Privacy and Security Risks with Cloud Computing Infrastructure (IaaS, SaaS

Mark Stanislav

Abstract

Computing infrastructure management often carries a huge cost, both in the manual labor needed to support and maintain it and in the capital expenditure to continually purchase new machines and replacement parts. Virtualization technology allows administrators to leverage third-party resources in order to achieve similar infrastructure implementations for a fraction of the cost. What this infrastructure convenience and cost saving gives up, however, is much of the inherent security gained by self-managing resources. While the days of IBM big-iron mainframe computing are well behind us, shared-resource computing on a smaller scale is quickly making an impact on the IT landscape. As this shift in computing infrastructure becomes more prevalent, are we prepared to handle the influx of new attack vectors and security concerns that are a part of cloud computing?

The ubiquity of cost-efficient hardware resources has created momentum behind changing the infrastructure paradigm of “each service receives a separate server”. This unofficial standard has sound reasoning behind it because it separates the failure of one piece of hardware, or a security breach, from other services. In modern computing, however, we are able to eliminate the need to maintain 100 servers in a rack to separate 100 services. Rather, we are able to consolidate those machines into, maybe, 10 high-performance, capacity-centric computing powerhouses. This consolidation through virtualization technology grants us the ability to start creating new avenues in infrastructure.

Infrastructure as a Service (IaaS) provides a variety of resources for everyone, from the two-person web hosting company to the large enterprise, to take advantage of, allowing portions or the totality of their computing infrastructure to be run outside of their walls. By removing the physical ownership of hardware resources and meshing in virtualization technologies, companies are now able to pay for their computing needs on a usage basis with no worry of “what if our hard drive dies?” or “how will we get a new fan for this server overnight?”. These traditional IT concerns are now highly mitigated by professionals who have gigantic resources on hand, with huge fault-tolerance and redundancy in place that normal companies will never be able to attain.

However, just as every convenience in information technology has a trade-off in the realm of security, IaaS has its own list of concerns for the security-conscious administrator or legal team. Amazon’s cloud-computing offerings are far and away some of the most well-known examples of what a company can take advantage of if they are in the market to offset their physical infrastructure by moving machines, databases, load balancers, and other technology into the cloud.
Take, for example, Amazon’s EC2 (Elastic Cloud Computing) infrastructure, which uses virtualization to allow technology consumers to quickly deploy hundreds of custom virtual machines (VMs) with no human interaction at all. More so, the cost of running these VM deployments is predicated only on usage -- both bandwidth and system uptime. With such ease of deployment and a juggernaut of an infrastructure company like Amazon behind the implementation, it’s fairly simple to just shift your entire company onto their cloud platform. The one cost not computed for you, however, is the security risk to your company’s information and availability.

Amazon’s EC2 uses a well-known virtualization technology released by Citrix called “Xen”. A quick introduction to this virtualization platform makes it clear that, by using an administrative console (xm console <vm-id>), a systems administrator is able to remotely connect to a VM as if they were standing in front of the monitor directly attached to a regular computer. It’s no secret that every computer has at least one administrator; but what about a company like Amazon, who may have hundreds or thousands of people tasked with maintaining their impressive backend? A computer within your walls is generally accessible by maybe an external hacker or a rogue insider, but what about letting random IT contractors have full access to your systems, off-site, as much as they want? The image of security begins to lessen with the cloud.

During the most recent Super Bowl, a digital marketing company utilized Amazon EC2 to help handle the slam of web traffic for clients who were advertising during the game. Because of EC2, the millions of web site queries made in a small window were handled; a feat that would have been near impossible without purchasing huge amounts of extra hardware that would be used once and then sold. In this scenario, the client agreed to the usage of cloud computing to help fulfill their request for service. A concern that should be at the front of cloud computing discussions by IT staff everywhere is: what are the legal implications of storing customer data at an unknown location, with unknown metrics of security, and unverified people administrating those data storage devices?

In July of 2009, a hacker broke into the Google Apps accounts of a Twitter administrative assistant, compromising confidential company documents. Twitter, a giant in technology themselves, used Google Apps to store and transfer files amongst company employees, using Google’s resources in a “Software as a Service” (SaaS) manner, leveraging a component of Google’s cloud offerings. Rather than simply setting up an internal company file-share that would only be accessible on-site or through a VPN, Twitter opened themselves up to not only having confidential data compromised, but potentially leaking methods to further compromise their physical infrastructure. What if Twitter VPN credentials were part of the file-share? Information security is often about mitigating threats, but in this example, Twitter actually created brand-new vectors.

One aspect of EC2 that may seem innocuous is the usage of the 10/8 private network space for virtual machines to conduct their network traffic through. Many systems administrators may be familiar with locking down threats of an external nature, but how much does the everyday administrator know about internal network security? There’s a potential for administrators to simply find and replace firewall rules for their transition from on-site hardware to the cloud, forgetting that while they may have a public IP address, the actual network resource they are connected to exists on Amazon’s virtual backplane. The ability to port-scan huge private IP blocks is likely to turn up at least a few notable security vulnerabilities -- could one be a Fortune 500 company?

One threat of the cloud is simply systems administrators not knowing how to maintain tight enough security to leverage shared resources. A study called “Hey, You, Get Off of My Cloud” describes how it was possible to deploy virtual machines on Amazon’s infrastructure until one was co-resident on the same hardware as a ‘target’ VM. Once a VM occupies the same hardware as a target, side-channel attacks provide a possible avenue to compromise resources. More so, targeted Denial of Service (DoS) attacks become realistic if machine RAM, CPU, cache, bandwidth, and other physical resources can be overwhelmed by the guests through exploitation or aggressive usage. If a potential attacker were able to surmise the location of a target’s virtual machine and gain co-residency with enough VMs of their own, there is increased potential to DoS resources from the inside, something that previously may have been done using large bot-nets and floods of internet traffic. The security landscape changes and new attack vectors open as resources are less easily managed by those who care most about their availability and reliability.

The east-coast power outage in 2003 made many aware of the fragility of our power grid and, more so, the potential for that fragility to be used against us in a terrorist attack. Before that outage, most were oblivious to the concern that we need to more fervently strengthen this core resource of daily life. Companies such as Rackspace and Amazon face large-scale challenges to provide high-availability computing resources to millions of customers, each of whom may have their own enemies and threats. While a company like eBay may be the constant target of hackers and generalized attacks daily, a small, but profitable, internet company may rarely see any sort of threat. By utilizing third-party consolidated infrastructure, those targeted often and those targeted rarely are both now using the same machine.
By being allocated to the same bandwidth or computing resources, there is an increased chance that a small company who was never threatened before may be the ever apparent “innocent bystander” in this new age of computing with IaaS.

On the other side of having a highly scalable infrastructure at a moment’s notice, there’s a real threat of traditional bot-nets growing beyond their boundaries within cloud infrastructure. Shell-hosting companies have often been a target of fraudulent credit card and PayPal account abuse since they are able to provide remote system resources with no verification of the “customer”. In order to create a virtual machine account with services such as Amazon EC2, Rackspace Cloud, or even Grand Rapids, MI native Fivebean, all that is required is a few minutes and a credit card. A scaled attack could be created if one stolen credit card was used to instantiate thousands of virtual machines from a few companies. Multiply this threat with scripting and hundreds of credit cards, and one consolidated attack could DoS gigantic computing resources with the same ease as a regular infected-host bot-net. The need for protection now is not just for those who use cloud computing resources, but for those who could be attacked through a planned abuse of their ubiquitous nature. This risk will only grow larger as more Virtual Private Server (VPS) companies come into play.

The landscape for cloud computing may be concerning for early adopters, but efforts are in place and growing to help make the cloud a better place for companies to exist in. CloudAudit/A6 aims to provide “a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments”. The CloudAudit/A6 effort includes members who work for companies such as Cisco, Telus, Google, VMware, Microsoft, Akamai, and other giants of technology. The Cloud Security Alliance (CSA) also exists to provide guidance in best practices around cloud services and infrastructure for companies. They aim to create consensus around guidelines to take confusion out of how to handle this emerging juggernaut of computing. The CSA membership includes employees of eBay, ING, Sallie Mae, Sun, RSA Security, Visa, McAfee, and PGP. Recommendations for standards also exist, such as SAS70 and ISO27001, until full cloud-specific ones are created.

It’s unlikely that even a large-scale cloud computing compromise will stop its momentum. Ideas which save money and man-power will always be hard to say no to. The downfall of mainframe computing was that in order to utilize it, you had to have huge machines consuming lots of power and exorbitant service contracts. In our modern computing era, those issues are gone, and, once again, we return to a shared-resources model of computing -- simpler and more elegant than ever. The benefits of cloud computing are too vast to ignore, and, as with most concerns in information security, the decision for any participant in the paradigm shift will be the same as always: how much convenience do we require to part with some of our security? Hopefully, groups such as CloudAudit/A6 and CSA will provide that answer sooner rather than later.
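
The firewall concern raised earlier, where rules carried over from on-site hardware keep treating 10/8 as a trusted internal network, can be checked mechanically. The following is an added example, not part of the original paper: it audits rules in iptables-save syntax for ACCEPT entries whose source is a broad slice of the shared private range. The sample rules, the function names, and the "wider than a /24" threshold are assumptions made for illustration.

```python
import ipaddress
import shlex

# Space shared with other tenants on the provider's backplane (EC2's 10/8 here).
SHARED_PRIVATE = ipaddress.ip_network("10.0.0.0/8")
MAX_TRUSTED_ADDRS = 256  # assumption: sources wider than a /24 count as broad

# Constructed sample in iptables-save syntax, not taken from a real host.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 10.12.40.17/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 10.12.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
"""

def parse_rule(line):
    """Map option -> value for one '-A' rule; negated ('!') matches are not handled."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        if tokens[i].startswith("-"):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule

def audit(rules_text):
    """Return (port, source, rule) for INPUT ACCEPT rules trusting broad shared space."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["chain"] != "INPUT" or rule.get("-j") != "ACCEPT":
            continue
        if "-s" not in rule:
            continue  # no source match (e.g. loopback interface rule): out of scope
        src = ipaddress.ip_network(rule["-s"], strict=False)
        if src.subnet_of(SHARED_PRIVATE) and src.num_addresses > MAX_TRUSTED_ADDRS:
            findings.append((rule.get("--dport", "any"), str(src), line))
    return findings

if __name__ == "__main__":
    for port, src, line in audit(SAMPLE_RULES):
        print(f"port {port}: accepts from {src}, which other tenants share -> {line}")
```

Rules pinned to a single peer address pass the check; the two flagged entries are the ones that would have been safe behind a company's own walls but expose a database and SSH to every other VM on the same private network.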

References

Binning, D. (2009). Top five cloud computing security issues. Retrieved March 10, 2010 from

Brodkin, J. (2008). Gartner: Seven cloud-computing security risks. Retrieved March 12, 2010 from InfoWorld:

Cloud computing security. (2010). In Wikipedia, The Free Encyclopedia. Retrieved March 29, 2010, from title=Cloud_computing_security&oldid=352128529

Keizer, G. (2009). Hacker break-in of Twitter e-mail yields secret docs. Retrieved March 10, 2010 from ComputerWorld: hacker_break_in_of_twitter_e_mail_yields_secret_docs.

Messmer, E. (2009). Cloud Security Alliance formed to promote best practices. Retrieved March 10, 2010 from NetworkWorld:

Ristenpart, T., Savage, S., Shacham, H., & Tromer, E. (2009). Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds. Retrieved March 15, 2010 from 16th ACM Conference on Computer and Communications Security: http://

Vizard, M. (2010). Gauging Cloud Security. Retrieved March 15, 2010 from CTOEdge: http://