A Viewpoint on Cloud Computing Security Issues

Academic year: 2021

What I Have Learned About Cloud in the Last 6 Years

Prof. Michael E. Locasto

Department of Computer Science

(2)

About Me

The College of New Jersey, BSc

Columbia University, MSc, PhD (2007)

Postdoc at Dartmouth College (NH, 2008)

Research Prof at George Mason University (VA, 2008-2010)

Assistant Professor, University of Calgary (2010-now)

“The Trustworthy Systems Group (TSG) is engaged in experimental computer science research that investigates cross-layer methods of creating efficient, trustworthy computer systems. We seek to understand why it seems difficult to build trustworthy systems and how we can get better at it.”

(3)

Trustworthy Systems Group

(4)

Agenda

Learning Objectives

→ Takeaway Message: Five Things I Think I Know About Cloud

→ My answer to “what is cloud?”

→ Share some of my experiences and observations about cloud from the past six years in various projects (COMTOR, ISPIA Private Cloud, Using AWS in the Classroom).

→ Understand some of the potential limitations of cloud, especially with respect to security and assurance

→ If time, a brief overview of Amazon’s AWS Console

(5)

Five Things I Think I Learned About Cloud

(1) Cloud is not a single working environment, but rather the culmination and intersection of years of technology development promise

(2) Customers have outrun the vendor hype cycle.

(3) Few organizations offer customized cloud incident response.

(4) A successful cloud requires people.

(5) Cloud offers a low barrier to entry for deploying software.

(6)

A Beginning: 2007 USENIX ATC Talk By Werner Vogels

The point here is how impressed I was with his anecdote: scalable computing led directly to scalable business.

(7)

What is Cloud?

The answer depends on who you talk to: cloud vendor (IBM), cloud software vendor (VMware), cloud provider (Google, Amazon), cloud customer (?).

(8)

IBM Definition

“It’s a new MIS consumption and delivery model to drive business value.”

(9)

NIST Definition

(1) Resource Pooling — servers, storage, network, applications and devices

(2) Rapid Elasticity — dynamic infrastructure

(3) Ubiquitous Network Access — anytime, place

(4) Self-Service — user enabled services catalog

(5) Measured Service — “pay as you go” model

(10)

What is Cloud?

In terms of maturing technology...

This is how I choose to understand cloud:

You’ve heard these terms before:

B2B

“The Network is the Computer”

RPC, Java RMI

Web services

Service Discovery protocols and naming (UDDI)

N-tiered web applications

Essentially the fulfillment of on-demand computing resources enabled by maturing capabilities in networking, storage, processing, software engineering, and virtualization.

(11)

What is the Promise of Cloud?

This is really cool...

The ultimate promise of cloud as a computing services delivery model is:

Business process as a Service (BPaaS): the nimble, agile outsourced contractor, supplier, client, or partner who is cheap, efficient, always there, on demand, reliable, and scalable

This promise is not 100% complete: cloud is often thought of as a utility (e.g., water, gas, electricity) but it is not.

(12)

The TCNJ COMTOR Project

A Success Story

http://cloud.comtor.org

Educational tool for helping students improve their technical documentation skills.

Original LAMP-stack software web app took 3 years with varying amounts and quality of undergraduate labor to build.

Move to a cloud version, from scratch initiation to completion: ?

(13)

Move to a cloud version, from scratch initiation to completion: 3 weeks.

(14)

ISPIA Private Cloud

IBM Cloudburst

The Institute for Security, Privacy, and Information Assurance is near the tail end of a 2 year RFP, purchase, and shakedown process for buying a locally-hosted private cloud infrastructure. Multiple meetings with 4 potential vendors.

Intended as a research instrument. But nothing is easy... The lesson? Cloud needs people. Those people need expertise.

(15)

My Reactions to a Google Talk About Cloud Security

(16)

Outsourcing Cloud Security Does Not Work

IEEE Security & Privacy Magazine Article

(17)

Cloud is one size fits all

However, as a result, cloud providers are increasingly saddled with the responsibility to deal with, mask, and recover from faults and failures. This is ultimately an uncomfortable position, particularly because they aren’t in the business of specializing an intrusion response to a particular customer or network environment. Rather, their business is predicated on the assumption that providing cloud services to a variety of organizations is essentially a one-size-fits-all framework.

(18)

Challenges for Cloud

From a security and assurance perspective

Although the upfront costs of offloading services to the cloud are stunningly attractive, they ignore the very real costs associated with a cloud computing environment’s failure modes, such as:

(1) increased time to solve simple problems, for example, why an email is bouncing;

(2) wasted time as employees sit around doing nothing while a cloud provider works on an issue;

(3) cost of downtime if the organization is in the middle of fundraising or other critical activity;

(4) cost of identifying and notifying customers whose information might have been compromised; and

(5) cost of not being able to hold an employee accountable because the job is outsourced.

(19)

Controlling Cloud Failure Modes

Ultimately, we can only trust (that is, rationally consider trustworthy) systems whose failure modes we can understand. With such understanding, we can respond to failures even if we cannot predict their exact form or control them as they happen.

(20)

Predictions

We predict that a fundamental challenge that cloud computing will face in the next few years, after significant migration of industry, government, and academic institutions to the cloud, is pushback from clients as they attempt to regain some measure of control over parts of their outsourced infrastructure. Significant pressure exists to let institutions break through the abstractions that make the cloud so alluring.

(21)

Other Cloud Security Challenges Going Forward

(a) http://cloudlaw.ca/agenda/

(b) Data locality

(c) Enforcing SLA provisions

(d) Computing on encrypted data

(e) Better hypervisors

(22)

AWS Console Overview

(23)

AWS Bill

(24)

Key Takeaway Message

This also is related to “Data Liberation”

When you adopt cloud, you are exporting a workflow – not data! (well, data too, but that’s not the important thing)

The important thing is the dependencies your employees or contractors will naturally form on these existing outsourced workflows: their work practices and expectations will form dependencies on cloud services. There will thus be a transition cost away from a particular provider or cloud in general.

(25)

Time for Questions

email: [email protected]

Twitter: @mlocasto

Blog: mlocasto.blogspot.com

Research Group: Trustworthy Systems Group http://tsg.cpsc.ucalgary.ca/

(26)

Additional Slides

(27)

Reminder: Saltzer and Schroeder

These are venerable security design principles

Economy of mechanism (complexity kills)

Fail-safe defaults (fail closed, not fail open)

Complete mediation (identify all control/entry/measurement points)

Open Design (no security through obscurity)

Separation of privilege (map functionality to a disjoint set of roles)

Least privilege (what power do you need for Task T?)

Least-common mechanism (minimize “size” of TCB in terms of common surface/shared surface)

Psychological acceptability (usable security, intuitive, people-centric model)
