
Amplified Cloud Security Problems

3.4 Cloud Computing Security Issues

3.4.2 Amplified Cloud Security Problems

Amplified cloud security problems (amplified CSP) originate mainly from the underlying technologies upon which cloud computing is substantially built, such as virtualization technology, web applications and multi-tenant software architectures. Furthermore, problems originating in well-known and commonly established security best practices that are difficult or impossible to implement in a cloud computing environment are also classified as amplified CSP. The following amplified CSP have been identified:

A1. Misuse of administrator rights / malicious insiders

Misuse of administrator rights is a severe problem already known in traditional IT. In a recent survey [104] among 300 IT professionals, 26% admitted that at least one staff member has abused a privileged login to access information. In cloud computing this threat is amplified. Virtual machines are mostly provided as managed root servers. The cloud provider is responsible for the underlying host system and has access to the VMs running on the host through the hypervisor. Misuse by malicious insiders is possible and hard to detect due to a general lack of transparency into provider process and procedure. This affects the following core principles of information security: confidentiality, authenticity, authorisation, integrity, data protection, accountability and non-repudiation.

A2. Missing transparency of applied security measures

In traditional IT outsourcing, this risk is mitigated by well-defined regulation: the customer (IT housing) or the provider (IT outsourcing) is responsible for the application of security measures. They must be communicated to the customer. Providers can prove their compliance with baseline security measures with ISO 27001 or PCI DSS certificates. In cloud computing there is a lack of transparency regarding the security measures and processes applied by the provider. The underlying hardware infrastructure gets masqueraded to protect it from attacks. Cloud customers currently need to trust that the provider is compliant with current security standards. Amazon Web Services announced in December 2010 that the AWS data center, infrastructure and services are compliant with ISO 27001 and PCI DSS Level 1 [105]. However, to date no agreed standard criteria for running a secure cloud infrastructure exist. This affects the following core principles of information security: integrity, availability and data protection.

A3. Missing transparency with security incidents

Since computing systems are completely owned by the customer in IT housing, the customer is responsible for securing all evidence in case of a security incident. In IT outsourcing this responsibility is transferred to the service provider, which employs skilled personnel, e.g. its own Computer Emergency Response Team (CERT). In cloud computing, customer and provider need to work together to collect all information about a security incident. Problems with hardware must be mapped to the different customer cloud resources in order to react to incidents and initiate correct problem management. But a standardized procedure is currently missing. Current cloud offers available in the market do not give customers a transparent process describing how security incidents are detected, which efforts the provider takes to mitigate them and how the provider supports its customer during the investigation phase. This is an increased risk in cloud computing. This affects the following core principles of information security: data protection, integrity, availability and non-repudiation.

A4. Shared technology issues


| Year | Name | Description |
|------|------|-------------|
| 2007 | vmftp [106] | Directory traversal vulnerability in VMware tools |
| 2009 | XEN Ownage Trilogy [107] | Exploiting drivers using DMA |
| 2009 | VMware Cloudburst [108] | Abuse of a lack of access control in a VMware 3D graphics driver |
| 2011 | KVM Virtunoid [109] | Dangling pointers due to a bug in the hardware emulation layer |
| 2012 | VMware VMSA-2012-0009 [110] | a) Bug in the Backdoor API (for communication between VMware tools and host) channel between VM and host; b) Bug in the SCSI device registration (no further details available, potentially bug in hardware emulation layer); c) Buffer overflow in floppy driver (no further details available, potentially bug in hardware emulation layer) |
| 2012 | VMDK Has Left The Building [111] | Design flaw in the VMware ESXi hard disk handling |
| 2012 | XEN Sysret [112] | Para virtualization API design flaw |

Table 3.2: Overview of Hypervisor outbreaks [15]

as well the problem of misconfigured VMs that endangers other resources. In IT housing this threat only applies for misconfiguration of security parameters and is limited to one corresponding customer. In IT outsourcing the provider is fully responsible to configure running services securely. In cloud computing this is caused by the use of virtualization. Table 3.2 shows security incidents based on hypervisor outbreaks to illustrate the increased risk for cloud computing. The main problem is the lack of isolation, which for cloud computing can be categorised into:

• VM isolation: If one customer runs an improperly configured VM in the cloud, this also endangers other VMs running on this specific host. An attacker could use a VM as an entry point to get access to the host machine through a hypervisor flaw and gain inappropriate levels of control or influence on the underlying platform. Exploits seem rare but have already been demonstrated by Kortchinsky [108] and Rutkowska [113]. Although few successful attacks have been published so far, increasing code complexity in hypervisor software amplifies this threat.

infrastructure, e.g. GPUs or CPU caches were not designed to offer strong isolation properties for a multi-tenant architecture [26]. These resources need to be quickly allocated and de-allocated to fulfil a current demand. Well-established measures for secure data wiping might not be applicable. So far no cloud provider discloses information on how shared resources get securely wiped before being reassigned to a different customer. Furthermore, the default root access to a VM in current IaaS offerings enlarges the attack vector for breaking through the isolation of shared resources. Certified Common Criteria compliant hypervisor software (minimum EAL 4) could mitigate this threat [88].

• I/O isolation: If there are problems with the virtual network (bridge software), an attacker can sniff traffic.

Another security risk comes from the usage of pre-provided virtual machine images. The number of administrators of a traditional data centre is limited and they all work under the same company security policy while installing and maintaining machines. This can be completely different in a cloud infrastructure. Public marketplaces for exchanging cloud appliances, such as the OpenNebula Marketplace [114], the Amazon Web Services EC2 Management Console or the Amazon Web Services Marketplace [115], provide cloud customers with an easy and efficient way of finding the right virtual machine image. But they also allow users to be administrators of their virtual machines, or to upload and share their custom-made VM images with other users. Although cloud providers provide security guidelines [116] on how to prepare an image before releasing it to a marketplace, current research by Balduzzi [91], Bugiel [117] and Meer [118] shows that marketplace images are highly insecure due to old software versions or “forgotten” or restorable security credentials, such as SSH private keys. Users uploading appliances are usually more or less anonymous. There is no way to easily determine whether a custom appliance is legitimate or maliciously manipulated.


Images could contain rootkits, which perform passive eavesdropping attacks such as traffic analysis, keylogging or transmission of user’s data to external systems for industrial spying [91].

This affects the following core principles of information security: integrity, availability, data protection, confidentiality, authentication and non-repudiation.
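The "forgotten" credentials problem described above for marketplace images can be checked before an image is published. The following is an added example, not code from this work or from the cited provider guidelines: it walks a mounted or unpacked image tree and reports private key material, populated `authorized_keys` files and shell history. The function names, the list of checked file names and the sample tree are assumptions made for illustration, and the check only sees files that still exist, so it does not cover credentials that are restorable from free disk space.

```python
import os
import re
import tempfile

# PEM / OpenSSH private key header, searched in the first 4 KiB of each file.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# Files that should be empty or absent in an image prepared for sharing.
LEFTOVER_NAMES = {"authorized_keys": "authorized_keys entry left in image",
                  ".bash_history": "shell history left in image"}

def audit_image_root(root):
    """Walk a mounted or unpacked image tree; return sorted (path, issue) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks (may point outside root) and special files
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                findings.append((rel, "unreadable, inspect manually"))
                continue
            if PRIVATE_KEY_RE.search(head):
                findings.append((rel, "private key material"))
            elif name in LEFTOVER_NAMES and head.strip():
                findings.append((rel, LEFTOVER_NAMES[name]))
    return sorted(findings)

def audit_sample():
    """Build a constructed sample tree (not a real image) and audit it."""
    sample = {
        "home/admin/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
        "home/admin/.ssh/authorized_keys": b"ssh-ed25519 CONSTRUCTED publisher@build\n",
        "root/.bash_history": b"",  # already cleaned, must not be reported
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_image_root(root)

if __name__ == "__main__":
    print("\n".join(f"{rel}: {issue}" for rel, issue in audit_sample()))
```

A non-empty result means the image still carries credentials of its publisher and should not be released in that state.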

A5. Data life cycle in case of provider switch or termination

This threat does not exist in IT housing since data and computing resources remain the property of the customer if he changes the housing provider. In IT outsourcing service level agreements control how data is transferred to a customer or how storage devices need to be securely wiped or disposed of. In cloud computing this threat is increased due to shared usage of resources. Customers need to define special rules for end of contract scenarios regulating how data gets exported from the cloud and how a provider has to securely erase customer’s data [26]. This affects the following core principles of information security: data protection and confidentiality.

A6. Monitoring of Service Level Agreements

IT housing and IT outsourcing can easily log events per user. In a cloud, several multi-tenant applications running in a virtualized environment need special tools to monitor Service Level Agreements. New tools for hypervisor monitoring, virtualized networking monitoring, etc. must be available. This affects the following core principles of information security: availability and integrity.