Sharing memory and disk space with strangers while software enforces security -- what could possibly go wrong?...
While these questions or concerns are constantly considered by security professionals, they become more relevant when considered in the context of platform as a service with cloud security. The cloud continues to gain in both popularity and scrutiny, making this point in time a good chance to examine PaaS security.
The hypervisor remains the most direct and effective vector for attacking the cloud, both for PaaS and infrastructure as a service. The hacking community remains committed to cracking the hypervisor, or hyperjacking. The reason for the focus on the hypervisor is that the hypervisor in cloud computing is the equivalent of root or admin in normal operating systems.
Currently, once the hardware and firmware used by the hypervisors have been cracked, not only is access easily gained, but detecting the problem becomes more difficult. A cracked hypervisor is difficult to detect due, in part, to the lack of monitoring software available at this layer. There is a second, more obvious problem for detection: a hacker who is capable of compromising the hypervisor can easily disable logging and other monitoring services or, worse yet, feed false information to monitoring systems.
The virtual environment used in platform as a service (PaaS) requires protection against attacks designed for both the physical and the virtual environment. The standard library bugs that are exploitable in the physical environment remain exploitable in the virtual environment. After all, the virtual environment is simply another instantiation of the physical environment. Additionally, exploits such as malware designed specifically for the virtual environment are an unfortunate reality, as Crisis/Morcut illustrated in 2012.
Of additional interest in the lower layers of a PaaS environment are the memory mappings. When virtual environments are created, memory and disk space are allocated for use. Programmers create software that writes to memory, and while objects are generally deallocated as part of the tear-down process, this is not guaranteed. A well-placed persistent object can act as a rootkit of sorts if it lands in the right memory location, and may proceed to affect environments at each instantiation.
Cross-tenant hacking is another path that opens the door to security issues. Configuration errors represent a large portion of PaaS security issues. Misconfigurations can inadvertently cause data loss through either cross-tenant hacking or privilege escalation by authorized users.
While there is little that can be done about hyperjacking, there are steps that can help minimize, or at least quantify, the damage from these and other PaaS attacks. Some simple rules can be applied when operating in the PaaS cloud environment. While these rules will not take care of every attack vector, they will at least make the risks manageable.
PaaS security rule 1: Assign a value to the data. Before joining the cloud, and before even entering into an agreement with the provider, determine the value of the data that you will be storing in the cloud. Simply put, some data does not belong in the shared environment. This is true even if the data is encrypted, since some of the attack vectors act as man-in-the-middle attacks when keys are exchanged. Also consider the value of data that isn't typically thought about, such as employee data.
PaaS security rule 2: Encrypt your data. While encryption does not guarantee security, it does assure privacy. But keep in mind that the mechanisms deployed do restrict access. Recognize that attacks on the hypervisor can defeat this control through man-in-the-middle attacks. For this reason, refer to rule 1.
PaaS security rule 3: Enforce the rule of least privilege. All users should be granted the minimum privileges required to run. This bears repeating because historically, when software developers have developed software in-house, the developers have been granted privileged access on isolated hosts. While the cloud model creates and destroys a temporary environment, mistakes happen, bugs occur, and the potential for the creation of permanent objects provides sufficient reason to restrict access. Failure to maintain the separation will result in a stronger need to understand rule 1.
PaaS security rule 4: Read, understand and negotiate service-level agreements (SLAs). The service-level agreement goes beyond availability and performance and is directly related to the value of the data. If the data is lost or compromised, the SLA spells out the terms for remuneration. In order for the SLA to be effective, the cloud service provider (CSP) must have adequate assets to cover the costs associated with the data valued in rule 1.
The CSP must demonstrate that it has performed due diligence on the security of the environment. The problem is that security audits are unable to detect sophisticated zero-day attacks; rather, the audit will only reveal the well-known vulnerabilities. If your site's security posture is more rigorous than that of the CSP, consider rule 1 again.
Understanding your specific threat landscape should give enterprises the necessary context for decisions around cloud usage in general and PaaS security specifically. In some cases, migrating to the cloud offers a chance to maintain or even improve an organization's security posture. In other cases, the cloud migration creates new problems. In either case, determine the value of the data first and use that information to determine the way forward.
About the author:
Dr. Char Sample, a cybersecurity researcher and fellow at ICF International, has 20 years of experience in internet and information security. She previously served as a research scientist and security solutions engineer with CERT at Carnegie-Mellon University. In addition to her role at ICF International, Sample is a visiting researcher and international fellow for cybersecurity at the University of Warwick in the U.K.