
Insecurities of Cloud(nine) Computing


A security engineer's POV concerning Cloud Computing


Page 1: Insecurities of Cloud(nine) Computing

Antagonist: *S: (n) adversary, antagonist, opponent, opposer (someone who offers opposition)

For months now I've made it known to myself that the day that I have to implement any form of cloud computing at my workplace would be the day that I would resign from that same company. I don't know about any other security professional, but I do not and will not take the blame for my company's security becoming compromised because I trusted my "cloud provider".

Security for me has been something of an evolving, petri-dish-based bacteria. I remember watching logs in real time back in the mid to late 90s via terminal sessions, with snoop or tcpdump running in another. I can recall configuring Fred Cohen's Deception Toolkit, Big Brother, Shadow and other security products while reading security-based documents from guys like Dan Farmer, Wietse Venema and Gene Spafford. I can recall the pains of dialup connectivity, waiting to see if RISKS Digest had anything new to say while going over older issues of Phrack Magazine, keeping eyes on forums, you name it; the security industry was so much easier to follow back then.

Today's security arena, however, is filled with so much fluff it becomes difficult to keep tabs on it all. Who do we follow, why, how often, where did that *one* website go? What do I, or should I, learn ASAP? Technology has been shifting so rapidly, and the threats not only grow fast but some are becoming more difficult to assess, even detect.

We're now introduced to industry's bastardized buzzword "Cloud Computing", or what I like to call "Cloud 9 Computing". As a security professional (dare I call myself one), my job consists of protecting data and the infrastructure that I'm responsible for. There is no typical day for me. This industry changes at such a rapid pace that if a security professional is not on his or her toes, the outcome can become catastrophic. I've seen, and I'm sure others have as well, the biggest companies slip up throughout the years when it comes to security, and on the same token, I've seen the biggest companies wise up to the security "arena". Of course the latter has come via many regulatory controls and processes. Did you think most companies would spend on security of their own accord?

So what is "Cloud Computing" and why wouldn't I ever trust it? Even the definition of cloud computing is, in my interpretation, insanity at best: giving the keys to my kingdom to someone else, allowing someone else, a completely independent company which knows nothing about my business, to address my security needs and concerns, is outright stupid. So much so that cloud computing could be the most insane idea I could think of, and yet to someone else it is the best idea ever thought of. I'd settle for the former before the latter.


Security needs differ across many industries and companies. This is evident by the differing controls some companies have been mandated to follow: SOX, GLBA, HIPAA, FERPA, and the regulatory alphabet soup goes on and on. In a cloud computing environment, you're trusting that your "cloud computing" provider has all the bells and whistles in place to keep you in compliance. You're assuming this company has their act together and that they are working 24/7/365 (366 on a leap year) to ensure that your resources are protected. Now ask yourself realistically: do you think they'll be as vigilant as you would when it comes to protecting your assets?

The problem with cloud computing is, some companies are inherently insecure as is, so what I envision happening eventually is handing the keys to your kingdom over to someone who doesn't "get it" the same way that you would. Just because a company may talk the talk, it doesn't necessarily mean they know how to walk the security walk. All companies differ (redundant), so try thinking of that *one* company which is a perfect fit for you.

Thinking even about one "cloud computing" provider overseeing, say, 20 companies (which is a very small number), since these companies each have a unique business model, each having all sorts of technologies in place to make them work on a daily basis (24/7, 365 with that extra day for leap year), sure boggles my brain. Can you think of that one company capable of having expert-level Perl, Ruby, C#, C++, Java, Python and LISP programmers all under one roof, all performing security-related tasks (a la fuzzing, say, RACLs, etc.) to make sure that you're protected against the unknown? I can't think of one. Google, you say? Even GMail has been down, in case you've forgotten.

We can't even take a step back outside of the "red team" stance of checking the security posture of your infrastructure, since I haven't gotten there yet, but let's move forward on this. Let's start it off at the bottom of the OSI model and work our way up, shall we? So what does the "cloud computing" network consist of, and why should you trust it? Remember, because you are in a cloud, you're hoping the provider's network is robust enough to "always" be available in order to access this cloud. You would be trusting your cloud provider and their network provider to always maintain a level of connectivity, and this is a problem in itself.

So problem numero uno: networks break, deal with it. No provider in their right mind would be able to provide us with one hundred percent reliability. It would be too costly to even undertake such a position. We can hear about the five nines, which I don't believe anyone is marketing anymore, but even four nines is difficult. Google's GMail outage earlier this year didn't meet four nines. So for those who understand networking, I shouldn't have to point out the hundreds of threads on mailing lists such as NANOG where at least once a week another engineer is asking "who broke dot org" [1]. Not understanding me? I suggest you read the link associated with that comment.


Networks will always be unreliable; that's just Murphy's Law, and for any company willing to place an entire infrastructure on an external network, that company had better have some serious backup plan in place. One can't wave a magic wand and hope that a beaver doesn't chew on a fiber connection [2], or that someone doesn't drop an anvil in the wrong place [3]. This is security lesson number one: if it's not on premise, it is way out of your control; don't expect any level of expert security. I don't care what the vendor's name is. Aside from that, remember Murphy's Law. You can't tell a beaver "don't eat that fiber", you can't tell a person "don't make a mistake". This is just common sense.

How about we calculate the potential costs of an issue evolving from one of the three given scenarios, say a beaver chewing on fiber: say it takes four hours for a crew to be dispatched to a location where there is a fiber cut. Splicing fiber is not an easy task, nor is it quick, so I gave it an insanely fast correction time of four hours. Recall I mentioned 20 companies being managed in a cloud that is now disconnected. We'll make it 20 small companies of, say, 150 employees, all relying on this "cloud" that they can no longer reach. To be non-biased I'll give everyone a salary at the US minimum wage of $6.55 per hour. So 20 companies x 150 employees = 3000 employees, x $6.55 (wage) = $19,650.00 per hour in salaries alone, or $78,600.00 for this particular incident at four hours, without including potential loss of sales, consumer confidence, etc. Numbers can be so much fun, don't you think?

Now imagine for a moment that the five nines actually held true; every provider offered 99.999% availability! Wouldn't that be great? That would mean how much in potentially lost revenue at that moment of 5.39 minutes (99.999%) in downtime? Imagine that! Every Fortune X-numbered company taking an unexpected hit, unable to perform work or do business because they entrusted their infrastructure to a "cloud". What? And you just wanted to save on licenses, seats, software costs? How much is it *really* going to cost you though? And to think, I haven't even gotten on to security yet, have I?

Getting away from the common sense aspects of the initial failures and moving back into the security aspects of it all, I now ask again: who can you, who should you, who will you, and why should you trust any company outside of your own to manage your business? Are businessmen and women that naïve to allow marketing teams to pollute their minds with insane ideas? I'd seriously hope not. I would hope someone would take a logical step back and see cloud computing for what it really is... Hype.

"Virtualization has been the best thing that has happened to foreign intelligence since Aldrich Ames." [6]


So you've ignored advice and decided to go with Acme Company X. All has been well for a year or two: no compromises, no outages, smooth sailing. What's this on the news? Acme's going out of business!? Their CxO was cooking the books!? Feds raided the place and now we're offline!? Where is our data being stored? Moreover, in a cloud computing environment, how can you be sure your data isn't being housed in, say, a third-world country torn by, say, genocide or political dismay? Something which CAN and likely would affect your business. How can you get your data back when you want it; can you even get it back? Would you be willing to trust a provider to place your data in, say, Somalia? How about placing it in the country of your biggest competitor? Some may recall the instances of the United States National Security Agency snooping Airbus information to snag contracts for Boeing [4, 5]. Are you willing to take a chance in allowing someone to take the potential opportunity to sell your data? How can you be sure it won't happen? After all, the World Bank just got "owned" not too long ago.

Jesus, to think I still haven't even really touched on "real" security yet (firewalls, pentesting); ironic? I can point out the flaws with cloud computing without even having to get too technical, without having to touch on algorithms for encryption or the differences between IPsec tunneling (main mode versus aggressive mode); methodically, the layers of cloud computing come crumbling down on their own just fine without all of the technical write-ups. Without having to touch upon the necessity to perform constant penetration testing, security assessments, business impact analyses, DRM, and the list can grow far deeper than I'd actually care to touch upon anyway. I can tell you this much from a personal perspective though: from the onset, the cloud concept was riddled with stupidity; it is only now, when one digs deeper into it, outside of pretty marketing, that cloud computing resembles a dream. For now, it's just a pipe dream as far as I'm concerned. Cloud nine. Remember, dreams are made from your brain's tendency to make things up out of utter boredom while you sleep.

[1] http://www.irbs.net/internet/nanog/0407/0033.html
[2] http://www.irbs.net/internet/nanog/0407/0225.html
[3] http://www.irbs.net/internet/nanog/0408/0558.html
[4] http://crookedairbus.blogspot.com/2007/02/senator-says-eadsairbus-use-bribes-to.html
[5] http://www.transparency.org.au/documents/Economist12.6.pdf
[6] http://lists.immunitysec.com/pipermail/dailydave/2009-April/005689.html

J. [email protected]
Security Professional
http://www.infiltrated.net
http://www.linkedin.com/voipsec