Cloud Computing: Vulnerabilities and Security
Cloud computing is a software delivery platform, that offers the flexibility and cost savings of providing technology services over the internet. Clients pay only for the services that they need, which could be anything from shared resources on a server to an entire infrastructure. Thus, Cloud computing is rapidly becoming a viable choice for small and large companies and the government alike. The flexibility and the resulting cost advantages (purchasing and maintenance) make cloud computing very attractive. However, it would also seem to be an attractive option and target for criminals. Some criminals are actually offering their ‘services’ in clouds, while others target cloud environments. The primary concern of potential adopters of cloud computing is security and privacy. However, as with many new technologies, we seem to be ready to accept a certain amount of risk for convenience and the advancement of technology. This paper evaluates and demonstrates the ways that entities are employing cloud computing and explores its unique vulnerabilities and examines some of the solutions that counter them.
Definition of a Cloud
The National Institute of Standards and Technology (NIST) defines cloud computing as: “…a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Cloud computing expands on the Software-As-A-Service (SaaS) concept introduced a few years ago in that it offers clients the ability to perform functions normally available on a desktop, in an internet environment. What marks the clouds evolution is the inclusion of the service models: Platform-As-A-Service (PaaS) and Infrastructure-As-A-Service (IaaS). Cloud detractors would say that Cloud Computing is more evolutionary than revolutionary while Cloud computing proponents rebuff this by stating that several different ideas have been merged to create the cloud thus making it unique. However, they readily agree that it has its roots in ideas like Application Service Providers (ASP’s) and Remote Storage Providers.
The Technologies of the Cloud
According to Takabi, Joshi and Ahn (2010) there are multiple technologies that come together to form the cloud, Web applications, Web Services and Virtualization. Web applications are internet based applications, such as Google docs and Web Services, which are, at their core, internet applications without a graphical user interface that perform a specific function. Virtualization or Virtual Machine (VM) is the technology that enables multiple operating systems to run on a computer concurrently. Grobauer, Walloscheck and Stoker (2011) also suggest Cryptography.
Characteristics of the Cloud
Likewise, five characteristics define a cloud environment, on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service. On-demand self-service allows clients to acquire the resources they need rapidly. Ubiquitous network access refers to the fact that the services are accessed via the internet. This means that regardless of location or means, the resources they need are available. Resource pooling refers to the fact that resources are centralized. Rapid elasticity refers to the ability to scale resources to application or system need. Measured service refers to the constant automated optimization of resources in order to provide cost effective services.
Types of Clouds
There are four recognized types of clouds: Public, Private, Hybrid and Community. Public clouds are what most people think of when they think of cloud computing. These platforms are made available to the public and are operated and maintained by third parties. Private clouds are operated behind a firewall for an organization, are managed either internally or by a service provider, and may be on or off the organizations premises. Hybrid clouds blend the Private and Public cloud approaches. Community clouds are owned and operated by several organizations and support communities with shared interests.
Adopters of Cloud Technology
Before we delve into the various implications of adopting cloud technology, let us examine how it is currently being adopted.
Private Business
The cloud provides a unique opportunity to optimize efficiency, increase collaboration, and take control of system scaling all while reducing cost, only paying for what is used and eliminating overhead costs. For some it offers the opportunity to be the basis for or expand business. Basant Narayan Singh (2009) states that SaaS providers like relative newcomers SalesForce.com and SuitCloud provide software services in the cloud, while older staples like IBM and Microsoft provide services like Blue Cloud and Azure, which are PaaS offerings. Other organizations like Yahoo! and Amazon have expanded their businesses by offering support for cloud services.
Federal Government
The United States government has undertaken an Open Government Directive. Central to the execution of this directive is increased transparency, more agency collaboration and improved contact with the public. For this to become a reality, the government is currently undertaking a consolidation of its data centers. They are leaning toward offering more centralized services and resources. Already federal government agencies are starting to consolidate. According to Elizabeth Montalbano (2011), the Navy recently placed a moratorium on spending on new hardware in favor of focusing on consolidation, which is the first logical step in the implementation of cloud computing.
Criminals
According to Matthew J. Swartz (2011), Security experts are predicting that cloud computing will not only be a tool for business and government, but for criminals also. Already security experts are seeing exploit kits provided as services. Two examples given were NeoSploit and Phoenix exploit kits. Customers simply purchase a web service configuration and victims are redirected to a backend server controlled by NeoSploit.
