Pssst… For A Cup of Coffee, I’ll Say Your Cloud Is Secure

Tuesday, January 05, 2010

Cross-Posted from:

In an article entitled “Cloud computing is a trap, warns GNU founder Richard Stallman” [1] the context couldn’t have been worded better:

“It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign” … “Somebody is saying this is inevitable – and whenever you hear somebody saying that, it’s very likely to be a set of businesses campaigning to make it true.”

While many remain enamored with the clouds, I wonder if those cheering for the cloud have a solid grasp of real world security and real world risks in a real world environment. After all, we do live in a real world and not the clouds. At least, most of us.

I recently read an interesting article entitled “Amazon’s Private Cloud: Virtually Private or Maybe Private” [2] which describes Amazon’s marketing of a “VPN to the cloud” where Amazon defines a ‘VPC’ or Virtual Private Cloud. They in turn offer this VPC as the solution to a company’s security concerns, by stating: “These resources are fully isolated and can only communicate with other resources in the same Virtual Private Cloud…”

However, therein lies the problem though and it seems Amazon just doesn’t get it. Amazon and many other vendors are under the impression that they can control the mindset of an attacker but the problem is, they lack not only the resources and funding, but also the “hacker’s mindset” to do so.

Many security professionals can comment on the losing battles they’ve had in the past, have read about or have heard about when dealing with security: “It’s them against us… thousands of hackers attacking and we just don’t have the resources.” Because in a real world environment (not a research environment for those in academia), security is “right now,” “get it done,” “they’re taking down our servers.” The research on why it is happening is done post-mortem. This is reality: In a typical day, mega corporations (such as Amazon, Google, Microsoft and others) are likely being scanned millions of times for security holes. Someone is looking for a way in. Because many malicious hackers have different reasons for their attacks, the cost of hacking a mega corporation runs into the billions of dollars–and no company I can think of can compete financially with the attackers.

An explanation is due for the statement above regarding the cost of hacking a corporation versus the cost it would take a corporation to secure themselves from hackers. Suppose that we gathered every malicious hacker on the planet and solicited an hour’s worth of their time each day from every one of them. We can easily guesstimate that at any given point in time we’d have at least 1,000,000 hackers willing to compromise any mega corporation. One million man hours each day — no problem. This comes to light because there is no real money involved in collaborating with anyone else, so it is rather difficult to finger a definitive monetary value. Let’s try to be fair and realistic by taking the lowest cost associated with the cloud computing services being offered; I.E., by using the lowest cost Linux machine offered on Amazon’s EC2 service[3]. This is rated at $0.10 PER hour, thereby leaving me with a figure of $100,000.00 per hour in free research by using malicious hackers. This equates to $2,400,000.00 a day in free “antisecurity” money, or $876,000,000.00 yearly. Do you honestly believe any cloud related company is going to spend that much on security when they can spend 1% of that to market away the risk? Irrelevant? Sort of.

Jumping back into some of the technicalities associated with “security in the cloud“, I decided to start a minor technical analysis into why I initially stated that “Therein lies the problem” when speaking about Amazon’s Virtual Private Cloud (and other marketable terms such as these). However, the cost of writing this analysis would involve a lot of time, and it would also lead to a biased result. I can only call what I see, and what I see smells of “Eureka.” … “That sure is some “Superlative Heuristic Information Technology they’ve got going on”

To me, Amazon’s response appears to be focused on creating a moat in front of their cloud, and while that’s not a bad idea, in no way does this alleviate the threats inside of the cloud itself not to mention an array of other reasons to be discussed later. I sincerely dislike quoting, but I do feel the need to do so in my posts in order to drive home some points — so please bear with me:

“Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.” [4] Got root?

The bottom line is, how can you defend the outside of your cloud when you might not even be able to trust the inside of your cloud. What resources will be available for you when you decide to use the cloud? Is a cloud provider willing to allow you to perform an in-depth penetration test to ensure you meet compliance?  For now, can even forget about the outside threat to your cloud, those threats will always exist, what can you do to defend the insider? Seriously. You can throw in all of the VPN’s you want, all the VPC’s you can fathom, and it still doesn’t solve the problem. Maybe I’m wrong on this, perhaps I see things different. Or, maybe the reality is that – cloud providers – whether it is SaaS, PaaS or any other * aaS – can’t market away security as much as they’d like. So when a provider states that: “We reserve the right to invade your privacy at any given point in time,” it just doesn’t sound so appealing, especially when companies are looking to potentially store customer data in the cloud. Do you honestly want a third party viewing your customer database?

Here are some quick facts from the horse’s mouth to expound that last sentence above: [5] (NOTE: your mileage may vary):

“We were able to locate a Zeus botnet controller and promptly shut it down. We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down. Our terms of usage are clear and we continually monitor and work to make sure the services aren’t used for illegal activity. It’s important to note that we take the privacy of our customers very seriously, and don’t inspect the contents of instances. This is part of the reason that legitimate customers of all types are comfortable running production applications on Amazon EC2. However, when abuse is detected, we are able to act swiftly to isolate the abusive behavior.”

On the one hand, when Amazon discovered it was affected by a botnet controller, they state: “We were able to locate a Zeus botnet controller and promptly shut it down.” Yet in the same paragraph they also state: “It’s important to note that we take the privacy of our customers very seriously, and don’t inspect the contents of instances.”

Huh? I interpret: “We looked at an instance of something running in our cloud to validate it was a botnet and shut it down.” After all, how else could they have known anything without actually taking a peek? You really can’t have this both ways, can you Amazon states: “Abusers who choose to run their software in an environment like Amazon EC2, make it easier for us to access and disable their software.” Yet again I ask myself, “how would Amazon know whether something is a rogue or a misconfigured application, without taking a look?” Suppose, for example, a programmer fat-fingered a program [6] which inadvertently caused what seemed to Amazon to be an attack. Amazon is stating they can promptly shut it down (their words not mine). This is actually a nice thing (shutting things down), but it is also a dual edged sword since they’d have to somehow validate a problem, which meant that they’d HAVE TO look at it. If this is not the case, then at what point does Amazon validate their findings as opposed to outright blocking a service?

While this writing so far may seem to be critical of Amazon, that is not really my intention. My intention has been to slowly poke holes in the marketing of security in the cloud. Nothing more, nothing less. But enough of this for now. It’s a New Year, I’ve just returned to my desk and I haven’t had enough Starbucks – then again, I never have enough Starbucks. Please tune in next week when I’ll love the cloud so much better after so much shwag accidentally gets delivered to me via cloud computing companies – that I’ll bet the kitchen sink on cloud computing security!


Possibly Related Articles:
Cloud Security Budgets Enterprise Security
Hacks Cloud Security Amazon
Post Rating I Like this!