Draft v0.7 July 27th. The Nature of Cloud

Transcription

1 Global Security Challenges of Cloud Computing Extended Abstract Sadie Creese and Paul Hopkins International Digital Laboratory, WMG, University of Warwick, UK There is no doubt that cloud computing is a major interest for many organisations and individuals. Across the globe massive investment is being made in infrastructure, applications and business models. Currently expectations of the market potential remain high, with Gartner predicting a services market value of $150bn by Security, control of data and privacy are key priorities and concerns for potential users, and in an enterprise environment a potential barrier to uptake 2. Unsurprisingly, the notion of your digital assets residing on infrastructure outside your direct control, and potentially in a geographical location a great distance away, is one which some find hard to accept. So the global nature of the potential cloud ecosystem results in security challenges which, in part, require a globally co-ordinated response. We explore here the requirements for such a response and reflect on the scope of the challenge. The Nature of Cloud Cloud is a utility computing concept, where resources can be consumed on demand, reconfigured and provisioned rapidly 34. Users of cloud can access computing resources via the Internet as opposed to owning and maintaining the resources themselves. This enables a close coupling between consumption of computing resource and investment, delivering a pay-as-you-use effect. Service providers seek to exploit a business model which is scalable due to minimal management effort, maximal automation and capacity balancing across resources. In a mature cloud ecosystem we can expect to see supply chains within the cloud, where service providers purchase additional resources to enable them to meet peeks in demand without having to maintain such capacity in the long term. To achieve the flexible benefits of the cloud, and to receive the best deal as their needs change, consumers of clouds require portability between clouds and the ability to switch suppliers as they see fit. This in turn requires responsiveness of service providers, and interoperability between clouds at many levels from policy to technology. Cloud is not a new technology, but a new business model which both exploits existing technology, such as Service Orientated Architectures (SOAs), GRIDs and Virtualisation, and demands technology innovations, such as portability of virtual machines 5. A variety of service models are envisaged: Software as a Service (SaaS) where applications are hosted and delivered online via a web browser offering traditional desktop functionality such as Internet-based alternatives to popular word processing/collaboration tools. Platform as a Service (PaaS) where the cloud provides the software platform on which systems run (as opposed to just the software as for SaaS). Infrastructure as a Service (IaaS) where a set of computing resources, such as storage and computing capacity, are hosted in the cloud. Virtualisation permits systems to be built in an ad-hoc manner depending upon demand. Customers then deploy and run their own software stacks to run services. Hardware as a Service (HaaS) where the cloud provides dedicated firmware accessible via the Internet. All of the service models could be offered in a public cloud (via the Internet), and also within a private cloud. Due to concerns surrounding security and privacy enterprise cloud users may seek to combine 1 Gartner: Forecast: Sizing the Cloud; Understanding the Opportunities in Cloud Services. March (2009). 2 IDC Enterprise Panel August Vaquero, L.M., Rodero-Merino, Caceres, J. and Lindner, M. A Break in the Clouds: Toward a Cloud Definition ACM SIGCOMM Computer Communication Review Vol 39 No 1 January 2009 pp IEEE (2008) ORGs for Scalable, Robust, Privacy-Friendly Client Cloud Computing at: 5 Distributed management task force - Open Virtualisation Format. 1

2 private clouds and public clouds into hybrid solutions: Utilising resources from a trusted infrastructure (perhaps a single enterprise or within a trusted community) can provide a mechanism for exploiting the benefits of a cloud service model without releasing digital assets into the wild. For less critical assets the Internet based Cloud will provide a service subject to global competition, and so may be more keenly priced as a resource, and offering the most innovative technologies and applications. Clouds will be responsible for not only data assets but also enterprise functionality which will vary in nature of criticality. We can expect a mature cloud ecosystem to include strong alignment between customer and service provider enterprise processes particularly in support of IT governance (to enable maximal automation and agility), and that best practice exist spanning cloud adoption and delivery. In addition, we can predict a number of properties which will be both necessary and challenging for current information assurance and network security practices: Scalability and agility of provision to meet fluctuating demands for resource, likely to include high levels of automation in the service provisioning process. Performance and quality metrics for cloud services, and optimisation techniques for exploitation within an enterprise. Including optimising hybrid cloud configurations within the context of a risk management strategy. Standardised and automated contractual mechanisms, including service level agreements for all types of cloud service offering (and structured to easily accommodate change). The Threat and Vulnerability Environment To understand the scope of the cloud security challenge for any particular deployment we need to understand the risks associated with cloud exploitation for a particular user or enterprise. This necessitates an understanding of impact which is context dependent. However, it is still possible to consider the broad nature of threat and vulnerability likely to be faced in cloud environments. The cloud vulnerability model is likely to be driven by the technology environment and human factors. The range of potential cloud ecosystem realisations span from the siloed adoption witnessed today (think process heavy procurement), to broad exploitation across various enterprise functions with high agility and mobility between service providers. Where investment in portability and interoperability is low then cloud applications are likely to become customised and bespoke as additional features are delivered. Where such investment is high we can expect dynamically composed services, originating from multiple sources, with heavy automation. Exploiting vulnerabilities in bespoke systems will require focused effort, and similar attacks on other systems will require repeated effort. If security investment is high then it too will be bespoke, so making the investment required of an attacker high in order to mount a successful attack. The most successful threats operating in this environment are likely to be those with insider knowledge. If investment in security is low the investment required of a threat is also low, although the potential payback is still limited to the particular target. In contrast, a cloud ecosystem with high mobility, ability and portability will require commonality within the applications used. This could result in systemic vulnerabilities existing, which could become the result of de-skilled attacks and highly available tool kits. Threats are likely to continue to use distributed modes of attack utilising computing resources of unknowing participants. A lack of security investment to remove vulnerabilities, deter their exploitation and detect attacks will mean 2

