At BlackHat this past summer, we ran a survey in our booth asking a series of questions related to security in the cloud. We had more than 500 respondents and the signal was quite strong – everyone is confused about security in the cloud!
Let’s start with the simplest, most basic question – who is responsible for security? To illustrate this, let’s use a simple scenario - you have just decided to use some cloud provider to host some servers. In this case I am talking about infrastructure as a service (IaaS) - AWS, RackSpace, Google Compute Engine, etc. In ‘real’ terms it is pretty simple what we are doing - we are renting the right to run a VM hosted in a giant server farm somewhere. From a security perspective there is now quite a bit to consider, and it starts at a very low level. Let’s first lay out what needs to be addressed.
- Physical Security – ultimately no matter what we do, if someone can steal our physical machines (grab a hard-drive or flash our memory) we are in trouble.
- Hypervisor Security – in our virtualized world we rely on the hypervisor for segregation of resources: disk storage, RAM, CPU.
- Network Security – our world is not self-contained, so managing the communication and the connections that our systems can make is a critical piece of the equation.
- Operating System Security – all of our applications and services ultimately run on an operating system which is performing the basic tasks for us - running processes, networking, storing data, etc.
- Application Security – all of our actual value for running these systems resides at the application layer. The valuable processes and services provided by these applications are the whole reason for all of the other layers.
Now, given our scenario above, who is responsible for what? What should you be responsible for, versus what your IaaS provider “owns”?
Well, according to our survey results, there isn’t a whole lot of thought behind most of the answers. For example, only 43% of people expect their IaaS provider to supply physical security – if the provider is not supplying this, exactly how is it being done? Are we deploying magical virtual machines capable of fending off intruders tampering with the servers they run in? Probably not, but if you have one of those, leave me a comment at the end of this post.
In the same vein, only 36% expect their provider to manage the security of the hypervisor – none of the providers mentioned above will let you even get close to the hypervisor, much less do anything related to monitoring it. The last confusion was that 37% of the respondents were planning on deploying network IDS into these environments – again, most providers make this next to impossible.
Given the level of understanding demonstrated by the answers to these questions, I am left wondering what exactly is going on up there. Are customers of these providers educating themselves on what they are responsible for? Are they taking advantage of the security features offered to them?
The only conclusion I can reach is that there is nothing but confusion surrounding security in the cloud. This is an entirely unacceptable situation, given the momentum of organizations increasingly moving their applications to the cloud.
This is the first in a series of blogs about cloud security. In future blogs, I will share insights about cloud security and provide suggested courses of action.