Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS)
-
Upload
mstanislav -
Category
Documents
-
view
118 -
download
0
Transcript of Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS)
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
Privacy and Security Risks with CloudComputing Infrastructure (IaaS, SaaS)
Mark Stanislav
Abstract
Computing infrastructure management is often of huge cost in terms of
both manual labor to support and maintain, as well as capital expenditures
to continually purchase new machines and replacement parts.
Virtualization technology allows administrators to leverage third-party
resources in order to achieve similar infrastructure implementations for a
fraction of the cost. A mitigating factor of this infrastructure convenience
and cost saving, however, is much of the inherent security gained by self-
managing resources. While the days of IBM big-iron mainframe
computing is well behind us, shared-resource computing on a smaller
scale is quickly making an impact on the IT landscape.
As this shift in computing infrastructure becomes more prevalent, are we
prepared to handle the influx of new attack vectors and security concerns
that are a part of cloud computing?
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
The ubiquity of cost-efficient hardware resources has created a momentum behind
changing the infrastructure paradigm of “each service receives a separate server”. This unofficial
standard has sound reasoning behind it because it separates the failure of one piece of hardware
or security breach from other services. In modern computing, however, we are able to eliminate
the need to maintain 100 servers in a rack to separate 100 services. Rather, we are able to
consolidate those machines into, maybe, 10 high-performance, capacity-centric computing
powerhouses. This consolidation through virtualization technology grants us the ability to start
creating new avenues in infrastructure.
Infrastructure as a Service (IaaS) provides a variance of resources for everyone, from the
two-person web hosting company to the large enterprises, to take advantage of, allowing portions
or the totality of their computing infrastructure to be ran outside of their walls. By removing the
physical ownership of hardware resources and meshing in virtualization technologies, companies
are now able to pay for their computing needs on a usage basis with no worry of “what if our
hard drive dies?” or “how will we get a new fan for this server over-night?”. These traditional IT
concerns are now highly mitigated by professionals who have gigantic resources on hand with
huge fault-tolerance and redundancy in place that normal companies will never be able to attain.
However, just as every convenience in information technology has a trade-off in the realm of
security, IaaS has its own list of concerns for the security-conscious administrator or legal team.
Amazon’s cloud-computing offerings are far-and-away some of the most well-known
examples of what a company can take advantage of if they are in the market to off-set their
physical infrastructure with machines, databases, load balancers, and other technology into the
cloud. Take, for example, Amazon’s EC2 (Elastic Cloud Computing) infrastructure which uses
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
virtualization to allow technology consumers to quickly deploy hundreds of custom virtual
machines (VM) with no human interaction at all. More so, the cost of running these VM
deployments is predicated only on usage -- both bandwidth and system uptime. With such ease of
deployment and a juggernaut of an infrastructure company like Amazon behind the
implementation, it’s fairly simple to just shift your entire company onto their cloud platform. The
one cost not computed for you, however, is the one of security risk to your company’s
information and availability.
Amazon’s EC2 uses a well-known virtualization technology released by Citrix called
“Xen”. A quick introduction to this virtualization platform would make it known that through
using an administrative console (xm console <vm-id>), a system’s administrator is able to
remotely connect to a VM as if they were standing in front of the monitor directly attached to a
regular computer. It’s no secret that every computer has at least one administrator; but what
about a company like Amazon who may have hundreds or thousands of people tasked with
maintaing their impressive backend? A computer within your walls is accessible generally by
maybe a external hacker or a rogue insider, but what about letting random IT contractors have
full access to your systems, off-site, as much as they want? The image of security begins to
lessen with the cloud.
During the most recent Super Bowl, a digital marketing company utilized Amazon EC2
to help handle the slam of web traffic for clients who were advertising during the game. Because
of EC2, the millions of web site queries done in a small window was handled; a feat that would
have been near impossible without purchasing huge amounts of extra hardware that would be
used once and then sold. In this scenario, the client agreed to the usage of cloud computing to
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
help fulfill their request for service. A concern that should be at the front of cloud computing
discussions by IT staff everywhere is: what are the legal implications of storing customer data at
an unknown location, with unknown metrics of security, and unverified people administrating
those data storage devices?
In July of 2009, a hacker broke into Google Apps accounts of a Twitter administrative
assistant, compromising confidential company documents. Twitter, a giant in technology
themselves, used Google Apps to store and transfer files amongst company employees, using
Google’s resources in a “Software as a Service” (SaaS) manner, leveraging a component of
Google’s cloud offerings. Rather than simply setting up an internal company file-share that
would only be accessible on-site or through a VPN, Twitter opened themselves up to not only
having confidential data compromised, but potentially leaking methods to further compromise
their physical infrastructure. What if Twitter VPN credentials were part of the file-share?
Information security is often about mitigating threats, but in this example, Twitter actually
created brand-new vectors.
One aspect of EC2 that may seem innocuous is the usage of the 10/8 private network
space for virtual machines to conduct their network traffic through. Many systems administrators
may be familiar with locking-down threats of an external nature, but how much does the every-
day administrator know about internal network security? There’s a potential for administrators to
simply find and replace firewall rules for their transition from on-site hardware to the cloud,
forgetting that while they may have a public IP address, the actual network resource they are
connected to is in existence on Amazon’s virtual backplane. The ability to port-scan huge private
IP blocks is likely to turn up at least a few notable security vulnerabilities -- could one be a
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
Fortune 500 company? One threat of the cloud is simply the lacking knowledge of systems
administrators being unaware of maintaing tight enough security to leverage shared resources.