Unique Vulnerabilities in the Cloud
The very things that make cloud computing unique are what can trouble potential adopters of the technology. The technologies and the characteristics of the cloud have their own vulnerabilities. The technologies and characteristics have been documented above, below the vulnerabilities of each are explored.
Vulnerabilities Regarding Cloud Technology
Web Services and Applications
Web Service and Application vulnerabilities are related to offering applications over Hypertext Transfer Protocol (HTTP) including session hijacking and man-in-the-middle attacks.
Virtualization
Bob Plankers (2007) suggests that within a virtual server environment there is the possibility of Virtual Machine escape (VM Escape). In this process, an attacker breaks out of the virtual machine and gains control of the Hypervisor, which controls all of the virtual environments under its control.
Vulnerabilities Regarding Cloud Characteristics
On Demand Self-Service
Provisioning and turning off services available in your environment could come under attack from external and internal threats.
Ubiquitous Network Access
For Public clouds, services are made readily available on a network with limited trust.
Resource pooling
With a single server possibly hosting multiple systems, a single point of failure or attack exists. Even with Private clouds, there is a concentration of risk. An attacker no longer has to worry about finding and attacking multiple resources if they are centralized in one location.
Rapid Elasticity
This could be susceptible to Time of Check/Time of Use attack. Imagine requesting 10 additional resources only to find that between the request and the execution 100 additional resources were requested.
Measured Services
This technology could be adversely affected by hacking into the providers system (not necessarily aimed at any one victim) and modifying the service measurement criteria. This could result in overbilling for services provided.
Cloud Security Measures
Supporters and detractors of cloud computing recognize the apprehension that adopters may have and (Buecker, Lodewijkx, Moss, Skapinetz and Waidner, 2009) suggest several counter measures to help ensure security. Some of the counter measures detailed below should be readily applied to Private clouds, and must be in the form of a Service Level Agreement (SLA) in Public and Hybrid clouds with any outside vendors. It is also important to note that while vulnerabilities can be addressed utilizing technology as a counter measure, vulnerabilities will require supporting policy. I have categorized and summarized these suggestions as they apply to the vulnerabilities listed above.
Technology Counter Measures
Web Services and applications
Application-auditing software that scans for potential security flaws and leaks should be utilized to identify any potential problems. Secure software development and testing practices should be enacted and enlisting the help of a third-party reviewer should be considered.
Virtualization
The implementation of virtual server protection through hardened operating systems must be considered as well as the utilization of access control and the application of the principle of least privilege to management consoles.
Characteristics Counter Measures
On Demand Self-Service
Establish a firewall and ensure that proper access controls are in place. Also, establish a formal plan for automated provisioning, refrain from the use of vendor supplied passwords and ensure that all patches are applied.
Ubiquitous Network Access
Implement virtual server protection systems to allow for the scanning of root kits for malware. Be sure to enact a strong intrusion and vulnerability management program
Resource pooling
Ensure that VM instances are in multiple locations or that all instances are isolated properly.
Establish a written standard for firewall configuration and implement a formal change management process for configuration of the firewall. Document all ports necessary for business continuity.
Rapid Elasticity
Implement automatic load balancing, enact a change management process for configuration management and establish environment testing and validation
Measured Services
Implement automated provisioning; apply access rights to the provisioning system
Have a written plan in place for provisioning and consistently review provisioning and fine tune when necessary
Summary
Cloud computing is a proven software delivery platform. Just as with any technology, it must be given due diligence, planning and support in order to be successfully implemented. New and existing technologies are available to make cloud computing a viable option for business and government entities alike. Just as with any information technology project, adopters need to use Planning, Analysis, Design, Testing and appropriate and constant monitoring in order to ensure that the implementation is to the level of operation, efficiency and security that they need it to be for regulatory compliance, business practice and customer satisfaction.
References
Buecker, A., Lodewijkx, K., Moss, H., Skapinetz, K., and Waidner, M. (2009) Cloud Computing Guidance. International Business Machines (IBM) Redpaper.
Grobauer, B., Walloschek, T., Stocker, Elmar (2011, Unpublished). Understanding Cloud Computing Vulnerabilities, IEEE Security and Privacy.
