Article Summary of: Understanding Cloud Computing Vulnerabilities Michael R. Eldridge April 14, 2016
2 Introduction News stories abound about the almost daily occurrence of break-ins and the stealing of information from cloud computing data centers. Most times, these episodes are caused by bad user practices regarding safeguarding user login credentials. But other times, they suggest a fundamental weakness in the design or management of cloud computing resources. How can we classify and assess the risks and vulnerabilities in cloud computing and determine the necessary security controls to be implemented? In their article, Understanding Cloud Computing Vulnerabilities (Grobauer, et al, 2010), the authors differentiate between the wide-ranging security issues within general computing to those associated with cloud computing. In doing so, they define cloudspecific vulnerabilities called indicators which can be used to spotlight security controls that are frequently successful in general computing, but ineffective in the cloud. Vulnerability The Open Group s risk taxonomy describes risk factors in terms of the potential that a threat can exploit a vulnerability (loss event frequency) and the effects (probable loss magnitude) of such an attack. Loss magnitude is further divided into loss factors such as the value of lost assets, lost time and productivity, organization credibility, etc. Event frequency is driven by several factors including a threat agent s motivations (gains) versus risk to the agent and their ability to drive an attack. An attack agent s capabilities compared with the strengths of security controls define vulnerabilities which are factors in loss event frequency. This leads to the definition of vulnerability by the Open Group as the probability that an asset will be unable to resist the actions of a threat agent. The ability to resist in this case means the presence or lack of adequate security controls and implementation of security policies. For example, not applying current Operating System (OS) updates undermines a systems ability to resist attack. It s interesting to note that from a customer s standpoint, cloud computing does not really change the probable loss magnitude, as the cloud does not force a customer to have any more or less resources (data, users, etc.) that could be exploited. However, from a cloud service provider perspective, the loss impact could be significantly bigger. With this refined definition of vulnerability, a detailed review of how cloud computing can influence the loss event frequency, either by affecting security controls, or the motivations and capabilities of an attacker, can be obtained. Indicators of Cloud-Specific Vulnerabilities Cloud computing utilizes several, basic technologies to provide services to many customers via the internet and through service providers. These core technologies include web applications and services, virtualization and cryptography. The basis of cloud computing is the ability to provide pay-as-you-go services which are implemented using web based applications. The service models include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). To make these offerings cost effective for customers and profitable for providers, they must be able to scale in order to support, yet isolate many customers without incurring a per customer cost in facilities, hardware, power and support. This is done by virtualization of hardware and software which gives the appearance to customers that they are alone in using the service(s). Lastly, cryptography is used to solve other security requirements. Along with core technologies, cloud computing has several attributes which allow delivery and use of services in a cost effective
3 manner. These essential characteristics as described by the US National Institute of Standards and Technology (NSIT) are, on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity and measured service (Mell & Grance, 2009). With core technologies and essential characteristics of cloud computing as a backdrop, we can use these as indicators as to whether a vulnerability is cloud-specific. Vulnerabilities can be bounded as cloud-specific if, they are inherent in a core cloud computing technology, or have as its origin one of the NISTs essential cloud characteristics. Additionally, a vulnerability is cloud-specific if the technology or implementation limits or prevents security controls from being applied. And lastly, if the vulnerability is widespread in cloud applications. Cloud-Specific Vulnerabilities With the indicators now in hand, it is straightforward to determine which vulnerabilities are specific to cloud computing by looking at vulnerabilities that pertain to those indicators. The indicator for core technologies of web applications and services, virtualization and cryptography have many well-known vulnerabilities including virtual machine escapes, session hijacking and weak cryptography. Essential cloud characteristic vulnerabilities consist of unauthorized access to management and administrative tools, internet protocol exploits, unauthorized access to data via covert channels or by accessing data in memory or storage, and the ability to affect metering which can be used to forge billing records or avoid paying for services. The indicator of when cloud computing technology leads to ineffective or non-existent security controls, presents vulnerabilities which include key management as it pertains to generating keys through hardware in a shared environment, the lack of standard security monitoring and reporting tools for cloud resources, and the fact that many security controls are built for common, network computing and generally do not work well in virtualized, cloud computing environments. Finally, if vulnerabilities associated with the technologies and software used to implement cloud computing services are wide-spread, they are considered cloud-specific. These can include command interception, privilege escalation at the OS level, cross-site scripting and weak authentication mechanisms. An important class to this list is user behavior, i.e.; weak or bad passwords, unattended desktops, or poor security policies. Architectural Vulnerabilities Utilizing the cloud infrastructure reference architecture developed by IBM in conjunction with the University of California, Los Angeles (Youseff, et al, 2008), more detail is provided to the cloud services models which can be used to identify other cloud-specific vulnerabilities associated with the different layers that are used to implement SaaS, PaaS, and IaaS. The architecture has three parts, Supporting (IT) Infrastructure, Cloud Specific Infrastructure and Service Customer. At the center is the Cloud Software Infrastructure which provides access to lower level components such as the OS and HW through abstraction, and the Cloud Software Environment which provides application services. Together they comprise three resource types, Computational Resources, Storage and Communication. The vulnerabilities associated with these three resource types are typical in an environment where users and processes share resources, for which cloud computing depends on. These include virtual machine compromise and data leakage, weak cryptography keys because of shared hardware key generation, data compromise due to remnant data on storage devices or in memeory and network software weakness internal to VMs, such as DNS, DHCP and
4 IP vulnerabilities. Cloud Specific Infrastructure also includes Cloud Web Applications, Services & APIs, and Management Access and Authentication and Authorization processes. Again, the vulnerabilities associated with these components as well as the ones which comprise the Supporting (IT) Infrastructure are common for most computing environments, but considered cloud-specific in this context. Examples include input fuzzing at the browser to either crash applications or get them to operate in unexpected ways, interceding in the communication between client and server (man-in-the-middle), poor authorization checks and insufficient logging and monitoring. Conclusion This article provides a simple, yet comprehensive framework for identifying and understanding cloud-specific vulnerabilities. It does so by taking familiar vulnerabilities associated with noncloud based computing and classifies them into a cloud computing architecture. The result is the ability to move away from the vague fears that cloud computing is just unsafe, to a concrete taxonomy which reveals what and where the real vulnerabilities are, thus providing a practical foundation for a thorough assessment of the risks and threats in cloud computing.
5 References: [1] Brobauer, B., Walloschek, T., Stocker, E. (2010), Understanding Cloud Computing Vulnerabilities. IEEE Security & Privacy, 9(2), 50-57. [2] Mell, P., Grance, T., (2009), Effectively and Securely Using the Cloud Computing Paradigm (v0.25), US Nat l Inst. Standards and Technology presentation. http:// csrc.nist.gov/groups/sns/cloud-computing. [3] Youseff, L., Butrico, M., Da Silva, D., (2008), Towards a Unified Ontology of Cloud Computing. Proc. Grid Computing Environments Workshop (GCE), IEEE Press, doi: 10.1109/GCE.2008.4738443.