In my last post, I presented the different terms and taxonomy related to information security investment and cost-optimizing strategy. Logically, the BYOR series continues with this article on cloud security. During these last days, I was listening to the Pink Floyd album "Dark Side of the Moon" and I decided to name this article after this wonderful piece of musical creation. The only thing that changed is the meteorological reference, used to emphasize this particular structure of enterprise network architecture.
Through this article we will discover the motives (cost-related, for most of them, of course) pushing every enterprise to consider the cloud transition, and the different security challenges cloud customers face afterwards. We will then focus on some aspects of security and, more precisely, on the cloud forensic challenges that disrupt this digital utopia known as the cloud.
Until ten years ago, every organisation kept its data and applications on its own servers. Some years ago (~2008), most organisations began outsourcing their applications and data to large datacenters, hosting providers and cloud providers. Suddenly, cloud services are becoming the backbone of our digital society. Public data about the uptake of cloud computing shows that, a few years from now, the majority of organisations will depend on cloud computing. One of the reasons is that the vast majority of publicly available entertainment was built on the premises of the cloud architecture. Being able to access, share and view data everywhere was, and still is, a main edge, therefore influencing and shaping the needs for business processing and accessibility from everywhere.
Bright side of the cloud
Nowadays, large cloud providers are serving tens of millions of end-users. Cloud computing services are increasingly playing an important role for society and the economy. The Government of Canada Cloud Adoption strategy[i], published in 2015, aims to speed up the adoption of cloud computing for financial and economic benefits. The Japanese government, for example, after the large earthquake of 2011, actively promoted cloud computing as a way to improve the resilience of information infrastructures to withstand natural disasters.
The increased dependency of society on cloud computing makes it also relevant from a national CIIP (“Critical Information Infrastructure Protection”) perspective. Cloud computing is, in a way, a double-edged sword:
- On the one hand, cloud computing offers important benefits in terms of costs, information security and resilience, for example in the event of a DDoS attack.
- On the other hand, the concentration of IT resources in a few large datacenters implies that failures or cyber-attacks could have a larger impact on society and the related economy.
This double-edged sword is actually the reason for our study on the security exposure of such cloud-based architectures. That's why we will first explore the advantages in terms of cost.
Cloud computing can be compared to public utilities used to deliver commodities such as gas, water or electricity. Instead of acquiring and operating computing infrastructure, such as storage and servers, computing power is purchased from the utility provider. Much like the electricity flowing into a home, cloud computing is on-demand, metered to rising and falling needs of the consumer, and priced on the basis of what is consumed. The cost of the infrastructure used to deliver the commodity is amortized across the charges to the consumer. Cloud computing offers:
- Economies of scale;
- On-demand provisioning;
- Flexibility (grows and shrinks according to the client’s needs);
- Offerings regulated by service-level agreements;
- Enhanced security.
Public cloud services offer benefits that enable CIOs to make significant advances in all of these areas, such as follows:
- Service performance: Self-service provisioning of computing resources can dramatically reduce the time to meet a requirement. Metrics-based service levels that are contractually enforced help ensure consistent performance levels.
- Security: Cloud-service providers hold internationally recognized security certifications that are assessed by third-party security professionals. These certifications include robust security features that would be a challenge for any one consumer to fund individually.
- Innovation: New features are being continuously deployed, and the costs are amortized across a global service customer base. New technologies such as social media, mobile platforms and analytic tools are all available through subscriptions without large capital investments.
- Agility: Rapid access is available to multi-featured computing resources at the required capacity to carry out projects from planning to full operation.
- Elasticity: Commoditized services can grow and shrink with the level of demand; consumers pay only for what is needed for the time it is needed.
Here's the link to an online calculator specialized in comparing on-premises vs. cloud total cost of ownership (TCO). The results can be staggering; the model includes license and subscription, installation and set-up, customization and integration (very important), data migration, training, maintenance and support, etc., allowing you to fully customize your forecast of the solution's TCO.
Most of the comparisons I made with the simulator yielded a clear 5-year TCO advantage ranging between 30% and 200% in favour of the cloud. And now I see the smile on your face, denoting a sentiment of victory because we succeeded in following this transition model from an ancient enterprise architecture, relying mainly on a completely private infrastructure, to a new one where the notion of private boundaries is rendered obsolete, in addition to lowering the cost of fully operationalizing those business lines.
What we just saw can be qualified as the bright side of the moon: this fascinating, attractive, pearl-white visible face. That's the reason why most of today's enterprises invest mainly in those services. Yes, we have the right to smile. However, from experience and from observing the trends of this digital mist revolution, I have to underline the lack of comprehension and analysis ante mortem when addressing cloud SLAs and legal terms.
Dark side of the cloud
As in every architecture, there’s a downside, a dark side. Welcome to the cloud of unknowing.
In the survey made by ENISA[ii] in December 2013, respondents from different sectors (eGovernment, IT, healthcare, finance, etc.) were asked which incidents should be in scope of incident reporting. The experts were first presented with a rough classification of incidents according to their impact, in 5 severity levels, with one practical example for each level. Then the experts were asked to indicate which incidents should be reported. The impact scale is presented below:
- Impact 0: Something went wrong in an exercise or a test. No impact on users.
- Impact 1: Incident had impact on assets, but no direct impact on customers.
- Impact 2: Incident had impact on assets, but only minor impact on customers.
- Impact 3: Incident had impact on customers.
- Impact 4: Incident had major impact on customers.
The graphic in the report shows that only half the experts would report an impact 2 incident. Why? When analyzing the report, some experts noted that cloud providers are often not in a position to determine the severity of an incident, and/or whether an incident had an impact on the core business operations of customers and a potential impact on critical data.
Further in the report, the same experts claimed that the most important parameter to report is the criticality of the data or assets affected. This is in line with the fact that most experts would like to focus first on incident reporting in critical sectors. Besides this, most experts agree that incident reports should include the number of end users affected and the impact on customers (loss of data access, geographic spread, and duration of the cloud security incident). The fact is that some legal terms and specific regulatory issues comfort some cloud providers in not providing those incident reports and related details to their customers[iii]. In addition, they take advantage of favorable contract terms, designed specifically to protect their interests.
So now you're likely to dim your smile a bit and ask yourself: What data is available in the cloud? Is it critical? What are the reputational impacts in case of data disruption? Have the contract terms been completely evaluated and discussed? Does this fit my security posture? In order to answer these questions, keep this first rule in mind before dealing with the cloud: "Know your data and the rules of the game". This may sound goofy, but you'll be surprised to see how many enterprises are helpless once they have engaged in the cloud transition.
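To make the ENISA impact scale and the experts' wish list concrete, here is an added example (my own illustration, not ENISA's or the article's code) of a small incident-triage helper: it places an incident on the 0 to 4 scale from the recorded facts, checks whether the report carries the details the surveyed experts asked for (data criticality, number of end users, loss of data access, geographic spread, duration), and decides whether the incident crosses a reporting threshold. The field names, the `CloudIncident` record and the default threshold of level 2 are assumptions for the example; the threshold is a policy choice each customer should write into its contract.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# ENISA impact scale as quoted in the article (levels 0 to 4).
IMPACT_SCALE: Dict[int, str] = {
    0: "exercise or test, no impact on users",
    1: "impact on assets, no direct impact on customers",
    2: "impact on assets, only minor impact on customers",
    3: "impact on customers",
    4: "major impact on customers",
}

# Wording used for customer impact, mapped to a level on that scale.
# "none" is resolved later from whether assets were affected.
CUSTOMER_IMPACT_LEVEL: Dict[str, Optional[int]] = {
    "none": None, "minor": 2, "significant": 3, "major": 4,
}

# Report details the surveyed experts asked for (constructed field names).
REPORT_FIELDS = (
    "data_criticality", "end_users_affected", "data_access_lost",
    "regions_affected", "duration_hours",
)


@dataclass
class CloudIncident:
    """Constructed incident record; None means the provider has not supplied the detail."""
    title: str
    exercise_or_test: bool = False
    assets_affected: bool = False
    customer_impact: str = "none"            # none | minor | significant | major
    data_criticality: Optional[str] = None   # e.g. "critical", "internal"
    end_users_affected: Optional[int] = None
    data_access_lost: Optional[bool] = None
    regions_affected: Optional[List[str]] = None
    duration_hours: Optional[float] = None


def classify_impact(incident: CloudIncident) -> int:
    """Place an incident on the 0-4 scale from the facts recorded about it."""
    if incident.customer_impact not in CUSTOMER_IMPACT_LEVEL:
        raise ValueError(f"unknown customer impact: {incident.customer_impact!r}")
    level = CUSTOMER_IMPACT_LEVEL[incident.customer_impact]
    if level is not None:
        return level                      # customers felt it: levels 2, 3 or 4
    if incident.exercise_or_test or not incident.assets_affected:
        return 0                          # nothing real was hit
    return 1                              # assets hit, customers not


def missing_report_fields(incident: CloudIncident) -> List[str]:
    """Details a report still lacks before the customer can judge the incident."""
    return [name for name in REPORT_FIELDS if getattr(incident, name) is None]


def report_decision(incident: CloudIncident, threshold: int = 2) -> dict:
    """Decide whether to report and list what is still missing.

    The threshold is assumed policy: report from level 2 upward, the level on
    which the surveyed experts were split.
    """
    level = classify_impact(incident)
    return {
        "level": level,
        "description": IMPACT_SCALE[level],
        "report": level >= threshold,
        "missing_fields": missing_report_fields(incident),
    }


if __name__ == "__main__":
    # Constructed sample: a storage outage first logged by the provider with little detail.
    outage = CloudIncident(title="object storage degraded in one region",
                           assets_affected=True, customer_impact="minor")
    print(report_decision(outage))
    outage.data_criticality = "internal"
    outage.end_users_affected = 1200
    outage.data_access_lost = True
    outage.regions_affected = ["region-a"]
    outage.duration_hours = 2.5
    print(report_decision(outage))
```

Run as a script, the first decision shows a level 2 incident that should be reported but whose report is missing all five details; the second shows the same incident once the provider has filled them in, which is the state a customer should insist on contractually.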
The term “Cloud Forensics” refers to the ability of reconstructing and analyzing cloud based incidents, cybercrimes or any digital evidence by applying suitable practices, techniques and methods.
A cloud incident is a breach of security in the cloud environment that has an impact on the operation of network and information system core services, which public administrations and market operators provide.
Ask yourself the question: "Now that an incident has been detected and confirmed, do I have the right tools to intervene and conduct a state-of-the-art forensic analysis?" Being honest with yourself, and depending on the cloud model and level of service you've contracted, you may have the tools and the expertise, but you won't have the authority nor the legal right to do this analysis yourself.
Based on the literature review[iv], the main factors that make forensic investigations in the cloud harder than traditional investigations are the following:
- Legal issues including multiple ownership, multiple jurisdictions, and multiple tenancies;
- Limited access to remote and distributed physical infrastructure and storage;
- Lack of physical control and physical location of data;
- Lack of collaboration from the cloud provider(s);
- Segregation of duties among cloud actors;
- Difficulties in accessing and analyzing the log data / lack of transparency of log data to the consumer;
- Proliferation of mobile devices and endpoints.
The complexity of cloud forensics will often depend on 1) the cloud service models: in the IaaS model, customers may easily have access to data, while in the SaaS model customers may have little to no access to data required for cloud forensics, and 2) the deployment models: in private clouds, provider-side artefacts should not be segregated among multiple tenants, while in public clouds, the segregation is mandatory.
The deeper your control over the TCP/IP stack in the cloud, the more you're able to get that information and conduct a proper forensic analysis. Here is a table provided by ENISA displaying the different consequences applicable to the customer and the provider, by service model:
SaaS:
- Client does not have a deep view of the system and its underlying infrastructure;
- Single sign-on (SSO) access control should be requested;
- The client has to contribute to the forensic process, e.g. by implementing Proofs of Retrievability (POR);
- Logging tools should run on the provider infrastructure;
- Providers may not give access to the IP logs of clients accessing content or to the metadata of all devices.
PaaS:
- Core application is under the control of the customer;
- The customer has no direct control of the underlying runtime environment;
- Logging mechanisms and additional encryption can be implemented;
- Some CSPs provide diagnostic features that offer the ability to collect and store a variety of diagnostic data in a highly configurable way.
IaaS:
- IaaS instances provide much more information that could be used as forensic evidence than the PaaS and SaaS models;
- Some examples are the ability of the customer to install and set up the image for forensic purposes, and to take a snapshot of the virtual machine; RFC 3227 contains several best practices applicable to an IaaS, useful for responding to a security incident, especially in the case of live investigation of systems;
- Virtual IaaS instances, in many cases, do not have any persistent storage (persistent data has to be stored in long-term storage) and volatile data might be lost;
- Providers may be reluctant to provide forensic data such as recent disk images because of the privacy issues that arise;
- Some problems may arise from the unclear situation regarding how the provider handles the termination of client contracts, and from the inability of the client to verify that the sensitive data stored on a virtual machine has been deleted exhaustively.
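The table mentions Proofs of Retrievability (POR) as a way for the client to contribute to the forensic process. The following is an added example of mine, not ENISA's or the article's code, showing the idea in its simplest spot-check form: before outsourcing an object, the client tags every block with an HMAC under a key only it holds; later it challenges the provider for a random sample of blocks and recomputes the tags. A provider that lost or altered a block cannot forge a valid tag for it. The `Provider` and `LossyProvider` classes, the key and the sample data are all constructed for the example; real POR schemes add erasure coding and compact proofs, which this sketch omits.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 64  # bytes per block, kept small so the example stays readable


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def tag_block(key: bytes, index: int, block: bytes) -> bytes:
    # The tag binds block position and content to the client's secret key.
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


class Provider:
    """Constructed stand-in for a storage provider; keeps blocks with their tags."""

    def __init__(self) -> None:
        self.store: Dict[str, dict] = {}

    def upload(self, object_id: str, blocks: List[bytes], tags: List[bytes]) -> None:
        self.store[object_id] = {"blocks": list(blocks), "tags": list(tags)}

    def respond(self, object_id: str, indices: List[int]) -> List[Tuple[int, bytes, bytes]]:
        obj = self.store[object_id]
        return [(i, obj["blocks"][i], obj["tags"][i]) for i in indices]


class LossyProvider(Provider):
    """Provider that silently lost one block (simulated corruption); tags are untouched."""

    def __init__(self, lost_index: int) -> None:
        super().__init__()
        self.lost_index = lost_index

    def respond(self, object_id: str, indices: List[int]) -> List[Tuple[int, bytes, bytes]]:
        out = []
        for i, block, tag in super().respond(object_id, indices):
            if i == self.lost_index:
                block = b"\x00" * len(block)  # content gone, original tag still returned
            out.append((i, block, tag))
        return out


class Client:
    """Owner of the data; stores only the key and the block count per object."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.block_counts: Dict[str, int] = {}

    def outsource(self, provider: Provider, object_id: str, data: bytes) -> int:
        blocks = split_blocks(data)
        tags = [tag_block(self.key, i, b) for i, b in enumerate(blocks)]
        provider.upload(object_id, blocks, tags)
        self.block_counts[object_id] = len(blocks)
        return len(blocks)

    def audit(self, provider: Provider, object_id: str, sample_size: Optional[int] = None,
              indices: Optional[List[int]] = None) -> List[int]:
        """Challenge a sample of blocks; return the indices that failed verification."""
        n = self.block_counts[object_id]
        if indices is None:
            k = n if sample_size is None else min(sample_size, n)
            indices = sorted(random.sample(range(n), k))
        answered = {i: (b, t) for i, b, t in provider.respond(object_id, indices)}
        failed = []
        for i in indices:
            if i not in answered:            # provider skipped a challenged block
                failed.append(i)
                continue
            block, tag = answered[i]
            if not hmac.compare_digest(tag_block(self.key, i, block), tag):
                failed.append(i)
        return failed


# Constructed sample inputs: a client key and a 512-byte object (8 blocks).
KEY = b"constructed-client-secret-key"
SAMPLE = bytes(range(256)) * 2

if __name__ == "__main__":
    client = Client(KEY)
    honest, lossy = Provider(), LossyProvider(lost_index=3)
    client.outsource(honest, "vm-snapshot-001", SAMPLE)
    client.outsource(lossy, "vm-snapshot-001", SAMPLE)
    print("honest provider, full audit:", client.audit(honest, "vm-snapshot-001"))
    print("lossy provider, full audit:", client.audit(lossy, "vm-snapshot-001"))
    print("lossy provider, 3-block sample:", client.audit(lossy, "vm-snapshot-001", sample_size=3))
```

The third print line is the point of the scheme: a small random sample can miss the lost block on any single audit, so the client repeats audits over time and sizes the sample against the fraction of loss it wants to detect with high probability.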
The tools currently available are actually the ones used in traditional investigations. In particular, network forensic tools are used to capture data (information, logs, etc.) on IaaS, as IaaS instances provide more information for forensic evidence in case of an incident than the PaaS and SaaS models do.
In the SaaS model, the customer does not have any control of the underlying operating infrastructure or even the application that is provided. For the support of forensics analysis, the customer has to buy specific services from the providers (for example logging and trace activities application, access control toolkit) to create useful information for the analysis.
In the PaaS model, it might be possible to implement logging mechanisms at the application layer to help the forensic investigation. However, the customer has no direct control of the underlying environment, and the data acquisition for collecting evidence depends strongly on the prior agreement with the CSPs.
Therefore, to depict the status of cloud forensics in the cloud landscape, we can define these three dimensions:
- The technical dimension refers to the specific features of the cloud computing model that are to be considered in the forensic investigations in the cloud computing environment.
- The organizational dimension refers to the aspects related to the coordination of parties involved in the forensic investigations in the cloud computing environment.
- The legal dimension regards the legal and contractual aspects between the parties involved in the forensic investigations in the cloud environment.
In order to close this article, we will expose the different challenges that organisations face when dealing with the aforementioned categories.
Evidence collection in cloud-based environments is usually more complex than in traditional investigations, particularly given the remote nature of the evidence, the lack of physical access, and the distributed and dynamic nature of the cloud model, which makes it difficult to demonstrate the integrity and authenticity of the gathered evidence.
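Demonstrating the integrity and authenticity of evidence gathered remotely is exactly what a chain-of-custody record is for, and it is also where the time-synchronization and chain-of-evidence challenges listed later bite. Here is an added example of mine (not ENISA's or the article's) of a minimal custody log for artifacts pulled from an IaaS instance: every entry carries the artifact's SHA-256, a UTC timestamp (naive timestamps are refused), the hash of the previous entry, and an HMAC seal under a key the investigating team holds. `verify()` recomputes the chain, the seals and, where the artifacts are supplied, the artifact hashes. The `CustodyLog` class, the sealing key and the two sample artifacts are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so every verifier hashes the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Hash-chained, HMAC-sealed record of collected evidence (constructed example)."""

    def __init__(self, sealing_key: bytes) -> None:
        self.key = sealing_key
        self.entries: List[dict] = []

    def record(self, artifact: bytes, description: str, source: str,
               collector: str, collected_at: datetime) -> dict:
        if collected_at.tzinfo is None:
            # Cloud evidence comes from many clocks; insist on an explicit zone.
            raise ValueError("collected_at must be timezone-aware (use UTC)")
        body = {
            "seq": len(self.entries),
            "collected_at": collected_at.astimezone(timezone.utc).isoformat(),
            "source": source,
            "description": description,
            "collector": collector,
            "artifact_sha256": sha256_hex(artifact),
            "artifact_size": len(artifact),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry_hash = sha256_hex(canonical(body))
        seal = hmac.new(self.key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, entry_hash=entry_hash, seal=seal)
        self.entries.append(entry)
        return entry

    def verify(self, artifacts: Optional[Dict[int, bytes]] = None) -> List[str]:
        """Return the problems found; an empty list means chain, seals and artifacts check out."""
        artifacts = artifacts or {}
        problems: List[str] = []
        prev = GENESIS
        for e in self.entries:
            seq = e["seq"]
            body = {k: v for k, v in e.items() if k not in ("entry_hash", "seal")}
            if e["prev_hash"] != prev:
                problems.append(f"seq {seq}: chain broken")
            if sha256_hex(canonical(body)) != e["entry_hash"]:
                problems.append(f"seq {seq}: entry altered")
            expected = hmac.new(self.key, e["entry_hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["seal"]):
                problems.append(f"seq {seq}: seal invalid")
            if seq in artifacts and sha256_hex(artifacts[seq]) != e["artifact_sha256"]:
                problems.append(f"seq {seq}: artifact altered")
            prev = e["entry_hash"]
        return problems


def build_demo_log() -> Tuple[CustodyLog, Dict[int, bytes]]:
    """Constructed scenario: two artifacts collected from a VM, in volatility order."""
    log = CustodyLog(sealing_key=b"constructed-team-sealing-key")
    when = datetime(2016, 5, 1, 10, 0, tzinfo=timezone.utc)
    artifacts = {
        0: b"PID USER CMD\n1 root /sbin/init\n842 www-data /usr/sbin/nginx\n",  # constructed
        1: b"snapshot-id: snap-EXAMPLE\nvolume: vol-EXAMPLE\nstate: completed\n",  # constructed
    }
    log.record(artifacts[0], "process list (volatile)", "vm-example", "analyst-1", when)
    log.record(artifacts[1], "disk snapshot manifest", "vm-example", "analyst-1", when)
    return log, artifacts


if __name__ == "__main__":
    log, artifacts = build_demo_log()
    print("intact:", log.verify(artifacts))
    artifacts[0] += b"\n999 root /tmp/x"  # someone edits the stored process list
    print("after edit:", log.verify(artifacts))
```

Under the collected-at timestamp, the team should also record which clock produced it (instance, provider console, or collector workstation) and its measured offset from a reference source, since the later list of challenges flags time synchronization as one of the things that undermines cloud evidence.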
In addition, the technical challenges listed below add more complexity:
- Dynamic nature;
- Volatile data;
- Data deletion;
- Cumulative trust issues across Cloud layers;
- Cloud and time synchronization dynamics;
- Unification of different data format of the logs;
- Lack of cloud-specific tools;
- Encryption of data;
- Re-usable and shareable resources;
- User Accountability.
The complexity of forensics and investigations in a cloud environment is also related to organisational challenges:
- Evidence collection;
- Limited collaboration;
- Responsibilities based on chosen deployment model.
Here are some of the legal challenges, often related to jurisdiction, in particular:
- Cross-national legislations;
- Lack of CSP obligations;
- No agreement between CSPs;
- Chain of evidence;
- SLAs regarding forensic analysis differ depending on the CSP.
For more information regarding the legal challenges in cloud environments, we refer you to this study, “Étude sur les incidences juridiques de l’utilisation de l’infonuagique par le Gouvernement du Québec”, conducted by the University of Montreal (Professor N. Vermeys and our legal counsel, Julie M. Gauthier). Even if the study was carried out in a “public” perspective, some of the legal challenges mentioned therein are the same in the private sector.
Finally, is there a need to rethink our enthusiasm concerning a migration to the cloud? Well, yes, and as said earlier, it will depend on the degree of awareness and analysis you invest before signing an agreement with a CSP. But there's an undeniable need for cloud providers to address those issues and to provide an enhanced environment to the customer in order to respond rapidly and efficiently in case of an incident.
Special thanks to ENISA for its excellent expertise on the matter. See you in 3 weeks for BYOR: Attacks in the Cloud (Part 3).
Alexandre Pieyre, M.Sc., CISM, CEH, CCNP, Information Security Consultant
[iii] Stanford Technology Law Reviews, Volume 16, Number 1, Fall 2012