The National Institute of Standards and Technology. (2009). “The NIST Definition of Cloud Computing”. (NIST Version 15, 10-7-09). Retrieved from http://www.nist.gov/itl/cloud/index.cfm
Montalbano, Elizabeth. (2011). “Navy Halts Server Buys To Facilitate Consolidation”. Information Week. Retrieved from http://www.informationweek.com/news/government/enterprise-architecture/showArticle.jhtml?articleID=229000815&queryText=navy
Planker, B. (2007). “What is VM Escape?”. Retrieved from http://lonesysadmin.net/2007/09/22/what-is-vm-escape/
Singh, Basant Narayan. (2009). “Top 10 Cloud Computing Service Providers of 2009”. Retrieved from http://www.techno-pulse.com/2009/12/top-cloud-computing-service-providers.html
Swartz, Matthew J. (2011). “Top 10 Security Predictions for 2011”. Information Week. Retrieved from http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228901638&subSection=security
Takabi, H., Joshi, James B.D., Ahn, Gail-Joon (2010, November/December). Security and Privacy Challenges in Cloud Computing Environments. IEEE Security and Privacy, 24-31.
Tuesday, May 10, 2011
Thursday, May 05, 2011
The Sandbox
(Originally posted October 29, 2008)
'Sup All,
I had the distinct displeasure of working with a tyrant of a Lead Business Analyst on a project with a health care organization. This woman was antagonistic by nature and often rubbed people the wrong way, while brown-nosing with the project manager. She probably had valuable advice to give, but it was always packaged in a gruff, cruel and condescending package and thus, any thing she said went in one ear and out of the other. You just can’t manage by fear anymore. It’s a tactic that is outdated and ineffective. People are too mature to respond to that kind of attitude and quite frankly, deserve better. I'm not sure if she came from a systems background, but she was a prime example of what you DON'T want to be as a BA Lead. She could not effectively communicate. Communication is an integral part of successful project management and is very important in team roles, especially a lead role and especially an Analyst Lead role. By the time I had been working there for 3-weeks, she had already lost me and much of the rest of the team (even people who weren’t BA’s didn’t like her). I was not happy with her, her style or her approach to me or my teammates. I continued to do my job, because as a professional, that is what you do, but I lost respect for her and was actually relieved when they decided to 'take the project in a different direction' and let us go (and all the other African-American members of the team anyway...interesting).
That experience was not very pleasurable, but I did learn a lot from the experience. I will pass along to you what I learned sparing you the scars of having to actually deal with a person like this to learn it:
1. Learn to Communicate Effectively - Everyone has a different management style, but I will bet you dollars to donuts that there is no place in the Effective Managers Book Of Knowledge (if one exists) that states that effective communication involves brow-beating or yelling at people you manage.
2. Don't keep concerns to yourself -. Keeping my feelings to myself regarding my concerns about her may have helped to alleviate the tension or at least given our Project Manager a 'heads up' that something was amiss. If you are in a situation where you think that airing your concerns will put you in jeopardy of losing your job, maybe you shouldn't be there. No one should have to work in a situation in which they feel uncomfortable telling the truth. As I said before “You deserve better”.
3. Don't burn bridges - This analysts once told me that her own father told her she was a b*tch. Her own dad told her this. So you know that you have a bit of a character flaw when the person responsible for your very existence says that you are a 'b*tch'. Dang.
Anyway, no matter how 'secure' you feel in your abilities, your ability to communicate with others in a professional and effective manner will go a long way in determining how you are perceived. The market in this town is very small, so analysts and developers here may run into each other on other projects. It is best not to ruffle the feathers of someone who could potentially determine whether you are selected to be part of a project or not. It's just the Golden Rule: Treat others the way you want to be treated. If it was up to me to hire this individual and my decision was based solely on skills, she would be a shoe-in, however, if it came down to her another individual who had lesser skill, but was more of a team player, she'd be out on her butt. She was divisive, aggressive and ultimately ineffective as a team member and especially as a team leader. Why would I want that attitude on my team?
More and more companies are expecting people to be able to work well with others. Kids who don't play well in the sandbox are not going to do well in situations like this. If you (like my example here) have issues with working with others, LEARN HOW TO. Take a communications or management class or a team building class. Remember the career you save may be your own.
Peace(V)
(Originally posted October 29, 2008)
'Sup All,
I had the distinct displeasure of working with a tyrant of a Lead Business Analyst on a project with a health care organization. This woman was antagonistic by nature and often rubbed people the wrong way, while brown-nosing with the project manager. She probably had valuable advice to give, but it was always packaged in a gruff, cruel and condescending package and thus, any thing she said went in one ear and out of the other. You just can’t manage by fear anymore. It’s a tactic that is outdated and ineffective. People are too mature to respond to that kind of attitude and quite frankly, deserve better. I'm not sure if she came from a systems background, but she was a prime example of what you DON'T want to be as a BA Lead. She could not effectively communicate. Communication is an integral part of successful project management and is very important in team roles, especially a lead role and especially an Analyst Lead role. By the time I had been working there for 3-weeks, she had already lost me and much of the rest of the team (even people who weren’t BA’s didn’t like her). I was not happy with her, her style or her approach to me or my teammates. I continued to do my job, because as a professional, that is what you do, but I lost respect for her and was actually relieved when they decided to 'take the project in a different direction' and let us go (and all the other African-American members of the team anyway...interesting).
