
The CSA released their paper on the Seven Deadly Sins for Cloud Computing
Security. This is a very good guide that security engineers should at least
read. The more traditionally minded will ignore it, but for those of us
working in the cloud space it gives us something to talk to the boss
about, and it is a talk well worth having.
Cloud Computing requires a different mindset when it comes to
information security than the one traditionally minded information security
people will want to work with. It is not just the limit on the breadth of
information that can be retrieved off the network because of the use of
virtualized systems; it is also the lack of infrastructure ownership that
information security people have grown accustomed to. Some of these
threats and risks are ones that information security people are already
familiar with; these are things we deal with every day. But the use of
cloud computing, with its inherent limits on gathering security data,
puts a new wrinkle into what is otherwise a perfectly running
information security program.
The Seven Deadly Sins are:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
- Unknown Risk Profile
This is very similar to what we are dealing with every day as we
expose applications and APIs to the world for the services that we
provide. This is one of the reasons that simple best practices when
building servers, server hardening, and patch management should be part
of the cloud computing infrastructure. As the Cloud becomes more of a
utility and more people share services, there are very simple security
precautions that need to be taken. What the CSA points to are very good
things to remember when building out something in the Cloud, especially
as people start working on ways around the hypervisor segregation
between host and guest operating systems, like the report linked here.
VM abuse, and how it can be used to abuse cloud computing services, is
the next interesting frontier in computer and systems hacking.
The biggest drawback to putting security in place is the lack of
visibility to any point beyond the box, unless someone is directly trying
to attack the box. While security systems are set up to monitor entire
networks, Cloud Security is more computer based than it is network
based. Those limits on visibility will not tip you off if a guest OS on the
same shared service, owned by someone else, is getting hacked; you will only
be able to see if someone is trying to hack your box directly. Hacking
happens in cloud services, and it is possible to bring down a cloud
computer along the way. What makes the CSA report important is that it
covers the basics, and it is the first very good beginning on defining the Cloud
Security information space beyond NIST and its nascent efforts
to bring about a generalized road map for government-level Cloud
Security. The CSA report is well worth reading; security engineers and
CISOs/CIOs alike will find it a good reminder that sometimes the basics
are the first thing to think about.
(Cross-posted @ IT Toolbox)