Cloud-based computing has increased in popularity over recent years, and the growth shows no sign of slowing. Although the expression ‘cloud’ is sometimes used vaguely, it has been precisely defined by NIST Special Publication 800-145. The definition includes five essential characteristics, three service models, and four deployment models. All five essential characteristics must be present for a set-up to be considered as cloud computing. This definition is widely accepted, including by the CSSF in Luxembourg (Circular 17/654).
Introduction
Cloud-based computing has increased in popularity over recent years, and the growth shows no sign of slowing. Although the expression ‘cloud’ is sometimes used vaguely, it has been precisely defined by NIST Special Publication 800-145. The definition includes five essential characteristics, three service models, and four deployment models. All five essential characteristics must be present for a set-up to be considered as cloud computing. This definition is widely accepted, including by the CSSF in Luxembourg (Circular 17/654).
A quick look at the essential characteristics helps to explain the business reasons driving the growth:
- On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
The benefits to business include:
- Lower costs of ownership, no depreciation
- Pay as you go
- Resilience
- Scalability
- Elasticity
- Reduced physical infrastructure management
Essentially, cloud-based computing allows businesses to offer more effective customer services, at a lower cost than traditional IT.
Governance
One key priority, before even engaging a cloud-based service, is to be clear about who will be responsible for what. Which aspects of security will be managed by the cloud service provider (CSP) and which will have to be done by the client? Essentially, the customer has more control, and more responsibility, with an IaaS model, and these decrease, moving to the CSP, as you move to PaaS, and SaaS.
Usually, a CSP’s offer is based on standard terms and conditions for their services, with little scope for customization. This means that businesses need to think about their security requirements before agreeing a contract, to ensure that the requirements can be met. Trying to adapt a contract afterwards is unlikely to work.
Spectre, Meltdown, and related vulnerabilities
The Cloud Security Alliance (CSA) regularly produces lists of the top threats affecting cloud-based computing, which we examine in the section below. But first, we consider one of the threats with particular relevance for the cloud, namely, the risks of shared technology, and vulnerabilities in the isolation and separation mechanisms. These are potentially very significant in cloud computing, because of resource pooling.
The Spectre and Meltdown vulnerabilities were first publicized in early 2018, and since then, several similar vulnerabilities, affecting various different vendors’ processors, have also been reported.
These vulnerabilities seek to exploit speculative execution within the processor. This is a technique which improves processor performance, by pre-computing and caching possible next steps in the thread, before they are actually needed, and then discarding the unused branches. The vulnerabilities exploit this discarding of cache contents, to leak memory contents through a side channel.
The potential consequences of such a failure in the isolation mechanism are very serious indeed: in principle data including passwords and encryption keys could be leaked.
Remediation of these vulnerabilities comes in two basic forms: patching – microcode and software – and hardware changes (which obviously take a longer time to become available).
The remediation has a negative impact on performance, meaning that the cost of maintaining a given performance level is likely to increase, but not so much as to make cloud computing unattractive.
As elsewhere, good security is a cost of doing business.
The Cloud Security Alliance: Treacherous 12 Top Threats 2016
Over recent years, the CSA has produced lists of the top threats affecting cloud computing. The importance of these threats is based on consultation within the industry, and analysis of specific breaches and incidents which have actually occurred. The most recent list was published in 2016, and is referred to as the “Treacherous Twelve.”
Cloud computing is, after all, still computing, with access rights, data, software, networks etc, so virtualized or not, it is hardly surprising that most of the threats look very familiar:
- Data Breaches
- Weak Identity, Credential and Access Management
- Insecure APIs
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Issues
There is a specific cloud flavour to number 10, which relates to potential abuses of the ‘on-demand’ scaling model, while number 12 involves the isolation and separation mechanisms discussed in the previous section.
The CSA recently published a “deep dive” analysis of some well-publicized cases, such as the ones involving LinkedIn, Yahoo, MongoDB, and others. The analysis shows that each incident resulted from one or more defective or inadequate controls, including a lack of management oversight, continued use of the compromised MD5 hashing algorithm, weak access control, and a failure to use salted password hashes.
The take-home point is that there is no need for a ‘magic bullet’ to fix any of these: just manage security properly, so that effective controls are in place. That means:
- identifying your most important assets;
- looking at how they can be accessed;
- performing a risk-analysis, to determine where your controls are missing, or ineffective;
- planning and executing improvements to fix these weaker controls.
Once these basic approaches are in place, a much more detailed level of security assurance can be attained by assessment against the Cloud Controls Matrix (also developed by the CSA).
