The Cloud Isn't Safe?! (Or Did Black Hat Just Scare Us?)
At last week's Black Hat USA conference in Las Vegas, a number of security researchers demonstrated new ways of attacking cloud computing services. One of the more notable presentations, "Clobbering the Cloud," looked at the vulnerabilities in Amazon's cloud infrastructure, Apple's MobileMe service, and Salesforce.com's cloud platform. Another demonstration showed how both Microsoft and Amazon used insecure methods for password retrieval. And still another presentation examined how the supposedly secure protocol SSL could be defeated.
But hacks alone aren't the only dangers to be found when moving to the cloud, as the Black Hat presentations quickly made clear. In reviewing the dangers brought up by the researchers, it was enough to make anyone wonder: is cloud computing putting us and our data at risk?
Cloud Danger #1: All Yours Eggs in One Basket
In Sensepost's presentation about cloud vulnerabilities (available here as a PowerPoint download), they make note of the fact that moving your data to a cloud service is the equivalent of "putting all your eggs in one basket." Not too long ago, we saw a perfect example of the worst-case scenario of doing just that. Earlier this year, social bookmarking site Ma.gnolia experienced a server crash that resulted in massive data loss - enough to shut down the service for good. Users' bookmarks were unrecoverable. Permanently.
While that incident may have had only a minimal impact on the world at large, Sensepost pointed out a few other examples that were much worse including that of online storage service MediaMax (also called The Linkup) which went out of business following a system administration error that deleted active customer data. Then there was the incident where Salesforce.com customers were locked out of their critical business applications during a service outage. And finally, they mentioned Nokia's Ovi crash which resulted in three weeks of lost user data as contacts simply disappeared from people's phones. There were no backups in place, either.
These incidents highlight some of the pitfalls that can come from trusting cloud services, and it's precisely for those reasons that enterprise IT is making the move at a much slower rate than consumers. This is especially true in heavily regulated industries where compliance is an issue. Sensepost's presentation quotes Tim Mather, RSA Security Strategist, on this point: "If it's non-regulated data, go ahead and explore. If it is regulated, hold on. I have not run across anyone comfortable putting sensitive/regulated data in the cloud."
Cloud Danger #2: Too Much Trust?
In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on Amazon's Elastic Compute Cloud (EC2). The first step is to create a new Amazon Machine Image (AMI) containing your applications, libraries, data, and other associated configuration settings. However, as an alternative, you could use a pre-configured templated image to get up and running quickly.
There's only one problem with that, though. While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were build by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.
Sensepost asks: Do people really just run machines other people create? Apparently, the answer is yes.
The rest of the presentation went on to demonstrate a hack that allowed them to steal others' machine time by setting up images that included "back doors" in them and tricking other EC2 customers into using those compromised images as their EC2 template.
Cloud Danger #3: Reliance on Passwords
Another issue with cloud computing services is that, despite the numerous protections built into a cloud service itself, any account is only as secure as the password used to access it. A recent example of the consequences of insecure passwords was seen during what has now become known as "Twittergate." The microblogging service Twitter had their online accounts accessed by a hacker and numerous sensitive corporate documents stolen. The documents were housed in Google's online web office service Google Docs. Although Google was not to blame for the break-in, the hack may not have ever occurred in the first place if documents were securely hosted on-site, behind a firewall. Instead, the entire company data was only one password crack away from discovery.
Password cracking is not the only threat from what is seemingly becoming a more and more archaic system for logging into online services. Weak password recovery systems are an issue, too. In a separate presentation at Black Hat, both Amazon and Microsoft's Online Services came under fire for having poor password recovery systems. That's something that should come as no surprise, Andy Cordial, Origin Storage's managing director, was quoted as saying:
"Password resetting and other security mechanisms in the cloud are always going to be a weak link, as long as user-friendliness comes ahead of security in the cloud computing beauty stakes. Expecting regular joes to whip out a two-factor authentication device for use with a cloud-driven service just isn't realistic. It's not going to happen."
