by Simon Biles
Founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.
I’ve known this for a while – not that it stops me from wanting shiny things – but it really came to my attention with “cloud computing”. I don’t know how many of you are aware (or for that matter how many of you would care, really, when it comes down to it) but the British Government has, in its published ICT Strategy (PDF here) proposed the “g-cloud”. This was created by our previous, Labour, government and published January this year, but it doesn’t seem to have gone away under our current, ConDem (I _love_ that abbreviation), rule. I don’t know who’s to blame for the daft name, or for the fact that, whilst “g-cloud” is number 2 in the strategy “Information Security” is number 10 – but nonetheless we have it, and so, as a fully paid up consultant, I was trying to figure out what is required to jump on the bandwagon and charge good money to secure “clouds”.
Fortunately, what I discovered was that I’d already been securing “clouds” for the last 10 years, and, as I pointed out earlier – there is nothing new, just a nice new shiny name, and some (ranging in quality) pretty web interfaces. Now, as a bit of a UNIX head and command line aficionado, the latter is of no great interest to me, so I’m left with a new name …
So what is cloud computing then? (a) Cloud computing is virtualisation – where someone else owns the hardware and the hypervisor, and then allocates you, at your cost, via a rental agreement, elastic virtual machine instances to do with it what you will and (b) cloud computing is distributed computing – where your data is spread over a number of machines &/or locations. That’s it. All there is. It doesn’t matter if you are talking about “compute cloud” (virtual processors) or “storage cloud” (virtual disks) the above stands, and the security implications are _exactly_ the same as we faced over the last nine decades. To wit, confidentiality, availability & integrity How can we maintain our “private” data as “private” when we are uploading it to somewhere outside our control, how can we assure ourselves that it will be available when we need it, and how do we know that it will be the same when we get it back as when we put it there – that nobody has fiddled with it, be they system or person ?
Given that we have had virtualised operating systems as far back at least as the mid-1960s (http://en.wikipedia.org/wiki/IBM_M44/44X) and that distributed computing was, in fact, the way that we all started out, with satellite terminals to mainframes ( those terminals going from “dumb” to “sentient” remarkably quickly), with centralised storage and computing power being available pretty much universally, certainly as soon as the end of the last century, as I recall both of them from my University days – what’s new in the cloud ? Each of the above technologies has developed working controls for securing the solution – point-to-point encryption, file encryption, checksums, non-repudiation, single-sign-on ( Kerberos was developed for the MIT distributed computing environment – see http://en.wikipedia.org/wiki/Project_Athena), hypervisor security – ensuring VM isolation and so on. All the technology exists, and has existed for some time, “There is nothing new, except what has been forgotten” – Marie Antoinette.
Rather annoyingly, the truth of the matter is that we have to rely on SLAs with our “cloud” vendors primarily as our security, we have so little control (unless we are running our own “clouds”, but that’s just distributed computing and virtualisation if you do it yourself.)
Interestingly enough though, while, as a Security Professional, I’ve found nothing to fear from the “cloud”, as a Forensic Analyst, things look a little different. In this area, I’m not an expert, and I’ve not had enough time to experiment to prove a point one way or another (I have, however, bought my first “cloud” – an Amazon EC2 account and made a few “instances” – so I’m working on it!) but I would imagine that a lot of things have now gone: file fragments and “deleted” files – gone, USB artefacts – gone, I don’t know what else, but I imagine that the Trojan defence probably scales well to the cloud:
“M’lud – it wasn’t me running the cloud, it must have been compromised by person or persons unkown, you know _everyone_ can access the cloud”.
Couple this with the rapid allocation and de-allocation of IPs in clouds, the ability to create new, clone and delete instances – and to take instances from other people, I think that the cloud is going to give us some interesting times ahead.
Click here to discuss this article.
Simon Biles is one of the founders of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK. He has worked on security projects for commercial, charity and government organizations for over 10 years. Simon is studying Forensic Computing at Cranfield University, although very slowly because of work commitments! He posts on the forum as Azrael and you can read an interview with him here.