Ned Einsig, Systems Security Analyst at United States Department of Defense

Cloud computing has quickly become a relevant technology within the information technology field over the past few years. This technology is powerful and useful, but it is a double-edged sword, as security can become an issue quickly when placing data on web-based storage servers. Information security is often broken up into C.I.A. (confidentiality, integrity, and availability), and cloud computing on its own increases availability while harming confidentiality and integrity. Much of the technology needed to secure the cloud is already in place, but the policies and procedures to fully utilize that technology are often non-existent. One example of this is the application of cryptography: many of the security exploits found in the last few years had very little technical impact because of PGP (Pretty Good Privacy) or AES (Advanced Encryption Standard) encryption. This paper will focus less on the technology in place and more on the policies and procedures we can use to make the most of it for a more secure cloud for everyone.

Introduction

Cloud computing is a great tool that also presents many security concerns for businesses, governments, and end users alike. It is a growing field in the IT world and an area of concern to many businesses. Some businesses push the envelope by not only putting data up on the cloud but also using cloud services to enhance security. Meanwhile, others see it as a risk they are not willing to take and stick to local data storage solutions or private clouds. What a lot of companies implement is a hybrid cloud, keeping sensitive data and programs local and putting less sensitive files on a public or community cloud.

History

Cloud computing can trace its roots back to the 1960s, when servers provided applications (software as a service) to thin clients, then known as terminal computers. These thin clients did not contain much local storage or processing power and relied heavily on the server. A great early example of cloud computing would be Hotmail, which is stored online and could be accessed by any machine with only a web browser. Hotmail started in the 1990s and is still in use to this day. Cloud computing in the way we perceive it today started only seven years ago in 2008. A system called OpenNebula was open source and could be used for deploying private and hybrid clouds. Large organizations such as NASA, IBM, and Oracle would join the cloud revolution in the years to come. Cloud computing continues to grow, with both small and large businesses taking data storage, email accounts, and servers, with virtual machines, to the cloud. By April of 2013 over half of U.S. businesses used cloud computing to some extent.

Exploits

The largest concern with cloud computing has been security. There is good reason for this, as it is a hacker's dream, second only to banks, due to the storing of large volumes of data. The prospect of stealing data from multiple companies by only hacking one server can send hackers swarming like bees to a hive. An example of a cloud computing hiccup occurred in 2008 when Google Docs suffered a software bug, resulting in corporate data being shared with users who should not have had permissions to access that data. Another example of an exploit found in a cloud environment was in 2011, when researchers working out of Ruhr-University Bochum ran into a cryptography hole in Amazon’s services. This would give a hacker modify, create, and delete rights, and they would be able to change login credentials. The final example of a real-world attack occurred in July of 2012 when Dropbox, an online storage provider, had accounts hijacked from other sites used to access user accounts, one of them belonging to an employee. Since then Dropbox has deployed the security control of two-factor authentication. We will now look into cloud computing vulnerabilities and the steps providers and customers can take to add security.

Literature Review

Business Data Networks and Security by Raymond Panko and Julia Panko has a section dedicated to cloud computing that gives some background on the subject and its history. It sheds light on the technical aspects of cloud computing such as virtualization and hypervisors. The authors go over the advantages and disadvantages of cloud computing. The book also has a heavy focus on utility computing and software as a service (SaaS), which are two big components of cloud computing.

CompTIA Cloud Essentials from the ITpreneurs McGraw Hill series gives a general overview of all things relating to cloud computing. It does not get overly technical but does serve as a good starting point for understanding what cloud computing is and why it is important from a business standpoint. It defines the types of cloud such as private, hybrid, and public. The book brings up information on access storage speed and data replication as well as other topics that relate to cloud effectiveness. It also covers migrating to the cloud and maintaining a cloud environment.

“Cloud Security: A Gathering Storm” was written by multiple authors, all in the Department of Computer Science at the University of British Columbia. The article gives an introduction to cloud computing technologies and security. One example they bring up is the added level of security needed because of the virtualization that cloud computing relies on. If one virtual machine is hacked, then all of the others within the same network are at risk. The article is mainly focused on the software security of cloud computing. Software-based CFI (control-flow integrity) is discussed as a way to make sure that enforcement mechanisms are not disabled or tampered with. The last topic they bring up, which is not often talked about in cloud computing, is the lack of user knowledge. Many people think that once they are on the cloud they have no steps to take on their own part to maintain security.

“Design flaw in ‘secure’ cloud storage puts privacy at risk, JHU researchers say” was a web article released by Phil Sneiderman in April of 2014. The article highlights a flaw in which confidentiality of information could be lost while sharing information in the cloud. The key sharing used by many popular cloud storage companies had the business operating as a trusted third party. Through this the providers could access their customers’ information. This is a problem because it makes the providers a man-in-the-middle while users believe that the provider cannot see their information. To fix this problem, the researchers suggested that an independent party serve the role of providing third-party keys.

“Cloud Security: Reports slam data protection, national Internets, access myths” was an article written by Violet Blue of ZDNet. Violet reviews three papers provided by Google that attempt to cover cloud computing issues that enterprises face. The three biggest issues, according to Leviathan Security Group, who helped Google with this project, are availability, scarcity, and vulnerability. When it comes to availability, it is suggested that you take advantage of different providers and have your data stored in multiple regions. This is mainly because of natural disasters and other large-scale events. For availability they also suggest that there is no latency difference between having a local or a cloud database if they are both located two thousand miles away. They are critical of cloud computing when it comes to security, but they also claim that having local data actually takes more tools, training, and people to protect that data.

“Cloud Computing Security Case Studies and Research” was a paper written in 2013 on instances of cloud computing vulnerabilities being exposed. An example of a cloud computing hiccup occurred in 2008 when Google Docs suffered a software bug, resulting in corporate data being shared with users who should not have had permissions to access that data. Another example of an exploit found in a cloud environment was in 2011, when researchers working out of Ruhr-University Bochum ran into a cryptography hole in Amazon’s services. It goes through plenty of cases like this from the early days of cloud computing that can serve as examples of security flaws in the methodology.

Current Development & Solutions

More and more companies today are adopting cloud computing because it is cheaper and more effective than their current solutions, or a more desirable solution than building more infrastructure. This solution, just like any other implemented in the IT world, has its ups and downs. One major downside is that the old idea of perimeter security is now dead. Information is not simply tied to locations and objects. For this reason, as well as others, cloud computing is still growing and changing to cover its flaws and work more effectively for businesses and government. What people lose sight of is that the security of the cloud today depends every bit as much on policy and procedures as it does on the technology that runs it.

With the birth of the cloud came the security concern of users connecting to corporate data over public networks on personal devices. How do you secure the data if it is being sent through an insecure network on a device that the company does not have control of? The weight of solving this issue fell upon the cloud providers themselves. They have improved, and continue to improve, the product so that it is secure when delivering and receiving data, the same way HTTPS allows someone to feel safer submitting an online form at Starbucks using open Wi-Fi. This endpoint protection can give companies some peace of mind and allow employees some freedom in accessing information where and when it is needed.

One great method that is already in place with companies such as Google and Dropbox is two-factor authentication. What Google currently has in place is an authentication method where you enter your password and are then required to enter a six-digit one-time password that was sent to your cell phone. One-time passwords and two-factor authentication add a whole new layer to the security model, and at least one of these two methods should be considered by all cloud providers. It makes the life of a hacker harder because dictionary and brute-force password attacks are now more cumbersome. This procedure alone could make securing the cloud a much more manageable task.
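The server-side check behind a six-digit code like the one described above can be sketched as follows. This is an added example, not Google's or Dropbox's implementation; the function names, the three-attempt lockout and the five-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # six-digit one-time password, as described in the text
MAX_ATTEMPTS = 3     # assumed lockout threshold
TTL_SECONDS = 300    # assumed code lifetime


def _digest(code: str, salt: bytes) -> bytes:
    # Store only a keyed digest so a leaked session table does not reveal live codes.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class OtpChallenge:
    """Server-side state for one pending second-factor challenge."""

    def __init__(self, code: str, now: float):
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(code, self.salt)
        self.expires_at = now + TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS


def issue(now=None):
    """Return (challenge, code); the code is delivered to the phone, never to the browser."""
    now = time.time() if now is None else now
    # secrets draws from the OS CSPRNG; the random module is predictable and unsuitable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return OtpChallenge(code, now), code


def verify(challenge: OtpChallenge, submitted: str, now=None) -> bool:
    now = time.time() if now is None else now
    if challenge.digest is None or now > challenge.expires_at or challenge.attempts_left <= 0:
        challenge.digest = None          # expired, locked out or already used
        return False
    challenge.attempts_left -= 1         # count the attempt before comparing
    ok = hmac.compare_digest(_digest(submitted, challenge.salt), challenge.digest)
    if ok:
        challenge.digest = None          # single use: a replayed code fails
    return ok


def guess_success_probability() -> float:
    """Chance that blind guessing passes the second factor before lockout."""
    return MAX_ATTEMPTS / 10 ** CODE_DIGITS
```

With these assumed limits, blind guessing succeeds about three times in a million per challenge, which is why the lockout and expiry matter as much as the code itself.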

Another issue that has come up with cloud security is the role of government. What should they be allowed to access? Under what circumstances can they read company or personal data off of the cloud? Over in the EU (European Union) a solution has already been proposed where users are told that their information has been accessed, in an attempt to balance user security with a government’s duty to protect its people.

An additional policy-related issue with the cloud that has come up and will continue to impact the technology is encryption. Relating to the previous cloud computing concern, encryption gives companies and people a chance to have a say in whether their data is accessed. In the case of a cloud storage server being hacked, this would also help, because hackers would need to break the encryption in order to see the data they’ve stolen, buying forensics teams time to investigate while the bad guy attempts to break the cryptography. If the government wanted to access a company’s information and used its authority to access cloud storage, encryption would still give the company a say in the matter where they could defend their rights. As more companies become aware of how the cloud works, its pitfalls, and its upside, we’ll see more companies taking advantage of data encryption before sending data up to the cloud.

Continuing on the policy end of things, IBM is pushing collaboration to improve security within the cloud environment. The idea behind it is that attackers work together to hack into systems and carry out their agenda, so why would companies not also work together to enhance security? The company is putting out APIs (application programming interfaces) to allow different companies to add to it or harden their own information. This will be shared information so that companies can learn from each other to enhance their security. IBM is taking measures to make sure that only genuine users have access to this cloud and hopes that it will speed the process of advancing cloud security.

Future Development

A dark but possible future for the cloud, and the internet in general, is localization forced on the web by governments. This would be very damaging to end users and businesses that have international interests. Many countries are now known for not keeping to themselves on the Internet. Russia, China, nations within the EU (European Union), and even our own United States have all been found to be spying on other nations. Not only do these nations spy on their enemies, but they keep a close watch on their own allies. While it is true that nations spy on each other and the cloud will only extend this problem, laws do not deter the lawless. Many within the IT community (and business) know the harm that could be done through localization and will fight it tooth and nail. The future of cloud computing is hard to predict. If all-out cyber warfare ever becomes reality, many companies will convert to tight security models, and the old perimeter network mentality could return very quickly.

Much of the technology to make the cloud grow is already moving at 100 mph, but the policy and procedure side of things has grown slowly, and will be catching up to keep the cloud secure in the months and years ahead. When email was publicly available for the first time in the 1990s, many more people fell victim to phishing because people and businesses had to adapt. The cloud can be a secure and effective tool when the policy and procedures behind it are secure and effective. Just like we’ve done with previous new technologies, we will have to adapt.

Conclusion

The cloud is a wonderful tool that should be taken advantage of by government, businesses, and home users. There are steps that they can take to protect their information when it is placed out in the digital open. For example, companies and government can work together to advance cloud security and learn from each other. Another step is to incorporate secure tunnel technology with cloud communications to defend against man-in-the-middle attacks. Finally, data that is placed in sensitive locations, like the cloud, should be encrypted. These are but a few steps to help improve an already growing and improving technology that is bound to shape the future of information technology.