Cloud stack security: Understanding cloud VM risk scenarios

Expert Dave Shackleford explains how cloud stack security must withstand a variety of current and emerging threats, particularly cloud VM risk.

"The cloud" is an often hazily defined term that doesn't really encapsulate what is involved with making enterprise-grade cloud computing work; enterprise employees may store documents in the cloud, but they know little of the underlying technology that makes it possible to do so, never mind do so securely.

In essence, all cloud computing services are comprised of a "stack" that may include hardware assets (servers with memory, CPU, disk), virtualization technologies that run on the hardware, network components (both physical and virtual), additional computing and orchestration software, large-scale storage and virtual machines (VMs) or applications and software instances.

While this broad set of technologies opens up a world of opportunity in terms of computing capabilities, enterprises must be aware that vulnerabilities can surface in the cloud stack because of the way these technologies interact and are often shared among cloud computing customers. For example, with multiple customers' systems, applications and data hosted within a public or commercial cloud environment (likely on the same physical platforms), instituting proper isolation, segmentation and access control between virtual systems and data is essential.

On any hypervisor, a number of VMs can be hosted. Within a private network or in a private cloud, internal segmentation (or even physical separation on different physical hosts) can be maintained a bit more readily. However, in a cloud environment where internal security teams do not have control over the infrastructure (public and hybrid cloud deployments), there are risks to having multiple organizations' VMs and data running on the same physical platform. In addition, boundaries for the management and monitoring of all activity within the hypervisor are critical, as exploit attempts and attacks from other users' VMs need to be detected (or prevented) rapidly to prevent issues.

To gain a better understanding of cloud stack security vulnerabilities, let's take a look at the various threats that can crop up in different cloud models.

IaaS and PaaS threats

In an Infrastructure as a Service (IaaS) model, entire VMs are hosted in a multi-tenant environment, which means that attackers can potentially create malicious VMs in the same environment. Researchers at MIT revealed ways to locate specific physical cloud servers within the Amazon cloud, and potentially numerous other providers' environments as well. This is a fairly innovative attack that allows an attacker, through specific attributes of a victim's VM behavior, to pinpoint the physical server on which it resides. With that information obtained, the attacker could upload and run a malicious VM there, which could then be used to perform data theft attacks and others.

In November of 2012, a group of researchers exposed another potential shared technology vulnerability in IaaS models when they demonstrated a viable "side-channel" attack against VMs running on the same hypervisor platform. In the attack, one VM floods the local hardware cache, causing the target VM to overwrite some of this data with its own. Based on the data written, as well as the manner in which it's written, attackers can discern a variety of details about the target VM, including crypto keys in use for isolation and other encryption functions. This kind of attack, while potentially difficult to pull off in the cloud, demonstrates just how vulnerable multi-tenancy can make an enterprise cloud computing environment.

Platform as a Service (PaaS) environments are capable of running full VMs side by side, but consumers also have less control over their configurations; as a result of their inability to create a standalone VM, attackers may not be able to create a malicious VM as in IaaS environments. This does not mean that the PaaS model is devoid of cloud stack vulnerabilities, though, as there are other shared components like storage and APIs that could introduce risk. In the case of APIs, data could be transferred in an unencrypted fashion, or an authentication implementation may be flawed.

As for storage (something that could affect ALL cloud models), the key risk is a lack of isolation between consumer data. In April 2012, researchers at Context Information Security revealed that they had been able to download their own VM disk files from several cloud providers, and after forensic analysis, determined that other consumers' data was still present within them. The reason? The providers had failed to isolate and sanitize storage space in multi-tenant environments.
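A tenant can check for this kind of leftover data on a newly provisioned blank volume before putting it into service. The sketch below is an added example, not code from the article or from Context Information Security; the 4 KB block size, the function names and the sample image are assumptions made for illustration.

```python
import os
import re
import tempfile

BLOCK = 4096  # assumed scan granularity, not a value from the article


def scan_for_residue(path, block_size=BLOCK):
    """Return (total_blocks, dirty_ranges) for a raw volume or disk image.

    dirty_ranges lists inclusive (first, last) runs of blocks that contain
    any non-zero byte, which a blank, sanitized volume should not have.
    """
    ranges, start, index = [], None, 0
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(block_size)
            if not chunk:
                break
            dirty = chunk.count(0) != len(chunk)
            if dirty and start is None:
                start = index
            elif not dirty and start is not None:
                ranges.append((start, index - 1))
                start = None
            index += 1
    if start is not None:
        ranges.append((start, index - 1))
    return index, ranges


def printable_strings(path, first, last, block_size=BLOCK, min_len=6):
    """Pull printable ASCII runs out of a dirty range to triage what it holds."""
    with open(path, "rb") as dev:
        dev.seek(first * block_size)
        data = dev.read((last - first + 1) * block_size)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def build_sample_image():
    """Constructed sample: 16 zeroed blocks with leftover bytes in blocks 5-6."""
    image = bytearray(16 * BLOCK)
    for offset, leftover in ((5 * BLOCK + 100, b"previous-tenant-db.sqlite"),
                             (6 * BLOCK, b"\x7fELF")):
        image[offset:offset + len(leftover)] = leftover
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as out:
        out.write(image)
    return path
```

The check only makes sense on a volume that is supposed to be empty; a disk delivered with an operating system image or filesystem already on it will legitimately contain non-zero blocks.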

How to manage cloud stack risk

So what can enterprises do to combat shared technology threats? First, they must understand how much risk is actually posed by some of the attacks that have been mentioned here and elsewhere. For example, while "VM escape" attacks and hypervisor-compromise scenarios like the Blue Pill have been discussed often, the likelihood of these threats actually manifesting is, in reality, very low. Likewise, the coordination, environment knowledge and skill needed to perpetrate a side-channel attack with the aim of extracting encryption keys from a shared memory cache is extraordinary, so it's likely a negligible risk in most cloud environments.

That being said, enterprises must still take the proper precautions to ensure the cloud stack is secured. Using encryption for sensitive data and VM components can be a strong deterrent to many of these threats. Inherently, virtualization platforms support built-in segmentation and isolation, and so do most chips. In addition, network and host-based access controls can be implemented at both the physical and virtual network layer, as well as within the VMs themselves. Access control to the hypervisor must also be taken into consideration, as an attacker gaining control over the hypervisor or its management platform could be devastating.

The key for most enterprises is to ask cloud providers direct questions about their security practices, specifically how they are locking down hypervisors and other layers in the stack. In addition, find out what access controls are in place to prevent illicit access to management and orchestration applications. Examples would include user account and group management, password and multifactor authentication policies and practices and more robust identity management tools and processes.

For other questions to ask providers, the Cloud Security Alliance Consensus Assessments Initiative Questionnaire provides plenty of good examples, so this is a good place to start for any enterprise just beginning to consider these issues.

About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC, Lead Faculty at IANS, and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

This was first published in September 2013
