Security

7 Security Threats in the Cloud

Top threats to the security of your cloud-based computing—and what you can do about them.

• By Adam Swidler
• 12/01/10

In a report issued this past year, the Cloud Security Alliance (CSA), a nonprofit organization formed in 2008 to promote the use of best practices for providing security assurance within cloud computing, identified the “top threats” of security and compliance risk for cloud computing. In this article, we summarize these threats and offer examples of them, as well as provide recommendations for remediation. To read the full report, you can download “Top Threats to Cloud Computing V1.0” at cloudsecurityalliance.org/topthreats.

1) Abuse and Nefarious Use of Cloud Services

Essentially these are the “bad guys” who use cloud computing resources and applications to further the reach and impact of their activities. Because cloud services provide nearly “frictionless” registration processes where users can register and immediately begin using the service, spammers, malicious code writers, and other criminals can take advantage to operate with very little chance of detection. Infrastructure as a service (IaaS) and platform as a service (PaaS) technologies can be used to execute distributed denial of service (DDoS) attacks, password and CAPTCHA cracks, as well as host botnet command and control capabilities. Software as a service (SaaS) technologies can be used to send spam e-mails at significant volumes.

Examples: IaaS services have hosted the Zeus botnet, the InfoStealer Trojan horse, and numerous Microsoft Office and Adobe PDF exploits. Webmail services have been exploited by spammers to send large amounts of spam.

Remediation: Cloud providers must implement stricter registration and validation processes, including enhanced credit card fraud detection and prevention. Providers must also aggressively and proactively monitor their own network traffic to spot patterns that are indicative of abuse. Finally, the CSA suggests proactive monitoring of public blacklists to ensure that a provider’s address is not being blocked.

Additional references:

• The Malware Domain List website maintains a list of domains that are known to host malware: malwaredomainlist.com.
• A blog post on ZDNet details how Amazon’s cloud computing service has been used as part of a botnet: blogs.zdnet.com/security/?p=5110.
• A blogger for The Washington Post looks at how spammers have used cloud computing services to send spam e-mails: voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html.

2) Insecure Interfaces and APIs

Cloud computing providers use APIs to allow customers to interact with the services. These interfaces are used to perform functions such as provisioning, management, authentication, monitoring, access control, and others, and they must be designed with protection from both accidental and malicious compromise. In addition, third parties often build value-added services upon APIs, which they then offer to their customers. This creates a layered API with increased complexity and can increase risk.

Examples: Cleartext authentication or transmission of data, anonymous access, reusable passwords, improper authorizations, and API dependencies are some examples of this threat.

Remediation: Customers must analyze the security model of the cloud service interfaces. In addition, customers should verify that strong authentication methods are used together with encrypted transmissions. Finally, there is a need to understand the dependencies that are associated with an API.

Additional references:

• An API directory and programming resources are available at programmableweb.com.
• The Websense Security Labs Blog provides a description of API threats and vulnerabilities: securitylabs.websense.com/content/Blogs/3402.aspx.

3) Malicious Insiders

While the risk of an insider behaving with malicious intent is known, the threat is potentially increased for cloud services. The presence of multiple customers’ data, all hosted with a cloud provider, could make that provider an attractive target for hobbyist hackers, organized crime, corporate espionage, etc. In addition, cloud providers may not offer visibility into how employees are granted access to physical or virtual assets, how they monitor employee actions, and how they analyze and report on policy compliance.

Remediation: Cloud customers are advised to enforce strict supply chain management practices and conduct comprehensive supplier assessments, including the cloud provider’s hiring practices and policies. Further, human resource requirements can be specified in service contracts. Customers should require transparency into overall information security practices and compliance reporting of the provider. Customers also should work with the providers to understand the security breach notification process.

Additional references:

• In “Tackling the Insider Threat,” information security guru Steve Katz describes insider threats and remediations: blogs.bankinfosecurity.com/posts.php?postID=140.
• A discussion of corporate espionage is available at technicalinfodotnet.blogspot.com/2010/01/tethered-espionage.html.