3 the potential benefits to an attacker are relatively high for little investment. An investment in security would necessitate pushing protection measures down to the data level, in order to maintain security in the face of portability, unless service level agreements can be directly tied to the data which they are in part designed to ensure protection of. Attack patterns are continually evolving, however they are likely to include but won t be limited to: compromise of cloud service integrity leading to confidentiality and data losses; creation of malicious clouds in order to gain access to customer data; denial of service attacks launched upon the provisioning applications of cloud services; denial of service attacks launched from within compromised or malicious clouds preventing customer removal of data sticky clouds ; insider threat attacks on integrity, confidentiality and availability of cloud services and customer data. Global Security Challenges Cloud does have characteristics which could lead to requirements which might be unique, and will certainly stretch existing best practice in a number of areas. For the purposes of this paper we concern ourselves only with those which are likely to require a global collaborative response:: Risk Management Practice Fundamentally security begins with risk management, since it is in the application of a risk management methodology that impact and risk mitigation strategies are identified and aligned. In a cloud environment users will depend upon service providers to implement appropriate controls on their behalf. Hence, the practice of risk management, and the controls and mitigations utilised, will need to be standardised across the cloud ecosystem in order for cloud users to make informed decisions and maintain security postures whilst remaining mobile within the marketplace. In the short term it may be that cloud service providers seek to differentiate themselves based upon the controls they offer to users, and the degree to which users can operate controls remotely. It is unlikely that today s best practice in risk management related to out sourcing will directly translate to a mature cloud ecosystem as this necessitates close relationships with service providers, where culture and vision are aligned, relationships are deepened over time and a trust is built up; staying mobile in the cloud could make risk management based on long term relationships undesirable, and technical prevention techniques and contractual risk mitigation more attractive. But these approaches may be difficult from a personal cloud user perspective. Technical prevention techniques usually require some user control and configuration, as with virus protection for example. Individual users of cyberspace already find tangibility of risk problematic, and often choose not to read the small print in order to gain quick access to the desired service or product. Such issues can simply add to vulnerability in the system, and specific weaknesses may differ across cultures and user groups. Ultimately, whether something is done to address the current status quo (which for many appears to be finger crossing) will be down to the cloud service providers, and hence will depend upon whether they can see a clear business case for change. 3

4 If we consider security requirements from a lifecycle perspective: prevent, detect, respond the following we require addressing in a global manner: Prevention of malicious attack Designing, building and testing cloud systems free of vulnerabilities will be challenging. While scale plays a significant factor, the dynamic composition of services across the host, network and application layers has the potential to increase the attack surface but also increased potential for the mis-configuration of composed services, especially if they are not well defined and rapidly assembled. Previously enclosed functionality is also likely to be exposed to many different consumers to help define and build structured services and, while a number of these issues are coexistent with general SOA research challenges 6, testing remains particularly challenging 7. In addition, providing specific security mechanisms may also require global collaboration. If data protection is to be handled at the data level then portability will be necessary, as with a DRM solution. In a global cloud ecosystem this will require standardisation. It may also be necessary to implement some kind of global identity system to enable traceability and forensic investigations when things go wrong. Whilst a single system is highly unlikely, a federated model will still require collaboration and interoperability. In a mature cloud ecosystem with high mobility of users and agile provisioning it may require interoperability of security policy to enable requirements to be ported between services as users move around. Detection of malicious attack Detection of malicious activity within a cloud may not require a global response (unless the cloud service provider spans nation states in which case privacy laws might need to be aligned). However, collaborative attack detection across clouds will require co-operation. The detection of malicious activity is considered difficult within current enterprise environments, with many (often falsepositive) events arising from applications and dedicated intrusion-detection sensors. It is not clear that current techniques would necessarily read directly across into the cloud environment, with dynamically changing services requiring constant re-learning of traffic patterns, and large -scale events that may need to be collected and filtered. If this is to be achieved in real time then standardisation will be required, and an ability to deliver technology capable of reaching back to originating clouds, and mechanisms for identifying attack sources within the clouds. This will require cooperation between cloud service providers and may be in conflict with privacy policies and mechanisms operated 8,9. Hence, privacy protection will become a global issue for cloud computing. 6 Service-Oriented Computing Research Roadmap, Papazoglou, et Al, Dagstuhl Seminar Proceedings 05462, Service Oriented Computing (SOC), A Research Agenda for Service-Oriented Architecture, Kontogiannis, Lewis, Smith, Software Engineering Institute (CMU) EU FP7 project Privacy Aware Security Monitoring, 9 Craig Gentry, Fully homomorphic encryption using ideal lattices, Proceedings of the 41st annual ACM Symposium on Theory of Computing, pp , June

