All Posts Tagged Cloud Computing Security
Amazon Spot Pricing Black Hat Style: Manipulating the Market Through DoS
Amazon just announced "Spot Pricing" for their EC2 instances:
"Spot Instances are a new way to purchase and consume Amazon EC2 Instances. They allow customers to bid on unused Amazon EC2 capacity and run those instances for as long as their bid exceeds the current Spot Price. The Spot Price changes periodically based on supply and demand, and customers whose bids meet or exceed it gain access to the available Spot Instances. Spot Instances are complementary to On-Demand Instances and Reserved Instances, providing another option for obtaining compute capacity.
For customers with flexibility in when their applications can run, Spot Instances can significantly lower their Amazon EC2 costs. Additionally, Spot Instances can provide access to large amounts of additional capacity for applications with urgent needs. Just a few examples of categories of applications well-suited to Spot Instances are:
* Image and video processing, conversion and rendering
* Scientific research data processing
* Financial modeling and analysis"
This is innovative and, in a world of "fair play", a smart move by Amazon. But let's consider this from a Black Hat hacker's perspective for a moment:
Black Hats have all kinds of reasons for needing massive compute power. The obvious one is password cracking and that can take an awful lot of CPU power...
But bad guys feel the credit crunch too and don't like to pay list price even when it's not their money (think stolen credit cards). Spot prices for EC2 instances are discounts on regular EC2 pricing for all. The downside is, you have to wait until the spot price is equal to, or lower than, your maximum bid. Some people won't wait for "the market" - they want their goodies faster. Since the market is nothing more than the current utilization level of EC2, the spot price goes down when EC2 is less utilized. As a Black Hat, you might want to influence that to drive the spot price down. Suddenly all those DoS attacks that you could only use to either cripple your online enemies or extort gambling sites and the like have a new use case - crashing existing customers' EC2 instances to artificially decrease demand for EC2 instances and thus lower the spot price.
Ouch.
The counterargument is that Black Hats won't bother going to all this effort - they don't need to. They already have access to enough disposable credit lines and/or vulnerable machines that they just won't bother. It's hard to disagree today. In Amazon PR terms, this is more a 'theoretical' attack - for now.
Regardless, the downside is that the introduction of an innovative pricing model today by Amazon leaves existing EC2 customers more exposed to DoS attack than they were before.
Update:
Amazon note in their updated AWS Customer Agreement:
"You may not, directly, indirectly, alone or in cooperation with any third party, attempt to control, influence or manipulate the price for Spot Instances. Without limiting the foregoing, you may not submit requests for Spot Instances through any third party (e.g., “proxy bidding”) or share information with any third party regarding the maximum prices specified in your Spot Instance Requests".
The Future of Cloud Computing Security: It’s Next Wednesday [Not Tuesday!] (Free Registration)
Next Tuesday Wednesday (!) I'll be part of a virtual panel as part of an online event organised by InformationWeek's Dark Reading and Black Hat. I encourage you to virtually attend as it promises to be an excellent Cloud/Virtualization Security discussion. You can register for free here.
The session will be hosted by my good friend and co-host of the Cloud Security Podcast, Chris Hoff.
In addition to the expertise that Chris brings to the table, the other guests are all hardcore in their own right. I promise you'll learn something - I'm pretty sure I will!
Here's the blurb:
Virtualization, Cloud Computing, And Next-Generation Security
The concept of cloud computing creates new challenges for security, because sensitive data may no longer reside on dedicated hardware. How can enterprises protect their most sensitive data in the rapidly-evolving world of shared computing resources? In this panel, Black Hat researchers who have found vulnerabilities in the cloud and software-as-a-service models meet other experts on virtualization and cloud computing to discuss the question of cloud computing’s impact on security and the steps that will be required to protect data in cloud environments.
Panelists: Glenn Brunette, Distinguished Engineer and Chief Security Architect, Sun Microsystems; Edward Haletky, Virtualization Security Expert; Chris Wolf, Virtualization Analyst, Burton Group; Jon Oberheide, Security Researcher; Craig Balding, Cloud Security Expert, cloudsecurity.org
Moderator: Christofer Hoff, Contributing Editor, Black Hat
Register for free here.
ENISA Cloud Security Risk Assessment: An Interview with Giles Hogben
Today, ENISA published the results of their Cloud Computing Risk Assessment.
ENISA, supported by a group of subject matter experts comprising representatives from Industry, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of the cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.
I highly recommend reading at least the Executive Summary (pg. 4-10) that covers
- top recommendations
- top security benefits
- top security risks
The Risk Assessment was led by Giles Hogben and Daniele Catteddu of ENISA. They brought together a wide range of contributors to help develop the material. I count myself as privileged to have contributed - even if I would have liked to spend more time on it, it was a pleasure to work with the team. As such, I stand behind the major findings of the report and think it's something you should read and show to decision makers.
I caught up with Giles to ask the kinds of questions I often hear about these efforts - I hope you find his responses helpful in positioning the work.
First off, can you tell us a little bit about ENISA? (mission, funding, legal status etc)
GH: ENISA is a European Union agency. We collect and disseminate best practices in information security and try to create a proactive security culture in Europe. We also advise the Commission and the Member states on NIS policy. We’re based in Crete, Greece, but you’ll see us all over Europe - we’re very proactive in the security community.
ENISA came into being following the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council on 10 March 2004.
What was the motive behind ENISA leading the development of this report?
GH: Cloud computing was identified by our own experts and by our industry and academic advisory group as one of the emerging applications which is likely to have the biggest impact on European businesses and governments in the near future.
Was there a specific trigger?
GH: If I had to point to one thing, it would be the economic crisis last year, which really put cloud computing on the agenda. After that, security conferences were abuzz with cloud computing and, more importantly, it really started to take off in the market.
Who is the target audience of the report?
GH: The main target is businesses, especially SME’s because they are the biggest customers of cloud computing and they probably need the most help in understanding the security issues. Generally they would like to know how to get the obvious benefits of going cloud, while minimising their risks.
What we’ve written is also applicable to larger businesses and we give some recommendations for research directions and legal recommendations which are aimed at governments.
Is it a “cloud security standard”?
GH: I suppose you’re referring to the assurance framework - the security checklist. It’s not as formal as that yet. We’re responding to two main requirements with this:
First of all, businesses would like to know what questions to ask when evaluating cloud providers’ security. This can also be related to certification. If they already have a certification such as ISO 27001, they may be required to gain certain assurances from the providers.
Secondly, cloud providers are overloaded with requests for audit and assurance - this takes up valuable time and can even weaken their security perimeters if it involves access to premises.
The check-list is aimed to address both these issues, but it’s only a first step. We are also working with a group of interested organisations to make something more formal, which might be closer to what you’re talking about.
Is ENISA trying to tell us how we should run our clouds?
GH: Absolutely not - we’re offering a framework for cloud providers to answer the right questions about security, just once instead of over and over again. If you look at the check-list, you’ll see that it has quite a lot of open questions which just point out the areas in which information should be provided about practices which are followed. It’s not very prescriptive, but in terms of pointing out the questions that really should be answered one way or another by the average provider, you could also see it as a best practice guide.
How will ENISA get the report into the hands of those that would most benefit?
GH: Media and blogs like this are one channel. We’ll be presenting the report in conferences around Europe, such as the World Cloud Computing Summit in Tel Aviv in December. We are also inputting the results into the Commission’s consultation on research priorities for cloud computing and we’ll be issuing a video in the next week or so to publicise the report.
Can you tell us a little about the process that was followed to develop the report?
GH: We started with a survey of SME’s asking questions about their attitudes to cloud computing and security issues. This was input to a set of scenarios which bring out the main risk areas to be addressed. We used scenarios to do a risk analysis similar to the ISO 27001 process, starting with identifying the assets, then looking at risks as vulnerabilities leading to threats on assets. We classified the risks according to their impact and probability.
For the security check-list, we looked at how the risks we identified should be addressed, and using the ISO 27001 controls as a basis, we identified the areas and questions which are most specific to the cloud.
There are a number of groups producing cloud security related works. Which groups did ENISA co-ordinate with?
GH: We have been in close contact with the Cloud Security Alliance - we will be organising a joint conference next year. We also have a member from the Jericho Forum in the expert group.
What were your goals when pulling together the working group?
GH: We wanted to get experts from major cloud providers, research projects, legal expertise and some independent security consultants. I was very pleased with the makeup of the group. They were very motivated and we had some great discussions.
Were there any aspects of the survey results that surprised you?
GH: One point was the number of SME’s who cited non-repudiability as a concern - basically for the customer, that would equate to - how do you prove you’re not responsible if something nasty is done with your account. I don’t know if this was just a statistical blip, or if they didn’t understand the word, but maybe people really are concerned about this.
We often hear about US based cloud services and adoption stories. What is your personal view on the rate of adoption of cloud services across Europe?
GH: There’s definitely more caution over here. The US government is already moving quite heavily into the cloud for lower assurance applications but I am not aware of any European governments who have reached that stage.
What are ENISA’s future plans around cloud security?
GH: Next year, we are organising a conference dedicated to this topic. It will be in Barcelona in March. We are also collaborating on a more formal version of the assurance framework. Expect an announcement on this towards the end of the year.
What IT security areas are you focusing on next with ENISA and where can people find out more?
GH: Next year, I will be working on evaluating Botnet measurement techniques and creating a set of best practices for Botnet defence and detection with a community of stakeholders. I’ll also be working on security exercises and following up the work on cloud computing I mentioned. So far, ENISA has focussed more on the lower layers - DNS, IPV6 etc… I want to drive our work more into the application layer, because I think many of the most important problems are higher up the stack.
Finally, what aspect of cloud computing fascinates you the most?
GH: Personally I'm very interested in higher assurance clouds - I'd like to know more about virtual private clouds, for example. How does key management work in large distributed architectures? Another question which fascinates me is how cloud computing could be built so that the customer does not have to trust the provider - could we ever have workable encryption techniques which allow processing which can't even in theory be accessed by the cloud provider? At the moment, the customer can encrypt data in clear-text, but as soon as they want to do anything with it in a CPU, they have to decrypt it.
—
I’d like to thank Giles for sharing his thoughts. I hope this gives people insight into the motivation, process and objectives of ENISA’s cloud efforts.
RSA Europe 2009 Presentation Posted
Thanks to those that requested a copy of my RSA Europe 2009 presentation, “What Everyone Ought To Know About Cloud Security”. RSA gave me the go-ahead to post it on my blog so here it is.
Whilst at RSA, Mirko from Help Net Security asked me to talk on a 5 minute podcast about Cloud Security from a technical perspective (thanks Mirko!).
This was my last high level presentation on Cloud Security issues - there’s lots of chewy cloud goodness to dive into hence future presentations will be more technical in nature.
Slides from my BruCon Talk: “The Belgian Beer Lovers Guide to Cloud Security”
I’ve received some requests for the slides I presented at BruCON, so here they are. As the slides are mostly devoid of text, I’ve included the speaker notes. The notes are not polished, hence treat accordingly ;-). To view in “Full Screen” mode click on the icon at the bottom right of the slideshare embed below and click “Fit to Height” to see the notes.
P.S. If you weren't at BruCON, you missed an excellent security conference - strong content, excellent organisation and facilities, friendly crowd. Thanks to Benny & crew for being excellent hosts!