That experience was not very pleasurable, but I did learn a lot from the experience. I will pass along to you what I learned sparing you the scars of having to actually deal with a person like this to learn it:
1. Learn to Communicate Effectively - Everyone has a different management style, but I will bet you dollars to donuts that there is no place in the Effective Managers Book Of Knowledge (if one exists) that states that effective communication involves brow-beating or yelling at people you manage.
2. Don't keep concerns to yourself -. Keeping my feelings to myself regarding my concerns about her may have helped to alleviate the tension or at least given our Project Manager a 'heads up' that something was amiss. If you are in a situation where you think that airing your concerns will put you in jeopardy of losing your job, maybe you shouldn't be there. No one should have to work in a situation in which they feel uncomfortable telling the truth. As I said before “You deserve better”.
3. Don't burn bridges - This analysts once told me that her own father told her she was a b*tch. Her own dad told her this. So you know that you have a bit of a character flaw when the person responsible for your very existence says that you are a 'b*tch'. Dang.
Anyway, no matter how 'secure' you feel in your abilities, your ability to communicate with others in a professional and effective manner will go a long way in determining how you are perceived. The market in this town is very small, so analysts and developers here may run into each other on other projects. It is best not to ruffle the feathers of someone who could potentially determine whether you are selected to be part of a project or not. It's just the Golden Rule: Treat others the way you want to be treated. If it was up to me to hire this individual and my decision was based solely on skills, she would be a shoe-in, however, if it came down to her another individual who had lesser skill, but was more of a team player, she'd be out on her butt. She was divisive, aggressive and ultimately ineffective as a team member and especially as a team leader. Why would I want that attitude on my team?
More and more companies are expecting people to be able to work well with others. Kids who don't play well in the sandbox are not going to do well in situations like this. If you (like my example here) have issues with working with others, LEARN HOW TO. Take a communications or management class or a team building class. Remember the career you save may be your own.
Peace(V)
Wednesday, May 04, 2011
A Trusted Advisor
(originally posted January 30, 2008)
'Sup All,
I recently completed a project for a client, that involved notifying the client where they would be vulnerable in a PCI compliance review. My manager wanted me to include a risk analysis that showed where they were most vulnerable. I did so and using EACH PCI compliance requirement (all 196) and created a slide that summarized my findings. I sent him the slides and the accompanying spreadsheet with my risk analysis (wieghted on priority and the status of the requirement within the company).
We presented my findings to a group of lower level executives. When we got to the slide that clearly showed that they were in trouble based on their Network Security status (as expected) the network security folks were less than pleased. My manager quickly denounced my spreadsheet and acted as though it was the first time he had seen it. I explained how I came up with my numbers and the room fell silent as the network folks pondered what they were seeing. Yet their director continued to harp on the slide and my numbers and how I weighted the requirements. My manager then says "these numbers are clearly erroneous"...which angered me to no end. The numbers don't lie. I rated at the highest (3) risk level if they had gaps. I rated them just a step below that (2) if they were planning to address it. Bear in mind that "planning" in this organization means that it's an idea and hasn't even been funded yet. Hell...I can plan to get married, but until I actually meet someone and become engaged...It ain't happening. This (at least to me) is still an area of concern for this large insurance company (that does not even encrypt their credit card data by the way). I was being completely up front and honest with them because (on the advice of another manager) I read a book called "The Trused Advisor"--a great book for consultants and for employees alike--that clearly states that in order to be a truly trusted advisor you must be willing to give good news with the bad. My manager, on the other hand, only wanted to give the "Sunny day, lambs skipping in the sunshine" view of their situation. Nevermind that I felt that he threw me under the bus by pretending that he never saw my spreadsheet before, he is giving these folks a false sense of security.
