Cloud Computing Vulnerabilities and Policies

Cloud Computing Vulnerabilities and Policies

ABSTRACT

“Cloud computing is an evolving paradigm with tremendous momentum, but its unique

aspects exacerbate security and privacy challenges, (Takabi, et. al. 2010).” This statement really

defines the overall current state of cloud computing and the biggest concerns of its users and

providers. Cloud computing is quickly becoming the next tech phrase that is inundating

mainstream computing advertising. It is being touted as the economic and technological savior

for organizations large and small; economically savvy or simply inexperienced. The business of

cloud computing is still considered in its infancy according to server providers like Dell

Computer yet there are hundreds of billions of dollars now being invested in the supply side of

the equation. This paper will attempt to discuss vulnerabilities as well as policies for effective

risk management covering cloud computing.

THE BASICS OF CLOUD COMPUTING

In order to discuss the vulnerabilities and policies to mitigate risks associated with cloud

computing, it is important to understand the basic framework associated with the environment.

Cloud computing comes in three varieties; private, public and hybrid clouds. The public cloud is

typically a data center environment run by a third party organization providing varying computer

services for a variety of customers. Private clouds are typically a shared computer environment

created within an organization but in some cases are simply private servers and network

connections allocated to an organization by a third party. The last type of cloud, the hybrid, is

typically a combination of private and public computing and can actually be the most complex to

secure and the most risk associated with. There are several cornerstone technologies associated

with the cloud. Virtualization technologies are the most pronounced signature of the cloud

environment; the operating system and the network environments are typical virtual

1
Cloud Computing Vulnerabilities and Policies

environments which afford efficiency and promote greater availability for cloud vendors and

customers. The virtual environments also create natural disaster recovery environments with use

of duplication of virtual systems within the cloud.

Another element of cloud computing that needs to be understood when determining the

vulnerabilities are the architectural services offered by the environment. There are three

prominent services which will be included in the discussion on vulnerability and policy. These

services are: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a

Service (IaaS). To save time, this paper assumes the reader is basically educated in these terms

and technologies so we will not explore detailed definitions of these service types.

Beyond the architecture there are essential characteristics of the cloud which are well

defined by the US National Institute of Standards and Technology (NIST). Again, this

information is offered to provide the reader an understanding that standards exist which define

the cloud itself which are the areas being examined. NIST classifies these characteristics as: On-

demand self service; Ubiquitous network access; Resource pooling; Rapid elasticity; and

Measured service. The reader can reference, Understanding Cloud Computing Vulnerabilities

from March/April edition of the IEEE Computer Society Journal1.

VULERABILITIES

Based on the overview of the cloud environment presented, we can now turn our

attention towards defining specific cloud computing vulnerabilities. A vulnerability can be

classified as specific to cloud computing if it:

 is intrinsic to or prevalent in a core cloud computing technology.

 has its root cause in one of NIST’s essential cloud characteristics.

2
Cloud Computing Vulnerabilities and Policies

 is caused when cloud innovations make tried-and-tested security controls difficult

or impossible to implement, or

 is prevalent in established state-of-the-art cloud offerings, (Grobauer, et. al.,

2011).

We will now explore the vulnerabilities themselves; there are many types of cyber

security attacks which clouds are exposed to on a regular basis. According to Christoph Schuba

of Sun Microsystems, some of the more common vulnerabilities which cloud computing is

subject to include:

 Network

o Distributed Denial of Service (DDoS)

o Man In the Middle (MITM)

 SSL, SSH, Certificated Management

o IP Spoofing

o Port Scanning

o Packet Sniffing

 Tenant sniffing inside the public cloud

 Storage Security

o Pool and object-level scrubbing

o Redundant storage w/o backup?

o Encrypted storage

3
Cloud Computing Vulnerabilities and Policies

Diving deeper into the indicators discussed earlier, let’s shed some more light on types of

relative vulnerabilities. Beginning with the core technology itself there are areas that are known

to be vulnerable to attacks. Web services and applications, encryption (if weak), and the

virtualization itself are all intrinsic to being vulnerable. Three examples of these vulnerabilities

are virtual machine escape, sessions riding and hijacking, and insecure or obsolete cryptology,

(Grobauer, et. al., 2011). Virtualization is probably the most common signature within a cloud

environment. The nature of the virtualized platform lends itself to self contained systems which

can be copied and removed from the cloud premise, whereas the classic non-virtualized server

configuration lives in a stack environment where the operating system software, application,

network, etc configuration created a much more challenging environment to copy and remove.

As a result we must consider the virtual aspect of the design to be intrinsically susceptible and in

need of protection from cyber criminals.

Web applications by nature form an environment that is susceptible known as stateless

protocol which is characteristic of HTTP. Because web applications require a notion of session

handling an environment conducive to session ridding and session hijacking is inherent.

Cryptanalysis improvements can render any cryptographic mechanism or algorithm

insecure as methods of breaking them are discovered. Cryptology flaws are often commonplace

exposing weaknesses in the algorithms themselves which can make strong encryption weak or

even useless. As the business and use of cloud computing increases the need for stronger

encryption becomes and hence the relevance of security related to encryption.

We will now address a few vulnerabilities related to the essential characteristics of cloud

computing. Referring the NIST characteristics, the following vulnerabilities apply:

4
Cloud Computing Vulnerabilities and Policies

 Unauthorized access to management interface.

 Internet protocol vulnerabilities.

 Data recovery vulnerability.

 Metering and billing evasion.

There are other vulnerabilities we have not touched on but for sake of time let’s

finish with identity management (IDM) before moving on to discuss policy. “Cloud

computing environments are multi domain environments in which each domain can use

different security, privacy, and trust requirements and potentially employ various

mechanisms, interfaces, and semantics, (Takabi, et. al., 2010).” When it comes to IDM

there are many concerns in the cloud; interoperability drawbacks that can result in

different identity tokens and protocols. “Existing password-based authentication has an

inherited limitation and poses significant risks, (Takabi, et. al., 2010).” Takabi brings to

light how multi-tenant cloud environments can protect the privacy of identity information

is still not well understood. This poses a significant risk in preventing systems that may

be interconnected to the user interface system and how those interconnected systems may

compromise the integrity of the login information if not protected properly.

POLICIES

“Security policies and procedures constitute the main part of an organization’s

security, (Bhasker, et. al. via Vaaca, 2009).” Of course there are many vulnerabilities not

yet discussed that cloud computing environments are subjected to but those discussed

provide enough incite to discuss how policy provisions can be used to mitigate associated

5
Cloud Computing Vulnerabilities and Policies

risks. When it comes to cloud computing and in general IT, policies need to address the

following functional levels: access control standards, accountability, audit trails, backups,

disposal of media, disposal of printed matter, information ownership, managers

responsibility, equipment, communication, and procedures and processes at work.

Security policy can be implemented at various levels within an organization and

should provide general guidance for process, technical and ethical aspects of the cloud IT

environment. Policy should exist for both cloud users and providers with varying aspects

depending on the use type and level of service. One of the vulnerabilities discussed above

involves physical access or facility security. It is important not to underestimate the

internal risks associated with physical access. “ A robust physical-security policy will

have many facets for surveillance, personnel, continuity of operations, and architectural

resilience, (Spring, 2011).” This policy area involves the facility level and is important in

determining how and insuring that things like physical access is controlled, monitored

and process oriented to deal with issues that may occur in the event of a breach. Typical

mitigation measures include: controlled entry systems, perhaps biometric controls and

access; closed-circuit cameras and patrolling security guards. Policy for facility layer can

also go as far as delegating machine access for technicians like database and systems

analysts. Facility related policy should include conduct guidelines and non-disclosure

protocol for intellectual property. Procedures for operations personnel including back

ground checks and routine screening are all critical policy elements which need to be

considered. The data center should have a comprehensive continuity-of-operations plan

(COOP), preferable conforming to US Federal Emergency Management Agency (FEMA)

standards. There should be a plan to help integrate or provide a liaison to help assist with

6
Cloud Computing Vulnerabilities and Policies

cooperative use with customer’s COOP. There may need to be security measures to

protect the data center from physical attack, depending on the value of the data housed.

There should also be legal measures defined to handle compromises and loss of service.

