Originally published August 16, 2011
Recently the news media have covered security breaches at a number of high profile corporate networks, web services and public cloud services. In some of the events, sensitive government and customer data has been exposed by organized groups of hackers. Cryptographic keys have been stolen and exploited to attack government and commercial sites. It has also been reported that some hackers may have used public cloud computing services to launch one or more attacks.
Vulnerabilities like this don’t discriminate – they plague legacy data infrastructures as well as clouds. Nevertheless, cloud computing does present unique challenges to data security. In this article, I’ll look at data security from a cloud computing viewpoint. First I’ll take a look at what’s new or different in a cloud environment, and then I’ll review some preventive measures that should mitigate potential cloud data security breaches before they happen.
Whenever a user clicks a hyperlink on the Internet, the web browser could be connecting to services located anywhere in the world. Domain name servers resolve URLs to IP addresses, network switches route traffic between end points, and the traffic or data may traverse any number of way points en route. The web and application servers may run in virtual machines whose physical locations can change at any time. And with desktop virtualization, the client as well as the server may run in the cloud. So the ubiquitous access nature of web services makes it challenging to control the attack surface of the services that the architect is trying to protect.
Although a service’s physical location may not be known exactly, many cloud service agreements specify regional or other geographic location constraints, guaranteeing that data will not move outside specific regions or regulatory borders while under the control of the service provider.
Device constraints provide another way to offer ubiquitous authorized access but deny unauthorized access by restricting access to registered devices (e.g., smart phones, laptops, etc.) in addition to employing strong passwords and multi-factor authentication. Also, depending on the application, it may be practical to impose constraints on the physical or logical locations of services clients with source IP address restrictions or device restrictions in the form of client-server digital certificates and accompanying encryption protocols. Although device and address constraints may create additional administrative work, once configured they can add layers of security with minimal impact to authorized users.
Another core component of cloud computing is multi-tenancy. A multi-tenant service is any service that hosts N tenants (e.g., clients or customers) on less than N service instances. Multi-tenancy can reduce the cost of service delivery, but it creates some issues too. One key data security problem that multi-tenant services must solve is the problem of how to maintain data isolation between tenants.
In practice, data isolation controls can be implemented in one or more of the solution architecture layers:
Each method has advantages and disadvantages, but all methods require authentication and authorization services to manage resource permissions. Regardless of the scheme used, it is important to thoroughly and repeatedly test all data isolation controls.
Strong authentication and role-based authorization mechanisms are critical to the effectiveness of data isolation controls. Many security exploits, such as SQL injection attacks, target vulnerabilities that permit cross-user or cross-domain access.
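The isolation problem described above, as an added example that is not part of the original article: a shared-schema multi-tenant table in SQLite where tenant isolation lives entirely in the query layer. `search_unsafe` builds SQL by string formatting and is the vulnerable form; `search_safe` binds parameters and takes the tenant id from the authenticated session rather than the request. `isolation_holds` is the kind of repeated, automated isolation test the paragraph calls for: it runs every tenant against a set of hostile search terms and flags any result row belonging to another tenant. Table name, tenant ids and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: two tenants ("acme", "globex") share one table.
SAMPLE_ROWS = [
    (1, "acme", "Q3 forecast"),
    (2, "acme", "customer list"),
    (3, "globex", "merger memo"),
]

# Constructed probe inputs for the isolation test; the second one is a classic
# textbook injection string that a repeated test suite should always include.
PROBE_TERMS = ["Q3", "x%' OR 1=1 --", "merger"]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn, tenant_id, term):
    """Vulnerable form: user input is pasted into the SQL text, so a crafted
    term can rewrite the WHERE clause and pull rows from other tenants."""
    sql = (
        "SELECT id, tenant_id, title FROM documents "
        f"WHERE tenant_id = '{tenant_id}' AND title LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, tenant_id, term):
    """Hardened form: parameter binding keeps the term as data, and the
    tenant filter is always applied by the code, never by the caller."""
    sql = (
        "SELECT id, tenant_id, title FROM documents "
        "WHERE tenant_id = ? AND title LIKE ?"
    )
    return conn.execute(sql, (tenant_id, f"%{term}%")).fetchall()


class TenantRepository:
    """Data-access object bound to one tenant at construction time, so the
    application layer above it cannot forget (or be tricked into skipping)
    the tenant filter."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def search(self, term):
        return search_safe(self._conn, self._tenant_id, term)


def isolation_holds(conn, search_fn, probe_terms=PROBE_TERMS):
    """Repeated isolation test: for every tenant and every probe term, every
    returned row must belong to the tenant that asked. Returns True only if
    no cross-tenant row ever leaks."""
    tenants = [t for (t,) in conn.execute("SELECT DISTINCT tenant_id FROM documents")]
    for tenant in tenants:
        for term in probe_terms:
            for (_, owner, _) in search_fn(conn, tenant, term):
                if owner != tenant:
                    return False
    return True
```

The repository class is the design point: binding the tenant id at construction time turns "remember to filter by tenant" into something the type system does for you, and the isolation test then checks the whole path rather than a single query.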
The term chain of trust most often refers to a method for verifying digital certificates and keys, where the keys are not centrally stored directly in hardware. But the notion of chains of trust can be adapted to the broader problem of data security in services architectures. In the cloud, higher level services may depend on, or trust, data security controls that are provided by lower level services.
For example, a virtual machine may run in a network firewall container. An architect may choose to trust the network firewall to restrict access by source IP address, and therefore decide not to implement source IP restrictions in the operating system inside the virtual machine container, thereby establishing a chain of trust between the operating system and the network firewall. Alternatively, the architect might choose not to trust the network controls and take a defense-in-depth approach, implementing redundant controls in the operating system and/or application layers. Although redundant controls may add complexity, they may provide an extra layer of security for sensitive data.
Architects should assess the controls for each and every service layer, from storage and compute infrastructure to platform software to application level controls. Cloud service providers offer varying levels of transparency (see my earlier article: “On the Reliability of Cloud Computing”), but to the extent possible, architects should endeavor to understand how the individual controls function, their capabilities, limitations and potential vulnerabilities, and then design an overall cloud data security framework, identify the chains of trust across the layers, and design any additional controls that will be required to compensate for gaps.
For each identified chain of trust, an independent test can be added to the framework to verify the correct and proper implementation of the trusted control. For example, if a service provider firewall is trusted to restrict access by source IP address, then the chain of trust could be verified by testing access for both allowed and disallowed source IP addresses. So the old adage “Trust, but verify” applies to cloud data security.
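The firewall example from the two paragraphs above, as an added example that is not from the original article: a provider control that is trusted to admit only specific source ranges, a verifier that exercises it with both allowed and disallowed addresses (derived automatically from the policy's boundaries), and a layered control that models the defense-in-depth alternative. The firewall functions here are stand-ins that evaluate the policy in-process; in a real framework the same verifier would wrap a network probe. The address ranges are documentation ranges and the control names are constructed for the example.

```python
import ipaddress

# Constructed policy: the provider firewall is trusted to admit only these
# source ranges (RFC 5737 documentation ranges, used as placeholders).
TRUSTED_SOURCE_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]


def _policy_networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def firewall_correct(src_ip):
    """Stand-in for a correctly configured provider firewall."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in _policy_networks(TRUSTED_SOURCE_RANGES))


def firewall_too_permissive(src_ip):
    """Stand-in for a misconfigured provider firewall: someone typed the first
    rule as a /16 instead of a /24, so a much larger range is admitted."""
    ip = ipaddress.ip_address(src_ip)
    wide = ipaddress.ip_network("203.0.113.0/16", strict=False)
    return firewall_correct(src_ip) or ip in wide


def os_layer_allow(src_ip):
    """Redundant host-level control (e.g. an OS packet filter) that enforces
    the same policy independently of the provider firewall."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in _policy_networks(TRUSTED_SOURCE_RANGES))


def layered(*controls):
    """Defense in depth: a request passes only if every layer admits it."""
    return lambda src_ip: all(control(src_ip) for control in controls)


def boundary_samples(cidrs):
    """Derive test addresses from the policy itself: the first and last
    address inside each range, and the addresses just outside each edge."""
    allowed, denied = [], []
    for net in _policy_networks(cidrs):
        allowed += [str(net[0]), str(net[-1])]
        denied += [str(net.network_address - 1), str(net.broadcast_address + 1)]
    denied.append("192.0.2.10")  # an unrelated range that must never be admitted
    return allowed, denied


def verify_chain_of_trust(control, allowed_samples, denied_samples):
    """'Trust, but verify': exercise the trusted control with both allowed and
    disallowed sources. Returns a list of findings; empty means the control
    behaves the way the framework assumes it does."""
    findings = []
    for ip in allowed_samples:
        if not control(ip):
            findings.append(f"allowed source {ip} was blocked")
    for ip in denied_samples:
        if control(ip):
            findings.append(f"disallowed source {ip} was admitted")
    return findings
```

Generating the samples from the policy's own boundaries is deliberate: off-by-one prefix lengths are exactly the misconfiguration that a hand-picked "one good address, one bad address" test tends to miss.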
It is also possible to make use of untrusted services if the security framework can use the service without exposing the data to the associated vulnerabilities. For example, strong encryption can be used to secure data before it is sent through an untrusted path or placed in an untrusted storage container, thereby preventing the underlying service providers from gaining access to the data.
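The "encrypt before handing data to an untrusted store" pattern, as an added example that is not part of the original article. The storage provider is modelled as a plain dictionary it can read at will; the client seals each object with a key the provider never sees, and binds the ciphertext to its object name so a stored object cannot be silently swapped for another. To keep the example dependency-free it builds an encrypt-then-MAC scheme from the standard library (HMAC-SHA256 in counter mode as the keystream, a second HMAC-SHA256 as the tag); a production system would use an AEAD such as AES-GCM from a vetted library in place of the two primitive functions, with everything else unchanged. Key, store and object names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(master_key):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC(nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key, aad, nonce, ciphertext):
    # Length-prefix the associated data so (aad, ciphertext) pairs are unambiguous.
    msg = struct.pack(">Q", len(aad)) + aad + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(master_key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag. aad is authenticated, not encrypted."""
    enc, mac = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ciphertext + _tag(mac, aad, nonce, ciphertext)


def unseal(master_key, blob, aad=b""):
    """Verify the tag first (constant-time), then decrypt. Raises on tampering."""
    enc, mac = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac, aad, nonce, ciphertext)):
        raise ValueError("integrity check failed: object was modified or renamed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc, nonce, len(ciphertext))))


class UntrustedStore:
    """Constructed stand-in for a provider's object store. It keeps whatever it
    is given and can inspect it freely, which is exactly the threat model."""

    def __init__(self):
        self._objects = {}

    def put(self, name, data):
        self._objects[name] = data

    def get(self, name):
        return self._objects[name]

    def provider_view(self, name):
        return self._objects[name]


def store_document(store, master_key, name, plaintext):
    """Client side: seal locally, binding the ciphertext to its object name."""
    store.put(name, seal(master_key, plaintext, aad=name.encode()))


def fetch_document(store, master_key, name):
    """Client side: fetch and unseal; a renamed or edited object is rejected."""
    return unseal(master_key, store.get(name), aad=name.encode())
```

Using the object name as associated data is the detail worth copying: it stops a provider (or anyone with write access to the bucket) from serving object A's ciphertext under object B's name, which plain encryption alone would not catch.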
Cloud computing and social networks have made it much easier for companies to communicate with their customers, but they have also opened up a whole new set of data security and privacy issues for IT departments, which not only have to protect internal systems, but now must also extend protection to the company presence on Facebook, Twitter, LinkedIn and other social networking sites.
Many companies are only now defining policies to govern the appropriate uses of social networking sites. The chain of trust notion applies in a different sense to social networks, where a company’s presence is defined not only by content, but by links or associations to other companies and network members.
The principle of “Trust, but verify” is not only for chains of trust within the framework; it applies equally to the data security framework itself. Routine data security assessments and audits help ensure that best practice data security controls are working, identify emerging areas of risk, and suggest near- and long-term strategies for continuous improvement.
The assessment should take into account the unique characteristics of cloud computing, as well as the regulatory requirements (FISMA, HIPAA, PCI, etc.) that apply to the industry and the business intelligence (BI) applications. A good practice is to start with an industry template (e.g., the Cloud Controls Matrix from the Cloud Security Alliance) and enhance and extend to fit.
Cloud computing and social networks expand the surface area that must be protected, so care should be taken to inventory all possible points of access, internal and external.
User communities and technical support resources should not be overlooked as an important part of the data security framework. Alert users who discover and report vulnerabilities, coupled with responsive tech support, can prevent and/or limit exposure when issues arise. Educated users are the first and last line of defense.
High visibility data security breaches are being reported almost every day. Although cloud computing shares many aspects of security with legacy IT infrastructures, unique cloud architecture features such as location independence, multi-tenancy, service-oriented architecture, and social networking present unique data security challenges. These risks can be managed by implementing appropriate controls within a cloud data security framework.
Recent articles by John Bair