Cloud services offer convenience and potential cost savings, but a potential security issue may negate the benefits. Michael Kassner digs into some of the latest research.
I write about security, so my interest in "Cloud Services," or "Time-sharing Reincarnate" to us old-timers, is whether they are secure or not. Almost from the start, cloud services triggered my concern meter by the incessant reminding of how convenient the cloud is.
Since when is convenience a bad thing? Not normally, but current ideology in the digital world has convenience and security being polar opposites. I liken it to the mixing of water and oil. After a good shake, they may appear to be a single solution, but given enough time, they will separate.
I'm often asked for my opinion regarding cloud services. But I politely refuse, explaining that current arguments — pro and con — about security and cloud services are moot. There hasn't been any supportable evidence either way.
That is, until now...
The first chink
As I mentioned, I've been pursuing any and all leads about cloud-services security. And up until now, they have been dead ends. Then I caught wind of a research team and their finding: a vulnerability that, if exploited, jeopardizes the security of data residing in the cloud.
I'm afraid this is the real deal. The research team of Ari Juels (RSA Lab), Alina Oprea (RSA Lab), Michael Reiter (UofNC, Chapel Hill), Thomas Ristenpart (UofWI), and Yinqian Zhang (UofNC, Chapel Hill) have developed enough research to support multiple academic papers, and the capability to extract private encryption keys from a cloud service ("HomeAlone: Co-Residency Detection in the Cloud via Side-Channel Analysis" and "Cross-VM Side Channels and Their Use to Extract Private Keys").
No way was I going to let a chance like this slip away. I contacted Dr. Juels, and he agreed to answer my questions. But first, I thought it best to define cloud services (courtesy of Wikipedia):
Is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software and computation.
Kassner: Dr. Juels, cloud services cover a lot of territory. In order for us to understand your research findings, would you please define what your concerns are?
Dr. Juels: I think the term is appropriately broad, but it's worth highlighting elements relevant to security. Many of the security implications of the cloud stem from tenants entrusting computing resources to a third party that they controlled in the past.
The resulting loss of control and visibility gives rise to a large swath of security issues. Other security threats arise from the centralization that cloud services create and the resulting attraction of the cloud for attackers. But, centralization isn't without its security benefits either.
Kassner: Using many Virtual Machines (VM) on a single physical server is a big reason why cloud services are economically feasible. Between your comments, and the research papers, one begins to sense sharing space on a physical server is asking for trouble. Why is that?
Dr. Juels: VMs create an appearance of isolation between neighbors. This is a convenient abstraction, but glosses over an important reality: Sharing hardware means unintentionally sharing information. For low-security applications, this may not be a problem, but tenants need to understand the risks.
Kassner: In order to verify if a party is indeed the only VM on the server, you and the research team created HomeAlone. The research paper on HomeAlone states:
The key idea in HomeAlone is to invert the usual application of side channels. Rather than exploiting a side channel as a vector of attack, HomeAlone uses a side-channel (in the L2 memory cache) as a novel, defensive detection tool.
Kassner: What are side-channels, and would you please explain how HomeAlone works?
Dr. Juels: Side channels are vectors of information leakage that arise as a byproduct of system design, rather than an explicit feature. For example, if two VMs share a cache, one VM can deduce information about the other by examining its cache footprint. The cache wasn't designed to transmit information between VMs, but effectively does so.
Kassner: It almost seems no one believed you about the seriousness of side-channel attacks. To that end, you created an attack to prove your point. What were the results?
Dr. Juels: Security professionals have long hypothesized that sensitive information can be exfiltrated across VM boundaries, but didn't have proof positive. We've confirmed their intuition. What we've shown is that under the right circumstances, an attacker VM can extract a cryptographic key from a victim VM resident on the same server. In other words, an attacker can breach the VM isolation boundary, and seriously compromise a victim.
Kassner: We are always told it's one thing to create and prove something in the lab, but entirely different in the "wild." Is this approach accessible by anyone, and how hard would it be for them to get it up and running?
Dr. Juels: The attack we demonstrated is pretty difficult to mount. The student who implemented it, Yinqian Zhang, has a deep knowledge of side channels in virtualized environments and invested a lot of time and creativity in making it work. Broadly speaking, if you don't have more immediate concerns than side-channel attacks, you're probably doing a good job of securing your computing resources.
That said, I guess serious side-channel attacks are well within the capabilities of nation states, and they are an easily overlooked vector of attack. Moreover, once visible, attacks can become commoditized. While the development of Stuxnet probably required a well-resourced team of experts, malware writers learned from it, and have adopted techniques it introduced. Side channels are a real problem and already taken quite seriously for some technologies, such as smartcards.
Kassner: If you were required to set up a cloud service for a company, what would you look for in a cloud-service provider? Do you have any additional advice for those interested in a cloud service?
Dr. Juels: It's a Hobson's choice at the moment. I would urge the industry to press for better standards and procedures to achieve visibility and control. Auditing standards like the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) are utterly inadequate for achieving meaningful security assurances from cloud providers.
What tenants need is real-time, high-assurance validation of cloud security posture — not a checklist run through by some fellow showing up from time to time at a data center with a clipboard. The industry would benefit from a combination of tenants demanding better security reporting, and the development of new supporting technologies to secure the increasingly concentrated and critical infrastructure that is the cloud.
Kassner: Dr. Juels, I'd like your opinion on something. There is significant debate about how secure cloud services are. You have researched the subject extensively. What are your feelings on the subject?
Dr. Juels: The important point here is that nobody really knows. As I mentioned, cloud providers aren't required to or equipped to provide assurances of the security of their services that are commensurate with the responsibilities they're assuming. My impression is major cloud service providers are earnest about maintaining strong security, but it's not possible to have more than a vague impression.
Generally every new industry needs to relearn the security lessons of its predecessors, and treats security as an afterthought. What makes me somewhat optimistic about the cloud is that, in contrast to many past examples, security has been a major concern of customers from the very start.
It appears the floodgate is just cracked. Like many other sophisticated attacks that were quickly monetized, it's a pretty good bet this one will be as well. I'd like to reaffirm what Dr. Juels mentioned:
Cloud providers aren't required to or equipped to provide assurances of the security of their services that are commensurate with the responsibilities they're assuming.
In simple English, it is yet another case of “Buyer Beware.”
I’d like to thank the research team for their effort, and a special thanks to Dr. Juels for taking time to explain the team’s findings.