Tuesday, May 10, 2011

Cloud Computing: Vulnerabilities and Security

Cloud computing is a software delivery platform, that offers the flexibility and cost savings of providing technology services over the internet. Clients pay only for the services that they need, which could be anything from shared resources on a server to an entire infrastructure. Thus, Cloud computing is rapidly becoming a viable choice for small and large companies and the government alike. The flexibility and the resulting cost advantages (purchasing and maintenance) make cloud computing very attractive. However, it would also seem to be an attractive option and target for criminals. Some criminals are actually offering their ‘services’ in clouds, while others target cloud environments. The primary concern of potential adopters of cloud computing is security and privacy. However, as with many new technologies, we seem to be ready to accept a certain amount of risk for convenience and the advancement of technology. This paper evaluates and demonstrates the ways that entities are employing cloud computing and explores its unique vulnerabilities and examines some of the solutions that counter them.

Definition of a Cloud

The National Institute of Standards and Technology (NIST) defines cloud computing as: “…a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Cloud computing expands on the Software-As-A-Service (SaaS) concept introduced a few years ago in that it offers clients the ability to perform functions normally available on a desktop, in an internet environment.   What marks the clouds evolution is the inclusion of the service models: Platform-As-A-Service (PaaS) and Infrastructure-As-A-Service (IaaS).  Cloud detractors would say that Cloud Computing is more evolutionary than revolutionary while Cloud computing proponents rebuff this by stating that several different ideas have been merged to create the cloud thus making it unique. However, they readily agree that it has its roots in ideas like Application Service Providers (ASP’s) and Remote Storage Providers.

The Technologies of the Cloud

According to Takabi, Joshi and Ahn (2010) there are multiple technologies that come together to form the cloud, Web applications, Web Services and Virtualization. Web applications are internet based applications, such as Google docs and Web Services, which are, at their core, internet applications without a graphical user interface that perform a specific function. Virtualization or Virtual Machine (VM) is the technology that enables multiple operating systems to run on a computer concurrently. Grobauer, Walloscheck and Stoker (2011) also suggest Cryptography.

Characteristics of the Cloud

Likewise, five characteristics define a cloud environment, on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service. On-demand self-service allows clients to acquire the resources they need rapidly. Ubiquitous network access refers to the fact that the services are accessed via the internet. This means that regardless of location or means, the resources they need are available.  Resource pooling refers to the fact that resources are centralized. Rapid elasticity refers to the ability to scale resources to application or system need. Measured service refers to the constant automated optimization of resources in order to provide cost effective services.

Types of Clouds

There are four recognized types of clouds: Public, Private, Hybrid and Community. Public clouds are what most people think of when they think of cloud computing. These platforms are made available to the public and are operated and maintained by third parties. Private clouds are operated behind a firewall for an organization, are managed either internally or by a service provider, and may be on or off the organizations premises. Hybrid clouds blend the Private and Public cloud approaches. Community clouds are owned and operated by several organizations and support communities with shared interests.

Adopters of Cloud Technology

Before we delve into the various implications of adopting cloud technology, let us examine how it is currently being adopted.

Private Business

The cloud provides a unique opportunity to optimize efficiency, increase collaboration, and take control of system scaling all while reducing cost, only paying for what is used and eliminating overhead costs. For some it offers the opportunity to be the basis for or expand business. Basant Narayan Singh (2009) states that SaaS providers like relative newcomers SalesForce.com and SuitCloud provide software services in the cloud, while older staples like IBM and Microsoft provide services like Blue Cloud and Azure, which are PaaS offerings. Other organizations like Yahoo! and Amazon have expanded their businesses by offering support for cloud services.

Federal Government

The United States government has undertaken an Open Government Directive. Central to the execution of this directive is increased transparency, more agency collaboration and improved contact with the public. For this to become a reality, the government is currently undertaking a consolidation of its data centers. They are leaning toward offering more centralized services and resources. Already federal government agencies are starting to consolidate. According to Elizabeth Montalbano (2011), the Navy recently placed a moratorium on spending on new hardware in favor of focusing on consolidation, which is the first logical step in the implementation of cloud computing.


According to Matthew J. Swartz (2011), Security experts are predicting that cloud computing will not only be a tool for business and government, but for criminals also. Already security experts are seeing exploit kits provided as services. Two examples given were NeoSploit and Phoenix exploit kits. Customers simply purchase a web service configuration and victims are redirected to a backend server controlled by NeoSploit.

Unique Vulnerabilities in the Cloud
The very things that make cloud computing unique are what can trouble potential adopters of the technology. The technologies and the characteristics of the cloud have their own vulnerabilities. The technologies and characteristics have been documented above, below the vulnerabilities of each are explored.
Vulnerabilities Regarding Cloud Technology

Web Services and Applications

Web Service and Application vulnerabilities are related to offering applications over Hypertext Transfer Protocol (HTTP) including session hijacking and man-in-the-middle attacks.


Bob Plankers (2007) suggests that within a virtual server environment there is the possibility of Virtual Machine escape (VM Escape). In this process, an attacker breaks out of the virtual machine and gains control of the Hypervisor, which controls all of the virtual environments under its control.

Vulnerabilities Regarding Cloud Characteristics
On Demand Self-Service

Provisioning and turning off services available in your environment could come under attack from external and internal threats.

Ubiquitous Network Access
For Public clouds, services are made readily available on a network with limited trust.

Resource pooling
With a single server possibly hosting multiple systems, a single point of failure or attack exists. Even with Private clouds, there is a concentration of risk. An attacker no longer has to worry about finding and attacking multiple resources if they are centralized in one location.
Rapid Elasticity
This could be susceptible to Time of Check/Time of Use attack. Imagine requesting 10 additional resources only to find that between the request and the execution 100 additional resources were requested.
Measured Services
This technology could be adversely affected by hacking into the providers system (not necessarily aimed at any one victim) and modifying the service measurement criteria. This could result in overbilling for services provided.
Cloud Security Measures
Supporters and detractors of cloud computing recognize the apprehension that adopters may have and (Buecker, Lodewijkx, Moss, Skapinetz and Waidner, 2009) suggest several counter measures to help ensure security. Some of the counter measures detailed below should be readily applied to Private clouds, and must be in the form of a Service Level Agreement (SLA) in Public and Hybrid clouds with any outside vendors. It is also important to note that while vulnerabilities can be addressed utilizing technology as a counter measure, vulnerabilities will require supporting policy. I have categorized and summarized these suggestions as they apply to the vulnerabilities listed above.

Technology Counter Measures

Web Services and applications
Application-auditing software that scans for potential security flaws and leaks should be utilized to identify any potential problems. Secure software development and testing practices should be enacted and enlisting the help of a third-party reviewer should be considered.

The implementation of virtual server protection through hardened operating systems must be considered as well as the utilization of access control and the application of the principle of least privilege to management consoles.

Characteristics Counter Measures
On Demand Self-Service
Establish a firewall and ensure that proper access controls are in place. Also, establish a formal plan for automated provisioning, refrain from the use of vendor supplied passwords and ensure that all patches are applied.

Ubiquitous Network Access
Implement virtual server protection systems to allow for the scanning of root kits for malware. Be sure to enact a strong intrusion and vulnerability management program

Resource pooling
Ensure that VM instances are in multiple locations or that all instances are isolated properly.
Establish a written standard for firewall configuration and implement a formal change management process for configuration of the firewall. Document all ports necessary for business continuity.

Rapid Elasticity
Implement automatic load balancing, enact a change management process for configuration management and establish environment testing and validation

Measured Services
Implement automated provisioning; apply access rights to the provisioning system
Have a written plan in place for provisioning and consistently review provisioning and fine tune when necessary

Cloud computing is a proven software delivery platform. Just as with any technology, it must be given due diligence, planning and support in order to be successfully implemented. New and existing technologies are available to make cloud computing a viable option for business and government entities alike. Just as with any information technology project, adopters need to use Planning, Analysis, Design, Testing and appropriate and constant monitoring in order to ensure that the implementation is to the level of operation, efficiency and security that they need it to be for regulatory compliance, business practice and customer satisfaction.

Buecker, A., Lodewijkx, K., Moss, H., Skapinetz, K., and Waidner, M. (2009) Cloud Computing Guidance. International Business Machines (IBM) Redpaper.
Grobauer, B., Walloschek, T., Stocker, Elmar (2011, Unpublished). Understanding Cloud Computing Vulnerabilities, IEEE Security and Privacy.
The National Institute of Standards and Technology. (2009). “The NIST Definition of Cloud Computing”. (NIST Version 15, 10-7-09). Retrieved from http://www.nist.gov/itl/cloud/index.cfm
  Montalbano, Elizabeth. (2011). “Navy Halts Server Buys To Facilitate Consolidation”. Information Week. Retrieved from http://www.informationweek.com/news/government/enterprise-architecture/showArticle.jhtml?articleID=229000815&queryText=navy
  Planker, B. (2007). “What is VM Escape?”. Retrieved from http://lonesysadmin.net/2007/09/22/what-is-vm-escape/
Singh, Basant Narayan. (2009). “Top 10 Cloud Computing Service Providers of 2009”. Retrieved from http://www.techno-pulse.com/2009/12/top-cloud-computing-service-providers.html
Swartz, Matthew J. (2011). “Top 10 Security Predictions for 2011”. Information Week. Retrieved from http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228901638&subSection=security
Takabi, H., Joshi, James B.D., Ahn, Gail-Joon (2010, November/December). Security and Privacy Challenges in Cloud Computing Environments. IEEE Security and Privacy, 24-31.

No comments: