Hollywood & NASA Paving the Way: The Rise of the Billion-Node Machine Part 2
Windows 7- To Virtualize or not to Virtualize - that is the question!

Mayday, Mayday, Cloud under attack!

Imported from http://consultingblogs.emc.com/ published August 1 2010

In several recent discussions with security groups and agencies within private and public sector, the issue of security has of course come up. There are several facets to security, but the specific issue was regarding ‘breaking out of the hypervisor’ that facilitates virtualization and zero-day attacks. These are certainly points to consider amongst the euphoria surrounding Cloud models.

Cases, such as the Google attack in January 2010, reiterate the need for vigilance in the large scale constructs known as Public Clouds. That Google was able to determine attack vectors and attack surface indicate a high level of skill and diagnostic tool capability. However, note, this was ‘after-during’ the attack, not ‘before’.

One of the reasons that many organizations would like to go Private Cloud, ahead of the expounded benefits of the Public Cloud model, is exactly the sense that their data and systems are secure behind their own perimeter networks. Make no mistake; Public Cloud providers also have perimeter networks, firewalls and DMZs (demilitarized zones) as thick as picket fences around their infrastructure. Nonetheless, much of this is rendered useless, or at least of limited value, when an innocuous eMail or PDF document is sent to a user, who unwittingly unleashes ‘the Mother of all Malware!’.

These types of attacks can subvert the ‘goodness’ of the Cloud to absolutely insidious uses – imagine millions of systems in a Cloud Provider environment attacked, subverted, and then infiltrating other Clouds and consumer PCs – a veritable storm of trouble!

It is important to note that the attacks themselves are not always sophisticated attacks, but with the use of techniques commonly used to protect environments and data, such as encryption, malware/botnets can also start to cover their traces and make themselves ‘protected’. Panda Labs has the Mariposa-botnet analysis example of non-sophisticated but effective botnet activity. It is difficult to differentiate a program as being good or bad upon sighting aloe. A botnet can also be a benign entity in the form of a distributed program running across many different systems.

So what is happening in the Cloud to protect against such attacks?

Well actually, a lot of investment and research is going into precisely preventing or at least limiting the reach of these attacks. RSA, an EMC division, has its enVision suite that automates security event analysis and remediation across large networks. The ability to ‘perform parallel processing, correlation and analysis’ allows the security framework itself to use in parallel the same Cloud resources that are potentially under attack.

It should be clear that only software/hardware enhanced programs running on this mega scale allow us to proactively manage the environment from a security and risk perspective. The RSA enVision flyer says it all. The ability to analyse and draw in ‘tens of thousands of device log' entries in near real-time is an ability of paramount importance. To this is added the ability to use policies and advanced heuristics to determine ‘suspicious’ behavior.

There are other products and vendors out there offering functionality targeted at finding the proverbial ‘needle-in-a-haystack’ that points to an attack, and being able to lock this down asap. Network providers such as Cisco are offering network level awareness of attacks, and literally locking down the attacks ability to use the network to propagate. Cisco calls this MARS, the Cisco security monitoring, analysis, reporting system. Again, a very powerful tool that is integrated at all levels of the computing environment.

Effectively, even if a hypervisor has been compromised, the network itself would be able to potentially lock-out that node from the entire network. This blocks the ability to propagate the botnet/malware further. VMware, Microsoft, Citrix, Novell, RedHat, Oracle together with the myriad other hypervisor manufacturers are actually pretty careful to ensure that their code is rock solid. The fact that the dedicated hypervisors actually are focused on just the activity of providing virtualization means that they can be well locked down. There are many additional best practices to further harden the systems that are published.

VMware provides the VMsafe interfaces that allow virus scanning engines to interface to the hypervisor itself and prevent infection before reaching the virtual machine itself. Large scale protection paradigms are now beginning to materialize. This agent-free approach starts to link into the policy based engines that drive the clouds of today, such that new protection schemes, rules and filters can be applied literally across thousands of machines to stop zero-day attacks from gaining any form of ascendancy in the Cloud infrastructure.

The use of software firewalls that can actually process huge amounts of information with the increasing core density in the underlying infrastructure (‘Multi-Core Gymnastics in a Cloud World’) allow virtual machines to be protected on a per VM basis. This actually provides higher protection than in the physical constructs they replace. Policy driven engines can update firewall rules across millions of virtual machines in a very short space of time.

Other operating system enhancements, silicon-enabled security baked into the chip, protocol enhancements in IPv6, wide spread easily accessible encryption are paving the way for a myriad of ways to protect systems, the data, unauthorized access and detailed audit trails (privacy is still an issue here) to follow attacks to their source.

In conclusion, there are many existing and new technologies being integrated directly into the fabric of virtualization. This in turn is making the ability of security analysts in pinpointing and locking down attach vectors en masse far more efficient.

The best thing of all is the unprecedented level of integration into the hypervisor itself that allows these multi-layered defense mechanisms to be easily deployed and managed. So yes, Clouds can be safe to conduct business – but caution still needs to be applied. A lot of good common sense and expertise built up in organizations over time is still valid. However, good procedures, design, implementation and operations are still keystones of safety.

The Cloud paradigm itself is finding ways of protecting itself. The side-effects of cloud usage are themselves of benefit. With the move to virtual desktop and servers, the ability for an organization to patch its systems frequently without scheduling changes over months, has allowed one of the principal attack vectors, the compromised PC, to be protected.

That protection is gradually shifting down to the physical PCs in the form of free virus scanners (better than none at all – yes that still exists;-) reduced application software footprint and the use of SaaS offerings with frequently updated protection filters is slowing down the spread of infection.

The Cloud paradigm, and the evolving security eco-system, indicates large scale infrastructure can protect itself. The Private Cloud still prevents a very strong case for privacy, security and compliance as it is felt to be inherently secure. Clouds still need to be able to protect themselves and other Clouds at the same time. This stops/slows the movement of infection/malware until appropriate identification and removal countermeasures can be deployed. Get your feet wet in the Private Cloud first, security-wise, and then consider the Public Cloud. This is a perfectly valid Journey-Route to the Cloud!


The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.