Five Lessons from the Dark Side of Cloud Computing

Companies tapping into virtual infrastructure through cloud computing should take another look at their security plans, say experts at the Black Hat Security Conference. From legal protection to phishing, here are five cloud security issues to consider.

By Robert Lemos
Thu, August 06, 2009

CIO — While many companies are considering moving applications to the cloud, the security of the third-party services still leaves much to be desired, security experts warned attendees at last week's Black Hat Security Conference.

The current economic downturn has made cloud computing a hot issue, with startups and smaller firms rushing to save money using virtual machines on the Internet and larger firms pushing applications such as customer relationship management to the likes of Salesforce.com. Yet, companies need to be more wary of the security pitfalls in moving their infrastructure to the cloud, experts say.

"Guys at the low end are using (cloud infrastructure) to save money, but the danger is that the guys at the top end start to use it without any auditing," says Haroon Meer, technical director at security firm SensePost, who discussed his team's research into some aspects of Amazon's Elastic Compute Cloud (EC2) at the Black Hat security conference.

[ For timely data center news and expert advice on data center strategy, see CIO.com's Data Center Drilldown section. ]

Their experiments showed that companies frequently do not scan the third-party machine instances available from some providers. A malicious instance could easily be created as a Trojan horse to gain access to a company's internal network, Meer said.

With those pitfalls in mind, here are five lessons from the presentations at Black Hat.

1. Cloud offers less legal protection

Companies need to realize that data in the cloud is subject to a lower legal standard in terms of search and seizure. The government, or an attorney focused on discovery, may be able to subpoena the data without a search warrant.

Cloud providers are more concerned with protecting themselves and not the client, says Alex Stamos, a principal security consultant at iSec Partners, so don't expect the legalese in service agreements to favor your company.

"All of these (cloud-services) companies have very active and very well-trained legal departments," Stamos said. "And as a result, the agreements you agree to when you sign up for these services, basically promise you absolutely nothing."

If someone breaks in because of the provider's mistake, the client agrees not to hold the firm responsible. If there is a data loss because of a data center failure, the provider are not obligated to do anything for you, Stamos says.

It would be nice, he adds, if there were language that said they will attempt to help you.

"It would be nice if they had language in there that said if there is a security breach, we will try to give you a hand up," he says. "This seems to be where there is a disconnect between the cold heartless world of the lawyers, and the nice warm security (ethics) of the company."

2. You don't own the hardware

Companies who want to audit their providers and do their own testing need to remember that they don't own the hardware. Conducting a vulnerability scan or a penetration test requires the explicit permission of the cloud-service provider, Stamos warns. Otherwise, the client is hacking the providers' systems.

While some service agreements, such as Amazon's, specify that the client can conduct testing of their software running on the provider's systems, getting explicit permission is key, he says.

"The recommendation ... is that, if you are asked to pen-test applications in the cloud, they (the legal experts) recommend that you get permission from someone at the company," he said. "Because certainly, by the letter of the law the legal ownership of those machines is very important."

3. Strong policies and user education required

While cloud computing offers companies immense benefits, such as allow access to data from anywhere and removing maintenance headaches from the IT staff, the always-on service also means that phishing attacks that hit workers at home could threaten the company.

Thus, educating users about the dangers, not only to themselves but to their company, is key, said iSEC's Stamos.

"It is very difficult to teach all the non-technical users in your company about how to not be phished, but the fact of the matter is, with software-as-a-service, phishing attacks are going to be something that stops being a personal issue and starts becoming a enterprise-wide security issues," he said.

4. Don't trust machine instances

When using a virtual machine from a provider, such as the third-party instances created on Amazon's Elastic Cloud Computing (EC2) infrastructure, companies should never trust the system, says SensePost's Meer.

The company's researchers scanned a number of pre-configured instances and found authentication keys in the caches, credit-card data and the potential for malicious code to be hidden within the system. Yet, they found most of their customers did not consider the security implications of using a machine image created by the third-party developer.

"Some customers have based an entire authentication server off of pre-configured images," SensePost's Meer said.

Companies should either create their own images for internal use, or protect themselves technically and legally from potentially malicious third-party developers, Meer says.

5. Rethink your assumptions

In all cases, when considering security, corporate information-technology managers need to reconsider their assumptions in the cloud.

For example, when deploying an application to run on a computing instance in a virtualized data center, features that rely on random number generation will not necessarily work as expected. The problem is that virtual systems have much less entropy than physical ones, so random numbers could be guessable, iSEC's Stamos says.

"You need to consider the non-obvious," he says.

Do you Tweet? Follow everything from CIO.com on Twitter @CIOonline.