5 Response to and recovery from malicious attack Whilst disaster recovery, business continuity and resilience are well known concepts, how we deliver them in the context of a public and global cloud environment is not clear. Even if cloud service providers offer mirror sites and distribution functions in order to tolerate failures in their systems and offer continuing service, this cannot offer protection in the face of systemic failures or catastrophic attack. In which case cloud users and consumers will need to consider whether they need to create multiple redundancy effects themselves, possibly in the replication of their use of cloud across heterogeneous vendors (and for the truly paranoid vendors using heterogeneous platforms). This in turn only serves to broaden the potential attack surface, and so the optimal strategy will depend highly upon the perceived level of risk. This is likely to vary and business continuity strategies will need to vary with it. There may be an opportunity for trusted cloud ecosystems to be created, which deliver the benefits of a public cloud but in a private manner. Thus limiting the attack surface in an environment where heterogeneous resources could be utilised and shared in a collaborative manner in order to deliver continuity in the face of malicious attack. These are likely to be at least international, if not global. Legal, regulatory, compliance and audit The legal and regulatory environment is particularly challenging for the highly dynamic and international service offering of clouds potentially spanning multiple legal jurisdictions. The ability to transfer data and deliver services requires a knowledge and conformance to the jurisdictions where data is processed and potentially delivered. Ensuring that privacy laws are adhered to is often recognised as being particularly complex in the cloud environment, applicable to both organisations and individual users of the cloud alike. However, regulatory bodies also place additional requirements for good practice on businesses, and in some countries often set defined practice and impose penalties. While most suppliers will want to ensure that the burden for ensuring compliance and enabling them to be audited falls to the user of the cloud, they will have to provide the practical mechanisms to ensure that it can be done for many businesses and where possible ensure that mechanisms do not conflict. Data retention is one such area where requirements are increasingly being examined from the communications layer up to the provision of services such as . Of particular concern is the ability to conduct activities as part of both criminal and civil investigations. Although currently collaborative frameworks exist for the investigation and pursuit of criminal activities, they are generally found to be inadequate in terms of speed of delivery except in the most serious of cases 12. With cloud data and services are easily distributed across many legal jurisdictions and suppliers understanding the responsibilities and getting the agreement of all parties to assist in gathering and understanding the evidence gathered will be highly challenging. While frameworks exist via Mutual Legal Assistance Treaties (MLATS) for criminal investigations, these prove cumbersome except in the most serious of cases, and nothing equivalent exists to assist for civil procedures. It has been suggested that some new technologies, such as virtualisation, may assist in the investigation of incidents. However, the reality is that they are likely to introduce new challenges 12 R. Anderson,R. Bohm,R. Clayton,T. Moore, Security Economics and the Internal Market,

6 and uncertainty; data may be spread across many different machines and providers and the challenge of assuring that the host was not compromised prior to the forensic investigation will be very difficult to address in the shared environment. Concluding Remarks To degree to which security and privacy concerns will prove a barrier to uptake of cloud services is yet to be fully understood. Published surveys certainly suggest that they will. This has led many to propose private, or semi-private, clouds as an alternative solution. Where using a combination of grid techniques to optimise resource usage within an enterprise, and sharing such resources amongst a trusted group or coalition, can avoid the necessity to place assets in more risky hands. Such propositions can certainly mitigate some risks originating from outsider threats. However, this will not alleviate the pressures to create solutions to portability and interoperability issues if we are to avoid being tied into particular service providers and their preferred technologies and partners. The degree to which global security challenges are also challenges for the private cloud is a topic for future research. 6