Cloud Computing and Security
This post is the first in a series providing an in-depth review of some of the security challenges we see with cloud computing. In the following post you’ll find some very high-level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.
Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.
My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion, and advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower-cost, easier-to-manage solution or promising a “quicker” something, whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.
By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free, except maybe that computer that’s not plugged in and has no users or operating system, but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:
1 – Confidentiality
2 – Integrity
3 – Availability
Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all-encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information; I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that compromised a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications to the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time has not come to protect your critical information; it has always been here, it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.
Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.
This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why: the customer is still the data owner and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.
Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:
- Ensure that all data is encrypted in motion and at rest
- Ensure that your data is not hosted on the same servers as other customers (While this changes a bit if all data is encrypted, there are still many concerns about keeping containers separate that affect the confidentiality of your information)
- Ensure that no unauthorized personnel have access to any of your data (This includes the hosting company’s employees. Are they insiders in your organization? Are they authorized access to your trade secrets, intellectual property and/or customer data?)
- Ensure that you manage the encryption keys, because it is possible they could make an error and use the same public/private key pair for more than two customers
- Ensure that access can be confirmed to only come from your organization
Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application?
- Ensure that no data can be manipulated outside of the application, if applicable
- Ensure that no data can be accessed or modified by other than authorized employees of your organization
- Ensure that the data cannot be intercepted, read or modified while in transit either across the network or to a remote backup facility, should one exist
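One way a customer can check the integrity points above without relying on the provider's word, shown as an added example that is not part of the original post: each object is tagged with an HMAC under a key the customer holds, bound to the object's name and version so that edits, stale copies and substituted objects all fail verification. The key handling, the customer-side version counter, and all object names and contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: this key is generated and kept inside the customer's own
# environment and is never handed to the cloud provider.
CUSTOMER_KEY = secrets.token_bytes(32)


def seal(key: bytes, name: str, version: int, data: bytes) -> bytes:
    """HMAC-SHA256 tag binding an object's name, version and content."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    # Length-prefix every field so field boundaries cannot be shifted.
    for field in (name.encode(), str(version).encode(), data):
        mac.update(len(field).to_bytes(8, "big") + field)
    return mac.digest()


def verify(key: bytes, name: str, expected_version: int, data: bytes, tag: bytes) -> bool:
    """True only if data is exactly what the customer sealed as name@version."""
    return hmac.compare_digest(tag, seal(key, name, expected_version, data))


def demo() -> dict:
    provider = {}  # name -> (data, tag): everything the provider stores
    latest = {}    # name -> version: kept on the customer side only

    def put(name, data):
        latest[name] = latest.get(name, 0) + 1
        provider[name] = (data, seal(CUSTOMER_KEY, name, latest[name], data))

    def check(name, stored):
        return verify(CUSTOMER_KEY, name, latest[name], *stored)

    # Constructed sample objects.
    put("research/q1.csv", b"trial,result\n1,0.42\n")
    old_copy = provider["research/q1.csv"]  # e.g. a stale backup copy
    put("research/q1.csv", b"trial,result\n1,0.42\n2,0.57\n")
    put("research/q2.csv", b"trial,result\n1,0.10\n")
    put("research/q2.csv", b"trial,result\n1,0.10\n2,0.20\n")

    data, tag = provider["research/q1.csv"]
    return {
        "clean": check("research/q1.csv", (data, tag)),
        "edited": check("research/q1.csv", (data.replace(b"0.57", b"0.99"), tag)),
        "rollback": check("research/q1.csv", old_copy),
        "swapped": check("research/q1.csv", provider["research/q2.csv"]),
    }
```

This detects modification only; it does not hide the content, so the encryption items in the confidentiality list still apply.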
Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?
- What happens if you need access to information regarding a research project and the cloud service provider is experiencing an outage outside of their control?
- Are they hosting your data across multiple servers or systems? While this may help the availability issue within the cloud provider, it could violate the confidentiality and integrity principles above.
- Are you buying your processing time in “slices”? This too could affect availability.
While this is not all-encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating to not leverage the cloud; rather, quite the opposite: educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
Comments
Ed Mahoney on 01.31.2010
From a reputation management perspective, is one cloud more secure than another? Is there a rating system? Wouldn’t it be cool if every time my browser connected me to a cloud service – from Sales Force.com to my Federal eFile site – a plugin queried an XML feed from Cassandra with such ratings and prompted me with security warnings?