A study called “Hey, You, Get Off of My Cloud” speaks about how it was possible to
deploy virtual machines on Amazon’s infrastructure until one was co-resident of the same
hardware as a ‘target’ VM. Once a VM occupies the same hardware as a target, side-channel
attacks provide a possible avenue to compromise resources. More so, targeted Denial of Service
(DoS) attacks become a realization if machine RAM, CPU, cache, bandwidth, and other physical
resources can be overwhelmed by the guests through exploitation or aggressive usage. If a
potential attacker was able to surmise the location of a target’s virtual machine and gain co-
residency with enough VMs of their own, there is increased potential to internally DoS resources
that may have been done prior using large bot-nets and floods of internet traffic. The security
landscape changes and new attack vectors open as resources are less easily managed by those
who care most about their availability and reliability.
The east-coast power outage in 2003 made many aware of the fragility of our power grid
and, more so, the potential for that fragility to be used against us in an attack of terrorism. Before
that outage, most were oblivious to the concern that we need to more fervently strengthen this
core resource of daily life. Companies such as Rackspace and Amazon face large-scale
challenges to provide high-availability computing resources to millions of customers, each of
whom may have their own enemies and threats. While a company like eBay may be the constant
target of hackers and generalized attacks daily, a small, but profitable, internet company may
rarely see any sort of threats. By utilizing third-party consolidated infrastructure, those targeted
often and those targeted rarely are both now using the same machine. By being allocated to the
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
same bandwidth or computing resources, there is an increased chance that a small company who
never was threatened before may be the ever apparent “innocent bystander” in this new age of
computing with IaaS.
On the other-side of having a highly scalable infrastructure on a moment’s notice, there’s
a real threat of traditional bot-nets growing beyond their boundaries within cloud infrastructure.
Shell-hosting companies have often been a target of fraudulent credit card and PayPal account
abuse since they are able to provide remote system resources with no verification of the
“customer”. In order to create a virtual machine account with services such as Amazon EC2,
Rackspace Cloud, or even Grand Rapids, MI native Fivebean, all that is required is a few
minutes and a credit card. A scaled attack could be created if one stolen credit card was used to
instance thousands of virtual machines from a few companies. Multiply this threat with scripting
and hundreds of credit cards, and one consolidated attack could DoS gigantic computing
resources with the same ease as a regular infected-host bot-net. The need for protection now is
not just for those who use cloud computing resources, but those who could be attacked through a
planned abuse of their ubiquitous nature. This risk will only grow larger, as more Virtual Private
Server (VPS) companies come into play.
The landscape for cloud computing may be concerning for early adopters but efforts are
in place and growing to help make the cloud a better place for companies to exist in. CloudAudit/
A6 aims to provide “a common interface and namespace that allows cloud computing providers
to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS),
platform (PaaS), and application (SaaS) environments”. The CloudAudit/A6 effort includes
members who work for companies such as Cisco, Telus, Google, VMWare, Microsoft, Akamai,
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
and other giants of technology. The Cloud Security Alliance (CSA) also exists to provide
guidance in best practices around cloud services and infrastructure for companies. They aim to
create consensus around guidelines to take confusion out of how to handle this emerging
juggernaut of computing. The CSA membership includes employees of eBay, ING, Sallie Mae,
Sun, RSA Security, Visa, McAfee, and PGP. Recommendations for standards also exist, such as
SAS70 and ISO27001, until full cloud-specific ones are created.
It’s unlikely that even a large-scale cloud computing comprise will stop its momentum.
Ideas which save money and man-power will always be hard to say no to. The downfall of
mainframe computing was that in order to utilize it, you had to have huge machines consuming
lots of power and exorbitant service contracts. In our modern computing era, those issues are
gone, and, once again, we return to a shared resources model of computing -- simpler and more
elegant than ever. The benefits to cloud computing are too vast to ignore, and, as most concerns
in information security, a decision for any participant in the paradigm shift will be the same as
always: how much convenience do we require to part with some of our security? Hopefully,
groups such as CloudAudit/A6 and CSA will provide that answer sooner than later.
5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...
http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu
References
Binning, D. (2009). Top five cloud computing security issues. Retrieved March 10, 2010 from
ComputerWeekly.com: http://www.computerweekly.com/articles/2010/01/12/235782/top-five-
cloud-computing-security-issues.htm.
Brodkin, J. (2008). Gartner: Seven cloud-computing security risks. Retrieved March 12, 2010from InfoWorld: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-
security-risks-853.
Cloud computing security. (2010). In Wikipedia, The Free Encyclopedia. Retrieved March 29,
2010, from http://en.wikipedia.org/w/index.php?
title=Cloud_computing_security&oldid=352128529
Keizer, G. (2009). Hacker break-in of Twitter e-mail yields secret docs. Retrieved March 10,
2010from ComputerWorld: http://www.computerworld.com/s/article/9135591/
hacker_break_in_of_twitter_e_mail_yields_secret_docs.
Messmer, E. (2009). Cloud Security Alliance formed to promote best practices . Retrieved March
10, 2010 from NetworkWorld: http://www.networkworld.com/news/2009/033109-cloud-
security-alliance.html.
Ristenpart, T.,Savage, S., Shacham, H., & Tromer, E. (2009). Hey, You, Get Off of My Cloud!
Exploring Information Leakage in Third-Party Compute Clouds . Retrieved March 15, 2010
from 16th ACM Conference on Computer and Communications Security: http://
cseweb.ucsd.edu/~hovav/papers/rtss09.html.
Vizard, M. (2010). Gauging Cloud Security. Retrieved March 15, 2010 from CTOEdge: http://
www.ctoedge.com/content/gauging-cloud-security.