Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS)

5/11/2018 Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS) - sl...

http://slidepdf.com/reader/full/privacy-and-security-risks-with-cloud-computing-infrastructu

Privacy and Security Risks with CloudComputing Infrastructure (IaaS, SaaS)

Mark Stanislav

[email protected]

Abstract

Computing infrastructure management is often of huge cost in terms of

both manual labor to support and maintain, as well as capital expenditures

to continually purchase new machines and replacement parts.

Virtualization technology allows administrators to leverage third-party

resources in order to achieve similar infrastructure implementations for a

fraction of the cost. A mitigating factor of this infrastructure convenience

and cost saving, however, is much of the inherent security gained by self-

managing resources. While the days of IBM big-iron mainframe

computing is well behind us, shared-resource computing on a smaller

scale is quickly making an impact on the IT landscape.

As this shift in computing infrastructure becomes more prevalent, are we

prepared to handle the influx of new attack vectors and security concerns

that are a part of cloud computing?



The ubiquity of cost-efficient hardware resources has created a momentum behind

changing the infrastructure paradigm of “each service receives a separate server”. This unofficial

standard has sound reasoning behind it because it separates the failure of one piece of hardware

or security breach from other services. In modern computing, however, we are able to eliminate

the need to maintain 100 servers in a rack to separate 100 services. Rather, we are able to

consolidate those machines into, maybe, 10 high-performance, capacity-centric computing

powerhouses. This consolidation through virtualization technology grants us the ability to start

creating new avenues in infrastructure.

Infrastructure as a Service (IaaS) provides a variance of resources for everyone, from the

two-person web hosting company to the large enterprises, to take advantage of, allowing portions

or the totality of their computing infrastructure to be ran outside of their walls. By removing the

physical ownership of hardware resources and meshing in virtualization technologies, companies

are now able to pay for their computing needs on a usage basis with no worry of “what if our

hard drive dies?” or “how will we get a new fan for this server over-night?”. These traditional IT

concerns are now highly mitigated by professionals who have gigantic resources on hand with

huge fault-tolerance and redundancy in place that normal companies will never be able to attain.

However, just as every convenience in information technology has a trade-off in the realm of

security, IaaS has its own list of concerns for the security-conscious administrator or legal team.

Amazon’s cloud-computing offerings are far-and-away some of the most well-known

examples of what a company can take advantage of if they are in the market to off-set their

physical infrastructure with machines, databases, load balancers, and other technology into the

cloud. Take, for example, Amazon’s EC2 (Elastic Cloud Computing) infrastructure which uses



virtualization to allow technology consumers to quickly deploy hundreds of custom virtual

machines (VM) with no human interaction at all. More so, the cost of running these VM

deployments is predicated only on usage -- both bandwidth and system uptime. With such ease of

deployment and a juggernaut of an infrastructure company like Amazon behind the

implementation, it’s fairly simple to just shift your entire company onto their cloud platform. The

one cost not computed for you, however, is the one of security risk to your company’s

information and availability.

Amazon’s EC2 uses a well-known virtualization technology released by Citrix called

“Xen”. A quick introduction to this virtualization platform would make it known that through

using an administrative console (xm console <vm-id>), a system’s administrator is able to

remotely connect to a VM as if they were standing in front of the monitor directly attached to a

regular computer. It’s no secret that every computer has at least one administrator; but what

about a company like Amazon who may have hundreds or thousands of people tasked with

maintaing their impressive backend? A computer within your walls is accessible generally by

maybe a external hacker or a rogue insider, but what about letting random IT contractors have

full access to your systems, off-site, as much as they want? The image of security begins to

lessen with the cloud.

