Security Risks of Moving to the Cloud – Risk Assessment (Part 1)

The Cloud Migration

In some of my earlier blog posts in Sept’10, I shared industry and analyst findings that indicate the growing interest of organizations of various sizes in moving their IT operations and business to cloud services. I also pointed out the wave of migration and deployment requirements that such organizations may face.

There are significant discussions happening across the industry that ‘security’ is the #1 barrier or deterrent to embracing and adopting cloud computing. Some say cloud security fears are overblown, and Cisco’s CEO calls ‘Cloud computing’ a security nightmare!

State of Affairs

A few months ago, IT World published an article about a Gartner report stating that cloud computing is fraught with security risks. Gartner has identified seven critical risks that cloud customers should raise with vendors before selecting a cloud vendor. The seven risks are:

  1. Privileged User access
  2. Regulatory compliance
  3. Data location
  4. Data Segregation
  5. Recovery
  6. Investigative Support
  7. Long term viability

Let’s now look at the other state of affairs. Veracode, a leading security solutions firm, reported recently that there have been multiple new zero-day vulnerabilities reported. You can read the news article here.

Following is a summary of key findings:

  • More than half of all software failed to meet an acceptable level of security – 57 percent of all applications were found to have unacceptable application security quality on first submission to Veracode’s testing service, even when standards were lowered for those considered less business critical.
  • 3rd party code is the culprit behind Operation Aurora, Siemens Stuxnet and others. It is to be noted that third-party code is an essential and rapidly growing part of an enterprise’s software portfolio, making up nearly 30 percent of all applications submitted to Veracode for review, with third-party components comprising between 30-70 percent of internally developed applications.
    • Of particular note, third-party suppliers failed to achieve acceptable security standards 81 percent of the time.
  • Cloud/web applications were the most requested third-party assessments – Suppliers of cloud/web applications made up nearly 60 percent of all third-party assessments requested of Veracode. Similar to the results of testing other types of third-party software, cloud/web applications show low levels of acceptable security.
  • Eight out of 10 web applications would fail a PCI audit – Based on automated analysis, Veracode found that eight out of 10 web applications failed to comply with the OWASP Top 10 industry standard for security quality, and therefore would not pass a PCI audit.
  • 56 percent of finance-related applications failed upon first submission to Veracode’s testing service. Analysis shows that software quality of applications from banking, insurance and financial services industries is not commensurate with the security requirements expected for business critical applications, though the financial services industry performed better than banking and insurance overall.
  • Cross-site scripting remains prevalent, accounting for 51 percent of all vulnerabilities uncovered in the testing process; .NET applications exhibited abnormally high cross-site scripting vulnerabilities. Additionally, “potential backdoors” broke into the top 10 most common vulnerabilities.

Top Security Risks for You to Assess

1. Risk Assessment from a Cloud Service provider perspective
2. Risk Assessment from a Systems & Software perspective

Risk Assessment from a Cloud Service provider perspective

  • Loss of Governance in using a specific Cloud service
    • Evaluate whether you necessarily have to yield or surrender a lot of control to the Cloud service provider (CSP) on a number of aspects and issues. Such higher dependencies may affect security. Also, evaluate the SLAs and commitments offered to you as a part of such a dependency. A nil or lower commitment adds to the risk.
  • Isolation Failure
    • Multi-tenancy and shared resources are inherent features of the cloud computing model. This risk is attributed to the failure of mechanisms separating storage, memory, routing and reputation between different tenants (e.g., guest-hopping attacks). However, typical attacks on resource isolation mechanisms (e.g., against hypervisors) are fewer than attacks on traditional operating systems.
  • Compliance Risks
    • Certifications based on industry standards or regulatory requirements may be put at risk by migration to the cloud if the CSP cannot provide evidence of its own compliance, or if the CSP does not permit audit by a cloud customer. This could make deployment on public cloud infrastructures more risky, as such provisions may not be available.
  • Management Interfaces in Public Clouds
    • Public cloud providers expose customers’ access and management interfaces through the Internet, and these interfaces mediate access to a number of other resources. This poses an increased risk, when combined with remote access and web browser vulnerabilities, if a compromise is made.
  • Data Protection: Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for a customer to effectively check the data handling practices of the cloud provider. On the other hand, some cloud providers provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the related data controls they have in place, e.g., SAS70 certification.
  • Intercepting Data in Traffic: Cloud computing models typically have more data in transit between cloud infrastructure and remote systems. Most use of public clouds, and even of some private clouds, does not take place in a secure VPN-like connection environment. Sniffing, spoofing, man-in-the-middle and side-channel attacks should be considered as possible threat sources. Moreover, in some cases a cloud provider does not offer a confidentiality or non-disclosure clause, or these clauses are not sufficient to guarantee respect for the protection of the customer’s secret information and ‘know-how’ that will circulate in the ‘cloud’.
  • Insecure/Incomplete Data deletion: When a request to delete a cloud resource is made, as with most operating systems, it may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources on the cloud, this represents a higher risk than with dedicated computing systems.

As much as possible, in your risk assessment pursuits with regard to moving to the cloud, evaluate the possibilities of transferring a risk to the cloud service provider (CSP). If any of the risks leads to the failure of your business, serious damage to reputation or legal implications may arise, and it will become hard to compensate for this damage. Ultimately, while you can outsource responsibility with most of the CSPs, the scope for outsourcing accountability is low unless a CSP offers SLAs taking ownership.

Also look at de-risking by planning your deployment on more than one cloud service provider (CSP). You may read this interesting article on InformationWeek that explores such a scenario.

Risk Assessment from a Systems & Software perspective

Now, once you have selected a cloud service provider to deploy your software products or applications, the onus is on you to make sure that your IT deployment, and then the intended operations on the cloud, pose low or no risk to your business. The state of affairs and the details cited above from the Veracode survey indicate the glaring holes and the comprehensive need for making your software safe.

Here are some of my own recommendations to assess such risks:

1. Make the Cloud deployment configuration secure

The Cloud Services Provider (CSP) should provide you with all the information and processes on leveraging the Cloud’s security features and best practices. For example, Amazon provides exhaustive information in its document Amazon AWS – Overview of Security Processes. Also use the support services provided by the CSPs to discuss your (specific) requirements.

2. Plan to isolate your deployment(s) on the Cloud

  • Plan your system for maximum security when deploying applications to the cloud, especially when you are deploying internet-facing applications. For example, you can deploy a virtual server bound to a public IP address, which gives you one interface acting as a standard firewall appliance. Its other interface can be placed on the network used by your servers in the cloud. This allows you to define rules, services, and policies for how public internet access is granted to resources in the cloud. This can be immensely powerful, as you can include services like VPN, DHCP, dynamic DNS, proxies, full firewall rule sets, and logging in cloud deployments. This way, you’re no longer limited by the set of functions that a cloud provider offers for control of firewall resources.
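
The kind of rule set such a gateway enforces can be reviewed before it goes live. The following is an added example, not part of the original post: it models a first-match, default-deny policy and flags allow rules that open administrative or database ports to any source. The addresses, rules and `SENSITIVE_PORTS` list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination TCP port; None means any port

# Constructed sample policy: the private side of the gateway is 10.0.1.0/24.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),      # public HTTPS to the web server
    Rule("allow", "198.51.100.0/24", "10.0.1.0/24", 22),  # SSH from one admin range only
    Rule("allow", "0.0.0.0/0", "10.0.1.20/32", 3306),     # mistake: database open to everyone
]
SENSITIVE_PORTS = {22, 3306, 3389, 5432}  # assumed list of admin/database ports

def matches(rule, src_ip, dst_ip, port):
    """True when the flow falls inside the rule's source, destination and port."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, port))

def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"

def audit(rules):
    """Return allow rules that expose sensitive ports (or all ports) to any source."""
    findings = []
    for rule in rules:
        open_to_world = ipaddress.ip_network(rule.src).prefixlen == 0
        risky_port = rule.port is None or rule.port in SENSITIVE_PORTS
        if rule.action == "allow" and open_to_world and risky_port:
            findings.append(rule)
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print("exposed to the internet:", finding)
```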

3. Scan your Application code for Vulnerabilities

  • Veracode’s survey reports and the metrics cited above indicate that significant application layer vulnerabilities are being overlooked. This is a ‘wake up call’ to the industry that strongly suggests the need to assess the risks of the application components and fix the application layer issues before they are deployed on the cloud. For instance, Veracode offers static and dynamic scanning for software application components (binaries).

4. Conduct Vulnerability Scanning at the System & Web Application level

  • To detect security vulnerabilities, configure your cloud in the intended environment and use suitable VA test tools, such as those from vendors like Qualys or McAfee, to find the gaps and take suitable remediation such as applying patches, making changes to your web server configuration or changing firewall rules. I have used on-demand VA scan tools from Qualys and EdgeOS (Perimeter security) and Nessus. On-demand VA solutions can help reduce your time to test.

5. Conduct a Manual or Automated Penetration test.

  • You have to understand that a sophisticated penetration test (PT) actually simulates the techniques used by hackers who look for vulnerabilities or loopholes and take advantage of any such condition to target and attack. A PT should be conducted on your system after you have made it fully safe by finding and fixing all the vulnerabilities. This essentially means a PT result should not indicate any higher risks on such a system. Please note that a penetration test is not conducted frequently (a VA is done more frequently, based on the changing trends in security breaches and vulnerabilities) and it is not done on a production system. If you happen to do a major upgrade later on your deployment, you may do a PT. I would suggest that you check with the cloud provider whether you can conduct a PT, so as to make sure that other shared cloud components do not get affected because of your PT; your CSP might also advise you on how to conduct it safely in their environment. Also check with the PT software vendor.
    • Companies like Veracode offer manual penetration testing, while companies like iViz offer sophisticated on-demand penetration testing.

To summarize,

  • Security risks in cloud computing may be high, especially when you are moving your IT applications/products to a public cloud. The risk is also high for you if you don’t approach your cloud deployment in a knowledgeable way.
  • Assessment of risks and mitigation is very critical to the success of moving your business to the cloud.
  • It is worth spending time and effort to evolve a comprehensive assessment and risk mitigation plan and, depending on your deployment situation, you may allocate suitable budgets to realise this.
  • Assessment of risks includes assessing the cloud service provider related security risks as well as your software and the pre-production test harness environment.
  • After your deployment, active risk management would also be needed, although we haven’t discussed this part.
  • If appropriate to your situation, you should look at de-risking strategies through diversifying your deployment to more than one cloud service provider, based on the security requirements, priorities, cost and other related conditions of your software portfolio.

In Part 2 of this subject, I am planning to share my thoughts on the various ways to lower or mitigate the security risks on the cloud.

As the Part-2 plans of this subject, I am planning to share my thoughts on the various ways to lower or mitigate the security risks on the Cloud.

References:

Cloud Computing: Benefits, Risks and Recommendations for Information Security, report (Nov 2009) by the European Network and Information Security Agency.


1 Response to Security Risks of Moving to the Cloud – Risk Assessment (Part 1)

  1. Hey Shankar that was an awesome analysis of the risks of moving to the cloud… I’m sure you would have experienced all these risks, as it is evident in your article…. Kudos!!!
