cyb 5288 - article writeup


Upload: rhemacs3

Post on 01-May-2017


FLORIDA INSTITUTE OF TECHNOLOGY

UNDERSTANDING CLOUD COMPUTING VULNERABILITIES

An Article Summary

AN ARTICLE SUMMARY ASSIGNMENT SUBMITTED TO:

DR. WILLIAM ALLEN

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR

CYB 5288: SECURE COMPUTER SYSTEMS AND ORGANIZATION

BY

CRAIG CANNON

MELBOURNE, FLORIDA

APRIL 13TH 2014

Not a day goes by that I haven’t seen a commercial, read a book, or seen a magazine article with some mention of the term cloud computing. This idea of cloud computing, as many of us old timers know, actually isn’t a new concept at all but simply an old idea with new technology that, as it stands now, is poised to change everything, specifically in the IT industry, where it will initially have the greatest impact. Nevertheless, like all new technologies, there are roadblocks to its approval, and cloud computing is no exception. The biggest roadblock to its acceptance is centered on security. Simply stated, many people are not comfortable with the security aspects of cloud computing because they don’t understand the risks, threats, and vulnerabilities surrounding this new technology. In “Understanding Cloud Computing Vulnerabilities,” authors Bernd Grobauer, Tobias Walloschek, and Elmar Stocker do an excellent job of addressing these concerns and cite significant cloud-specific issues in an understandable manner, so that almost anyone can comprehend and come to appreciate the importance of the many risk factors impacting cloud computing.

The article starts out by defining some basic security-related terms to show how they relate to cloud computing. The Open Group’s risk taxonomy and the ISO 27005 risk factors are both mentioned as useful overview tools to refer to when considering loss event frequencies and risk factors. According to the article, a loss event occurs when a hacker successfully exploits a vulnerability. The occurrence of such an event is dependent upon its frequency of occurrence. This frequency is based on the attacker’s motivation, effort, risk, and current level of access, as well as the system’s ability to defend against an attack. According to the article, a vulnerability is seen as weak resistance, and when these weaknesses are removed, security is improved. Updates and patches are one way of increasing security in an effort to stop attackers from taking advantage of these weaknesses.

The article does an excellent job of presenting the risk factor taxonomy in the form of a diagram. In a nutshell, the diagram shows that there is no difference in the degree of losses from a data violation between the cloud customer’s viewpoint and the normal IT infrastructure viewpoint. However, when we look at the viewpoint of the cloud provider, the impact was greater, and this clearly shows how vulnerabilities can influence the loss event frequency. The article also mentions the term “cloud-specific” vulnerability. This term in essence implies that there are certain weaknesses that are only targeted at the cloud. Many different technologies make up the cloud computing concept. For instance, web applications and services like SaaS, PaaS, and IaaS all sit on top of some sort of virtualization foundation and eventually need to use some sort of cryptography to handle their confidentiality needs. Equally important, the National Institute of Standards and Technology (NIST) does a great job of defining the various cloud-based IT service characteristics. In summary, NIST states that on-demand self-service allows users to order and manage services without any human interaction with the service provider. This is done through ubiquitous network access, where the cloud is reached through the internet. Most cloud services are shared with others using resource pooling, and if more resources are needed, scalability is provided by a process called rapid elasticity. All in all, these services and resources are both monitored and metered by measured-service business models.

According to the article, as a result of these ideas a cloud-specific vulnerability can clearly be defined as one that has its root cause in one of these NIST characteristics and, furthermore, makes it difficult to use the traditional security controls in any of its offerings and, most importantly, in its core cloud computing technology. When any of these characteristics are impacted in the manner we just mentioned, cloud computing security is at stake, leading to cloud-based weaknesses. Because of these types of fundamental flaws, the core parts of cloud computing, such as web applications and services, virtualization, and cryptography, have built-in susceptibilities. These susceptibilities involve things such as escaping from a virtual machine, where an attacker could possibly break away from a virtual environment into another environment; session riding and hijacking, where an attacker could take over or hijack a user’s session and impersonate that user; or finally even defeating some obsolete cryptography, where the attacker recognizes that the cryptographic algorithm the cloud provider is using has already been cracked and therefore uses it to his advantage to hack into the system. All of these vulnerabilities located at the very core of cloud computing are very real possibilities in the cloud computing environment.

Some of the weak spots involving the critical cloud characteristics cited by the article are situations where: there was unauthorized access to the management interface, where an attacker got access to a client’s management interface and did considerable damage or accessed confidential information; there was an internet protocol issue, where a man-in-the-middle attack occurred and the attacker was able to impersonate a person and gain access to sensitive information or authorized areas; there was a data recovery flaw, where overwritten data from one client was actually recoverable by a totally different client because they both at one time used the same area on the hard drive; and finally there was a metering and billing concern, where data manipulation occurred and a person was overbilled or underbilled and services were impacted as a result. One good point the article made involved control challenge vulnerabilities. In cloud-based environments, things such as network scanning or IP-based network zoning cannot be applied because it’s difficult to distinguish between a friendly scan and a network attack. Also, because virtual machines use both real networks and virtual networks, it’s difficult to apply the traditional network-level security controls in this type of environment. Other problems with these known security controls are poor key management procedures, because virtual machines don’t have associated hardware features, and non-standard security metrics, which fail to allow any type of monitoring or auditing to occur.

I really was surprised that the article pointed out that conventional vulnerabilities such as SQL injection, cross-site scripting (XSS), command injection, and weak authentication methods all still apply and thus can be considered as cloud-specific type weaknesses when it comes to cloud computing. These long-established weaknesses are well known in non-cloud-based infrastructures and would normally be considered as mitigated risks in the cloud environment. However, as stated in the article, that is clearly not the case.

Finally, the article provides a great diagram of the cloud reference architecture. This diagram is broken down into three vital areas and does a great job of mapping cloud-specific vulnerabilities to each of its components. The three components of the model are computation, storage, and communication, and each has its own independent vulnerabilities. The biggest vulnerability of computational resources involves how virtual machine images are managed. If an image has been rented and studied by an attacker, the attacker may be able to identify its vulnerabilities and set up a backdoor to get in. If in turn these images are distributed over several clients, the problem will be widespread. Storage has its own vulnerabilities involving data destruction. If a hard drive that tenant one used to use is not destroyed but is instead being used by tenant two, this may become a security issue since data leakage could occur. Any cryptography algorithms placed on the data could be easily cracked since most algorithms are now well known. Communication vulnerabilities include shared network resources like DNS and DHCP, where cross-tenant attacks could occur. Whether it’s client-side or browser-side vulnerabilities, cloud computing is in constant development. More and more challenges will continue to occur for this new industry. As the cloud computing field continues to evolve, identifying and understanding cloud-specific weaknesses as they materialize will be of the utmost importance to its continued success.
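The data recovery flaw and the storage reuse issue described above can be shown with a small simulation. This is an added example, not taken from the article or the summary: the `BlockPool` class, the tenant names, and the sample record are constructed, and the model simplifies the flaw to a storage block that is handed to a new tenant without being scrubbed first.

```python
BLOCK_SIZE = 16  # bytes per block in this constructed model


class BlockPool:
    """Hypothetical shared storage pool that leases fixed-size blocks to tenants."""

    def __init__(self, blocks, scrub_on_release):
        self.disk = bytearray(blocks * BLOCK_SIZE)  # the shared physical medium
        self.free = list(range(blocks))             # blocks not currently leased
        self.owner = {}                             # block number -> tenant
        self.scrub_on_release = scrub_on_release

    def _span(self, tenant, block):
        # Per-tenant access control: only the current lease holder may touch a block.
        if self.owner.get(block) != tenant:
            raise PermissionError(f"{tenant} does not hold block {block}")
        return block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE

    def allocate(self, tenant):
        block = self.free.pop(0)
        self.owner[block] = tenant
        return block

    def write(self, tenant, block, data):
        start, _ = self._span(tenant, block)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data larger than one block")
        self.disk[start:start + len(data)] = data

    def read(self, tenant, block):
        start, end = self._span(tenant, block)
        return bytes(self.disk[start:end])

    def release(self, tenant, block):
        start, end = self._span(tenant, block)
        if self.scrub_on_release:
            self.disk[start:end] = bytes(BLOCK_SIZE)  # zero the block before reuse
        del self.owner[block]
        self.free.insert(0, block)  # most recently freed block is reused first


def residue_seen_by_next_tenant(scrub_on_release):
    """Return what tenant2 finds in a block that tenant1 previously used."""
    pool = BlockPool(blocks=4, scrub_on_release=scrub_on_release)
    first = pool.allocate("tenant1")
    pool.write("tenant1", first, b"card=4111-TEST")  # constructed sample record
    pool.release("tenant1", first)
    second = pool.allocate("tenant2")
    return pool.read("tenant2", second).rstrip(b"\x00")


if __name__ == "__main__":
    print("no scrub:", residue_seen_by_next_tenant(False))
    print("scrub   :", residue_seen_by_next_tenant(True))
```

The ownership check never fails in either run, which is the point: access control on live leases does not help when the medium itself carries the previous tenant's bytes into the next lease.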

References

Grobauer, B., Walloschek, T., and Stocker, E. (2011) ‘Understanding Cloud Computing Vulnerabilities’, co-published by the IEEE Computer and Reliability Societies, March/April 2011.