During the most recent Super Bowl, a digital marketing company utilized Amazon EC2

to help handle the slam of web traffic for clients who were advertising during the game. Because

of EC2, the millions of web site queries done in a small window was handled; a feat that would

have been near impossible without purchasing huge amounts of extra hardware that would be

used once and then sold. In this scenario, the client agreed to the usage of cloud computing to



help fulfill their request for service. A concern that should be at the front of cloud computing

discussions by IT staff everywhere is: what are the legal implications of storing customer data at

an unknown location, with unknown metrics of security, and unverified people administrating

those data storage devices?

In July of 2009, a hacker broke into Google Apps accounts of a Twitter administrative

assistant, compromising confidential company documents. Twitter, a giant in technology

themselves, used Google Apps to store and transfer files amongst company employees, using

Google’s resources in a “Software as a Service” (SaaS) manner, leveraging a component of

Google’s cloud offerings. Rather than simply setting up an internal company file-share that

would only be accessible on-site or through a VPN, Twitter opened themselves up to not only

having confidential data compromised, but potentially leaking methods to further compromise

their physical infrastructure. What if Twitter VPN credentials were part of the file-share?

Information security is often about mitigating threats, but in this example, Twitter actually

created brand-new vectors.

One aspect of EC2 that may seem innocuous is the usage of the 10/8 private network

space for virtual machines to conduct their network traffic through. Many systems administrators

may be familiar with locking-down threats of an external nature, but how much does the every-

day administrator know about internal network security? There’s a potential for administrators to

simply find and replace firewall rules for their transition from on-site hardware to the cloud,

forgetting that while they may have a public IP address, the actual network resource they are

connected to is in existence on Amazon’s virtual backplane. The ability to port-scan huge private

IP blocks is likely to turn up at least a few notable security vulnerabilities -- could one be a



Fortune 500 company? One threat of the cloud is simply the lacking knowledge of systems

administrators being unaware of maintaing tight enough security to leverage shared resources.

A study called “Hey, You, Get Off of My Cloud” speaks about how it was possible to

deploy virtual machines on Amazon’s infrastructure until one was co-resident of the same

hardware as a ‘target’ VM. Once a VM occupies the same hardware as a target, side-channel

attacks provide a possible avenue to compromise resources. More so, targeted Denial of Service

(DoS) attacks become a realization if machine RAM, CPU, cache, bandwidth, and other physical

resources can be overwhelmed by the guests through exploitation or aggressive usage. If a

potential attacker was able to surmise the location of a target’s virtual machine and gain co-

residency with enough VMs of their own, there is increased potential to internally DoS resources

that may have been done prior using large bot-nets and floods of internet traffic. The security

landscape changes and new attack vectors open as resources are less easily managed by those

who care most about their availability and reliability.

The east-coast power outage in 2003 made many aware of the fragility of our power grid

and, more so, the potential for that fragility to be used against us in an attack of terrorism. Before

that outage, most were oblivious to the concern that we need to more fervently strengthen this

core resource of daily life. Companies such as Rackspace and Amazon face large-scale

challenges to provide high-availability computing resources to millions of customers, each of

whom may have their own enemies and threats. While a company like eBay may be the constant

target of hackers and generalized attacks daily, a small, but profitable, internet company may

rarely see any sort of threats. By utilizing third-party consolidated infrastructure, those targeted

often and those targeted rarely are both now using the same machine. By being allocated to the



same bandwidth or computing resources, there is an increased chance that a small company who

never was threatened before may be the ever apparent “innocent bystander” in this new age of

computing with IaaS.

On the other-side of having a highly scalable infrastructure on a moment’s notice, there’s

a real threat of traditional bot-nets growing beyond their boundaries within cloud infrastructure.

Shell-hosting companies have often been a target of fraudulent credit card and PayPal account

abuse since they are able to provide remote system resources with no verification of the

“customer”. In order to create a virtual machine account with services such as Amazon EC2,

Rackspace Cloud, or even Grand Rapids, MI native Fivebean, all that is required is a few

minutes and a credit card. A scaled attack could be created if one stolen credit card was used to

instance thousands of virtual machines from a few companies. Multiply this threat with scripting

and hundreds of credit cards, and one consolidated attack could DoS gigantic computing

resources with the same ease as a regular infected-host bot-net. The need for protection now is

not just for those who use cloud computing resources, but those who could be attacked through a

planned abuse of their ubiquitous nature. This risk will only grow larger, as more Virtual Private

Server (VPS) companies come into play.

