Exploring Cloud Computing Information Leakage

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Systems | Monday 17 May 2010 3:23 pm

If you are in (or part of an organization with infrastructure in) a public cloud, this paper is a must read. As more organizations seek to realize the benefits of the cloud, it’s important that we continue to investigate the risks as well. Granted, this research only applies to virtual machines on a shared host. Service providers usually provide “private” cloud offerings with only one client’s virtual machines per physical server.

Does the remote chance of your virtual server being attacked by another virtual server on the same host server justify the added cost of a private cloud deployment? That’s for each client to decide. Ensure you are doing your due diligence before making a decision one way or the other.

Abstract:

Amazon’s EC2, allow users to instantiate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it. In turn, the use of allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities. Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.

Download paper: http://people.csail.mit.edu/tromer/papers/cloudsec.pdf