The next layer we will discuss is the network; “An essential characteristic of

cloud computing is that the provider provides and controls the network access between

the customer data and the users across the internet, (Spring, 2011).” This is typically

assumed by the customer to be the most secured aspect of the service they are purchasing

and easily can be the most vulnerable. In this layer, policy should delegate the use of

protections such as firewalls, intrusion detections systems (IDSs), intrusion prevention

systems (IPSs) and network boarder proxies. Policies around the network layer should

include guidelines on IP domain name and address controls. Procedures such as address

masking, private connections and network protocols, security certificates and data

encryption can be discussed here. Additional policies which can help to deal with risks

on the network include logging and access analysis as well as data flow trending; which

can help determine when traffic flows may be higher than normal.

We now move on to the hardware layer where policy can delegate security

standards and controls. Proper configuration management is essential for the operation,

maintenance, and in some cases the security of servers and other hardware which may be

used in the cloud computing system. It’s important that policy dictate the assurance of

hardware integrity and control. Uses of proper access devices such as card and biometric

readers are just a few items that can be mandated to assure hardware security.

7
Cloud Computing Vulnerabilities and Policies

The operating system (OS) environment is one of the most important areas to

have secured for it generally provides the mechanisms that control software access to

data and applications. Policies relative to the OS generally include versioning

maintenance and auditing procedures. Tools such as vulnerability scans, penetration

testing, and security update patching are typical OS mitigation methods directed by

policy. Processes such as software security assurance (SSA) used mostly in application

development should be required when considering an OS or even vice versa. There are

additional policy items which will support a secure OS layer in the cloud. For sake of

time and breadth of this paper we will not address them all.

The final layers of the cloud environment which should have policy guidance are

the middleware, application and user levels.

Our discussion on policy will conclude with inclusion of industry standards.

There are several security standards we will review that can be delegated in cloud

computing organizations. It may be necessary to mandate standards such as Health

Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI)

if the data and applications housed in the cloud contain or process electronic health

records (EHRs) or personal financial transactions which identify individual’s private

information. These and other compliance guidelines do and can serve as a framework for

system design and operations security for organizations even if they aren’t required by

law or contract to comply with them. The details of the guidelines are not important for

this discussion and can easily be found in many references including the internet.

8
Cloud Computing Vulnerabilities and Policies

CONCLUSION

To summarize we must understand that cloud computing is currently exploding in growth

and needs to quickly remain in balance in terms of providing economic, efficient and secured

services for internal and external customers. There is a tremendous amount of risk associated

with moving to the public and hybrid cloud environments that has not really totally existed in the

private cloud or traditional internal hosted systems. The vulnerabilities are however, similar to

the classic IT models. One major differentiator from legacy IT is that cloud computing

predominantly utilizes virtualized environments which create some unique vulnerabilities. These

and other more common technologies require protection mechanisms to avoid risk of exposure

and destructive forces. Protection is granted through various forms of intervention to threats

such as processes, mechanisms, and awareness. In order for proper intervention to effectively

exist within an organization it must be recognized and actively supported by the head of the

organization. This can be done in many ways, however only by delegating it in the form of

corporate security policy will it be taken seriously and uniformly. Policy needs to be organized

to support the characteristics of the entire IT environment in an organization. The best way to

ensure coverage is to segment it based on classic IT management while providing the flexibility

to change as the outside world changes.

9
Cloud Computing Vulnerabilities and Policies

References

Bidgoli, H. (Ed.). (2006). Handbook of information security: Volume 2. Hoboken, NJ: John

Wiley & Sons, Inc.

Basescu, C., Leordeanu, C., & Costan, A. (2011). Managing data access on clouds: a generic

framework for enforcing security policies. IEEE Computer Society, X(11), 462-463.

doi:10.1109/AINA 2011.61

1
Grobauer, B., Wallowschek, T., & Stocker, E. (2011). Understanding cloud computing

vulnerabilities. Security and Privacy, 9(2), 50-57 doi 10.1109/MSP.2010.115

Schuba, C. (2009). Cloud security. Sun Microsystems Briefing. Retrieved from

http://blogs.oracle.com/schuba/resource/talks/20090324-cloud-security.pdf

Spring, J. (2011, March/April). Monitoring cloud computing by Layer, Part 1. Security and

Privacy, 9(2), 66-68, doi 10.1109/MSP.2011.33

Takabi, H., & Gail-Joon, A. (2010, November/December). Security and privacy challenges in

cloud computing environments. Security & Privacy, IEEE, 8(6), 24-31. doi

10.1109/MSP.2010.186

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan

Kaufmann.

10