The landscape for cloud computing may be concerning for early adopters but efforts are

in place and growing to help make the cloud a better place for companies to exist in. CloudAudit/

A6 aims to provide “a common interface and namespace that allows cloud computing providers

to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS),

platform (PaaS), and application (SaaS) environments”. The CloudAudit/A6 effort includes

members who work for companies such as Cisco, Telus, Google, VMWare, Microsoft, Akamai,



and other giants of technology. The Cloud Security Alliance (CSA) also exists to provide

guidance in best practices around cloud services and infrastructure for companies. They aim to

create consensus around guidelines to take confusion out of how to handle this emerging

juggernaut of computing. The CSA membership includes employees of eBay, ING, Sallie Mae,

Sun, RSA Security, Visa, McAfee, and PGP. Recommendations for standards also exist, such as

SAS70 and ISO27001, until full cloud-specific ones are created.

It’s unlikely that even a large-scale cloud computing comprise will stop its momentum.

Ideas which save money and man-power will always be hard to say no to. The downfall of

mainframe computing was that in order to utilize it, you had to have huge machines consuming

lots of power and exorbitant service contracts. In our modern computing era, those issues are

gone, and, once again, we return to a shared resources model of computing -- simpler and more

elegant than ever. The benefits to cloud computing are too vast to ignore, and, as most concerns

in information security, a decision for any participant in the paradigm shift will be the same as

always: how much convenience do we require to part with some of our security? Hopefully,

groups such as CloudAudit/A6 and CSA will provide that answer sooner than later.



References

Binning, D. (2009). Top five cloud computing security issues. Retrieved March 10, 2010 from

ComputerWeekly.com: http://www.computerweekly.com/articles/2010/01/12/235782/top-five-

cloud-computing-security-issues.htm.

Brodkin, J. (2008). Gartner: Seven cloud-computing security risks. Retrieved March 12, 2010from InfoWorld: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-

security-risks-853.

Cloud computing security. (2010). In Wikipedia, The Free Encyclopedia. Retrieved March 29,

2010, from http://en.wikipedia.org/w/index.php?

title=Cloud_computing_security&oldid=352128529

Keizer, G. (2009). Hacker break-in of Twitter e-mail yields secret docs. Retrieved March 10,

2010from ComputerWorld: http://www.computerworld.com/s/article/9135591/

hacker_break_in_of_twitter_e_mail_yields_secret_docs.

Messmer, E. (2009). Cloud Security Alliance formed to promote best practices . Retrieved March

10, 2010 from NetworkWorld: http://www.networkworld.com/news/2009/033109-cloud-

security-alliance.html.

Ristenpart, T.,Savage, S., Shacham, H., & Tromer, E. (2009). Hey, You, Get Off of My Cloud!

Exploring Information Leakage in Third-Party Compute Clouds . Retrieved March 15, 2010

from 16th ACM Conference on Computer and Communications Security: http://

cseweb.ucsd.edu/~hovav/papers/rtss09.html.

Vizard, M. (2010). Gauging Cloud Security. Retrieved March 15, 2010 from CTOEdge: http://

www.ctoedge.com/content/gauging-cloud-security.

http://www.ctoedge.com/

http://cseweb.ucsd.edu/


http://www.networkworld.com/











http://www.computerworld.com/

http://www.computerworld.com/

http://en.wikipedia.org/w/index.php?title=Cloud_computing_security&oldid=352128529




http://www.infoworld.com/

http://www.infoworld.com/

http://www.computerweekly.com/

http://www.computerweekly.com/

Documents

Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS)