Cloud Computing May 1, 2009 An iDefense® Topical Research Report The VeriSign® iDefense® Security Intelligence Team Actionable Threat Intelligence

Cloud Computing - GeoTrust · 5/1/2009  · cloud computing represents not a single technology but a mixture of technologies and licensing/leasing frameworks. To some in the IT industry,


Cloud Computing

May 1, 2009

An iDefense® Topical Research ReportThe VeriSign® iDefense® Security Intelligence Team

Actionable Threat Intelligence


Contents

1 Executive Summary  3
2 Introduction  5
3 Dissecting the Concept of Cloud Computing  7
  3.1 Utility Pricing Model  9
  3.2 Private Clouds vs. Public Clouds  10
  3.3 Services Available in the Cloud  11
    3.3.1 Applications in the Cloud  12
    3.3.2 Storage in the Cloud  13
    3.3.3 Infrastructure in the Cloud  15
  3.4 Cloud Computing for Malicious Intent  16
4 Risk Analysis and Risk Management of Cloud Computing Technologies  17
  4.1 Privilege Access Control  17
  4.2 Data Segregation  18
  4.3 Regulatory Control  19
  4.4 Physical Location of Data  20
  4.5 Service Availability  21
  4.6 Recovery  23
  4.7 Investigative Support  24
  4.8 Viability and Longevity  25
  4.9 Identifying Key Risks  25
  4.10 Risk Quantification  27
5 Conclusions  29


3Cloud Computing

1 Executive Summary

In recent years, the concept of cloud computing has become a more viable enterprise solution for dealing with complex infrastructures, data retention and software licensing. Today, corporations and governmental agencies are beginning to use cloud computing as a means of reducing network and software costs while providing the same, and sometimes greater, levels of service to their employees.

Cloud computing offers enterprises (both large and small) a catalogue of resources such as data storage, utility computing (e.g., grid computing), content delivery networks and online, cloud-based office productivity suite applications. These offerings generally work on the principle of “you pay for what you use.” Many cloud computing service providers use the same pricing model as traditional utilities such as water, electricity and gas: the more of the service a consumer uses, the higher the cost, and the less used, the lower the cost. This model is particularly appealing to enterprises looking to reduce the overhead associated with under-utilized resources such as servers, personnel and application licenses.

The data storage and retrieval solutions are an obvious advantage of using this model. With the high cost associated with developing and maintaining data retention infrastructures, offloading the functionality to a cloud service provider is an economical solution that removes the need for expensive equipment, licenses and administrators by paying a third party to manage the resource. Many service providers in this arena offer the option to scale the required storage facility easily and seemingly without limitations.

The use of cloud-based office productivity suites gives enterprises the option to reduce the licensing overhead associated with traditional products such as Microsoft Office. Many service providers in this area charge a nominal amount (if any) and give each user a storage space online. These same applications can give users the ability to share their documents with others easily through the Web. Traditional, stand-alone applications typically do not have this feature.

Cloud computing does come with a certain level of risk companies must assess. Enterprises that leverage cloud computing must fully understand the implications of moving their data and resources out of their locally controlled infrastructure. Offloading a business’s critical data to an external party introduces the risk that someone may compromise the data in some way outside the control of the business. By the very nature of cloud computing, the data stored within the cloud is only accessible by an active network connection. When a business loses connectivity to the Internet or to the cloud service provider, the loss of connectivity effectively detaches the business from its assets until the network connection recovers.

Lastly, the use of cloud computing may be incompatible with various governmental regulations when dealing with sensitive financial, national and personal information. It is important to understand not only the risk associated with the use of third-party service providers such as cloud computing providers but also the legal implications of transferring sensitive data to servers that may be located in foreign countries. Understanding the local laws and rights of the country that houses a company’s data can help determine the risk associated with any governmental regulations that may interfere with data retrieval or incident response.


2 Introduction

Recently, the concept of cloud computing has become another in a series of popular information technology (IT) buzzwords. The technology and techniques behind cloud computing are not new concepts; having been available in several forms for many years under a variety of different names, cloud computing represents not a single technology but a mixture of technologies and licensing/leasing frameworks. To some in the IT industry, the use of the term “cloud computing” is more a form of marketing than technology. Recently, the CEO of Oracle, Larry Ellison, stated:

The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. [...] I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads.1

Despite the ambiguity of terminology, the fact remains that the concept of cloud computing has emerged recently as another potential source of revenue. Fueled by the ability to reduce overhead, to pay for services actually used, and to offload key infrastructure administrative needs to a third party that handles the same need for a larger set of consumers, the cloud computing business model has made significant inroads in the IT community. While there is no certainty that the term cloud computing will remain over the next decade, history has shown that the services that fall under the cloud computing umbrella have longevity within the industry.

When considering moving key company resources from the relative security and control of an in-house infrastructure to the ubiquitous network of a cloud computing service provider, it is imperative that businesses fully understand the risks and benefits of such a transition. The only safe network is an unplugged network, to paraphrase the saying, but the risk associated with a corporate-owned network is quantifiable or can be, at the very least, approximated. Cloud computing service providers make such quantifications more difficult by obscuring the details of their operations. In-house infrastructures have the benefit of transparency when being quantified by company auditors and IT security personnel by virtue of the fact that the same company performing the quantification has unfettered access to the network. Cloud computing services do not offer this same transparency, making the task of risk quantification more difficult but not impossible.

There are several key factors to address when considering moving enterprise data and services to a cloud computing solution. Enterprises must consider the risk associated with cloud computing while at the same time establishing reasonable controls to mitigate the risks. Analysts have identified several key areas enterprises must consider to this end, such as access controls, regulatory compliance, data location and segregation, recovery, incident response management and longevity.2

1 http://blogs.wsj.com/biztech/2008/09/25/larry-ellisons-brilliant-anti-cloud-computing-rant/

The intent of this report is to provide a broader understanding of the phenomenon known as cloud computing while also giving the reader an understanding of the risks associated with this technology. It is important for readers considering the move to cloud computing to understand the unique risks tied to cloud computing and potential techniques to mitigate the impact of these risks.

2 http://www.infoworld.com/article/08/07/02/Gartner_Seven_cloudcomputing_security_risks_1.html


3 Dissecting the Concept of Cloud Computing

As with most new technologies and new buzzwords, inconsistencies, myth and misinformation mar the term cloud computing. To understand the risks associated with cloud computing, it is necessary to understand the components that make up the cloud computing infrastructure. Many conceive of cloud computing as virtualizing services on another company’s servers and accessing the resource via the Internet as depicted in Exhibit 3-1. For the most part, this generic depiction of cloud computing retains some accuracy; however, the true nature of cloud computing is much more complex.

During the past several years, system administrators, IT professionals and industry leaders have bounced around the definition of cloud computing, resulting in a general lack of consistency in the meaning of the term. Recently, the industry has begun to settle on identifying the various service classifications of cloud computing resources to define the larger cloud computing notion.3 The most commonly accepted service classifications are software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). These classifications represent a sliding scale of abstraction, with SaaS providing the highest degree of resource abstraction, PaaS providing slightly less abstraction and IaaS being the most concrete of the resource types. Exhibit 3-2 illustrates the relationship between the various service classifications and their rankings with regard to abstraction. Exhibit 3-2 also details the implied dependence of each service classification on its lower neighbor. For instance, SaaS relies on PaaS, which in turn depends on IaaS.

Exhibit 3-1: Generalized View of Cloud Computing

Exhibit 3-2: Summary of Cloud Computing Service Classifications (ordered from highest to lowest resource abstraction)

Service Classification: Description

Software (SaaS): Web applications offered by the provider to the consumer that fill a particular requirement of the consumer. The consumer is isolated from the infrastructure administration and platform configuration, resulting in a product requiring no additional investment on the consumer’s part.

Platform (PaaS): Platform on which consumers can deploy Web applications or store data that offers scalable resource allocation without the necessity of backend resource management by the consumer.

Infrastructure (IaaS): Cloud-based computing model in which consumers deploy, control and loosely administer virtual servers using a provider’s commodity resources.

It is important to understand the meaning of each of the service classifications and the attributes that make up these classifications. The most fundamental service classification, the classification on which all other service classifications depend, is that of IaaS. IaaS has a close relationship to the notion of grid computing. IaaS allows an enterprise, large or small, the ability to deploy a variety of virtual servers in such a manner that administrators consider the servers themselves part of a larger server infrastructure. For instance, Amazon’s EC2 service provides consumers with a vast array of virtual servers on which an enterprise can deploy any number of virtual server images. These virtual servers use the common infrastructure owned and operated by Amazon but allow consumers to retain administrative control over their own virtual machines.

3 Visual Map of the Cloud Computing/SaaS PaaS Markets: http://peterlaird.blogspot.com/2008/09/visual-map-of-cloud-computingsaaspaas.html; Demystifying the Cloud: Where Do SaaS, PaaS and Other Acronyms Fit In?: http://www.saasblogs.com/2008/12/01/demystifying-the-cloud-where-do-saas-paas-and-other-acronyms-fit-in/

PaaS introduces the first layer of abstraction on top of the IaaS classification. PaaS operates as an application framework or runtime system on which consumers can execute their custom code or store information. PaaS removes the notion of system administration by abstracting the underlying architecture behind an application-programming interface (API) or some other means of accessing the consumer’s data. Consider Google’s AppEngine, for example: AppEngine provides developers with a full-featured Web server suitable for running custom Web applications from Google-owned and -operated servers. The developer of an AppEngine-enabled Web application uses the software development kit (SDK) to develop the product and then places the application on the Google servers. The result is a functional Web application that, in theory, the provider can scale according to demand and growth without the intervention of the developer’s IT staff.

The last piece of the cloud computing model provides the highest level of abstraction for the consumer. SaaS most closely resembles what the majority view as cloud computing. The SaaS classification encompasses Web applications accessed by a consumer from third-party resources. Consumers access these applications, which are rarely available in house, over the Internet. Zoho’s application suite is an example of SaaS. Zoho provides office productivity suites available via the Web. Zoho uses proprietary Web applications hosted on its own servers, which compete with more traditional software packages such as Microsoft’s Office. Exhibit 3-2 summarizes the various cloud computing service classifications and their respective meanings.

Exhibit 3-3 updates the generic cloud computing view with respect to the IaaS, PaaS and SaaS classifications. As seen in the diagram, each of the service classifications targets a specific subgroup of the Internet community. Providers of IaaS solutions typically gear the service toward system administrators or those who require a significant level of control over their resources. PaaS providers, on the other hand, gear their service more toward developers or those who can safely ignore the backend implementation of a system and focus only on the resulting product development or resources. SaaS focuses more on the end user by abstracting the entire cloud computing experience down to a set of applications accessible via a Web browser or some similar Internet-connected product.

Cloud computing service providers — those who provide SaaS, PaaS or IaaS offerings — do not always clearly define the line between the three service classifications as depicted in Exhibit 3-3. The “as a service” classifications are generic, and some services may not necessarily fit well into only one group. For instance, GoGrid provides a service that allows system administrators to deploy virtual machines through the IaaS model.4 To administer the virtual servers, GoGrid provides an optional API that would typically fit under the PaaS model.5

4 How GoGrid Cloud Hosting Works: http://www.gogrid.com/how-it-works/index.php

5 GoGrid API: http://www.gogrid.com/how-it-works/gogrid-API.php


3.1 Utility Pricing Model

The advantage most commonly cited for adopting a cloud computing solution is price. Cloud computing service providers typically charge for the resources a consumer uses. Similar to the manner in which more traditional utilities such as water and electric charge by the unit of the service used, cloud computing service providers charge for the quantity of resources used over time. The advantage for enterprises of this type of utility pricing system becomes evident when compared to the cost of hardware purchasing (for IaaS and PaaS models) and software licenses (for PaaS and SaaS models). While an enterprise may purchase 100 licenses for a given office productivity suite, the enterprise may only use a small percentage of the licenses at any given time. On the other hand, if the enterprise adopted a SaaS-based product for its office productivity suite and paid for only the amount of time and resources the enterprise used, the cost savings could be significant.

Pricing models vary between service providers, but the theme of paying only for the resources consumed is common. GoGrid’s Cloud Hosting service, an IaaS product, charges a fee for the number of hours a single virtual server runs. GoGrid uses the concept of a “server-hour” the same way an electric company uses the concept of a kilowatt-hour. The longer a server image is running, the more GoGrid charges. In addition to charging for the time a server is running, GoGrid charges for the amount of data a server image transfers from the image to an outbound recipient (e.g., a network client). In this sense, GoGrid charges for the bandwidth used by the consumer. Exhibits 3-4 and 3-5 provide a high-level pricing structure for GoGrid’s service.

Exhibit 3-3: View of Cloud Computing with Respect to Service Classifications


Server Hour Package                     Price
Pay-As-You-Go                           $0.19 US/server-hour
Pre-Paid: 800 server-hours/month        $99.99/month
Pre-Paid: 5,000 server-hours/month      $499.99/month
Pre-Paid: 30,000 server-hours/month     $2,499.99/month

Outbound Data Transfer Package          Price
Pay-As-You-Go                           $0.50/GB
Pre-Paid: 200GB/month                   $49.99/month
Pre-Paid: 1TB/month                     $199.99/month
Pre-Paid: 6TB/month                     $999.99/month

Another example of utility pricing found in the PaaS sector is Amazon’s S3 service. S3 is a cloud-based storage service that structures its pricing around data consumption (both over the network and on the storage medium). Amazon prices S3 on the amount of data stored or transferred and on the total number of requests made, with prices varying between Europe and the US. Storage costs are on a per-gigabyte basis, and the price per gigabyte decreases as the total storage used increases. Exhibit 3-6 displays Amazon’s pricing structure.6

Service Provided                        Server Location     Rate
Storage                                 US Servers          $0.15-$0.12/GB
                                        European Servers    $0.18-$0.15/GB
Data Transfer (Upload)                  US Servers          $0.10/GB
                                        European Servers    $0.10/GB
Data Transfer (Download)                US Servers          $0.17-$0.10/GB
                                        European Servers    $0.17-$0.10/GB
HTTP Request (GET/PUT/COPY/POST/LIST)   US Servers          $0.01/Request
                                        European Servers    $0.01/Request

3.2 Private Clouds vs. Public Clouds

One of the key advantages to using cloud computing for an enterprise infrastructure lies in offloading the costs associated with hardware, personnel and resources to a third party that charges for service as a utility would; however, offloading sensitive data to a third party introduces risks. Enterprise data security is commonly a concern when considering the use of cloud computing services. To that end, a relatively recent shift in the cloud computing topology has emerged: enterprises have begun creating cloud computing-type infrastructures, known as private clouds or internal clouds, within their own internal networks.

The advantage to using a private cloud comes in the form of security, control and accountability.7 Private clouds give an enterprise complete control of the cloud-type services. Restricting the infrastructure to an internal network reduces the likelihood of third-party data breaches affecting the enterprise and increases the accountability of the company’s IT staff. Enterprises have absolute control over the infrastructure, the data and the network associated with private clouds. These advantages come with the distinct disadvantage of cost.

6 http://aws.amazon.com/s3/#pricing

7 Cloud Computing Types: Public Cloud, Hybrid Cloud, Private Cloud: http://samj.net/2009/03/cloud-computing-types-public-cloud.html

Exhibit 3-4: GoGrid’s Server-Hour Pricing System

Exhibit 3-5: GoGrid’s Data Transfer Pricing System

Exhibit 3-6: S3 Pricing Structure

Public cloud services, as mentioned previously, offer consumers the ability to leverage communal resources to lower operational costs. When multiple consumers purchase access to a shared resource, the provider can lower the overall cost of the consumption of those resources. This model spreads the costs of administration, data management and resource deployment among multiple consumers, resulting in each consumer handling a much smaller financial burden in comparison to the financial strain imposed by administering, managing and deploying the resources in house.

The disadvantage of using public cloud services comes as a result of the very aspect that makes public cloud service advantageous: communal resources. When communal resources are involved, the consumer must place a higher level of trust with the service provider to ensure that the consumer’s data is properly isolated from other consumers. Security is one of the primary concerns associated with public cloud services. The potential for a breach of one consumer’s resources spilling into another consumer’s resources is much higher when using communal resources than would be found when the resources are restricted to an in-house, internal network.

Reliability is also a determining factor between public versus private clouds. Private clouds exist on the local, internal network whereas public clouds exist on a network accessible via the Internet. In the event of an Internet disconnect, private clouds will continue to provide access to resources while the public cloud will be unable to meet this same outcome.

For the purposes of this report, the remaining sections assume the use of a public cloud. While the use of a private cloud does contain risks, the risks associated with private clouds are significantly lower than those of public cloud infrastructures. Moreover, private clouds closely model traditional internal networks commonly found in most enterprises. The notable difference between traditional internal infrastructures and those that employ private cloud services is the heavier use of virtualization for servers and services. The trend of using virtualization on internal enterprise networks is becoming more popular,8 indicating that the distinction between private cloud services and traditional internal networks may begin to blur more in the coming years.

3.3 Services Available in the Cloud

The number of companies providing cloud-based services has increased tremendously during the last several years. One cannot easily define the number of service types (not to be confused with service classifications) given the wide range of companies and products currently available. While describing every available cloud-based service is beyond the scope of this report, a quick survey of a few service types follows.

A number of traditionally host-based application providers and better-known Web-based companies are venturing into the arena of cloud-based services. While each company offers its own unique set of services, they generally fall into one of several larger types:9 applications, value-added, integration, storage, cloud platform tools, cloud platforms and infrastructure. This report explores a subset of the applications, storage and infrastructure types to give the reader a sample of the cloud-based services currently on the market and to provide context for the risks associated with cloud-based services discussed in the next chapter.

8 Virtualization Infrastructure: http://www-03.ibm.com/systems/virtualization/infrastructure/

iDefense does not endorse any of the products listed in the following subsections. The providers listed in this section represent a sampling of available services.

3.3.1 Applications in the Cloud

Many companies have released SaaS-based office productivity suites that compete directly with traditional workstation-installed office productivity suites, such as Microsoft Office and OpenOffice. These products use the SaaS model by employing Web 2.0 technologies to provide word processors and spreadsheet editors within a Web browser. Well-known companies such as Microsoft, Google and Adobe offer their own products in this market, but other, less familiar players are also involved, such as Zoho and ThinkFree.

Microsoft offers Office Live Workspace, a product that extends its Office suite into the cloud. The service allows users to sign up for free access and use of the service. Office Live Workspace encompasses Word, Excel, OneNote and PowerPoint, allowing each of these applications installed on a client computer to save the file to the Workspace — the Microsoft file store located on the Microsoft servers — via a plugin called Office Live Update. Office Live Update saves documents edited on a client computer to the Workspace after a user provides logon credentials. Office Live Workspace provides online editing tools that are essentially stripped-down versions of Word, Excel, OneNote and PowerPoint.10 The approach taken by Microsoft is unique when compared to the other major players in this domain. Unlike most providers, where the client application exists in the cloud as SaaS, Microsoft uses a fat-client solution (Microsoft Office) and provides integration of that client with the cloud-based workspace, essentially turning the solution into a PaaS-based product. Google Docs and ThinkFree (mentioned below) also provide fat clients; however, unlike the Microsoft solution, these clients are limited and generally considered “afterthoughts.”

Google presents Google Docs as its cloud-based office productivity suite. Google Docs is a free application that allows users to store, view and edit documents. The owner of a document can share the document with others for collaboration. The application suite includes a word processor, PDF viewer, spreadsheet and presentation program. Unlike Microsoft’s Office Live, Google Docs does not require the user to download an executable, as the application runs in supported Web browsers as a SaaS product. Google Docs accepts a wide variety of word processor, spreadsheet and presentation file types.11 The wide range of supported file formats allows Google Docs to interact with a larger user base from other operating systems. At the same time, a user can share all files simply by inviting others by e-mail address, which provides a link to the document within an e-mail.

9 http://saaslink.googlepages.com/Laird_CloudMap_Sept2008.png

10 Learn About Online Collaboration with Microsoft Office Live Workspace - http://workspace.officelive.com/FAQ

11 Google Docs Basics - http://www.google.com/support/writely/bin/answer.py?answer=49008&cbid=1sv49ar24domm&src=cb&lev=answer

Adobe released the free Acrobat.com Beta as a cloud service, which includes an application named Buzzword. Buzzword provides word processing functionality for uploaded Microsoft Word, OpenOffice, rich-text and plain-text files. A user can edit the uploaded files within the Flash-based editor and save the files as any of the previously mentioned file types, or a user can export the files to PDF and HTML formats. Buzzword allows file sharing with others while providing three permission levels: co-author, reviewer and reader. A co-author has the ability to make changes to the document, whereas a reviewer can only add comments and a reader can only view the document. Buzzword effectively limits users to an online word processor.

Zoho offers a wide range of applications online to replace traditional office productivity suite applications. Zoho offers applications that include a word processor, an online spreadsheet program, a presentation program and a document manager. Zoho offers licenses to purchase online business applications for customer relationship management (CRM), online conferencing, online databases and reporting, human resource management, and project management.12

Trend Micro, an anti-virus vendor, released a SaaS product named Smart Protection Network on June 18, 2008.13 The Smart Protection Network uses a lightweight local agent application to access Web, e-mail and file reputation databases to minimize exposure to malicious Web servers, spam messages and malicious code by blocking access. The Web reputation database stores information about domains collected from threat intelligence. The information gathered includes all domain-related activity seen in analyzed malicious code samples and spam messages. The e-mail reputation database stores IP addresses and domains of known spam sources and determines a real-time reputation rating for IP addresses to block malicious e-mails from reaching end systems. The cloud blocks e-mails from known spam sources before exposing a potential threat to the end system.

The Smart Protection Network minimizes the reliance on definition files at the client’s system by relocating the file scanning technology to the cloud. The client uses a lightweight local agent application that reduces the burden of local file scanning by checking a file within an e-mail or from a website against Trend Micro’s file reputation database. The file reputation database checks to see if the file is malicious and, if so, blocks access.

3.3.2 Storage in the Cloud

The cloud offers many online storage solutions from a variety of companies. Data storage in the cloud offers hard drive space for a monthly fee that is small compared to the cost of operating similar storage in-house. The low prices and the possibility of enhanced security entice enterprises to outsource storage to services in the cloud. In-house solutions require significant investments in resources such as equipment, servers and storage devices, and require additional investment when the solution must scale to meet growing needs. Consumers can scale their systems using cloud-based storage solutions, such as those outlined in this section, without these resources and thus reduce the investment cost. Typically, service providers offering storage via cloud solutions use a PaaS-based approach. The service provider establishes an interface between the consumer and the consumer’s data. This interface is not necessarily an API; it sometimes exists as a set of file transfer protocols such as BitTorrent or HTTP. This blend of transfer protocols (e.g., BitTorrent, HTTP) and application programming interfaces blurs the line between PaaS and SaaS solutions.

12 Zoho Pricing: http://zoho.com/pricing.html
13 http://trendmicro.mediaroom.com/index.php?s=43&item=642

Amazon’s S3 provides online storage at a fraction of the cost of network attached storage (NAS) solutions. S3 stores objects in logical containers called “buckets,” replicated across multiple servers, and allows users to access the stored data from anywhere. Amazon houses the buckets in data centers spread across the US and Europe and allows users to download data in several ways, including over HTTP or BitTorrent. A user determines whether the stored data is available to the public or private, and the data owner grants permissions on a per-user basis to add access control. With a focus on security, Amazon published a whitepaper14 discussing in detail the security infrastructure that protects S3. The whitepaper describes physical security measures that include professional security guards stationed at ingress points, video surveillance and intrusion detection systems. Data centers are inconspicuous and have protective boundaries, and data center floor access requires two-factor authentication no fewer than three times. Logical security includes access control lists and permissions applied to buckets or objects to minimize unauthorized access to data. Physical security aside, communication with S3 uses secure sockets layer (SSL) for encryption in transit; however, the stored data itself is unencrypted. Therefore, the data’s owner is encouraged to encrypt his or her data before uploading it and to keep the encryption key outside the provider’s infrastructure.

There are additional classes of cloud data storage that focus on simpler uses such as file storage, retrieval and sharing. Box.net, a cloud storage provider established in 2005, is designed around the idea of not only storing files but also allowing consumers to select which files can be publicly shared with others. Box.net offers an enterprise-grade storage solution that provides the high availability and security features enterprises require. The enterprise-level service provides a management interface to provision access, monitor usage and activity, and obtain phone and e-mail support. Box.net implements security safeguards for the data center, network connectivity, user and application. The data center incorporates 24/7 monitoring, biometrics and radio frequency identification (RFID) cards for access. The network uses Cisco PIX firewalls that allow only HTTP and SSL, with file transfers carried over an SSL channel using 256-bit encryption. Box.net guarantees 99.9 percent availability. User security focuses on password authentication and access control. Files are private to the user unless explicitly shared with others or specifically changed to a publicly accessible status. File access can be password protected to thwart unauthorized access.15 The application is secured by forcing every request to the Box.net application to carry a verification code that is checked to confirm authenticated, authorized access. Box.net sends daily data backups to an offsite location, which allows Box.net to revert data quickly if consumers experience data inconsistency.16

14 Amazon Web Services: Overview of Security Processes: http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf
15 http://www.box.net/enterprise/security

The rapid growth in multimedia-based Web content has spawned the need for increased bandwidth and reliable connections. Content delivery networks (CDNs) use multiple servers and load-balancing techniques to spread traffic loads to servers close to the client geographically for increased speed. This technique allows audio and video streaming and faster downloads to enable multimedia services on the Web. There are many companies offering CDN services, but few implement features only available in the cloud.

Amazon offers a service called CloudFront that acts as a CDN for objects stored in Amazon’s S3. The CloudFront service caches data across edge servers to deliver content to users close in proximity. The users experience faster download speeds and lower latency as CloudFront routes user requests to the closest server—the server with the lowest network latency. The Amazon infrastructure includes caching servers in the US, Europe and Asia with pricing based on these regions.

Pando Networks provides a content delivery cloud (CDC) to supplement existing CDNs. The Pando Content Delivery suite enhances content delivery with peer-to-peer (P2P) technology. Pando’s servers track the users accessing a piece of content so that those users can connect to one another and form a network of peers. These peers relay data received from the server to other peers within the P2P network, known as a “peer cloud.” As a supplement to CDNs, the P2P component shares the content delivery workload with the users receiving the content: each user accessing the content also hosts it for other users. This allows more peers to host popular files, which reduces the load and bandwidth required of the CDN’s edge servers. The CDN edge servers house all distributed content at a static location, and the P2P component scales popular content to meet spikes in demand.17 P2P networks typically decentralize data transfer, but Pando’s use of a centralized tracker allows the content to be controlled. Data transferred between peers uses Advanced Encryption Standard (AES) 256-bit encryption to secure the distributed data.18 Using P2P to distribute content reduces the Pando CDC’s costs through lower bandwidth utilization and provides scalability for increases in demand.

3.3.3 Infrastructure in the Cloud

Amazon offers IaaS through its EC2 service. This service provides computational resources via virtual machines controlled through a Web interface. Amazon provides virtual machine image templates for quick virtual server creation, or accepts custom-built virtual machine images preloaded with software for computation. Virtual server images, known as Amazon Machine Images (AMIs), are stored in Amazon’s S3, and instances launched from those images run on physical servers located in the US and Europe. EC2 offers a menu of operating systems and of resources allocated to each instance. The operating systems compatible with EC2 include Windows Server 2003, OpenSolaris and a number of Linux distributions. The European region allows Linux and OpenSolaris instances but does not include an option to run Windows Server 2003. Instance types differ in the resources allocated to them: the number of EC2 Compute Units (ECU), memory and storage. Amazon’s EC2 provides a network security and access control interface that lets users modify firewall configurations and control access between instances.19

16 http://www.box.net/static/download/enterprise_overview.pdf
17 http://www.pandonetworks.com/p2p
18 http://www.pandonetworks.com/security
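The firewall configuration interface just described is where most IaaS exposure mistakes are made: a rule intended for an office address range ends up open to the whole Internet. The following Go program is an added example, not code from the iDefense report or from Amazon. It audits a constructed list of inbound rules written in a simplified form of the rule model such interfaces expose (group, protocol, port range, and a source that is either a CIDR or a reference to another group) and reports every rule that opens all ports, or an administrative service, to a source wider than a /16. The Rule type, the list of administrative ports, the /16 threshold and the sample rules are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is a simplified inbound firewall rule of the kind an IaaS console or
// API lets a consumer create for a group of instances (assumed model).
type Rule struct {
	Group    string
	Proto    string // "tcp", "udp" or "icmp"
	FromPort int
	ToPort   int
	Source   string // CIDR such as 203.0.113.0/24, or "sg:<name>" for group-to-group access
}

// service is a port that should not be reachable from arbitrary Internet
// addresses. The list is an assumption made for this example.
type service struct {
	port int
	name string
}

var adminServices = []service{{22, "ssh"}, {3389, "rdp"}, {1433, "mssql"}, {3306, "mysql"}, {5432, "postgres"}}

// maxOpenHostBits is the widest source this audit tolerates for an
// administrative port: a /16 (16 host bits) or narrower. Anything wider,
// including 0.0.0.0/0 and ::/0, is reported. The threshold is an assumption.
const maxOpenHostBits = 16

// hostBits returns how many host bits a CIDR leaves unspecified, or -1 when
// the source is not a CIDR (group references are treated as internal).
func hostBits(src string) int {
	_, ipnet, err := net.ParseCIDR(src)
	if err != nil {
		return -1
	}
	ones, bits := ipnet.Mask.Size()
	return bits - ones
}

// covers reports whether the rule's port range includes port.
func (r Rule) covers(port int) bool {
	return r.Proto != "icmp" && r.FromPort <= port && port <= r.ToPort
}

// Audit returns one finding per rule that exposes every port, or one of the
// administrative services, to a source wider than the threshold.
func Audit(rules []Rule) []string {
	var findings []string
	for _, r := range rules {
		if hostBits(r.Source) <= maxOpenHostBits { // also skips non-CIDR sources (-1)
			continue
		}
		if r.Proto != "icmp" && r.FromPort <= 0 && r.ToPort >= 65535 {
			findings = append(findings, fmt.Sprintf("%s: all %s ports open to %s", r.Group, r.Proto, r.Source))
			continue
		}
		for _, s := range adminServices {
			if r.covers(s.port) {
				findings = append(findings, fmt.Sprintf("%s: %s (%s/%d) open to %s", r.Group, s.name, r.Proto, s.port, r.Source))
			}
		}
	}
	return findings
}

// SampleRules is a constructed rule set: two expected findings, four clean rules.
func SampleRules() []Rule {
	return []Rule{
		{"web", "tcp", 80, 80, "0.0.0.0/0"},          // public web: expected
		{"web", "tcp", 443, 443, "0.0.0.0/0"},        // public web: expected
		{"bastion", "tcp", 22, 22, "203.0.113.0/24"}, // ssh from the office range: acceptable
		{"app", "tcp", 22, 22, "0.0.0.0/0"},          // ssh from anywhere: finding
		{"db", "tcp", 3306, 3306, "sg:app"},          // group-to-group: internal, skipped
		{"db", "tcp", 0, 65535, "::/0"},              // everything from all of IPv6: finding
	}
}

func main() {
	for _, f := range Audit(SampleRules()) {
		fmt.Println("FINDING:", f)
	}
}
```

The check deliberately ignores group-to-group sources, which is the right way to grant a database group access from an application group; a rule set that reaches the same effect with a wide CIDR is what the audit is meant to catch.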

GoGrid provides a similar IaaS solution with pricing comparable to Amazon’s EC2. Like EC2, GoGrid gives consumers a selection of Linux- and Windows-based instances. GoGrid offers free F5 appliance-based load balancing. GoGrid’s pricing structure is based on “server RAM hours” and outbound data transfer. The server RAM hour metric is defined as the amount of RAM a server has (0.5GB, 1GB, 2GB, 4GB or 8GB) multiplied by the number of hours the server is in use. Unlike Amazon, GoGrid lacks geographic distribution of its servers: it houses its cloud services in a single data center located in San Francisco. The data center has multiple network connections to the Internet backbone, but these could ultimately prove ineffective in the event of a natural disaster that affects the whole city, such as the earthquake of 1989.

3.4 Cloud Computing for Malicious Intent

The use of cloud computing is not limited to enterprises. Researchers have observed the cyber underground using cloud-computing-style services for malicious activities. Spam botnets are essentially a PaaS for spam: they allow clients to offload the task of spamming hundreds of thousands, if not millions, of e-mail addresses. This configuration allows the originator of the spam to remain hidden behind a vast network of infected computers. The result is a business model with a low cost for high volume.

Malicious actors can use legitimate services, such as Amazon’s EC2, for malicious activities. Setting up a large EC2 cluster of computers dedicated to cracking passwords would allow an attacker with limited hardware resources and minimal financial resources to dedicate a powerful grid-computing infrastructure to the task of breaking passwords and encryption. The use of the EC2 service in this manner increases the amount of information an attacker can glean from a victim without requiring the attacker to invest in expensive hardware.

Using PaaS such as Google’s AppEngine or IaaS such as GoGrid, attackers can quickly establish short-term phishing servers or command and control (C&C) servers for a fraction of the cost of bulletproof hosting servers. In the event that the service provider takes down an attacker’s site, the attacker can easily transfer the service to another service provider using the existing application or server image.

19 http://aws.amazon.com/ec2/


4 Risk Analysis and Risk Management of Cloud Computing Technologies

Cloud computing can be an attractive option for many enterprises, large and small; however, as with any new technology, management and business partners must identify, analyze, evaluate and finally remediate the risks associated with the adoption of cloud computing services. Unlike more established technologies, cloud computing comes with a unique set of attributes that may make this type of evaluation more challenging.

In June 2008, Gartner, Inc. released a research note titled “Assessing the Security Risks of Cloud Computing,”20 which outlines the key criteria business leaders should review before deciding to use a cloud computing service provider or, in a larger sense, cloud computing overall. These criteria are important to understand given the somewhat opaque nature of cloud computing resources. Gartner recommends the following areas for detailed security, regulatory compliance and privacy risk assessment:

• Privileged User Access
• Data Segregation
• Regulatory Compliance
• Physical Location of Data
• Availability
• Recovery
• Investigative Support
• Viability and Longevity

The remainder of this chapter explores these risk criteria as they apply to the generic cloud computing model and provides potential mitigation strategies to reduce the risk of exposure to the consumer. Defining the risks for every cloud-based service provider is beyond the scope of any report, including this one; however, given the commonalities found in most cloud-based services (IaaS, PaaS and SaaS classes), it is possible to establish a set of general risks associated with cloud computing overall.

This chapter concludes by identifying several key risks associated with cloud computing. These risks represent the most likely risks to occur when a consumer deploys a cloud-based solution. iDefense based the selection of the key risks on events that have occurred within the past two years and risks iDefense feels will likely affect consumers in the immediate future.

4.1 Privilege Access Control

Providing data (sensitive or not) to a service provider removes the internal controls of the enterprise, which have been established for in-house data protection and gives control over the data to the service provider. As a result, it is important to understand who will have access to the data once it leaves the confines of the enterprise network and enters the cloud. This requires an understanding of not only which employees of the service provider will have access to the data, but any third parties that may also have access and how this access is controlled.

20 Heiser, Jay and Mark Nicolett. “Assessing the Security Risks of Cloud Computing,” Gartner. June 3, 2008.


In an ideal environment, the access controls shown in Exhibit 4-1 would exist. In this type of environment, only the consumers responsible for a given data store would have access to said data store while the service provider’s administrative staff would have limited, yet administrative, access to all data stores. A failure in this system would result in the exposure of consumer data to other consumers or service provider personnel in a manner inconsistent with the terms of the service provider’s policies.

The risks associated with privileged access controls closely relate to the risk criterion of data segregation. Both can lead to data exposure or data loss, and the exposure or loss of the consumer’s data can have a very adverse effect on the consumer. Unlike the data segregation criterion, which is defined in a subsequent section, the privileged access control criterion focuses on the policies, hiring practices and personnel access controls the service provider employs.

Employees and contractors of a service provider will retain a certain level of access to consumer data to maintain the service provider’s resources properly. This fact requires that the service provider has sufficient controls in place to ensure employees and contractors have only the bare minimum access necessary to perform these functions while protecting the integrity and confidentiality of the consumer’s data.

To reduce the risk associated with a service provider’s privileged access controls, a consumer should evaluate the data access controls, hiring and employee policies, physical access controls and logical controls of the service provider before placing data within the service provider’s infrastructure. A consumer should be suspicious of the access control systems of any service provider unwilling to provide this type of information. Understanding the nature of the controls the service provider has in place is paramount when attempting to mitigate the risk to the consumer’s data and resources.

4.2 Data Segregation

Cloud computing works on the principle of using commodity hardware to serve a vast number of consumers. This commodity hardware dynamically allocates resources as demand peaks and wanes, allowing service providers to offer consumers a cheaper solution that handles the same workload typically handled by under-utilized in-house servers and infrastructure. This fact dictates that, at some point, the data of multiple consumers may be stored or processed on the same physical computer, as illustrated in Exhibit 4-2.

Consumers should assume that the data segregation solutions used by service providers will fail at some point. Even the idealized segregation depicted in Exhibit 4-2 leaves open the possibility that when a commodity server accesses the data store of one consumer, it exposes the data store of another consumer, negating the data segregation system in place. Google Docs experienced a similar failure due to a caching system error in 2008.21
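The caching failure mode described above can be made concrete. The following Go program is an added example, not code from the report or from Google. It contrasts a cache keyed only by document ID, which serves one consumer’s cached object to any other consumer who requests the same ID, with a cache whose key includes the tenant and which re-checks the stored entry’s owner before returning it, so that a key built incorrectly elsewhere fails closed instead of leaking. The Document type, the two constructed tenants and their sample records are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Document is a constructed stand-in for one consumer's stored object.
type Document struct {
	Tenant string
	ID     string
	Body   string
}

// ErrForbidden is returned when a cached entry turns out to belong to a
// tenant other than the one asking for it.
var ErrForbidden = errors.New("document belongs to another tenant")

// LeakyCache reproduces the failure mode: entries are keyed by document ID
// alone, so an entry cached for one tenant is served to any other tenant
// that requests the same ID.
type LeakyCache struct{ entries map[string]Document }

func NewLeakyCache() *LeakyCache { return &LeakyCache{entries: map[string]Document{}} }

func (c *LeakyCache) Put(d Document) { c.entries[d.ID] = d }

// Get ignores the requesting tenant entirely; that is the bug.
func (c *LeakyCache) Get(tenant, id string) (Document, error) {
	d, ok := c.entries[id]
	if !ok {
		return Document{}, errors.New("cache miss")
	}
	return d, nil
}

// TenantCache is the hardened form. The tenant is part of the cache key, so
// two consumers using the same document ID never collide, and the owner
// recorded on the entry is checked again on read so that a key built
// incorrectly somewhere upstream fails closed instead of leaking.
type TenantCache struct{ entries map[string]Document }

func NewTenantCache() *TenantCache { return &TenantCache{entries: map[string]Document{}} }

// cacheKey length-prefixes both parts so that ("a","bc") and ("ab","c")
// cannot produce the same key.
func cacheKey(tenant, id string) string {
	return fmt.Sprintf("%d:%s:%d:%s", len(tenant), tenant, len(id), id)
}

func (c *TenantCache) Put(d Document) { c.entries[cacheKey(d.Tenant, d.ID)] = d }

func (c *TenantCache) Get(tenant, id string) (Document, error) {
	d, ok := c.entries[cacheKey(tenant, id)]
	if !ok {
		return Document{}, errors.New("cache miss")
	}
	if d.Tenant != tenant {
		return Document{}, ErrForbidden
	}
	return d, nil
}

func main() {
	// Constructed sample: two consumers that both use the ID "doc-1".
	acme := Document{Tenant: "acme", ID: "doc-1", Body: "acme quarterly forecast"}
	globex := Document{Tenant: "globex", ID: "doc-1", Body: "globex payroll"}

	leaky := NewLeakyCache()
	leaky.Put(acme)
	leaky.Put(globex) // silently replaces acme's entry under the shared key
	d, _ := leaky.Get("acme", "doc-1")
	fmt.Printf("leaky cache gave acme: %q (owner %s)\n", d.Body, d.Tenant)

	safe := NewTenantCache()
	safe.Put(acme)
	safe.Put(globex)
	d, _ = safe.Get("acme", "doc-1")
	fmt.Printf("tenant cache gave acme: %q (owner %s)\n", d.Body, d.Tenant)
}
```

The second check in TenantCache.Get looks redundant, but it is the control that survives a refactoring of cacheKey: a segregation scheme that relies on one correctly constructed string is exactly the kind of scheme the text says consumers should expect to fail.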

21 A New Security Breach in Google Docs Revealed: http://blog.isc2.org/isc2_blog/2008/09/serious-securit.html

Exhibit 4-1: Access Controls across Consumer Data Stores

Exhibit 4-2: Data Segregation across Multiple Consumer Data Stores


Nearly all service providers now support SSL connections to ensure that the provider is encrypting the data traversing the network, but not all providers ensure that they are encrypting the physically stored data. When a service provider leaves the data at rest unencrypted and readable, the consumer should assume that at some point the data will be read. The fact that an unauthorized individual can read a consumer’s data represents a risk. Encryption mitigates this risk by making the data indiscernible without the proper keys.

Encryption can introduce the risk of data loss when providers and consumers mismanage keys, when unforeseen events damage encrypted files or when encryption is incorrectly used. Consumers should establish a clear chain of custody for encryption keys associated with the consumer data when the consumer gives the keys to the data to the service provider. If the service provider is providing the encryption for the consumer’s data (instead of the consumer providing the encryption), the consumer should ask the service provider for the details of the encryption system and for verification that the encryption system does not introduce unnecessary risks. When the service provider provides encryption for the consumer’s data, the consumer should be concerned with the protocols and implementation of the encryption system, as these two factors dictate the effectiveness of the encryption system.

Finally, consumers must evaluate the “how, when and where” of the data storage the service provider employs to determine the level of risk associated with shared and potentially encrypted data stores. Poorly implemented data storage and encryption systems can introduce a greater risk of data loss.
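The encryption advice given for S3 in section 3.3.2 and the key custody points above come together in client-side encryption: the consumer encrypts each object before upload and never gives the provider the key. The following Go program is an added example, not code from the report, from Amazon or from any provider. It uses AES-256-GCM from the Go standard library, binds the object name into the authenticated data so that a ciphertext stored under one name cannot be served back under another, and shows that a tampered object, a renamed object or a wrong key fails to decrypt rather than yielding garbage. The providerStore map standing in for the remote bucket and the sample payroll record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Object is what is actually handed to the storage provider: the name, the
// ciphertext (with the GCM tag appended) and the nonce. The key is not here.
type Object struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit AES key. In practice the consumer keeps this in
// its own key store; it is never uploaded alongside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a fresh random nonce. The object
// name is bound as additional authenticated data, so a ciphertext stored
// under one name cannot later be served back under another.
func Seal(key []byte, name string, plaintext []byte) (Object, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Object{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Object{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return Object{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an object fetched back from the provider. Any change to the
// ciphertext, nonce or name, or use of the wrong key, fails authentication
// and returns an error instead of garbage plaintext.
func Open(key []byte, obj Object) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
}

// providerStore stands in for the remote bucket: it only ever sees Objects.
var providerStore = map[string]Object{}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the provider never sees this plaintext.
	obj, err := Seal(key, "hr/payroll-2009-04.csv", []byte("alice,4200\nbob,3900\n"))
	if err != nil {
		panic(err)
	}
	providerStore[obj.Name] = obj

	fetched := providerStore["hr/payroll-2009-04.csv"]
	pt, err := Open(key, fetched)
	fmt.Printf("round trip: %q err=%v\n", pt, err)

	// A provider-side insider flips one byte at rest: the tag check fails.
	tampered := fetched
	tampered.Ciphertext = append([]byte(nil), fetched.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampered copy:", err)
}
```

The key never enters providerStore, so a provider insider or a cross-tenant leak yields only ciphertext; the corresponding risk moves to the consumer’s own key management, which is the chain-of-custody question raised above. Rotating a key means re-encrypting every object sealed under it, and a lost key makes the data unrecoverable, which is the data-loss risk the text warns about.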

4.3 Regulatory Control

Consumers must evaluate cloud computing service providers to ensure that the service provider can fulfill any regulatory compliance obligations, such as outsourcing, privacy and data security regulations, by which the consumer is bound. For instance, the Statement on Auditing Standards No. 70 (more commonly known as SAS 70)22 is a US auditing standard used by third-party service organizations to provide reasonable assurance that the control objectives and control activities deployed by the service provider are sufficient for the consumers that rely on the service. The US regulation known as the Sarbanes-Oxley (SOX) Act of 2002 requires publicly traded companies to provide evidence that key controls are in place to prevent financial fraud.23 Companies that fall under SOX and use third-party services, such as cloud-based service providers, use the SAS 70 audit of the third party as evidence that the third party is meeting the same, or similar, key controls. Therefore, a cloud-based service provider that provides resources to publicly traded companies based in the US must meet the audit standards outlined in the SAS 70 framework; failure to do so creates regulatory risk for consumers of the service. Regulatory controls such as the upcoming International Standard on Assurance Engagements (ISAE) 340224 (the international equivalent of SAS 70, currently under review), the US Health Insurance Portability and Accountability Act (HIPAA)25 and various information regulations introduce risk mitigation frameworks against which a consumer must verify the service provider. Depending on the local laws of the consumer’s country, failure to abide by the appropriate regulations may result in the risk of unfavorable legal action against the consumer.

22 About SAS 70: http://www.sas70.com/about.htm
23 Sarbanes-Oxley Act of 2002: http://www.law.uc.edu/CCL/SOact/soact.pdf
24 Building a Global SAS 70 Model: http://www.pwc.com/gx/eng/about/svcs/corporatereporting/GlobalSAS.pdf

Regulatory controls may also work closely with the risk criteria introduced by the location of data. The use of a service provider to store or process data outside of the consumer’s country may introduce regulatory controls that must be satisfied.

4.4 Physical Location of Data

Cloud computing is, by its very definition, a dispersed commodity. Service providers such as Amazon26 and IBM27 deliver services from servers located on multiple sides of international borders. IBM, as a specific example, has more than nine data centers dedicated to cloud-based services in countries including China, South Africa,28 Brazil, India, South Korea, Vietnam,29 Japan,30 the UK and the US.31 The geographic distribution of IBM’s “cloud computing centers” results in data centers located on five different continents. Exhibit 4-3 identifies the locations where IBM has reported data centers used for its cloud-based services. The use of these servers may result in a variety of regulatory complications, especially for consumers in countries that have strict regulations on offshore outsourcing or offshore data storage.


Exhibit 4-3: Map of the Approximate Geographic Location of IBM’s “Cloud Computing Centers”

When dealing with data stored in multiple countries, it is possible that the local laws governing the servers in one country will contradict the laws for data storage, privacy and security of the consumer’s country. Legal analysis may be required to ensure complete compliance. For instance, the Chinese constitution provides for the privacy of information except where “state secrets or a criminal investigation is involved, police and other authorities can intercept communications as necessary,”32 which gives the Chinese government considerable latitude to monitor communications. If such acts contradict the consumer country’s regulations on privacy, utilizing a resource located in a Chinese data center could infringe on the regulations with which the consumer must comply.

25 HIPAA—General Information, Overview: http://www.cms.hhs.gov/hipaaGenInfo/
26 Amazon Simple Storage Service: http://aws.amazon.com/s3/#pricing
27 IBM Announces First Chinese Cloud Computing Center: http://www.chinatechnews.com/2008/02/04/6367-ibm-announces-first-chinese-cloud-computing-center/
28 IBM Opens Africa’s First “Cloud Computing” Center, Second Cloud Center in China: http://www-304.ibm.com/jct03001c/industries/education/us/detail/news/Q841946E49407E55.html
29 IBM Opens Four Cloud Computing Centers to Meet Growing Demand in Emerging Markets: http://www-03.ibm.com/press/us/en/pressrelease/25196.wss
30 IBM Launched Cloud Computing Center in Tokyo: http://www-03.ibm.com/press/us/en/pressrelease/24787.wss
31 https://www.ibm.com/developerworks/websphere/zones/hipods/

The more obvious solution of “use only data centers located in the consumer’s country” is more difficult than it may seem. Cloud-based service providers routinely deploy geographically distributed data centers to minimize network latency, provide redundancy and, in some cases, lower cost. Before giving sensitive data to a service provider, the consumer should investigate whether the service provider uses data centers in multiple countries and, if so, whether the service provider can restrict the consumer’s data to a data store located in a country compatible with the regulations by which the consumer is bound. Failure on the part of the consumer to perform this due diligence can lead to the risk of violating local regulations and the risk of foreign governments obtaining sensitive information.

4.5 Service Availability

Cloud computing, like any external service, requires a high degree of availability to prevent an adverse impact on business operations. When using a cloud computing service provider for any business-critical function, consumers must evaluate the risk associated with loss of connectivity to that provider. Without a sustained network connection between the service provider and the consumer, the consumer is isolated from a potentially critical enterprise resource. Using the generic network topology that exists between a cloud-based service provider and the consumer, as seen in Exhibit 4-4, risk analysis can identify several points of failure that pose a significant risk. From the network topology perspective, the following risk points are evident:

• The service provider’s resources (servers, internal networks and storage media)
• The service provider’s connection to the Internet (service provider’s ISP connection)
• The Internet infrastructure (intermediate ISPs)
• The consumer’s connection to the Internet (consumer’s ISP connection)
• The consumer’s internal network infrastructure (consumer’s internal firewalls, routers and LANs)
• The global and local domain name system (DNS) infrastructure

32 Data Protection and Privacy Issues in China: http://www.hg.org/article.asp?id=5340


Each of the risk points related to the network topology of Exhibit 4-4 can have an immediate and devastating impact on a consumer’s ability to perform critical business functions that rely on cloud-based services. One of the risk points, a failure of the entire Internet infrastructure, has a very low probability of occurring: an immediate and sustained failure of the Internet as a whole is highly unlikely, so that risk is negligible.

Starting with the consumer’s risk points, consumers can mitigate the risk of a sustained network outage by having more than one path to the Internet. This typically results in more than one ISP providing an uplink to the Internet. Internally, consumers should ensure that their network infrastructures use best practices to provide a high degree of network reliability.

When assessing the reliability and, by extension, the availability of the services provided by a cloud-based service provider, a consumer should ask the service provider what safeguards it uses to ensure sufficient availability. The use of multiple data centers in more than one geographic location reduces the risk of a single site failure adversely affecting the consumer, provided the service provider has established a disaster recovery plan that keeps downtime negligible. Consumers should find a service provider that is willing to establish a service-level agreement (SLA). The SLA provides legal recourse should the service provider be unable to meet the agreed-upon availability metrics. Of course, legal recourse by itself does not reduce the risk associated with insufficient availability, but finding a service provider that is willing to commit to availability metrics may indicate that the service provider has a high level of confidence in its ability to provide the requested resource.

Exhibit 4-4: Risk Points in the Cloud Computing Infrastructure

The consumer should establish SLAs not only for the uptime of the service provider’s network but also for the resources the consumer uses. Most large, cloud-based service providers have sufficient hardware available to meet the demands of the service provider’s consumers without any one consumer noticing a performance impact. Consumers should establish SLAs to reduce the risks that the service provider will not allocate sufficient resources to meet the demands of the consumers. Establishing the nominal- and peak-demand metrics expected of the service provider by the consumer allows the service provider and consumer to determine the likelihood of a performance or availability incident.

One aspect of the network topology that consumers frequently overlook is the DNS infrastructure. Unless the consumer uses IP addresses exclusively to access a cloud-based service, the consumer relies on the DNS infrastructure to resolve the host name in the service’s URL to an IP address. If the DNS infrastructure were to fail due to attack or misconfiguration, the consumer would be unable to reach the service provider’s resource. Failure of the DNS infrastructure is a very real risk33 that consumers should consider when evaluating the use of cloud-based services overall, not just for a single service provider.
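Between the two extremes of resolving on every request and hard-coding IP addresses sits a last-known-good resolver: it uses live DNS while DNS works and falls back to the most recent successful answer, for a bounded time, when it does not. The following Go program is an added example, not code from the report. The LKGResolver type, the six-hour staleness bound and the simulated resolver outage in main are assumptions made for the example; in production the injected lookup would be net.DefaultResolver.LookupIPAddr.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// Lookup is the live resolver the cache wraps. In production this is
// net.DefaultResolver.LookupIPAddr; main below injects a stub that fails.
type Lookup func(ctx context.Context, host string) ([]net.IPAddr, error)

type entry struct {
	addrs    []net.IPAddr
	resolved time.Time
}

// LKGResolver answers from live DNS while it works and from the last
// successful answer when it does not, so a resolver outage degrades to a
// stale address instead of a hard failure. A stale answer is served only
// while it is younger than MaxStale; after that the live error is returned.
type LKGResolver struct {
	lookup   Lookup
	MaxStale time.Duration
	Now      func() time.Time // overridable clock, used by tests
	mu       sync.Mutex
	cache    map[string]entry
}

func NewLKGResolver(lookup Lookup, maxStale time.Duration) *LKGResolver {
	return &LKGResolver{lookup: lookup, MaxStale: maxStale, Now: time.Now, cache: map[string]entry{}}
}

// Resolve returns the addresses for host and reports whether they came from
// the stale cache rather than a live answer, so callers can log or alert.
func (r *LKGResolver) Resolve(ctx context.Context, host string) (addrs []net.IPAddr, stale bool, err error) {
	addrs, err = r.lookup(ctx, host)
	if err == nil && len(addrs) > 0 {
		r.mu.Lock()
		r.cache[host] = entry{addrs: addrs, resolved: r.Now()}
		r.mu.Unlock()
		return addrs, false, nil
	}
	if err == nil {
		err = errors.New("empty DNS answer")
	}
	r.mu.Lock()
	e, ok := r.cache[host]
	r.mu.Unlock()
	if !ok || r.Now().Sub(e.resolved) > r.MaxStale {
		return nil, false, err
	}
	return e.addrs, true, nil
}

func main() {
	// Constructed outage: the first lookup succeeds, every later one fails.
	calls := 0
	flaky := func(ctx context.Context, host string) ([]net.IPAddr, error) {
		calls++
		if calls > 1 {
			return nil, errors.New("SERVFAIL (simulated resolver outage)")
		}
		return []net.IPAddr{{IP: net.ParseIP("198.51.100.10")}}, nil
	}
	r := NewLKGResolver(flaky, 6*time.Hour)
	for i := 1; i <= 2; i++ {
		addrs, stale, err := r.Resolve(context.Background(), "storage.example.com")
		fmt.Printf("attempt %d: addrs=%v stale=%v err=%v\n", i, addrs, stale, err)
	}
}
```

Serving a stale address does not weaken authentication of the endpoint, because TLS certificate validation is against the host name rather than the address; the residual risk is connecting to an address the provider has since reassigned, which is why the staleness bound is short and the stale flag is returned to the caller.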

4.6 Recovery

One of the selling points for many cloud computing service providers is the offloading of data retention and backup services. A sophisticated data retention and backup system can cost an enterprise a significant amount of capital, but typically, business leaders compare this investment to the potential monetary loss associated with the loss of the business data. The replication of critical infrastructure is another substantial cost business leaders weigh against a disaster scenario and the resulting monetary loss. When a cloud computing service provider is being used to store data (sensitive, critical or public), the risk associated with the loss of the data must be evaluated.

Consumers should evaluate cloud computing service providers on not only their data recovery services but on whether the provider replicates data to more than one site in the event that a disaster renders the provider’s site non-operational. Of course, the evaluation of multiple site replications, if deemed a substantial risk by the consumer, goes hand in hand with the evaluation of the data segregation, privileged user access and the physical location of data risk criteria. The evaluation of multiple sites for infrastructure recovery after a site disaster also relates to the risk associated with availability.

33 Researchers Unleash DNS Attack Code: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110622


Service providers should give consumers a reasonable estimate of the downtime associated with replicating a failed cloud computing data center to a backup site. Ideally, service providers should have the ability to replicate data across multiple sites so that a site failure causes little or no downtime. Some providers, such as GoGrid, offer only a single site [34], leaving the risk that a natural disaster such as an earthquake would render the service provider’s facility inoperable with no available recovery sites. Such an event would leave consumers disconnected from potentially critical business services.

Improper data storage or infrastructure communication failures can introduce the risk of data corruption. Consumers should inquire whether the service provider retains more than a single backup of the consumer’s data. In the event that a consumer’s data is corrupted, the ability to recover data from several days before the discovery of the corruption may prove invaluable to restoring the data with its original integrity. Service providers should commit to a time period for such a recovery operation so that consumers can determine the risks associated with potentially lengthy service downtime while data is recovered.
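The point about retaining more than one backup, and recovering a copy taken before the corruption was noticed, can be made concrete. The following Python model is an added example, not code from the iDefense report or from any provider named in it; the VersionedStore class, its keep_days retention policy, the per-copy SHA-256 digest recorded on the consumer side before the copy is sent, and the constructed ledger.db scenario are all assumptions made for this illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Digest recorded for each copy; computed before the copy leaves the consumer."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupVersion:
    taken: date      # day the copy was taken
    payload: bytes   # the stored copy, as held by the provider
    digest: str      # digest recorded at backup time, kept apart from the payload


class VersionedStore:
    """Retains the newest `keep_days` daily copies of each object (assumed policy)."""

    def __init__(self, keep_days: int = 7) -> None:
        if keep_days < 1:
            raise ValueError("keep_days must be at least 1")
        self.keep_days = keep_days
        self._versions: Dict[str, List[BackupVersion]] = {}

    def backup(self, name: str, payload: bytes, taken: date) -> None:
        versions = self._versions.setdefault(name, [])
        versions.append(BackupVersion(taken, payload, sha256_hex(payload)))
        versions.sort(key=lambda v: v.taken)
        del versions[:-self.keep_days]   # retention: drop copies beyond the newest keep_days

    def versions(self, name: str) -> List[BackupVersion]:
        return list(self._versions.get(name, []))

    @staticmethod
    def verify(version: BackupVersion) -> bool:
        """A copy is intact when its payload still matches the digest recorded for it."""
        return sha256_hex(version.payload) == version.digest

    def simulate_corruption(self, name: str, taken: date, damaged: bytes) -> None:
        """Test helper: overwrite a stored payload in place, as a storage fault would."""
        for v in self._versions.get(name, []):
            if v.taken == taken:
                v.payload = damaged

    def latest_intact(self, name: str, before: Optional[date] = None) -> Optional[BackupVersion]:
        """Newest copy (optionally taken before `before`) whose digest still verifies."""
        for v in reversed(self._versions.get(name, [])):
            if before is not None and v.taken >= before:
                continue
            if self.verify(v):
                return v
        return None


def demo() -> dict:
    """Constructed scenario: ten daily copies of ledger.db, the last three silently damaged."""
    day0 = date(2009, 4, 1)
    damaged = b"\x00" * 16

    multi = VersionedStore(keep_days=7)    # provider keeping a week of copies
    single = VersionedStore(keep_days=1)   # provider keeping only the latest copy
    for i in range(10):
        payload = f"ledger v{i}".encode()
        multi.backup("ledger.db", payload, day0 + timedelta(days=i))
        single.backup("ledger.db", payload, day0 + timedelta(days=i))
    for i in (7, 8, 9):
        multi.simulate_corruption("ledger.db", day0 + timedelta(days=i), damaged)
    single.simulate_corruption("ledger.db", day0 + timedelta(days=9), damaged)

    discovered = day0 + timedelta(days=9)  # day the corruption was noticed
    recovered = multi.latest_intact("ledger.db", before=discovered)
    retained = multi.versions("ledger.db")
    return {
        "retained_copies": len(retained),
        "oldest_retained": retained[0].taken.isoformat(),
        "recovered_from": recovered.taken.isoformat() if recovered else None,
        "recovered_payload": recovered.payload if recovered else None,
        "single_copy_recoverable": single.latest_intact("ledger.db") is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With a week of copies the store walks back past the three damaged days and recovers the copy taken three days before the corruption was discovered; the single-copy store holds only the damaged payload and has nothing to recover, which is exactly the gap the consumer's inquiry about multiple backups is meant to expose.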

4.7 Investigative Support

Many corporations have internal incident-response personnel responsible for handling data incidents such as data theft, unauthorized data modification, and policy and regulatory violations. The response to such events is an investigation that requires the incident-response personnel to access a variety of logs, data files and other sensitive information needed to determine the depth, timeline and actors involved in an incident. When such events occur within the confines of the enterprise network, investigations generally do not require a significant amount of administrative overhead; however, when a cloud-based service provider retains the sensitive data, previously unforeseen obstacles can hinder an investigation.

Service providers that retain access logs and other data necessary for an investigation may do so for multiple consumers at once, given the shared nature of the infrastructure. This shared landscape could leave the service provider unwilling or unable to provide the necessary information in a timely manner if prior contractual arrangements are not in place. Enterprises should evaluate the risk of a stalled incident investigation and prepare to handle such investigations when they arise.

Consumers should establish a set of policies, procedures and expectations with a service provider related to incident-response operations prior to the consumer offloading resources to the service provider. Clearly establishing the expectations of the service provider’s own incident-response service may prevent unfortunate hindrances at the time of a real incident-response situation.

Service providers that are unable or unwilling to establish incident-response procedures for a consumer may represent a risk to consumers that require timely incident-response support.

[34] GoGrid’s San Francisco Data Center: http://www.gogrid.com/company/facilities.php


4.8 Viability and Longevity

Placing data within the infrastructure of a service provider means that the consumer has established a level of trust that the provider will exist and operate for as long as the data is viable. When evaluating the viability and longevity of a provider, it is imperative to consider whether the provider might close down its services abruptly, as the resulting loss of data and services can be devastating to an enterprise. A provider ending its services also forces the consumer to spend additional time and resources integrating a replacement service.

As part of the evaluation process when determining the risk of a service provider “going dark,” consumers should ask the service provider how, and in what format, it returns data in the event that it ceases operations.

Consumers should review the history of a service provider and the investment the service provider has put into its services. Service providers with proven histories of longevity may represent less risk, whereas a startup with no record of longevity may represent a higher risk. Consumers should understand that a historical record of longevity is only an indicator of the risk potential, not a guarantee of low risk. Companies with lengthy histories can fail during economic downturns. Consumers should assume that a chosen service provider will eventually fail and should have contingency plans in place to reduce the risk of such an event to a suitable level.

4.9 Identifying Key Risks

The preceding sections of this chapter identified and offered mitigation strategies for various risks associated with cloud-based services. To conclude the chapter, it is necessary to distill the information into a set of key risk factors that consumers should consider when evaluating cloud-based services and cloud-based service providers. The list of key risk factors, shown in Exhibit 4-5, is by no means inclusive of all risk factors, as specific cloud-based services may have unique risks associated with the type of service offered. The list in Exhibit 4-5 applies to the generic cloud computing model, offering a consumer a broad understanding of the risk factors involved. The majority of the risks identified in Exhibit 4-5 have occurred to at least one service provider in the past two years, with some occurring since the beginning of 2009.


Risk: DoS Against Service Provider
Risk Criteria: Service Availability
Explanation: When an attacker leverages a denial of service (DoS) attack against a service provider, the consumer is no longer able to access the service or the service’s resources. DoS attacks or distributed denial of service (DDoS) attacks have occurred against service providers as recently as March 2009.

Risk: DNS Failure
Risk Criteria: Service Availability
Explanation: DNS failures prevent consumers from resolving the domain name of a service provider. The inability to resolve the service provider’s address prevents a consumer from accessing the service, effectively disconnecting the consumer from the service and the service’s resources. Attacks against a DNS server or servers associated with a service provider’s domain or a top-level domain have the same effect as a standard DNS failure. Such attacks have occurred as recently as April 2009.
Source: http://isc.sans.org/diary.html?storyid=6121

Risk: Consumer Network Disconnect
Risk Criteria: Service Availability
Explanation: The use of a resource located on the Internet, by its very nature, requires the consumer of the resource to have a constant connection to the service provider of the resource. This reliance on a reliable Internet connection introduces the risk that the connection may at some point in time fail. A failure of this type on the consumer’s network affects not only access to the cloud-based service but any other Internet service such as e-mail and general Web traffic. When a consumer’s local network is disconnected from the Internet for whatever reason, the impact to the consumer’s business operations can be severe, if not catastrophic.

Risk: Service Provider Network Disconnect
Risk Criteria: Service Availability
Explanation: Similar to the impact associated with a consumer’s disconnect from the Internet, a service provider’s disconnect from the Internet affects a much larger audience. A service provider’s loss of connectivity to the Internet can cripple business-critical resources for each consumer that relies on the service provider. The use of geographically diverse server locations with diverse Internet connections reduces the risk associated with a service provider’s loss of connectivity in the event of a single local network failure at the provider.

Risk: Non-Sensitive Data Loss/Exposure
Risk Criteria: Segregation of Data/Privilege Access Control
Explanation: Data exposure or data loss can be detrimental to a consumer, even when the consumer considers the data non-sensitive. When a consumer places his or her data within the network of a cloud-based service provider, the consumer establishes a level of trust with the service that the data is safe from exposure and loss. Unfortunately, this trust is occasionally broken, resulting in the potential for significant damage to a consumer’s intellectual property or reputation. Data exposure events have occurred in the Google Docs SaaS product as recently as April 2009. In 2007, Carbonite, a cloud-based PaaS storage service, lost the data of 54 consumers due to a hardware failure.
Sources: http://www.techcrunch.com/2009/03/07/huge-google-privacy-blunder-shares-your-docs-without-permission/; http://www.washingtonpost.com/wp-dyn/content/article/2009/03/26/AR2009032601120.html; http://adrianstech.com/03/2009/carbonite-sues-hardware-sellers-for-lost-data/

Risk: Sensitive Data Loss/Exposure
Risk Criteria: Segregation of Data/Privilege Access Control
Explanation: As a consumer entrusts sensitive data to a service provider, the sensitive nature of the data amplifies the impact from the exposure or loss of the data. As a result, sensitive data loss or exposure represents a unique risk, independent of the loss or exposure of non-sensitive data.

Risk: Provider Shutdown
Risk Criteria: Viability and Longevity
Explanation: Consumers who place critical resources such as data or applications in a cloud-based service provider’s infrastructure become acutely dependent on the survival of that service provider. If the service provider were to terminate services abruptly, the consumer would be forced to rapidly integrate his or her resource with another service provider or risk substantial downtime that may affect the consumer’s business operations. An example of such an event is found in AOL's Xdrive, known for its cloud storage services. Xdrive notified consumers in late October 2008 that it would be closing down on Dec. 31, 2008, but later pushed that date back to Jan. 12, 2009. After the Jan. 12, 2009, deadline, Xdrive permanently deleted all accounts, denying consumers access to the service and any remaining data the consumer left on the Xdrive systems. This event forced consumers of the Xdrive service to find a way to retrieve their data rapidly and move the data to a new provider.
Sources: http://dev.aol.com/forum?c=showthread&ThreadID=707; http://www.xdrive.com/closingfaqs/

Risk: Incident Response Failure
Risk Criteria: Investigative Support
Explanation: It is important to have a team in place to provide immediate incident response when a data breach, data loss or service failure occurs. With cloud-based service providers, the service provider can significantly restrict the incident-response procedures typically handled by the consumer’s personnel. Because service providers handle the resources of multiple consumers, they may not be able to resolve a consumer’s inquiries for logging information and forensic data retrieval quickly. This lack of transparency can have a devastating effect on an incident response.

Exhibit 4-5: Key Risks of Using Cloud Computing

4.10 Risk Quantification

The previous chapters defined the notion of cloud computing and evaluated the various risks that may arise from the use of the technology. To obtain perspective on the risks identified, it is important to quantify, as best as possible, the impact the risks pose and the likelihood of these risks occurring. By plotting the risks as the product of likelihood and impact, one can quickly obtain a visual understanding of the key risks involved with cloud computing. Exhibit 4-6 depicts this quantification for the generic cloud computing service model when using a public cloud service provider. Of the eight unique risks identified in Exhibit 4-6, five have occurred to at least one major provider in the last two years: DDoS Against Service Provider, Non-Sensitive Data Loss/Exposure, Sensitive Data Loss/Exposure, DNS Failure and Provider Shutdown.

Each cloud-based service may deviate slightly from the quantification identified in Exhibit 4-6 based on the nature of the service provided. For instance, when a consumer uses a cloud-based service provider (a PaaS in this example) to deliver content to the consumer’s own customers, the impact of the consumer experiencing an Internet disconnect is negligible (“none”), which contradicts the “Consumer Network Disconnect” risk rating depicted in Exhibit 4-6. Therefore, it is important for analysts to understand that the risk matrix is a guideline for the generic cloud computing technology and not necessarily accurate for all cloud computing services available. A level of user intuition is required to make an appropriate assessment.

The definitions of the likelihood ratings appear in Exhibit 4-7.



Exhibit 4-6: Cloud Computing Risk Matrix (likelihood plotted against consequence). Ratings shown in the matrix:

Non-sensitive Data Loss / Exposure: HIGH
Consumer Network Disconnect: MEDIUM
Service Provider Network Disconnect: MEDIUM
DDoS Against Service Provider: HIGH
Provider Shutdown: HIGH
DNS Failure: HIGH
Sensitive Data Loss / Exposure: HIGH
Incident Response Failure: MEDIUM

Exhibit 4-7: Risk Likelihood Ratings

Level  Rating              Description
5      Almost Certain      95 percent or greater probability of the event occurring during the next 12 months
4      Likely              Less than 95 percent probability of the event occurring during the next 12 months
3      Possible            Less than 50 percent probability of the event occurring during the next 12 months
2      Unlikely            Less than 20 percent probability of the event occurring during the next 12 months
1      Extremely Unlikely  Less than 5 percent probability of the event occurring during the next 12 months
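The likelihood scale of Exhibit 4-7 and the likelihood-times-consequence scoring described in Section 4.10 can be encoded directly, which also makes the section's point about service-specific deviations easy to reproduce. The following Python is an added example, not part of the report; the 1-to-5 consequence scale, the HIGH/MEDIUM/LOW score bands, and the probability and consequence figures in example_register are assumptions chosen for illustration and are not the ratings shown in Exhibit 4-6.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Exhibit 4-7 rating names, keyed by level
LIKELIHOOD_NAMES = {
    5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Extremely Unlikely",
}


def likelihood_level(probability: float) -> int:
    """Map an estimated 12-month probability (0..1) to the Exhibit 4-7 level."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if probability >= 0.95:
        return 5   # Almost Certain: 95 percent or greater
    if probability >= 0.50:
        return 4   # Likely: less than 95 percent
    if probability >= 0.20:
        return 3   # Possible: less than 50 percent
    if probability >= 0.05:
        return 2   # Unlikely: less than 20 percent
    return 1       # Extremely Unlikely: less than 5 percent


def band(score: int) -> str:
    """Assumed bands over the 1..25 product; the report does not define these thresholds."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


@dataclass
class Risk:
    name: str
    criteria: str        # risk criterion from Exhibit 4-5
    probability: float   # estimated probability of occurrence in the next 12 months
    consequence: int     # assumed 1 (negligible) .. 5 (catastrophic) impact scale

    def __post_init__(self) -> None:
        if not 1 <= self.consequence <= 5:
            raise ValueError("consequence must be between 1 and 5")

    @property
    def likelihood(self) -> int:
        return likelihood_level(self.probability)

    @property
    def score(self) -> int:
        # Section 4.10: each risk is plotted as the product of likelihood and impact
        return self.likelihood * self.consequence


def assess(risks: List[Risk]) -> List[Tuple[str, int, int, int, str]]:
    """Rank risks by score, highest first; ties broken by name."""
    ranked = sorted(risks, key=lambda r: (-r.score, r.name))
    return [(r.name, r.likelihood, r.consequence, r.score, band(r.score)) for r in ranked]


def example_register(content_delivery: bool = False) -> List[Risk]:
    """Constructed inputs for the eight Exhibit 4-5 risks (illustrative figures only).

    With content_delivery=True the consumer's own Internet disconnect has a
    negligible consequence, the PaaS content-delivery case Section 4.10 describes.
    """
    consumer_disconnect_impact = 1 if content_delivery else 4
    avail, seg = "Service Availability", "Segregation of Data/Privilege Access Control"
    return [
        Risk("DDoS Against Service Provider", avail, 0.60, 4),
        Risk("DNS Failure", avail, 0.30, 4),
        Risk("Consumer Network Disconnect", avail, 0.55, consumer_disconnect_impact),
        Risk("Service Provider Network Disconnect", avail, 0.25, 4),
        Risk("Non-Sensitive Data Loss/Exposure", seg, 0.40, 3),
        Risk("Sensitive Data Loss/Exposure", seg, 0.15, 5),
        Risk("Provider Shutdown", "Viability and Longevity", 0.10, 5),
        Risk("Incident Response Failure", "Investigative Support", 0.45, 3),
    ]


if __name__ == "__main__":
    for name, lik, cons, score, rating in assess(example_register()):
        print(f"{name:40} L{lik} ({LIKELIHOOD_NAMES[lik]}) x C{cons} = {score:2} {rating}")
```

Running the register twice, once generically and once with content_delivery=True, shows the same risk moving from the top of the ranking to the bottom on a change of consequence alone, which is why the report treats the matrix as a guideline rather than a fixed rating.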


5 Conclusions

Cloud computing offers an enterprise an attractive set of options for data and application services. Cloud computing provides a means for replacing the cost of infrastructure and infrastructure administration with the lower cost of paying for services in a fashion similar to paying for utilities. On the other hand, cloud computing introduces the possibility of new, unexpected risks to an enterprise. When data is stored on a local network, the enterprise responsible for that data has complete control over how employees access the data and, in the event of a breach, has full access to perform any necessary incident-response operations. When a company offloads the data to a third-party provider, the data is no longer in the physical possession of the data owner. This fact alone makes incident response extremely difficult. While many of the large cloud computing companies have long-standing reputations and have implemented a vast array of security protocols to safeguard data, the fact remains that potentially sensitive data is in the possession of a third party.

One of the advantages of cloud computing solutions that provide data storage and retrieval services is that the enterprise no longer must deal with the data-handling administration associated with large-scale data storage solutions. The downside is that if the service provider were to terminate its storage services, the consumer would be required to perform an excessive amount of work to recover the data stored in the cloud. Even well-known companies, such as AOL, started storage solutions in the cloud and later terminated their services. This fact indicates that there is no guarantee that a storage provider will remain in operation indefinitely. Organizations should maintain local backups of all data sent to a cloud-based service provider’s infrastructure in the event that a provider abruptly shuts its doors.

The most obvious downside of cloud computing is the reliance on an always-available Internet connection. While it is fair to say that any small- to large-scale company has a 24/7 reliance on the Internet, the introduction of cloud computing adds emphasis to this requirement. Typically, in the event of an Internet connection failure, at least a minimal set of business operations can continue because applications operate on the local workstations and servers. When an enterprise houses these applications on a remote server, an Internet failure can be catastrophic to the productivity of a business until the network administrators restore the Internet connectivity.

When using a cloud computing service provider, the provider’s infrastructure is just as important as the infrastructure that supports the enterprise using the cloud services. The service provider must demonstrate a sufficiently robust and redundant infrastructure capable of sustaining a severe physical or logistical disaster without service interruption. The geographically and logistically dispersed infrastructure provided by the many data centers Amazon uses bolsters its suite of services. GoGrid, on the other hand, has a single data center located close to an active earthquake fault line, which increases the likelihood of a major outage resulting from electrical, network and environmental disasters.

When considering placing sensitive data in the cloud, it is important to understand that the lack of physical control over that data places the data at significant risk. Amazon, for instance, plainly states that it does not encrypt the data it stores. Sensitive information should not be stored in the cloud. Typically, all client data resides in the same database or file system within the service provider’s infrastructure, raising the potential for accidental data exposure. Ultimately, the decision to use cloud computing should come down to the acceptance of the level of risk associated with any particular cloud computing service. Businesses must accept the risks associated with any type of infrastructure, whether local or in the cloud. If the cost savings associated with the use of cloud computing services are suitable when compared to the cost of the data being lost or exposed, then cloud computing may provide an attractive alternative infrastructure.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for iDefense customers and personnel only. The reproduction and distribution of this material is forbidden without express written permission from iDefense.