4) Shared Technology Issues

Shared infrastructure is how IaaS vendors deliver their services in a highly scalable fashion. In some cases, the underlying components (GPUs, CPU caches, etc.) were not designed to offer strong isolation capabilities for a multi-tenant deployment. Virtualization hypervisors can address much of these issues. However, even hypervisors have displayed vulnerabilities that have enabled inappropriate control or influence on the underlying systems.

Examples: Some examples of these risks include security researcher Joanna Rutkowska’s Red and Blue Pill exploits and the Cloudburst tool developed by Kostya Kortchinsky, all of which highlight potential vulnerabilities and exploits in virtualization technologies.

Remediation: Cloud providers should have an in-depth defense strategy that includes computer-, storage-, and network-security enforcement and monitoring. Strong compartmentalization should be used to ensure that individual customers do not impact other tenants on the shared infrastructure. Providers need to monitor their environments for unauthorized access, changes, and activity. The use of strong authentication methods, vulnerability scanning, and configuration audits is also recommended. Finally, service level agreements (SLAs) for patching and vulnerability remediation can also reduce risk.

Additional references:

• The research study at blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf describes potential VMware hypervisor security vulnerabilities.
• Security vulnerabilities in Microsoft’s Hyper-V are discussed at microsoft.com/technet/security/bulletin/MS10-010.mspx.

5) Data Loss or Leakage

Data loss or leakage is a risk that is common to cloud vs. on-premise architectures. Deleting or altering records without backups of the originals or delinking records from their larger context can make that data unrecoverable.

Examples: Potential problem areas include insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption; operational failures; disposal challenges; jurisdictional and political issues; data center reliability; and disaster recovery.

Remediation: To protect against these risks in the cloud, providers should encrypt data in transit; implement strong API access control; analyze data protection at design as well as run time; and/or implement strong key generation, storage, and management and destruction practices. Cloud customers can seek contractual commitments from cloud providers to wipe persistent media before it is released back into service and to specify backup and retention strategies.

Additional references:

• The Sidekick data outage of 2009 is chronicled here: en.wikipedia.org/wiki/Microsoft_data_loss_2009.
• The Flexiscale cloud storage service interruption is reported on here: news.cnet.com/8301-13846_3-10029707-62.html.
• The Sui Generis law blog discusses relevant legal decisions and the use of encryption: nylawblog.typepad.com/suigeneris/2009/11/does-cloud-computing-compromise-clients.html.

6) Account or Service Hijacking

Phishing, fraud, and exploitation of vulnerabilities can lead to account access being compromised. Attackers that gain access to your credentials can eavesdrop on your activities and transactions, manipulate data, return false information, and redirect your users to illegitimate sites. Your account can become a base for continued attacks.

Remediation: Cloud customers should prohibit the sharing of account credentials among users and across services. Where possible, customers should leverage two-factor authentication methods. They should also understand cloud providers’ security policies and SLAs. Cloud providers should employ proactive monitoring to detect unauthorized activity.

Additional references:

• Another news report on hackers exploiting cloud computing services: infoworld.com/d/cloud-computing/hackers-find-home-in-amazons-ec2-cloud-742.
• A discussion of traffic monitoring on virtual machines: vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts.

7) Unknown Risk Profile

Cloud computing offers significant potential for reduced cost, simplified IT infrastructures, and improved IT efficiency. Software versions, updates, security practices, vulnerability profiles, intrusion attempts, and security design are all factors for estimating your institution’s security posture. In some of these areas, cloud computing solutions may offer different levels of visibility compared to their on-premise counterparts. This can contribute to making it harder to “calculate” a risk profile. In reality, all infrastructures have some unknown risks.

Remediation: Cloud providers can help reduce the unknowns by disclosing applicable logs and data and by providing a partial or full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.). Monitoring and proactive alerts and notifications can also help reduce this risk.

Additional references:

• Security analyst Chenxi Wang discusses cloud computing security considerations: chenxiwang.wordpress.com/2009/11/18/36, chenxiwang.wordpress.com/2009/11/24/follow-up-cloud-security.
• The Center for Education and Research in Information Assurance and Security at Purdue University (IN) provides a summary of a cloud computing security panel discussion: cerias.purdue.edu/site/blog/post/symposium_summary_security_in_the_cloud_panel.