At last week's Black Hat USA conference in Las Vegas, a number of security researchers demonstrated new ways of attacking cloud computing services. One of the more notable presentations, "Clobbering the Cloud," looked at the vulnerabilities in Amazon's cloud infrastructure, Apple's MobileMe service, and Salesforce.com's cloud platform. Another demonstration showed how both Microsoft and Amazon used insecure methods for password retrieval. And still another presentation examined how the supposedly secure protocol SSL could be defeated.
But hacks alone aren't the only dangers to be found when moving to the cloud, as the Black Hat presentations quickly made clear. In reviewing the dangers brought up by the researchers, it was enough to make anyone wonder: is cloud computing putting us and our data at risk?
Cloud Danger #1: All Yours Eggs in One Basket
In Sensepost's presentation about cloud vulnerabilities (available here as a PowerPoint download), they make note of the fact that moving your data to a cloud service is the equivalent of "putting all your eggs in one basket." Not too long ago, we saw a perfect example of the worst-case scenario of doing just that. Earlier this year, social bookmarking site Ma.gnolia experienced a server crash that resulted in massive data loss - enough to shut down the service for good. Users' bookmarks were unrecoverable. Permanently.
While that incident may have had only a minimal impact on the world at large, Sensepost pointed out a few other examples that were much worse including that of online storage service MediaMax (also called The Linkup) which went out of business following a system administration error that deleted active customer data. Then there was the incident where Salesforce.com customers were locked out of their critical business applications during a service outage. And finally, they mentioned Nokia's Ovi crash which resulted in three weeks of lost user data as contacts simply disappeared from people's phones. There were no backups in place, either.
These incidents highlight some of the pitfalls that can come from trusting cloud services, and it's precisely for those reasons that enterprise IT is making the move at a much slower rate than consumers. This is especially true in heavily regulated industries where compliance is an issue. Sensepost's presentation quotes Tim Mather, RSA Security Strategist, on this point: "If it's non-regulated data, go ahead and explore. If it is regulated, hold on. I have not run across anyone comfortable putting sensitive/regulated data in the cloud."
Cloud Danger #2: Too Much Trust?
In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on Amazon's Elastic Compute Cloud (EC2). The first step is to create a new Amazon Machine Image (AMI) containing your applications, libraries, data, and other associated configuration settings. However, as an alternative, you could use a pre-configured templated image to get up and running quickly.
There's only one problem with that, though. While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were build by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.
Sensepost asks: Do people really just run machines other people create? Apparently, the answer is yes.
The rest of the presentation went on to demonstrate a hack that allowed them to steal others' machine time by setting up images that included "back doors" in them and tricking other EC2 customers into using those compromised images as their EC2 template.
Cloud Danger #3: Reliance on Passwords
Another issue with cloud computing services is that, despite the numerous protections built into a cloud service itself, any account is only as secure as the password used to access it. A recent example of the consequences of insecure passwords was seen during what has now become known as "Twittergate." The microblogging service Twitter had their online accounts accessed by a hacker and numerous sensitive corporate documents stolen. The documents were housed in Google's online web office service Google Docs. Although Google was not to blame for the break-in, the hack may not have ever occurred in the first place if documents were securely hosted on-site, behind a firewall. Instead, the entire company data was only one password crack away from discovery.
Password cracking is not the only threat from what is seemingly becoming a more and more archaic system for logging into online services. Weak password recovery systems are an issue, too. In a separate presentation at Black Hat, both Amazon and Microsoft's Online Services came under fire for having poor password recovery systems. That's something that should come as no surprise, Andy Cordial, Origin Storage's managing director, was quoted as saying:
"Password resetting and other security mechanisms in the cloud are always going to be a weak link, as long as user-friendliness comes ahead of security in the cloud computing beauty stakes. Expecting regular joes to whip out a two-factor authentication device for use with a cloud-driven service just isn't realistic. It's not going to happen."
But without more secure methods of gaining access to cloud services, users themselves are the weakest link. Of course, this issue is not new. IT administrators have struggled with users' lack of good security practices for years on end. Ever since computers required a password, in fact. However, the difference between a corporate network and an online account is that in a business environment, administrators can create server-enforced password policies that require users to make up passwords with certain minimum levels of complexity. They can also force users to reset their passwords on a regular basis. But in the cloud, a user could set their password to "fluffy" and never change it again.
Some cloud vendors are beginning to offer security policy control for their applications which would allow an IT admin to create and enforce stricter policies (like a secure password policy, for instance). Today, though, this is an area where many cloud applications are still lacking.
Cloud Danger #4: Encrypting Data in the Cloud
Alex Stamos, an iSec Partners researcher present at BlackHat brought up the issue of data encryption. He noted that many cloud providers do not offer encryption for their service. In a presentation done along with Andrew Becherer and Nathan Wilcox, they discussed a little-known flaw in virtual computing - virtual machines don't always have enough access to the random numbers needed to properly encrypt data. The details of this issue are highly technical, but fascinating, and the end result is that the very nature of virtual computing itself makes hacking simpler because it allows attackers to more easily guess the numbers used to generate the encryption keys.
Stamos admits that this problem isn't an immediate threat to cloud computing, but it does require more research. "It's certainly not a slam dunk," he says. "But we do think that you could potentially reduce the complexity enough that the encryption can be broken by a determined hacker."
Side note: Information Week has a good podcast interview with Stamos about this subject, too.
So, Is the Cloud Safe?
Considering the above issues, you may find yourself thinking twice about your reliance on cloud services. And if you listen to security analysts like John Pescatore of Gartner, you may be even more afraid. He was recently quoted in the Financial Times as saying:
"The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."
Yikes, right?
But is the cloud really all that bad? Is it any worse of a platform for computing than what we had before? In reality, probably not. Although the cloud will provide a new set of challenges and threats to deal with - and these will be more prevalent in the early stages of the transition - it doesn't necessarily present threats that are that dramatically worse than old-school on-site computing.
In the end, some cloud vendors will step up and make their cloud applications more secure, layering in security policies, encryption and the like while doing their best to mitigate the single-point-of-failure issues. Those vendors will eventually be rewarded for their efforts as more users, and then businesses, adopt their platform. Those that ignore the security issues will soon fall out of favor.
Today's cloud services may not be as secure as they should be, but in time they could easily rival any other computing platform... in fact, they may one day be considered more secure. Until then, though, users, and especially companies, should proceed with caution when moving to the cloud, making sure they're fully aware of not only the capabilities of the online service, but the risks as well.