Cloud Security: An Interview with a Professional White Hat
December 26th, 2013 By: Bill Kleyman
The amount of information current traversing the cloud continues to grow. We’ve crested the zettabyte threshold and continue to push even more data, applications and workloads through a cloud model. As with anything in technology, the more users on the platform, the bigger the target becomes.
Security has always been a major concern in cloud computing. The transmission of valuable data, the increased utilization of WAN resources and the growth of device connectivity are all pushing the boundaries of how we compute. There have been many discussions around cloud computing and security concepts. Today’s conversation is different.
I’ve known this security professional for many years. Due to the very sensitive nature of his work, he’ll only be identified as Alex. He has worked with Fortune-sized organizations, conducted massive security tests, and has been hired to conduct intricate penetration tests to verify complex security capabilities. In short, he is very good at what he does, and is one of the good guys. He and his organization work with some of the latest security and cloud concepts currently on the market.
Recently, I asked him to sit down with me for a brief conversation around some of the finer mechanics around cloud security.
Bill: Alex, from your perspective. give me a few thoughts on cloud computing, what’s happening with user security, and some overall concerns when it comes to the cloud.
Alex: From a strictly usability perspective, cloud computing is great (although nothing new). You are basically paying for only the things which you need, and you are able to get them and release them very quickly. Again, nothing new. I would break down security concerns into the following:
- You’re trusting somebody else with your data
- You’re running on untrusted systems
- Your data is accessible over the Internet
Bill: That’s a great starting point. Could we dive into that a bit? When it comes to cloud, what is the major first issue that many organizations just seem to have a problem overcoming?
Alex: First, you’re trusting somebody else with your data. It’s pretty self-explanatory, but basically you are taking what is presumably private and/or proprietary data and putting somebody in charge of it. This is as true with Amazon as it is with Google. As an individual or organization, you have no means of confirming the infrastructure and application safeguards that are in place or even how to respond to law enforcement requests for data. What if there’s a janitor working in your provider’s data center that secretly works for the PLA?
Bill: PLA, As in the People’s Liberation Army (China’s armed forces). Advanced Persistent Threats (APTs) against the data center have certainly grown. We’re seeing new types of attacks against specific resources inside of a data center. Have you been seeing security threats like these?
Alex: Absolutely, Google may have a public data usage policy, but what happens when they get breached? Which brings up the question: once you’ve put your data into the cloud, how can you confirm that the data is the same when you pull it back out? Beyond the confidentiality and integrity of your data, reliability may also be a security concern in some applications (i.e. if your data isn’t available, the company loses money). This was the case with Netflix when an EC2 outage took them offline last Christmas Eve.
Bill: Another thing you mentioned was hosting data on systems which were potentially untrusted. Can you elaborate?
Alex: While some cloud providers allow you to build your own systems, the majority of these kinds of offerings focus on pre-built images for rapid development, many of which are built by the community (I’m thinking of EC2 here). Just to reiterate, you’re potentially trusting your data on a server that some random IT admin built on the Internet. Let me give you an example. A friend of mine ran an experiment as a part of some research he was working on. He built an Amazon Machine Image (AMI) of a popular penetration testing platform, which was previously unavailable on EC2. One of his additions to the AMI was a backdoor which would basically just communicate back to his own server, indicating that somebody had turned on his backdoored instance. He could have just as easily built a reverse shell into the image (a link to the video: This particular process comes at the end, but the beginning research is also good). Beyond backdoored AMI instances, at the end of the day, you are using a server that is most certainly accessible at a low level by your provider (root access or equivalent). This basically comes back around to the discussion of data security, as all of your encryption keys, VPN configurations, and potentially passwords are protected by unknown controls, which are of unknown resiliency. As Dave Aitel posed in a recent Daily Dave post, how do you protect the security of your virtual servers when your provider transfers them over Internet links which are tapped by foreign governments? What keeps the people running/monitoring the Internet from flipping bits in your systems?
Bill: That’s certainly an important thought to consider. You brought up a final point – the fact that cloud computing is basically the dynamic delivery of information over the Internet. What do organizations need to really understand around this?
Alex: You’re making your data accessible over the internet, sometimes for the entire world to access. Your servers and/or data may very well be publicly accessible (which may or may not be what you actually wanted). Content Delivery Network (CDN) storage is great, but I have assessed many applications where data protection API’s were either inadequate or were used incorrectly. This would basically lead to a loss of sensitive/proprietary data. A couple of years ago, I saw a talk detailing a common misconfiguration in Amazon S3 buckets which lead to a lot of personal user data being publicly indexed and accessible. Again, this comes back around to putting your stuff on an unfamiliar, untrusted system and potentially not knowing how it works.
Bill: Given the still-dynamic world of both cloud computing and the technologies surrounding the platform, organizations have to be extra careful with their data. The rapid pace of cloud adoption clearly shows there is a good place for this technology. So what would you recommend that organizations do moving forward? What can they do to better protect their data?
Alex: As far as what I would recommend, I would say to try and stay away from cloud computing for critical security applications, and to divorce it from operational corporate data whenever possible. For example, don’t query (or replicate) your internal databases over the Internet to/from your cloud services. Also, use encryption where it makes sense. Encrypt data-at-rest, and ensure that data-in-transit is tunneled using some industry standard like TLS or SSH. Another suggestion (which is not limited to cloud computing), audit as many things as possible. If your cloud provider gives you logs, suck them into your security information and event management system (SIEM), figure out what normal behavior is, and then investigate anomalies. And as a final suggestion, go with reputable cloud providers. People seem to be in love with the idea of adopting buzzword technologies for no apparent reason. That, coupled with the cost savings that it provides, has new cloud services popping up daily. Your best bet with choosing the right vendor is probably their reputation, so try not to get swept up by promises from the sexiest new startup. Along with that, read your contract and try to understand what guarantees the provider gives you on the security of your data.
Cloud security and data integrity are major concerns for any organization looking to utilize cloud services. New threats and even unknown surveillance programs can all cast potential shadows in cloud infrastructure confidence. Still, just like any technology, there will be road bumps that will need to be smoothed over. Security is certainly one of those bumps. Already we’re seeing more reputable cloud providers offering great services which are PCI/DSS, HIPAA and even FedRAMP government compliant.
There’s no question that the user and corporate compute model has changed. New devices and new services are all changing the way we consume data, workloads, and applications. Security will always be a major part of the delivery process. Cloud computing certainly creates new types of targets and potential new threats. However, with proactive design methodologies and good security best practices, your organization can work to stay ahead in the cloud computing world.