This fall (2009) I have talked several times about cloud computing security. The latest talk was on Nov. 2, 2009, at the 3rd International Workshop on Cloud Computing, organized by IBM as part of CASCON 2009 in Markham, Ontario.
As it happens, this was an introductory talk — many more technical details can be found online (see links below) and in the first book on this topic “Cloud Security and Privacy”.
I started by talking about various misconceptions that surround cloud computing security. While cloud security is a major issue for many — 74.6% of IT managers rate security as their top concern regarding cloud computing as reported by an IDC Enterprise Panel — there is a “cloud” of misinformation regarding this subject. I quote some of the ones I’ve read or heard:
- “The business advantages outweigh the need for strong security measures”
- “You automatically forfeit security”
- “Your provider assumes all responsibility”
- “It’s just like getting electricity”
- “You should strongly consider the size of the vendor”
The reality is that, in a cloud computing deployment architecture, the security issues involved in protecting clouds from outside threats are similar to those already facing large data centers. The main difference from the traditional enterprise security model is that responsibility is shared and divided between the cloud user and the cloud operator. The Jericho Forum has many papers about de-perimeterization and provides a “cloud cube” model to explain this in more detail.
In the cloud model, the cloud user stays responsible for application-level security (the “don’t share your password with anyone” kind of responsibility). The cloud provider keeps responsibility for physical security (doors, walls, locks, fingerprint scanners, etc.) and network security, including external firewall policies.
What they share is security for the intermediate layers of the software stack, and the level of sharing depends on the deployment architecture (i.e. Software as a Service, Platform as a Service or Infrastructure as a Service, also called the SPI model). In the SPI model, the lower the level of abstraction exposed to the user, the more security responsibility goes with it. This shared situation created the opportunity for new service providers to start offering cloud security services such as identity providers, application vulnerability scanning and external audit.
An important point to understand is that most security best practices still apply — no reason to get rid of the network firewall or the use of SSL (although recent developments by Moxie Marlinspike prove that SSL is not bullet-proof). At the same time, many security issues are amplified in a cloud computing environment.
In a SaaS deployment, application vulnerability scanning and testing is a must, as all customers can be compromised at once. Also important are the issues of secure development practices for SaaS development teams, implementation of API security, and mechanisms for preventing data loss through techniques like secure disk wipe, Ephemerize (Perlman and Arora), and Vanish (see Geambasu).
In a PaaS environment, many security problems can be solved through the use of a secure OS, such as SELinux, and pre-hardened software stacks that are patched off-line and tested for security.
In an IaaS deployment environment, virtualization (network, storage, OS) introduces new attack channels that are not yet properly understood and blocked.
There are still many challenges ahead in federated access (identity federation – SAML, Higgins, identity validation) and data loss (user-level encryption, key management, data loss prevention at both host and network level).
With so many problems, why even bother with clouds for anything but non-critical workloads? Actually, a cloud environment offers many benefits from a security perspective. Although many of the technologies mentioned below exist already, the challenge is to adapt them to a cloud environment:
- Centralized data (reduced data leaks, easier monitoring)
- Easier, faster incident response (forensic readiness, decreased evidence acquisition time, reduced downtime)
- Password assurance testing (dedicated cracking servers)
- Logging (standard logs, better log indexing and search, C2 audit trail)
In conclusion, cloud computing has its own security challenges, and some unique benefits. With clouds offering a compelling value proposition to many IT organizations, security professionals have to understand the issues and adapt their policies and technologies to this new type of deployment environment.
Some useful cloud security links:
DMTF Open Virtualization Format
Cloud Computing Interoperability Forum