Welcome!

@CloudExpo Authors: Yeshim Deniz, Carmen Gonzalez, Pat Romanski, Zakia Bouachraoui, Elizabeth White

Related Topics: @CloudExpo

@CloudExpo: Article

Securing & Hacking the Cloud

Securing the cloud doesn't present radically new challenges

Often when those who say the cloud is too early or not ready for wide-scale enterprise usage they point to "security" as being a key concern. Although they are quick to point out the security of a third-party provider is an obvious point of weakness, they typically lack any specific examples of what these possible weak points actually are. So I thought I'd point out a few.

When looking at the potential vulnerabilities that cloud computing introduces, I typically recommend looking at the low-hanging fruit, the stuff that a novice user could exploit with little or no technical capabilities. Right now the simplest exploits involve something I call "cloud jacking" or "cloud hijacking". This is when a unscrupulous element takes either partial or complete control of your cloud infrastructure typically by using a simple automated exploit script (kiddie script). An example of this in action is found within the world of botnets in which an existing series of compromised computing resource are used to create an exploit map of the cloud.

The basic premise of "cloud exploit mapping" is to use a technique similar to that of Celestial navigation, which was a navigational positioning technique that was devised to help sailors cross the featureless oceans without having to rely on dead reckoning to enable them to strike land. Similarly cloud exploit mapping is used in order to navigate and locate the optimal targets for exploitation across the cloud. Once the potential vulnerable machines have been mapped, all a potential hacker needs to do is hijack a series of already exploited machines by crawling the structure of an existing botnet basically using it as a guide to the easiest targets replacing the previous command and control with a new set. Generally speaking, botnet controllers don't plug existing holes, so it's fairly easily to exploit the previous vulnerabilities.

When looking at Security in the cloud Richard Reiner, formerly the founder of Assurent Secure Technologies and Advisor for Enomaly puts it another way.

"Securing the cloud doesn't present radically new challenges, although new technology may be required. For example, rather than implementing firewall and IPS functions exclusively in the physical network, some of these network security functions may need to be delivered within the virtual switch provided by a hypervisor, and products specifically adapted to this deployment will be required. Host-based security agents may also require some modification to run well in this environment, as they need to handle events such as migration of the guest instance form one host to another.

When an enterprise makes use of public cloud resources (e.g., Amazon EC2, or Rackspace's Mosso cloud services), additional issues arise. Here there is a new trust issue. The customer's compute tasks are now executing within the cloud providers infrastructure, and the "servers" these tasks are operating on are guests under the cloud's hypervisors -- i.e. essentially fictions created by the hypervisor software. The hypervisor is software, so it is easily modified; and it is all-powerful with respect to the guest instances running under it -- the hypervisor can copy, modify, or delete data from within the guest at will. This is a new trust problem: the customer must trust that the cloud provider's hypervisors and management software are behaving appropriately and haven't been tampered with.

Unlike traditional hosting, the problem can't be solved by locking the physical servers in a cage that only the customer has access to, since these are virtual servers running on shared hardware."

For cloud providers, the next major issue may be in addressing multi-tenant cloud federation and security. When a series of applications or machines have been exploited the next generation of cloud platforms will need to provide a quick and secure way to quarantine those machines before they can further harm or potentially bring down the entire cloud. Most security products were never made to hand the management of ten of thousands or more of transient physical and virtual machines that could be used by anyone at anytime for any reason. This is the new reality facing public cloud providers and their customers.

More Stories By Reuven Cohen

An instigator, part time provocateur, bootstrapper, amateur cloud lexicographer, and purveyor of random thoughts, 140 characters at a time.

Reuven is an early innovator in the cloud computing space as the founder of Enomaly in 2004 (Acquired by Virtustream in February 2012). Enomaly was among the first to develop a self service infrastructure as a service (IaaS) platform (ECP) circa 2005. As well as SpotCloud (2011) the first commodity style cloud computing Spot Market.

Reuven is also the co-creator of CloudCamp (100+ Cities around the Globe) CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas and is the largest of the ‘barcamp’ style of events.

CloudEXPO Stories
Blockchain has shifted from hype to reality across many industries including Financial Services, Supply Chain, Retail, Healthcare and Government. While traditional tech and crypto organizations are generally male dominated, women have embraced blockchain technology from its inception. This is no more evident than at companies where women occupy many of the blockchain roles and leadership positions. Join this panel to hear three women in blockchain share their experience and their POV on the future of blockchain.
Concerns about security, downtime and latency, budgets, and general unfamiliarity with cloud technologies continue to create hesitation for many organizations that truly need to be developing a cloud strategy. Hybrid cloud solutions are helping to elevate those concerns by enabling the combination or orchestration of two or more platforms, including on-premise infrastructure, private clouds and/or third-party, public cloud services. This gives organizations more comfort to begin their digital transformation without a complete overhaul of their existing infrastructure - serving as a sort of "missing link" for transition to cloud utilization.
Cloud Storage 2.0 has brought many innovations, including the availability of cloud storage services that are less expensive and much faster than previous generations of cloud storage. Cloud Storage 2.0 has also delivered new and faster methods for migrating your premises storage environment to the cloud and the concept of multi-cloud. This session will provide technical details on Cloud Storage 2.0 and the methods used to efficiently migrate from premises-to-cloud storage. This session will also discuss best practices for implementing multi-cloud environments.
In very short order, the term "Blockchain" has lost an incredible amount of meaning. With too many jumping on the bandwagon, the market is inundated with projects and use cases that miss the real potential of the technology. We have to begin removing Blockchain from the conversation and ground ourselves in the motivating principles of the technology itself; whether it is consumer privacy, data ownership, trust or even participation in the global economy, the world is faced with serious problems that this technology could ultimately help us in at least partially solving. But if we do not unpack what is real and what is not, we can lose sight of the potential. In this presentation, John Bates-who leads data science, machine learning and AI in the Adobe Analytics business unit-will present his 4-prong model of the general areas where Blockchain can have a real impact and the specific use...
FinTech is a disruptive innovation that denotes the adoption of technologies that have changed how traditional financial services work. While FinTech is now embedded deeply into the financial services ecosystem, the rise of digital age has paved way to FinTech 2.0 - which is rolling out innovative solutions through emerging technologies at a disruptive pace while maintaining the tenets of security and compliances. Blockchain as a technology has started seeing pilot adoption in FinTech around trade settlements, fraud detection and would need to sort out few of the technology challenges primarily around transaction time, interoperability with existing systems before being fully adopted into mainstream systems. While private blockchain adoption by Banks have taken shape, the challenge of real time transaction settlement, preventing double spend attacks need to be addressed.