BlackHat 2009 Cloud Computing Track
August 2009, by Michael Hayes, CTO, B-4-U Inc.
The press and advertising have really stepped up interest in Cloud Computing. Consumers, enterprises and government agencies are all becoming interested in this phenomenon with its promise of technology and lower-cost services. The problem is:
What is Cloud Computing?
What are the real risks and threats?
To illustrate this point, BlackHat 2009 had a complete track on Cloud Computing this year that addressed some of the basic questions.
To have a meaningful discussion on Cloud Computing, we need to establish a baseline understanding of what it is. Generally it means the following: a service provider that provides
General purpose hosts (host server farms), “Platform as a Service”.
The ability to move applications from system to system and farm to farm, “Application as a Service”.
Centralized Management of the hosts and farms.
Distributed data storage independent of the hosts.
Low-touch provisioning system of applications and resources.
Soft failover and redundancy.
The ability to move and scale applications to customers’ needs.
Well-known providers include google.com, salesforce.com, IBM and CSC, plus a host of companies that have joined the ranks of cloud providers.
The second key question is: “What are the real RISKS and THREATS?”
The good news is that if you are an SMB or a mid-sized corporation, there is a great chance that these Cloud Providers are a lot more proficient than you in networking, applications and security. Even for large enterprises and government departments and agencies, some of these service providers may be better. The difference is that they will design their Cloud Hosting Center to maximize their profit and reputation, not yours. The other key thing is that they will host their systems in the geographic location that is optimal for them, whether historically or from a cost and/or market perspective.
New attack surfaces are opened: virtualization introduces new risks, and cross-site scripting, network access, data access and encryption of data, both data at rest and data in motion, provide additional attack surfaces.
1. As one example, at DEFCON a user obtained a group of free-trial accounts (20 or so), used these to test the hardening of the VMware environment, and demonstrated multiple attack vectors within VMware.
2. Also at Black Hat, concerns were demonstrated around identity management and unauthorized access to clients' data.
3. Application vulnerabilities and SQL injection are old problems that are now part of the list.
4. Version control is invisible to the client; the service provider will update as they see appropriate, on their own time frame.
5. Patching and updating are old problems, but we will have no visibility or accountability as to what patch level has been deployed across all the different applications and OSs.
In fact all the issues a large data center needs to deal with are there, plus a greater diversity of applications, VMware and a larger number of groups “safely” behind the service provider's firewall.
Legal and Commercial risks
The major change is that even though our corporations own the data, and most Cloud Computing providers will acknowledge that (though some do not), you have no easy legal way to protect this data.
1. What if you need to prove compliance with PCI or EU data privacy laws?
2. What if your data moves offshore, 101 miles out, to a boat registered in Panama?
3. What if the Service Provider goes bankrupt (who owns your data)? Can you wait for the legal proceedings to finish?
4. What if your data is leaked; who pays for the notification?
5. What if your data is seized: different laws, different ways to seize, different corporate behaviors (with warrant or without), different notifications, different countries?
6. What are the Business Continuity processes and/or Disaster Recovery processes that need to be followed?
7. What are the security processes in place, and how are they maintained and updated?
With this in mind, CIOs, CSOs and CISOs need to prepare now, before their users create low-cost applications and collect data in the cloud in ways that simplify the users' lives but put the corporation at risk.
As we think about moving our data, intellectual property or other corporate gems to the cloud, we really need to:
1. Outline a corporate policy for this type of service use.
2. Determine the value of the data being used.
3. Determine if this is regulated information.
4. Do a risk analysis on the vendor (Financial, Security and Reputation) and the potential data exposure risk.
5. Understand Data Ownership within this specific Cloud Computing Service Provider.
6. Get the business owners' sign-off on risk and mitigation; they are accountable.
7. Ensure regulatory testing is permitted in writing, and review and test the Service Provider regularly.
Cloud Computing is even tougher than outsourcing: the legal protection of data, from a regulatory, security and privacy standpoint, is even harder to achieve. We as corporate executives really need to analyze the short-term and long-term impacts of jumping into “a” cloud, and understand that all clouds are not the same. Most Cloud Computing facilities have standard SLAs and EULAs, which clearly protect them and not us, and these environments have not been legally tested in Western Europe, North America or other areas of the globe.
Note: If the application software has not been re-written for this environment, run, don't walk, away from this service provider; they are not ready for the demands of cloud computing.