26

Moving almost everything to the Cloud is gradually becoming mainstream.

Are there any security issues that have appeared together with this trend?

What should everybody check, from the security point of view, before moving their webapps and databases to the Amazon Cloud, Azure, etc.?

Scott Pack
rem

11 Answers

14

There's an infinite amount of security issues with the cloud. To see a nasty laundry list, check out ENISA's documents.

atdre
  • 5
    Don't want to be picky, but an "infinite" amount? ;) – Nev Stokes Nov 14 '10 at 20:38
  • 1
    @Nev Stokes: Well, we're still coming up with new security issues every day in non-cloud environments, why not also cloud? – atdre Nov 15 '10 at 01:43
  • 2
    I'd be interested in seeing a real world comparison of risk between cloud and non-cloud deployments. Since most risk is from insiders, one would think the cloud solution is more secure. I doubt the local-non-cloud deployment will be as secure as the cloud deployment in most cases. – makerofthings7 Dec 01 '10 at 21:03
  • 2
    @makerofthings - I have a feeling your assumption that most risk is from insiders is outdated by a few years. Most real risk as measured at C-suite level is external (possibly with an element of internal collusion, but not always) as applications are more and more external. So far evidence proves cloud is definitely less secure, but to be fair, this could be mostly around misconfiguration :-) – Rory Alsop Dec 30 '10 at 01:57
  • @Rory, also don't forget that the cloud providers have their own "insiders" - basically you're just transferring the insider risk from your own insiders (which you might have a chance of controlling a little) to their insiders (which you don't). – AviD Dec 30 '10 at 08:39
  • 3
    In fact, the (very good) ENISA link lists 35 risks and 53 vulnerabilities - that's a total of only 88, which was less than *infinite* last I checked. "Infinite" sounds a lot like paranoid scare tactics to me. Sure, if there was more content to the answer or to the indirect argument against cloud computing it contains, I'd be happy to let the attack pass or would even join the crowd - but stated like this there just isn't. – Ilari Kajaste Jan 10 '11 at 12:22
  • You can't get cyber insurance on data that you store in or that transits a public cloud. – atdre Dec 03 '14 at 17:26
11

From the ENISA pdf that @atdre already linked to in his answer.

  • LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defences.
  • LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.
  • ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
  • COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:
    • if the CP cannot provide evidence of their own compliance with the relevant requirements
    • if the CP does not permit audit by the cloud customer (CC).

    In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved (e.g., PCI DSS (4)).
  • MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
  • DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.
  • INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.
  • MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include CP system administrators and managed security service providers.

Anonymous Type
8

A small subset of security issues (not necessarily new per se to cloud, but definitely more difficult):

  • Access control
  • Privacy and confidentiality
  • Availability (how strong is your SLA, really? does your provider indemnify for any damages resulting from being offline?)
  • Connection with internal systems - you'll often have to punch open holes in your firewall to allow some other protocols to get to your sensitive, internal systems.
  • Compliance - there are some regulations, notably PCI-DSS, that you currently cannot reach compliance with, if you are using cloud-based systems. Note that they might not explicitly disallow cloud-systems, but it is simply impossible to be compliant while using cloud-systems as they are today.
  • There are certain laws, in some countries, that forbid you from moving private data of their citizens out of their country. There are other countries, where you don't want to move your data into, as you do not want to be subject to their laws... When you're clouding, you don't really know where your systems and data are located, so how can you ensure your users anything wrt their location? For that matter how do you know which laws you must comply with at which time? And how do you know you're not already illegal?
AviD
  • Good points AviD, although I'm not sure every item you listed falls into the security category, but still all very relevant to Cloud apps. I think your last point is a very important one. The individual's security (the user of your app) is at least as important as your company's security. – Anonymous Type Dec 30 '10 at 02:51
  • @Anonymous, actually I don't regard laws as protecting the individual's security - I can do that better than any vague and generic law. However, this is "security" because it relates to compliance to those laws. – AviD Dec 30 '10 at 08:41
6

I can highly recommend this survey of security issues with cloud-based hosting: Self Hosting vs. Cloud Hosting: Accounting for the security impact of hosting in the cloud.

D.W.
6

There was just a blog post from Lenny Zeltser on this topic: Top 10 Cloud Security Risks

Most of his points talk about the problem that you don't have full control over the infrastructure anymore, and might not even know how it works internally. One also doesn't know anymore who else is on the same system, and a vulnerability in their system might leak over to your data.

Another problem is that you have to trust an outsider to secure your data. A wrong configuration and all your data might leak.

Andreas Arnold
4

In order to ensure that data is secure and that data privacy is maintained, cloud computing providers attend to the following areas:

Data protection - To be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.

Identity management - Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.

Physical and personnel security - Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented.

Availability - Cloud providers assure customers that they will have regular and predictable access to their data and applications.

Application security - Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures (application-level firewalls) be in place in the production environment.

Privacy - Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.

For more info regarding Cloud Computing in India visit - Link Removed by mod

Rory Alsop
  • 2
    The OP requested security issues specific to the cloud. What you have posted contains a reasonable list of security headings but reads as an advert. The link you added is also a marketing front page, not a source of security information. – Rory Alsop Jan 10 '11 at 09:35
  • 1
    Adverts like these usually hurt the business more than it could do any good. – AdnanG Sep 18 '13 at 04:22
4

Practically speaking, I've seen companies move websites into the cloud without a code review. The code was written for a single machine running ASP.NET.

The cloud mostly offers scale-out abilities. If the site wasn't made to scale out, then concurrency issues arise with data integrity or session security. To deal with these problems developers will either remove the non-concurrent code (sometimes making it less secure) or rewrite the code needed to support sessionless, concurrent deployments.

makerofthings7
3

In addition to AviD's good points, the following are also very important:

  • Availability - yes, AviD mentioned it, but I can't stress enough how critical it is that you understand your reliance on the cloud. Often cloud providers mention the invulnerability of the cloud, but in reality a denial of service attack is still valid if you can't access your application on a timely basis.
  • Regulatory Compliance - on two fronts: where is your data? Can you guarantee it remains in the correct jurisdiction, and for e-discovery, can you guarantee you have retrieved every item of data connected with an individual/event?

The cloud makes both of these harder to confirm.

Rory Alsop
  • Actually on availability with the massive resources of hosters like Msft, Amazon, etc you are actually less likely to suffer DDOS/DOS attacks than with a regular web hoster. Therefore while the same caveats that apply to web apps also apply to cloud apps, I'm not sure that the availability issue is necessarily "worse" under cloud. – Anonymous Type Dec 30 '10 at 02:54
  • @Anonymous Type - you'll note I didn't say worse, just that they are harder to confirm :-) – Rory Alsop Dec 30 '10 at 09:25
2

NIST came out in 2020 with NISTIR 8006, NIST Cloud Computing Forensic Science Challenges | CSRC. It documents and categorizes challenges specific to forensic investigation of cloud computing, but that includes lots of related issues.

Here is the list of challenges from section 3.2.3 Categorization of Challenges:

  • Architecture (e.g., diversity, complexity, provenance, multi-tenancy, data segregation).
    • Dealing with variability in cloud architectures between Providers
    • Tenant data compartmentalization and isolation during resource provisioning
    • Proliferation of systems, locations, and endpoints that can store data
    • Accurate and secure provenance for maintaining and preserving chain of custody
  • Data collection (e.g., data integrity, data recovery, data location, imaging).
    • Locating forensic artifacts in large, distributed, and dynamic systems
    • Locating and collecting volatile data
    • Data collection from virtual machines
    • Data integrity in a multi-tenant environment where data is shared among multiple computers in multiple locations and accessible by multiple parties
    • Inability to image all of the forensic artifacts in the cloud
    • Accessing the data of one tenant without breaching the confidentiality of other tenants
    • Recovery of deleted data in a shared and distributed virtual environment
  • Analysis (e.g., correlation, reconstruction, time synchronization, logs, metadata, timelines).
    • Correlation of forensic artifacts across and within cloud Providers
    • Reconstruction of events from virtual images or storage
    • Integrity of metadata
    • Timeline analysis of log data, including synchronization of timestamps
  • Anti-forensics (e.g., obfuscation, data hiding, malware). Anti-forensics are a set of techniques used specifically to prevent or mislead forensic analysis.
    • The use of obfuscation, malware, data hiding, or other techniques to compromise the integrity of evidence
    • Malware may circumvent virtual machine isolation methods
  • Incident first responders (e.g., trustworthiness of cloud Providers, response time, reconstruction).
    • Confidence, competence, and trustworthiness of the cloud Providers to act as first responders and perform data collection
    • Difficulty in performing initial triage
    • Processing a large volume of collected forensic artifacts
  • Role management (e.g., data owners, identity management, users, access control). Role
    • Uniquely identifying the owner of an account
    • Decoupling between cloud user credentials and physical users
    • Ease of anonymity and creating fictitious identities online
    • Determining exact ownership of data
    • Authentication and access control
  • Legal (e.g., jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy, ethics).
    • Identifying and addressing issues of jurisdictions for legal access to data
    • Lack of effective channels for international communication and cooperation during an investigation
    • Data acquisition that relies on the cooperation of cloud Providers, as well as their competence and trustworthiness
    • Missing terms in contracts and service level agreements
    • Issuing subpoenas without knowledge of the physical location of data
  • Standards (e.g., standard operating procedures, interoperability, testing, validation).
    • Lack of even minimum/basic SOPs, practices, and tools
    • Lack of interoperability among cloud Providers
    • Lack of test and validation procedures
  • Training (e.g., forensic investigators, cloud Providers, qualification, certification).
    • Misuse of digital forensic training materials that are not applicable to cloud forensics
    • Lack of cloud forensic training and expertise for both investigators and instructors
    • Limited knowledge by record-keeping personnel in cloud Providers about evidence
nealmcb
2

Virtualization, which is the root of cloud computing technology, removes the so-called "perimeter", which in usual DCs (data centers) served as a guide for where to start the defense and what to do. As most data in clouds is transferred between physical servers and virtual machines, there is decreased control over such a system: fewer possibilities for network segmentation and for the use of hardware-type protection. Such new DC virtualization requires new access policy and data management software.

A non-profit organization, the Cloud Security Alliance (CSA), was created that focuses on cloud security: http://www.cloudsecurityalliance.org/. There you can find guides and best practices on how to deal with cloud computing.

  • The term "perimeter" was dying down long before clouding and virtualizationing became the tech du jour. E.g. check out [Jericho Forum](https://www.opengroup.org/jericho/index.htm), it's been around for some time now... – AviD Nov 16 '10 at 22:39
  • @AviD, not all countries have the same level of IT development - it still often happens that this term is used in its primary meaning. Also, I used it here so it is clear what the talk is about - users who want to get more information should check the link that was given in my answer. –  Nov 17 '10 at 09:20
  • @Ams, sorry, I wasn't clear - I didn't mean they don't use the *term*, I meant that the concept was slowly being phased out. That is, the "perimeter" around the organization, its systems, and users, has been recognized to not really be feasible anymore; what with mobile computing, open systems, extranet, hosted systems, etc etc. Of course, it could be argued that that was the beginning of the cloud/virtzation fad, but this was happening irrelevant of the cloud. – AviD Nov 17 '10 at 12:06
0

Multi-tenant environments are vulnerable to Related Domain Cookie attacks

makerofthings7
  • It is not clear to me how big an issue this is in practice, or how many cloud providers are at risk. Multi-tenant environments are at risk for related-domain cookie attacks only if the multiple tenants are assigned related domains. While some cloud providers may do that, it's also true that many cloud providers (like Amazon EC2) don't. – D.W. Mar 16 '12 at 17:32
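
What "related domains" means for the answer and comment above, as an added example that is not part of the original thread: a small model of RFC 6265 cookie scoping that shows when a cookie set by one tenant is delivered to another, and which configurations prevent it. All hostnames are constructed, `cloudhost.example` is a hypothetical provider domain, and the `publicSuffixes` array is a stand-in for the browser's Public Suffix List.

```javascript
// Added example. All hostnames are constructed; "cloudhost.example" stands for a
// hypothetical provider that gives each tenant a subdomain of one shared domain.

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are left out of this model).
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Minimal Set-Cookie parser: the name plus the attributes that decide scope.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], domain: null, secure: false, path: null };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "path") cookie.path = val;
  }
  return cookie;
}

// Returns the hosts (out of `hosts`) that a browser would send the cookie to
// after `setterHost` sets it; an empty list means the browser rejects it.
function cookieRecipients(setterHost, header, hosts, publicSuffixes = []) {
  const c = parseSetCookie(header);
  if (c.name.startsWith("__Host-") && (c.domain || !c.secure || c.path !== "/")) {
    return []; // __Host- cookies must be Secure, Path=/ and carry no Domain attribute
  }
  if (c.domain && publicSuffixes.includes(c.domain)) {
    if (c.domain !== setterHost) return []; // cannot scope a cookie to a public suffix
    c.domain = null;                         // treated as host-only
  }
  if (!c.domain) return hosts.filter((h) => h === setterHost); // host-only cookie
  if (!domainMatches(setterHost, c.domain)) return [];         // setter is outside that domain
  return hosts.filter((h) => domainMatches(h, c.domain));
}

const SHARED = ["tenant-a.cloudhost.example", "tenant-b.cloudhost.example"];
const WIDE = "sid=from-tenant-a; Domain=cloudhost.example; Path=/";

function demo() {
  return {
    // Related domains: tenant A's cookie is also delivered to tenant B.
    sharedParent: cookieRecipients(SHARED[0], WIDE, SHARED),
    // Provider domain on the Public Suffix List: the browser drops the cookie.
    onSuffixList: cookieRecipients(SHARED[0], WIDE, SHARED, ["cloudhost.example"]),
    // A session cookie named __Host-sid cannot be set domain-wide by a sibling tenant.
    hostPrefix: cookieRecipients(SHARED[0], "__Host-sid=x; Domain=cloudhost.example; Secure; Path=/", SHARED),
    // Tenants on unrelated domains: the Domain attribute does not match the setter.
    unrelated: cookieRecipients("tenant-a.example", "sid=x; Domain=tenant-b.example",
      ["tenant-a.example", "tenant-b.example"]),
  };
}

console.log(demo());
```

Only the first case delivers the cookie across tenants, which matches the point that the risk depends on tenants being assigned related domains.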