If this company experienced a breach (or should I say when), there is no way that they will pass a PCI forensic audit...NO WAY! They should know that. They should not be told that they are OKAY when they are clearly not. The network "worker bees" knew that what I presented was the truth and that is why they became silent and let their director fight for them. I didn't say a word because, one I was shocked by my manager's lack of support and two I was equally shocked by the cluelessness of this company's "director of network architecture" (or whatever title they bestowed upon him because he clearly didn't earn it by actually building any type of functional network). Bottom line is...if you are still using technology circa 1994 to transmit sensitive credit card data over a telephone line...you're not compliant...you are a laughing stock.
The next day, this same director, clearly after speaking to his staff, wrote me and my manager and backed off of his stance in the meeting stating that we should "setup work groups to discuss the validation of the requirement statuses"--in other words--"Oh...you were right...we are in trouble", but of course this is after he basically has "undressed" me in front of his team and not suprisingly, they were not copied on this email.
I guess I at least got them thinking, which in retrospect was my intention from the beginning.
Download, Rent, Buy or Borrow a book called "The Trusted Advisor", it is without a doubt the best book on consulting I've ever read. Your client will appreciate you more if you tell them the truth than if you simply blindly perform whatever they instruct you to do regardless of the consequences. Ultimately, it is their reputation on the line. Be respectful, but challenge them if you think there is a better solution. You are working in their best interest, so why not give them everything they need to be successful. It will also reflect well on you.
Peace(v)
(originally posted January 30, 2008)
'Sup All,
I recently completed a project for a client, that involved notifying the client where they would be vulnerable in a PCI compliance review. My manager wanted me to include a risk analysis that showed where they were most vulnerable. I did so and using EACH PCI compliance requirement (all 196) and created a slide that summarized my findings. I sent him the slides and the accompanying spreadsheet with my risk analysis (wieghted on priority and the status of the requirement within the company).
We presented my findings to a group of lower level executives. When we got to the slide that clearly showed that they were in trouble based on their Network Security status (as expected) the network security folks were less than pleased. My manager quickly denounced my spreadsheet and acted as though it was the first time he had seen it. I explained how I came up with my numbers and the room fell silent as the network folks pondered what they were seeing. Yet their director continued to harp on the slide and my numbers and how I weighted the requirements. My manager then says "these numbers are clearly erroneous"...which angered me to no end. The numbers don't lie. I rated at the highest (3) risk level if they had gaps. I rated them just a step below that (2) if they were planning to address it. Bear in mind that "planning" in this organization means that it's an idea and hasn't even been funded yet. Hell...I can plan to get married, but until I actually meet someone and become engaged...It ain't happening. This (at least to me) is still an area of concern for this large insurance company (that does not even encrypt their credit card data by the way). I was being completely up front and honest with them because (on the advice of another manager) I read a book called "The Trused Advisor"--a great book for consultants and for employees alike--that clearly states that in order to be a truly trusted advisor you must be willing to give good news with the bad. My manager, on the other hand, only wanted to give the "Sunny day, lambs skipping in the sunshine" view of their situation. Nevermind that I felt that he threw me under the bus by pretending that he never saw my spreadsheet before, he is giving these folks a false sense of security.
If this company experienced a breach (or should I say when), there is no way that they will pass a PCI forensic audit...NO WAY! They should know that. They should not be told that they are OKAY when they are clearly not. The network "worker bees" knew that what I presented was the truth and that is why they became silent and let their director fight for them. I didn't say a word because, one I was shocked by my manager's lack of support and two I was equally shocked by the cluelessness of this company's "director of network architecture" (or whatever title they bestowed upon him because he clearly didn't earn it by actually building any type of functional network). Bottom line is...if you are still using technology circa 1994 to transmit sensitive credit card data over a telephone line...you're not compliant...you are a laughing stock.
The next day, this same director, clearly after speaking to his staff, wrote me and my manager and backed off of his stance in the meeting stating that we should "setup work groups to discuss the validation of the requirement statuses"--in other words--"Oh...you were right...we are in trouble", but of course this is after he basically has "undressed" me in front of his team and not suprisingly, they were not copied on this email.
I guess I at least got them thinking, which in retrospect was my intention from the beginning.
Download, Rent, Buy or Borrow a book called "The Trusted Advisor", it is without a doubt the best book on consulting I've ever read. Your client will appreciate you more if you tell them the truth than if you simply blindly perform whatever they instruct you to do regardless of the consequences. Ultimately, it is their reputation on the line. Be respectful, but challenge them if you think there is a better solution. You are working in their best interest, so why not give them everything they need to be successful. It will also reflect well on you.
Peace(v)
Subscribe to:
Posts (Atom)