Cloud trust or bust

Security continues to reign supreme as the primary adoption hurdle for cloud computing. While the vendor community has mounted a compelling campaign to educate users on the likely advantages service providers have in terms of security expertise, dedicated staff and other resources, a vague patina of unease around public cloud security has proved difficult to wash away. In a recent Microsoft-sponsored survey of SMBs from the U.S. and Europe, comScore researchers found that experience with cloud services can generate a high level of confidence among end users, but that security remains the primary deterrent for companies that have not yet adopted cloud: though 94 percent of respondents said the security of their organization had been positively impacted since adopting cloud, 60 percent of non-user respondents attributed their hesitation over cloud to concerns over security. In enterprise environments, security matters loom even larger. ITMD research conducted in 2012 has shown that within large enterprise IT departments nearly 75 percent of IT management views security as the most significant impediment to cloud-based systems. And though business decision makers tended to be more concerned with data access than with information security, from 44 percent to 54 percent (varying with organization size) viewed security as a key cloud concern.

This pervasive and persistent concern over cloud security points to the need for a better understanding of the ‘dark art’ as it applies to cloud. If ‘cloud’ has provoked a profusion of marketing hype, it has also created confusion around types of cloud service, deployment models and vendor offerings. Adding security concerns to the mix has produced a potent brew in which inertia becomes the best defense against the need to know and act.

Many security issues are familiar — high-profile instances of data breach and data loss have become oft-cited examples of cloud insecurity. The Cloud Security Alliance (CSA), a non-profit coalition of industry practitioners devoted to the development of best practices and education on cloud security, included account hijacking, insecure APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence and shared technology in the list of security issues in its February publication, The Notorious Nine: Cloud Computing Threats in 2013. Considered in tandem with guidelines for addressing these challenges, the CSA’s list offers a comprehensive overview of the potential risk associated with threats that are largely web-based, or that follow from laxity in an organization’s security processes or research. Missing from this list — except perhaps in the section on malicious insiders[1] — is discussion of the physical threats to servers in cloud environments.

Steve Weis, CTO, PrivateCore

At the July CSA Innovation Conference 2013, Oded Horovitz, CEO and co-founder of the Palo Alto startup PrivateCore, and company CTO Steve Weis expanded on the different “physical threat vectors” that extend beyond the damage a malicious individual might inflict. In virtualized environments, the abstraction of software and infrastructure has enabled users to consume compute resources ‘as-a-service’ without a great deal of thought about the health and operation of infrastructure components. But as Weis noted, “at the end of the day, there are still physical servers underneath the cloud, and they are operated by organizations that have supply chains.” Threats arise, he explained, when someone or something gains access to these physical machines; measures to prevent such access include video surveillance, security controls, locking up the physical machines, and so on.

In a cloud service deployment, users typically rely on the service provider to provide this physical security; however, this front line defense may not be capable of handling all threats. Weis pointed, for example, to risks associated with malicious devices that may have penetrated the supply chain: “one of the things we demoed [at the CSA Conference] was a simple hardware device that we built relatively cheaply. If this is installed in a server in the cloud, it can completely compromise the entire software stack — that means the operating system, applications, and ultimately, the end user data that is in the applications. So if your Amazon instance happened to be on a server that we compromised, all that data, all your keys and all your software may be exposed to these devices.”

While this kind of threat involves physical contact with data centre resources at some point, it may not require the intervention of a physical person. In some cases, the threat evolves when a malicious component is introduced into the supply chain and built into the physical server. According to Weis, instances of laptops, ATMs and other hardware shipping from the factory with compromised components preinstalled are not unknown. In addition, these devices may be activated remotely — a network card, for example, with a backdoor in its firmware could be activated through the network — without any end user visibility into the threat.

PrivateCore has published a video demo of a PCI DMA attack, in which a card is programmed to read memory contents from the system and exfiltrate the data over the network.
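The physical access controls described above do nothing against a device that arrives already compromised and then performs DMA from inside the chassis; the host-side mitigation is an IOMMU, which restricts the physical addresses a PCI device is allowed to reach. The following audit script is an added example, not PrivateCore's code: it checks a Linux host for that protection by parsing the IOMMU-related kernel boot options (intel_iommu, amd_iommu, iommu=pt, iommu=off) and by checking whether the kernel actually exposes IOMMU groups under /sys/kernel/iommu_groups. The function names and the sample command line are my own.

```python
"""Audit a Linux host's DMA protection (IOMMU) against rogue PCI devices.

Added example, not PrivateCore code. The pure functions take the kernel
command line and the list of /sys/kernel/iommu_groups entries as
arguments so they can be exercised offline; audit_live_host() reads the
real values when run on a host.
"""
import os
from pathlib import Path


def parse_cmdline(cmdline: str) -> dict:
    """Turn a kernel command line into {option: value}; bare flags map to ''."""
    opts = {}
    for tok in cmdline.split():
        key, _, val = tok.partition("=")
        opts[key] = val
    return opts


def iommu_cmdline_verdict(cmdline: str) -> str:
    """Classify the IOMMU-related boot options.

    'disabled' - iommu=off, intel_iommu=off or amd_iommu=off is present
    'enabled'  - intel_iommu=on, or amd_iommu=on/force, is present
    'default'  - nothing explicit; firmware and kernel defaults decide
    """
    opts = parse_cmdline(cmdline)
    if "off" in (opts.get("iommu"), opts.get("intel_iommu"), opts.get("amd_iommu")):
        return "disabled"
    if opts.get("intel_iommu") == "on" or opts.get("amd_iommu") in ("on", "force"):
        return "enabled"
    return "default"


def iommu_groups_active(group_names) -> bool:
    """True when the kernel exposes at least one IOMMU group, i.e. an IOMMU is live."""
    return any(str(name).isdigit() for name in group_names)


def dma_protection_report(cmdline: str, group_names) -> dict:
    """Combine the boot options and the live IOMMU state into findings."""
    verdict = iommu_cmdline_verdict(cmdline)
    active = iommu_groups_active(group_names)
    passthrough = parse_cmdline(cmdline).get("iommu") == "pt"
    findings = []
    if not active:
        findings.append("no IOMMU groups exposed: PCI devices can DMA into any physical address")
    if verdict == "disabled":
        findings.append("IOMMU explicitly disabled on the kernel command line")
    if active and passthrough:
        findings.append("iommu=pt: host-owned devices get identity mappings and can still DMA into host memory")
    return {"cmdline_verdict": verdict, "iommu_active": active,
            "passthrough": passthrough, "findings": findings}


def audit_live_host() -> dict:
    """Read /proc/cmdline and /sys/kernel/iommu_groups on the current host."""
    cmdline = Path("/proc/cmdline").read_text() if os.path.exists("/proc/cmdline") else ""
    groups_dir = "/sys/kernel/iommu_groups"
    groups = os.listdir(groups_dir) if os.path.isdir(groups_dir) else []
    return dma_protection_report(cmdline, groups)


if __name__ == "__main__":
    report = audit_live_host()
    for line in report["findings"] or ["IOMMU active; PCI DMA is bounded by IOMMU mappings"]:
        print(line)
```

An IOMMU only bounds DMA when a device's mappings are restrictive: iommu=pt hands host-owned devices an identity mapping of all physical memory, which is why the script flags it even when IOMMU groups exist. And an IOMMU says nothing about what a compromised component does with memory it is legitimately allowed to see, which is the gap the memory-encryption approach discussed later is aimed at.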

Todd Thiemann, VP marketing, PrivateCore

As a defense of first and last resort, many organizations currently depend on encryption. As Todd Thiemann, VP marketing, PrivateCore, explained, for data in motion, SSL and transport layer security are well established, and for data at rest there are various means to encrypt discs and storage. “But there is a hole in terms of encryption for data in use,” he added, which means that “if someone can connect back that data from memory, they can parse it, and get the encryption keys to access data at rest.” With the growing trend towards processing data with in-memory storage, this threat has taken on greater urgency: “as more architectures move towards running in-memory… as more data is actually being processed in-memory, it is entirely exposed,” Weis explained. And as more organizations run their SaaS applications in-memory, hacking threats are magnified. Thiemann likened this risk to the Willie Sutton school of thought (Sutton being an infamous robber who targeted U.S. banks because that was where the money was), data in use by in-memory cloud apps being the location of a goldmine of exposed, sensitive data.
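To make the data-in-use gap concrete, here is an added example (not PrivateCore's code) that checks a memory image for an in-use AES-128 key. Any software AES implementation keeps the expanded key schedule (176 bytes derived deterministically from the key) in RAM, so a VM snapshot, core dump or page captured by a rogue device can be tested for that structure: take each 16-byte window, run the FIPS-197 key expansion, and see whether the following 160 bytes match. Scanning your own snapshots and crash dumps this way is a useful check of whether "encrypted at rest" still means anything once an image leaves the host. The image below is constructed; a real check would read a dump file instead. All function names are my own.

```python
"""Check whether a memory image carries a live AES-128 key schedule.

Added example, not PrivateCore code. A process using AES keeps the
expanded key schedule (176 bytes for AES-128) in RAM next to the key;
that schedule is a recognisable structure, so a snapshot or core dump
can be scanned for it. The sample image below is constructed.
"""


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES polynomial 0x11b."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for shift in range(1, 5):         # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(sum(w, []))


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key_hex) for every 16-byte window whose schedule follows it."""
    hits = []
    for off in range(len(image) - 176 + 1):
        candidate = image[off:off + 16]
        if expand_key_128(candidate) == image[off:off + 176]:
            hits.append((off, candidate.hex()))
    return hits


def build_sample_image() -> bytes:
    """Constructed 'memory dump': patterned filler with a live key schedule at 1000."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
    image = bytearray((i * 7 + 3) & 0xFF for i in range(2400))
    image[200:216] = key                        # bare key, no schedule: not flagged
    image[1000:1176] = expand_key_128(key)      # schedule as an AES implementation keeps it
    return bytes(image)


if __name__ == "__main__":
    for off, key_hex in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off}: key {key_hex}")
```

The scan only recognises keys whose schedule sits next to them in memory; a bare copy of the key elsewhere in the image (offset 200 in the sample) is not flagged, and implementations that keep the schedule in hardware registers or zero it after use are not found. That limitation cuts both ways: it shows why disk and transport encryption do not help once memory itself can be read, and why the protection has to extend to the memory contents rather than rely on the key never being found.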

While all types of resource deployments, including on-premise, remote office and colocation, are vulnerable to this type of threat, cloud service provider environments are a particular target and at special risk due to two factors: the concentration of data in provider infrastructure and the increasing popularity of this deployment model. Most service providers have adopted what Weis called a “shared responsibility model” where the provider is accountable for security on everything from a certain layer down, and the user for security on applications, etc. above that designated line.

To address security gaps that may appear in this shared approach, PrivateCore has developed an open source software solution aimed at the IaaS level which protects virtual machines from the hardware platform itself. Based on full-memory encryption, this vCage technology has been integrated into the Linux KVM hypervisor to provide protection for data in program execution: “as we move up this hierarchy of disc to memory, we can now protect all those [memory] contents,” Weis explained. Users can deploy this modified hypervisor in any environment, from bare metal servers to a cloud environment, and remotely verify that the correct software has been loaded. Once verification is complete, virtual machines may be deployed to this secure platform.
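The deployment flow just described (load a hypervisor, remotely verify what was loaded, then place VMs on it) is an attestation protocol. The following is an added illustration in Python, not vCage's code: it models measured boot by hashing each loaded component into a single register, has the platform answer a verifier's nonce with an authenticated quote over that register, and returns a deploy decision only when the quote is fresh, authentic and equal to a golden value computed from approved images. A shared-key HMAC stands in for a hardware-held signing key, and the firmware, kernel and hypervisor images are constructed stand-ins; all names are my own.

```python
"""Remote verification of a loaded software stack before placing VMs on it.

Added example, not PrivateCore's vCage code. It models measured boot:
each component is hashed and folded into a register, the platform
returns a nonce-bound quote over that register, and the verifier deploys
only if the quote is fresh, authentic and equals a golden value. An HMAC
with a shared attestation key stands in for a hardware-held signing key
(an assumption for the demo); all component images are constructed.
"""
import hashlib
import hmac
import os

ATTEST_KEY = b"demo-attestation-key"   # stand-in for a hardware-held signing key

# Known-good firmware, kernel and hypervisor images (constructed stand-ins).
GOLDEN_STACK = [
    ("firmware", b"vendor-firmware-v1"),
    ("kernel", b"linux-kvm-kernel-3.x"),
    ("hypervisor", b"memory-encrypting-hypervisor-build-42"),
]


def measure_stack(components) -> tuple:
    """Fold SHA-256 of each component into a register, the way a TPM PCR is extended."""
    register = bytes(32)
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        register = hashlib.sha256(register + digest).digest()
    return register, log


def make_quote(register: bytes, nonce: bytes, attest_key: bytes) -> dict:
    """Platform side: authenticate register||nonce so the reply cannot be replayed."""
    mac = hmac.new(attest_key, register + nonce, hashlib.sha256).digest()
    return {"register": register.hex(), "nonce": nonce.hex(), "mac": mac.hex()}


def verify_quote(quote: dict, nonce: bytes, attest_key: bytes, golden: bytes) -> tuple:
    """Verifier side: freshness, then authenticity, then comparison with the golden value."""
    register = bytes.fromhex(quote["register"])
    if bytes.fromhex(quote["nonce"]) != nonce:
        return False, "stale nonce (replayed quote)"
    expected = hmac.new(attest_key, register + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(quote["mac"])):
        return False, "quote not authenticated by the attestation key"
    if register != golden:
        return False, "measured software stack differs from the approved one"
    return True, "verified: safe to deploy virtual machines"


def deploy_decision(platform_components, golden: bytes) -> tuple:
    """One attestation round trip; returns (ok, reason)."""
    nonce = os.urandom(16)                                  # verifier's challenge
    register, _log = measure_stack(platform_components)     # what the platform booted
    quote = make_quote(register, nonce, ATTEST_KEY)         # platform's reply
    return verify_quote(quote, nonce, ATTEST_KEY, golden)   # verifier's decision


# The verifier computes the golden value from the approved images, never from the platform.
GOLDEN_REGISTER, _ = measure_stack(GOLDEN_STACK)

if __name__ == "__main__":
    tampered = GOLDEN_STACK[:2] + [("hypervisor", b"hypervisor-with-an-extra-module")]
    print(deploy_decision(GOLDEN_STACK, GOLDEN_REGISTER))
    print(deploy_decision(tampered, GOLDEN_REGISTER))
```

Two details carry the security argument. The golden register is derived by the verifier from approved images and is never accepted from the platform, and the nonce binds each quote to one challenge so a recording of a good boot cannot be replayed later. What the demo cannot show is the part a hardware root of trust supplies: the register must live somewhere that the software being measured cannot rewrite, otherwise a compromised hypervisor could simply report the golden value.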

For the service provider there are several advantages to this approach. Beyond contributing an important value-add to the provider’s array of services (currently in beta, the PrivateCore solution will be delivered as a value-added service via the service provider channel as well as direct to the enterprise), as Thiemann noted, encryption of data in use means that lawful requests for information will have to be directed at the data owner, relieving the provider of increasingly frequent and sensitive requests for information. For the end user, the outcome is more control over data and apps and greater confidence in cloud security, which enables the user to take advantage of the scale and flexibility that IaaS can deliver — trust in cloud being the ultimate adoption driver.

[1] In item six of The Notorious Nine, CSA notes: “A malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive information.

From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems, and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at great risk here. Even if encryption is implemented, if the keys are not kept with the customer and are only available at data-usage time, the system is still vulnerable to malicious insider attack.”