Virtualization Concerns and the Cloud

2 04 2013

Introduction

With the sonic boom of Cloud, today’s CIOs are tripping over themselves to hastily push as many of their technology initiatives as possible into the Cloud. Cloud computing has become the modern-day penicillin for technology challenges, allowing the Enterprise CIO to mitigate CAPEX, leverage performance-driven offerings and transfer the operation, management and maintenance of infrastructure to a Cloud services provider. While on the surface this sounds like motherhood and apple pie, it is imperative that IT leaders peel back the layers and ensure they know exactly what they are, and aren’t, buying and understand the underlying platforms supporting their IT systems and how they are delivered. Virtualization, especially on shared platforms, inherently has a breadth of security concerns that require ongoing management, regardless of whether systems are insourced or outsourced. Most importantly, as security professionals, it is our job to ensure our companies aren’t sacrificing security principles while migrating into this modern-day consumption model.

Exploring Some Basic Virtualization Concerns

The vast majority of Cloud products are built on a layer of clustered physical hardware running a hypervisor that enables virtualization, or support for multiple virtual machines (VMs), on a single physical chassis. Thus, the hypervisor abstracts the hardware and software layers, allowing the underlying server infrastructure to provide the processing power and memory while, in many cases, the VMs cohabitate on both (Vasudevan, McCune and Qu). Due to the structure and interaction of the VMs with the hypervisor, and then of the hypervisor with the common hardware elements of the server’s computing architecture, there is constant concern around the potential vulnerabilities that this common binding can create. Some of the key areas of concern rooted in the virtualization hierarchy include: 1) Trojaned virtual machines, 2) improperly configured security, 3) improperly configured hypervisors and 4) data leakage through offline images (Cox). A brief outline of each of these potential vulnerabilities is provided below so that a better understanding of the risk can be gained.

A key concern for any virtualized Cloud consumer should be Trojan machines. A Trojan machine can take one of many different forms, but for the purposes of this blog these include an infected VM image file, a VM image file that contains malicious code, or a VM sharing a common physical platform for the purposes of reconnaissance and/or attacking another VM. A recent Trojan, Crisis, discovered by Kaspersky Lab in July 2012, is able to replicate itself into a VM instance (Rashid). While this was the first known Trojan that specifically attacks virtual machines, it is a reasonable assumption that this will be a lucrative target moving forward (Rashid). Additionally, attacks aren’t always malicious or intentional. It was reported that Amazon Cloud customers determined that one of the Amazon Machine Images (AMIs) that are part of their community image library, used as base images for their Cloud service, was compromised (Cox). In this case, the compromised image was not being distributed intentionally, yet customers were using a compromised machine from their initial installation. Lastly, it is conceivable that a virtual machine running on a common hypervisor and physical platform could allow a malicious operator to gain knowledge about a target VM, or even gain access to its contents. Further, a postdoctoral researcher in MIT’s Computer Science and Artificial Intelligence lab, and three of his colleagues, claimed that a snooper could land on the same VM host on Amazon’s cloud service by launching their VM at the same time as the target (Babcock). In order to ensure proper VM behavior and optimize security, it is critical that VMs are built from known good source images and monitored for proper behavior, and that shared platform exposures are understood.
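One way to enforce the "known good source images" rule, as an added example that is not part of the original post: a launch gate that only admits images whose SHA-256 digest matches a manifest pinned when the image was built and reviewed. The manifest format, file names and image contents are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash the image in chunks so multi-gigabyte files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_manifest(text):
    """Parse {"image file name": "sha256 hex"} and reject malformed entries."""
    manifest = {}
    for name, value in json.loads(text).items():
        value = str(value).lower()
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            raise ValueError(f"bad digest for {name!r}")
        manifest[name] = value
    return manifest


def verify_image(path, manifest):
    """Return (ok, reason). An image absent from the manifest is refused."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False, "not in known-good manifest"
    if sha256_file(path) != expected:
        return False, "digest mismatch"
    return True, "ok"


def gate_launch(paths, manifest):
    """Split candidate images into launchable names and quarantined {name: reason}."""
    launchable, quarantined = [], {}
    for path in paths:
        ok, reason = verify_image(path, manifest)
        if ok:
            launchable.append(os.path.basename(path))
        else:
            quarantined[os.path.basename(path)] = reason
    return launchable, quarantined


def demo():
    """Constructed library: one clean image, one altered image, one never reviewed."""
    with tempfile.TemporaryDirectory() as lib:
        def write(name, data):
            path = os.path.join(lib, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        clean = write("web-base.img", b"constructed known-good image bytes")
        # The manifest is pinned from the reviewed builds, before the shared
        # library copy could be modified.
        manifest = load_manifest(json.dumps({
            "web-base.img": sha256_file(clean),
            "db-base.img": hashlib.sha256(b"constructed db image").hexdigest(),
        }))
        altered = write("db-base.img", b"constructed db image" + b"\x00extra")
        unknown = write("community-tools.img", b"never reviewed")
        return gate_launch([clean, altered, unknown], manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is stored and protected separately from the image library it describes.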

While VMs create a separation between the hardware and software layers of the server infrastructure, they have also blurred the long-standing boundaries between the Server Administrator and the Network Engineer. Traditionally, the Network Engineer has been more focused on the proper movement of data across the corporate network and, in many cases, many of the associated security functions; the System Administrator, on the other hand, has simply cared for the operation and maintenance of the server hardware. Due to the full stack integration brought about by virtual machines and hypervisors, ranging from the server down through the network, many of the functions that have traditionally fallen to the Network Engineer, such as VLAN tagging, QoS, routing and access-lists, have now fallen to the administrators of the virtual environment, who may or may not possess the qualifications to properly secure the environment (Cox). The result is a gap that requires a “super IT administrator” with the breadth and depth of skills needed to deliver virtual services using best practices. Alternatively, the hypervisor itself needs to allow multiple Administrators and Engineers to collaborate to optimally build and deliver a virtual machine. Without ensuring the right skills are performing the right tasks, the same integration of functions that makes VMs and Cloud an ideal environment can also convolute the management and security of the infrastructure.

While the hypervisor performs the “magic” that allows our VMs to share a common set of physical platforms, it is also a core and obvious area of exposure if not properly configured and secured. Because the hypervisor management platform authorizes who can create, delete and change virtual machines, as well as the accessibility between various VMs and common resources, it is critical that the hypervisor and the management platform are properly secured within a Cloud environment (Scarfone, Souppaya and Hoffman). The first level of securing the hypervisor should address user management and access control; the ability to authenticate should provide a front line of defense to ensure scalable and tiered levels of access to Cloud administrators. Further, authorization should restrict administrators’ access to only the resources they directly administer to reduce insider threat, mitigate the risk of misconfigurations and prevent unnecessary access. Secondly, while there are some communication functions that are required for the basic operation of the VM, it is important that policies exist to define the rules for intra-customer VM-to-VM access, as well as inter-customer VM interactions. Further, it is critical that the policies are established and followed, and then reviewed and maintained regularly.
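The two controls described above (administrators scoped to the resources they administer, and explicit rules for intra-customer and inter-customer VM traffic) can be modelled as a default-deny policy with a periodic review step. This is an added sketch, not code from the original post or from any hypervisor product; the class, customer names, VM names and the approval reference are all hypothetical.

```python
from dataclasses import dataclass, field

ACTIONS = frozenset({"create", "delete", "change"})  # the operations the post names


@dataclass(frozen=True)
class VM:
    name: str
    customer: str


@dataclass
class HypervisorPolicy:
    grants: dict = field(default_factory=dict)  # admin -> {customer: {actions}}
    flows: dict = field(default_factory=dict)   # (src, dst, port) -> approval ref or None

    def grant(self, admin, customer, actions):
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self.grants.setdefault(admin, {}).setdefault(customer, set()).update(actions)

    def authorize(self, admin, action, vm):
        """Default deny: the admin needs this action on this VM's customer."""
        return action in self.grants.get(admin, {}).get(vm.customer, set())

    def allow_flow(self, src, dst, port, approval=None):
        """Every flow needs a rule; inter-customer flows also need an approval."""
        if src.customer != dst.customer and not approval:
            raise PermissionError("inter-customer flow requires an approval reference")
        self.flows[(src.name, dst.name, port)] = approval

    def flow_allowed(self, src, dst, port):
        """Rules are directional and per port; anything unlisted is denied."""
        return (src.name, dst.name, port) in self.flows

    def review(self, assignments, inventory):
        """Periodic review: grants outside an admin's assignment, rules that
        reference VMs no longer in the inventory, and inter-customer rules."""
        findings = []
        for admin in sorted(self.grants):
            for customer in sorted(self.grants[admin]):
                if customer not in assignments.get(admin, set()):
                    findings.append(("excess-grant", admin, customer))
        known = {vm.name: vm for vm in inventory}
        for (src, dst, port), approval in sorted(self.flows.items(), key=lambda kv: kv[0]):
            if src not in known or dst not in known:
                findings.append(("stale-flow", src, dst, port))
            elif known[src].customer != known[dst].customer:
                findings.append(("inter-customer-flow", src, dst, port, approval))
        return findings


def demo():
    """Constructed tenants and admins; returns (decisions, review findings)."""
    web, db = VM("acme-web", "acme"), VM("acme-db", "acme")
    shop, old = VM("globex-shop", "globex"), VM("acme-old", "acme")
    policy = HypervisorPolicy()
    policy.grant("alice", "acme", {"create", "change"})
    policy.grant("bob", "globex", {"create", "delete", "change"})
    policy.grant("bob", "acme", {"delete"})          # left over from an old project
    policy.allow_flow(web, db, 5432)
    policy.allow_flow(old, db, 5432)                 # acme-old is later decommissioned
    policy.allow_flow(shop, web, 443, approval="CHG-EXAMPLE-1")
    decisions = {
        "alice change acme-db": policy.authorize("alice", "change", db),
        "alice delete acme-db": policy.authorize("alice", "delete", db),
        "alice change globex-shop": policy.authorize("alice", "change", shop),
        "acme-web -> acme-db:5432": policy.flow_allowed(web, db, 5432),
        "acme-db -> acme-web:5432": policy.flow_allowed(db, web, 5432),
        "globex-shop -> acme-db:5432": policy.flow_allowed(shop, db, 5432),
    }
    findings = policy.review({"alice": {"acme"}, "bob": {"globex"}}, [web, db, shop])
    return decisions, findings


if __name__ == "__main__":
    print(demo())
```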

The last concern to review is the snapshot and VM image management exposure posed by VMs and the hypervisor. Since VMs are hardware independent, Cloud administrators have the ability to pause, stop and even take snapshots (a real-time image of the entire VM, including the contents of the memory) and store them in a file (Cox). Since these files can be stored, moved, duplicated, etc., if the VM or its memory contained sensitive or confidential data, they could create a significant risk for an organization. If a Cloud provider is taking regular snapshots for a customer, the handling and storage of this information could pose a greater threat than the active VM itself. Also, it is critical that VMs are properly monitored and/or decommissioned after use, and that VM image files are diligently secured commensurate with the level of sensitivity of the data contained within the VM (Bateman). Ironically, the greatest exposure created by the VM may not be the active VM itself, but instead the offline data that also requires full lifecycle security considerations.
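A lifecycle check for the offline files described above, as an added example that is not part of the original post: it walks a datastore directory and reports snapshot, memory and disk files that have outlived a retention period or are readable beyond their owner. The VMware-style file extensions, the 90-day retention value and the sample directory layout are assumptions; the post names no product.

```python
import os
import stat
import tempfile
import time

# Assumption: VMware-style extensions. Value = (description, may hold guest memory).
OFFLINE_KINDS = {
    ".vmsn": ("snapshot state", True),
    ".vmem": ("guest memory image", True),
    ".vmss": ("suspended state", True),
    ".vmdk": ("virtual disk", False),
}


def audit_offline_images(root, max_age_days, now=None):
    """Return findings for offline VM files that are stale or over-exposed."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = OFFLINE_KINDS.get(os.path.splitext(fname)[1].lower())
            if kind is None:
                continue
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            issues = []
            age_days = int((now - st.st_mtime) // 86400)
            if age_days > max_age_days:
                issues.append("stale")
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                issues.append("readable beyond owner")
            if issues:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "kind": kind[0],
                    "may_hold_memory": kind[1],
                    "age_days": age_days,
                    "issues": issues,
                })
    # Memory-bearing files first, then by number of issues, then by path.
    findings.sort(key=lambda f: (not f["may_hold_memory"], -len(f["issues"]), f["path"]))
    return findings


def demo():
    """Constructed datastore with two VMs; returns the audit findings."""
    now = int(time.time())
    day = 86400
    with tempfile.TemporaryDirectory() as root:
        def make(rel, mode, age_days):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder bytes")
            os.chmod(path, mode)
            mtime = now - age_days * day - 3600  # one extra hour avoids boundary rounding
            os.utime(path, (mtime, mtime))

        make(os.path.join("vm1", "vm1-Snapshot1.vmsn"), 0o600, 200)  # old, owner-only
        make(os.path.join("vm1", "vm1-Snapshot1.vmem"), 0o644, 200)  # old and world-readable
        make(os.path.join("vm2", "vm2.vmdk"), 0o640, 1)              # fresh, group-readable
        make(os.path.join("vm2", "vm2.vmss"), 0o600, 0)              # fresh, owner-only
        make(os.path.join("vm2", "notes.txt"), 0o644, 400)           # not a VM file
        return audit_offline_images(root, max_age_days=90, now=now)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```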

So Should I Cloud?

Now that some of the primary security concerns for virtualized Cloud computing have been established and discussed, the key question is: now what? Can Cloud computing even be trusted? The answer is that whether a Cloud provider is used, or an Enterprise builds and hosts its own virtualized infrastructure, similar risks will exist and need to be managed. The primary difference lies in the level of control that you, as a customer of the Cloud provider, possess to ensure that your IT resources are being managed, maintained and secured using best practices and within your policy and compliance requirements. No different than the enterprise, Cloud providers need to define policies, procedures and controls to manage and mitigate the risks that exist with delivering a virtualized solution. Further, these initiatives should be clearly documented and systematically communicated to their customers.

IT leadership considering Cloud outsourcing solutions needs to understand the resources they are considering shifting to the Cloud. This includes an awareness of all aspects of the systems, including the type (and sensitivity) of the data, specific compliance requirements that might exist (e.g. PCI), recovery time and recovery point targets, the impact of downtime, the provider’s security practices, etc. From there, a thorough review of the available Cloud solutions should also be conducted. The review should include and align the critical elements identified when reviewing the systems to be outsourced. Additionally, an understanding of how the provider sets policies, what their standard policies are and whether any customer-specific flexibility exists should also be determined. Finally, the criteria and requirements can be aligned with the potential scope of Cloud providers. It is only from this perspective that educated decisions can be made and needs can be aligned with offerings.

Cloud is not the enemy, but more an inevitable shift in how IT resources are consumed by the Enterprise.  Awareness of what the cloud is, and isn’t, is essential; Cloud shouldn’t be a black box where you put all of your systems and data and then believe that all of your risk and exposure is gone.  Security concerns don’t dissolve into the ether by moving your systems to the Cloud.  Arguably, they are greater as the Enterprise’s focus should shift to validation and verification of the security posture of their Cloud environment.  After all, you never know who may be sharing the same virtual plane with you on the physical device hosting your VMs.

___________

Babcock, Charles. Information Week. 27 April 2012. <http://www.informationweek.com/cloud-computing/infrastructure/vmware-breach-time-to-assume-hypervisor/232901071>.

Bateman, Kayleigh. Don’t Let Dormant Virtual Machines Threaten Data Centre Security. n.d. <http://www.computerweekly.com/news/1370369/Dont-let-dormant-virtual-machines-threaten-data-centre-security>.

Cox, Philip. Top Security Virtualization Risks and How to Prevent Them. Islandia, 2011.

Rashid, Fahmida Y. Security Watch. 21 August 2012. <http://securitywatch.pcmag.com/none/301770-crisis-trojan-first-malware-to-target-virtual-machines>.

Scarfone, Karen, Murugiah Souppaya and Paul Hoffman. Guide to Security for Full Virtualization Technologies. Gaithersburg: NIST, 2011.

Vasudevan, Amit, et al. Requirements for an Integrity-Protected Hypervisor on the X86 Hardware Virtualized Architecture. n.d.





Cloud Storage and Privacy: How much are you willing to pay to protect your data?

28 03 2013

Introduction

We have all been warned that our Internet purchasing habits and how much we share about our day-to-day lives could be placing us at risk of being victimized. However, according to a recent study published by the European Network and Information Security Agency (ENISA), users, even those who have elevated concerns over privacy, do not heed some of these warnings. In this study, a majority of consumers were willing to submit personal contact information for a mere 67¢ discount on a $10.05 online purchase (XRates) (Jentzsch, Preibusch and Harasser). So the question is no longer whether or not a user is willing to share information in exchange for discounts; it is how much information he is likely to share in exchange for discounted services. This blog explores this question as applied to the adoption of cloud-based storage services.

How much privacy are we willing to sacrifice?

As evidenced by the ENISA study, it turns out that most people have a price, and if this study is any indication, the price is not very high. In many cases, in the presence of “free services”, many of us are willing to supply employment history, email addresses of our closest family and friends, phone numbers, birthdays, and political views, to name a few. So, it turns out that nothing really is for free. The price paid for free services is personal information that can be used to support targeted advertising revenue, based on your observed behaviors, spending patterns, your political, social, and financial associations, and more importantly, who you know. By observing you, service providers are able to develop a personal profile that can be sold to their ‘affiliates’ (Google). To gain insight into what is being sold to affiliates, this author conducted a simple experiment using the third-party plug-in PrivacyFix, a tool that estimates the advertising value of Google account profiles. For the experiment, the Google account was configured with a public profile (Google+) to include links to employment history, more than 100 friends, colleagues, and family, and an association with Carnegie Mellon University. Even with blocks placed on most tracking mechanisms, this Google Plus account allows Google to track 55% of pages visited, and is valued at $25.30 per year in advertising (Anonymous). This $25.30 subsidizes the free services Google provides, effectively offsetting the pricing of paid services.

Cloud-based storage services are based on this same model: Google, DropBox, and Box.net (to name a few) offer free cloud-based storage services with options to increase your capacity. Basic service starts at 5 GBytes, with increasing levels of storage capacity awarded through new customer referrals (e.g. family, friends, and colleagues) (DropBox). For capacity needs beyond the default 5 GByte level, subscription prices start at as little as $.17 per GByte per year (DollyDrive), and include “free” add-on services to support backup and recovery, revision control, and, most importantly, data sharing and collaboration. Data sharing and collaboration promotes expansion of the customer base, but also promotes vendor lock-in by virtue of a shared infrastructure.

Strengths & Weaknesses of Commercial Cloud Storage Options

In spite of these somewhat troubling privacy concerns, new Cloud Storage service providers seem to be popping up each year, and while paid services are still offered at a higher price point than local storage, there are some compelling reasons for migrating to the cloud in some cases.

Table 1 identifies some of the key strengths and weaknesses of today’s cloud storage solutions as compared to local storage alone. For most consumers, the key strengths that differentiate cloud storage from local storage (without software & hardware capital investment) are the infrastructure that supports collaboration and the ability to back up and restore data to an offsite location.

| Strengths | Weaknesses |
| --- | --- |
| Increased productivity. Data can be seamlessly accessed across devices and operating systems (DropBox). | Data Transfer Latency. As compared to local data transfers, digital transfer technology can be 6800 times slower.[1] |
| Ease of setup and use. Many cloud storage service providers include operating system plug-ins to provide accessible cloud storage as a locally mapped storage device. | Confidential Information such as your name, likeness, age, email addresses and names of colleagues and friends, and unencrypted data may be shared with unknown third parties (Google). |
| Flexible Pricing. Services range from free, to referral based, to pay as you go, to subscription based services (DropBox). | Limited liability policies. Many service providers require that the customer indemnify the service provider against claims for damage (Google). |
| Data Revision Recovery. Many services provide the ability to track changes and recover previously saved versions of files (Dolly Drive). | Dependency on external provider. Service Provider may reserve the right to change the terms of agreements at any time (including the right to suspend or discontinue services) (Google). |
| Data Sharing & Collaboration. Shared data can be configured to automatically replicate across subscribed devices and users, facilitating improved productivity for shared data (DropBox). | Variable Security. While security and redundancy can be built into any given platform, each provider balances differing sets of quality attributes, which may expose users to unintended vulnerabilities (Borgmann, T. and Herfert). |
| Elasticity. Cloud storage capacity is resizable without the need for capital investment. | Service switching Interoperability. Switching service providers is possible; however, some providers deliver unique services, which are not easily transportable to a new service provider (e.g. Dolly Drive Backup versus Microsoft Azure). |
| Off-site storage. In the event of catastrophic loss of local storage and processing hardware, Cloud based storage provides a low-hurdle alternative to backup and safe storage. | Pricing for paid services. In 2013, local hard-disk storage was less expensive than cloud-based storage[2]. |

Table 1, Cloud Storage Strengths and Weaknesses

The big weaknesses are the limited liability and the potential exposure and spillage of confidential information. Data transfer latency, while not a show-stopper, is a significant hurdle to more widespread adoption, especially in light of the fact that the average data transfer rates in the United States are nearly 6800 times slower than local disk access (Streams) (Seagate). Some mitigation strategies exist, such as pre-seeding data stores to mitigate latency; however, this remains a significant hurdle for some users. If we assume that the ENISA study represents a predictive model for cloud storage adoption, then liability and confidentiality are not viewed as weaknesses, so the only weakness that really stands in the path of widespread adoption is price. Today, pricing of cloud-based storage for consumer level plans is about 4 times that of local storage (assuming that the average user capitalizes the cost of hard disk space every two years), generally starting at $.17 per GByte per year[1].

Moore’s Law and Storage

Now, if we take into account the pricing history of hard drives and capacity over the last thirty years (Figure 1 and Figure 2), we note that there is a close correlation to Moore’s Law.[2] Note that in the years between 1992 and 2012, the cost per megabyte drops by half every two years. While it is too early to definitively predict, early evidence does suggest that Moore’s law may prove to predict the future of pricing for Cloud-based storage. Just since 2011, the starting capacity for free services has doubled, and the pricing on paid services has dropped by half[3].

[Figure 1]
[Figure 2]

Deciding How Much to Adopt

While most users are likely to continue using only the “free services” until such time that the price point for paid services drops below the cost of purchasing new hardware, the other strengths referenced in Table 1 may drive early adopters to migrate toward cloud-based storage solutions sooner. For these early adopters, a cost-decision model may help to identify and quantify relevant economic facets. Such a decision model would quantify up-front costs, annual investment costs, and operational costs to arrive at a total cost of ownership (Bibi, Katsaros and Bozanis):

TCO/Yr = Cu + Cad + Co

Where Cu is the total upfront costs (enrollment fees and setup, acquisition of hardware and software), Cad is the annual investment (annual subscription fees and maintenance fees), and Co represents operational costs, such as annual Internet connection costs, utilities, and in some cases the cost of off-site storage and travel.

__________

Anonymous. PrivacyFix Plug-in Results on Google Plus Author. February 2013.

Bibi, S., D. Katsaros and P. Bozanis. “Business Application Acquisition.” IEEE Software (2012): 86-93.

Borgmann, M., et al. “The Security of Cloud Storage Services.” Technical. Fraunhofer Institute for Secure Information Technology, 2012.

Dolly Drive. “Cloud backup for Mac.” Dolly Drive. February 2013 <http://www.dollydrive.com>.

DollyDrive. Pricing & Plans. February 2013. February 2013 <https://get.dollydrive.com/purchase>.

DropBox. “Dropbox – Tour.” Dropbox. February 2013 <https://www.dropbox.com/tour/2>.

—. “Plans – Simplify your life.” DropBox. February 2013 <https://www.dropbox.com/pricing>.

Google. “Google Apps Terms of Service.” Google Apps. Google. February 2013 <http://www.google.com/apps/intl/en/terms/standard_terms.html>.

McCallum, J. Disk Drive Prices. February 2012. February 2013 <http://www.jcmit.com/diskprice.htm>.

Jentzsch, N., S. Preibusch and A. Harasser. Study on monetising privacy, An economic model for pricing personal information. Technical. European Network and Information Security Agency. Berlin: ENISA, 2012.

Seagate. “Hard Drive Data Sheet.” December 2012. Seagate.com. February 2013 <http://www.seagate.com/files/staticfiles/docs/pdf/datasheet/disc/barracuda-desktop-hdd-ds-1770-1-1212us.pdf>.

Streams, K. Global Internet Speeds creep back to 2012. August 2012. February 2013 <http://www.theverge.com/2012/8/9/3230626/akamai-global-internet-speed>.

XRates. Historical Lookup Euro Rates Table. 27 February 2012. 18 February 2013 <http://www.x-rates.com/historical/?from=EUR&amount=1.00&date=2012-02-27>.

 


[1] According to the Internet archive waybackmachine.org:  DropBox Pricing 2011-2013.

[2] A profoundly accurate prediction by Intel co-founder Gordon Moore once stated that the number of transistors on a processor would double every two years.

[3] According to the Internet archive waybackmachine.org:  DropBox Pricing 2011-2013.


[1] Assuming a typical uplink data transfer rate of 7 Mb/s (Streams) as compared to SATA hard disk transfer rates in excess of 6 GB/s (Seagate).

[2] Based on the 2012 SATA II hard disk price of $.07/GB as compared to a Cloud-based Storage solution priced at $.17/GB/Yr.

 





Public clouds help everyone! The good, bad, and ugly…

21 03 2013

The Good

Public clouds offer a growing set of capabilities to consumers and their adoption is only growing. Gartner predicts compute-specific services will grow to $20.2 billion in 2016 (qtd. in Columbus). Whether you are looking for capital reduction, ease of access, quick provisioning, or the ability to scale massively, cloud takes the hard work out of it. Public cloud operating models support online registration and pay-as-you-go billing, which allows anyone with a credit card to consume the service. This new consumption model allows organizations and individuals to consume potentially massive amounts of resources with minimal upfront costs or technical know-how.

The Bad

Because public clouds are designed to accommodate the largest of capacity requests, they are typically built with massive supporting infrastructures and have access to near limitless bandwidth. As access typically only requires a credit card, it is readily available to anyone, even fraudulent consumers, hackers, or cyber terrorists. These “aggressors” can access and use cloud resources by registering with stolen credit cards or by compromising exposed resources if poorly protected. It does not take much effort or money to get a stolen credit card in an “Amazon-Like Online Bazaar” (Riley). The fact is that fraudulent consumers can sign up through an automated system, make use of a stolen card, and begin to provision resources without anyone physically verifying their identity. As these models are typically pay-as-you-go monthly services, it can be weeks before a fraudulent consumer is identified through a failed billing. Since fraudulent activities can last for several weeks before remediation occurs, these aggressors can consume the resources and conduct their business at the cost of the provider.

The Ugly

Not only are these aggressors able to utilize a cloud for weeks, they are accessing resources that are “unlimited and can be appropriated in any quantity at any time” (Mell and Grance 2). This creates a burstable resource that may not have been available to fraudulent use in the past. Large infrastructure and bandwidth are generally expensive, and it would be risky for aggressors to procure and operate a legitimate environment for illegitimate uses. The risk of seizure would always be a concern. With massive cloud infrastructures, aggressors can provision, clone, and migrate systems around the world faster than ever possible with physical infrastructure and without complicated malware. If IP addresses get blacklisted, they simply request a new one from the system and they are back online. Assuming for a moment you have access to three public cloud providers for only 20 days, each with five sites to provision to, each averaging five minutes per clone of a virtual machine, an aggressor could provision more than 82,000 virtual machines in 19 days. This is more than enough to spend a day causing havoc with a large, widespread distributed denial of service attack. In just the time it would take to identify and process mitigation strategies, even the largest of targets could be jeopardized. Though unlikely, the idea of cloud as an asset for aggressors on the internet should be acknowledged. What are the possibilities with this kind of resource in the wrong hands?

The Problem

Who is ultimately responsible for ensuring legitimate use of these massive public clouds? Is the service provider wholly responsible? Surely a provider cannot be expected to analyze all packets that traverse its network in search of malicious intent. Or should they? It will drive costs up, though, and may be unrealistic in some situations. Service providers do share responsibility in reducing the amount of fraud in these environments, as it reduces available resources for legitimate customers. As a public cloud operator and evangelist of cloud services, I believe that these issues must be dealt with as a community. Everything is going to the cloud; it is important that organizations update their business continuity plans and practice a layered defense. Service providers must also develop policies and procedures to support the identification and removal of fraudulent consumers and aggressors. Finally, government agencies need to update policies and processes to deal with evidence gathering and forensic operations in these large multi-tenant environments.

_________

Columbus, Louis. “Forecasting Public Cloud Adoption in the Enterprise.” Forbes. Forbes Magazine, 02 July 2012. Web. 04 Feb. 2013.

Mell, Peter, and Timothy Grance. NIST Definition of Cloud Computing. Publication no. 800-145. Gaithersburg: National Institute of Standards and Technology, 2011. Print.

Riley, Michael. “Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar.” Bloomberg. Bloomberg L.P., 19 Dec. 2011. Web. 04 Feb. 2013.





Security Perspective on Cloud Computing

1 10 2012

There’s a lively discussion about cloud computing. It’s becoming popular before the majority of people even get to really understand it, not to mention realize its security problems. So what is cloud? Are you taking advantage of it? Before discussing cloud security, let’s get to know it first.

What is cloud computing?

According to NIST, cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”[1] It relates to several recent technologies such as distributed systems, utility computing, virtualization and so on. These technologies are changing the whole business model from selling physical products to selling services. Though it’s still a new technology, most people have already enjoyed it. With Dropbox and Apple iCloud, people no longer have to save their data on physical disks, but can simply leave it on the network. Actually, big companies benefit more. With cloud, they can integrate resources on several servers, instead of installing them on every computer. It really saves them considerable expense on IT management and fixed costs.

Security issues in cloud computing

What’s the bad news? Actually, there are some frequently mentioned security problems in cloud[2], which keep people from getting close to it.

  • First, just like administrator authority on our own computers, if the VM hypervisor is vulnerable, it will be a target for malicious people. If hackers control the hypervisor, they can manipulate customers’ private data, or provide malicious services. This places a significantly high requirement on the VMs’ security capability to guarantee data confidentiality. Though many providers have claimed a high security level for their products, those claims were always broken.
  • Secondly, based on the implementation of cloud security itself, the more people use cloud, the more secure the cloud is. In brief, every client in the cloud network is a security monitor. A larger number of monitors makes it easier to find an attack and send a report to the server. It’s really a good implementation, but it requires collecting data from customers. Then who will be responsible for securing the data while the environment is exposed to an attack? This is a question.
  • Finally, virtualization, a core feature of cloud, compromises all host network flow[3], which strongly attracts hackers’ attention. How to take full advantage of this layer while avoiding intensive attack is a hotly debated problem.

Actually, the problems above are not only present in cloud computing; they also exist in the traditional datacenter network. But a conventional security policy or encryption plan is not always compatible with the cloud environment[4]. Cloud architecture requires dedicated design in both security policy and technical safeguards. Then, what’s the plan of those famous cloud providers?

  • Google claims that they split files into parts and store them in multiple files on different machines.[5] Besides, with files randomly named, it’s really hard for a hacker or a malicious insider to steal a certain file. They also encrypt data and invite third parties to intrude into their system to test its reliability. Finally, if the hardware goes bad, they will use a device called “the crusher” to destroy the data. Here’s a question: is there any plan for recovering the destroyed data, or is there any backup policy?
  • Apple features their cloud service (iCloud) by claiming that data will be encrypted both in transmission and in storage.[6]

A Crucial Truth of Cloud Security

Whatever the providers claimed, security breaches always happened. For example, the online storage service Dropbox was hacked, which led to many of its members receiving trash emails this August[7]. Then we should ask: who is responsible for cloud security? Surprisingly, it’s us, instead of the service provider! NIST pointed out: “Accountability for security and privacy in public cloud deployments cannot be delegated to a cloud provider and remains an obligation for the organization to fulfill.”[8]

Do you have a plan for cloud security?

The statement from NIST leaves people scratching their heads about protecting data stored on a remote machine when they don’t even know where the server is. There are several minimum protections we cloud users can apply to protect our data:

  • Do remember to backup important files both on cloud and local disks.
  • Do not use the same user-ID and password on different sites.
  • Do not link all of your accounts together.9

In closing, cloud computing, as a newly developed technology, will face serious challenges for a long time. It requires careful design of security policy, technical protection and related law. It will surely benefit us to a great extent and ultimately change the relationship between the computer world and human beings. But before that, be sure that you already have a sound plan for cloud security.

_____________

  1. NIST: Special Publication 800-145. The NIST Definition of Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
  2. Vic Winkler. Cloud Computing: Virtual Cloud Security Concerns. TechNet Magazine, December, 2011. http://technet.microsoft.com/en-us/magazine/hh641415.aspx
  3. Kathleen Hickey. Dark cloud: Study finds security risks in virtualization. March 8, 2010. http://gcn.com/articles/2010/03/18/dark-cloud-security.aspx
  4. Securing the cloud – VMware white paper. http://www.savvis.com/en-us/info_center/documents/savvis_vmw_whitepaper_0809.pdf
  5. Dan Rowinski. How Does Google Protect Your Data in the Cloud? July 22nd, 2011. http://www.readwriteweb.com/archives/how_does_google_protect_your_data_in_the_cloud.php
  6. iCloud: iCloud security and privacy overview. http://support.apple.com/kb/HT4865
  7. Mark Prigg. Cloud safety: Internet storage service Dropbox admits security breach as fears grow over storing information online. Mail Online, Aug 1st, 2012. http://www.dailymail.co.uk/sciencetech/article-2182229/Dropbox-Storage-service-admits-security-breach-fears-grow-storing-information-online.html
  8. NIST: Special Publication 800-144. Guidelines on Security and Privacy in Public Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
  9. John D. Scutter, CNN. How to protect your cloud data from hacks. Aug. 9, 2012. http://www.cnn.com/2012/08/09/tech/web/cloud-security-tips/index.html




Cloud computing

15 08 2012

Cloud computing is taking on a larger role in the way we use technology.  In our personal and professional lives, we use iPads, iPods and other iDevices to connect to Apple’s cloud, which contains everything from our vacation photos and workout playlists to our budget spreadsheets and business presentation slideshows (we also use Android devices to do the same with Google’s cloud).  We love the convenience of being able to access our data from anywhere, at any time, and that we don’t have to worry about purchasing or toting around storage devices with limited space.

A similar movement is taking place in the business realm, as well.  According to an article at Computerworld, the “market for public cloud infrastructure, platforms and applications is large and growing much more quickly than any other type of IT spending.”  The article cites various studies which predict the market to reach anywhere from $56 billion to $100 billion by the year 2014, but all of the numbers are moving upward (it states that the market was $16 billion in 2010) [1].

However, potential adopters still have reservations about cloud computing.  A Forbes article recently cited a North Bridge Venture Partners survey of 785 companies and revealed that only 50% of respondents expressed “complete confidence” in this form of data management.  “Security remains the primary inhibitor to adoption in the burgeoning cloud marketplace with 55% of respondents identifying it as a concern,” the article states. [2]  With great legal, financial, and reputational stakes at risk, it is understandable why some business organizations may be shy about outsourcing the management and protection of sensitive data to outside entities.

However, new developments in data management may change this.  One notable breakthrough is “fully homomorphic encryption,” developed by IBM.  This method

“uses a mathematical object called an ideal lattice, to allow people to fully interact with encrypted data in ways previously thought impossible. The implications of the technique mean that computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their client’s behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, states a release, the analysis of encrypted information can yield the same detailed analysis as if the original data was fully visible to all.” [3]

Such a technique would prove useful in many business contexts.  For example, a healthcare organization that entrusts the management of patient data to a cloud provider may wish to request a report of the number of patients presenting with a particular complaint, or the frequency with which a particular medication was administered over the past month.  With fully homomorphic encryption, the provider could generate such a report without needing to directly view any sensitive patient information.
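
The report scenario above, as an added example that is not from the original post or from IBM: it uses the Paillier cryptosystem, which is only additively homomorphic (enough for counts and sums), not Gentry’s lattice-based fully homomorphic scheme. All function names, the constructed sample flags and the demo-sized 1024-bit modulus are assumptions made for illustration.

```python
import math
import secrets

def is_probable_prime(n, rounds=40):          # Miller-Rabin, for demo keygen only
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=1024):                        # client side; demo-sized modulus
    primes = set()
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if is_probable_prime(c):
            primes.add(c)
    p, q = primes
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))          # mu = lam^-1 mod n since g = n + 1

def encrypt(n, m):
    """Public operation: c = (1 + n)^m * r^n mod n^2 for a random r."""
    r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def encrypted_sum(n, ciphertexts):
    """Provider side: multiplying ciphertexts adds plaintexts; no key needed."""
    total = 1                                 # trivial encryption of 0
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

# Constructed sample: 1 = patient presented with the complaint, 0 = did not.
SAMPLE_FLAGS = [1, 0, 1, 1, 0, 1, 0, 0]

def monthly_report(flags=SAMPLE_FLAGS, bits=1024):
    n, priv = keygen(bits)                        # healthcare organization
    uploaded = [encrypt(n, f) for f in flags]     # all the provider ever stores
    return decrypt(n, priv, encrypted_sum(n, uploaded))
```

The provider only ever calls `encrypted_sum`, which needs the public modulus but not the private key; two encryptions of the same flag differ, so the stored ciphertexts do not reveal which patients had the complaint.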

While the ascent into the cloud is likely to continue, developments in data security will be a large factor in speeding its acceptance.

_____________

[1] http://blogs.computerworld.com/16863/cloud_computing_by_the_numbers_what_do_all_the_statistics_mean

[2] http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/

[3] http://www.banktech.com/risk-management/218101557










Debunking the myth: A secure cloud is possible!!

5 07 2012

Let’s face it, cloud computing is the “big thing” in IT today. Many companies are reaping the benefits of cloud computing (i.e. “the cloud”): simplified management, rapid scalability, and reduced capital expenditures [1]. Other companies, however, are hesitant to “jump on the bandwagon”. The two main concerns that these companies have are SECURITY and AVAILABILITY. The belief is that cloud computing cannot provide the same level of security, control, and availability as an “on-premise” datacenter because the span of control belongs to the cloud provider (instead of the company itself). This is the first misconception of cloud computing: the consumer has no insight into the “behind the scenes”. The next misconception is that the consumer has no ability to influence the decision-making of the cloud provider. The last is the misconception that the cloud vendors do not want to do anything (i.e. since they are the “middle man”, they need not take proactive measures to protect your “piece of the cloud”). We will examine each one of these misconceptions, and see whether they hold true, or whether they are being debunked.

Physical Security

The first area of concern is physical security. Companies believe that since they do not “hold the keys”, they do not have any control over the physical security of their data (within the cloud). This can easily be debunked by including documented policies and procedures for Access Control, Information Security Management, and Physical Security within your service agreement/contract [1]. Furthermore, a consumer should inquire into how the provider ensures the policies & procedures set forth (i.e. user training, policy review & audit procedures, and change management policy) [1]. Even further, one may review the internal deployment processes & procedures to see how IT assets (hardware, software, etc.) are installed, configured, and tested prior to deployment [2]. The old saying “knowing is half the battle” certainly holds true. The more that a consumer knows, the more at ease they will feel (especially in the areas of security).

Application/Data Security

Your data is your most valued asset. You want to ensure that your data does not fall into the wrong hands. It is important to understand your data and its sensitivity/classification, and how this impacts your vendor’s cloud design. Will your data be stored encrypted within the cloud? Will it be stored in “isolation” (i.e. completely segregated from other data within the cloud)? How does the application access/store/manipulate/delete/archive your data, and are secure tools used to do so (such as HTTPS/SSL and/or VPN for In-transit encrypted communication, Encrypted data storage devices, etc.) [2]?

Infrastructure Design

The design & implementation of the cloud provider’s data center(s) should be one of your top concerns. Are all components (Hardware, Software, etc.) highly available and fully redundant? What are the data retention/deletion/archival processes & procedures? Am I at risk for data breach because of these [3]? Is my company’s data truly segregated from your other clients? The IBM Cloud Security Approach is to “Secure by Design” [4]; what design/implementation approach has your cloud vendor followed? The use of virtualization, both for networks (i.e. VLANs) and application/database tiers (i.e. VMWare), has become a blueprint for many cloud providers today [5]. What technology is your provider going to use and why? Keeping in mind that “one size does not fit all” [4], what is your vendor doing to ensure that they meet your specific needs (i.e. do they need to change their design, infrastructure, process/procedures, etc.)?

The list of questions that one should ask goes on and on (see “Questions to Ask” section in the article “Securing the Cloud From the Outside-In” [1]). The important thing is that you fully understand the design & implementation of “your cloud”, and that it meets your needs.

Influence & Control

Some may say that this is all well and good, but how do I have any say in what my cloud vendor does? The key lies within your service contracts, more specifically, your service level agreements (SLAs). SLAs used to be simple: state the basic services needed and maybe include some “uptime” requirements. Now, SLAs have become more in-depth, providing exact detail for which services are required, which level of security is required, and including financial penalties for incidents, outages, data breaches, and so on. It is these financial penalties that are the main “motivating factor”. The customer never wants to have to collect these penalties. They want stable, available, and secure services provided to them. So they make these penalties so distinct (and costly) that it is in the best interest of the cloud provider to ensure that they never have to pay them. Another motivating factor is business growth and publicity. These vendors want to attract other clients (increase revenue); they do not want negative publicity (such as a data breach) because this drives away business (not only new business, but also their existing clients).

Conclusion

So, it is possible to get secure & available services from the cloud; we just need to ask the right questions and provide the right level of detail within the service contracts. Cloud vendors are highly motivated to ensure that their solutions are secure & highly available. Cloud computing offers many enticing benefits. Coupled with the debunking of myths pertaining to security and availability, these benefits may outweigh any perceived risks and provide the solution that consumers are looking for.

[1] Hamilton, Mary Beth. “Securing the Cloud From the Outside-In”. Wall Street and Technology. 21 Mar 2012. Web. 18 Jun 2012 <http://wallstreetandtech.com/articles/232602908>

[2] Strom, David. “How Secure Is The Cloud?” Tom’s Hardware. 22 Dec 2010. Web. 18 Jun 2012 <http://www.tomshardware.com/reviews/cloud-computing-security,2829.html>

[3] Rubens, Paul. “Ensuring Data Security in the Cloud”. eSecurityPlanet: Security Trends. 11 May 2011. Web. 20 Jun 2012 <http://www.esecurityplanet.com/trends/article.php/3933241/Ensuring-Data-Security-in-the-Cloud.htm>

[4] Coleman, Nick. “Securing The Cloud: Questions and Answers”. Wired: Cloudline. 12 Oct 2011. Web. 18 Jun 2012 <http://www.wired.com/cloudline/2011/10/525/>

[5] “Securing the Cloud: A Review of Cloud Computing, Security Implications and Best Practices”. VMWare White Paper. Web. 17 Jun 2012 <http://www.savvis.com/en-us/info_center/documents/savvis_vmw_whitepaper_0809.pdf>