance, the cloud play allows for everyone to share some underlying hardware. Unless security is designed in from the bare metal up, and can be tested against, CIOs of federal agencies and Fortune 500 companies don’t love the idea of their top secrets sitting on the same hard drive or operating on the same switch as some other unknown organization.
Solution Set—Several large vendors have come together in different teams to offer solutions integrating shared processes and designs that provide assurances for tenants hosted on the same physical platform. One of the most active partnerships involves Cisco, NetApp and VMware, who have collaborated on a validated architecture that they call “Secure Multi-Tenancy”. Fast Lane has developed an intensive course on designing and implementing Secure Multi-Tenancy.
Problem #2—The Collapsing of Roles: A key principle of Information Security, the Separation of Duties, can be intrinsically broken by the move to a virtualized, cloud-based infrastructure. For example, whose responsibility is the “virtual” network between hosts on the same blade? The Virtual Administrator now has, potentially, the keys to the kingdom.
Solution Set—While good policy, procedure and practice can offset this, the virtualized architecture itself can encourage a breakdown of segregated duties and the flattening of the networks. Good training on security fundamentals, together with policy enforcement that is auditable, supports maintaining a separation of duties. Third-party virtualization applications like Catbird’s vSecurity solution set address separation of duties and provide extensive auditing riding on top of the hypervisor.
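As an added illustration of the auditable policy enforcement just described (example code, not from Catbird, VMware or this article's author), the following Python flags identities whose audited actions span duties a policy keeps separated, i.e. the collapsed “virtual admin” role; the log format, the duty mapping and the sample events are all constructed.

```python
"""Separation-of-duties check over a constructed hypervisor audit trail.
Added illustration, not code from Catbird, VMware or the article's author;
log format, duty sets and sample events are all constructed."""
from collections import defaultdict

# Which duty each audited action belongs to (constructed mapping).
DUTY_OF_ACTION = {
    "vswitch.modify": "network", "portgroup.modify": "network",
    "vm.reconfigure": "compute", "vm.clone": "compute",
    "datastore.mount": "storage", "datastore.delete": "storage",
    "audit.log.clear": "audit", "audit.role.modify": "audit",
}
# Duty pairs policy says one identity must never hold together (constructed).
CONFLICTING = {frozenset(p) for p in [
    ("network", "compute"), ("compute", "storage"),
    ("audit", "network"), ("audit", "compute"), ("audit", "storage")]}

def parse_event(line):
    """'TS user=U action=A target=T' -> dict (constructed format)."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = ts
    return ev

def sod_violations(lines):
    """Return {user: [sorted duty pairs]} for identities whose actions span
    duties that policy keeps separated, i.e. the collapsed 'virtual admin'."""
    held = defaultdict(set)
    for ev in (parse_event(ln) for ln in lines if ln.strip()):
        duty = DUTY_OF_ACTION.get(ev["action"])
        if duty:                      # unmapped actions are ignored, not errors
            held[ev["user"]].add(duty)
    return {u: sorted(tuple(sorted(p)) for p in CONFLICTING if p <= d)
            for u, d in held.items()
            if any(p <= d for p in CONFLICTING)}

# Constructed sample audit lines: vmadmin2 touches network, compute and storage.
SAMPLE_LOG = """\
2010-03-01T08:02:11Z user=netops1 action=vswitch.modify target=vSwitch0
2010-03-01T08:05:40Z user=vmadmin2 action=vm.reconfigure target=db-prod-01
2010-03-01T08:07:03Z user=vmadmin2 action=portgroup.modify target=pg-dmz
2010-03-01T08:09:55Z user=vmadmin2 action=datastore.mount target=ds-finance
2010-03-01T08:15:20Z user=auditor1 action=audit.role.modify target=vmadmin2
""".splitlines()

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_LOG).items():
        print(f"SoD violation: {user} holds {' and '.join('+'.join(p) for p in pairs)}")
```

In practice the duty mapping would be driven by the organization's role definitions and the log lines by the hypervisor's own audit export; the point is that the check is mechanical and repeatable, which is what makes the policy auditable.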
Problem #3—Compliance requirements are outdated: Jay Heiser at Gartner notes that current organizational certifications, such as SAS 70 or ISO 27001/2, have yet to catch up with the new architectural issues found in the cloud. This is of course a moving target, but the speed of adoption of virtualized environments means that vulnerabilities will creep in where lazy internal auditing rules the day. Lack of accountability leads to exploited vulnerabilities.
Solution Set—While some of the regulations are still catching up, one can look to some federal agencies and standards bodies for guidance. DISA has had a VMware ESX STIG (Security Technical Implementation Guide) since 2008 (http://iase.disa.mil/stigs/stig/index.html). The PCI DSS is said to be updating its requirements to address cloud computing and virtualization. And the “Cloud Security Alliance” released version 2.1 of their guidance this past December. Their work is likely to be reflected or referenced among the other compliance regimes, much like the OWASP guidelines are referenced by FISSEA and PCI. Organizations with compliance concerns should ensure that their security and audit teams integrate these emerging standards into practice, regardless of the lag in requirements.
The Cloud Security Alliance (CSA) has also recently released a report entitled “Top Threats to Cloud Computing, Version 1.0” (http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf), identifying seven areas which I paraphrase below (these are not in order of severity). It’s important to note that while the CSA includes security service and product providers that are in line to benefit from attention on the challenges of secure cloud computing, the list of contributors also includes top security professionals from cloud service providers like Rackspace and eBay.
- Abuse and Nefarious Use of Cloud Computing: For example, IaaS providers have seen their services used for botnet attacks, and as a result of spam, whole IP address ranges of these hosts have been publicly blacklisted.
- Insecure Application Programming Interfaces: Reliance on the cloud provider’s API is only as secure as the code behind it.
- Malicious Insiders: This threat vector is amplified in the cloud environment. Think of it this way: the exposed threat surface just got way more complex, and sloppy internal controls, plus poor vendor management, can add up to a whole new layer of vulnerabilities.
- Shared Technology Vulnerabilities: If the CPU underlying the IaaS solution is found to have vulnerabilities, it’s conceivable that the hypervisor could allow escalated privilege access to VMs from the Host OS (these types of flaws have occurred in VMware and other hypervisors and will likely happen again).
- Data Loss/Leakage: The Cloud Security Alliance recognizes that the threat of data compromise is increased in the cloud due to unique issues with cloud architecture, and advises a very tight approach to AAA controls.
- Account, Service & Traffic Hijacking: The CSA does not provide a great amount of info as to why the threat surface is increased here, but we can imagine plenty of scenarios where an instantiation of a cloud presence is under less scrutiny from an audit perspective, and leads to new threats or vantage points for further attacks.
- Unknown Risk Profile: To put it simply, there are the threats that you know about and there are the threats that you don’t know about, and of the two the latter is much scarier.