Platform-as-a-Service (PaaS) is one of the buzzwords that’s mentioned often in the cloud computing space. I’ve written a blog post describing IaaS, PaaS and SaaS. In short, PaaS is a platform for delivering applications, similar to a pre-built system with hardware, OS and application stack all built in. In the PaaS case, this system is hosted. All you have to do is “upload” the application code and it should take care of the executing and scaling of it.
A quick survey of the land (by no means comprehensive, I am also including ONLY application platforms, not service-specific platforms such as DabbleDB) shows that there’s a plethora of PaaS players out there, each with their own target audience. Some provide more of a raw execution platform, some provide a full suite of tools for creating applications online. Unfortunately, most of these vendor approaches will lock you into their proprietary platform. If you ever want to move to another platform, you have to rewrite at least a portion of code using the new vendor’s API. Phil Wainewright has written about this in his blog post “A plethora of PaaS options.”
|Google App Engine
||Python web applications
||Social networking applications
In one of the CloudCamp SF sessions in July, one of the guys from Microsoft asked whether the OS matters in cloud computing. My answer to that was it depends on the type of application. If it’s a web centric application that has a web front end, uses a database for storage, and doesn’t use any of the low level file IO, then really there’s no need to know what the OS is. In that case, the OS doesn’t matter.
All these vendors have targeted applications that are delivered over the web, and almost all of the vendors listed above try to abstract the OS from the developers so that they don’t have to worry about the underlying infrastructure. As Mosso’s slogan claims, “Code, load and go.”
Even though cloud computing is still in its infancy; however, as it matures, cloud providers will move upmarket to provide additional business value to customers. We will see a rise of cloud application platforms appear on the horizon. Specifically, we will see more domain-specific cloud platforms for different verticals or application types. For example, I can imagine there are developers working on a MMORPG cloud platform (maybe it’s here already if you consider Metaplace to be that) that will provide execution and management (of virtual goods, zones, accounts) for MMO developers; or a data analytics cloud platform that provides all the basic OLAP functions.
Recently we seem to be hearing more and more security exploits aimed at core Internet protocols. In July, Dan Kaminsky revealed a critical exploit aimed at the DNS protocol.
A couple of days ago “[t]wo security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.” See Revealed: The Internet’s Biggest Security Hole | Threat Level from Wired.com for more detailed reporting.
According to Wired.com,
The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.”
. . .
Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network — say, from one AT&T customer to another.
The clever trip the researchers have done is to
use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.
All these core protocol exploits have direct impact to cloud computing as the nature of cloud computing is that computing will happen out there on the Internet somewhere. According to the article,
The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.
Craig Balding from Cloud Security wrote an interesting piece on the security benefits of cloud computing back in July (that I just now got to read.) Craig qualified the post as potential security benefits of Cloud Computing.
After reading through it, I felt compelled to respond, even though it’s a been over a month since the post is up. Craig mentioned he won’t talk about the “flip” side of these benefits in this post, so I figure I will do that.
I have only quoted the headers from Craig’s article so please refer to the original article for all the details.
Overall, Craig has made a good list of potential benefits. However, we really need to distinguish the benefits of virtualization vs cloud computing. Many of the benefits listed here are really benefits of virtualization and not cloud computing. When I read the title, I was hoping to read about how the cloud could be more secure than enterprise environments. I think this list has a mix of that, and how enterprise could use the cloud for some security use cases. That’s fine but mixing them together can be misleading.
1. Centralised Data
- Reduced Data Leakage
As Craig said, “this is the benefit I hear most from Cloud providers”. Unfortunately I have to disagree with Craig here. In my view, the cloud providers are dead wrong about this one. Many of the cloud providers talk about how laptops or backup tapes being stolen as the biggest threat to data leakage, and they are right about that. However, having enterprise data stored in the cloud doesn’t reduce these risks one bit. Travelers will continue to copy data to their laptops as they need to access them while on the road. Old habits die hard. Enterprises will continue to backup data to tapes because they can’t simply reply on cloud providers to backup their data. These will still happen no matter where the data is stored.
In fact, there likely will be an increased chance of data leakage by using cloud computing because now the cloud providers will have to somehow backup their data (maybe on tape!!)
- Monitoring benefits
Most enterprises, probably including the one Craig works for, have centralized file servers, content management systems, etc etc. However, we continue to see problems with data leakage. Having data stored in clouds is not all that different than storing on centralized corporate file servers. Centralized storage and monitoring is not an advantage for clouds. Enterprises had centralized storage/archiving solutions for years.
In my opinion, cloud storage makes it even tougher to monitor data leakage. Think about the tools available to monitor enterprise file servers. Many of them monitors all types of access: read, write, via CIFS/NFS/etc, via local system. How do you do all of that in the cloud? Think S3, the only thing S3 provide you are http access logs. You have no way of knowing who else viewed your files if it’s done locally, for example.
2. Incident Response / Forensics
- Forensic readiness
To a certain extent this benefits is real. However, it’s not a cloud-only benefit. You get the same benefit by simply doing virtualization on your infrastructure. VMware allows you to easily clone an image so that you can perform whatever analysis is needed on the image instead of the original virtual machine. Same as Xen.
However, think about the cases where forensics require physical hard disk scan in case the attacker has “rm” the “bad stuff” such as audit trails or root kit. You now have NO WAY of getting to that in a virtualized environment. Granted, this is probably an issue with any network/san attached storage.
- Decrease evidence acquisition time
Same as above, it’s not a cloud-exclusive benefit. It’s simply a benefit of virtualization. The only real benefit of the cloud, as mentioned by Craig, is not having to “find” storage. Though I would say that’s the least of your worries if there’s a real attack that happened.
- Eliminate or reduce service downtime
First, if the server/VM is truly “0wn3d”, I am not sure you want to keep that system up and running. You may want to bring a good copy of the VM up and run that instead. (or just go back to a previous good snapshot.)
Second, with the cloud, you don’t even have a CHOICE of using physical acquisition toolkit. So I am not so sure that’s a benefit.
- Decrease evidence transfer time
Again, not a real benefit of the cloud. First, bit-by-bit copies of the VM in the cloud still takes time just like if you would in the real world. Second, this benefit can also be realized as part of the internal VM infrastructure, not cloud-exclusive.
- Eliminate forensic image verification time
Ok, so this is a minor benefit, but not a security benefit of the cloud. It’s more about the performance and scalability of the cloud.
- Decrease time to access protected documents
Both this and the next benefit are really about the elasticity and scalability of the clouds and not security.
3. Password assurance testing (aka cracking)
- Decrease password cracking time
Same as above, this is about the benefits of elasticity and scalability, not security.
- Keep cracking activities to dedicated machines
Same as above, this is about the benefits of elasticity and scalability, not security.
- ‘Unlimited’, pay per drink storage
- Improve log indexing and search
- Getting compliant with Extended logging
Ok, this is about the utility and scalability of the cloud. Not a cloud security benefit. It’s about using the cloud for security tasks.
5. Improve the state of security software (performance)
6. Secure builds
- Pre-hardened, change control builds
This I agree with. Having pre-built images that are secure from the start is a HUGE benefit. Though it’s a benefit of virtualization and virtual machines, not cloud-exclusive.
- Reduce exposure through patching offline
I don’t understand this one. Once the VM is running in production, I can imagine taking that down to do patching. You would have to manage the patching process like any other machine, no?
Now image templates can be updated with patches so if new machines are started, they are pre-patched.
- Easier to test impact of security changes
Again I agree. However, it’s still the benefit of virtualization, not necessarily cloud-exclusive.
7. Security Testing