Welcome!

@CloudExpo Authors: Pat Romanski, Zakia Bouachraoui, Yeshim Deniz, Liz McMillan, Elizabeth White

Related Topics: @CloudExpo

@CloudExpo: Article

Securing & Hacking the Cloud

Securing the cloud doesn't present radically new challenges

Often when those who say the cloud is too early or not ready for wide-scale enterprise usage they point to "security" as being a key concern. Although they are quick to point out the security of a third-party provider is an obvious point of weakness, they typically lack any specific examples of what these possible weak points actually are. So I thought I'd point out a few.

When looking at the potential vulnerabilities that cloud computing introduces, I typically recommend looking at the low-hanging fruit, the stuff that a novice user could exploit with little or no technical capabilities. Right now the simplest exploits involve something I call "cloud jacking" or "cloud hijacking". This is when a unscrupulous element takes either partial or complete control of your cloud infrastructure typically by using a simple automated exploit script (kiddie script). An example of this in action is found within the world of botnets in which an existing series of compromised computing resource are used to create an exploit map of the cloud.

The basic premise of "cloud exploit mapping" is to use a technique similar to that of Celestial navigation, which was a navigational positioning technique that was devised to help sailors cross the featureless oceans without having to rely on dead reckoning to enable them to strike land. Similarly cloud exploit mapping is used in order to navigate and locate the optimal targets for exploitation across the cloud. Once the potential vulnerable machines have been mapped, all a potential hacker needs to do is hijack a series of already exploited machines by crawling the structure of an existing botnet basically using it as a guide to the easiest targets replacing the previous command and control with a new set. Generally speaking, botnet controllers don't plug existing holes, so it's fairly easily to exploit the previous vulnerabilities.

When looking at Security in the cloud Richard Reiner, formerly the founder of Assurent Secure Technologies and Advisor for Enomaly puts it another way.

"Securing the cloud doesn't present radically new challenges, although new technology may be required. For example, rather than implementing firewall and IPS functions exclusively in the physical network, some of these network security functions may need to be delivered within the virtual switch provided by a hypervisor, and products specifically adapted to this deployment will be required. Host-based security agents may also require some modification to run well in this environment, as they need to handle events such as migration of the guest instance form one host to another.

When an enterprise makes use of public cloud resources (e.g., Amazon EC2, or Rackspace's Mosso cloud services), additional issues arise. Here there is a new trust issue. The customer's compute tasks are now executing within the cloud providers infrastructure, and the "servers" these tasks are operating on are guests under the cloud's hypervisors -- i.e. essentially fictions created by the hypervisor software. The hypervisor is software, so it is easily modified; and it is all-powerful with respect to the guest instances running under it -- the hypervisor can copy, modify, or delete data from within the guest at will. This is a new trust problem: the customer must trust that the cloud provider's hypervisors and management software are behaving appropriately and haven't been tampered with.

Unlike traditional hosting, the problem can't be solved by locking the physical servers in a cage that only the customer has access to, since these are virtual servers running on shared hardware."

For cloud providers, the next major issue may be in addressing multi-tenant cloud federation and security. When a series of applications or machines have been exploited the next generation of cloud platforms will need to provide a quick and secure way to quarantine those machines before they can further harm or potentially bring down the entire cloud. Most security products were never made to hand the management of ten of thousands or more of transient physical and virtual machines that could be used by anyone at anytime for any reason. This is the new reality facing public cloud providers and their customers.

More Stories By Reuven Cohen

An instigator, part time provocateur, bootstrapper, amateur cloud lexicographer, and purveyor of random thoughts, 140 characters at a time.

Reuven is an early innovator in the cloud computing space as the founder of Enomaly in 2004 (Acquired by Virtustream in February 2012). Enomaly was among the first to develop a self service infrastructure as a service (IaaS) platform (ECP) circa 2005. As well as SpotCloud (2011) the first commodity style cloud computing Spot Market.

Reuven is also the co-creator of CloudCamp (100+ Cities around the Globe) CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas and is the largest of the ‘barcamp’ style of events.

CloudEXPO Stories
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or personal computing needs.
DXWorldEXPO LLC announced today that the upcoming DXWorldEXPO | DevOpsSUMMIT | CloudEXPO New York will feature 10 companies from Poland to participate at the "Poland Digital Transformation Pavilion" on November 12-13, 2018. Polish Digital Transformation companies which will exhibit at CloudEXPO | DevOpsSUMMIT | DXWorldEXPO include All in Mobile, dhosting, Cryptomage, Perfect Gym, Polcom, Apius Technologies, Aplisens, ELZAB SA, TELDAT, and Rebug.io.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to advisory roles at startups. He has worked extensively on monetization, SAAS, IoT, ecosystems, partnerships and accelerating growth in new business initiatives.
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine where she evaluated and tested application-focused technologies including app security and encryption-related solutions. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University, and is an O'Reilly author.
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like "How is my application doing" but no idea how to get a proper answer.