In its December 2009 cloud computing security guidance paper, the Cloud Security Alliance (CSA) focused on adding clarity to what it described as a “complicated landscape, which is often filled with incomplete and oversimplified information.” Indeed, in talking to providers of cloud security services and products it would seem there is an unimaginable range of security concerns, each requiring its own unique solution from yet another solution provider.
But beyond the concerns there appears to be the opportunity to minimize risks in some areas while simplifying security at the user level. In other cases, cloud computing magnifies existing security concerns, which draws new attention to them and fosters new approaches to solving them. One such security risk that has been around since computing began is that of administrator rights.
“Historically, if you are in an administrative role you’ve got root access, and root access is the equivalent of being omnipotent on that machine,” says Brian Anderson, chief marketing officer for BeyondTrust, a solutions provider for privilege authorization management, access control and security solutions for virtualization and cloud computing environments. “You can literally do anything, under any circumstances, to any amount of data, no matter how sensitive it is, and no matter how much encryption.”
Of course the level of data security policy should be matched to the sensitivity of the data and the vulnerabilities of the network where it resides. If you are running an estimating program in the cloud as strictly a number cruncher, with no associated customer information, then your risks are lower than if running it with customer information.
Access Management Policies
The CSA cites nine aspects related to access control (page 66 of the guidance paper noted above) that you should review when you are selecting a cloud service or product. At the same time the organization acknowledges the immature state of the cloud ecosystem and recommends an honest assessment of your own company’s ability to manage an access system. It also highlights the importance of knowing your cloud computing provider’s abilities related to access management. One important consideration involves the access system the cloud provider uses for its own administrators.
Anderson points to the risk associated with cloning a virtual instance of your virtual server. He describes it as virtual sabotage and outlines the process. An administrator who has access to the hypervisor (the traffic cop for all the virtual servers) clones the server where your data resides and then deletes it. The deletion, however, does not remove the server’s image. The administrator then remounts the server outside of its original environment and has access to all the data, with no one ever knowing it was stolen. With ample time the administrator could then crack the encryption scheme, if one was present. This doesn’t necessarily have to be a cloud provider’s administrator – it could be one of your own – and that’s a risk Anderson says is often taken too lightly.
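The clone-then-delete sequence Anderson describes leaves a trace in the hypervisor's audit trail, which is where a defender would look for it. The following is an added example, not code from the article or from BeyondTrust: it parses a constructed, invented audit-log format (the field names and the four sample lines are assumptions for this example) and flags any virtual server that was cloned and then deleted within a short window, reporting the clone image that survived the deletion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hypervisor audit lines; the format is invented for this example
# and does not correspond to any particular hypervisor product.
SAMPLE_LOG = """\
2010-01-04T09:12:01Z admin=carol action=clone vm=cust-db-01 target=cust-db-01-copy
2010-01-04T09:14:30Z admin=carol action=delete vm=cust-db-01
2010-01-04T10:01:00Z admin=dave action=clone vm=web-02 target=web-02-staging
2010-01-04T15:40:00Z admin=erin action=delete vm=old-test-07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) action=(?P<action>\S+) "
    r"vm=(?P<vm>\S+)(?: target=(?P<target>\S+))?$"
)


def parse_log(text):
    """Turn audit lines into event dicts with a parsed timestamp.
    Lines that do not match the expected shape are skipped rather than
    crashing the detector, but they are counted so a gap is visible."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events, skipped


def find_clone_then_delete(events, window=timedelta(hours=1)):
    """Flag a VM that was cloned and then deleted within `window`.

    The deletion removes the running server but not the image produced by
    the clone, so the alert names that surviving image as the artefact to
    locate and account for. Clone and delete by different admins are still
    flagged, since the risk is the same."""
    clones = defaultdict(list)  # vm name -> clone events seen so far
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "clone":
            clones[e["vm"]].append(e)
        elif e["action"] == "delete":
            for c in clones.get(e["vm"], []):
                gap = e["ts"] - c["ts"]
                if timedelta(0) <= gap <= window:
                    alerts.append({
                        "vm": e["vm"],
                        "clone_image": c["target"],
                        "cloned_by": c["admin"],
                        "deleted_by": e["admin"],
                        "seconds_between": int(gap.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    for a in find_clone_then_delete(evs):
        print(f"ALERT vm={a['vm']} image={a['clone_image']} "
              f"cloned_by={a['cloned_by']} deleted_by={a['deleted_by']} "
              f"gap={a['seconds_between']}s")
    print(f"{len(evs)} events parsed, {skipped} lines skipped")
```

On the sample lines only cust-db-01 trips the rule: dave's clone of web-02 has no matching delete, and erin's delete of old-test-07 was never preceded by a clone. The one-hour window is a tunable assumption; a longer window catches a slower operator at the cost of more benign clone-and-retire pairs to review.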
“Even my most trusted admin potentially could go psycho one day,” he says. “We talk a lot about intentional, indirect and accidental misuse of privilege. Intentional misuse of privilege is when the cloud administrator wasn’t happy with the raise he got, or decided he could make more money by selling your assets to a competitor, so he used his authority to create harm. If they have full authority at the root level through their cloud servers (typically Linux or Unix), then they can plant logic bombs, they can copy data, and they can bring the system to its knees if they want to be intentionally harmful.”
He says, though, that it’s more likely they’re going to do accidental things like issue the wrong command in the wrong directory and delete all the users. That’s why he says his company focuses on setting up an environment where administrative permissions are parceled out privilege by privilege.
“So now, instead of giving root access to your cloud administrator, he comes in as a standard user, but when he wants to do a function it goes through the policy management function and inquires if the user has the authority to do that function,” Anderson explains. “If so, the operating system grants the authority for that administrator to do just that function.” He adds that no logging out and back in, and no re-authentication, is needed.
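The model Anderson describes is a policy check in front of every elevated command, with the administrator otherwise running as a standard user. The following is an added example, not BeyondTrust's product or the article's own code: it implements that check as a small default-deny policy engine with an invented policy format (the roles, users and command patterns are constructed for the example), rejects inputs that would chain a second command or traverse out of a granted path, and records every decision so the accidental "wrong command in the wrong directory" case is denied and visible.

```python
import fnmatch
import shlex
from dataclasses import dataclass

# Constructed policy (an invented format, not any vendor's): each role grants
# the right to run commands that match a pattern token-for-token. Anything
# not listed is denied, so a user never holds blanket root.
POLICY = {
    "cloud-admin": [
        "systemctl restart nginx",
        "systemctl status *",
        "tail -n * /var/log/nginx/*",
    ],
    "backup-operator": ["tar -czf /backups/*.tgz /srv/data"],
}
ROLE_MEMBERS = {"alice": {"cloud-admin"}, "bob": {"backup-operator"}}

# Characters that could turn one granted command into several.
SHELL_META = set(";|&$`<>(){}")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _matches(pattern, argv):
    """Token-by-token glob match. The argument count must match exactly so a
    grant for 'systemctl restart nginx' cannot be stretched with extra args."""
    pat = pattern.split()
    return len(pat) == len(argv) and all(
        fnmatch.fnmatchcase(arg, p) for arg, p in zip(argv, pat)
    )


def authorize(user, command, policy=POLICY, members=ROLE_MEMBERS):
    """Decide whether `user` may run `command` with elevated rights."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return Decision(False, f"unparsable command: {exc}")
    if not argv:
        return Decision(False, "empty command")
    # Refuse shell metacharacters and parent-directory traversal outright;
    # a glob like /var/log/nginx/* would otherwise accept ../../etc/shadow.
    for tok in argv:
        if SHELL_META & set(tok) or ".." in tok:
            return Decision(False, f"disallowed token {tok!r}")
    for role in sorted(members.get(user, ())):
        for pattern in policy.get(role, ()):
            if _matches(pattern, argv):
                return Decision(True, f"granted by role {role!r}, rule {pattern!r}")
    return Decision(False, "no rule grants this command")


def run_elevated(user, command, audit):
    """Front door the admin's session calls: consult policy, log the
    decision either way, and only then hand that single command to the
    operating system (simulated here by returning the decision)."""
    d = authorize(user, command)
    audit.append(f"user={user} cmd={command!r} allowed={d.allowed} reason={d.reason}")
    return d.allowed


if __name__ == "__main__":
    audit = []
    requests = [
        ("alice", "systemctl restart nginx"),                 # granted
        ("alice", "userdel -r bob"),                          # the accidental case: denied
        ("alice", "systemctl status nginx; rm -rf /"),        # chained command: denied
        ("alice", "tail -n 5 /var/log/nginx/../../etc/shadow"),  # traversal: denied
        ("bob", "systemctl restart nginx"),                   # wrong role: denied
        ("bob", "tar -czf /backups/daily.tgz /srv/data"),     # granted
    ]
    for user, cmd in requests:
        run_elevated(user, cmd, audit)
    print("\n".join(audit))
```

Two choices carry the security weight: the default is deny, so forgetting to write a rule fails closed, and the match is per token, so a wildcard in one argument never widens into a different program. The audit list stands in for whatever the real environment writes its decision log to; the denied entries are the ones worth reviewing, since they show either a mistake or an attempt to exceed the granted role.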
Those in construction, architecture and engineering often have a good understanding of the access and authentication processes, but may not be as knowledgeable about authorization. Whether moving to the cloud or not, that third piece of access control adds an important security element.