Mario Santana, vice president of secure information services at cloud computing provider Terremark Worldwide Inc., spoke at Cloud Connect 2011 earlier this month in Santa Clara, Calif. SearchCloudSecurity.com caught up with him at the conference for this exclusive interview, where he talks about
SearchCloudSecurity: What are some security threats that are unique to the cloud?
Mario Santana: You’ve got a couple of things that sort of define cloud computing, one of which is virtualization. Virtualization involves some new software; some new technology that is not necessarily there outside the cloud, and wherever you’ve got a new technology, you’ve got a new risk. Specifically the most talked about risk in cloud computing and virtualization is a VM breakout, where an attacker who has compromised one virtual machine could cause code to run on either another machine in that same physical environment or on the host environment itself, break out of that isolated virtual machine. The good news is that doesn’t often; there are not many vulnerabilities that allow an attacker to do that that have been published. The last big one was in mid-2009 or so; so as far as we know that’s not very common.
Another risk, or vulnerability, of a cloud environment is due to its distributed nature. One of the good things the cloud brings is if you’re running a bunch of virtual machines on one piece of hardware and that piece of hardware is getting overloaded from too many virtual machines on it, the cloud will transfer some of those machines over to another piece of hardware that is being underutilized to load balance the various machines across various pieces of physical hardware.
But what if that other piece of hardware is in another legal jurisdiction? Now you have a virtual machine that has data and processes on it that are set up correctly for one legal jurisdiction moving to another legal jurisdiction where there might be other requirements that aren’t being met. That’s one possibility. Maybe that virtual machine has moved outside of the visibility zone of some security instrumentation and now that security isn’t able to monitor and secure that virtual machine like it used to.
So, the configuration of the virtual infrastructure allowing virtual machines to cross those kinds of boundaries is one potential risk. It’s a much more controllable one because we’re not talking about zero-day vulnerabilities like we are with the breakout scenario, but it’s high risk because there are a lot more variables involved; you have to know what the jurisdictions are and what the security sensitivity levels are of your various physical environments that you might be transferring VMs into. So, on the one hand you have more control over it, on the other hand there’s a lot more variables involved so it takes more thinking.
SearchCloudSecurity: What does Terremark do to deal with these particular security issues?
Santana: For the breakout issue, we keep patching and stay aware of any announced vulnerabilities. We actually have lots of relationships with white hat offensive security guys and become aware of these early on. We also segregate our physical infrastructure into low, high and medium risk environments. Although, risk isn’t the right word, sensitivity is a better word. If an attacker manages to compromise one of the virtual machines, even if he could break out of that virtual machine and compromise other virtual machines in that same physical environment, he would only have access to machines that are of a similar sensitivity level as the machine that was compromised in the first place.
What this means is, if you had a development machine was set up in a hurry and didn’t get the right password to fly, didn’t get patched, etc., and the attacker was able to escape out of that machine, he couldn’t access other systems except for other development machines and other sort of low-value targets like that. The theory being that if you’ve got high-value virtual machines, you’ll make sure they’re hardened, well managed, and hard to compromise, so you don’t want to want to keep your super secret stuff on the same physical hardware as your dev stuff that doesn’t get a lot of security attention.
One of the big differentiators for our cloud is the managed security services that are sort of baked in to the whole Terremark enterprise cloud offering; all the major managed security services such as IDS are baked in.
SearchCloudSecurity: Can you talk about your incident response processes and how you developed them?
Santana: Secure information services has done a whole lot of incident response over the years even before the term cloud computing was coined. So with that kind of history and expertise in incident response, what we’ve been able to do is take a lot of our techniques and hard learned lessons about documentation, procedure, relationships with law enforcement agencies -- federal and local -- and craft a plan from those basics that applies to the cloud environment. There are a few differences for example, when dealing with a subpoena, which isn’t quite an incident response, but maybe some law enforcement agency got a subpoena to gather evidence from the physical machine of one of our customers. When that happens, we have to comply, but we want to minimize the impact that has on that customer, as well as all of our other customers.
In the physical world, if it’s a co-location customer, it’s no problem, it’s very straightforward; the cops understand what the computer is, what it looks like, that it’s in a case, and they’ll take the computer they’ve got the subpoena for and be done with it. In a virtualized or a cloud environment things are grayer. There’s a lot of education that has to happen with the officers. So our relationships with law enforcement agencies help a lot. If it’s a physical machine, it’s really straightforward: Take the hard drive out, make a copy of it. For a virtual machine it’s similar in theory: Take a bit-by-bit image of the virtual disk (which is actually a file), but you have to do it in a way that the officers involved can legally swear to the authenticity and the forensic soundness of that copy. You don’t want the cops to say, “Well, I’m not sure this is going to work in court, so I’m just taking the whole physical machine.” Now, they’re taking not just the virtual machine they’re interested in all the other virtual machines on that physical processor. They might not even be sure which of several physical structures it’s involved with, so there’s a huge risk there for Terremark, the customer, and all the other customers.
So having a detailed plan and a relationship with the law enforcement agencies, explaining the plan, tweaking the plan, going through the plan to work out the kinks is essential because if you hit any unforeseen snags while the cops are serving the subpoena, that’s not going to increase their confidence in the validity of your evidence. You’ve got to iron everything out, make sure it’s nice and smooth, educate the cops, have a nice mutual relationship with them; that’s what gives us the ability to protect Terremark’s interests as well as all of our customers’ interests.