The "No Network is 100% Secure" series
- Cloud Computing -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is cloud computing?: In a sentence, cloud computing is software that's
hosted centrally in a shared environment that can be leased.
More specifically, cloud computing is a computing model in which virtualized resources are provided as a service over the Internet. The concept incorporates infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) as well as Web 2.0 and other recent technology trends that have the common theme of reliance on the Internet for satisfying the computing needs of the users. Cloud computing services usually provide common business applications online that are accessed from a web browser.
Cloud computing characteristics: Customers engaging in cloud computing do not own the physical infrastructure that hosts the software service. Instead, they rent usage from a third-party provider. They consume resources as a service, paying for only the resources they use or on a subscription basis. Sharing computing power among multiple customers can reduce costs significantly. A cloud application often eliminates the need to install and run the application on the customer's own computer, thus alleviating the burden of software maintenance, ongoing operation, and support.
Cloud computing economics: Cloud computing users can avoid capital expenditure on hardware, software and services, rather paying a provider only for what they use. Consumption is billed based on resources consumed or on a subscription basis with little or no upfront cost. Other benefits of this time sharing style approach are low barriers to entry, shared infrastructure and costs, low management overhead and immediate access to a broad range of applications. Users can generally terminate the contract at any time (thereby avoiding return on investment risk and uncertainty) and the services are often covered by service level agreements with financial penalties. One of the key advantages that cloud computing offers is infrastructure agility. IBM, Amazon, Google, Microsoft and Yahoo are some of the major, more well known cloud computing service providers.
Cloud computing risks: Customers wishing to avoid data access and data loss problems should research vendors' policies on data security before using those services. The Gartner Group lists seven security issues which one should discuss with a cloud-computing vendor:
- Privileged user access: who has root/Administrator access to data?
- Regulatory compliance: will vendor undergo external audits and security certifications?
- Data location: Does the provider allow for any control over the location of data?
- Data segregation: Is encryption available at all stages and were these encryption schemes designed and tested by experienced professionals?
- Recovery: What will happen to data in the case of a disaster? Do they offer complete restoration and, if so, how long that would take?
- Investigative Support: Does the vendor have the ability to investigate any inappropriate or illegal activity?
- Long-term viability: What will happen to your data if the company goes out of business; how will data be returned and in what format?
In practice, one can best determine data-recovery capabilities by experiment: asking to get back old data, seeing how long it takes, and verifying that the checksums match the original data. Determining data security is harder.
Probably the biggest risk relating to cloud computing is the obvious: a total dependency that the Internet will always be available. Operations that are highly mission critical could become vulnerable to service availability problems if the Internet is disrupted in any meaningful way. This possibility certainly exists due to State sponsored or rogue terrorism or several other methods described in other white papers in this series.
Cloud computing key benefits:
Cost is greatly reduced and capital expenditure is converted to operational expenditure. Pricing uses utility resource usage or subscription options. Minimal or no IT skills are required for implementation.
Device and location independence enable users to access systems using a web browser regardless of their location or what device they are using, e.g., PC, mobile. Since the infrastructure is typically provided by an off site third-party and accessed via the Internet the users can connect from anywhere.
Security typically improves due to centralization of data, increased security-focused resources, etc., but raises concerns about loss of control over certain sensitive data. Security may be as good as or even better than traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford. Providers typically log accesses and transactions, but accessing the audit logs themselves can be difficult or impossible.
Cloud computing security issues:
1) Every breached security system was once thought secure
SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems, often claiming that security in the cloud is tighter than in most enterprises. But the simple fact is that every security system that has ever been breached was once thought infallible.
Google was forced to make an embarrassing apology when its Gmail service collapsed in Europe, while Salesforce.com is still smarting from a phishing attack in 2007 which duped a staff member into revealing passwords.
While cloud service providers face similar security issues as other sorts of organizations, analysts warn that the cloud is becoming particularly attractive to cyber crooks. The richer the pot of data, the more cloud service providers need to do to protect it.
2) Data and information security
In the realm of multi-tenant data, you need to trust the cloud provider that your information will not be exposed. For their part, companies need to be vigilant about how passwords are assigned, protected and changed as examples. Cloud service providers typically work with numbers of third parties, and customers are advised to gain information about those companies which could potentially access their data. However, realistically, this could be easier said than done.
An important measure of security often overlooked by companies is how much downtime a cloud service provider experiences. Ask to see service providers' reliability reports to determine whether these meet the requirements of the business. Exception monitoring systems is another important area which companies should ask their service providers about.
An important consideration for cloud service customers, especially those responsible for highly sensitive data, is to find out about the hosting company used by the provider and if possible seek an independent audit of their security status.
Customers typically do not seem to be as stringent about data and information security as one might think they should in many cases.
