Security: Tip Toeing Through the Clouds

Wednesday, September 28, 2011

Rafal Los


So what is your company doing for "cloud security"?

I've gotten that question, and you probably have too. The problem with this question is that it's completely nebulous, and there are many different answers depending on your company's disposition, market vertical, and point of view on what exactly cloud computing is.

For all the momentum Cloud Computing has picked up over the last 2 years or so, security is still an underwhelmingly small component of the overall buzz.  We've heard research into how it's relatively simple to find faults within templated, stored virtual environments but what about the security of the virtual environments themselves?

So what does cloud security mean to you? Actually... what does cloud computing mean to your organization?

The different points of view on "the cloud"

Cloud computing really means different things based on which of three perspectives you're looking from.  If you're a consumer of cloud services and you're looking to provide security to the transitional state into a cloud service, that's one perspective. 

Another is if you've built a public, hybrid, or even private cloud and you're looking to provide security for that IaaS, PaaS, or SaaS service - this can actually take two forms, consumer and provider.  The last viewpoint is from a service provider of security services from the cloud.  A cloud you don't necessarily build, but operate from to provide security related services.

You see, whether you're a consumer or service provider, there are a number of viewpoints on this whole "security in the cloud thing" ... and that's something to think about.

Securing the various viewpoints of the cloud

Given how much power and capability a cloud management operating platform delivers - it's conceivable that there are those who would like to abuse that system to gain access not only to virtual environments they shouldn't have access to but also to the data and management capability. 

That being said, how secure are these platforms we're deploying.  While I'm making no claims of a specific vulnerability, I'd like to point out a few of the less obvious things you should be thinking about if you're either attaching to, or building out such a public cloud environment.

First, let's think about provisioning and management of these vast networks of computing power.  Provisioning isn't just about spinning up an image but setting it up with the correct hardware and software capabilities if you're providing more than bare-metal Infrastructure as a Service (IaaS).  If you're moving up the stack to Platform as a Service (PaaS) you're likely provisioning an operating system built on some template you've either pre-defined, or are letting the customer build out for themselves. 

The bottom line is that there is a central point of commonality between all of your environment.  If someone were to, say, compromise your template by inserting some malware or keylogging code it would be equated to compromising every host your customers sping up and deploy... until that template is retired. 

The other scenario is purposely breaking some security provision within a configuration template or purposefully mis-configuring a security setting.  Allowing an attacker an easy way in is just as bad as exploiting the environment since either way - the goose is cooked.

An attacker compromising the management infrastructure and operating system can be catastrophic as well.  Maliciously destroying cloud instances, mixing security and system policy in a multi-tenant environment, or some other form of chaos can quickly destroy your customers appliations and data. 

Commandeering a hypervisor or management operating layer of a cloud service isn't some science fiction - it was already demonstrated on a sister concept with escaping from the virtual machine hypervisor... even at the bare-metal layers.  Taking down an This is serious stuff, and while I haven't seen it happen yet - what's to say it won't soon?  It's a very realistic attack surface.

Hopping around the clouds

If you're an attacker, it only makes sense that you're going to go after the big score.  Attackers have become more brazen, more bold today with the various anonymizing technologies available, and the abject lack of cloud security in many instances.  So what's the likely attack scenario?  Well we've already seen the one where someone uses a stolen (or cloned, whatever) credit card to purchase some compute power to crank away and attack other clouds. 

But what about the one where someone uses that same compute power and points their rage or attention inward?  What about breaking the base operating environment on top of which all this virtualization runs?  After all, many of the widely used, non-proprietary cloud management platforms are able to use vast amounts of server metal to string together a cloud environment, and you're not tied into the specific chassis of one vendor.

Imagine for a moment an attack that would break the management layer, and start hopping around through the cloud of your provider.  Better yet, imagine that that provider uses some open cloud management software and that attack can be replicated over and over across providers.

But aren't these management platforms properly vetted?

Sure they are... like lots of other software that is found to have severe security bugs in production.  Making it a cloud management platform doesn't somehow make it immune to security attack.  Let's take a peek at OpenStack for example.  It's Python... and probably has had a million eyeballs staring at it... and is likely pretty safe. 

Do you trust it?  Many corporations do, and with good reason - it's been reviewed and re-reviewed over and over... but attacks against systems like this aren't uncommon even after successive review.  I'm not picking on OpenStack, but making a more general point here.

Hey, vendors with proprietary software to manage their 'cloud in a box' aren't immune from this either.  Vulnerabilities like this may and probably do exist all over the place.  The question is... who spots them first and how carefully do we work to ensure they don't show up in the first place?  Enter the old Software Security Assurance message I've been bantering about for a while now.

Look, my point is, every piece of software is subject to security bugs, but be careful what you put up out there in the clouds.  If you're implementing cloud as a management agent, check that code twice, and then check it again.  Follow standard SSA practices, and rigerously test the management layers as well as everything else.

You just can't be too careful.  As elastic cloud computing becomes more and more popular, more and more critical applications and data will be living in those multi-tenant environments... and while this is a fantastic development on many fronts - we as security professionals can't let bad software development practices we've been trying to eradicate for two decades ruin the next biggest leap in business technology!

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Virtualization Cloud Computing SaaS Managed Services vendors
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.