CLOUD COMPUTING SECURITY: HOW RISKS AND THREATS ARE AFFECTING CLOUD ADOPTION DECISIONS

A Thesis Presented to the Faculty of San Diego State University
In Partial Fulfillment of the Requirements for the Degree Master of Business Administration
by Takahiko Kajiyama
Fall 2012

Copyright 2012 by Takahiko Kajiyama
All Rights Reserved

DEDICATION

This thesis is dedicated to my father, who worked hard to support his son's and daughters' educational endeavors. May he rest in peace.

The ancient Romans built their greatest masterpieces of architecture for wild beasts to fight in.
Voltaire

ABSTRACT OF THE THESIS

Cloud Computing Security: How Risks and Threats Are Affecting Cloud Adoption Decisions
by Takahiko Kajiyama
Master of Business Administration
San Diego State University, 2012

Many IT professionals would agree that cloud computing is the most revolutionary information delivery model since the introduction of the Internet. For corporate management and decision makers, cloud computing brings many financial and functional benefits as well as serious security concerns that may threaten business continuity and corporate reputation. The definition of cloud computing is still blurry, in large part because of the magnitude of the security risks and the virtually unlimited amount of information being published. The purpose of this research is to assess how the cloud security risks and threats most commonly discussed today are affecting current and prospective cloud users' decisions on adoption.

In this research, both practitioner and academic literature was reviewed in order to incorporate views from both sides on cloud security, as well as technology white papers, government reports, and recent market and security articles. Then an online survey targeting current and prospective cloud users was conducted, and real-life driving and resisting forces of cloud adoption were assessed. The survey posed questions about a variety of security risks, and even though the respondents indicated concerns about these risks, none of them were voted as a show stopper in cloud adoption. Furthermore, the majority of respondents were confident in their cloud service providers' protection mechanisms, while being well aware of the existence of the risk.

TABLE OF CONTENTS

ABSTRACT
LIST OF TABLES
LIST OF FIGURES
ACKNOWLEDGEMENTS
CHAPTER
1 INTRODUCTION
    Background
    Research Question
    Methodology and Sources
PRACTITIONER LITERATURE REVIEW
    Cloud Services and Models
    Service Providers and Users
    Security Standards and Compliance Organizations
    Non-Regulatory Organizations
    Significance of Security Standards and Compliance
    Recent Cloud Data Breach Incidents
    Epsilon Service
    Nasdaq Directors Desk
    The 2011 GAO Report
    Security Benefits
    Security Risks
RESEARCH LITERATURE REVIEW
    New versus Traditional Security Concerns
    New Security Threats and Vulnerabilities
    Side Channeling
    Shared Ecosystem and Fate Sharing
    Vendor Lock-In
    API Changes
    Abuse and Nefarious Use
    Traditional Security Threats and Vulnerabilities
    Cross-Site Scripting
    SQL Injection Flaws
    Access Control Weaknesses
    Cross-Site Request Forgery
    Buffer Overflow Attacks
    HTTP Header Manipulation, Hidden Field Manipulation, and Cookie Manipulation
    Botnets
    Other Traditional Security Threats and Vulnerabilities
    Other Cloud-Specific Concerns
    Regulatory Compliances
    Risk Assessment
    Security as a Service (SECaaS)
    Cloud Security Best Practices
    Vendor Selection
    Service Level Agreement (SLA)
    Physical Isolation
    Data Protection Transmission
    Data Protection Storage and Encryption
    Virtual Machine Security
    Auditing
    Other Considerations in Cloud Adoption
SURVEY METHODOLOGY
    Creation and Distribution
    Data Collection and Responses
    Data Analysis Methodology
DATA ANALYSIS
    Introduction
    Survey Results and Findings
    Current Cloud Usage
    Primary Drivers and Concerns for Cloud Adoption
    Security Risk and Threat Awareness
    Risks and Threats Affecting Cloud Adoption Decisions
    Defensive Measures
DISCUSSION
    Cloud Benefits and Concerns
    Cloud Adoption Obstacles and Show Stoppers
    Avoiding Costly Defensive Measures
    Research Limitations and Shortcomings
CONCLUSION
REFERENCES
APPENDIX SURVEY QUESTIONS AND RESPONSES