White Papers »
Cloud-Scale Networks Using Open Fabric Architectures
Virtualization and cloud are driving new requirements for data center network performance, VM support, automation and simplified orchestration. This paper outlines Extreme Networks® open fabric approach to high speed, low latency networks for modern data centers.
IBM Synchronizes its Commerce 2.0 Strategy with 'Smarter Commerce' Initiative
On March 14, IBM announced "Smarter Commerce", a strategic initiative that addresses the surging market for Commerce 2.0 solutions that take advantage of the convergence of a number of disruptive software and hardware technologies.
HP Converged Storage Sets the Stage for the Next Era of Computing
Enterprise storage has undergone many changes in recent years - with converged storage and infrastructure 2.0 paving the way for reduced IT infrastructure costs and greater performance. This report discusses the latest trends that are setting the stage for the next era of computing. Learn about the new infrastructure and storage trends that are changing the way business storage works today.
The Best Way to Build a Cloud
In most companies, the needs of the business are outpacing what IT can deliver. Technology is the foundation and enabler of business innovation, but developing and implementing new solutions is resource-intensive. Integrating and optimizing islands of IT is complex, time-consuming and costly.

However, implementing a private cloud can be complex and daunting. HP's solution, CloudSystem Matrix, helps you build a turnkey private cloud environment to deliver the benefits of the cloud to your business users. Read now to find out how the HP CloudSystem Matrix can enable you to move quickly to a private cloud model.
HP CloudSystem Matrix: Building a Private Cloud
Cloud computing continues to grow in popularity among the IT industry. And more businesses are advertising that they are the front runner for providing the best cloud services. However, in this race to remain top dog, IT pros remain unsure of what cloud computing is and the benefits it can bring to their organization.
HP CloudSystem Matrix: Managing at a Higher Level
This white paper examines IT management challenges from a fundamental and system standpoint. In addition, it introduces the concept of a service-oriented and automated approach to IT management.
Webcasts »
Optimizing Networks for the Cloud
Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and enterprise campus network infrastructures for the Cloud, and identify ways to better allocate network resources, reduce operating costs and improve application performance.
Deliver Private Cloud Database as a Service with VMware vFabric Data Director
VMware recently announced VMware vFabric™ Data Director, a new database deployment and operations platform that enables enterprise IT organizations to offer database as a private cloud service. Built on top of VMware vSphere 5, vFabric Data Director enables IT organizations to ontrol database sprawl through automation and consistent policy enforcement and accelerate application development cycles with self-service database management. Attend this webcast to learn how vFabric Data Director can help you build database-as-a-service in your datacenter.
Navigating the Public Cloud
InfoWorld contributing editor and consultant David Linthicum offers expert advice about choosing services to outsource to the public cloud providers, cloud data security and identity, integrating public cloud services, and how to avoid provider lock-in.
Today's Flexible Workstyles: Get Ready Now with Windows 7 Enterprise
In this exclusive Virtual Briefing Center session from Microsoft and IDG, you'll discover how deploying Windows 7 Enterprise now will help you take advantage of this new environment. Learn through a series of videos, audio webinars and rich downloadable resources how to power today's flexible workstyles with Windows 7 Enterprise.
Taming the Wild West: How to build a strong cloud security strategy
Cloud deployments are playing a critical role in propelling innovation for many companies. At the same time security has become the #1 one of the top concerns for IT and business leaders as they migrate into the cloud. In this webinar, learn from Accenture discusses how to recast the cloud as a "fresh chance to rethink your approach to security."
Virtualization Success is a Team Effort
As greater numbers of datacenter servers transition from the physical to the virtual world, the components of virtualization success come to the fore. What scores of organizations have discovered is that success is derived from an optimal pairing of the right software platform with the right hardware platform.
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  11. View all Newsletters | Privacy Policy
White Papers » All White Papers

Cloud-Scale Networks Using Open Fabric Architectures

IBM Synchronizes its Commerce 2.0 Strategy with 'Smarter Commerce' Initiative

HP Converged Storage Sets the Stage for the Next Era of Computing

The Best Way to Build a Cloud

HP CloudSystem Matrix: Building a Private Cloud

HP CloudSystem Matrix: Managing at a Higher Level

Five Myths of Cloud Computing

TechRepublic: Cloud Computing - Potential Value for Your Company?

Forbes: Enterprises Set Their Strategies for Cloud Computing

HBR: What Every CEO Needs to Know About the Cloud

Modernizing Application Platforms for Cost-Effective Cloud Readiness

Licensing for SaaS Applications: ISVs Take to the Cloud

Driving Business Value with VBlock Infrastructure Platforms

The Journey to the Private Cloud

Colocation: The Logical Home for the Cloud

Microsoft Enterprise Agreement Program Overview

Microsoft Enterprise Agreement Program Brief

Secure File Sharing in the Cloud: Maximizing the Benefits

Beyond Dropbox: Requirements for Enterprise Secure File Sharing

Seeing Through the Fog: Managing Application Performance in the Cloud
Resource Center
buy a link »
Ads by TechWords