Information technology security is of paramount importance for all computers, server farms, data centers, and their applications. Security involves both physical security of the facilities and IT assets, and security monitoring and management of the network infrastructure, servers, and applications. Obvious goals are the prevention of intrusions and attacks, and the protection of data. Basic security concepts are assumed knowledge so that we can focus on the unique challenges within a cloud environment.
First, we will briefly review the top aspects of security in a traditional data center environment then add cloud-specific considerations. This list is by no means an exhaustive catalog of security systems available in the industry, but we will build upon it to explain cloud-specific threats, vulnerabilities, and recommended protection.
- Perimeter security of the network. Protecting the network infrastructure using firewalls is the most common part of securing your systems. These firewalls can be in the form of specialized appliances, or standard servers running firewall software. Traditional firewalls track and allow or disallow network traffic from one network, commonly the Internet, to another network. Some organizations deploy multiple firewalls in layers for increased security, but more often create so-called demilitarized zones (DMZs), where public-facing web services can be offered while back-end protected data sits behind additional firewalls.
Many legacy firewalls protect through configurable rules, and monitor low-level layers of the OSI model. Advanced modern firewalls offer improved protection against known and unknown threats, as they monitor and restrict traffic based on more advanced logic – all the way up to the application layer of the OSI model.
- Intrusion prevention and detection. Monitoring network traffic searching for unauthorized access or attempts to hack into the system is a normal secondary step. Through perimeter detection devices such as firewalls, we can block access to unknown networks or types of traffic, but we cannot necessarily stop traffic that appears to come from legitimate sources or computer activities occurring inside the network; it’s simply beyond the firewall’s ability to detect. Intrusion detection systems monitor many aspects of the network, server farms, applications, and event logs, searching for patterns that represent known harmful activities, as well as suspicious ones that could represent a new, unknown security threat. Once detected, intrusion systems can trigger alarms to computer support personnel, and in some cases of advanced security systems, actually begin a response to the potentially harmful activity, such as isolating the user, network traffic, or suspected malware.
- Anti-virus and anti-malware. Protection from numerous types of computer viruses and malware is usually provided as an add-on software tool on servers and desktop workstations throughout the internal network. Even computer systems that do not have access to the Internet should be protected, so that one infected machine cannot turn around and infect others within the internal network. Network-based anti-virus and anti-malware applications also exist that can monitor network traffic to identify patterns of known and unknown viruses or malware; these network-based systems can also be included within an application-layer firewall system.
Managing and monitoring the network, servers, and applications is typically performed through a combination of computer systems, processes, and people. Computerized systems normally do a reasonably good job of protecting known threats and vulnerabilities, but are challenged when it comes to detecting new or unknown threats. As new threats appear by the dozen every day, a computerized security system will regularly come up against threats against which it has no library of protections. Detecting these zero-day attacks requires worldwide detection of the incoming threat, and hopefully an alert to support personnel or automated isolation of the suspicious traffic.
Figure: Worldwide threat detection and analysis is critical to identifying and responding to zero-day attacks
Constantly Improving Security Systems and Tools
Although this is a broad summation of the IT security industry, the approach of the last 10+ years has focused on basic security protection and monitoring, and it is highly flawed. Human beings are heavily relied upon to monitor system logs and events, rather than computer systems detecting and automatically responding to events on their own.
Recent trends in computer security are certainly improving, and systems are now able to better detect potentially harmful behavior or traffic seen on the network, rather than solely relying upon a library of known signature files in need of constant updating. These systems are better – but not perfect – at detecting patterns of activity that may not be individually harmful, but could be evidence of a hacker, virus, worm, Trojan, or other intrusion.
Figure: Proactive vs. Reactive Security Protection
Unique Cloud Computing Threats and Vulnerabilities
Cloud systems, being inherently based on users and customers accessing everything via the Internet, expand both the need for more advanced forms of traditional security systems and the need for new security technologies unique to the cloud.
Cloud computing considerations include:
- Perimeter security. In a cloud environment, a much larger percentage of the computer systems are Internet facing, or directly online for access by customers and their users. In a traditional data center, only a fraction of servers might be available via the Internet – such as public web sites – and the internal users of the organization are on the relatively safe internal networks. In a public cloud environment, the internal cloud users are both employees of the customer and users from the Internet. This means the threats are increased, and the number of users and the amount of activity to be scanned increase. In a private cloud, the computing services can be hosted from an internal customer data center, and thus internal users would not necessarily access their systems via the Internet. To mitigate the increased risks, the most advanced firewalls, application-layer firewalls, intrusion detection systems, monitoring systems, and dedicated security personnel are all combined to protect the environment. As discussed earlier, the amount of automation in the cloud system is also a security risk. Virtual machines and new users can be added to the cloud service at any time of the day; this means that the security management systems must become aware of them as they are provisioned. There can be no gap in security protections, thus the cloud management system should automatically insert new VMs into the network and security monitoring systems as part of the provisioning process.
- Denial of Service (DoS) Attacks. Although any network or customer can become a victim of a denial of service attack, a cloud service – especially a public one – often hosts many customers. Any attack against a customer affects other customers sharing the same cloud provider network, and the chances of a cloud provider being attacked are higher than any one individual customer network. These DoS attacks usually consist of one or more hackers sending massive amounts of data through the Internet at the target in an attempt to overwhelm the perimeter security defenses and shut down the system, denying access to its rightful owners and users. In order to generate enough traffic to flood or overwhelm large pipes, attackers will initiate a Distributed Denial of Service (DDoS) attack using hundreds or thousands of computers all simultaneously sending traffic. The attacker has access to these thousands of computers by activating trojan-infected machines on the Internet, and turning each of the computers into a zombie or bot. The good news is that a successful cloud provider will have systems in place to mitigate or deal with denial of service attacks while keeping all customer services online. Common techniques they might use can also be deployed for private clouds, and even legacy data centers. Some of these recommended security systems are described in the next section.
- DNS attacks. Although technically a DNS attack can be categorized as a denial of service attack, we highlight it here to make the point that DNS attacks are increasing in popularity. If a cloud provider is prepared and successfully mitigates a traditional denial of service attack, a DNS attacker simply goes after the Domain Name Servers (DNS). By saturating the DNS servers with traffic, the hacker essentially inhibits the ability for customers or users to find the web site or cloud service they are trying to access.
- Application attacks. One of the newer and more sophisticated attacks targets public-facing Internet applications or computer services. An attacker could find a search feature on a web site, and submit a query for a file or keyword that does not exist, producing a “nothing found” error after the server has scoured its network performing the search. Now imagine the attacker sending 3000 of these searches every second, and you can see how this would cause the web server to fail. Take this one step further; let’s say the attacker finds a “contact us” form on the web that updates an SQL database on the back-end server farm. By running a script that submits this form 5000 times per second, the attack causes the web server and the back-end SQL system to fail, overload, time out, or otherwise crash. These kinds of attacks are called layer 7 attacks, referring to the Application Layer of the OSI model. Protection against these attacks is difficult, since the attackers are constantly finding new ways to attack.
- Bot networks. Bot networks, zombies, and compromised systems occur when a computer within a network has been compromised through a virus, worm, or trojan horse. Scanning systems often detect infection after it occurs, but rarely prevent the infection. These compromised systems remain idle until called into action by an Internet-based control system, most often to accomplish some harmful task such as leaking data, spreading to other systems, corrupting or deleting data, or just clogging the network with overwhelming traffic.
- Social networking. Interception or discovery of data from social networking or from human beings is a common threat. Spear phishing is a prime example of using both technology and human vulnerabilities to send out – for example – emails to targeted users while pretending to be from a legitimate source. Unsuspecting users click on the link in the email and are asked to log into what they believe is a legitimate bank or commerce web site. However, it is a fake site that obtains their login information, then either sells it or exploits it to commit fraudulent activity. Virus and malware scanning does not provide adequate protection against these types of attacks. The email message, in the above spear phishing example, appears just like any other legitimate email except that the URL within the message leads the end-user to a fraudulent location.
Consolidation of Systems and Data in the Cloud
The basic concept of cloud computing is the transformation of compute services and data into the cloud. By consolidating legacy server farms and data centers, you centralize your data in a cloud environment physically hosted at a cloud provider or customer facility, depending on your public or private deployment model.
Customers and security industry experts often ask if their cloud environment is more or less secure than a traditional behind-the-firewall network inside a customer-owned data center. There are two diverse opinions amongst industry experts on this:
- Less Secure. Some industry experts claim that consolidating all customer data and servers into a single cloud means that a successful hacker could have access to massive amounts of customer data in the same physical data center. This would make the risk of data loss or tampering higher in cloud environments, compared to distributed server farms and applications in traditional data centers.
- More Secure. The majority of security industry experts agree that the cloud is more secure than traditional server farms, data centers, and applications. The theory is that a consolidated location for servers, applications, and data is easier to protect and focus security resources on than traditional non-cloud distributed systems. Public cloud providers, and any private cloud owner, can procure all of the very latest in security appliances and software, centralize a focused team of security personnel, and consolidate all system events, logs, and response activities. The quantity of security devices is actually less, as is the cost; however, the cost of newer and better security products will balance this out. Industry experts point to consolidated focus, and simpler correlation of logs and events, as reasons for cloud environments being more secure than most legacy server farms.
In a cloud environment, the security posture and mitigation systems in place span the entire network. They have sufficient capability and capacity to monitor and react to real or perceived security issues. However, since this is a multi-tenant environment, any individual customer with higher-than-normal security needs cannot be accommodated. This is probably the number one reason for private cloud deployments. The cloud is dedicated to one customer – or community of customers – that have shared goals and, more importantly, a shared security posture.
Categories: cloud computing