3) Distributed cloud computing issues
Let's say that you use a particular cloud provider for your eCommerce web presence. But your checkout and credit card transaction capabilties may be carried out using different servers in different data centers or even by different cloud providers. This may be happening with or without the customer's knowledge. This type of computing distribution is a very common cloud provider model. Cloud providers may have dozens of servers in dozens of data centers in dozens of Countries. If communications between the various cloud provider services is not strongly encrypted and extremely secure, your data and information could be at risk.
We maintained all of our own web and mail servers for many years (decades, actually). But the web page you are reading now is hosted on a cloud provider server. We were very careful to locate a provider that has strong ethics, is very competent and is likely to not go out of business tomorrow. We were particulary fortunate to find a provider that has it's offices and data center right here locally. But in our research, we found that this situation is the exception rather than the rule. Many cloud providers are located in Third World Countries and have questionable competency to say that least. One large provider that we looked at was so bad that their entire netblock was blacklisted by most SPAM e-mail black list authorities. We don't know (or care) whether this is because the cloud provider in question has a lot of open relay servers that have been hacked or whether they actively sell services to known spammers. And as for support... you'll come to value USA-based cloud providers and support teams the first time you have to contact them with issues or questions. Personally, we would think that trusting vital service applications to a company that was in Russia, China or India (as examples) would be a fundamentally bad idea. And just because the company headquarters are in the American heartland is no guarantee that the computers that are hosting your services aren't in Bangalore!
4) Security standards
In most SaaS offerings, the applications are constantly being tweaked and revised, a fact which raises more security issues for customers. Companies need to know, for instance, whether a software change might actually alter its security settings. The cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue. In terms of legislation, there's very little that is specifically written for cloud computing. As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing. What's more, many are concerned that cloud computing remains at such an embryonic stage that the imposition of strict standards could do more harm than good. IBM, Cisco, SAP, EMC and several other leading technology companies created an 'Open Cloud Manifesto' calling for more consistent security and monitoring of cloud services. But the fact that none of the main cloud providers agreed to take part suggests that broad industry consensus may be some way off.
There are a handful of existing web standards which companies in the cloud should know about. Chief among these is ISO27001, which is designed to provide the foundations for third party audit, and implements OECD principles governing security of information and network systems. The SAS70 auditing standard is also used by cloud service providers.
5) Local law and jurisdiction where data is held
Possibly even more pressing an issue than standards in this new frontier is the emerging question of jurisdiction. Data that might be secure in one country may not be secure in another. In many cases though, users of cloud services don't know where their information is held. Currently in the process of trying to harmonise the data laws of its member states, the EU favors very strict protection of privacy, while in America laws such as the US Patriot Act invest government and other agencies with virtually limitless powers to access information including that belonging to companies.
Companies need to be confident that they have immediate access to all of their data should their cloud provider contract be terminated for any reason, so that their information can be quickly relocated. Part of this includes knowing in which jurisdiction the data is held.
European concerns about about US privacy laws led to creation of the US Safe Harbor Privacy Principles, which are intended to provide European companies with a degree of insulation from US laws. Some suspect that "Counter terrorism legislation" is increasingly being used to gain access to data for other reasons.
Cloud computing data privacy: Everything communicated on the web has a long shelf life. A really, really long shelf life, making it virtually impossible to leave the past in the past. Once someone uses the Internet to send a message or document, they have little to no control over the data. Cloud computing is becoming more common as more people opt to use web-based word processors and e-mail programs, such as Google's online word processor, Docs, or Microsoft's forthcoming online version of Office. People tend to put a lot, and perhaps too much trust in the Internet.
People go online to write notes to themselves, manage their calendars, share photos and manage contacts. And although storing information online means it's accessible from any computer, it also means it's in the "cloud," an enormous data center in cyberspace. In the Internet world, data never disappears. It has a potential to stay around forever. Much of the data is stored by third parties and because storage is so cheap, there's no reason to ever delete data. Hackers could potentially breach the stored data, compromising thousands of people's personal information. And as soon as that data has left the servers, where it goes could be anyone's guess.
In July, 2009, a hacker calling himself Hacker Croll successfully infiltrated 310 business documents belonging to social networking site Twitter that were stored in Google Docs. The hacker then sent that information, including what he claimed were PayPal, Gmail, and Amazon accounts, to various technology blogs. And while a person has some control over information contained on their home computers, they should never believe that deleting a file actually means it's gone. The truth is that bits from the file still remain in the computer and can be recovered. The Internet is even more indestructible, leaving people with little control over information transmitted online.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle.
Home-based in Portland, Oregon, Frank has been designing remote diagnostic and
network enterprise monitoring centers since the late 1970s. Prior to becoming a
professional systems engineering consultant in 1990, Frank had a 20 year career
in computer systems field engineering and field engineering management. Frank
has a BSEE from Northeastern University and holds several certifications including
Network General's Certified Network Expert (CNX). As a NOC design engineer and
architect, Frank works regularly with enterprise-class monitoring tools such as
HP Openview Operations, BMC Patrol and others. In his enterprise security
audit work, Frank uses sniffers and other professional grade monitoring tools on a
Next in the security white paper series:
How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro