On April 7th, NIST convened a conference on cloud computing in Gaithersburg, MD. One of the featured sessions was a panel on cloud security. I participated in the panel with Steve Lipner of Microsoft, JC Moses of Amazon, Jonathan Smith of Penn, and Jeremy Epstein of SRI. The panel was moderated by Donna Dodson and gathered together by Lee Badger.
Before the panel, we came up with a number of questions to help drive conversation and discussion. Since this is a blog, I will reproduce the original questions with my somewhat quirky short form answers in full below. Note that Cigital Principal Consultant Scott Matsumoto who heads up Cloud Security at Cigital was instrumental in helping to formulate these thoughts. You want some cloud security? We got some.
The title of this panel is whether we can ever trust the cloud. Starting with a big general question: in a nutshell, -what- can we reasonably trust the cloud to do, or not to do?
The question of trusting the cloud should be the same as asking the question “can I trust distributed architectures (as opposed to a mainframe architecture)”. Put this way, it’s a silly question. A better question might be “what is the cost of creating a secure computing environment for <insert cloud platform name here>?”
There are two components to worry about:
1. One of the main drivers for Cloud is cost. Creating a secure computing environment requires some level of cost to compensate for security that may well be different from one’s current computing environment.
2. The answer to the cost question can only be answered WRT a specific platform since the nature (pros and cons) of the platform-provided secure controls and the weaknesses (not necessarily vulnerabilities) both vary across the plethora of platforms lumped under “Cloud.”
Remembering the answer to the last question, how does that compare with how we can reasonably trust traditional shrink wrapped software?
Wrong analogy. This probably should be (as stated above) can you trust distributed architectures over mainframe architectures?
A security perimeter is a well-known idea from computer and network security; it’s a boundary with an inside and an outside and a regulated access point; e.g., you can’t access the systems inside my security perimeter unless you are allowed by my firewall rules. From a customer’s view, how can we have meaningful security perimeters in a cloud?
Could you ever really trust the perimeter? Trusting the perimeter was an urban myth. Will that help this discussion go somewhere useful?
To the extent that a cloud is an aggregation of many very similar systems under one administrative authority, there seems to be an opportunity for an expert security team to use automated techniques to implement more consistent security practices than are likely outside a cloud. Do you buy that? Is it possible that cloud security policies may be better?
This is a good question.
The analogy to COTS software may well apply to this question. While the Cloud provider may get a boost from a critical mass of humans working on a common set of problems; it means that the solution must be generalized to apply to the broadest number of use-cases. With COTS software you get a more cost-effective solution IFF the solution designed by the COTS solves your problem. You also get a lot of other people’s baggage.
From the 1970s we have the concept of the reference monitor. It is a protective layer that regulates access to resources, like data stored in a cloud. As traditionally formulated in the seminal Anderson report, a reference monitor can be trustworthy because it is: 1) protected from tampering, 2) non-bypassable, and 3) simple. Can there be reference monitors in the cloud? Or is this just an outdated concept?
This is also a useful question.
From the NIST cloud definition, in a public cloud, “the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.” For a private cloud, “the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.” So a private cloud -could- be behind a protective firewall. In your view how do public and private clouds compare security wise?
Private VS Public should probably be evaluated through Single-tenant VS Multi-tenant.
As software people, we know that complexity is the enemy of security, and that, traditionally, for every thousand lines of good code we should expect multiple flaws. For similar features delivered to customers, are clouds more complex, less complex, about the same?
It’s the type of code that’s the issue (as opposed to LOCs). What the Web should have taught us is that we don’t want application programmers writing security controls like authentication/authorization, session mgmt., etc. We’ve become ever so slightly more secure as these controls have been sunk back into the application infrastructure (app-servers, middleware, etc) and pulled out of the apps.
Cloud means that some of security controls required to compensate for platform weaknesses are pushed into the application. That is a problem.
What is even more worrisome is that for SaaS, the controls push through the application layer and into the legal agreements. Lawyers… draw your own conclusions.
Generally, cloud-based applications depend on reliable and secure networking. Anecdotally, I seem to experience more network glitches than local freeze-ups, and networks need working DNS, routers, etc. A few thousand smartphones suddenly turned on in a conference center is also an issue. Can the network really be as reliable as the local client?
Search engines sometimes seem to know us better than we know ourselves. They aggregate data from our searches. With a scale of aggregation in the data center that is perhaps unique to cloud computing, malicious insiders in the data center might pose a unique and sobering threat to privacy. How concerned should we be?
Also meh. Expect everybody to watch everything. Act accordingly.
The Cloud Security Alliance lists account hijack as one of the top 7 threats for the cloud. For most people, the browser is the access point to the cloud, but browsers seem always to be getting smacked down at contests. E.g., see http://cansecwest.com/, with a macbook already owned this week and more likely on the way. Can we be confident that our cloud accounts are safe?
Weakest link, yadda yadda.
Multi-tenancy is a high-profile feature of clouds. It seems similar to process separation in operating systems, which has a checkered history security wise. What should give us confidence that cloud-implemented multi-tenancy will keep customer workloads really separated.
goto QUESTION 6
Considering the data replication practiced by some cloud providers and the inherent difficulty of erasing data authoritatively even when the local storage device is in hand, can we have real data delete in the cloud? Do you think it matters much?
Deletion is the most important part of backup.
What is your number 1 most important security challenge or opportunity in the cloud?
Software security uber alles.