Cloud Security: Basics
Cloud providers consolidate access to many consumers’ data, or should we say victims’ data into a single point of (hacking) entry. Recently, the major popular clouds have increasingly become the focus of attacks by hackers. IT organizations may think that their legal liability can be outsourced, but total misconception. The contract with the IaaS vendors includes security obligations, however it does not negat the liability of the software vendor as the responsibe party. So rather than focusing on contracts and limiting liability in cloud services deals, the SaaS vendor must focus on controls and audit-ability.
The different types of cloud consumers, from the ISV that uses Amazon AWS, to the small business that uses online tools all the way to the end on-line users, have become “security smart”.They carefully consider the security of the online services they use. Today, simple on-line users verify the “https” on the URL of a credit card submission web page and may even use the browser to check the SSL vendor credibility. Software enterprise customers already have the skills to measure service security by performing frequent penetration tests to systems security’s roots. A service that fails the security tests even once harms its reliability in the long term.
The unity of the cloud enables environment hardening and better automation of security and disaster recovery procedures. On the other hand the cloud enables mobile applications to keep all the data in the cloud and thereby actually protect the data of stolen and lost devices. The economies of scale allow the IaaS vendor to invest in its security expertise which allows the dedicated security team to concentrate exclusively on the security issues. The cloud complexity is build from shared multi-tenant layers. When combined with the fact that hackers know exactly where that data stored, this presents the hacker with a lot more opportunities in the cloud environment. In principle one small breach in an unsecured cloud can enable a hacker to get a hold on an endless amount of data and computing resources. Today there are already stories about an existing black market for cloud machines.
| Cloud Security Upside | Cloud Security Downside |
| Staff skills and specialization | System complexity |
| Platform strength | Shared multi-tenant environment |
| Resource availability | Internet-facing Services |
| Backup and recovery | Loss of control |
| Mobile endpoints | Botnet of hackers |
| Cross data center | Mechanism cracking |
Source: DRAFT Cloud Computing Synopsis and Recommendations BY by NIST
In April this year, a study conducted by independent research firm Ponemon Institute and sponsored by CA Technologies, surveyed 127 cloud service providers in the U.S and Europe, representing a mix of vendors from the three cloud layers i.e, IaaS, PaaS and SaaS. According to this report, 32% of both cloud users and cloud providers believe that the cloud provider is most responsible for ensuring the security of cloud services. In sharp contrast, 69% of IaaS providers see the cloud users as most responsible for security, while only 35% of users believe they are most responsible for ensuring security. You are welcome to check the Amazon AWS and IBM SmartCloud security white papers to get an idea of what to expect.
Today software developers are still unaware of all the risks and the need to plan their services’ security. Relying on the IaaS vendors Software developers sometimes will push the security issue to the bottom of their priorities. This is strengthened when the vendor claims not to save any important data. One of the SaaS vendors we recently talked with said:
“We don’t save any important data on the servers such as credit cards number or personal details of our subscribers”.
The cloud strengthens a common security issue where the bad guys just want to install their service and use the cloud machines as additional resources to be exploited for their own interests, such as virus distribution and running some illegal computations tasks. The endless cloud resources enable the software developer an enormous range of new options, where complicated computational tasks can be done within minutes instead of days or weeks in the traditional IT world. This huge advantage can become a huge disadvantage in regards to the cloud’s security; in fact, it decreases the effectiveness of cryptography or any other software security mechanisms. Such a case happened in May this year when servers owned by Amazon were used as a staging area for the hack that caused severe harm to Sony’s online entertainment network.
One of the leading orgnization attempting to develop and define industry regulations standards is NIST, an agency of the U.S. Department of Commerce. Additionally you can find efforts being made by IEEE and DTMF to create cloud industry standards. The following list presented in the NIST report highlights privacy and security related issues that are believed to have long-term significance in the long term for the cloud computing industry:
1. Governance - The cloud infrastructure provider and its customers will need to adopt audit tools and procedures to manage and monitor how data is stored, protected, and used in order to verify enforcement of the rules defined.
2. Compliance - Accommodation of regulations and laws defined. Slowly but surely we come to see new cloud standards that are evolving. The software vendor should consider its own compliance together with its IaaS vendor. The most popular known are the ISO 27001 and the SAS 70 audit statements. There are also specific standards for government organizations (FISMA, NARA) or for specific industries such as HIPAA or PCI DSS.
3. Trust - There must be a tight collaboration of the cloud providers in the IaaS and the PaaS layers but this doesn’t mitigate the responsibility of the SaaS vendor to make sure that the arrangements be disclosed in advance of closing the agreement with its different cloud service providers.
3 - Architecture - Virtualization adds another layer of risks, including the virtual machine, network, ancillary data (such as machine images data), and application security (both server and client sides).
4 - Identity and Access Management - unauthorized access to cloud resources (including SaaS applications) puts data security and privacy at risks. In recent years new standards have been developed such as SMAL to identify the user and XACML to control access to resources.
5 - Data protection - The cloud share environment brought a new risk where an outsider user can potentially view others data. We can imagine a security problem for a SaaS vendor where one customer can view its competitor’s data - scary isn’t it ?! Data must be isolated, secured and encrypted while at rest, in transit or in use. Also standard communications protocols and certificates allow the data transferred to be protected and encrypted.
6 - Incident response - Security monitoring is vital on all the cloud layers. The service vendors must monitor and maintain response procedures in case of attack. Cloud consumers must frequently test their service providers (i.e. penetration tests) to make sure that their services meet both compliance and SLA requierments.
There are still no strict standards in today’s. Following discussions with market participants from IaaS vendors to security deployment vendors all the why to the consumers, we understand that each new cloud adapter must first understand and evaluate the risks, and plan every effort to achieve the security level that fits the service.
