Virtualization (started back in the 1960s by companies like General Electric, Bell Labs, and IBM) is a practice whereby the physical aspects of the hardware are virtually presented to operating systems in a way that allows more than one virtual machine (each with its own operating system) to run simultaneously on the same physical box. Cloud computing provides user and enterprise subscribers on-demand delivery of various IT services as a metered service over a network. Cloud computing offers everything from on-demand self-service, storage, and resource pooling to elasticity, automation in management, and broad network access. To further define what exactly it is, we need to consider the three major types of cloud computing—IaaS, PaaS, and SaaS. Cloud computing can be thought of as the ultimate in separation of duties. It moves system services that would otherwise be hosted internally to an external provider. It also separates the role of data owner from the role of data custodian.
Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests. IaaS is a good choice not just for day-to-day infrastructure service, but also for temporary or experimental workloads that may change unexpectedly. IaaS subscribers typically pay on a per-use basis (within a certain timeframe, for instance, or sometimes by the amount of virtual machine space used).
Platform as a Service (PaaS) is geared toward software development, as it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software. Hardware and software are hosted by the provider on its own infrastructure so customers do not have to install or build homegrown hardware and software for development work. PaaS doesn’t usually replace an organization’s actual infrastructure; instead, it just offers key services the organization may not have onsite.
Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet. SaaS benefits include easier administration, automated patch management, compatibility, and version control.
Along with the types of cloud, there are four main deployment models: public, private, community, and hybrid. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). A private cloud model is, not surprisingly, private in nature. The cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a pay-as-you-go operation. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. A hybrid cloud model is exactly what it sounds like—a composition of two or more cloud deployment models.
NIST (National Institute of Standards and Technology) released Special Publication 500-292: NIST Cloud Computing Reference Architecture to provide a “fundamental reference point to describe an overall framework that can be used government wide.” This publication defined five major roles within a cloud architecture: cloud carrier (the organization that has the responsibility of transferring the data; that is, the intermediary for connectivity and transport between subscriber and provider), cloud consumer (the individual or organization that acquires and uses cloud products and services), cloud provider (the purveyor of products and services), cloud broker (acts to manage use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers), and cloud auditor (an independent assessor of cloud service and security controls).
FedRAMP is probably the most recognized and referenced regulatory effort regarding cloud computing. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP not only provides an auditable framework for ensuring basic security controls for any government cloud effort, but also offers weekly tips for security and configuration and even has free training available on the site. The PCI Data Security Standard (PCI DSS) Cloud Special Interest Group’s Cloud Computing Guidelines also provide notable assistance and information for the cloud.
The Cloud Security Alliance (CSA) is the leading professional organization devoted to promoting cloud security best practices and organizing cloud security professionals. In addition to providing a certification on cloud security and offering all sorts of cloud-centric training, they published a general cloud enterprise architecture model to help professionals conceptualize the components of a successful cloud implementation. They also publish documentation on everything from privacy concerns to security controls, focus, and implementation.
Cloud security is really talking about two sides of the same coin—you must be concerned with the security of the provider as well as that of the subscriber. Both the provider and subscriber are responsible for security. Using virtualization introduces a hypervisor layer between the physical hardware and subscribed servers. Therefore, if you compromise the hypervisor, you compromise every guest running on it.
The Trusted Computing Model refers to an attempt to resolve computer security problems through hardware enhancements and associated software modifications. The Trusted Computing Group (TCG) is made up of a bunch of hardware and software providers who cooperate to come up with specific plans. Roots of Trust (RoT) are a set of functions within the trusted computing module that are always trusted by the computer’s operating system (OS).
Tools to assist in cloud security include CloudInspect and CloudPassage Halo. Core’s CloudInspect is “a tool that profits from the Core Impact & Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users.” It’s designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription. CloudPassage’s Halo “provides instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds. The Halo platform is delivered as a service, so it deploys in minutes and scales on-demand. Halo uses minimal system resources, so layered security can be deployed where it counts, right at every workload—servers, instances and containers.” Other cloud-specific tools and toolsets mentioned include Dell Cloud Manager, Qualys Cloud Suite, Trend Micro’s “Instant On” Cloud Security, and Panda Cloud Office Protection.
Cloud Security Alliance released a publication titled “The Notorious Nine: Cloud Computing Top Threats in 2013,” and EC-Council has its own list. Important ones to remember include:
• Data breach or loss: The malicious theft, erasure, or modification of almost anything in the cloud you can think of. While cloud providers deploy their own tools, methods, and controls to protect their overall environment, it’s generally and ultimately up to the subscribers themselves to protect their own data in the cloud. CSA recommends multifactor authentication and encryption as protection against data breaches.
• Abuse of cloud resources: If attackers can create anonymous access to cloud services, they could then leverage the tremendous resources to do whatever they want. Typically this threat isn’t necessarily a specific concern of cloud subscribers, but it’s a very valid concern for the provider. The provider should perform active monitoring to detect any abuse instances as well as have a means to protect/recover from them. Generally speaking, threats of abuse of cloud services apply to the IaaS and PaaS models.
• Insecure interfaces and APIs: Cloud services rely heavily on APIs and web services to function and operate, and without them, functions like auto-scaling, authentication, authorization, and sometimes the operations of cloud applications themselves will fail. Insecure interfaces and APIs can circumvent user-defined policies and undermine input data verification efforts. Both provider and subscriber should ensure strong security controls are in place, such as strong encryption and authorization access to APIs and connectivity. This threat applies to all models of cloud.
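The "strong authorization access to APIs" that the last bullet calls for is easiest to reason about with a concrete request-signing scheme. The Python below is an added example, not code from the page or from any cloud provider: the client signs an HMAC-SHA256 over the method, path, timestamp and body hash, and the server checks freshness, signature (in constant time) and a replay cache before acting. The shared key, the `/v1/instances` path and the JSON body are constructed values for the demonstration.

```python
"""Signed API requests with freshness and replay checks (added example)."""
import hashlib
import hmac

MAX_SKEW_SECONDS = 300                 # reject timestamps too far from server time
SHARED_KEY = b"constructed-demo-key"   # constructed value; real keys live in a secret store


def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and body hash into one string so that no
    single field can be altered without invalidating the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(key, method, path, timestamp, body, signature, now, replay_cache):
    """Server side. replay_cache maps accepted signatures to their timestamps."""
    # 1. Freshness: a stale timestamp is rejected before any crypto work is done.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return (False, "stale timestamp")
    # 2. Integrity and authentication: constant-time comparison of the MAC.
    expected = sign_request(key, method, path, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return (False, "bad signature")
    # 3. Replay: a valid signature is accepted once within the freshness window.
    for sig, ts in list(replay_cache.items()):
        if now - ts > MAX_SKEW_SECONDS:
            del replay_cache[sig]          # entries outside the window can never verify again
    if signature in replay_cache:
        return (False, "replayed request")
    replay_cache[signature] = timestamp
    return (True, "ok")


def demo():
    """A valid call, a tampered body, a replay of the valid call, and a stale request."""
    now = 1_700_000_000
    path = "/v1/instances"
    body = b'{"action": "RunInstances", "count": 1}'
    cache = {}
    sig = sign_request(SHARED_KEY, "POST", path, now, body)
    tampered = body.replace(b'"count": 1', b'"count": 50')
    old_ts = now - 3600
    old_sig = sign_request(SHARED_KEY, "POST", path, old_ts, body)
    return [
        verify_request(SHARED_KEY, "POST", path, now, body, sig, now, cache),
        verify_request(SHARED_KEY, "POST", path, now, tampered, sig, now, cache),
        verify_request(SHARED_KEY, "POST", path, now, body, sig, now + 10, cache),
        verify_request(SHARED_KEY, "POST", path, old_ts, body, old_sig, now, cache),
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", "-", reason)
```

Ordering the checks as freshness, then MAC, then replay matters: the replay cache only needs to hold signatures from the current window, so the freshness check bounds its size, and the cache is only consulted after the MAC has proven the request was produced by a key holder.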
Other threats mentioned that warrant inclusion in our discussion are insufficient due diligence (for example, moving an application from one cloud environment to another and not knowing the security differences between the two), shared technology issues (multitenant environments may not provide proper isolation between systems and applications), and unknown risk profiles (subscribers simply do not know exactly what security provisions are made in the background of and by the provider). Many others, such as malicious insiders, inadequate design, and DDoS are valid for both cloud services and traditional data centers.
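The "active monitoring to detect any abuse instances" in the abuse bullet above, and the CSA multifactor recommendation in the data-breach bullet, are the kind of controls that get written as detection rules over the provider's audit trail. The Python below is an added example rather than anything from the page or from a real provider's log format: the event records and their field names (`time`, `principal`, `action`, `count`, `mfa`) are constructed, and the three rules it applies are unauthenticated access, an instance-launch burst per principal inside a sliding window, and a console login without MFA.

```python
"""Abuse detection over constructed cloud audit events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a provider-neutral shape. The field names are
# assumptions for this example, not any vendor's real audit schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "principal": "alice",     "action": "RunInstances", "count": 2,  "mfa": True},
    {"time": "2024-05-01T10:00:05Z", "principal": "ANONYMOUS", "action": "GetObject",    "count": 1,  "mfa": False},
    {"time": "2024-05-01T10:01:00Z", "principal": "build-svc", "action": "RunInstances", "count": 40, "mfa": False},
    {"time": "2024-05-01T10:02:00Z", "principal": "build-svc", "action": "RunInstances", "count": 40, "mfa": False},
    {"time": "2024-05-01T10:03:00Z", "principal": "build-svc", "action": "RunInstances", "count": 40, "mfa": False},
    {"time": "2024-05-01T10:05:00Z", "principal": "bob",       "action": "ConsoleLogin", "count": 1,  "mfa": False},
]

BURST_THRESHOLD = 100            # instances launched by one principal per window
WINDOW = timedelta(minutes=5)


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_abuse(events, burst_threshold=BURST_THRESHOLD, window=WINDOW):
    """Return (rule, principal, detail) findings for the three rules described above."""
    findings = []
    launches = defaultdict(deque)    # principal -> deque of (time, count) inside the window
    burst_reported = set()           # report one burst per principal, not one per event

    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])

        # Rule 1: any call made without an authenticated identity.
        if ev["principal"] == "ANONYMOUS":
            findings.append(("anonymous_access", ev["principal"], ev["action"]))

        # Rule 2: interactive login that skipped multifactor authentication.
        if ev["action"] == "ConsoleLogin" and not ev["mfa"]:
            findings.append(("login_without_mfa", ev["principal"], ev["action"]))

        # Rule 3: sliding-window count of launched instances per principal.
        if ev["action"] == "RunInstances":
            recent = launches[ev["principal"]]
            recent.append((t, ev["count"]))
            while recent and t - recent[0][0] > window:
                recent.popleft()                       # drop launches outside the window
            total = sum(c for _, c in recent)
            if total > burst_threshold and ev["principal"] not in burst_reported:
                findings.append(("launch_burst", ev["principal"], total))
                burst_reported.add(ev["principal"])

    return findings


if __name__ == "__main__":
    for rule, who, detail in detect_abuse(SAMPLE_EVENTS):
        print(f"{rule:20} {who:12} {detail}")
```

Against the constructed events the rules fire three times: the anonymous object read, the `build-svc` launches that reach 120 instances inside five minutes, and Bob's console login without MFA. Alice's two instances stay below the threshold and produce nothing, which is the point of a windowed count rather than an alert on every launch.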
SOAP (Service Oriented Architecture) is an API that makes it easier for application components to cooperate and exchange information on systems connected over a network. It’s designed to allow software components to deliver information directly to other components over a network. A wrapping attack occurs when a SOAP message is intercepted and the data in the envelope is changed and then sent/replayed.
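The defence against the wrapping attack described above is to verify, before trusting a SOAP envelope, that the element the signature actually covers is the very element the service is about to process. The Python below is an added example and not code from the page: it uses the standard SOAP 1.1, XML Signature and WS-Security utility namespaces, resolves the signature's `Reference URI` to the element carrying that `wsu:Id`, and requires that element to be unique and to be the envelope's `Body`. The envelopes are constructed test inputs; the check complements, and does not replace, cryptographic verification of the signature itself.

```python
"""Check that a SOAP signature covers the Body being processed (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
ID_ATTR = "{%s}Id" % NS["wsu"]

# Constructed envelope: the signature references the Body by wsu:Id.
GOOD_ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:ds="{ds}" xmlns:wsu="{wsu}">
  <soap:Header>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
    </ds:Signature>
  </soap:Header>
  <soap:Body wsu:Id="body-1"><RunInstances count="1"/></soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed envelope where the referenced Id no longer sits on the Body the
# service will process, so the signature and the processed content diverge.
RELOCATED_ENVELOPE = GOOD_ENVELOPE.replace(
    '<soap:Body wsu:Id="body-1"><RunInstances count="1"/></soap:Body>',
    '<soap:Body wsu:Id="body-2"><RunInstances count="50"/></soap:Body>',
).replace(
    "</soap:Header>",
    '  <Wrapper wsu:Id="body-1"><RunInstances count="1"/></Wrapper>\n  </soap:Header>',
)

# Constructed envelope where two elements carry the referenced Id.
DUPLICATE_ID_ENVELOPE = GOOD_ENVELOPE.replace(
    "</soap:Header>",
    '  <Wrapper wsu:Id="body-1"/>\n  </soap:Header>',
)


def signed_body_matches(envelope_xml):
    """Return (ok, reason). ok is True only when the single signature Reference
    resolves to exactly one element and that element is the envelope's Body."""
    root = ET.fromstring(envelope_xml)

    bodies = root.findall("soap:Body", NS)
    if len(bodies) != 1:
        return (False, "envelope must have exactly one Body")
    body = bodies[0]

    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return (False, "expected exactly one signature Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return (False, "only same-document references are accepted")
    ref_id = uri[1:]

    # Resolve the Id ourselves instead of trusting whatever the first match is.
    holders = [el for el in root.iter() if el.get(ID_ATTR) == ref_id]
    if len(holders) != 1:
        return (False, "referenced Id must be unique in the document")
    if holders[0] is not body:
        return (False, "signed element is not the Body being processed")
    return (True, "signed element is the Body")


if __name__ == "__main__":
    for name, env in [("good", GOOD_ENVELOPE), ("relocated", RELOCATED_ENVELOPE),
                      ("duplicate-id", DUPLICATE_ID_ENVELOPE)]:
        print(name, signed_body_matches(env))
```

The decisive line is `holders[0] is not body`: a signature can be perfectly valid over the element it references while the service executes a different `Body`, so the check ties the two together by object identity rather than by Id string alone, and the uniqueness test closes the case where an Id has been duplicated to confuse that lookup.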
Session riding is simply CSRF under a different name and deals with cloud services instead of traditional data centers. Side channel attacks, also known as cross-guest VM breach, deal with the virtualization itself: if an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to attempt a litany of attacks and efforts.