The Elephant in the Cloud
In my experience, I’ve seen organizational leaders approach cloud computing from three different angles best summarized by the following questions: A. How can I help my customers take advantage of cloud computing? B. How can I deliver a better product/service using cloud computing? C. How can I help cloud service providers deliver optimal service? Regardless of their approach, anyone considering cloud solutions quickly encounters the proverbial elephant in the room: Security. Therefore, their second question almost always is, “How can we adopt cloud technology in a secure manner?” At Core Security, we believe that security testing and measurement plays a crucial role in addressing the cloud security issue – regardless of your organization’s industry or role in the cloud computing world.
Converting Unknowns in Knowns
Cloud computing security concerns typically stem from three major factors:
- The sharing of computing resources with undisclosed third parties.
- The black-box nature of the computing environment. For instance, cloud providers often make specific computing resources available (e.g., a virtual server, a certain amount of storage space, etc.), but by necessity have to abstract the rest of the environment from the customer (e.g., network infrastructure, interconnections, etc.).
- The implications of including the cloud provider as a third party in many business processes that previously never involved a third party.
Put simply, cloud computing challenges the IT security status-quo because it introduces significant unknowns: your neighbors are unknown; larger parts of your computing environment are unknown; and the cloud provider’s effect on your business processes is unknown. So how do you convert the unknowns into “knowns”? One approach might rely on gathering information and accounting for liabilities at the outset of a cloud initiative. For instance, you might:
- Force your cloud provider to disclose the customers with whom you are sharing resources.
- Require them to more extensively document their environment.
- Require them to have insurance to cover liabilities introduced by the service.
In addition to probably requiring the vendor to skirt their policies, such an approach is unlikely to scale. What’s more, the resulting expenses required of the cloud provider would likely be passed on and therefore negate most, if not all, of the cost benefits resulting from using the cloud solution. If your background is engineering, you might compare this approach to figuring out the tensile strength of a stainless steel by determining the strength of the molecular bonds between the various atoms that constitute it. At Core Security, we believe a more effective approach to converting unknowns into knowns is through security testing and measurement. Just as the tensile strength of steel is more accurately understood by conducting a series of tests applying stress to the material and measuring the strain or deformation, the security of a cloud computing resource is best understood by testing and measuring its resiliency to attacks. Thus, security testing and measurement should be a critical component of any cloud service evaluation strategy.
Putting Security Testing and Measurement in the Cloud
A cloud-based security testing and measurement solution can provide significant benefits over a non-cloud based solution. First, cloud computing is a natural home for services used periodically or occasionally because you pay only for what you use. For these types of services, paying as you go vs. acquiring an in-house solution can be the more cost-effective approach. As such, customers who only use cloud services periodically may only need to conduct security tests periodically. In these instances, putting security testing itself into the cloud makes sense as well. Second, cloud-based security testing and measurement can leverage the collective experience and expertise of the user community, yielding a substantial multiplier effect. Security testing and measurement today is a human-intensive and skilled art. A properly designed security testing and measurement solution will include a large community component – where shared experiences and expertise benefits the user community as a whole. For instance, in the retail world, cloud-based retailers routinely provide product reviews on even the most inexpensive items (e.g., a generic, 50-cent watch battery) based on the collective opinion of consumers. The experience on each consumer therefore benefits the other consumers. Finally, certain elements of security testing – testing the strength of passwords, for example – are computing intensive. Other elements of security testing – such as correlating the results of thousands of individual tests to understand large scale trends in risk posture – are both computing and storage intensive. Such functionality can most efficiently be provided by implementing a solution using shared cloud resources. Security testing and measurement solutions can benefit immensely from the computing, storage and community resources of a cloud technology stack.
How Cloud Service Providers Can Benefit from Security Testing and Measurement
In addition to the obvious benefit overcoming a common sales objection, cloud providers themselves have interesting and unique needs for testing the security of their own infrastructures. Many benefits of cloud infrastructures come from managing IT resources much more efficiently than is otherwise possible for ordinary enterprises. For instance, virtual machines can be powered up and down, and relocated to different servers based on load and available capacity; storage is reorganized to secondary and tertiary storage depending on access patterns; etc. However, the implication of this constantly changing environment for security testing is that conducting a point-in-time assessment of security and risk posture of the environment is no longer sufficient. To effectively stay ahead of threats, cloud providers should implement a continuous security testing and measurement exercise. Cloud service providers will also have to conduct security testing and measurement from additional vantage points. For example, a person with administrative privileges at the cloud service provider will have different rights than a person with administrative privileges at the user of the cloud service. This means attacks are possible from previously non-existent vantage points. An admin at a cloud service provider should be able to gain access to a customer’s sensitive data, whereas an admin at a customer should not be able to breach the boundaries of his cloud resources and compromise the integrity of either another customer or of the cloud provider itself. Security testing and measurement solutions will have to provide a solution to test scenarios such as these, which are unique to cloud service providers. Increased dynamism of IT infrastructure and additional segregation of duties are two reasons why cloud service providers will need a specialized security testing and measurement solution.
Compliance Implications for the Cloud
There currently seems to be a lack of clarity on how security regulations like PCI-DSS and FISMA should be applied to the use of cloud services. While Core Security anticipates that regulatory frameworks will eventually be updated to incorporate the use of cloud services, we believe that the current security testing and audit regimes in use for in-house IT need to be extended directly to include any cloud services that are used. Indeed, we believe that cloud services have high potential to drive down compliance costs. For instance, one can imagine a cloud-based payment processing solution that the service provider ensures is PCI compliant; thus amortizing the cost of PCI compliance across all users of the billing service.
Next Steps for Assessing and Verifying the Security of Cloud Deployments
If you’re trying to solve the cloud security problem for your organization, I’d suggest taking the following steps:
- Know what defenses and protections your cloud provider has put in place. Verify the overall security of your cloud provider’s infrastructure and ask questions. Has it been penetration tested? Will your provider make those test results available to you? What steps are being taken to close identified exposures, and did they re-test to verify that the weaknesses were addressed? Do you have the right to audit the test results?
- Test your cloud instances in the same way that you would test your on-premise infrastructure. First ensure that your cloud provider’s agreement allows you to test your own deployments. Use best-practice test techniques and tools to identify whether your most critical information can be compromised.
- Specifically identify security intelligence that you want benchmarked and measured for your organization’s deployments. You can create risk benchmarks and thresholds through regular or automated testing regimes. Measure and report this intelligence throughout your organization so that management can balance the benefits of cloud deployments against identified risks.