But without more secure methods of gaining access to cloud services, users themselves are the weakest link. Of course, this issue is not new. IT administrators have struggled with users' lack of good security practices for years on end. Ever since computers required a password, in fact. However, the difference between a corporate network and an online account is that in a business environment, administrators can create server-enforced password policies that require users to make up passwords with certain minimum levels of complexity. They can also force users to reset their passwords on a regular basis. But in the cloud, a user could set their password to "fluffy" and never change it again.
Some cloud vendors are beginning to offer security policy control for their applications which would allow an IT admin to create and enforce stricter policies (like a secure password policy, for instance). Today, though, this is an area where many cloud applications are still lacking.
Cloud Danger #4: Encrypting Data in the Cloud
Alex Stamos, an iSec Partners researcher present at BlackHat brought up the issue of data encryption. He noted that many cloud providers do not offer encryption for their service. In a presentation done along with Andrew Becherer and Nathan Wilcox, they discussed a little-known flaw in virtual computing - virtual machines don't always have enough access to the random numbers needed to properly encrypt data. The details of this issue are highly technical, but fascinating, and the end result is that the very nature of virtual computing itself makes hacking simpler because it allows attackers to more easily guess the numbers used to generate the encryption keys.
Stamos admits that this problem isn't an immediate threat to cloud computing, but it does require more research. "It's certainly not a slam dunk," he says. "But we do think that you could potentially reduce the complexity enough that the encryption can be broken by a determined hacker."
Side note: Information Week has a good podcast interview with Stamos about this subject, too.
So, Is the Cloud Safe?
Considering the above issues, you may find yourself thinking twice about your reliance on cloud services. And if you listen to security analysts like John Pescatore of Gartner, you may be even more afraid. He was recently quoted in the Financial Times as saying:
"The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."
Yikes, right?
But is the cloud really all that bad? Is it any worse of a platform for computing than what we had before? In reality, probably not. Although the cloud will provide a new set of challenges and threats to deal with - and these will be more prevalent in the early stages of the transition - it doesn't necessarily present threats that are that dramatically worse than old-school on-site computing.
In the end, some cloud vendors will step up and make their cloud applications more secure, layering in security policies, encryption and the like while doing their best to mitigate the single-point-of-failure issues. Those vendors will eventually be rewarded for their efforts as more users, and then businesses, adopt their platform. Those that ignore the security issues will soon fall out of favor.
Today's cloud services may not be as secure as they should be, but in time they could easily rival any other computing platform... in fact, they may one day be considered more secure. Until then, though, users, and especially companies, should proceed with caution when moving to the cloud, making sure they're fully aware of not only the capabilities of the online service, but the risks as well.
Share
Facebook
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
Good works. Thanks.
A thought provoking article. The answer to me is that neither wholly in the cloud, nor wholly at home base works fully. The same principles that everybody learns (and many repeatedly relearn) about backups, archives (and the difference between the two), security, et al apply whatever environment (local or cloud) you use. If you need your data to be always available wherever you are and/or without your primary equipment and/or you don't have expertise to set up the systems yourself and several other reasons, then cloud computing services will be a great attraction - but then you should always ensure you have a backup somewhere else. Similarly, one can't always guarantee net access, so ability to work offline with your data will remain important. Its a mix and probably always will be. The issue though is that too many have been led down the path of believing in the infallibility of the cloud services and believe it - just like your corporate or home iT never fails; really!!!??!
'good works'? really? everything you (& these 'experts') mentioned are not inherent to cloud computer. they are all (except the last piece about encryption) operations issue. it doesn't matter if ur servers are local, at a hosting colo, or in the cloud. if you don't back up, you are going to lose your data. we have our servers hosted in two seperated colos in different parts of the country. if one of our colo's were to go up in flames, we'd have an exact replica ready to go at our other location. and all our servers are managed via a web front end, thus if our passwd was compromised, the hacker could get in and shutdown all our servers. again this is not inherent to the cloud. any colo set up has these issues. and to a lesser extend (on pwd issue, but more so on 'fire' situation) local server setups.
