Black Hat Researcher Rains On Cloud Computing's Parade With Talk Of Vulnerabilities
iSEC Partners partner (and Black Hat researcher) Alex Stamos says there's really no such thing as cloud computing. According to him, it's just a trendy name to take your money. Regardless of what you want to call it though, the vulnerabilities inherent to it are very real. That was Stamos' message in a briefing he gave this morning at the Black Hat conference in Las Vegas. Among the highlights of my podcast interview with him; Salesforce gets a gold star and Windows-based virtual machines are ar
iSEC Partners partner (and Black Hat researcher) Alex Stamos says there's really no such thing as cloud computing. According to him, it's just a trendy name to take your money. Regardless of what you want to call it though, the vulnerabilities inherent to it are very real. That was Stamos' message in a briefing he gave this morning at the Black Hat conference in Las Vegas. Among the highlights of my podcast interview with him; Salesforce gets a gold star and Windows-based virtual machines are architecturally more secure than Linux-based ones.To listen my podcast interview with Stamos, you can press the tiny play button (just before the link in this sentence), you can click on the tab hanging off the left side of the page to open the podcast player, or you can right click on the link in this sentence and download the MP3.
"The term cloud computing is useless" said Stamos. "It's way overused. It's mostly about gathering venture capital or selling your products."
Forget what you call it though. Stamos says that one big downside is that "you lose control over a lot of things with all these cloud computing models and it's very easy to want to lose that control -- to pay someone else to do that work for you -- but it's easy to forget the benefits you get from some of that control."
A good example of such control might be the idea of encrypting your data at rest. Most cloud computing providers don't offer their customers the option of encrypting their data at rest (when it's sitting on a hard drive somewhere in the cloud). If that's an option that a customer wants, it must wait for the cloud computing provider to decide to offer it. At least in the case of software or platforms as a service. With infrastructure as a service (eg: running a virtual machine in Amazon's Elastic Compute Cloud), you have control over whether your data at rest is encrypted or not. Likewise, when you run your software stack on your own premises behind your own firewalls, you have complete control.
"Have people lay out 'What do I do in my current enterprise environment? What do I do in my current Web application to make it secure? What kind of controls do I have that I want to see replicated [in the cloud]?' Because, in many cases, it's hard or impossible to get the same level of assurance in a cloud computing environment that you'd get if you do it on your own."
Another downside has to do with forensics and transparency. In the interview, Stamos gives an example of what happens when a reporter calls you up to tell you that he's got some number of your company's internal documents. Depending on the controls and systems you have in place, you can take certain measures and do the forensics work necessary to find out how the reporter exploited your network and close the hole. With many cloud computing providers, it's difficult if not impossible to do the equivalent forensic work. The transparency of what's happening behind their firewall just isn't there. Stamos says this is one area -- transparency when it comes to dealing with incidents -- where Salesforce gets a gold star. Not only does Salesforce.com keep detailed log data, they'll make it available to Salesforce.com customers in an effort to resolve a range of incidents (security related or not).
Just as important, according to Stamos, is how well your data is legally protected from prying eyes. Stamos argues that cloud-housed data in the US isn't necessarily protected by the 4th Ammendment. The importance of this distinction is two-fold. First, instead of a warrant, only a subpoena is required for a third party to get access to your data. Second, in many cases, you may have no idea that a subpoena for your data was issued to your cloud provider since law enforcement agencies will at times demand that the nature of their investigation be kept secret. The problem with subpoenas vs. warrants is that a judge must agree to a warrant. In other words, the legal hurdle to getting at your data is significantly higher when the data is on your premises than when it's in the possession of a cloud provider.
Technologically speaking, there are other insecurities associated with cloud computing. According to Stamos, all operating systems do a bunch of crypto stuff at bootup and the entropy pools upon which those OSes rely for the necessary randomization are far more reliable when they have access to the underlying hardware. Where a problem arises when it comes to cloud computing is what happens when virtual machines are run on cloud infrastructures like Amazon's EC2. In this case, the VMs have no access to the hardware which in turn impacts the quality of the entropy pools. In those cases, the entropy pools are seeded by the operating system's software events since bootup of which there are really too few to securely support the cryptography that takes place right after a virtual machine is started.
Even more troubling is how many of these virtual machines in the cloud may be running off copies of the exact same image (essentially relying on the same battery of software events to seed their entropy pools).
On this one point, Stamos pointed out that Windows is actually more secure than Linux (you can listen to the podcast to get the full explanation). Stamos was careful to note that this is not a problem for virtual machines that stay up and running for long periods of time (which is the case for most VMs running behind corporate firewalls). His comments are more directed at the virtual machines that are repeatedly booted, shut-down, and booted again. The longer virtual machines run, the better their entropy pools are and thusly the more secure the virtual machines are. But for many VMs, there's a brief window of time shortly after bootup where the machines are most vulnerable.
The news isn't all bad, according to Stamos. One advantage of turning to the cloud that's sort of a silver lining is how the cloud provider's security investments get amortized across all the customers.
"Most companies, even big companies, do not have a large staff of qualified software security experts" said Stamos. "They don't have a lot of people going through their code making sure their not making mistakes and testing and such. [Cloud companies] do. Google has something like 70 application security folks. Microsoft has hundreds. They don't all work on their software as a service. [With cloud computing, you get the benefit] of sharing those security people across thousands of enterprises and millions of individual users."
Update: Alex Stamos has published the slides from his presentation entitled Raining on the Trendy New Parade on Slideshare.
David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at firstname.lastname@example.org and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing and his hope that the stock market can't get much worse. Also, if you're an out-of-work IT professional or someone involved in the business of compliance, he wants to hear from you.
Server Market SplitsvilleJust because the server market's in the doldrums doesn't mean innovation has ceased. Far from it -- server technology is enjoying the biggest renaissance since the dawn of x86 systems. But the primary driver is now service providers, not enterprises.