1 of 39

Cloud Computing Security Vulnerabilities

Dr. Mohammad Shoab

What is Cloud Computing?

NIST Definition

  • On-demand self-service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured Service.

Architecture and Service Definitions

  • Three Cloud Service Delivery Models:

1. Infrastructure as a Service (IaaS)

2. Platform as a Service (PaaS)

3. Software as a Service (SaaS)

  • Four Cloud Service Deployment Models

1. Public

2. Private

3. Community

4. Hybrid

CSA Cloud Reference Model

Hypervisors

  • Runs multiple instances of an OS (or multiple OSes) on shared hardware
  • Native or “bare metal”
    • PR/SM on the IBM System 370 (1972!)
    • VMWare ESXi
    • Microsoft Hyper-V
  • Host based
    • Virtual PC
    • VMWare Server
    • Parallels
  • Can use direct physical storage and/or virtual disks
  • Mainly used for IaaS and PaaS

Native Hypervisor

Vulnerabilities

Authentication, Authorization, and Accounting (AAA)

  • Insecure storage of cloud access credentials by customer
  • Insufficient roles available
  • Credentials stored on a transitory machine
  • Password-based authentication may become insufficient
    • Strong or two-factor authentication for accessing cloud resources will be necessary
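The first bullet, credentials left on disk by the customer, is something a defender can check for before an image or build host goes into service. The following scanner is an added example written for this page, not code from the slides; the file paths and contents are constructed, and the patterns are heuristics (the `AKIA` prefix is the documented shape of an AWS access key ID, the other two are generic "secret assigned in config" matches).

```python
import os
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample files standing in for what is often found on a transitory
# build or jump host (paths and contents are made up for this example).
SAMPLE_FILES: Dict[str, str] = {
    "/home/build/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAEXAMPLEKEY123456\n"
        "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0\n"
    ),
    "/home/build/.bash_history": (
        "ls -la\n"
        "export AZURE_CLIENT_SECRET=notreallysecret\n"
    ),
    "/etc/app/settings.ini": "[db]\nhost=db.internal\nport=5432\n",
}

# Ordered detection patterns: the first match on a line is the one reported.
# "AKIA" + 16 upper-case alphanumerics is the documented shape of an AWS
# access key ID; the other two are generic "secret assigned in config" heuristics.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*=\s*\S{40}", re.IGNORECASE)),
    ("secret_assignment",
     re.compile(r"\b\w*(secret|password|token)\w*\s*=\s*\S+", re.IGNORECASE)),
]

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Report, per line, the first pattern that matches; the secret itself is never echoed."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, name))
                break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def iter_text_files(root: str, max_bytes: int = 1_000_000) -> Iterator[Tuple[str, str]]:
    """Walk a real directory tree, yielding (path, text) for small UTF-8 decodable files."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="strict") as fh:
                    yield path, fh.read()
            except (OSError, UnicodeDecodeError):
                continue


def scan_directory(root: str) -> List[Finding]:
    """Scan a mounted image or home directory, e.g. scan_directory('/mnt/image')."""
    return scan_files(dict(iter_text_files(root)))


if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {name}")
```

Reporting only the path, line and pattern name keeps the scanner's own output from becoming another copy of the credential; the findings are the trigger to rotate the key, not to inspect it.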

User Provisioning

  • Customer cannot control provisioning process
  • Identity of customer or billing information is not adequately verified at registration
  • Delays in synchronization between cloud system components
  • Multiple, unsynchronized copies of identity data are made
  • Credentials are vulnerable to interception and replay
  • De-provisioned credentials are still valid due to time delays in roll-out of revocation
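The last bullet, credentials that stay valid while a revocation propagates, can be modelled and bounded. The example below is added for this page and is not from the slides: it assumes HMAC-signed tokens with a per-token identifier, and a `Validator` that only learns of a revocation `lag_s` seconds after it is issued (a constructed stand-in for unsynchronised identity replicas). It shows that a revoked token is still accepted during the lag, and that the token lifetime caps the exposure.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed signing key for the example; a real system keeps this in a managed secret store.
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass(frozen=True)
class Token:
    subject: str       # the user or VM the credential was provisioned for
    issued_at: int     # seconds since epoch (integers keep the example deterministic)
    expires_at: int
    token_id: str      # random per-token identifier, so a revocation can name one token
    mac: str           # HMAC over the other fields


def _message(subject: str, issued_at: int, expires_at: int, token_id: str) -> bytes:
    return f"{subject}|{issued_at}|{expires_at}|{token_id}".encode()


def issue(subject: str, now: int, lifetime_s: int, key: bytes = SIGNING_KEY) -> Token:
    token_id = secrets.token_hex(8)
    expires_at = now + lifetime_s
    mac = hmac.new(key, _message(subject, now, expires_at, token_id), hashlib.sha256).hexdigest()
    return Token(subject, now, expires_at, token_id, mac)


def mac_is_valid(tok: Token, key: bytes = SIGNING_KEY) -> bool:
    expected = hmac.new(key, _message(tok.subject, tok.issued_at, tok.expires_at, tok.token_id),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tok.mac)


@dataclass
class Validator:
    """One validating node. A revocation issued centrally at time t is visible here at t + lag_s."""
    lag_s: int
    _revoked_at: Dict[str, int] = field(default_factory=dict)

    def revoke(self, tok: Token, at: int) -> None:
        self._revoked_at[tok.token_id] = at

    def validate(self, tok: Token, now: int) -> str:
        if not mac_is_valid(tok):
            return "bad-mac"
        if now >= tok.expires_at:
            return "expired"
        revoked_at = self._revoked_at.get(tok.token_id)
        # The node only acts on the revocation once it has propagated to it.
        if revoked_at is not None and now >= revoked_at + self.lag_s:
            return "revoked"
        return "ok"


def max_exposure_s(lifetime_s: int, lag_s: int) -> int:
    """Longest a revoked token can still be accepted anywhere: the lag, capped by the lifetime."""
    return min(lifetime_s, lag_s)


if __name__ == "__main__":
    node = Validator(lag_s=300)
    tok = issue("vm-42", now=0, lifetime_s=3600)
    node.revoke(tok, at=1000)
    print("100 s after revocation:", node.validate(tok, 1100))   # still "ok": the gap on the slide
    print("300 s after revocation:", node.validate(tok, 1300))   # "revoked"
    print("worst-case exposure with 2 min tokens:", max_exposure_s(120, 300), "s")
```

The design point is that the revocation list alone cannot close the window; only a short `lifetime_s` (with refresh) puts a hard bound on how long a de-provisioned credential keeps working.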

Remote Access To Management Interface

  • Allows vulnerabilities in end-point machines to compromise the cloud infrastructure (single customer or CP) through, for example, weak authentication of responses and requests.

Hypervisor

  • Exploiting the hypervisor potentially means exploiting every VM!
  • Guest to host escape
  • VM hopping
  • Virtual machine-based rootkits

Lack of Resource Isolation

  • Side channel attacks
  • Shared storage
  • Insecure APIs
  • Lack of tools to enforce resource utilization

Lack of Reputation Isolation

  • Activities from one customer impact the reputation of another customer
  • And can impact the reputation of the CP

Communication Encryption

  • Reading data in transit via MITM attacks
  • Poor authentication
  • Acceptance of self-signed certificates
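The three bullets above come down to client-side TLS settings. The snippet below is an added example for this page, not code from the slides: it builds a hardened Python `ssl` client context next to the weak one that accepts any certificate, audits a context for those settings, and flags a self-signed leaf certificate from the dict shape `SSLSocket.getpeercert()` returns. The certificate dicts are constructed.

```python
import ssl
from typing import Any, Dict, List, Optional


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server chain and hostname and refuses legacy TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system trust store when ca_file is None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration the slide describes: any certificate, self-signed included, is
    accepted, so whoever sits on the path can terminate the connection with their own cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weak settings found; an empty list means the context passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS below 1.2 allowed")
    return problems


def is_self_signed(cert: Dict[str, Any]) -> bool:
    """True when issuer equals subject, on the dict shape of SSLSocket.getpeercert().
    A trusted root CA is also self-signed, so apply this to the leaf a server presents."""
    return bool(cert) and cert.get("subject") == cert.get("issuer")


# Constructed peer-certificate dicts in getpeercert() shape (all values made up).
SELF_SIGNED_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "api.cloud.example"),),),
    "issuer": ((("commonName", "api.cloud.example"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
CA_ISSUED_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "api.cloud.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example CA R1"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
    print("self-signed leaf?", is_self_signed(SELF_SIGNED_CERT), is_self_signed(CA_ISSUED_CERT))
```

`audit_context` is the check worth wiring into code review or a startup self-test: a context that reaches production with `CERT_NONE` is exactly the "poor authentication" on this slide, and it fails silently because the connection still encrypts.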

Weak or No Encryption

  • Data in transit
  • Data held in archives and databases
  • Un-mounted virtual machine images
  • Forensic images and data, sensitive logs and other data at rest puts customer data at risk

Unable to Process Data in Encrypted Form

  • Encrypting data at rest is easy, but implementing homomorphic encryption is not -- there is little prospect of any commercial system being able to maintain data encryption during processing.
  • Bruce Schneier estimates that performing a web search with encrypted keywords would increase the computing time required by a factor of about a trillion.

Poor Encryption Key Management

  • Hardware security modules (HSM) required in multiple locations
  • Key management interfaces which are accessible via the public Internet
  • The rapid scaling of certificate authorities issuing key pairs to new virtual machines
  • Revocation of keys for decommissioned virtual machines

Low Entropy for Random Number Generation

  • The combination of standard system images, virtualization technologies and a lack of input devices means that virtual systems have far less entropy available to their random number generators than physical machines do!
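The practical consequence is that a key derived from whatever a freshly cloned VM can observe at first boot is the same key on every clone. The example below is added for this page and is not from the slides: it models that boot state as a constructed seed (template id plus boot counter), measures the entropy of the resulting keys across a fleet of clones, and contrasts it with keys drawn from the OS CSPRNG. The `/proc` reader at the end is the Linux-specific check a defender can run on a guest; it returns `None` elsewhere.

```python
import hashlib
import math
import random
import secrets
from collections import Counter
from typing import Callable, Iterable, Optional


def shannon_entropy_bits(samples: Iterable[int]) -> float:
    """Plug-in Shannon entropy (bits per symbol) of an observed sample."""
    counts = Counter(samples)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def boot_state_seed(image_id: str, boot_count: int) -> bytes:
    """Constructed model of what a cloned VM with no input devices can 'see' at first boot:
    the same template and the same boot counter as every other clone of that template."""
    return hashlib.sha256(f"{image_id}:{boot_count}".encode()).digest()


def key_from_boot_state(image_id: str, nbytes: int = 16) -> bytes:
    """The failure mode: a PRNG seeded only from predictable boot state."""
    rng = random.Random(boot_state_seed(image_id, boot_count=1))
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def key_from_os_csprng(nbytes: int = 16) -> bytes:
    """The fix: ask the OS CSPRNG. On Linux, Python's os.urandom uses getrandom(), which
    waits until the kernel pool is initialised instead of handing out early-boot output."""
    return secrets.token_bytes(nbytes)


def fleet_first_byte_entropy(keygen: Callable[[], bytes], fleet_size: int) -> float:
    """Generate one key per 'clone' and measure the entropy of the first key byte across them."""
    return shannon_entropy_bits(keygen()[0] for _ in range(fleet_size))


def read_entropy_avail(path: str = "/proc/sys/kernel/random/entropy_avail") -> Optional[int]:
    """Kernel entropy estimate on a Linux guest; None when the file is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    template = "constructed-template-v1"
    print("boot-state keys, 500 clones:",
          fleet_first_byte_entropy(lambda: key_from_boot_state(template), 500), "bits")   # 0.0
    print("OS CSPRNG keys, 500 clones:",
          round(fleet_first_byte_entropy(key_from_os_csprng, 500), 2), "bits")            # ~7.5
    print("entropy_avail:", read_entropy_avail())
```

Two operational notes follow from this: generate host keys and secrets at first boot rather than baking them into the template, and give guests a hardware entropy source (virtio-rng or equivalent) so the kernel pool initialises quickly.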

Inaccurate Modeling of Resource Usage

  • Overbooking or over-provisioning
  • Failure of resource allocation algorithms due to extraordinary events (e.g., outlying news events for content delivery).
  • Failure of resource allocation algorithms using job or packet classification because resources are poorly classified.
  • Failures in overall resource provisioning (as opposed to temporary overloads)

No Control of Vulnerability Assessment Process

  • Restrictions on port scanning and vulnerability testing are an important vulnerability in their own right; combined with an acceptable use policy (AUP) that places responsibility on the customer for securing elements of the infrastructure, they become a serious security problem.

Internal (Cloud) Network Probing

  • Cloud customers can perform port scans and other tests on other customers within the internal network.

Co-residence Checks

  • Side-channel attacks exploiting a lack of resource isolation allow attackers to determine which resources are shared by which customers.

Media Sanitization

  • Shared tenancy of physical storage resources means that sensitive data may leak because data destruction policies may be impossible to implement
  • Media cannot be physically destroyed because a disk is still being used by another tenant
  • Customer storage cannot be located or tracked as it moves through the cloud

Service Level Agreement (SLA)

  • Clauses with conflicting promises to different stakeholders
  • Clauses may also be in conflict with promises made by other clauses or clauses from other providers.

Inadequate Resource Provisioning and Investments in Infrastructure

  • Infrastructure investments take time. If predictive models fail, the cloud provider service can fail for a long period.

No Policies for Resource Capping

  • If there is not a flexible and configurable way for the customer and/or the cloud provider to set limits on resources, this can be problematic when resource use is unpredictable.

Storage of Data in Multiple Jurisdictions

  • Mirroring data for delivery by edge networks and redundant storage without real-time information available to the customer of where data is stored.

Lack of Information on Jurisdictions

  • Data may be stored and/or processed in high risk jurisdictions where it is vulnerable to confiscation by forced entry.

Lack of Cloud Security Awareness

  • Cloud customers and providers are not aware of the risks they could face when migrating into the cloud, particularly those risks generated by cloud-specific threats, e.g. loss of control, vendor lock-in, exhausted CP resources, etc.

Lack of Vetting Processes

  • Since there may be very high privilege roles within cloud providers, due to the scale involved, the lack or inadequate vetting of the risk profile of staff with such roles is an important vulnerability.

Unclear Roles and Responsibilities

  • Inadequate definition of roles and responsibilities in the cloud provider organization.

Poor Enforcement of Role Definitions

  • Within the cloud provider, a failure to segregate roles may lead to excessively privileged roles which can make extremely large systems vulnerable.

Inadequate Physical Security Procedures

  • Lack of physical perimeter controls (smart card authentication at entry);
  • Lack of electromagnetic shielding for critical assets vulnerable to eavesdropping.

Mismanagement

  • System or OS vulnerabilities
  • Untrusted software
  • Lack of - or a poor and untested - business continuity and disaster recovery plan
  • Lack of - or incomplete or inaccurate - asset inventory
  • Lack of - or poor or inadequate - asset classification
  • Unclear asset ownership

Poor Identification of Project Requirements

  • Lack of consideration of security and legal compliance requirements
  • No systems and applications user involvement
  • Unclear or inadequate business requirements.

Application Vulnerabilities and Poor Patch Management

  • Bugs in the application code
  • Conflicting patching procedures between provider and customer
  • Application of untested patches
  • Vulnerabilities in browsers
  • Dormant virtual machines
  • Outdated virtual machine templates

Additional Vulnerabilities

  • Resource consumption vulnerabilities
  • Breach of NDA by provider
  • Liability from data loss (CP)
  • Lack of policy or poor procedures for logs collection and retention
  • Inadequate or misconfigured filtering resources

Thank You