@CloudExpo Authors: Elizabeth White, Zakia Bouachraoui, Liz McMillan, Pat Romanski, Roger Strukhoff

Related Topics: @CloudExpo

@CloudExpo: Article

Securing & Hacking the Cloud

Securing the cloud doesn't present radically new challenges

Often when those who say the cloud is too early or not ready for wide-scale enterprise usage they point to "security" as being a key concern. Although they are quick to point out the security of a third-party provider is an obvious point of weakness, they typically lack any specific examples of what these possible weak points actually are. So I thought I'd point out a few.

When looking at the potential vulnerabilities that cloud computing introduces, I typically recommend looking at the low-hanging fruit, the stuff that a novice user could exploit with little or no technical capabilities. Right now the simplest exploits involve something I call "cloud jacking" or "cloud hijacking". This is when a unscrupulous element takes either partial or complete control of your cloud infrastructure typically by using a simple automated exploit script (kiddie script). An example of this in action is found within the world of botnets in which an existing series of compromised computing resource are used to create an exploit map of the cloud.

The basic premise of "cloud exploit mapping" is to use a technique similar to that of Celestial navigation, which was a navigational positioning technique that was devised to help sailors cross the featureless oceans without having to rely on dead reckoning to enable them to strike land. Similarly cloud exploit mapping is used in order to navigate and locate the optimal targets for exploitation across the cloud. Once the potential vulnerable machines have been mapped, all a potential hacker needs to do is hijack a series of already exploited machines by crawling the structure of an existing botnet basically using it as a guide to the easiest targets replacing the previous command and control with a new set. Generally speaking, botnet controllers don't plug existing holes, so it's fairly easily to exploit the previous vulnerabilities.

When looking at Security in the cloud Richard Reiner, formerly the founder of Assurent Secure Technologies and Advisor for Enomaly puts it another way.

"Securing the cloud doesn't present radically new challenges, although new technology may be required. For example, rather than implementing firewall and IPS functions exclusively in the physical network, some of these network security functions may need to be delivered within the virtual switch provided by a hypervisor, and products specifically adapted to this deployment will be required. Host-based security agents may also require some modification to run well in this environment, as they need to handle events such as migration of the guest instance form one host to another.

When an enterprise makes use of public cloud resources (e.g., Amazon EC2, or Rackspace's Mosso cloud services), additional issues arise. Here there is a new trust issue. The customer's compute tasks are now executing within the cloud providers infrastructure, and the "servers" these tasks are operating on are guests under the cloud's hypervisors -- i.e. essentially fictions created by the hypervisor software. The hypervisor is software, so it is easily modified; and it is all-powerful with respect to the guest instances running under it -- the hypervisor can copy, modify, or delete data from within the guest at will. This is a new trust problem: the customer must trust that the cloud provider's hypervisors and management software are behaving appropriately and haven't been tampered with.

Unlike traditional hosting, the problem can't be solved by locking the physical servers in a cage that only the customer has access to, since these are virtual servers running on shared hardware."

For cloud providers, the next major issue may be in addressing multi-tenant cloud federation and security. When a series of applications or machines have been exploited the next generation of cloud platforms will need to provide a quick and secure way to quarantine those machines before they can further harm or potentially bring down the entire cloud. Most security products were never made to hand the management of ten of thousands or more of transient physical and virtual machines that could be used by anyone at anytime for any reason. This is the new reality facing public cloud providers and their customers.

More Stories By Reuven Cohen

An instigator, part time provocateur, bootstrapper, amateur cloud lexicographer, and purveyor of random thoughts, 140 characters at a time.

Reuven is an early innovator in the cloud computing space as the founder of Enomaly in 2004 (Acquired by Virtustream in February 2012). Enomaly was among the first to develop a self service infrastructure as a service (IaaS) platform (ECP) circa 2005. As well as SpotCloud (2011) the first commodity style cloud computing Spot Market.

Reuven is also the co-creator of CloudCamp (100+ Cities around the Globe) CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas and is the largest of the ‘barcamp’ style of events.

CloudEXPO Stories
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected path for IoT innovators to scale globally, and the smartest path to cross-device synergy in an instrumented, connected world.
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
ScaleMP is presenting at CloudEXPO 2019, held June 24-26 in Santa Clara, and we’d love to see you there. At the conference, we’ll demonstrate how ScaleMP is solving one of the most vexing challenges for cloud — memory cost and limit of scale — and how our innovative vSMP MemoryONE solution provides affordable larger server memory for the private and public cloud. Please visit us at Booth No. 519 to connect with our experts and learn more about vSMP MemoryONE and how it is already serving some of the world’s largest data centers. Click here to schedule a meeting with our experts and executives.
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understanding as the environment changes.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the modern business digitalization solutions. Achieve up to 50% early-stage technological process development cost cutdown with science and R&D-driven investment strategy with Codete's support.