Securing Cloud Services: Air Defense for Information Systems

Amazon likes to play it cagey about exactly how big its Amazon Web Services (AWS) division is, but every once in a while they just can’t stop themselves from dropping some astounding fact or figure:

Like the 762 billion objects stored on their servers … or the fact that every single day the company adds enough computing power to have powered their original business through its first five years.

Some sleuthing from those tidbits reveals that AWS alone powers a full one percent of all Internet traffic, and that around one third of all Internet users visit an AWS-hosted site at least once per day. Most of us never even realize it, but AWS is actually behind massive daily-use sites like Netflix, Airbnb, Yelp, and Expedia.

And those numbers are all from way back in 2012. No one other than Amazon knows the volume today, only that it has likely increased by orders of magnitude.

And Amazon isn’t the only major cloud services provider. Microsoft, Google, Rackspace, and hundreds of other competitors all host major websites and services, powering web-commerce and private companies, hot startups and government agencies.

Cloud services can be a one-stop shop for a hacker good or lucky enough to crack them. The sheer volume of targets and depth of information stored in the cloud is mouthwatering stuff for cybercriminals.

Cloud services security teams carry the weight of the Internet on their shoulders, out of sight and mind of most web users, and sometimes even the companies that rely on them. Yet their domain continues to expand and the resources and challenges they deal with are unique.

Master’s-educated cybersecurity analysts, auditors, architects and administrators looking to position themselves on the front lines of today’s most urgent information security conflicts only need to look as far as cloud services.

Splitting the Workload to Deal With Threats

The power of cloud computing comes from the shared services model, a throwback to the days of timeshare computing. Servers at most companies operate with frightening inefficiency, running at a tiny fraction of their full capacity. In step cloud service providers, taking jobs from countless different customers and throwing the tasks at massive remote servers to keep them as fully utilized as possible. The scale of allocating, servicing, and operating servers this way results in a much lower cost per compute cycle than any individual company could achieve.

But this means that every server is running code and processing data from many different users simultaneously. For hackers, this amounts to having half their work done for them: getting code that is already executing on the same machine as a potential target. Methods for subverting shared service virtualization were developed as far back as 2006, right around the same time AWS was introduced.

For both regular users and cloud cybersecurity staff, the potential for compromise at the hands of malicious fellow users is the nightmare scenario.

Cloud services deal with this by bifurcating the security responsibilities. The provider assumes control from the bare metal of the servers up to the configuration level accessible to users, at which point the user becomes responsible for the data and services running on the server.

This makes customers generally responsible for dealing with external threats, leaving cloud providers free to focus on internal issues.

How Scale Brings Security in Addition to Efficiency

The massive resources pouring into cloud providers can make them more secure in addition to more efficient. With their reputation on the line, major cloud companies spare no expense in securing their networks.

At Amazon, everything from data center construction to patching to auditing is governed by industry best practices designed to ensure compliance with a variety of third-party standards. Google has a 500-person information security team just to oversee cloud operations, monitoring a layered security model designed to keep customer data secure and separated.

Marshaling Custom Hardware Configurations and In-House Software Development

In addition to being able to afford large, dedicated security teams, cloud providers generally have another advantage over smaller, single-service server operators: they operate at a scale where it’s feasible to design and build their own hardware and software stack. This allows them to configure special-purpose servers, using only required code on them that has been carefully vetted.

Almost all Unix operating systems today still come with a tiny service installed named finger. Famously, a flaw in the service was exploited to deliver the very first computer worm, the Morris Worm, in 1988. Designed to provide information about other users on the system, finger is used by almost no one today, but it’s still there. By building special-purpose servers and writing the software that runs on them, cloud services providers are able to close off exactly this kind of potential inroad.

Other vulnerabilities in this and other vestigial services remain undiscovered. But cloud providers sidestep this by configuring their servers without any extraneous code that could serve as a vehicle for compromises.

PlayStation Hacks and Lightning Strikes: How Both Abuse and Mother Nature Can Threaten Cloud Infrastructure

The on-demand availability of high-performance, high-capacity computing resources is a boon for regular businesses and hackers alike. A stolen credit card and forged email address can set a hacker up with everything they need to launch attacks on third-party systems with complete anonymity, using cloud services as the platform.

Cloud provider cybersecurity staff constantly monitor traffic going out of their networks as well as what’s coming in, watching for the signature of various attack profiles emerging from malicious users.

In one incident, a user fraudulently rented and used an Amazon EC2 (Elastic Compute Cloud) instance to hack Sony’s PlayStation network. Using the EC2 instance prevented Sony and law enforcement from being able to track the hacker directly.

Hackers are also suspected of using rented cloud processing power to perform brute-force password cracking and other processor-intensive hacking techniques. Just like it is for legitimate businesses, it’s simply easier and less expensive for hackers to get such power from cloud providers. And there’s another major obstacle to consider: it can be difficult for cloud cybersecurity teams to differentiate between legitimate processing activity and nefarious hacking efforts.

Almost as bad as intentional abuses are the inadvertent problems that can lead to data being lost or compromised.

In one instance, Amazon’s European cloud servers were hit with a lightning strike, causing a glitch that began automatically erasing customer data. The company wasn’t going to let a random act of nature undermine the integrity of servers again. Amazon responded like the billion-dollar boss it is by increasing the geographic distribution of data storage to add redundancy in case of isolated failures.

Cloud Providers Band Together to Take on Security Threats

Recognizing that major exploits of cloud computing services threaten the very business model, many cloud service providers have come together to form the Cloud Security Alliance, a non-profit organization dedicated to establishing and sharing best practices for cloud computing security.

Contributing cybersecurity experts from each of the providers guide policy and best practices and conduct research on topics that include:

  • Top threats to cloud computing infrastructure
  • Governance, risk, and compliance assessment
  • Big data security in cloud services

The organization also offers certification and training for cloud information security professionals. Despite being in competition with one another, most cloud service cybersecurity experts recognize that they have to band together to defend themselves against hackers.
