Cloud Security Evangelists May Have Heads Stuck In Clouds

Thursday, December 17, 2009

Cloud computing evangelists would have you believe that security in the cloud is relevant, when reality paints a far different picture. Security managers should know that “you can transfer risk but never responsibility.” Now add this statement to memory: “No cloud provider will give you the security you need.” Seriously. There can never be a cloud computing provider who can give you the kind of security protections that an in-house security team can, and the logic behind this statement is simple and factual: a cloud provider won’t lose as much as you would at the end of the day. Therefore the incentives to go “above and beyond” can never and will never exist. What will exist, however, is marketing.

Businesses differ from each other in all areas: the types of services offered, how those services are delivered, the costs to implement, the processes involved, the architecture, the applications, and the list grows significantly. Forget about the cloud for a moment, though, and imagine the following simple scenario: you rent an apartment at a complex with 100 apartments. As a resident, management has stated that “we use the latest ‘Super Uber Locks’ to ensure maximum security.” While it may have made sense for the complex’s architects to make a blanket choice to secure apartment doors, ask yourself: is your apartment more visible than another? Maybe it’s near the main entrance; maybe you’re a popular person in your town; maybe it’s on the first floor, where more people can see in.

There are always different approaches here. The question you should ask is: whose best interest is at stake in regards to securing my apartment? Your landlord’s or your own? Do not confuse the security of the complex with the security of the contents of your apartment. While the landlord may offer what they view as strong security protections, the landlord can never understand the value of anything in your home. Therefore he would not know that he should perhaps have installed window alarms in the second bedroom – after all, this is where YOU keep all your precious items.

Security needs should never be left to “template-like”, “all-inclusive” blanket policies. These broad blanket security protections are all that cloud providers can truly offer at the end of the day. Any security manager, CIO, CSO, CTO, CISO or high-level manager should understand the costs and complexities surrounding risk assessments. To believe that any cloud provider would spend money performing risk assessments on your behalf would be absurd.

Cloud computing providers can only cover so much ground when it comes to security, and what they will cover is often a baseline built on obsolete guidelines. Even if they could cover all the necessary bases, the virtualized environment itself would forever be at odds with forensics, so issues like e-discovery, privacy and a variety of other topics come to mind. When a machine is virtualized, its state changes rapidly, and the possibility of doing forensics is out of one’s hands, out of your company’s control and, in fact, even outside of the cloud provider’s control.

A cloud provider will not (repeat: will not) take dozens, if not hundreds, of other virtualized machines offline to make a forensic replica should the need arise. That could be disastrous for the provider, and it needs to be thought about by anyone looking to procure cloud-based services. I’d be astonished to see a cloud provider take a server offline or disconnect the host and server from a network connection for evidence preservation. What I do know is that most cloud providers will market you the statement “we can easily take your server offline; we make forensics easier.” But what if a virtualized host was responsible for an incident against another virtualized host? How does a cloud provider seriously propose to handle issues like chain of command and evidence preservation in a constantly changing environment, when doing so will affect dozens, potentially hundreds, of machines?

Do you think cloud providers are free from being compromised? Think again: “Amazon EC2 Used as Botnet Command and Control” [1]. From a cost perspective, it’s you versus n other customers on that virtualized server. If you think that a cloud provider won’t cut its ties to you rather than potentially lose n *other* customers, you may have your head stuck in the cloud. Literally.

It is an easy statement for me to make on this subject (forensics in the cloud); however, the writing is in plain sight. It’s just hidden away, tucked neatly under the fast-paced Flash video created to keep you entertained by “uber technology.”


“Jeff Barr, Amazon’s cloud evangelist, questioned in October 2008, was unable to answer probing questions regarding what vendors are doing to enable future investigations to proceed effectively. The initial thought is that CC vendors cannot ensure that data which could be used as evidence will be complete, retrievable or verifiable. Therefore, it is possible that evidential artefacts will be unreliable and incomplete.” [2]

“Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.” [3]

“Again – cloud companies can market to you the opinions of why they’re better – but in the end reality sinks in and they’re worse off for you than keeping things in house from a forensics point of view and an incident response point of view. If you need to act real-time how do you know that our cloud provider didn’t outsource to a rogue country which is attacking you?” [4]

“You’re kind of screwed because temp files and registry settings are virtualized and deleted when the program exits.” [5]

We will revisit this topic and create our own tag labeled CLOFOR (CLOud FORensics), but for now, as the Rolling Stones would say: “Hey you… Get off of my cloud.”