LIST OF TABLES

Table 1. Likert Scale to Numeric Point Conversion
Table 2. T-Test Result: Minimizing Software Licensing Fees as Benefit Expected to Gain by Adopting Cloud
Table 3. Q18: Your Cloud Resources Can Be Used as a Platform for Launching Attacks, Hosting Spams and Malware, Software Exploits Publishing, and for Many Other Unethical Purposes
Table 4. Q19: Unauthorized Users, such as Hackers and Malicious Insiders, May Gain Access to Your System Due to Flawed Hypervisor, Insecure Cryptography, and So On
Table 5. Q20: Vendor-Provided Cloud APIs with Weak Authentication May Jeopardize the Confidentiality, Integrity, and Availability
Table 6. Q21: Shared Resources May Affect Your System's Performance and Business Continuity
Table 7. Q22: Physical Location of Your Data Is Unknown
Table 8. Q23: Your Data May Not Be Recoverable When an Unforeseen Event Takes Place
Table 9. Q24: Your Systems May Be Disrupted Entirely When an Unforeseen Event Takes Place
Table 10. Q25: Your Service Provider May Not Be Compliant with Regulatory Standards, Including the Internal Control, Compliance, and Internal Security Procedures
Table 11. Q26: When a Security Breach Takes Place, There May Be Little or No Forensic Evidence Available
Table 12. Q27: Unauthorized Access and Data Leakage Will Always Remain as a Possibility, No Matter How Much Effort You Put Into Cloud Security
Table 13. Q28: There Will Be Unknown Risks and Threats as Attackers Continue to Invent New Attacking Methods
Table 14. T-Test Result: Unrecoverable Data as a Risk Factor
Table 15. T-Test Result: Non-Regulatory Compliant Provider as a Risk Factor
Table 16. T-Test Result: Replication of Backup in One or More Cloud Storage

LIST OF FIGURES

Figure 1. The cloud computing stack
Figure 2. The cloud scales: Amazon S3 growth
Figure 3. Xen hypervisor architecture
Figure 4. The traffic signature associated with running SU in a SSH session
Figure 5. Relationships of the cloud API and other key cloud components
Figure 6. Sample web application error exposing C# source code, framework version, and source code file path on development machine
Figure 7. Actual web application error on Chase.com, exposing the database server name
Figure 8. Botnet infection methods
Figure 9. General botnet spread
Figure 10. Overview of the Cloud Adoption Toolkit
Figure 11. Cloud computing usage by type
Figure 12. SaaS adoption by organization size
Figure 13. SaaS adoption by organization type
Figure 14. Cloud provider selection
Figure 15. Cloud provider overall satisfaction
Figure 16. Primary drivers for cloud adoption
Figure 17. Primary drivers for cloud adoption by organization size
Figure 18. Primary drivers for cloud adoption by organization type
Figure 19. Primary concerns for cloud adoption
Figure 20. Primary concerns for cloud adoption by organization size
Figure 21. Primary concerns for cloud adoption by organization type
Figure 22. Security issue awareness
Figure 23. More concerned with malicious insiders
Figure 24. Provider security confidence
Figure 25. Existence of escalation channel
Figure 26. On-premise is more secure than cloud
Figure 27. Cloud readiness for mission-critical applications
Figure 28. Cloud will be more secure in the future
Figure 29. Cloud security risk effects
Figure 30. Unrecoverable data as a risk factor, by organization size
Figure 31. Unrecoverable data as a risk factor, by organization type
Figure 32. Non-regulatory compliant provider as a risk factor, by organization size
Figure 33. Non-regulatory compliant provider as a risk factor, by organization type
Figure 34. Cloud security defensive measures in place
Figure 35. Periodic data backup and restore tests performed, by organization size
Figure 36. Periodic data backup and restore tests performed, by organization type
Figure 37. Data encryption usage by organization size
Figure 38. Data encryption usage by organization type
Figure 39. Replication of backup in one or more cloud storage, by organization size
Figure 40. Replication of backup in one or more cloud storage, by organization type

ACKNOWLEDGEMENTS

My heartfelt gratitude to Dr. Murray Jennex for continuous and sincere guidance throughout this project, and for sharing most valuable ideas. His professional and academic assistance made this research project much more efficient and rewarding. I am very grateful for his support, and for his willingness to spend his valuable time guiding me. My sincere thanks to Dr. Theo Addo for his valuable suggestions, indispensable recommendations, and continuous encouragement. Special thanks to Dr. Chris Paolini for being a part of my thesis committee, and for thought-provoking ideas. My gratitude to Ms. Laura Dieken for helping me with my written English, and for providing constructive comments and encouragement. I would like to thank all my fellow MBA classmates and faculty staff for inspiring ideas and memorable time in the program.

CHAPTER 1

INTRODUCTION

BACKGROUND

From time to time, great innovations are brought to us without wholly new discoveries or technological breakthroughs. Electric vehicles are a combination of existing auto body frames and electric motor technologies. The Internet is merely networked computer devices and resources on a global scale. It is about how existing and mature technologies and knowledge are mixed then advanced, introducing valuable and innovative products and services into our lives. Similarly, cloud computing is nothing but a new information delivery model that utilizes existing technologies and resources.

Since the introduction of Amazon's S3 (Simple Storage Service) and EC2 (Elastic Compute Cloud) in 2006, cloud computing has been generally welcomed as a cost-effective and flexible alternative to procuring and maintaining hardware and software in-house. According to Gartner's cloud-based services study released in June 2010, the cloud services market is expected to maintain strong growth through 2014 (Pettey & Tudor, 2009). The study also states that by that time, worldwide cloud service revenue is expected to reach $148.8 billion, which easily surpasses the 2011 revenues of two software giants, Microsoft and Oracle, combined ($69.94 billion and $35.6 billion, respectively; Bond & Hellinger, 2011; Statista, 2012).

On the surface, cloud computing seems to increase IT agility by eliminating many of the wearying tasks and responsibilities that IT departments manage these days. IT departments have been integrated so deeply into core businesses that most business operations would halt without the services and infrastructures that IT teams maintain. Furthermore, the fundamental challenges and responsibilities of IT will never stop expanding, as business and regulatory requirements become more complex, stronger protections from security threats become virtually mandatory, and technologies themselves become more ubiquitous, hence skill- and time-intensive.
Therefore, traditional IT teams are frequently forced to devote a large portion of their time and budgets to tasks that are not directly tied to revenues or to added value that is clearly visible to top management. For example, installing security patches on an ERP (Enterprise Resource Planning) system does not bring any new functionalities or benefits to users; however, it does require hours of planning and testing before the patches are implemented. According to a report prepared by CFO Research Services, many mid-size companies spend more than $1 million annually to update and maintain their ERP systems (CFO Research Services, 2009). Outsourcing the entire or even partial IT infrastructure and placing resources in the cloud is therefore an attractive alternative, especially for small- to mid-size organizations that cannot afford to allocate a large share of budget for projects that do not generate revenues.

The technological advancements in processor performance, virtualization, and fast and reliable network connectivity are all positive driving forces for businesses adopting the cloud computing model. The cloud computing model also makes economic sense for many organizations because it allows rapid application development and deployment by utilizing tools and platforms that are already in place, tested, and proven to be functional.

However, the rapid growth of the cloud market has also raised serious concerns regarding data security and governance, and these are considered to be major barriers to broader adoption. According to a survey conducted by the 1105 Government Information Group in January 2012, more than 50% of respondents indicated that the current cloud solutions are not secure enough due to potential data loss and leakage, lack of strong identity authentication and credential management, ambiguous data ownership, and physical location of data possibly being outside the U.S. border.
Many believe that these security concerns will eventually diminish; however, the same survey also revealed that more respondents, 60% in 2012 versus 54% in 2011, mentioned that cloud computing security risks are greater than on-premises security risks (Brocade Communications Systems, Inc., 2012).

For the reasons above, and despite its inexorable growth and popularity, cloud computing continues to be one of the most controversial trends in the IT industry. The situation is similar to when LASIK (Laser-Assisted in Situ Keratomileusis) was introduced nearly two decades ago: extraordinary risks in the event of an unfavorable outcome but remarkable benefits when successful, therefore creating groups of early adopters and those who waited, fearing the unknown risks. Even today, the success ratio is extremely high but still not 100%, leaving some patients with fears and doubts. Similarly, with cloud computing, there are already many organizations which have successfully adopted the new computing model and are enjoying its benefits, but unknown security risks are still preventing others from making the commitment. Even though a number of regulatory and non-regulatory organizations are attempting to structure more streamlined and standardized methods for building secure cloud environments, many technical and non-technical hurdles still exist.

RESEARCH QUESTION

The purpose of this thesis is to assess how security risk factors are affecting existing and prospective cloud users' cloud usage strategies. Organizations hosting mission-critical applications and data in clouds are no longer considered to be early adopters. Are they simply betting that financial benefits will surpass security risks, or are they confident that cloud providers are capable of assuring an equal or higher level of security than on-premise systems? Examining real-world users' opinions on the risks and threats most commonly discussed in practitioner and academic literature is beneficial to organizations considering adding cloud to their IT portfolio.

For management, the largest problem of cloud adoption today is a mass of uncertainty in decision making. With security being the top obstacle, other factors such as cost control, availability, and vendor lock-in require extensive research and analysis, which is likely to produce less than definitive indicators for decision making. For the cloud model to be proven, or disproven, worthy of trust for an organization, claims made by cloud service providers and IT journalists are not sufficient. Instead, cloud adoption decisions should be made (1) by evaluating the current cloud service offerings, financial and technical benefits, and security concerns, and then (2) by studying real-world examples that present how organizations are weighing these benefits and risks.

METHODOLOGY AND SOURCES

This thesis, through the examination of published materials and studies, analyzes existing issues along with available countermeasures in order to evaluate the overall assurance level of cloud security. Academic literature and security publications as cited are the main sources of material used for this research. Online resources and technical whitepapers will also be referenced to a certain degree in order to present and analyze the latest trends in cloud computing, regulatory standards, and research conducted by institutions and government agencies.

In addition, in order to assess various perspectives on cloud computing security, a survey targeting IT professionals and managers, specifically current and prospective cloud users, was conducted. The survey respondents were recruited on EDUCAUSE ListServ, Meetup, Google Groups, and Facebook Groups over a period of five weeks. Two primary goals of the survey were (1) to assess how security concerns have affected or will affect the respondents' decision on adopting cloud, and (2) to perform positive and normative analyses on how companies are guarding their assets in the cloud as compared to the best practices recommended by security experts.

CHAPTER 2

PRACTITIONER LITERATURE REVIEW

CLOUD SERVICES AND MODELS

Essential resources consumed by households and businesses, such as water, gas, and electricity, are made available in a virtualized manner: these resources are readily available through faucets and outlets, and their sources and delivery mechanisms are not of interest to resource consumers. Cloud computing introduced the same concept to information technology. With the cloud computing model, software, platforms, and infrastructures are made available as web services through the Internet, and cloud service consumers are not aware of the physical location where these services are performed. Companies obtain hardware and software resources as services from cloud service providers, as opposed to as physical assets.

Every service provider and standards organization defines cloud computing slightly differently. For example, the National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Mell & Grance, 2011, p. 2).

Just as application software can be divided into multiple classes based on various criteria such as categories and intended user types, cloud computing can also be divided into several service types and deployment models. Buyya, Broberg, and Gościński (2011) divide cloud computing services into three classes: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (Figure 1).

Infrastructure as a Service (IaaS) is the lowest level of separation between what consumers could expect and the resources that are readily available for them to utilize.
This service class offers raw computing, networking, and storage services that enable cloud consumers to build custom services and applications. The cloud provider controls the physical resources, and the cloud consumer controls anything above, such as operating systems and development tools.

Platform as a Service (PaaS) takes the separation higher in the stack and is an environment where applications which are ready to be developed or deployed are offered by the cloud provider. The cloud consumer utilizes the provided platform, such as the Java programming language and Oracle databases, without worrying about the underlying details such as software and hardware dependencies and configurations.

Software as a Service (SaaS) moves the separation even higher in the stack, where the cloud consumer is simply an end user of applications that the cloud provider hosts. The majority of free cloud services, such as web-based and word processing, can be categorized as this type of service class. The model virtually eliminates software maintenance for end users and simplifies the testing and deployment procedures for software developers.

Figure 1. The cloud computing stack. Source: Buyya, R., Broberg, J., & Gościński, A. (2011). Cloud computing: Principles and paradigms. Hoboken, NJ: Wiley.

Cloud computing can also be categorized by deployment models: private, community, public, and hybrid.

Private clouds are dedicated, in-house clouds that do not allow access from external networks. Companies and schools host their own private clouds that are accessed only by internal users. Private clouds maintain the ease of access to services using the same web service protocols, yet maintain data confidentiality by making the services visible only to internal users.

Community clouds are deployed in a way that multiple organizations share and operate the cloud cooperatively. For example, multiple schools within a region may operate a single cloud for sharing library catalogs, with a single search interface used by all students attending these schools.

Public clouds are either free or paid clouds that are accessible to anyone in the public. The public cloud is the most commonly used model. Many of the popular cloud services, such as web-based and paid services offered by service providers like Amazon, are deployed as public clouds.

Hybrid clouds consist of one or more private clouds and one or more public clouds, both managed by a single organization. This deployment type is chosen primarily for scalability and cost-efficiency. For example, a company may keep sensitive data internal and outsource other non-critical workloads to a public service provider.

SERVICE PROVIDERS AND USERS

For each service class, the most prominent cloud service providers include:

Infrastructure as a Service
    Amazon AWS
    GoGrid
    IBM SmartCloud
    Joyent
    Rackspace
    Verizon
Platform as a Service
    Google App Engine
    Microsoft Windows Azure
    Oracle Public Cloud
Software as a Service
    Google Apps
    Microsoft Office 365
    Oracle Public Cloud
    Salesforce.com

The online retail giant Amazon is one of the pioneers of cloud computing, and is by far the most successful cloud service provider today. The company's cloud computing platform, Amazon Web Services (AWS), consists of a collection of web services and is steps ahead in service maturity and customer awareness with aggressive pricing strategies (Search Cloud Computing, 2010). Amazon is heavily betting on cloud computing to be the default platform for running most business applications in the future, and is continuously adding more capacity to its data centers (Robinson, 2012). At the end of the first quarter 2012, as Figure 2 illustrates, Amazon's S3 cloud storage housed over 905 billion objects, with 1 billion being added daily (Amazon, 2012).

Figure 2. The cloud scales: Amazon S3 growth. Source: Amazon. (2012, April). Amazon web services blog: Amazon S3-905 billion objects and 650,000 requests/second. Retrieved from /04/amazon-s3-905-billion-objects-and requestssecond.html.

Users of AWS vary in size and industry. AWS is an attractive platform for small startups with limited IT budgets and resources. Amazon's client list also includes large financial institutions and pharmaceutical companies, the types of companies that demand the highest level of security for their data. For example, Pfizer has set up its worldwide research and development facility within Amazon Virtual Private Cloud, which handles various computation tasks such as large-scale data analysis, research projects, clinical analytics, and modeling (Amazon, n.d.d).

Google is another key player in cloud computing. Unlike Amazon's platform offerings, Google's App Engine provides application development and hosting environments. Applications built on App Engine are sandboxed, and run across multiple servers hosted in Google-managed data centers. For example, Best Buy has developed a web browser plugin called Giftag, a free tool that lets users create a wish list from any online retailer and share it with others. The development team initially developed the server-side Java application on another platform, and then re-platformed and re-launched the system on Google App Engine in just 10 weeks (Bendt, 2009).

SECURITY STANDARDS AND COMPLIANCE ORGANIZATIONS

As concern over cloud security keeps rising, it has become critical for cloud service providers to present and demonstrate their ability to safeguard customer data. The most common means to accomplish this is to obtain trustworthy security certifications and audits for prospective customers. This type of assurance has become almost mandatory rather than a mere marketing incentive. For example, in an effort to attract customers with various requirements, Amazon's AWS has obtained and offers a variety of industry-recognized certifications, accreditations, and audits: SOC 1/SSAE 16/ISAE 3402, PCI DSS Level 1, ISO 27001, ITAR, FISMA Moderate, FIPS 140-2, and SAS 70 Type II (Amazon, n.d.a).

At present the security standards and regulatory organizations that have the most direct effect on cloud computing security are PCI DSS, FISMA, and HIPAA.

PCI DSS (Payment Card Industry Data Security Standard) provides a framework for cloud providers to host applications that require a robust payment card data security process (Security Standards Council, n.d.). In other words, by choosing a PCI DSS-compliant cloud provider, developers can easily build applications with a secure credit card payment system without using a third-party merchant account provider.

FISMA (Federal Information Security Management Act) requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and information systems (National Institute of Standards and Technology [NIST], 2012). FISMA-accredited cloud providers would auto-comply with the regulations that federal agencies are required to follow for data security.

HIPAA (Health Insurance Portability and Accountability Act) requires every healthcare provider and organization that handles PHI (protected healthcare information) to adhere to strict information security guidelines that assure the protection of patient privacy.
Even though HIPAA does not directly impose these guidelines on cloud providers, if a company chooses to store protected healthcare information in the cloud, the service provider must either be HIPAA-compliant or provide secure infrastructure and policies that satisfy the HIPAA standards and requirements.

NON-REGULATORY ORGANIZATIONS

There are non-profit organizations that aim to build a common ground for cloud computing security. These organizations are non-regulatory; however, they have extensive influence on cloud computing security. The most widely recognized organizations are CSA and NIST.

CSA (Cloud Security Alliance) is a non-profit organization that was officially formed in December 2008, in response to the emerging popularity of cloud computing. CSA consists of a large number of corporate and affiliate members such as Accenture, Amazon, McAfee, Microsoft, and Oracle. CSA's primary objective is "to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing" (Cloud Security Alliance, n.d., p. 1). CSA provides a variety of security education programs and certifications, such as PCI DSS and GRC (Governance, Risk Management & Compliance) training and CCSK (Certificate of Cloud Security Knowledge).

NIST (National Institute of Standards and Technology) is a non-regulatory government agency within the U.S. Department of Commerce. NIST was originally founded as the National Bureau of Standards in 1901, and it was the first physical science research laboratory owned by the federal government. The agency is also known to be a measurement standard laboratory, with a mission "to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life" (NIST, 2008, para. 2). Specifically for cloud computing, NIST primarily aims "to provide thought leadership and guidance around the cloud computing paradigm to catalyze its use within industry and government" (NIST, 2010, para. 3).

SIGNIFICANCE OF SECURITY STANDARDS AND COMPLIANCE

IT security in general has experienced intense changes over the past decade. Computerized tasks and processes have created increasing vulnerabilities in the workplace, networked devices have introduced new threat paths, and the ever-growing volume of personal and financial information stored in binary form has triggered waves of privacy concerns from organizations as well as individuals.
The electronics giant Sony and the world's largest tech-security company RSA Security experienced massive security breaches in Seeing these systems in a private, closed environment being victims of online attacks, it is natural for one to wonder why cloud services would be any more secure. To mitigate these concerns, cloud service providers are making a great effort to build secure platforms that meet today's strict security standards. These standards, however, have very little effect on the protection customers receive: the standards are merely a measurement of the level of assurance that the certifications entail. For example, applications hosted in a HIPAA-compliant cloud platform could still face security breaches if the application's architecture and deployment are not handled with a full understanding of the