The fast-paced advance of cloud computing has made business leaders and company CEOs rethink their business strategies in the challenging economic conditions worldwide. They can clearly see cloud computing not only provide a huge advantage of cost-savings to their business processes, but also show attractive characteristics like agility, elasticity, performance, scalability, data resiliency, reliability, and resource sharing. Business analysis groups like IDC and Gartner had positive predictions of multiple-fold yearly growth in cloud investment. Even the most reluctant business leaders have to start paying attention to what cloud computing can offer, because they know if they don’t, they might lose the competitive edge in the market place.
When forward-thinking business leaders view the cloud as opportunities, hackers also shift their attention to the cloud service provider websites. The reason is obvious. They can potentially gain access to data of multiple companies if they break into major cloud vendor sites, because of the multi-tenant nature of such websites.
Because of such higher chances of threats, security is the most important concern of the cloud customers when they consider moving their business to the cloud.
Have the cloud providers done enough to defend threats and attacks under any circumstances?
The answer is no.
There are several recent breaches at popular cloud sites that had caught attention of customers and press. Major vendors understand the challenges and have invested billions in security and data protection to safeguard the websites and customer data end-to-end. Many improvements have occurred in the past few years.
Nevertheless, we also have to know that not all cloud providers are really ready in terms of security and data protection. They rushed their cloud services to the web without full-fledged security measures.
What are the major security threats for cloud service sites?
The following discussion mainly concerns public cloud offerings.
Customer or user side
Most of the current public cloud websites use traditional user name and password for sign-in. Some of them don’t require SSL during login operation. If the vendor login URL shows protocol HTTP, not HTTPS, anyone with a network sniffer can easily catch the user name and password, because they are transmitted on the wire in plain text. Unless you are not concerned about exposing the user name and password, you should negotiate the login to be over SSL.
On the client side, user ID and password are likely the only things needed to access the cloud account. Once a single user account is compromised, the attacker can access the cloud site and cause damages. Strong password policy should be enforced by the cloud registration. Changing the password at least every couple of months is also recommended.
Some cloud vendors now implement multi-factor authentication (MFA) to make it harder for the system to be compromised. MFA is a multiple step process for user login. The user might need to enter not only a pair of user name and password, but also one-time secure ID that is generated from a device. In some cases, biometric data, such as fingerprints, may be used.
Phishing is another way to attempt to acquire user’s sensitive information, like user name and password, e-mail address, and even credit card number, by manipulating the URLs to deceive users to the phisher’s fake website as the cloud website.
The client machines should be protected from malware, spyware, trojans, and rootkits. Some of these can install key tracking software, or keystroke logger, to catch what is typed by the owner of the affected computers. Then, such information is passed back to the hackers. These key logger programs can also prevent you from downloading patches and installing them. Thus, leave your machines wide open for further attacks by the hackers. They become “zombies,” or “botnets,” such that the hackers can control them to launch denial-of-service (DoS) attacks to other websites (see below).
Cloud provider side
Because the public cloud services are usually wide open on the Internet, anyone with Internet access can access them. Lack of firewall’s protection make such systems easily accessible. Anyone with a credit card can create an account and start using the system. Malicious people can do the same thing.
How hard is it for a hacker to get a credit card number?
Most public cloud websites use virtualization technologies to create virtualized environments. For PaaS or IaaS cloud offerings, after the virtual machines are provisioned, the guest systems (virtual machines) are under the full control and monitor of the cloud customer, not the cloud vendor. It’s the customer’s responsibility to patch the operating systems. This is often forgotten or neglected by the users. Often, we see the scenarios in which the operating system (OS) patches are not updated in a timely fashion. Hackers then can exploit vulnerabilities in various components in the guest operating system. Often, it is a race of time to get such operating systems patched before they are attacked.
Virtual Machine Monitor/Manager (VMM), so-called hypervisor, is the software that lies at the OS Kernel level in the host system. It has direct access to underlying hardware, such as CPU, network, input and output, memory, and so on. It creates the virtual machines and allocates resources according to their specification. A special rootkit called HVM Rootkit (Hardware-assisted Virtual Machine Rootkit) can be a potential threat to a virtualized systems.
The objective of the HVM rootkit is to undermine the capability of the host operating system by setting it to a less privileged position and replacing itself as the host OS. In this way, everything that happened to the original OS then gets trapped by the rootkit. Thus, the rootkit can cause undesirable or damaging effects designed by the hacker. Several such types of rootkits have been identified, SubVirt, Virtriol, BluePill, and Hyperjack. Although there are no reported cases yet of such rootkit attacks, researchers have predicted that sooner or later malicious cyber criminals will find a way to cause outages to popular websites or systems.
Currently, distributed denial-of-service (DDoS) is one of the top cloud threats. Time and again, DDoS has been reported, because it’s relatively easy to cripple a company’s website. The attackers can take control of a large number of computers (zombies or botnets) over the Internet and issue commands on these zombie computers to flood the cloud offering system with overloaded requests on certain network ports, or database requests.
In summary, it’s very real that malicious attackers are attracted to cloud provider websites to try to attack multiple sites and cause damages. Both cloud vendors and users have to work together to eliminate potential threats and protect the websites and customer data.