Cloud Computing Vulnerabilities and Policies
“Cloud computing is an evolving paradigm with tremendous momentum, but its unique aspects exacerbate security and privacy challenges, (Takabi, et. al. 2010).” This statement really defines the overall current state of cloud computing and the biggest concerns of its users and providers. Cloud computing is quickly becoming the next tech phrase that is inundating mainstream computing advertising. It is being touted as the economic and technological savior for organizations large and small, economically savvy or simply inexperienced. The business of cloud computing is still considered in its infancy according to server providers like Dell Computer, yet there are hundreds of billions of dollars now being invested in the supply side of the equation. This paper will attempt to discuss vulnerabilities as well as policies for effective risk management covering cloud computing.
THE BASICS OF CLOUD COMPUTING
In order to discuss the vulnerabilities and policies to mitigate risks associated with cloud computing, it is important to understand the basic framework associated with the environment. Cloud computing comes in three varieties: private, public and hybrid clouds. The public cloud is typically a data center environment run by a third-party organization providing varying computer services for a variety of customers. Private clouds are typically a shared computer environment created within an organization, but in some cases are simply private servers and network connections allocated to an organization by a third party. The last type of cloud, the hybrid, is typically a combination of private and public computing and can actually be the most complex to secure and carry the most risk. There are several cornerstone technologies associated with the cloud. Virtualization technologies are the most pronounced signature of the cloud environment; the operating system and the network environments are typically virtual environments, which afford efficiency and promote greater availability for cloud vendors and customers. The virtual environments also create natural disaster recovery environments through duplication of virtual systems within the cloud.
Another element of cloud computing that needs to be understood when determining the vulnerabilities is the set of architectural services offered by the environment. There are three prominent services which will be included in the discussion on vulnerability and policy. These services are: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS). To save time, this paper assumes the reader is basically educated in these terms and technologies, so we will not explore detailed definitions of these service types.
Beyond the architecture, there are essential characteristics of the cloud which are well defined by the US National Institute of Standards and Technology (NIST). Again, this information is offered so the reader understands that standards exist which define the cloud itself, and these are the areas being examined. NIST classifies these characteristics as: On-demand self service; Ubiquitous network access; Resource pooling; Rapid elasticity; and Measured service. The reader can reference "Understanding Cloud Computing Vulnerabilities" from the March/April edition of the IEEE Computer Society Journal [1].
Based on the overview of the cloud environment presented, we can now turn our attention towards defining specific cloud computing vulnerabilities. A vulnerability can be classified as specific to cloud computing if it:
- is intrinsic to or prevalent in a core cloud computing technology.
- has its root cause in one of NIST’s essential cloud characteristics.
- is caused when cloud innovations make tried-and-tested security controls difficult or impossible to implement, or
- is prevalent in established state-of-the-art cloud offerings, (Grobauer, et. al., 2011).
We will now explore the vulnerabilities themselves; there are many types of cyber security attacks which clouds are exposed to on a regular basis. According to Christoph Schuba of Sun Microsystems, some of the more common vulnerabilities which cloud computing is subject to include:
- Distributed Denial of Service (DDoS)
- Man In the Middle (MITM)
- SSL, SSH, Certificate Management
- IP Spoofing
- Port Scanning
- Packet Sniffing
- Tenant sniffing inside the public cloud
- Storage Security
- Pool and object-level scrubbing
- Redundant storage w/o backup?
- Encrypted storage
Diving deeper into the indicators discussed earlier, let’s shed some more light on the types of related vulnerabilities. Beginning with the core technology itself, there are areas that are known to be vulnerable to attacks. Web services and applications, encryption (if weak), and virtualization itself are all intrinsically vulnerable. Three examples of these vulnerabilities are virtual machine escape, session riding and hijacking, and insecure or obsolete cryptography (Grobauer, et. al., 2011). Virtualization is probably the most common signature within a cloud environment. The nature of the virtualized platform lends itself to self-contained systems which can be copied and removed from the cloud premises, whereas the classic non-virtualized server configuration lives in a stack environment where the operating system software, application, network and other configuration make a system much more challenging to copy and remove. As a result we must consider the virtual aspect of the design to be intrinsically susceptible and in need of protection from cyber criminals.
Web applications are susceptible by nature because HTTP is a stateless protocol. Because web applications require a notion of session state, session handling has to be added on top of HTTP, and an environment conducive to session riding and session hijacking is inherent.
Improvements in cryptanalysis can render any cryptographic mechanism or algorithm insecure as methods of breaking it are discovered. Cryptographic flaws are commonplace, exposing weaknesses in the algorithms themselves or their implementations which can make strong encryption weak or even useless. As the business and use of cloud computing increases, the need for stronger encryption grows, and with it the relevance of security related to encryption.
We will now address a few vulnerabilities related to the essential characteristics of cloud computing. Referring to the NIST characteristics, the following vulnerabilities apply:
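The session-handling weakness described above can be narrowed on the server side. The following is an added example, not code from the paper or its sources: it issues an integrity-protected session cookie and a CSRF token bound to that session, so a state-changing request that merely rides the browser's cookie is rejected. The names `SERVER_KEY`, `issue_session` and `check_request` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret kept server-side

def tag_for(label: bytes, sid: str) -> str:
    """HMAC-SHA256 over a purpose label and the session ID."""
    return hmac.new(SERVER_KEY, label + b"|" + sid.encode(), hashlib.sha256).hexdigest()

def same(a: str, b: str) -> bool:
    """Constant-time comparison, so the check does not leak matching prefixes."""
    return hmac.compare_digest(a.encode(), b.encode())

def issue_session(user: str) -> dict:
    """HTTP keeps no state, so the server hands the client an unguessable token."""
    sid = secrets.token_urlsafe(32)
    cookie = sid + "." + tag_for(b"sid", sid)
    return {
        "user": user,
        "cookie": cookie,
        # Hijacking defence: keep the cookie off plain HTTP and away from page scripts.
        "set_cookie": "session=" + cookie + "; Secure; HttpOnly; SameSite=Strict; Path=/",
        # Riding defence: token embedded in the site's own forms, never sent automatically.
        "csrf": tag_for(b"csrf", sid),
    }

def check_request(cookie: str, method: str, csrf_field: Optional[str]) -> str:
    sid, _, tag = cookie.rpartition(".")
    if not sid or not same(tag, tag_for(b"sid", sid)):
        return "reject: forged or tampered session cookie"
    if method in ("POST", "PUT", "PATCH", "DELETE"):
        # A cross-site form carries the cookie but cannot read this session's CSRF token.
        if csrf_field is None or not same(csrf_field, tag_for(b"csrf", sid)):
            return "reject: state-changing request without valid CSRF token"
    return "accept"

if __name__ == "__main__":
    s = issue_session("alice")                          # constructed sample session
    print(check_request(s["cookie"], "POST", None))      # ridden request
    print(check_request(s["cookie"], "POST", s["csrf"])) # legitimate form post
```

A production service would also keep a server-side session store for expiry and logout; the sketch covers only the integrity and request-origin checks.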
- Unauthorized access to management interface.
- Internet protocol vulnerabilities.
- Data recovery vulnerability.
- Metering and billing evasion.
There are other vulnerabilities we have not touched on, but for sake of time let’s finish with identity management (IDM) before moving on to discuss policy. “Cloud computing environments are multi domain environments in which each domain can use different security, privacy, and trust requirements and potentially employ various mechanisms, interfaces, and semantics, (Takabi, et. al., 2010).” When it comes to IDM there are many concerns in the cloud, such as interoperability drawbacks that can result from different identity tokens and protocols. “Existing password-based authentication has an inherited limitation and poses significant risks, (Takabi, et. al., 2010).” Takabi brings to light that how multi-tenant cloud environments can protect the privacy of identity information is still not well understood. This poses a significant risk: systems that are interconnected with the user interface system may compromise the integrity of the login information if it is not protected properly.
“Security policies and procedures constitute the main part of an organization’s security, (Bhasker, et. al. via Vacca, 2009).” Of course there are many vulnerabilities not yet discussed that cloud computing environments are subjected to, but those discussed provide enough insight to discuss how policy provisions can be used to mitigate associated risks. When it comes to cloud computing, and IT in general, policies need to address the following functional levels: access control standards, accountability, audit trails, backups, disposal of media, disposal of printed matter, information ownership, managers’ responsibility, equipment, communication, and procedures and processes at work.
Security policy can be implemented at various levels within an organization and should provide general guidance for process, technical and ethical aspects of the cloud IT environment. Policy should exist for both cloud users and providers with varying aspects depending on the use type and level of service. One of the vulnerabilities discussed above involves physical access or facility security. It is important not to underestimate the internal risks associated with physical access. “A robust physical-security policy will have many facets for surveillance, personnel, continuity of operations, and architectural resilience, (Spring, 2011).” This policy area involves the facility level and is important in determining how, and ensuring that, things like physical access are controlled, monitored and process oriented to deal with issues that may occur in the event of a breach. Typical mitigation measures include: controlled entry systems, perhaps biometric controls and access; closed-circuit cameras and patrolling security guards. Policy for the facility layer can also go as far as delegating machine access for technicians like database and systems analysts. Facility-related policy should include conduct guidelines and non-disclosure protocol for intellectual property. Procedures for operations personnel, including background checks and routine screening, are all critical policy elements which need to be considered. The data center should have a comprehensive continuity-of-operations plan (COOP), preferably conforming to US Federal Emergency Management Agency (FEMA) standards. There should be a plan to help integrate with, or provide a liaison to assist cooperative use with, the customer’s COOP. There may need to be security measures to protect the data center from physical attack, depending on the value of the data housed. There should also be legal measures defined to handle compromises and loss of service.
The next layer we will discuss is the network; “An essential characteristic of cloud computing is that the provider provides and controls the network access between the customer data and the users across the internet, (Spring, 2011).” This is typically assumed by the customer to be the most secured aspect of the service they are purchasing and easily can be the most vulnerable. In this layer, policy should delegate the use of protections such as firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs) and network border proxies. Policies around the network layer should include guidelines on IP domain name and address controls. Procedures such as address masking, private connections and network protocols, security certificates and data encryption can be discussed here. Additional policies which can help to deal with risks on the network include logging and access analysis as well as data flow trending, which can help determine when traffic flows may be higher than normal.
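Data flow trending as described above can be reduced to a baseline-and-threshold check. The following is an added example, not taken from the paper or its sources: it compares each traffic sample with a trailing baseline built from the median and the median absolute deviation, so one burst does not inflate the baseline it is judged against. The window size, the multiplier `k` and the sample values are assumptions.

```python
from statistics import median

# Constructed sample: megabytes transferred per 5-minute interval on one link.
SAMPLE_MB = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96,
             105, 101, 99, 103, 480, 510, 102, 98]

def flag_high_traffic(samples, window=12, k=5.0, floor=1.0):
    """Return (index, value, threshold) for samples far above the trailing baseline.

    window: number of preceding samples that form the baseline
    k:      how many robust deviations above the median counts as abnormal
    floor:  minimum deviation, so a perfectly flat baseline does not alert on noise
    """
    alerts = []
    for i in range(window, len(samples)):
        base = samples[i - window:i]
        med = median(base)
        # Median absolute deviation; 1.4826 scales it to a standard deviation
        # for normally distributed data.
        mad = median(abs(x - med) for x in base)
        threshold = med + k * max(1.4826 * mad, floor)
        if samples[i] > threshold:
            alerts.append((i, samples[i], round(threshold, 1)))
    return alerts

if __name__ == "__main__":
    for index, value, threshold in flag_high_traffic(SAMPLE_MB):
        print(f"interval {index}: {value} MB exceeds baseline threshold {threshold} MB")
```

In practice the same check would run per tenant or per network segment over the provider's flow logs, with the window sized to cover normal daily variation.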
We now move on to the hardware layer where policy can delegate security standards and controls. Proper configuration management is essential for the operation, maintenance, and in some cases the security of servers and other hardware which may be used in the cloud computing system. It’s important that policy dictate the assurance of hardware integrity and control. Uses of proper access devices such as card and biometric readers are just a few items that can be mandated to assure hardware security.
The operating system (OS) environment is one of the most important areas to have secured for it generally provides the mechanisms that control software access to data and applications. Policies relative to the OS generally include versioning maintenance and auditing procedures. Tools such as vulnerability scans, penetration testing, and security update patching are typical OS mitigation methods directed by policy. Processes such as software security assurance (SSA) used mostly in application development should be required when considering an OS or even vice versa. There are additional policy items which will support a secure OS layer in the cloud. For sake of time and breadth of this paper we will not address them all.
The final layers of the cloud environment which should have policy guidance are the middleware, application and user levels.
Our discussion on policy will conclude with inclusion of industry standards. There are several security standards we will review that can be delegated in cloud computing organizations. It may be necessary to mandate standards such as Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) if the data and applications housed in the cloud contain or process electronic health records (EHRs) or personal financial transactions which identify individuals’ private information. These and other compliance guidelines can serve as a framework for system design and operations security for organizations even if they aren’t required by law or contract to comply with them. The details of the guidelines are not important for this discussion and can easily be found in many references including the internet.
To summarize, we must understand that cloud computing is currently exploding in growth and needs to remain in balance in terms of providing economic, efficient and secured services for internal and external customers. There is a tremendous amount of risk associated with moving to the public and hybrid cloud environments that has not really existed in the private cloud or traditional internally hosted systems. The vulnerabilities are, however, similar to the classic IT models. One major differentiator from legacy IT is that cloud computing predominantly utilizes virtualized environments, which create some unique vulnerabilities. These and other more common technologies require protection mechanisms to avoid risk of exposure and destructive forces. Protection is granted through various forms of intervention to threats such as processes, mechanisms, and awareness. In order for proper intervention to effectively exist within an organization it must be recognized and actively supported by the head of the organization. This can be done in many ways; however, only by delegating it in the form of corporate security policy will it be taken seriously and uniformly. Policy needs to be organized to support the characteristics of the entire IT environment in an organization. The best way to ensure coverage is to segment it based on classic IT management while providing the flexibility to change as the outside world changes.
Bidgoli, H. (Ed.). (2006). Handbook of information security: Volume 2. Hoboken, NJ: John Wiley & Sons, Inc.
Basescu, C., Leordeanu, C., & Costan, A. (2011). Managing data access on clouds: a generic framework for enforcing security policies. IEEE Computer Society, X(11), 462-463. doi:10.1109/AINA.2011.61
1 Grobauer, B., Walloschek, T., & Stocker, E. (2011). Understanding cloud computing vulnerabilities. Security and Privacy, 9(2), 50-57. doi:10.1109/MSP.2010.115
Schuba, C. (2009). Cloud security. Sun Microsystems Briefing. Retrieved from http://blogs.oracle.com/schuba/resource/talks/20090324-cloud-security.pdf
Spring, J. (2011, March/April). Monitoring cloud computing by Layer, Part 1. Security and Privacy, 9(2), 66-68. doi:10.1109/MSP.2011.33
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.