When clouds attack: 5 ways providers can improve security
- 09 September, 2010 05:33
Criminals intent on attacking others can lease networks of compromised computers, or botnets, from other criminals serving the underground community. These resources could be considered "clouds" in their own right, but researchers warn that operators of legitimate clouds need to worry about being used for illicit attacks as well.
In a presentation at the DEFCON hacking conference in August, two researchers did just that. David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual servers to attack a small financial company--a client that wanted to test its security against just such an attack. Rather than renting a botnet from criminals, the researchers used Amazon's Elastic Compute Cloud (EC2) to rent fewer than a dozen virtual servers to overwhelm the target's network with traffic.
The researchers claimed there was no indication that Amazon detected the attack and called for all cloud providers to take more care in monitoring how their resources are used.
"Let's get ahead of this before it turns into the Wild West," says Trustwave's Bryan.
While Amazon may not have caught these particular security researchers, the company asserts that catching the bad guys will be much easier in the cloud.
"Illegal activities across the Internet have been commonplace long before the cloud," Amazon said in a statement sent to CIO.com. "Abusers who choose to run their software in an environment like Amazon EC2, make it easier for us to access and disable their software. This is a significant improvement over the Internet as a whole where abusive hosts can be inaccessible and run unabated for long periods of time."
Yet, companies have to monitor their own cloud space for such usage.
Here's a look at some of the security strategies that Amazon and its peers are taking now to improve cloud security.
1. Easy for customers, easy for attackers
Making cloud resources easy to use for customers or internal clients is good business. Yet, those same benefits can easily extend to attackers, says Archie Reed, chief technologist for Secure Advantage and Cloud Security at Hewlett-Packard.
"All the benefits that we subscribe to cloud, especially the public cloud services--the relatively low cost, instant provisioning, and the ability to access anywhere and any time--all of those benefits can be taken over by someone with the knowledge and the will," Reed says.
Rather than deciding to shut down a possible customer based on incomplete information, HP opts for a less black-and-white choice. Instead of blocking a potentially malicious user, the company's technology throttles back their bandwidth.
"We are working with customers to detect suspicious behavior and perhaps slow things down so the customer can react faster," Reed says. "You don't want to shut your customers down, but you don't want to be the host for bad behavior either."
2. Design security in from day one
The denial-of-service attack leveled by Trustwave and NetSPI researchers peaked at a modest 150 megabits per second. Over two hours, the duo sent about 10 gigabits of data, which cost them less than six dollars.
Such abuse should have been detected, they maintain.
While Amazon could not comment about the specific incident, the company did say that it's important to design security into the cloud--something that its engineers continue to do.
"There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation that companies have become accustomed to in their existing privately-owned environments," the company says in its statement.
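An added example, not from the article or from any provider's tooling: a minimal egress monitor that sums outbound traffic per account and destination, so that several modest instances are seen as one sustained flood, and that responds with a bandwidth cap (the throttling approach from section 1) rather than termination. The flow-record format, thresholds, account names and sample records are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 60      # assumed: each flow record summarises one minute
LIMIT_MBPS = 100.0       # assumed threshold for egress to a single destination
SUSTAINED_WINDOWS = 5    # assumed: consecutive minutes over the limit before acting
THROTTLE_MBPS = 10.0     # assumed cap applied instead of shutting the customer down


def build_sample_flows():
    """Constructed records: (minute, account, instance, dst_ip, bytes_out)."""
    flows = []
    bytes_15mbps = int(15e6 / 8 * WINDOW_SECONDS)
    # acct-A: ten instances, each only 15 Mbit/s, all aimed at one destination.
    for minute in range(6):
        for n in range(10):
            flows.append((minute, "acct-A", f"i-a{n:02d}", "203.0.113.10", bytes_15mbps))
    # acct-B: steady 2 Mbit/s with a single one-minute 200 Mbit/s burst (e.g. a backup).
    for minute in range(6):
        flows.append((minute, "acct-B", "i-b00", "198.51.100.7", int(2e6 / 8 * WINDOW_SECONDS)))
    flows.append((2, "acct-B", "i-b00", "198.51.100.7", int(200e6 / 8 * WINDOW_SECONDS)))
    return flows


def aggregate_mbps(flows):
    """Sum egress per (account, destination, minute) and convert to Mbit/s."""
    totals = defaultdict(int)
    for minute, account, _instance, dst, nbytes in flows:
        totals[(account, dst, minute)] += nbytes
    return {key: total * 8 / WINDOW_SECONDS / 1e6 for key, total in totals.items()}


def decide(flows):
    """Return {(account, dst): (action, cap_mbps)}; throttle only sustained floods."""
    series = defaultdict(dict)
    for (account, dst, minute), rate in aggregate_mbps(flows).items():
        series[(account, dst)][minute] = rate
    decisions = {}
    for pair, rates in series.items():
        run = longest = 0
        for minute in range(min(rates), max(rates) + 1):
            # A missing minute counts as zero traffic and breaks the run.
            run = run + 1 if rates.get(minute, 0.0) > LIMIT_MBPS else 0
            longest = max(longest, run)
        if longest >= SUSTAINED_WINDOWS:
            decisions[pair] = ("throttle", THROTTLE_MBPS)
        else:
            decisions[pair] = ("allow", None)
    return decisions
```

No single instance in the constructed acct-A data exceeds the limit; only the per-account aggregate does, which is why the sum is taken before the threshold is applied.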
3. It's all in the logs
One technology that all companies should have invested in by now is log management. In a recent Data Breach Investigations Report, Verizon Business found that attacks on businesses are reflected in log data more than 90 percent of the time, but less than 5 percent of companies monitor their data often enough to detect the attacks.
"Implementing log management is important for everyone, especially in your data centers," says Raffael Marty, founder and chief operating officer of cloud-based log-management firm Loggly. "You have to have a handle on what's happening, not just for your SLA (service level agreement) but for security as well."
Cloud providers, such as Amazon, should also develop technologies to quickly act on information gleaned from their logs, he says.
4. Scale security, not just computation
A major benefit of cloud computing is that large operators can provide virtual systems at a low cost, taking advantage of economies of scale. However, providers also have to use that same scalability to better protect their resources, says Amazon.
"The same economies of scale that enable us to provide elastic capacity at low cost enable us to build effective, scalable protection," the company says.
Amazon is able to invest significantly more money in security than other companies who might not have the same economies of scale. Using the company's APIs, a security or operations officer can identify every machine instance running in the cloud.
5. Watch for good customers turned bad
One of the most common attacks on cloud systems is account hijacking, according to the Cloud Security Alliance. In its March 2010 report on the top threats to cloud computing, nefarious use of cloud resources was the No. 1 danger. Rounding out the six listed threats, however, was misuse of accounts by attackers.
HP's Reed recommends that all cloud providers use two-factor authentication to limit the success of account hijacking attempts.
"There is a general level of protection that cloud providers need to put in place to protect their own infrastructure and brand," Reed says. "Now that attackers know that you can get, not just a book from Amazon, for instance, but a whole computing environment, those accounts become a target."