Tuesday, March 30, 2010

An Introduction to Cloud Computing

Introduction:

Lately in the IT community all the hype is on Cloud Computing. We have small start-ups offering several variations of Cloud services, as well as some of the established big players (Google, Amazon, IBM, Novell (aimed at cloud service providers), Sun) stepping up their offerings of cloud services.

But what exactly is Cloud Computing? Simply put, think of a utility service you already use, say electricity. You get your meter read every few weeks and you receive a bill for the energy consumed between readings.

The same premise applies to a cloud service: an end user subscribes to any of the offered cloud services and is billed by the provider for the consumption of that service, or series of services, over the specified time-frame.

One can safely state that Cloud Computing, as an on-demand, self-service, pay-as-you-go utility, evolved from a combination of grid computing, virtualisation, and automation.

Experts estimate that this will grow to a 42 billion dollar industry by 2012 [1] (maybe that's what the Maya foresaw).
However, the implementation and usage of cloud computing models and services is not without issues.

Most business managers will consider how much money can be saved, while still maintaining operational efficiency, by implementing one or more cloud computing services.

Whilst Cloud Computing's claim is to lower costs, increase business agility and increase the velocity at which applications can be deployed, one can expect its implementation to be disruptive.
This will be seen in the way business models will have to be adjusted or outright changed, in the effort of effectively and efficiently managing the utility aspect of the computing power used in everyday operations, and in the manner in which management will be able to utilize their IT resources.

As with any implementation, standards and regulation need to be formulated and implemented to ensure that both vendor and tenant are in compliance with, and governed by, an agreed set of policies.
With this, every effort should be made to ensure the confidentiality, integrity and availability of data held within a cloud computing environment going forward.

Definition:

The National Institute of Standards and Technology (NIST) defines cloud computing as “a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [2]

Cloud Computing Models:

Cloud models can be one of the following three:

• Infrastructure as a Service (IaaS), e.g. Tier 3, Amazon EC2. The subscriber does not control the underlying cloud infrastructure, but does have control over select portions of it, e.g. firewalls, the operating system, deployed applications and storage.

• Platform as a Service (PaaS): this concept is sometimes traced back to the early 70's, when it was referred to as Framework as a Service. What it does is simply provide different combinations of services to a subscriber in support of an application development life-cycle, e.g. Google's App Engine, which lets a subscriber run web applications on Google's infrastructure, or Microsoft's Azure.
In essence the subscriber uses the programming languages (.NET, Java, Python) and tools supplied by the service provider, with no responsibility for the underlying cloud-deployed network, servers, operating system, storage, etc.

• Software as a Service (SaaS), e.g. Facebook, Salesforce.com: applications running on a cloud infrastructure that are accessed via a web browser interface.

Bear in mind that there are dependencies and relationships between the models: Infrastructure as a Service can be seen as the foundation of Cloud Computing services, upon which Platform as a Service and then Software as a Service are built. [3]

Wednesday, March 24, 2010

Social Engineering and Profiling at Airports

So I flew into Orlando (MCO) airport yesterday, returning from a trip to the UK. Without realizing it I was taking note of security procedures and mentally checking off items as I stood in line waiting my turn with the C & I official. Of course, I will not share potential security issues I saw in such an open forum.

As any good IT Security professional and CISSP worth her salt knows, IT security is not only about computer related items but also the physical and non technical “hacking” skills as well.

After having my bags scanned, x-rayed, and physically searched very thoroughly (at least twice, I might add) by UK airport security teams, then patted down at my exit point in the UK, all very politely of course, I was suitably comforted in the fact that best efforts were being made to ensure the safety of my flight into the US... physical security professionals, you know what I mean.

Typically when I fly into the US from the UK, I use one of the northern airports and I'm always amazed at the sense of welcome I feel when passing through customs. I will never forget the gentleman at La Guardia a few years ago who simply stated “welcome home.”

Those two words had such a profound impact on me that I still feel the warmth to this day. Warmth and welcome that, those who spout negativity towards America, need to experience before passing judgment on the whole based on experiences with the few.

By now you are probably wondering what the point of my title is; well, here is what happened.

Incident 1: As I walked out of the passport check area and proceeded to collect my checked bag, I noticed a civilian-dressed lady checking bags on the carousel and then placing them on the floor. No badge in view, nothing identifying her as an authorized individual, and I verified this in a casual and complete 360 around her person as I wandered around the carousel looking for my bag.

If she was a traveler, the bags couldn't all belong to her, as there were 15 bags at my count that she handled prior to my walking around her person, and she continued on without being stopped or questioned.
Was she not stopped or questioned based on her ethnicity as a traveler? Or was she an authorized employee, but one who forgot her official identification, and someone let her into this area because they knew her?
My take as a security professional: if she was an employee then, no ID badge, no entry! If you forgot it, go home and retrieve it, else I will think you lost it, and that is a security breach! In terms of ethnicity, a real security professional knows terrorists have no ethnicity and as such is trained to look for specifics. On the other hand, a low-level employee profiling for a power play... well, we have all probably experienced this at one time or another.

Incident 2: So I stood and waited for my bag. Eventually it arrived and I noticed it was partially opened. My immediate concern was for my IT security forensics research material. With my back to a wall, I leaned over to look in the bag. A few seconds later I heard footsteps approaching; looking up I saw two uniformed individuals about 10 feet away and closing toward me.

Not thinking anything of it (I mean, why would I? My immediate blood relatives are 8th generation American, with a lineage that goes back before America's fight for independence in 1776. Over the years these relatives fought for America in several wars and include currently living US Army, Navy and Air Force veterans), I was wrong in my assumption that I was not the target of interest in this instance though.
Before you think further, let me state that I have no problem with anyone carrying out their job function as required, even if that means some inconvenience on my part. And the uniformed individuals were also not Caucasian, nor Black, nor Asian. However, one of the individuals could walk through a South American street as well as a Middle Eastern village without a second glance from locals.

This one I will refer to as Eddy and his associate as Peyna. Without identifying themselves, Eddy commenced a very bad imitation of a Wall Street Blues interrogation (what?! Anyone can steal uniforms and waltz into a building and pretend to be someone they are not, see http://www.suntimes.com/news/transportation/900748,tsa041708.article, and Michael Boyd, an airline consultant, asks, "if TSA can’t maintain security over their uniforms and ID badges, how well can they actually maintain security of the airports?”).

Eddy's first question: “Where are you from?” My response: “here, why?” His response: “well, you are well dressed in black.” Huh?? My thought: since when was it suspicious to wear designer clothing? Wasn't he trained in interrogation... maybe he wasn't paying attention that day in class, or was absent. I see well dressed people all the time in Manhattan and the NY-EWR airports. My response: “haven't you been to NYC and seen how people dress?” (Peyna broke a grin at this point).

Second question: “where are you coming from?” My response: “the UK.” His response: “are you sure?” My thought was: according to my ticket and passport stamps it states so, and isn't there a clear and defined paper/digital trail of all my movements? I mean, in London alone I counted 21 cameras within a 3 minute walk from the tube to a street exit. At this point I glanced over at the lady from the first incident above and guess what? She is still rummaging around the suitcases and this guy wants to practice interrogation 101 on me. She could be stealing, removing content, smuggling or planting items in an unsuspecting passenger's belongings. She could be trying to create a distraction if she intends to, or was part of, a plan to carry out a more sinister act.

Third question: “what do you do?” My response: “IT Security.” Peyna scanned the area briefly, after seemingly assessing my threat level as zero within the first minute, and just went with his partner's flow.

Fourth question: “where is your office?” My response was the major Florida city in which our registered office is located. Eddy looked confused at this point and Peyna had to explain that that was indeed a town in Florida. What!!! This “officer” didn't know his state's geography, and especially the existence of a major-minor city?! As he was about to attempt a fifth question, Peyna, who appeared to have made his conclusion on me and seemingly had enough of the questions, said something along the lines of "that's o.k. now" and bade me farewell.

What were my issues, you ask? Well, here goes:
Fresh off a course on crime and investigations in the UK, I could not help but recall the 1000 times the retired head of one of Scotland Yard's divisions emphasized that one must ensure a suspect or person of interest is notified that “anything they say can and will be held against them in a court of law.” Any of us who grew up or lived in America have heard this from a variety of different media.

What bugged me here:
Item one
- No verbal identification of who they were, no visible laminate or identification cards. There was a tiny name tag that anyone can buy at an office supply shop.
Item two
- I was not given the opportunity to identify myself (I do know I have the constitutional right to remain silent otherwise), nor was I advised of my rights before questioning.
Item three
- The attempt to bully and intimidate me on US soil, no less, by the very people who we pay (in taxes) to protect us, just because I was “dressed well”, rather than lounging in ripped jeans, flip flops and a t-shirt maybe? I'm certain that Eddy had no clue as to that incident that involved UK passports and an alleged, and I repeat alleged, Mossad operation.
Item four
- These are the people that are supposed to keep our airports safe for us. I guess they target mild-mannered travelers for practice but avoid potential trouble makers (Incident 1) until an event occurs; then it's the average traveler who pays the price. On the premise that they were officers, then a competent officer such as Peyna would be severely handicapped in performing his duties when he has to pay attention to a loose cannon such as his partner.

In terms of interrogating passenger data, TSA should equip their people with crypto-enabled hand-helds which sync with daily flight data. I mean, with the amount of background checks, screening and biometric recordings I have been subjected to over the last 8 years, pushing a few buttons would have given them information on me up to possibly the type of tissues I purchase.
Equipment like this should expedite a random screen and free up eyes.

Saturday, March 20, 2010

Live Forensics within the Cloud Computing environment

Traditionally, analysts performed analysis on static data: a core dump, a bit-for-bit disk image, etc. Recently we have seen an increased focus on live forensics.

I read an article a few weeks ago in which cloud proponents stated that an advantage of Cloud Computing is the ability to conduct live forensics without disrupting mission-critical systems.

According to Brian Carrier: “The only difference between a live and a dead analysis is the reliability of the results; live analysis techniques use software that existed on the system during the time-frame being investigated; dead analysis techniques use no software that existed on the system during that time-frame.” Bear in mind, though, that there are different aspects and levels to these statements.

A few of the experts in this field that I was able to interact with did state that when conducting a live analysis, the system under investigation will be altered in some manner. This in essence means that a live analysis is not a pure forensic form by definition. However, the potential for gaining valuable data is looked on as the lesser of two worst-case scenarios.

The Cloud Computing environment is susceptible to the same classical attacks as any regular system. My concern as a security consultant is the potential for exploitation of the system under live analysis. One instance is rootkits: if an attacker can compromise a cloud host's system... well... but we don't even have to get that deep into the inner circle to manipulate a system covertly.

Rootkits, as we know, include database rootkits and BIOS rootkits, among other classes. The potential for exploiting both and remaining undetected is high, e.g. by manipulating the ACPI (Advanced Configuration and Power Interface) tables in the BIOS, via its ASL programming language, to modify hardware features or memory.

Hypothetically speaking, one may be able to insert a rootkit which reacts to a forensic probe and then outputs pre-programmed results to suit an attacker; remember that a snapshot of a running system cannot be reproduced at a later time-frame.
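The classic counter to a rootkit that lies to a single probe is cross-view detection: take the same inventory (here, running processes) from two independent vantage points and diff them, since a rootkit that filters only one of the views leaves the hidden object visible in the other. The following Python is an added illustration and not code from the original post; the process lists it compares are constructed sample data, and the two live samplers it also defines assume a Linux host with /proc and ps. The repeated-round version exists because the probe itself alters the system (each ps it spawns is a short-lived process), which is exactly the live-analysis caveat above.

```python
import os
import subprocess

# Constructed sample views standing in for a live system (not real data):
# PID 1337 is visible to the low-level view but filtered from the ps view.
SAMPLE_PROC_VIEW = {1, 2, 734, 912, 1337, 2048}
SAMPLE_PS_VIEW = {1, 2, 734, 912, 2048}


def list_pids_from_proc():
    """Low-level view: numeric directory names under /proc (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def list_pids_from_ps():
    """High-level view: what the ps tool reports (assumes a POSIX ps)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def cross_view_diff(low_view, high_view, ignore=frozenset()):
    """PIDs present in the low-level view but missing from the high-level one.

    A process hidden by a rootkit that hooks only the tool-facing path shows up
    here. `ignore` holds PIDs the probe itself created, which are expected to
    differ between views and must not be reported as hidden.
    """
    return sorted((set(low_view) - set(high_view)) - set(ignore))


def stable_hidden(low_sampler, high_sampler, rounds=3):
    """Repeat the comparison and keep only PIDs hidden in every round.

    Short-lived processes (including the ps we spawn to take the high-level
    view) appear in at most one round and are dropped by the intersection,
    leaving only objects that are consistently hidden.
    """
    hidden = None
    for _ in range(rounds):
        this_round = set(cross_view_diff(low_sampler(), high_sampler()))
        hidden = this_round if hidden is None else hidden & this_round
    return sorted(hidden or [])


if __name__ == "__main__":
    # Offline demonstration on the constructed views.
    print("hidden in sample:", cross_view_diff(SAMPLE_PROC_VIEW, SAMPLE_PS_VIEW))
    # Live run (Linux only); uncomment to compare /proc against ps on this host.
    # print("hidden on host:", stable_hidden(list_pids_from_proc, list_pids_from_ps))
```

The limitation matters for the scenario in the post: a rootkit that controls the kernel, or that sits beneath it as Cloaker does, can answer both views consistently, so cross-view checks only raise the bar. For a cloud host the more reliable baseline is a view the guest cannot influence at all, such as a memory snapshot taken from the hypervisor rather than from inside the instance.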

In another scenario the rootkit may be programmed to respond by purging and shutting down the system: “A "hard" reboot includes a power cycle, which ensures that sensitive information in volatile memory is purged” (Vernon, R.C., Irvine, C.E., Levin, T.E., Naval Postgraduate School, Monterey, CA, ISBN 1-4244-0130-5).

Researchers at the University of Illinois at Urbana-Champaign demonstrated in a paper that it was possible to construct a working rootkit that did not change the host OS code or data, essentially evading detection with current techniques: Cloaker: Hardware Supported Rootkit Concealment, Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell.

I am certain, though, that security teams and IT auditors for cloud providers are investigating means to mitigate these risks... right?

Any further thoughts on this will be appreciated!

Sunday, January 3, 2010

Cloud Security - Concerned Much?!

Cloud Computing providers claim to have infrastructure and assets in place to ensure the security of the client's data as effectively as possible, but will these measures be enough to maintain the stated security as subscribers grow and more subscribers share the same infrastructure and assets?

One train of thought regarding the cloud is that crackers may not be able to target a specific prey and thus our data will be safe. Hooray!!!

However, wouldn't the same marketing pitch regarding ease of access, lower IT costs and flexibility be tools that a cracker can capitalize on to breach more systems?

My accountant recently stated that he was concerned about data ownership within the cloud and security within that ownership. Whilst he is looking to cut IT spending, he claims that for now, if we decide to buy cloud services, it will be used for data that we can afford to lose and to create a separate virtual working environment for our contractors.

A few of my associates ask the same question, as well as: “how confident can we be that our data is still ours when held within the cloud and, who holds responsibility if our ‘data segment’ within a cloud is compromised?”

Having been within security environments (both physical and virtual) for over 12 years, I always start with a worst-case scenario and work up, no matter the environment.

Within the cloud one of my concerns is: what if my “neighbor” manages to access my allocated segment and uses my data or utilities to commit a crime? I could have fingerprints and tracebacks pointing to my data segment with no means of disputing the claim that I was complicit. Then what?!

Another cause for concern is the process of accessing data stored in a cloud. In a traditional on-premises environment, we fire up a web portal to access the Internet and hope that we are properly secured via intrusion detection and prevention systems.

In the cloud, however, how can the processes from the web portal to the application we are accessing, as well as application-to-application and application-to-data interactions, be kept secure?

Will we use the traditional methods of encryption and authentication, and if so, how can we manage and track such applications? I would venture to state that tracing participating entities down to specific functions will be time- and labor-intensive and thus counter-productive for the cloud provider.

I recently read a case study on microsoft.com/casestudies regarding Windows Azure which states customers “can enhance their services with additional layers of security by implementing VeriSign SSL for encryption and authentication, just as they would in an on-premises server infrastructure environment.” Sounds great, right?!

But the pessimist in me responded with: well, didn't Moxie Marlinspike demonstrate techniques for stripping SSL from a session (silently downgrading a user's HTTPS links to plain HTTP, the sslstrip attack) at Black Hat DC 2009? The certificate is never presented to the victim, so the encryption is not broken, it is simply never negotiated. And as a cloud subscriber, wouldn't you also want to know how data is validated so that expectations are met for data going out as well as coming in; and, just as pertinent, how will error handling be managed by the vendor?

The list of concerns goes on and on, and only time and technique will govern how we deal with security within the cloud. I am certain that companies such as RSA, any of the other established security providers, and up-and-coming startups will present effective encryption and authentication methods for use within the cloud, and maybe in a few years we will wonder what all the fuss was about. Right?
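Because SSL stripping works by keeping the client on plain HTTP before any certificate is ever seen, the defence has to live on the client side as a remembered policy: once a host has been reached over HTTPS and has asked to be, the client refuses to speak HTTP to it again. That is what HTTP Strict Transport Security (RFC 6797) standardised, and the following Python is an added worked example of such a policy cache, not code from the original post or from any vendor named in it. The header values and hosts are constructed for the example; the clock is injectable so expiry can be exercised offline.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    mandatory max-age directive is missing or malformed (the header is then
    ignored, as the RFC requires).
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsPolicy:
    """Client-side cache of hosts that must only be contacted over HTTPS."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host, header):
        """Record the policy from a header received over a secure connection."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        host = host.lower()
        if parsed["max_age"] == 0:
            self._hosts.pop(host, None)  # max-age=0 means forget this host
            return
        self._hosts[host] = (self._now() + parsed["max_age"],
                             parsed["include_subdomains"])

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def enforce(self, url):
        """Rewrite an http:// URL to https:// when the host is covered by a policy.

        A client that routes every navigation through this function cannot be
        walked down to plaintext for a host it has already learned about.
        """
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    policy = HstsPolicy()
    # Constructed response header, as if received over HTTPS from example.com.
    policy.remember("example.com", "max-age=31536000; includeSubDomains")
    print(policy.enforce("http://api.example.com/login"))
```

The gap this leaves is the very first visit: until the client has seen the header over HTTPS there is nothing in the cache, which is the window sslstrip exploits. Browsers close it with a built-in preload list; an API client talking to a known cloud endpoint can simply seed the cache with that endpoint at startup and refuse plaintext outright.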

Friday, December 11, 2009

Amazon EC2, Google AppEngine and Microsoft Azure

Part 1
Expanding on my introduction to cloud computing article, I wanted to take a look at three of the main platforms being offered to consumers: Amazon EC2, which per the definitions in that article is Infrastructure as a Service (IaaS), and Google App Engine and Microsoft Azure, which are Platform as a Service (PaaS).

As a customer or tenant you should ensure the resources are in place to maintain and manage your identity management and authentication systems.

When drafting your SLA, ensure that the provider explains items such as their facilities, including backup facilities, rack space, power, cooling, networking, physical security and business continuity plans.

Also ensure that there are no conflicts between your security policies and protocols and those of your vendor, and look at how they will monitor systems; how they implement and configure firewall rules, anti-virus, and intrusion detection/prevention systems; and their protocol for log collection as well as packet filtering.
--------------------------------

Before commencing on Amazon EC2, I would like to briefly mention Amazon's Virtual Private Cloud (VPC). This service enables a customer to connect existing infrastructure to AWS via a virtual private network (VPN) connection; it implements industry-standard IPsec tunnel mode to authenticate the gateways and protect data in transit from eavesdropping and tampering. [1]

The VPC gives a customer the facility to extend their existing management capabilities and security services to the customer's AWS resources, allowing the customer to protect their information in the cloud in the same manner they do at their physical location(s).
--------------------------------
Amazon EC2

Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud by enabling a customer to launch and manage Linux/UNIX and Windows server instances in Amazon's data centers via APIs or other available tools and utilities.

It is designed to make web-scale computing easier for developers, as a developer can increase or decrease capacity within minutes rather than hours or days. It delivers scalable, pay-as-you-go compute capacity in the cloud, giving a user the ability to commission one, or several hundred to thousands of, server instances simultaneously, all controlled with web service APIs. [2]

Functionality in EC2 is very straightforward: a customer can either select and launch a pre-configured template image and be up and running in a very short time, or create an Amazon Machine Image (AMI) containing all the items they want implemented within EC2.

Per the EC2 technical site, some examples of what the system can be used for are:

-Scalable Applications
-Temporary Events e.g. conferences in virtual worlds, live blogging, distribution of newly released media, and short-term promotional web sites.
-Batch Processing e.g. video and image processing, financial data processing, and science and research applications.
-Fault Resilient Applications

EC2 Security:

One of the goals per their security publication is to ensure that customer data contained within the EC2 system cannot be intercepted by an unauthorized user.
This is done by providing security on multiple levels, viz. the operating system (OS) of the host system, the guest OS, the firewall, and signed API calls, where each layer adds to the security of the others.
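Of those layers, signed API calls are the one a tenant interacts with directly, and they are what stops someone who can see your traffic from launching or terminating instances in your account. At the time of the post the EC2 query API used Signature Version 2: the request parameters are percent-encoded, sorted and joined into a canonical query string, concatenated with the HTTP method, lowercased host and path into a string to sign, and that string is authenticated with HMAC-SHA256 under the secret access key. The Python below is an added worked example of that scheme (both the client's signing and the server's verification side), not Amazon's own code; the access and secret keys are constructed placeholders and the request parameters are made up for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials for the example, not real AWS keys.
DEMO_ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _encode(value):
    """Percent-encode as Signature Version 2 requires (RFC 3986):
    only A-Z a-z 0-9 - _ . ~ stay literal, everything else incl. space and / is escaped."""
    return quote(value, safe="-_.~")


def canonical_query_string(params):
    """Sort parameters by byte order of the name and join as name=value&name=value."""
    return "&".join(f"{_encode(k)}={_encode(str(v))}" for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """METHOD, lowercased host, path and canonical query, newline separated."""
    return "\n".join([method.upper(), host.lower(), path, canonical_query_string(params)])


def _hmac_sha256_b64(secret_key, message):
    digest = hmac.new(secret_key.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(secret_key, method, host, path, params):
    """Client side: return a copy of params with the Signature parameter added.

    The signature covers every other parameter, so changing the Action, the
    instance id or the Timestamp after signing invalidates it.
    """
    signed = dict(params)
    signed.setdefault("SignatureVersion", "2")
    signed.setdefault("SignatureMethod", "HmacSHA256")
    signed["Signature"] = _hmac_sha256_b64(secret_key, string_to_sign(method, host, path, signed))
    return signed


def verify_request(secret_key, method, host, path, received):
    """Server side: recompute the signature over all parameters except Signature
    and compare it in constant time. The secret is looked up from AWSAccessKeyId
    in a real deployment; here the caller passes it in."""
    signature = received.get("Signature")
    if signature is None:
        return False
    unsigned = {k: v for k, v in received.items() if k != "Signature"}
    expected = _hmac_sha256_b64(secret_key, string_to_sign(method, host, path, unsigned))
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    request = {
        "Action": "DescribeInstances",
        "AWSAccessKeyId": DEMO_ACCESS_KEY,
        "Version": "2009-10-31",
        "Timestamp": "2010-03-30T12:00:00Z",  # constructed; replay protection relies on it
    }
    signed = sign_request(DEMO_SECRET_KEY, "GET", "ec2.amazonaws.com", "/", request)
    print(string_to_sign("GET", "ec2.amazonaws.com", "/", request))
    print("Signature =", signed["Signature"])
    print("verifies:", verify_request(DEMO_SECRET_KEY, "GET", "ec2.amazonaws.com", "/", signed))
```

Two practical points follow from the construction. The secret key never leaves the client, so the signature is only as safe as wherever that key is stored on the tenant's side (a theme the Zeus incident below returns to), and the Timestamp is inside the signed data precisely so that the service can reject a captured request replayed later.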
--------------------------------

A key selling point for me is that, as with all Amazon Web Services, Amazon does not “lock in” a customer with long-term contracts or a required minimum payment scheme.

Also, regarding the Statement on Auditing Standards No. 70 (SAS 70) Type II audit, they have obtained a favorable, unbiased opinion from independent auditors. This basically means that they have had an in-depth audit of their controls related to operational performance and security with regard to safeguarding customer data, and passed muster.

EC2 Operating Systems

-Red Hat Enterprise Linux
-Windows Server 2003/2008
-Oracle Enterprise Linux
-OpenSolaris
-openSUSE Linux
-Ubuntu Linux
-Fedora
-Gentoo Linux
-Debian

Pricing

Pricing is separated into On-Demand Instances and Reserved Instances (the latter currently available for Linux/UNIX operating systems).

A simple calculator for services can be found here:
http://calculator.s3.amazonaws.com/calc5.html

Other Amazon Cloud Services:

Amazon SimpleDB

Amazon Simple Storage Service (Amazon S3)

Amazon CloudFront

Amazon Simple Queue Service (Amazon SQS)

Amazon Elastic MapReduce

Amazon Relational Database Service

AWS Premium Support

--------------------------------

There was a posting on the CA Security Advisor Research Blog on December 9th 2009 which stated: "A new wave of a Zeus bot (Zbot) variant was spotted taking advantage of Amazon EC2’s cloud-based services for its C&C (command and control) functionalities." [3]

Before we go off joining Chicken Little, I have to state that this abuse of the EC2 service possibly stemmed from compromised systems on the customer/tenant side, where an application in use was possibly not updated/patched, thus allowing the hacker into the customer's cloud system.

Amazon could not take pre-emptive action as the trojan originated outside of their control zone, and the same could happen to any Cloud Service provider.

Resources

[1] http://awsmedia.s3.amazonaws.com/Extend_your_IT_infrastructure_with_Amazon_VPC.pdf

[2] http://aws.amazon.com/ec2/

[3] http://community.ca.com/blogs/securityadvisor/archive/2009/12/09/zeus-in-the-cloud.aspx

Further reading:

http://aws.typepad.com/

http://docs.amazonwebservices.com/AWSEC2/2009-10-31/GettingStartedGuide/