Security Risks to Consider When Adopting Cloud Services

Cloud risks stem from three characteristics: agility (rapidly-changing environments make consistent controls hard), sharing (compromise to one component affects neighbors), and outsourcing (loss of control). Critical tasks fall through cracks when responsibility isn't explicitly assigned between provider and customer.

Security professionals are rightly concerned about their organizations starting to embrace cloud-based services even for applications that process sensitive and regulated data. Yet, cloud computing is a reality of today’s business and IT climate. Coming to terms with paradigm starts by understanding the terminology and key cloud frameworks and continues by considering the risks associated with such services. Once organizations delineate the risks worth worrying about, they can determine how to handle them.

Build Upon Your Existing Approaches to Risk

Don’t start from scratch when dealing with Governance, Risk and Compliance (GRC) issues of cloud computing. You might have already established approaches for reviewing logs, formalizing third-party vendor commitments, performing change management, and defined other controls that apply to IT infrastructure and applications regardless of how they are deployed. Build upon the tools, processes and people your organization has come to rely upon.

Risks Introduced by Key Cloud Characteristics

The risks particularly relevant to cloud services are those associated with the following characteristics of the cloud:

• Agile: The agile nature of cloud services allows a cloud-based environment to change quickly. As the result, organizations might deploy systems and applications within minutes. Moreover, the virtualized systems across physical host, network and data center boundaries, making it hard to track where they are and how they are secured. Consistently enforcing security controls is hard in a rapidly-changing environment.
• Shared: Most cloud services involve sharing of hardware or software resources, such as using a single physical server for multiple virtual machines, or using a single database for multiple applications. Such sharing provides cost benefits, but introduces the possibility that a compromise to one component of the environment will affect its “neighbors.”
• Outsourced: Many cloud service models involve outsourcing aspects of infrastructure or application management. While outsourcing isn’t a new concept to IT, it can act as a dangerous ingredient in combination with agile and shared to create a combustible mixture. The biggest fear of an outsourced hosting arrangement is usually the loss of control.

Concerns Over the Hypervisor

Discussions of cloud risks often highlight the possibility that the hypervisor, which handles virtualization of cloud IT resources, can be exploited. For instance:

• There have been vulnerabilities in virtualization software that under the right circumstances would allow an “escape” from one virtual machine onto another. Similarly, a vulnerability could allow the exploit to gain control over the hypervisor itself. (Gartner’s Neil MacDonald published a few notes on the topic: 1, 2; virtualization vendors, such as VMware continue to fix know vulnerabilities of this nature.)
• It may be theoretically possible to to infer information about one virtual machine by observing the state of the shared system from another aspect of the underlying system and could even lead to code execution. Such attacks could measure the time latency in CPU or disk activities, for example. (For instance, George Hotz’ exploit of the Playstation 3 hypervisor incorporated a timing element.)
• The cloud service provider might incorrectly configure the hypervisor and the associated tools, introducing a vulnerability into the environment. For example, the provider might allow different virtual machines to share system resources or might inadvertently open the hypervisor management interface to the public.

Who Is Responsible For What?

Organizations that use an external/outsourced form of cloud services usually retain some security and regulatory responsibilities. Critical security and GRC tasks might not get done, because each party will assume that the other needs is responsible for them. This is because organizations often fail to define which obligations fall upon the cloud provider and which will be handled by the customer. For instance:

• Who will approve security patches prior to installation? How will they be tested?
• Who will certify user accounts on the relevant systems or applications?
• Who will collect security logs? Who will review security logs and investigate relevant events?
• Who will perform regular security assessments? What will be the scope of such testing?
• Who will interact with auditors and what form will such communications take?
• Who will define and enforce security standards on relevant aspects of IT infrastructure?
• Who will validate firewall rule changes prior to and post implementation?
• Who will define and enforce change management practices? What will this process be like?

Creating a roles-and-responsibilities matrix prior to executing the cloud services contract will help prevent critical tasks falling through the cracks.

Visibility into The Cloud

Cloud services are often presented as black boxes that function according to the specifications. Yet, the inner-workings of such services is often not visible to the user. This makes it hard to define, validate and enforce security and related IT controls. Third-party attestations can shed some light on security practices of the cloud provider. Moreover, cloud providers may allow customer to review some security logs and events that occur within the cloud.

More Perspectives on Cloud Risks

Here are pointers to the papers I found particularly useful when considering cloud-related security risks:

• Achieving Compliance in a Virtualized Environment (PDF) whitepaper by VMware, LogLogic, Tripwire and Savvis
• Top Threats to Cloud Computing by Cloud Security Alliance
• Cloud Computing Security Risk Assessment by ENISA
• Seven cloud-computing security risks by Gartner
• Patching the Cloud blog series by Chris Hoff