The greatest risk in taking on cloud infrastructure as a substitute for real business software installations, is not security or whatever, although these are very important - it is lack of provider liquidity and accountability.
If the provider is large and liquid, they are totally unaccountable, and you will get nothing for an outage of data loss but an apology.
If the provider is an upstart, venture funded PAAS platform, they probably have little cash reserves to see them through the rough patches, and all you will get is an email saying, "sorry, due to the current economic climate, we are closing the service, you have 72 hours to move your POS system to another provider".
It's all good. Right.
All of that stuff applies to shared and dedicated hosting.
Cloud Danger #1:
If you don't do offline backups you're a fool.
Cloud Danger #2:
Don't use any distributions that aren't packaged by a reputable vendor.
Cloud Danger #3:
All hosting companies have the same vulnerability via Cpanel etc or their various admin portals.
Cloud Danger #4:
Install your own encryption layer, just like you would have to do on a dedicated box (and can't do on a shared).
Meh!
And yet, nothing on the #1 security threat which stops the cloud model cold - DDoS.
>sigh
@ really, You are correct that none of the risks mentioned in this article are endemic to cloud computing. However, you missed the part where the author mentions that NONE of the regular mitigating controls are available.
Posted by: http://khurt.com/blog/
|
August 6, 2009 9:12 AM
It's always the information security companies soothsaying. Does it have anything to do with what they'll lose if their many thousands of customers all move their IT to a handful of Cloud service providers?
For years the infosec industry's been nothing other than reasons not to do stuff. Clould computing is happening because customers want it. Now how about getting behind those customers with some solutions that solve the problems you're talking about.
None of them are insurmountable, if they even exist as real threats in the first place.
Ian Hendry
CEO, WeCanDo.BIZ
http://www.wecando.biz
"@ really, You are correct that none of the risks mentioned in this article are endemic to cloud computing. However, you missed the part where the author mentions that NONE of the regular mitigating controls are available."
Really??? Backup is not available on the cloud? Using user-built machine images is a sensible thing to do? Puhlease!!
These are the inherent dangers of cloud computing - with encryption software usage being the real sticking point - but the real killer app for Cloud usage is in its AV potential. I think this is going to be the big tech story in the next 10 years - cloud as the killer app for all sorts of malware detection.
The issues to me going forward are two-fold:
1. When you give your data over to a third party, you give up all control of that data. You really don't know what access to your data they are giving out, you don't know if they are making money on the side marketing your names, and such, any data you save there is can be used by hackers, sure, but what about the company, or its employees? Then there's the little issue of it being used in profiling by the NSA or other agencies.
2. What if the cloud vendor goes out of business? What if they show up for work one day and find that their doors were closed, which has happened a good deal lately...where's your data? How do you get it back? Currently there aren't enough laws to protect users and corporations from someone using your data for their own gain.
Actually, I do have one more issue....this will only encourage the introduction of computer systems with no OS forcing people to pay for the use of an OS from a cloud. This has been announced as coming, Intel and VMware are already working on it. Then we will be debating the ability to control the information you see, being able to watch everything you do online, or in your home on your computer. Then we area talking about something else entirely. These technologies are dangerous and need to be avoided.
Companies can never be trusted to do "the right thing"...too much evidence out there to the contrary. Be afraid....be VERY afraid!
The greatest risk in taking on cloud infrastructure as a substitute for real business software installations, is not security kartonpiyer or whatever, although these are very important - it is lack of provider liquidity and boyacı accountability.
If the provider is large and liquid, they are totally unaccountable, and mantolama you will get nothing for an outage of data loss but an apology.
If the provider is an upstart, venture funded PAAS platform, they probably have little cash reserves to see them through the rough söve patches, and all you will get is an email saying, "sorry, due to the current economic climate, we are closing the service, you have 72 hours to move your POS system to another provider".