The rise of IaaS has largely been driven by the adoption of the virtualized environment. Consequently, the security of the virtual environment is at the heart of IaaS security. This security is the foundation upon which the service lies. There are several areas of concern regarding the virtual environment and the ability to provide sufficient security. These areas include hypervisor security, the reuse of resources and tenant management.
The hypervisor creates and manages the virtual environments, making it a prime attack target. Vulnerabilities exploited in this area result in free trusted access to each tenant’s virtual environment. This is similar to the problem of the privileged user abusing the granted trust in the traditional IT environment. However, the difference in this case is that instead of the violation happening in one organization, all of the virtual environments are compromised. In an environment where a single server can support 20 organizations on average, a compromised hypervisor means 20 organizations all have the problem of the untrusted privileged user.
While hypervisor vulnerabilities fortunately are not numerous, they do exist. A piece of malware that takes over the hypervisor undetected could represent a significant opportunity for the malware creator to learn about many organizations while infecting only one physical server.
The recent reports on Stuxnet, Duqu and Flame have shown the ineffectiveness of many of the best practice security solutions. Consider the time to detect and the amount of damage done by these three pieces of malware. Next consider that they worked on networks that were not cloud subscribers, and in most cases, security software was in place. The cloud offers a consolidation of potential targets.
Malware like Duqu monitors and ex-filtrates information; if the equivalent malware were to exist for the hypervisor, that malware would be able to ex-filtrate information when the virtual environment is created, as it operates and even information about its destruction. Because the information would be ex-filtrated, it would still continue to exist, therefore, destroying the virtual environment does not guarantee the destruction of the data.
Additionally, should Duqu-like malware exist for the hypervisor, it could also modify logged information about the tenant virtual environments. This could serve two purposes: First, it would make prosecution difficult, since logs would be destroyed, and second, this same issue would allow a hacker to use the virtual environment of the cloud as a place from which to launch attacks.
At this point, it should be noted that none of these attack scenarios have actually happened. Also, the intent is not to frighten the reader; rather the intent is to inform, so you may use caution when determining if a cloud migration makes sense and, if so, how much data goes to the cloud and how much resides locally.
IaaS security: Reuse of resources and tenant management
The virtualized environment allows for dynamic resource allocation and removal, which has potential legal ramifications. If the IaaS cloud is used to launch an attack, and the CSP is unaware of this attack, the tenant attacker can remove the virtual environment before the provider has an opportunity to save the environment. Typically, users request preservation of log data when entering into agreements with the CSP, but if the cloud is being used as a launching point for attacks, the user will not likely be requesting log and other data preservation. The attacker who launches an attack from the cloud may hope to enter the murky legal area where ownership issues and jurisdiction has yet to be settled.
For the site that is attacked in the cloud, the dynamic is, naturally, different. This cloud subscriber is relying on the CSP to react in accordance with the organization’s policies. The policies and procedures performed by the organization in such events are now specified in the service-level agreement (SLA) with the provider. This SLA arrangement can work fine when the attack is launched against the tenant; the tenant point of contact (POC) will be immediately notified. However, when the attack is launched against the CSP, the tenant POC likely will not be the first party notified, therefore, the acceptable notification period must also be defined in the SLA. Immediate notification cannot be expected.
The dynamic nature of the cloud is somewhat easy to grasp: Dynamic provisioning and de-allocation of network resources, as needed, fits the “just in time” nature of many businesses. Provisioning what is needed, as it is needed, reduces waste and overhead. However, when forensics takes place, this dynamic environment introduces additional challenges when only parts of the previously deleted information can be found. Even when data is recovered, the ownership of the “found” data is now in question.
CSPs have strong motivations for separating and protecting user data. However, SLAs between provider and subscriber can only be written to cover what is known. This is at the heart of the security problem with the cloud: The ability to anticipate the next vulnerability and the effects of exploitation are undefined. Agreements work best when terms are clearly defined.
The ambiguous nature of cloud security makes the cloud an attractive target for hackers, criminals and cyber warriors. Subscribers may follow best practices in protection, only to have their data fall into the wrong hands when a zero-day attack is launched against the cloud. When such an event happens, new legal territory will be entered and the outcome will be uncertain. Perhaps, this is what is needed in order to step back from the hype and move toward a more thoughtful cloud migration path.
About the author:
Char Sample has close to 20 years of experience in Internet security, and she has been involved with integrating various security technologies in both the public and private sectors. She is a doctoral candidate at Capitol College, where her dissertation topic deals with the use of cultural markers in attack attribution.