© Marvin Waschke 2017

Marvin Waschke, Personal Cybersecurity, 10.1007/978-1-4842-2430-4_6

6. Cloud Threats

Clouds Are Good, But Not All Good

Marvin Waschke

(1) Bellingham, Washington, USA

Clouds are a long way from the personal computer that appeared in the mid-1980s and took over the industry. Home personal computers were thought of as private, just another standalone appliance like a vacuum cleaner or an electric coffee pot. A personal computer was a personal possession. Their owners controlled all access. Owners bought software and installed it on their computer in the same way they bought a new dishwasher and installed it in their kitchen. Both the software and the dishwasher were theirs and theirs alone. Anyone who wanted to use either the software or the dishwasher had to enter the owner’s home with the owner’s permission. An intrusion into a private personal computer was housebreaking or trespassing, an occasion for the classic work that police have performed for many decades.

Networks, especially the Internet, connect home computers to the outside world. Laptops, smartphones, and tablets unleash computer users from their desktop machines and free them to ramble outside the home.

Now, via networks, individual computers of all kinds use resources that are in physically distant clouds. This arrangement offers important benefits. Although our devices are much more powerful than the devices of a decade or two ago, our expectations of our devices far exceed their capacity.

For example, laptops today often have multi-terabyte disc drives. Ten years ago, 500 megabytes were considered adequate for a laptop. Like many others a decade ago, I stored a dictionary on my laptop. I no longer do that. Instead, I use the Internet to access a much larger and continuously updated dictionary that is stored in a cloud. Although I have a hard drive on my laptop that is orders of magnitude larger than the drives of 10 years ago, the online dictionary I access is larger and more frequently updated than anything I could host locally. Wireless Internet connections are everywhere and so convenient that the requirement for an Internet connection is not a bother.1

It’s the same for most everyone. You could not even consider storing on your private hard drive the data that Google scans or Wikipedia contains. We now use smartphones, tablets, and laptops in addition to desktop PCs, and they are all connected to clouds, each of which supplies services that we could not duplicate with our own local resources.

Clouds have increased the usefulness and entertainment value of our personal devices, but not without a cost. There are now a host of security threats and concerns that are not easily addressed with old-fashioned police work.

What Is the Cloud?

Clouds are all over the place. Often, everything seems to be on its way into the cloud. As much as the term is used, people frequently have a misconception of what a cloud is. Perhaps surprisingly, a cloud is both a business and a technical concept, and both aspects of the cloud have a direct bearing on individual cloud security.

Cloud Business

Clouds are a business arrangement between a consumer and a provider. The provider agrees to provide certain computing services to the consumer and, unless the service happens to be free, the consumer agrees to pay the provider at some agreed upon rate. The service may offer the use of simulated computers and other computing resources in remote data centers, or the service may be an application like an accounting program that runs on the provider’s servers, or the provider could offer storage services on their remote storage devices. In all cases, the provider supplies the equipment for generating and delivering the service and maintains the service. In most cases, the consumers pay for the services in proportion to what they consume.

For instance, a music service provider stores recorded music on disk drives and other devices in their system and makes sure the music is available to their consumers. The consumer pays for the service, not the equipment for producing the service. The service is different from buying a CD or DVD at a music store. After a customer buys a CD, the customer owns the CD that stores the recording of the music. If the CD is damaged, the customer has to buy another CD. Subscribing to a music service, the consumers have rights to the music they have subscribed to, but not the physical devices that store the music. The subscribers do not care what happens to the equipment that stores the music they listen to. Equipment issues are the provider’s problem.

This business arrangement offers benefits to the consumer. In the case of a music service, they probably have access to more music at lower cost than they did when purchasing their own CDs and DVDs. Media storage no longer takes up space in their homes, they no longer have to box up heavy media and lug them around when they move, and they don’t have to worry about damaging their CDs or insuring them against accidents. However, subscribers usually can’t sell their music to someone else when they get tired of it like they can sell a CD.

The business behind these marvelous services can be confusing or worse. The agreement between a cloud service provider and consumer is complex compared to an ordinary purchase. Buying and selling has been going on for a long, long time and the rules have been worked out and embodied in customs we all know. The common law and statutes of buying and selling are thoroughly understood by the legal system. Most people have an intuitive idea of the rights and responsibilities of buying and selling.

Cloud service consumer-provider relationships are not as clear. The exchange is abstract. There is nothing like a CD to see or touch. Most people do not have a clear notion of what it means to have rights to the music, but not physical media. For example, they do not have an immediate understanding of what happens when their music provider goes out of business. Do they have any rights to the music they once had? Or do their rights terminate with the departure of the provider?

Commonplace rules for buying and selling physical objects are often unclear when applied to abstract rights. Rather than rely on bewildering legal arguments to sort out rights and obligations, cloud providers and consumers usually agree on explicit agreements that spell out the rights and obligations of each party. These are service contracts. They often contain provisions that specify the guaranteed performance and reliability of the service, and incentives and penalties to encourage compliance. Most importantly, the agreement will spell out the limits on the liability of both the consumer and provider. For example, the agreement may stipulate that the provider is not liable for performance degradation due to network issues. These agreements are documented in a service contract that is binding on both parties.

Service contracts are often sources of contention. When a large enterprise enters into a contract with a cloud provider, they have some leverage and the possibility of negotiating a mutually acceptable agreement. Individual consumers and smaller businesses do not have leverage and the provider calls the shots and writes a click-through contract that the consumer must agree to before they can access the service. Consumers can easily agree to the contract without reading it. Thus, consumers often do not fully understand what they have signed up for and are later surprised that the service was not what they thought, to the point that they feel they have been treated unfairly.

Cloud Technology

Technically, “the cloud” does not exist. There are many clouds. When someone says “the cloud” they either mean the collection of all clouds, or, more likely, the cloud they happen to be using at the moment. A cloud is a pool of computing and storage resources. These resources are linked together to run virtual machines for parceling out resources to consumers. A virtual machine is a software program that imitates a physical computer in such a way that other software can be run on this software imitation computer as if it were a real physical computer. Virtual machines are created and taken down as needed by cloud consumers. See Figure 6-1. This has proven to be a flexible and efficient way to support the business side of the cloud concept.

Figure 6-1. Cloud subscribers connect to private virtual machines that run on physical computers

Virtual machines break the binding between software and hardware. From a datacenter that pools together large numbers of computers, a cloud provider can offer to create as many virtual computers with as much capacity as a consumer wants and the consumer can increase or decrease the capacity when they want, limited only by the total physical capacity of the entire datacenter. The provider can offer virtual computers to many different consumers simultaneously.

When an underlying physical computer breaks down, the virtual computers it supported are moved, almost always automatically, to other physical computers. The cloud datacenter is in continual flux with virtual computers starting, stopping, and moving from physical computer to physical computer, responding to consumer requests and changes in the computing environment. Cloud technology has advanced to the point that a single public cloud may be implemented in several geographically dispersed datacenters. Often data is copied to each datacenter. If a power outage disables one datacenter, the load is transferred to datacenters in other regions unaffected by the outage. Constantly adjusting to circumstances, a cloud datacenter can be more reliable and safer than a traditional system.

These computers are all virtual, but to the consumer, they are almost indistinguishable from a physical computer. Ordinarily, software does not need to be rewritten to run on a cloud, but it is often changed to optimize performance on a cloud. The consumer usually pays in proportion to the number, size, and running time of the virtual machines they use. The consumer can tailor their capacity to their needs to an extent that is impossible with physical machines they purchase or lease. The ability to adjust capacity and costs has led many businesses to replace all or part of their computing hardware with off-site public cloud services that are offered by providers like Microsoft and Amazon Web Services. Personal consumers usually are not aware of the virtual machines behind the services they use, but they are there.

Clouds are implemented in many ways. Some clouds are private, owned and used by a single enterprise that manages their IT equipment as if it were deployed on an external provider cloud. Other clouds are public, offering cloud services to all comers. There are also variations in which clouds are shared among several users, private clouds may offer some access to external entities, and so on.

Providing raw computing power rather than a service implemented on a cloud is called infrastructure as a service (IaaS). IaaS replaces a computer or a group of computers and storage resources with similar devices running in a cloud. Most individuals are not exposed to this type of cloud service. Instead, another party implements a service on a cloud and then offers services publicly.

Virtualized cloud technology enables many companies to offer services, like Dropbox, Google Docs, or Intuit QuickBooks Online, that run in remote cloud datacenters and use remote storage rather than the consumer’s physical computer and disk storage. Cloud applications are usually much more powerful than an individual’s desktop, laptop, tablet, or smartphone could support, although they may be hindered by a draggy network. These cloud-based applications are maintained by the provider, not the consumer. This is another reason cloud-based applications are attractive.

Cloud Exposures

Although the cloud confers many benefits, it is also a relatively new paradigm for computing. This paradigm has security issues that conventional computing does not have. Some of these issues have greater implications for business than individuals, but many apply to individuals as well. Some of these differences stem from the business aspect of clouds; others are technical.

A service running on virtual machines in a cloud has most of the security vulnerabilities of an application running locally on an individual machine. However, instead of a non-technical home user, the security of an application running in a provider’s well-run datacenter is the responsibility of a security professional, and the application runs on well-maintained hardware placed in an optimum environment in a highly secure datacenter. Security breaches are still possible, but they are less likely than a breach to a casually maintained application running on an unsecured laptop left on a table at Starbucks.

Services executing in a cloud datacenter are subject to another kind of issue that is not a security breach. Mistakes made by datacenter operators can lead to interruptions or degradations in service. For example, the operators may fumble maintenance on the system, which results in a slowdown or complete interruption. Although a non-technical user is more likely than a trained professional to cause maintenance issues, expectations for the professional are higher. Users can take cold comfort in blaming themselves for the problems they cause for themselves, but that may be more satisfactory than a mysterious interruption that was not supposed to happen.2

A few years ago, the biggest obstacle to cloud adoption among government agencies and large enterprises, particularly in the financial industries, was security. These questions have not gone away, but many have been answered. Both businesses and government are used to security risks and regularly accept risk, but they avoid what they call unmanaged risk. Risk is deemed to be managed when the business has a clear estimate of the probability and magnitude of a loss and has taken steps to mitigate the loss. Early cloud implementations were often considered to be unmanaged risks and therefore avoided. Decisions on the manageability of business risks are usually made by auditors. Corporate and government auditors have subsequently developed methods for assessing and mitigating the risks in cloud deployments. These have included auditing standards and security certification for cloud providers. Although some uncertainty lingers, the hesitancy has diminished substantially. Amazon Web Services, for example, offers cloud implementations tailored to government risk requirements.3

Cloud Attack Surfaces

The attack surface of a service is the set of points where the service is vulnerable to attack. All other things being equal, a service with a small attack surface is more secure than a service with a larger attack surface. A traditional application is vulnerable to attack on the computer where it runs. There are a limited number of points where an intruder can gain access to the system, such as the Ethernet adapter, the Bluetooth radio, the wireless radio, the keyboard, etc. These vulnerable points can each be identified, watched for intrusions, and protected.

Services implemented on clouds have larger attack surfaces than traditional applications that run on the user’s device. Traditional applications are contained; an invader must gain access to the user’s device to affect the application. Personal devices certainly have considerable attack surfaces that have often been penetrated, but the tools for fending off attackers, such as antivirus tools and frequent system updates, are well known and generally used.

Cloud attack surfaces include the interfaces that are used for managing and interacting with cloud applications, the network connection to the consumer, and the internal operations of the provider, not to mention the vulnerabilities of the consumer’s personal devices. Some of these attack surfaces are proprietary implementations, others are standard, but they are not as well known or as subject to wide public scrutiny as personal device interfaces.

Cloud services are supported by trained and experienced professionals who are much better prepared to protect their systems than a typical individual user. Nevertheless, their attack surface is larger and less well known, which means more opportunities for criminals to develop new threats.

Hypervisor Vulnerability

Virtualization implementations have an important vulnerability that could seriously affect cloud implementations. This potential weakness is important because with the current state of technology, virtualization is unavoidable. Cloud implementations depend on virtualization to deliver services that are dynamically tailored to the varying needs of their consumers. There is really no alternative to virtualization available or on the horizon today. However, virtualization implementations are vulnerable to a chilling exploitation.

In a cloud, virtual machines are popping up and down and transferring from one physical machine to another all the time. These virtual machines are controlled by a process, often called the hypervisor. The job of the hypervisor is to supervise the frenzy of activity in a virtualized environment. The hypervisor starts each virtual machine and then supervises it from start-up to shutdown. The hypervisor maintains contact with each virtual machine and maintains basic control. Communication is always supposed to be from the hypervisor to the virtual machine, never the reverse.

Virtual machines can communicate via a network, actually a virtual network that can connect with a physical network, just like physical computers. This network communication is vulnerable to attack in the same way that any network connection is vulnerable. Data must be protected and unauthorized use of the network must be prevented. The protective measures such as firewalls, encryption, and other defenses are effective in protecting virtual systems.

However, virtual machines have an additional vulnerability: communication through the hypervisor. If the hypervisor has a defect that allows virtual machines to access the hypervisor, one virtual machine could affect another virtual machine through the hypervisor rather than the known and controlled network connection.

This vulnerability is especially insidious. An attacker who gains access to one virtual machine and exploits a hypervisor vulnerability could gain access to many other virtual machines, including those owned by other consumers. A bad-guy subscriber, or an innocent subscriber with weak security, could become a platform for invading all the subscribers to a compromised cloud. If the cloud were from one of the large cloud providers, the results could be disastrous. See Figure 6-2.

Figure 6-2. Theoretically, a hypervisor bug could allow a hacker to attack virtual machines belonging to other cloud consumers

Let’s look at a theoretical example of a devastating hypervisor attack. Suppose a successful hypervisor attack were directed toward a public cloud like Amazon Web Services, which is used by many businesses. A hacker exploiting a hypervisor bug could open a credit card account with a large public cloud provider, request a virtual machine for a few dollars, then use the virtual machine to gain access to virtual machines of other users of the public cloud. One of those users could be an entertainment streaming company like Netflix, which happens to be an AWS cloud customer. The streaming company’s virtual machines could be broken into through the public cloud hypervisor. With sufficient knowledge of the streaming system, the hacker would be able to perform all kinds of mischief: free streaming, streaming fraudulently charged to the streaming company’s subscribers; there are many possibilities. The worst part is that the problems would appear to be the fault of the streaming company, but the real vulnerability would be the public cloud’s hypervisor code, over which the streaming company has no control.

Fortunately, hypervisor code is relatively short and straightforward. No code is ever completely safe, but short and straightforward code is the least likely to have flaws. Compared to sprawling operating systems like Windows or Linux, this kind of code is easy to keep secure.

At this time, no real-world examples of hypervisor attacks are known. There have been no reports of successful attacks through hypervisors, although researchers have found a few exploitable flaws. These were quickly fixed. Both cloud providers and virtual platform developers are aware of the potential consequences of an exploitable hypervisor flaw and have striven to keep the hypervisor platforms iron-clad. Some of the risk is removed by minimizing the cases where hypervisors cross cloud subscriber boundaries. For instance, a large streaming company would probably have their own exclusive hypervisors that are not touched by outsiders’ virtual machines.

In addition, a hypervisor attack is a chancy fishing expedition requiring considerable knowledge of the cloud implementation and the way the cloud is used by its subscribers. An attacker would have to do substantial research to plan an invasion with a reasonable probability of success. This would require both technical and business prowess. Many other attacks are more certain to yield profits with less effort. Criminal hackers are much more likely to pursue easy money than chase after an expensive and risky hypervisor hack. On the other hand, a hacker who succeeded in a hypervisor hack would get considerable respect from his or her peers, which could be a motivation more powerful than greed.

There have been a few hypervisor exploits that have proved out in the lab, but have not resulted in any known successful invasions. Looking at all sides of the issue, hypervisor attacks are only theoretical and not a significant threat. However, the instant the industry ceases to exercise adequate vigilance and caution, the threat will increase.4

Network Exposure

A cloud-based service depends on the provider’s equipment and implementation, the connecting network, and the end user’s computing device. Dependency on three parties instead of just the end user increases the attack surface and makes identification of the source of vulnerabilities more difficult. In addition, pointing out which party is responsible for each vulnerability can be confusing.

Network Vulnerability

Unlike traditional applications that use only the resources on the user’s computer, cloud services are remote and rely upon transmission over a network, usually the Internet, to connect the consumer to the cloud implementation of the service. This presents a new set of security issues and vulnerabilities.

The provider is responsible for what happens in the cloud; the consumer is responsible for what happens on their device. The responsibility for the successful transmission of data depends on the network providers. A failure at the provider, the network, or the user’s own software and hardware can cause the service to malfunction. In addition, data is sometimes transferred from network operator to network operator on its route between consumer and provider, adding further complications.

The consequences of this distribution of responsibility appear when an individual customer of a cloud service, say a music service, calls the provider’s customer service to say that their music is coming in bursts with gaps of silence. The service rep checks the situation out and says “Everything is fine here, call your ISP.” The poor user barely knows what an ISP is (an Internet Service Provider) and when they call their ISP, they don’t know how to articulate their problem in a way that a network engineer can understand, and the best the user gets in reply is an unsatisfying suggestion to wait and try again later.

There may have been an issue like a denial of service attack or a host of other things, such as a satellite transmission garbled by solar emissions, an overloaded router somewhere in the Internet, or a broken connection that had to be circumvented. The possibilities are endless, but the point is that finding the source of the disturbance involves many participants. If the cause is hacking somewhere in the system, finding and stopping the hacker may be difficult.

Denial of Service Attacks

All cloud services are subject to denial of service attacks, perhaps the most serious network vulnerability. These attacks are directed at the service provider, but affect the consumers of the service. I’ve talked about denial of service in other chapters. A denial of service attack is a flood of messages directed at a provider site that is intended to overwhelm the provider, and block service to the provider’s legitimate consumers.

As a consumer, there is little you can do to prevent denial of service attacks, other than avoid being an unknowing contributor to attacks by allowing your devices to become bots used to launch attacks. Consumers experience a denial of service attack as a slowdown or interruption in service. Sometimes, the service does not respond when brought up in a browser, or the pages populate slowly, or jerkily. Although these are symptoms of denial of service attacks, they can be caused by other issues. Often, services have service sites that post messages to explain what is going on. For instance, Amazon Web Services provides their Service Health Dashboard,5 which offers up-to-the-minute status information. The AWS dashboard is the place to check whether an AWS service is undergoing a denial of service attack. Other cloud services provide similar dashboards.

During an attack, the provider is inundated with bogus requests and messages that take away resources from responding to legitimate transactions. Denial of service attacks, especially those that are coordinated attacks from many sources, called distributed denial of service attacks, are an issue that providers have taken seriously. Some denial of service attacks can now be squelched effectively, but hackers are innovative and attacks still occur. Hackers continually come up with new methods. The latest ploy is to use devices in the Internet of Things as bots. Like so many things in security, the latest innovative attacks succeed until the providers find an effective defense.
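The paragraph above describes what a provider sees during an attack: a flood of requests that crowds out legitimate traffic, arriving either from one source or, in a distributed attack, from many sources that are each individually unremarkable. The following added example (not code from the book or from any provider) shows the simplest form of the detection a provider runs over its request logs. The log lines, the documentation-range IP addresses, the 10-second window and the two thresholds are all constructed here for illustration; real services tune them to their own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def make_sample_log():
    """Constructed request log (not real traffic): one 'timestamp ip path' line per request."""
    base = datetime(2017, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset, ip, path="/stream"):
        stamp = (base + timedelta(seconds=offset)).strftime(LOG_FORMAT)
        lines.append(f"{stamp} {ip} {path}")

    subscribers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    # Windows 0 and 1: ordinary traffic, two requests per subscriber per window
    for w in (0, 1):
        for ip in subscribers:
            add(w * 10 + 1, ip)
            add(w * 10 + 6, ip)
    # Window 1: a single address sends 30 requests in ten seconds
    for i in range(30):
        add(10 + i % 10, "198.51.100.7")
    # Window 2: fifteen addresses send five requests each; none is noisy on its own,
    # but together they exceed what the service can absorb (a distributed flood)
    for n in range(1, 16):
        for i in range(5):
            add(20 + (i * 2) % 10, f"203.0.113.{n}")
    return lines


def parse_line(line):
    """Split a log line into (timestamp, client address, request path)."""
    stamp, ip, path = line.split(" ", 2)
    return datetime.strptime(stamp, LOG_FORMAT).replace(tzinfo=timezone.utc), ip, path


def analyze(lines, window=10, per_source_limit=20, aggregate_limit=60):
    """Bucket requests into fixed windows and flag floods.

    A window is reported as a 'single-source flood' when any one address exceeds
    per_source_limit, and as a 'distributed flood' when no single address is over
    the limit but the window total exceeds aggregate_limit. Windows are numbered
    from the first one seen so the result does not depend on absolute time.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip, _ in (parse_line(line) for line in lines):
        counts[int(ts.timestamp()) // window][ip] += 1
    if not counts:
        return []
    first = min(counts)
    findings = []
    for idx in sorted(counts):
        per_ip = counts[idx]
        total = sum(per_ip.values())
        noisy = sorted(ip for ip, n in per_ip.items() if n > per_source_limit)
        if noisy:
            findings.append({"window": idx - first, "kind": "single-source flood",
                             "total": total, "sources": noisy})
        elif total > aggregate_limit:
            findings.append({"window": idx - first, "kind": "distributed flood",
                             "total": total, "sources": sorted(per_ip)})
    return findings


if __name__ == "__main__":
    for finding in analyze(make_sample_log()):
        print(finding)
```

The single-source case is the one a provider can squelch by dropping that address; the distributed case is why the text says those attacks are taken so seriously, since there is no single address to block and the defence has to be capacity and upstream filtering rather than a simple block list.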

The good news is that denial of service is disruptive but seldom destructive. The attacks are launched for harassment or coercion rather than theft. For consumers, a provider under denial of service attack may be unreachable, or the service provided is slow and erratic, but the damage is limited to the unavailability of the service.

Man-in-the-Middle Attacks

Another network-based cloud attack is the man-in-the-middle attack. This type of attack affects cloud consumers directly. The attack interferes with the connection between the consumer and the cloud provider. A man-in-the-middle attacker hijacks the network connection between the consumer and cloud and places himself in the middle so he can manipulate communication between consumer and provider.

Men-in-the-middle have several opportunities for mischief. They can log consumers’ data as it travels over the network wire as they forward it on to the provider. These logs are mined by the hacker for prizes such as passwords, payment card data, guarded intellectual property, and the like. The men-in-the-middle can also divert the stream of traffic from the provider to their own server and send fake responses to the consumer. This places the man-in-the-middle in a position to do great damage. For example, a man-in-the-middle attack could fake, or spoof, a banking site. The consumer may think that they are dealing with a legitimate bank, but in fact, they are dealing with a criminal hacker who steals credentials, creates bogus accounts, or executes any number of fraudulent schemes.

Man-in-the-middle exploits are similar to some phishing expeditions that divert unwary victims to spoofing sites. In a phishing attack, the hacker will try to trick the user into clicking to an address that is a spoof of a legitimate site. Some man-in-the-middle attacks achieve the same goal, but they do it in a more insidious manner. The victim clicks on a legitimate address, but the hacker has rigged the addressing system so that the legitimate address takes the victim to an illegitimate site. A man-in-the-middle attack like this requires greater technical knowledge and is more difficult to pull off, but it can be effective. The phishing-style attack can usually be warded off by vigilant inspection of network addresses. No amount of address inspection will help if the address itself has been diverted.

The basic defense against man-in-the-middle attacks is well-maintained TLS (or SSL) connections. Personal users should take care that the connections with their services use https rather than http and pay attention when a browser says a certificate is invalid. For a TLS connection to succeed, the target must supply a valid certificate of identity issued by a verifiable certification authority. A hacker attempting to hijack a secure connection often shows up as an invalid certificate. Too often, users will order their browser to ignore the bad certificate, defeating the TLS man-in-the-middle defense and leaving encryption of data in transit also vulnerable. However, an invalid certificate does not always signal a man-in-the-middle attack. The invalid certificate flag is also raised when a provider neglects to renew their certificate on time. A check with the provider support site can dispel doubts.
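The browser warning the paragraph describes is the visible side of two checks a TLS client performs: that the certificate chains to a trusted certification authority, and that it was issued for the name the user actually asked for. Clicking past the warning turns both checks off. The added example below (written for this discussion, not code from the book) shows the two settings side by side in Python’s standard ssl module, an audit function that reports when either check is disabled, and a check that a service address uses https at all. The host name bank.example.com and the connection helper are illustrative assumptions; only the helper needs network access.

```python
import socket
import ssl
from urllib.parse import urlparse


def hardened_context():
    """Client context equivalent to a browser that honours certificate warnings.

    create_default_context() loads the system CA store, requires a certificate
    (CERT_REQUIRED) and checks that it was issued for the requested host name.
    """
    return ssl.create_default_context()


def click_through_context():
    """Client context equivalent to clicking 'proceed anyway' on a warning.

    Any certificate, issued by anyone, for any name, is accepted, which is
    exactly the condition a man-in-the-middle needs. Shown here only so the
    weak and the correct settings can be compared; never use it in practice.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means both TLS checks are in force."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified: an attacker's own "
                        "certificate would be accepted")
    if not ctx.check_hostname:
        findings.append("host name is not checked: a valid certificate for some "
                        "other site would be accepted")
    return findings


def audit_url(url):
    """Return a finding when a service address is not protected by TLS, else None."""
    if urlparse(url).scheme.lower() != "https":
        return f"{url}: not an https address, traffic can be read and altered in transit"
    return None


def peer_certificate_subject(host, port=443, ctx=None):
    """Open a verified TLS connection and return the subject of the presented certificate.

    A failed check raises ssl.SSLCertVerificationError, the programmatic form of
    the browser's warning. Requires network access; not exercised offline.
    """
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_context()) or "no findings")
    print("click-through:", audit_context(click_through_context()))
    print(audit_url("http://bank.example.com/login"))   # illustrative host name
```

The expired-certificate case the text mentions surfaces through the same path: the hardened context raises a verification error whose message names the reason, so a script, like a user, can tell “certificate has expired” apart from a name mismatch and decide whether a call to the provider is warranted rather than silently switching to the click-through settings.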

Interruptions

Everyone experiences network interruptions at one time or another. The Internet architecture assumes the network is unreliable and is designed to be resilient to network lapses. For this reason, when an interruption occurs, the network can often heal itself by routing traffic around the interruption; traffic slows, but does not stop. The Internet is surprisingly redundant and resilient, but sites still lose contact with the rest of the Internet. Entire countries are sometimes dependent on a single undersea cable that can be severed by an underwater earthquake or other mishaps such as shark bites.6 Communities often depend on suspended cables that fall in windstorms. Excavation damage to buried cables can also bring down communities. Network operators continue to improve the reliability of their systems, but network interruptions will probably never be eliminated.

Network interruptions can have important implications for data storage as well as the consumer experience. These implications are discussed below in the “Cloud Data Repository” section.

Service Contracts

When consumers use a cloud, they trust the cloud provider to take proper care of security and other interests that they have entrusted to the provider. The interests delegated to the provider can be data that consumers expect to be kept private and protected from corruption or loss. They also include processes that the consumer expects to behave as promised and perform reliably and well. In a traditional personal computing environment, users of a computing device have complete control. They choose the software products. They can install the latest antivirus software, keep their applications and operating systems patched, even disconnect from the Internet when they feel it is needed. They can make sure their laptops, tablets, and smartphones are in safe places. They can put locks on the door to their desktop computer and they have many options for securing their environment.

A cloud computer user can and should take similar precautions, but their cloud applications remain in the hands of their cloud providers. The user has delegated responsibility to the provider, which has benefits. The user’s responsibility for updates and maintenance goes to the provider. The provider takes care of a large share of the security of the cloud service and the provider is responsible for deploying adequate hardware to support the application and the day-to-day necessities of keeping the service up and running.

All this is great, but there is a big if here. It’s great if the provider does their job, and it’s a nightmare if the provider slacks off. Delegation of responsibilities like these happens often in business. Contracts are negotiated to ensure that each party fully understands their role and the expectations for the transaction, and to see that the expectations set in the contract are legally enforceable.

The multimillion-dollar cloud service contracts signed when a large corporation engages a cloud provider are often the detailed product of lengthy negotiation. The service contracts that individuals agree to when they subscribe to a cloud service are seldom the product of negotiation. Instead they are click-through agreements that must be accepted in order to access the service. Users accept the agreement or they don’t. One size fits all, whether you like it or not. U.S. courts have generally enforced reasonable click-through agreements.7

However, reasonability depends on who is doing the reasoning. The provisions in these agreements invariably limit providers’ liability and often specify a process for dispute arbitration. Since the consumer has no role in formulating the agreement, it is not surprising that the provisions in these agreements are usually stacked heavily in the provider’s favor. A cynic might say that click-through agreements are written by reversing the service contract provisions that are demanded by powerful corporate consumers with the economic muscle to stand up to the provider.

The individual usually is given little protection by a click-through service contract. Typically, the provider will accept no liability for malfunction or interrupted delivery of the service. They also seldom accept responsibility for loss of data stored on the service. Furthermore, the consumer often agrees not to take the provider to court or to participate in class action suits against the provider. Instead, the dispute may be taken to an arbitrator chosen by the provider and the consumer may be required to pay the costs of arbitration.

After lamenting the state of click-through service contracts, I must say that I personally use a number of cloud services and find them quite satisfactory. Individual consumers are better off in some ways than big enterprises with iron-clad service contracts.

Although cloud service providers use their contracts to protect themselves zealously from the dissatisfaction of their users, in another way, the providers are at the mercy of their customers, no matter what their contract says. Their profits and corporate interests depend on the good will of their customers. If an individual has a month-to-month license to use an office service, they can drop the service whenever they please. Dropping a service may cause an individual some inconvenience, but large corporate service consumers often find switching providers to be too expensive to even think about.

Often, enterprises with carefully negotiated contracts slide into dependency on their providers and become stuck with their provider. The provider’s services become so deeply embedded in the enterprise business process that switching providers becomes an expense that can threaten executive careers. The cost of retraining for a new service can easily prohibit switching service providers .

Clearly, the enterprises have some advantages in dealing with cloud service providers, but possibly not as much advantage as appears on the surface. By all means, individual users should read click-through agreements before they accept them. Annoyingly, the best products can have the worst agreements. The dismal truth is that the alternative to a one-sided service contract is usually no service.

Without the protection of an equitably negotiated service contract, individual users must rely on the reputation and integrity of the provider. Not all providers are reputable, but most are, and bad reputations are hard to hide on the Internet. A draconian click-through agreement is a sign of an aggressive legal team, not necessarily poor service. One-sided contracts are often overridden by the desire to avoid a bad reputation with potential consumers.

Potential cloud service consumers should ask questions. Does the service have satisfied consumers? A service that has been available for a substantial period but has few users is certainly suspect. Look at reviews and user comments. Does the service have known technical deficiencies? These are often reported in blogs and trade publications. Is the service frequently down or slow? Does the provider offer a service health dashboard? Does it offer multi-factor authentication, and can you export your data if you decide to leave? Do customers complain about the provider’s customer service? Is a stable company behind the service? Services that are acquired or go out of business may abandon their consumers or show a marked decrease in the quality of the service. In fairness, an acquisition or merger can also improve services from a struggling company.

Credential Compromise

Stealing passwords is a basic attack vector that applies to every aspect of computer security, including cloud services. Clouds are vulnerable to stolen passwords in the same way that any account is vulnerable. Phishing, keyboard logging, man-in-the-middle attacks, reuse of a password that leaked in some other service’s breach, and peeking over someone’s shoulder as they type in a password work just as well with cloud passwords as with anything else; cloud credentials have the same vulnerabilities as smartphone PINs and tablet and laptop passwords.

Cloud service credentials are critical in direct proportion to the importance of the service itself. Locally installed applications are only accessible from the machine on which they are installed; cloud services are available from anywhere on the Internet.

Consequently, cloud services depend more on strong credentials to prevent unauthorized access. These credentials are the keys to important resources and should not be treated trivially. Both individuals and enterprises should take care with their cloud credentials, following the basic rules of password hygiene: long passwords, preferably random or phrases rather than individual words; never duplicated across services; kept secret; and changed promptly whenever there is any sign that they have been exposed. (Changing strong, unique passwords on a fixed schedule is no longer recommended; in practice it produces weaker, more predictable passwords.) A password manager makes unique random passwords practical. Use multi-factor authentication when available.

Cloud service vendors that offer multiple services often present users with a single account for accessing all their services. This is convenient and saves memorizing a handful of passwords for all these services. However, users must keep in mind that these passwords are of great value to hackers because they unlock many treasures. Keep these passwords strong and unique, protect them with multi-factor authentication, and remember that the account-recovery channel, the backup email address or phone number that can reset the password, is worth as much to an attacker as the password itself.

Cloud Data Repositories

Cloud data repositories are like personal hard drives that are accessible anywhere the Internet reaches and have larger data storage capacity than that of a personal device such as a smartphone, tablet, laptop, or desktop. A cloud repository is slower than direct storage, especially solid state storage, but is adequate for many purposes. Many people use cloud storage for bulky data such as audio files, photographs, and video. The data is slower to retrieve than data on an internal disk, but much faster than alternatives like carrying around a set of DVDs.

Besides increased data capacity, cloud repositories share data easily. For example, before cloud repositories, a team or group of friends with data that they all want to access could each keep copies of the data and email changes to each other. However, that method is slow and it is hard to keep track of who has what version of the data. If one person misses an email, the whole collection of data can turn into a mess of compounding errors.

Sharing via a cloud can be much easier and efficient. A single copy of the data can be stored in the cloud and each member of the group has access. There is only ever one copy of the data. This is less error prone and avoids the effort of exchanging data. Placing the data in a central repository is also a more efficient use of network bandwidth than transferring data to members who may not use it.

Another related use is for synchronizing data between devices. People who have several devices—a desktop, laptop, tablet, and smartphone—may want to access their data from each of these devices. Storing the data on a cloud repository fills the bill. Each of their devices can access the same data in the cloud. Some data repository services like Dropbox or OneDrive will store copies of the data locally on each of the devices and manage synchronizing them. This can be very convenient when the devices are not always online.

Cloud repositories are also useful because they are remote from personal devices. When data is only stored locally, it is subject to local disasters. A cautious user may store backups from the office at home and from home at the office, but when a hurricane wipes out the whole town, caution did them no good. Typically, cloud repositories store data redundantly in widely separated data centers, providing protection from even regional disasters. Cloud repositories also provide some protection from ransomware attacks that render local data inaccessible with a key which the criminal offers for ransom. Storing files in a cloud data repository can help recover from ransomware attacks, which have become a frequent threat, with one caution: a synchronizing client will faithfully upload the encrypted versions over the good ones, so the protection depends on the service keeping earlier versions of files.8

Cloud Repository Risks

A reputable cloud provider can store data more securely than an individual. Cloud datacenters can be physically secured and guarded more effectively than most individuals are able to protect their personal devices. In addition, cloud administrative teams are usually better prepared to defend against malicious hackers than most individuals.

Data Loss

Data loss from cloud repositories is possible, but not as likely as many people fear. Cloud providers usually store data redundantly so that more than one storage device has to fail before data is lost. Often, copies of data are stored in geographically remote locations to guard against disasters like fires or floods that take down all storage in a single area. Redundancy guards against failed hardware, not against the user: a file deleted by mistake, or by an intruder using the user’s credentials, is deleted from every copy, so check whether the service keeps deleted files or earlier versions, and for how long.

Temporary Loss of Access

Data repositories are subject to all of the risks that apply to all cloud services, such as denial of service attacks and network interruptions.

Maintenance and System Issues

Maintenance or other system issues can interrupt service. The length and frequency of these interruptions depends on the quality of the provider’s internal practices. Enterprises protect themselves from these interruptions with service level agreements in their service contract that call for penalties on the provider when service interruptions exceed a threshold. Individual users ordinarily do not have service level agreements. Fortunately for individuals, when providers strengthen their processes and equipment to avoid service level penalties, service is often improved for all users, not just the enterprises that pay for service level agreements, because most improved practices usually apply to the entire service, not specific accounts.

This is because clouds are architected as pools of physical resources that are allocated by the hypervisor to individual virtual machines. Any account may, at any given time, be assigned any available resource from the pool by the hypervisor. If any resource is less reliable or the pool is not adequate to meet the demand, the account may not get their contracted level of performance. The practical solution to this is to design the cloud to support all users at a moderate level and expect to absorb some premium customer service level penalties. This, of course, benefits personal accounts that are not likely to have any service level agreements at all.

Denial of Service

When a cloud repository provider is undergoing a denial of service attack, users will see the attack as a degradation of access to their data. Slow or stopped downloads and uploads may halt activity on the user’s device when the repository is under attack. The disruption may last a few minutes or a few days, depending on the provider’s defenses and the attacker’s resources. The good news is that denial of service attacks rarely destroy data. When the attack is over, the user’s data will be intact.

Network Interruption

Another issue that arises with cloud data repositories is a break in the network that blocks access to users’ data. Network interruptions are technically called network partitions because they partition the network into groups of computers that cannot communicate with other groups. Partitions are unavoidable and frequent enough that they must be anticipated and ways found to maintain reliable network communications even when partitions occur. Partitions are most serious when they interrupt activity that must complete, such as accounting transactions.

Elaborate methods have been developed to deal with network interruption of transactions. These methods aim at ensuring that transactions always complete satisfactorily. Some methods assure the user that a transaction is either complete or totally rejected. This form of assurance is considered the gold standard for transaction integrity. However, enforcing this approach is resource intensive and the “make or break” policy halts business during an interruption, which can mean losses for an active online business. Often today, methods guarantee that all transactions will eventually complete correctly when the partition is removed rather than halting transactions until the interruption is over. Using this approach, an order submitted by a customer may not immediately arrive at the vendor, but the system guarantees that it will be delivered and recorded accurately, and only once, when the interruption is over. The choice is forced: while a partition lasts, a system can refuse operations to stay consistent or accept them and reconcile later, but not both. Businesses often choose the second because they prefer to stay open for business while the network is misbehaving rather than force their customers to wait and possibly change their minds.

Data handling policies that ensure transactional integrity contribute to the security of cloud-based repositories. These policies give users confidence that their data will arrive at the cloud storage site and be distributed correctly to the cloud providers’ redundant sites, and the user will be able to retrieve the data consistently.
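The eventual-completion strategy above, as an added example that is not part of the book: a client resends an order through a scripted network partition, and the store records it exactly once because every retry carries the same idempotency key. The same schedule is run against a store without the key check to show the double-apply that retries alone would cause. The scenario, type names and partition schedule are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Order is a transaction submitted by a customer. ID is an idempotency key
// the client chooses once and sends unchanged on every retry.
type Order struct {
	ID     string
	Amount int
}

// Store stands in for the provider's repository. With dedupe on, it records
// which IDs it has already applied and acknowledges, but does not re-apply,
// a repeated request.
type Store struct {
	dedupe  bool
	balance int
	applied map[string]bool
	Log     []string
}

func NewStore(dedupe bool) *Store {
	return &Store{dedupe: dedupe, applied: map[string]bool{}}
}

func (s *Store) Apply(o Order) {
	if s.dedupe && s.applied[o.ID] {
		s.Log = append(s.Log, "duplicate "+o.ID+" acknowledged, not re-applied")
		return
	}
	s.applied[o.ID] = true
	s.balance += o.Amount
	s.Log = append(s.Log, "applied "+o.ID)
}

func (s *Store) Balance() int { return s.balance }

// Outcome is what the network does to one attempt.
type Outcome int

const (
	Delivered   Outcome = iota
	RequestLost         // the partition ate the request; the store never saw it
	AckLost             // the store applied it, but the acknowledgment was lost
)

// Link models the client's connection to the store under a scripted
// partition. From the client's side RequestLost and AckLost look identical:
// the call fails, and the client cannot know whether the store applied it.
type Link struct {
	Schedule []Outcome
	attempt  int
	Store    *Store
}

var errPartition = errors.New("network partition")

func (l *Link) Send(o Order) error {
	out := Delivered
	if l.attempt < len(l.Schedule) {
		out = l.Schedule[l.attempt]
	}
	l.attempt++
	switch out {
	case RequestLost:
		return errPartition
	case AckLost:
		l.Store.Apply(o)
		return errPartition
	}
	l.Store.Apply(o)
	return nil
}

// Submit keeps retrying until the store acknowledges (at-least-once
// delivery) and returns the number of attempts used. Exactly-once comes
// from the store's key check, not from the retry loop.
func Submit(l *Link, o Order, maxAttempts int) (int, error) {
	for n := 1; n <= maxAttempts; n++ {
		if err := l.Send(o); err == nil {
			return n, nil
		}
	}
	return maxAttempts, errPartition
}

func main() {
	// Constructed scenario: first attempt lost outright, second applied but
	// unacknowledged, third delivered.
	schedule := []Outcome{RequestLost, AckLost, Delivered}
	for _, dedupe := range []bool{false, true} {
		store := NewStore(dedupe)
		link := &Link{Schedule: schedule, Store: store}
		n, err := Submit(link, Order{ID: "order-7731", Amount: 40}, 5)
		fmt.Printf("dedupe=%v attempts=%d err=%v balance=%d log=%v\n",
			dedupe, n, err, store.Balance(), store.Log)
	}
}
```

Without the key the customer is charged twice for one order, which is the accuracy failure the prose warns about; with it, the client can retry as aggressively as it likes and the record stays correct once the partition heals.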

Privacy

The primary tool for keeping data private on cloud data repositories is encryption. Unencrypted data in cloud storage is subject to intrusion in several ways. Government authorities may demand access with search warrants, subpoenas, or other forms of legal authorization. The provider’s system may be hacked into and data taken. A rogue employee of the cloud provider may access data and expose it. An operations or administrative error in the service may unintentionally expose data. Some form of business disruption—a bankruptcy or hostile takeover, for example—can cause business and operational chaos that exposes data, renders it inaccessible, or destroys it.

Security experts often distinguish between data in transit and data at rest. See Figure 6-3. Data must be secured in both states.

Figure 6-3. To be secure, data must be protected both in transit and at rest

Keep in mind that encryption buys time, not permanence. The point of encryption is to make the cost in time and resources to break it prohibitively greater than the value of the encrypted data, for as long as the data matters. Well-chosen algorithms with adequate key lengths have held up for decades; what ages badly is short keys (56-bit DES), ciphers with discovered weaknesses (RC4), flawed implementations, and keys that leak. Data that must stay private for many years should therefore be encrypted with a current algorithm at a generous key length, and re-encrypted if that algorithm or key length is later retired.

Currently, the Advanced Encryption Standard (AES) is the most generally accepted algorithm for secure encryption. The algorithm, originally called Rijndael, was designed by Joan Daemen and Vincent Rijmen and selected by the United States government in an open international competition; the National Institute of Standards and Technology (NIST) published it as FIPS 197 in November 2001.9 AES is approved by the United States government to encrypt classified documents. Although it has critics, it is generally accepted as the strong encryption standard. There are encryptions other than AES, but AES is best known and a safe choice.

The standard supports keys that can be 128, 192, or 256 bits long. These are referred to as AES 128, AES 192, and AES 256. The U.S. government permits AES 128 for material classified Secret and requires AES 192 or AES 256 for Top Secret, but most experts feel AES 128 is, against brute force, practically as secure as AES 256.

The number of possible 128 bit keys is a 39-digit decimal number, the number of possible 256 bit keys is a 78-digit decimal number. Theoretically, AES 256 is much, much stronger than AES 128. However, the practical difference in strength is negligible because cracking AES 128 with the best current technology would take more than 13.7 billion years, the age of the universe. AES 256 would take much longer, but who cares?10

Most, if not all, cloud data services encrypt. Anyone with any concern whatsoever for data privacy should choose a service with encryption. Data should be encrypted both at rest and in transit. Most cloud storage products encrypt data resting in the cloud and use TLS to protect data in transit from snooping and man-in-the-middle attacks. Be clear about what provider-side encryption at rest buys: it protects against a stolen or discarded disk, not against anyone who can log in as you, and not against the provider itself, which holds the key.

Where encryption keys are stored is also important. Some cloud repository providers keep the encryption keys on their system. This is convenient because they manage and protect the keys for you. It’s sort of like the old hotel system where you left your room key at the front desk, which was convenient but the desk clerk could give your key to the wrong person. Similarly, a cloud repository provider may be compelled to give the key to someone you may not authorize, such as a government agent, to view your data. If the consumer holds the only key, the provider is unable to reveal your data under any circumstances, including under a subpoena or warrant. On the other hand, a key managed by the provider will probably be well-chosen and will not be lost or forgotten.

Probably the most significant weakness in AES encryption, or any encryption, is not the algorithm but faulty implementations of the algorithm, which are a danger everywhere in computing. If a weak algorithm is substituted in the code by mistake, the AES algorithm is not coded correctly, a nonce or initialization vector is reused, the encryption keys are not managed well, or any of many other potential flaws creep in, the encryption is vulnerable.11

An alternative that takes the provider out of the trust equation is to encrypt data before it is handed over to the cloud repository service, so that only ciphertext ever leaves the user’s device. There are several products on the market that support independent local encryption. They are more trouble for the user, and the user now has sole responsibility for the key: lose it and the data is gone, because the provider has nothing to reset. In exchange, the data is private from the provider and from anyone who can compel the provider.
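As an added example (not from the book or from any product), the encrypt-before-upload approach in Go with the standard library’s AES-256-GCM. The key is generated and held by the user; the repository receives only the sealed blob. The file name and contents are constructed for the illustration, and the function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey makes a random 256-bit key. It lives only on the user's devices
// (and in whatever backup of it the user keeps); the repository never sees it.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealBlob encrypts one object with AES-256-GCM before it is uploaded. A
// fresh random 96-bit nonce is stored in front of the ciphertext (reusing a
// nonce under the same key is the classic implementation flaw); GCM's
// 16-byte authentication tag means any change to the stored blob fails on
// open. The object name is bound in as associated data, so one file's blob
// cannot be quietly substituted for another's.
func sealBlob(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openBlob is the download side. It returns an error, not garbage, if the
// key is wrong, the name does not match, or a single bit was changed.
func openBlob(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// roundTrip walks the whole flow for one object: seal, "upload" (a copy the
// provider would hold), download and open, then show that a copy tampered
// with in storage is rejected. It reports (decrypted correctly, tamper caught).
func roundTrip(key, plaintext []byte, name string) (bool, bool, error) {
	blob, err := sealBlob(key, plaintext, name)
	if err != nil {
		return false, false, err
	}
	stored := append([]byte(nil), blob...) // what the repository keeps
	got, err := openBlob(key, stored, name)
	intact := err == nil && bytes.Equal(got, plaintext)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = openBlob(key, tampered, name)
	return intact, err != nil, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample object, not a real file.
	intact, caught, err := roundTrip(key, []byte("2016 tax return, draft 3"), "taxes/2016.pdf")
	fmt.Println("decrypted correctly:", intact, "tampering caught:", caught, "err:", err)
}
```

Two things the code shows that the prose cannot: the provider, or anyone with a subpoena to the provider, holds nothing that decrypts the blob; and a blob altered in storage is rejected on download rather than handed back as silently corrupt data. The flip side is that the key is now the single point of failure, so it needs a backup that the user, not the provider, controls.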

Cloud Backup

Although cloud backup is subject to all the risks and limitations of any cloud service, it has many advantages, both in security and convenience. Cloud backup services are a specialized form of cloud data repository service.

Usually, a simple cloud repository acts as an overflow for data that exceeds local capacity or is used to share data between physical devices. A complete system backup is more difficult than simply copying a few files. Experts use backup programs that are designed to copy every system and data file, and store them in a way that the backed-up computer can be restored efficiently and accurately after a disaster. A simple cloud data repository can be used to back up data and complete systems, but doing it without a backup system is an error-prone process, which is exactly what you don’t want in a critical process like restoring a backup.12

Cloud backup services automate the backup process. The expertise to reliably manage backup and restoration is built into the system. The backup software chooses the correct system files and data to back up after a relatively simple set of configuration steps. Backups are usually scheduled automatically, or backed up as they change, so backups are not inadvertently skipped. The service automatically copies only files that have changed since the last backup, which shortens the backup and decreases the amount of network traffic. The system will probably periodically schedule a total backup of all files in case a changed file was somehow missed. The service also manages restoration from backups stored on the cloud. Often, restoring a file is handled with a click on the file directory display and system restores are quick and error-free.
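As an added illustration, not code from any backup product, the change detection and restore check described above in Go: each file’s SHA-256 is kept in a manifest, the next run uploads only files whose hash differs, and a downloaded copy is checked against the manifest before it overwrites anything. The file sets are constructed for the example and the function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest records, for every file in the last backup, the SHA-256 of its
// content. It lets the next run decide what actually changed, and lets a
// restore prove the downloaded copy is the one that was backed up.
type Manifest map[string]string

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// plan compares the current files against the previous manifest. It returns
// the paths to upload (new or changed), the paths that have disappeared,
// and the manifest to save once this backup completes. Unchanged files are
// not re-sent, which is what keeps an incremental run small. A full backup
// is simply plan(Manifest{}, files).
func plan(prev Manifest, files map[string][]byte) (upload, deleted []string, next Manifest) {
	next = Manifest{}
	for path, content := range files {
		h := digest(content)
		next[path] = h
		if prev[path] != h {
			upload = append(upload, path)
		}
	}
	for path := range prev {
		if _, still := files[path]; !still {
			deleted = append(deleted, path)
		}
	}
	sort.Strings(upload)
	sort.Strings(deleted)
	return upload, deleted, next
}

// verifyRestore checks a downloaded object against the manifest before it
// is allowed to overwrite the local file, so a corrupted or substituted
// object is caught rather than silently restored.
func verifyRestore(m Manifest, path string, content []byte) bool {
	want, known := m[path]
	return known && want == digest(content)
}

func main() {
	// Constructed file sets standing in for two scans of a home directory.
	monday := map[string][]byte{"notes.txt": []byte("draft 1"), "photo.jpg": []byte("jpeg bytes")}
	up, del, m1 := plan(Manifest{}, monday)
	fmt.Println("full backup uploads:", up, "deleted:", del)

	tuesday := map[string][]byte{
		"notes.txt":   []byte("draft 2"),    // changed
		"photo.jpg":   []byte("jpeg bytes"), // untouched, so skipped
		"budget.xlsx": []byte("PK"),         // new
	}
	up, del, m2 := plan(m1, tuesday)
	fmt.Println("incremental uploads:", up, "deleted:", del)
	fmt.Println("restore of notes.txt verifies:", verifyRestore(m2, "notes.txt", []byte("draft 2")))
	fmt.Println("corrupted restore verifies:", verifyRestore(m2, "notes.txt", []byte("draft 2 ")))
}
```

The manifest is also why a periodic full backup is still worth scheduling: it re-sends everything and so catches any object the service lost or corrupted since the incremental runs started trusting it.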

An important benefit of cloud backup services is convenient remote and redundant storage of backups, which a well-implemented cloud backup service will do in the background without the user being aware. See Figure 6-4. Most people know that they should store a copy of their backups outside their house or office so the backup will not be destroyed by a fire or other disaster. But who has the discipline and motivation to keep up that effort week after week? A common problem with including any manual step in backup procedures is that after months or years of no need for a restoration, discipline fails and steps are neglected. Then disaster strikes, and there is no recourse.

Figure 6-4. Cloud backup systems store backups redundantly to ensure they are always available and the failure of one datacenter will not bring down the service

Some people worry that cloud backup services are unreliable because they don’t trust the network and the provider’s implementation of the service, but the deciding question is this: is the person more reliable than the cloud service? All I can say is that I use a cloud backup service.

Email

Although email is seldom thought of as a cloud data repository service, email was the first widely available cloud service. Most large email services provide remote cloud storage of emails. If the email service is small, such as a private email server, email may be stored on a single disk on a single server, but larger services, such as Google Gmail or Microsoft Outlook.com (formerly Hotmail), make use of cloud architecture for storing email.

An email service is similar to a cloud backup service in that it requires more software than a generic data repository, but essentially, sending an email is copying a file to storage on the email server. Receiving an email is copying a file from the email server to storage on the local device. However, email gets special handling for addressing, formatting and so on.

Even a very small email service is subject to the same cloud risks as a huge email provider. Email services all depend on network reliability and security and they depend on the integrity of the provider’s implementation. The service can fail, from issues on the server or from issues in the network . A well-run and prepared small service may be as capable as a mega-service in mitigating risks. Mega-services usually have the staff and expertise to deal with issues, but smaller services may pay more attention to the issues of an individual subscriber and they are a smaller target for hacker attacks.

Some email services protect email in transit with TLS (the successor to SSL, and still often called SSL) encryption and authentication, making it unlikely that emails will be snooped on or subjected to a man-in-the-middle interception. However, it takes a partner to tango or use TLS. Google Gmail, Yahoo Mail, and Microsoft Outlook.com (Hotmail) services all support TLS, but only when communicating with other services that support TLS. Thus, security of emails is somewhat variable because it depends on both the sender’s and the recipient’s services using TLS, and on every relay in between: TLS protects each hop between mail servers, is usually negotiated opportunistically, and protects nothing once the message is stored. Most services provide some flag to indicate when the email was transmitted using TLS. Some services also encrypt email data at rest, just as simple cloud data repositories encrypt.

Another, more secure but more onerous, approach places the responsibility on the sender and receiver rather than on the sending and receiving services. This approach encrypts emails before they are sent, and the receiver decrypts the message. Asymmetric public-private key encryption works well for this. The sender encrypts with the receiver’s public key and the receiver decrypts with the matching private key, all independent of email services; in practice the body is encrypted with a one-time symmetric key and only that key is encrypted with the public key. The drawback is that the sender and receiver have to agree to use encryption and receivers must distribute their public keys to senders. Various add-on packages, of which PGP and S/MIME are the established standards, manage the encryption and decryption and more or less manage the keys.

These packages increase the security of email considerably. The email is protected both in transit and at rest in the service repository, the sender and receiver do not depend on both the sending and receiving email services supporting TLS, and the provider cannot provide access to email contents in court proceedings (electronic discovery) or when requested by government authorities. What the packages do not hide is the envelope: sender, recipients, timestamps, and usually the subject line remain readable by the services that carry the message.
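As an added example (not from the book or from any mail package), the sign-then-encrypt exchange described above in Go: the sender signs with a private key and encrypts to the recipient’s public key, and the recipient reverses both, so the mail service handles only ciphertext. The message is kept short enough to encrypt directly with RSA-OAEP; PGP and S/MIME wrap a one-time symmetric key this way and encrypt the body with it. The correspondents and the message are constructed, and the type and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one correspondent. The Ed25519 pair signs (proves who wrote the
// message); the RSA pair receives (lets others encrypt to this party). Only
// the public halves are ever handed out.
type Party struct {
	signPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
}

func NewParty() (*Party, error) {
	sp, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{signPub: sp, signPriv: sk, encPriv: rk}, nil
}

// The two things a correspondent publishes.
func (p *Party) EncPub() *rsa.PublicKey     { return &p.encPriv.PublicKey }
func (p *Party) SignPub() ed25519.PublicKey { return p.signPub }

// RSA-OAEP with SHA-256 and a 2048-bit key carries at most 190 bytes, and
// the Ed25519 signature takes 64 of them. Real mail encryption sidesteps
// the limit by wrapping a symmetric content key instead of the body.
const maxBody = 190 - ed25519.SignatureSize

// Send signs the body with the sender's private key, then encrypts
// body||signature to the recipient's public key. The mail provider relays
// and stores only the ciphertext.
func (p *Party) Send(to *rsa.PublicKey, body []byte) ([]byte, error) {
	if len(body) > maxBody {
		return nil, errors.New("body too long for direct OAEP; wrap a symmetric key instead")
	}
	sig := ed25519.Sign(p.signPriv, body)
	msg := append(append([]byte{}, body...), sig...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Receive decrypts with the recipient's private key and checks the
// signature against the public key the recipient already holds for the
// claimed sender. A wrong recipient, a forged sender or a modified
// ciphertext all yield an error rather than a plausible-looking body.
func (p *Party) Receive(from ed25519.PublicKey, ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encPriv, ct, nil)
	if err != nil {
		return nil, err
	}
	if len(pt) < ed25519.SignatureSize {
		return nil, errors.New("decrypted message too short")
	}
	cut := len(pt) - ed25519.SignatureSize
	body, sig := pt[:cut], pt[cut:]
	if !ed25519.Verify(from, body, sig) {
		return nil, errors.New("signature does not verify for claimed sender")
	}
	return body, nil
}

func main() {
	alice, err := NewParty()
	if err != nil {
		panic(err)
	}
	bob, err := NewParty()
	if err != nil {
		panic(err)
	}
	// Constructed message; the key pairs are generated fresh on every run.
	ct, err := alice.Send(bob.EncPub(), []byte("Lunch Tuesday? Bring the draft."))
	if err != nil {
		panic(err)
	}
	body, err := bob.Receive(alice.SignPub(), ct)
	fmt.Printf("bob reads: %q (err=%v)\n", body, err)
	_, err = bob.Receive(alice.SignPub(), ct[:len(ct)-1])
	fmt.Println("damaged ciphertext rejected:", err != nil)
}
```

The hard part, as the prose says, is not the code but the key exchange: Bob must already hold Alice’s genuine signing key and Alice must hold Bob’s genuine encryption key, and a key received over unauthenticated email is exactly what a man-in-the-middle would substitute.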

Privacy Intrusion

Users should keep in mind that there is no free lunch in cloud services. Many services, such as cloud storage, are offered for free. Cloud-based Internet search appears to be free. The cloud service providers who offer these services are not charities. Their stockholders expect them to produce profits; companies either turn a profit, convince their stockholders that they will turn a profit in the future, or disappear. There is always a motive behind a free service.

Free cloud data storage is probably the most benign. Cloud data storage costs very little. A few gigabytes of storage costs only pennies and the storage provider can offer a free service as a loss leader, expecting the free user to eventually convert to a paying user. Free users should always look carefully before jumping in but, generally, there are some great deals available. Remember that the provider always has the option of converting a free service to a paying service. You may be forced to discontinue the service and move your data off the service or begin to pay.

When a user opens a browser, they will almost always eventually engage with a cloud service of some type. Bringing up a remote page, they reveal something about themselves, if only that they have some level of interest in the page they opened. If they go to an online retailer, they reveal their interest in the products they browse. If they perform an Internet search, they reveal their interest in the object of the search. Their smartphone reveals their location. The pattern of smartphone locations reveals where they live, work, shop, and where they go for entertainment. Social media sites are also sources of information on their users’ likes, dislikes, friends, and relatives. When all this information is connected, which can now be done using big data techniques, a remarkably detailed profile of a person emerges.

If this profile is used for targeted advertising , the targeting can be precise. If the profile shows that a person goes out to dinner every Tuesday evening, on Tuesday afternoons, they might be targeted for special offers from restaurants close to their route home on every web page they open. Look up nasal allergies on a health site and receive ads for nasal spray at local drugstores. Look up something you are not interested in by mistake and get ads for things you don’t want.

Targeted advertising may be intrusive and annoying, but still as innocuous as tasteless ads on traditional television. Targeting can even be desirable. A restaurant discount on your day to dine out may be a welcome surprise—and a boon to a restaurant owner who wants your business. If you need nasal spray, you may appreciate the ads. Being barraged by ads for something you looked up by mistake may not be pleasant, but it is not terrible either.

But target marketing profiles can also become sinister when they are used for other purposes. Some patterns may suggest that a person is an alcoholic or drug abuser. This inference may be correct, or it may not. If the inference is correct, facts are facts and might lead to beneficial intervention. However, if the inference is wrong, the effects could be horrible for an innocent victim. False inferences in a profile can silently affect vital aspects of life such as employment, insurance rates, and credit ratings. Although these profiles can usually be accessed with some effort, an affected person may easily be unaware of a malignant profile and unknowingly suffer from it. When the victim is aware of the profile, it may be time-consuming and expensive to correct.

Disturbingly, a target marketing profile compilation system is successful if the inferences are correct frequently enough to support increased purchases. A system that is wrong 25% of the time may still be a roaring success at generating sales. However, if the same profiles were misused for something like employment screening or criminal investigation, errors in 5 out of 20 cases are likely to seriously damage individuals. With all good intent, conclusions from these profiles may be a tempting shortcut replacement for a more expensive personal investigation and result in serious injury.

Clouds are a critical part of this kind of target profiling. They have the capacity to pool vast quantities of data. These data pools are rich sources for big data analysis that connects the dots to form a profile of the individual. The profiles are often the price paid for free cloud services. On the one hand, they offer desirable free services and streamline the connection between buyers and sellers, but they also offer opportunities for abuse.

Are Clouds Worth the Trouble?

Enterprises use clouds as an extension of their datacenters and as an alternative for delivering computer-based services to their customers. Most individuals consume services offered from clouds rather than use them as a direct extension to their personal devices. These uses are different, but the security issues overlap. When enterprises and individuals use clouds to manage and extend their own capacity for data processing, they trust their data and processes to their cloud provider. Enterprises use service contracts and service audits to protect themselves.

Individuals do not usually have these tools. They are offered take-it-or-leave-it click-through contracts that are seldom read and often absolve the provider of almost all responsibility. Audits are expensive and providers are unlikely to submit to an audit for a single consumer. Consequently, individual users are left on their own.

Despite these negatives, there are many vendors that offer reliable, secure, and economical services. Cloud datacenters are generally more secure than all but the most fortified home systems. Typically, they are staffed by security and IT professionals who are trained to deal with invaders and equipment failures and are more likely to defuse a dangerous situation than any individual. Although click-through service contracts tend to be slanted in the provider’s favor, the providers still have strong incentives to provide good and reliable service because they compete on the cost and quality of their services in a robust marketplace.

However, users are still obliged to follow basic security practices like good password management. Most important, users should take the time to be aware of what the service will and will not do. For instance, users should be aware that a storage service can recover specific files or groups of files, but it usually will not restore a complete system like a backup service. If you have privacy concerns, as most people do, find out if your privacy expectations match the provisions the provider offers.

Finally, the basic security tradeoff, more secure equals more hassle, applies to cloud services as much as anywhere else. Strong passwords and multi-factor authentication are bothersome, but they buy a more secure service. Encryption and decryption slow processing but they increase privacy. Consumers have to choose products that satisfy their preferences for safety and convenience.

Footnotes

1 Wireless connections offer their own security issues, but that is a discussion for another section.

2 For example, a maintenance mistake at Amazon Web Services caused a significant loss of service for Netflix in 2012. Steven Musil, “Amazon apologizes for Netflix’s Christmas Eve streaming outage,” CNET, December 31, 2012. www.cnet.com/news/amazon-apologizes-for-netflixs-christmas-eve-streaming-outage/ . Accessed April 2014.

3 See AWS GovCloud (US). https://aws.amazon.com/govcloud-us/. Accessed November 2016.

4 The debate over hypervisor vulnerabilities is active. The following references represent contrasting views. A view that discounts the danger: Jason Perlow, “Hypervisors are the pillars of the Cloud, not the Achilles Heel,” ZDNet, April 1, 2014. www.zdnet.com/article/hypervisors-are-the-pillars-of-the-cloud-not-the-achilles-heel/. Accessed April 2016.

A view that warns of the danger: Neil MacDonald, “Hypervisor Attacks in the Real World,” Gartner Blog Network, February 20, 2009. Accessed April 2016.

Both views are credible.

6 Really. See YouTube, “Shark Bites Optic Cables Undersea 15.8.2014,” August 15, 2014. www.youtube.com/watch?v=XMxkRh7sx84. Accessed April 2016.

7 Wilmer Hale, “Are ‘Click Through’ Agreements Enforceable?” Publications & News, March 22, 2000. www.wilmerhale.com/pages/publicationsandNewsDetail.aspx?NewsPubId=86850. Accessed April 2016.

8 Be cautious. Using a cloud data repository will not always help in a ransomware attack. See Chapter 10 for more detail on combatting ransomware.

9 National Institute of Standards and Technology, “Announcing the Advanced Encryption Standard (AES),” Federal Information Processing Standards Publication 197, November 26, 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Accessed May 2016.

10 Mohit Arora, “How secure is AES against brute force attacks?” EETimes, May 7, 2012. www.eetimes.com/document.asp?doc_id=1279619. Accessed May 2016.

11 From decades of experience in development, I can say that bonehead mistakes happen. Sound quality assurance testing eliminates many issues, but humans are always human. Cutting edge technology remains bleeding edge technology.

An example of a faulty implementation is documented here. In this case, the faulty implementation was in ransomware attack malware. Steven J. Vaughan-Nichols, “How to easily defeat Linux Encoder ransomware,” ZDNet, November 16, 2015. www.zdnet.com/article/how-to-fix-linux-encoder-ransomware/. Accessed April 2016.

12 I cannot tell you how many times I have helped restore systems after a backup failed to restore a damaged system. Faulty backups prolong and magnify damage after a catastrophe.
