Cloud-service-based deployments have become commonplace in industry segments ranging from financial services to healthcare. I have discussed in earlier posts how the cloud services model will come to dominate important areas such as healthcare information exchanges. The economic model is highly attractive across a broad range of business problems. Several years ago, as the business models and technical foundations for cloud computing were taking shape, I helped form the Cloud Security Alliance. One area of frequent debate was whether the cloud services paradigm called for new approaches to security. Then as now, I think the debate is still valid. My personal opinion is that the security and risk fundamentals remain the same, but the pressure points are different.
Perhaps an example would be useful to consider. Application security is a critical consideration whether you ship a CD (you know, some really cool software still ships on a CD these days) or ship bits to Amazon AWS. Often the top-of-mind issue for developers tasked with application security is confidentiality – basically protecting sensitive data from cybercriminals and malicious business partners or insiders. Sometimes overlooked are application security issues related to integrity, which are amplified in cloud services deployments. Consider an attack in which a virtual machine instance is injected into a cloud system such as Google App Engine or Microsoft Azure. Such cloud malware could serve many purposes for the attacker, ranging from eavesdropping to data modification. If the attacker has done sufficient reconnaissance and is able to convince the cloud system to treat the new instance as a valid VM associated with the particular service, the cloud system redirects user requests to the malicious service implementation and the adversary’s code is executed.
The countermeasure to this threat falls back on the usual security principles: perform an integrity check before a VM instance is used for incoming requests. This can be done by storing a hash value of the original VM image and comparing it with the hash of every new service instance image. The attacker can presumably still crack the hash value comparison, but the risk is dramatically reduced.
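The integrity check described above, sketched as an added example that is not code from this post or from any cloud provider. The `InstanceGate` class, the service names and the tiny byte strings standing in for VM images are assumptions made for illustration; the choice of SHA-256 is also an assumption, since the post only says "a hash value".

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB chunks; real VM images are large


def image_digest(path):
    """Return the SHA-256 hex digest of the image file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class InstanceGate:
    """Hypothetical admission gate: only verified images receive requests."""

    def __init__(self):
        self._baseline = {}  # service name -> digest of the original image

    def register(self, service, original_image):
        self._baseline[service] = image_digest(original_image)

    def admit(self, service, candidate_image):
        expected = self._baseline.get(service)
        if expected is None:
            return False  # fail closed: no stored hash means no traffic
        actual = image_digest(candidate_image)
        return hmac.compare_digest(expected, actual)


def demo():
    """Constructed sample data: short byte strings stand in for VM images."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in [("original", b"kernel+app v1"),
                           ("clone", b"kernel+app v1"),
                           ("injected", b"kernel+app v1+implant")]:
            paths[name] = os.path.join(d, name + ".img")
            with open(paths[name], "wb") as f:
                f.write(data)
        gate = InstanceGate()
        gate.register("billing", paths["original"])
        return (gate.admit("billing", paths["clone"]),       # same bytes
                gate.admit("billing", paths["injected"]),    # modified image
                gate.admit("unknown-service", paths["clone"]))  # no baseline


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the place the baseline digests are kept, so that store needs to sit outside the reach of whoever can submit new instances.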
Perhaps in a later post I will discuss cloud service flooding attacks. An unpleasant thought for those who are paying the bill.