Tough questions should be asked of cloud providers: Garrett

Summary: Linux kernel developer Matthew Garrett says different security considerations are needed when running software in the cloud, because an evil cloud provider is more dangerous than an evil traditional collocation host.

TOPICS: Cloud, Security

When you run software in the cloud, not only do you have the same security concerns as traditional IT architectures — trusting the silicon, the firmware, and an operating system, as well as the usual array of daemons — but now you have to trust the hypervisor and worry about the security of other guests on the same hardware, Matthew Garrett, Linux kernel developer and cloud security developer at Nebula, told the audience of yesterday.

Delivering the Thursday keynote, Garrett said that while cloud computing usage has increased, and users are trusting it more and more, few still have the faintest idea of what it is.

"There are people that think of the cloud as just being any remote datastore, there are people who think of cloud computing in terms of virtualisation, there are people for whom the cloud is just 'well, there's a magic box somewhere that contains my data, I don't know where'," he said.

"People running tablet operating systems are often not running anything particularly interesting on the tablet, and that means that the attack surface is much smaller. If all my personal data is in the cloud instead, then isn't that going to be better? I don't have to worry about how much I can trust my device, all I have to do is trust the cloud."

Garrett said that was a choice he would not personally make, and that users should be aware of the trade-off of security for convenience if they are giving their data to a cloud provider, and trusting the providers not to steal or lose the data.

The former Red Hat employee focused on the security of the hypervisor as an area that needed examination.

"On the balance of probabilities, you have to assume that hypervisors probably do contain vulnerabilities, that they do contain flaws that can be exploited to gain access and allow guests to break out into the hypervisor.

"If you host with Amazon, you have no idea what else is running on the same hardware, you have no way of seeing the other guests, what services they are running? It's conceivable that your personal website could be hosted on the same piece of hardware as a credit card processing system."

Garrett said that although the hypervisor should nominally protect other guest machines from a compromised guest, users should still be concerned about potential breakouts into the hypervisor, which would allow otherwise protected guests to be compromised.

"These guests may have nothing to do with each other, but can you trust them?" he said. "What if someone is actively running a malicious guest on the same piece of hardware as your website?

"Is it absolutely certain that if someone compromises a guest on the same hardware as you, that that compromised guest will then not be able to break into the hypervisor, and then from the hypervisor compromise your system?"

Consequently, Garrett said that a number of difficult security questions need to be asked of cloud providers: what is used to isolate guests; how the provider responds if a security issue is found in the hypervisor; what mechanisms are used to detect compromises; whether a cloud provider can say with certainty that a host machine has been compromised in a fundamental way; and what tools they use to conduct this analysis.

"To be fair, these are intensely difficult questions," Garrett said.

"Nobody publishes their security implementations publicly; you just have to take us on trust. The entire public statement from Amazon about guest security is that 'the hypervisor protects guests from interfering with each other'," he said.

Being able to trust your service provider is more important than ever, since cloud systems are easier to compromise than traditional bare-metal systems.

"An evil cloud provider can do much more damage to you than an evil hosting provider," Garrett said. "They can do the same amount of damage, but they can do it undetectably, whereas an evil traditional hosting provider, you would probably notice that your system went away for 20 minutes and came back ... it is trivial to perform runtime introspection on virtual machines. A cloud provider can log in to their hypervisor and then read all the memory of your running guests. They can pull out an exact duplicate of the running system without your being able to see that.

"Whoever owns the hypervisor potentially owns the guests, and your cloud provider owns the hypervisor. You need to trust your cloud provider to still be good, unfortunately."

Questions should not only be asked of cloud service providers, Garrett said, but also of any company that hosts in the cloud with whom users may do business.

"If you are doing business with a company that hosts in the cloud, you need to ask them which questions did they ask the cloud provider? What guarantees do they have that their VMs are secure? What policies are they [using] in order to monitor the behaviour of their VMs and reduce the probability that they're being compromised by external forces?"

Going forward, Garrett said that all parties should be more aggressive about securing every layer of systems, but do so in a way that allows users to modify their system and not make them choose between security and freedom.

"Cloud vendors need to be asked hard questions. It's not acceptable for a cloud vendor to not have no security policy, it's not acceptable for a cloud provider to be unable or unwilling to tell you what they do to keep their clouds secure. We cannot allow that to continue."



Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

  • Cloud is trust in another entity

    Cloud to me is trusting another entity to protect not only itself but you as a client in the cloud. So far that trust is hard to come by and as far as I am concerned it's hard when so many are waiting in the hacker dark alley to try and steal information. It's just too tempting for hackers to not try and break those security barriers. The more you embrace the cloud the more you risk losing. I think questions remain on how diligent cloud service providers are in protecting your data. As we know nothing is 100% secure and what bothers me is like in the Target breach. How long it takes to notify the affected user of that breach. This is truly the frightening thing about personal information stored in the cloud.
    • True, but it isn't just hackers

      We have all internal threats too.

      The question needs to be would they do a better job than you are currently doing? Unfortunately there are many organisations out there that don't do a diligent job, so many cloud providers look better already. As alluded to in this article, going cloud changes your threat profile and risks, but it is a myth to think your responsibilities as data custodians also migrate to the cloud.

      I sense they do very well against the external threats these days, but remain exposed on the internal threats, and most certainly are unable to address the threats from government.
  • Trusting Providers

    While there are a lot of timely comments on this, let's go a little deeper. What about your switch provider? What about your proxy server? What about any base security service? Even in your own company, if you use a hypervisor, it is equally trivial to take the listed snapshot. If any part of your network is compromised, it doesn't even need to be an inside job. In the end, your cloud provider is a security service as much as whatever other service(s) they provide. Any one of the previously mentioned areas is a vector of attack which we have "vetted" as trustworthy - the cloud provider should be no different. There is no reason to hold them to a higher level of scrutiny than these other security methods. While I don't disagree that these questions SHOULD be asked, how many of you have asked such questions of your current vendors?
  • You're doing it wrong. Cloud, Yes Have Security.

    "It's not acceptable for a cloud vendor to not have no security policy."

    This quote sums up the entirety of this uninformed zero value article.

    What a ridiculous statement. Please name a single relevant cloud provider that "not have no" [sic] security policy.
    Chris Ssabmud