
It All Depends

Editors: Lori M. Kaufman, lori.kaufman@ieee.org; Bruce Potter, bpotter@pontetec.com

Can Public-Cloud Security Meet Its Unique Challenges?

Lori M. Kaufman, BAE Systems

July/August 2010, IEEE Security & Privacy, 1540-7993/10/$26.00 © 2010 IEEE, copublished by the IEEE Computer and Reliability Societies

As cloud computing increases its presence in the public sector, more and more businesses are seeking cloud services (that is, software as a service, infrastructure as a service, and platform as a service [1]) to improve productivity and reduce costs.

Similarly, public-cloud providers are looking to maximize their revenues. To achieve the gains afforded through virtualization, such providers are colocating virtual machines (VMs) from disparate organizations on the same physical server. From a profit/loss perspective, this matching seems to provide a win-win scenario for both the user and the service provider. However, this operational profile introduces a new era of security concerns. As cloud computing expands rapidly, its security nuances are becoming more evident. In a recent Prism Microsystems survey, 58 percent of the respondents indicated that their biggest fear is that the hypervisor, a program allowing multiple OSs to share a single host, can and will create an entry point into multiple machines [2]. More than half the respondents also believe that virtualization will create a new layer that could be attacked and that the proliferation of virtualized environments will reduce security visibility. Even though the respondents acknowledged these concerns, 58 percent of them admitted that they're implementing traditional security solutions to provide virtual security. This mind-set is creating opportunities for attack.

This revelation, although not surprising, demonstrates the security challenges inherent in public-cloud computing and virtualization. Can both the user and provider communities adapt their security mind-set to contend with the unique vulnerabilities in the virtualized environment that traditional security solutions can't combat?

Traditional Information Security and Virtualization

Traditionally, data centers consist of large collections of server farms implementing perimeter-security measures including firewalls, demilitarized zones, intrusion-detection-and-prevention systems (IDS/IPS), and network-monitoring tools [3]. Administrative access typically is through a LAN (intranet) to limit external access. However, virtualization has provided the mechanism to shrink this configuration. A single server can now provide multitenant services; in a public-cloud environment, the concept of the network perimeter evaporates [4]. The fundamental reason for this loss of perimeter security arises from the lack of physical segregation among the VMs. Because the virtual environment supports multiple VMs from multiple organizations on a single server, you must provide security at the VM level rather than at the perimeter. This situation is exacerbated when cloud users create Web-based applications. Although this concern seems well defined, we need to better understand virtualization's unique vulnerabilities. Without this understanding, public-cloud security can never be properly realized.

Vulnerabilities and Virtualization

Virtualization expands the set of security vulnerabilities. If these new vulnerabilities are left unmanaged, they will jeopardize the future of public-cloud services. The public cloud offers user access via the Internet, and cloud subscribers conduct administrative activities in this environment. This paradigm in itself introduces security risks because this remote access provides exposure to potential cyberattackers. Although these vulnerabilities increase the threat space, other concerns pose an equal, if not greater, security threat. In the virtualized world, the hypervisor lets multiple OSs run concurrently on a host computer. The hypervisor provides a virtual platform on which guest OSs can execute while sharing resources. These multiple instantiations provide the capability to isolate failures in one OS, preventing them from affecting another OS sharing the same hardware. However, this isolation might not actually hold in practice. Public-cloud providers typically provide the same OS and applications across their enterprise. So, the same vulnerabilities are distributed throughout the physical and virtual enterprise. This environment creates an atmosphere in which a cyberattacker, malware, or other threat can remotely exploit these vulnerabilities. Additionally, the VMs' colocation increases the risk of VM-to-VM vulnerability exploitation.

VMs' dynamic nature allows for quick reconfiguration. You can revert them to previous instantiations, pause and restart them, clone them, and move them among the various servers. This inherent virtualization capability creates unique security concerns. The ease of reconfiguration creates an optimal environment to propagate vulnerabilities and unknown configuration errors. Similarly, owing to the dynamic virtualization environment, maintaining records of the overall cloud security state at any given moment is difficult, if not impossible.

Another unique vulnerability is that when a VM is offline, it's still available to any application that can access the physical server on which it resides. So, a remote user on one VM can access another dormant VM if both reside on the same physical server. Because dormant machines can't perform malware scans, they're highly susceptible to malware attacks. Exploitation of this vulnerability isn't restricted to the VMs on a particular hypervisor. This attack can also affect other physical devices in the cloud. For example, a dormant machine might have been backed up or archived to another server or storage device.

Among the most dynamic vulnerabilities are those introduced by patch management. Whenever a user creates an application (for example, a Web server) in a VM, the responsibility for patch management no longer resides with the cloud provider but with the user. This is because the number of users and applications that could reside in a public cloud makes it impossible for the service provider to ensure that all applications are properly updated with the latest patches. Although these security risks are embedded in the virtual operating environment, applying traditional perimeter-security approaches will increase their potential for exploitation. As I mentioned earlier, to thwart attacks in public clouds, you ultimately need to move the security from the perimeter to the VM.

Security in a Virtualized Environment

You can transform the primary security echelons in traditional data centers (firewalls, IDS/IPS, malware detection, and network and system monitoring and log inspections) [4] to support public-cloud environments, under certain constraints. Firewalls must be bidirectional and deployed on each VM instantiation. The management schema must be centralized to ensure that all VMs offer the same level of protection. To achieve this state, the firewall configuration must enable in its physical environment at least these features: VM isolation, coverage across all IP protocols, design policies for each network interface, the ability to prevent denial-of-service attacks, and detection of reconnaissance scans on cloud computing services.

Besides the security vulnerabilities I've described, cloud providers must consider performance. Existing malware security solutions (for example, Symantec and McAfee) were designed for standalone machines. So, concurrent applications of such security scans on the entire enterprise can significantly decrease platform performance. To overcome this concern, cloud providers must perform such resource-intensive scans at the hypervisor level [4]. Additionally, as I mentioned earlier, VMs and servers typically use the same OSs and software (including Web applications). By deploying malware protection at the hypervisor level, cloud providers can maintain the public cloud's entire security at a level equivalent to that found in current data center configurations and minimize the vulnerabilities associated with reconfiguration and dormant machines. Similarly, they should deploy IDS/IPS on VMs to minimize the potential for vulnerability exploitations.

Perhaps the easiest form of security involves monitoring the network, files, OSs, physical devices, and so on, together with log inspections. As is true in traditional data centers, monitoring system integrity and evaluating log files provide a critical layer of defense. Because end users might develop applications to be hosted on their VM, the cloud service provider must provide a well-formed process to monitor network and system integrity [3]. Such monitoring can alert the service provider to unexpected changes that could indicate malicious activities. Similarly, log inspections provide insight into OS and application security events. By optimizing log inspection rules, the cloud provider can ease detection of suspicious behavior and ensure timely awareness of this information.
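The two controls just described, system-integrity monitoring and log inspection, together with the reconnaissance-scan detection the firewall paragraph above asks for, can be shown in a few dozen lines. The following is an added example written for this page, not code from the column or from any of the cited vendors. It compares a SHA-256 baseline of a VM's files against their current contents and reports added, removed and modified paths, and it runs a simple rule over per-VM firewall log lines that flags a source touching many distinct ports on one VM inside a short window. The file paths, the log line format, the sample data and the thresholds are all assumptions constructed for illustration.

```python
"""Added example (not from the column): a minimal per-VM monitoring check.
Integrity monitoring (hash baseline diff) plus a log inspection rule for
reconnaissance scans. Paths, log format, thresholds and all sample data
are assumptions constructed for this example so that it runs offline."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta


def build_baseline(files):
    """Map path -> SHA-256 of content; take this once from a known-good image."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def check_integrity(baseline, current):
    """Diff the live file set against the baseline by content hash, not mtime."""
    now = build_baseline(current)
    return {
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
        "modified": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
    }


# Assumed per-VM firewall log shape: "<ISO time> <ACTION> src=<ip> dst=<ip> dport=<n>"
LOG_RE = re.compile(r"^(\S+) (\w+) src=([\d.]+) dst=([\d.]+) dport=(\d+)$")


def parse_log(lines):
    """Return (time, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, _action, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_scans(events, port_threshold=10, window=timedelta(seconds=60)):
    """Alert on (src, dst, n) where some window holds n >= port_threshold distinct ports."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past old hits
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= port_threshold:
            alerts.append((src, dst, best))
    return alerts


# Constructed sample data (no real systems).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/var/www/index.html": b"<h1>tenant app</h1>\n",
    "/usr/sbin/cron": b"\x7fELF cron binary placeholder",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # changed
    "/var/www/index.html": b"<h1>tenant app</h1>\n",
    "/var/www/upload.php": b"<?php /* file not in baseline */ ?>\n",  # new; cron is gone
}


def sample_log():
    """Constructed firewall log: a fast scanner, a normal client, a slow scanner."""
    t0 = datetime(2010, 7, 1, 10, 0, 0)
    lines = []
    for i in range(12):  # fast scanner: 12 distinct ports in 12 s
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} DROP src=10.0.0.9 dst=10.0.0.21 dport={21 + i}")
    for i in range(20):  # normal client: one port, many hits
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} ACCEPT src=10.0.0.5 dst=10.0.0.21 dport=443")
    for i in range(12):  # slow scanner: one port every 2 min, never 10 inside one window
        lines.append(f"{(t0 + timedelta(minutes=2 * i)).isoformat()} DROP src=10.0.0.7 dst=10.0.0.21 dport={21 + i}")
    lines.append("kernel: unrelated message that does not match the format")
    return lines


def run_checks():
    return {
        "integrity": check_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES),
        "scans": detect_scans(parse_log(sample_log())),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Two points follow from the constructed data. The slow scanner is not reported, because a fixed 60-second window only catches bursts; a provider tuning its log inspection rules should pair this kind of rule with a longer-horizon count per source. The baseline hashes must be stored outside the VM they describe, since a guest that has been compromised can rewrite a baseline kept on its own disk; the same off-guest position is what lets the host hash a dormant VM's image, which cannot scan itself.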
References

1. P. Mell and T. Grance, "The NIST Definition of Cloud Computing," ver. 15, US Nat'l Inst. of Standards and Technology, 7 Oct. 2009; http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
2. "2010 State of Virtualization Security Survey," Prism Microsystems, Apr. 2010; www.prismmicrosys.com/documents/VirtualizationSecuritySurvey2010.pdf.
3. J.W. Rittinghouse and J.F. Ransome, "Cloud Security Challenges," Cloud Computing: Implementation, Management, and Security, CRC Press, 2009, pp. 158-161; www.infosectoday.com/Articles/Cloud_Security_Challenges.htm.
4. "Cloud Computing Security: Making Virtual Machines Cloud-Ready," Trend Micro, Aug. 2009.
Lori M. Kaufman is a director of IT security for BAE Systems IT. Contact her at lori.kaufman@ieee.org.


