The State of Cloud Security (Pt. 1): Fundamental Risks

By By Dennis Barker, GRIDtoday

July 14, 2008

That cloud computing is risky probably doesn’t surprise you. You hand off your data to someone else, and the cloud provider might hand it off to someone else, from whence it might go somewhere else. Little details — like where it’s being stored, who’s touching it along the way, and what safeguards are being taken — aren’t always clear.

“The most significant issue for cloud computing is the simple fact that data storage falls outside the control of a company’s security infrastructure,” says Larry Ponemon, founder of the Ponemon Institute, which specializes in information security practices and privacy risk management.

A New Mountain to Climb

“[T]he cloud” has a big target painted on its side. For certain types of hackers, it’s an opportunity for new exploits, a new wall to climb, the thrill of sneaking into the servers of a very huge company. For other types, there’s the potential for a big data score. “Sophisticated cybercriminals are likely to see more value in cracking the cloud, which might contain data from a wide range of organizations,” Ponemon says.

You don’t see confirmed detailed reports, but cloud providers are attacked routinely. “Attacks are getting much more sophisticated, and more numerous,” says the CEO of one cloud services provider. “I can watch the firewall and sometimes there are a thousand probes a day into the grid infrastructure. I talk to other ISPs and hear that this is not uncommon. If you have an unprotected machine in the datacenter, it will be compromised within 10 minutes.”

“In the cloud or grid, everybody’s in the same datacenter, and this makes the security situation much worse than in a traditional environment,” says Dave Durkee, CEO of ENKI, a cloud services and virtual datacenter provider. “Everybody’s in the soup together. Cloud providers have to understand the threats and build better defenses. Too many cloud services today give their customers a software firewall and that’s it. Certain types of attacks can overwhelm a software firewall easily.”

 “Cloud is almost synonymous with shared,” says John Engates, chief technology officer for Rackspace, the big IT systems hosting company with its own cloud division, Mosso. “Historically, shared has been a bad word in hosting and IT. Shared meant that you had only logical (software) security boundaries between customers and companies rather than the traditional physical boundaries you get with dedicated gear.” He added that today’s virtualization technologies have helped to mitigate certain security and resource-contention issues.

One of the biggest problems of that shared space is sharing resources from the communal pool. Companies who store files in the cloud need to be concerned about data leakage, says Craig Balding, technical security lead for a Fortune 500 company and a man so concerned about cloud security he started cloudsecurity.org. “Cloud storage gets recycled. The storage you freed an hour ago becomes my storage when I write my files,” Balding says. “The published API calls for cloud storage are pretty high-level … thus, on the surface, the opportunity for abuse, for devious data recovery, seems low. However, my gut feeling is that there will be incidents of data leakage — through tricky or undocumented API usage or simply through failures of isolation. This will get solved over time, but there will be casualties.” 

Dominique Levin, executive vice president of marketing and strategy for LogLogic, which makes network management/surveillance tools, says “there is nothing unique about cloud computing from a security point of view.” But don’t take a lot of comfort in that sentiment. “The consequences of a security breach could be much more severe when the data of many customers is aggregated in the cloud,” Levin says. “Rather than just impacting one organization, a security breach at a cloud provider could potentially impact many customers. This in itself attracts more accidental hackers and organized crime. … It may also be more tempting for rogue employees to monetize some of their legitimate access to customer data.”

Mihai Christodorescu, a researcher in computer security at IBM’s TJ Watson Research Center (who does not speak for IBM), says he sees two significant issues around cloud computing: (1) “[t]he provider has unlimited, unauthenticated and unaudited access to the data of a cloud computing customer”; and (2) “[m]ultitenancy: cloud-computing providers often aggregate multiple customers onto the same physical machines, possibly exposing customers’ data to each other.”

And don’t forget the classic security gap: human error. “The hackers from Uzbekistan get the most press, but what we see in our monitoring is that 98 percent of security breaches are human error,” says Tamar Newberger, vice president of marketing for Catbird, a provider of monitoring and management tools for virtual and physical networks. “I can’t tell you how many times we see SSL certificates that have expired. Letting your SSL certificates expire is alarming. You have to make sure your security model for the cloud is sensitive to human error.”

Who? Where?

When you store data in the cloud, you don’t really know where it’s being stored. It could be in a datacenter on the other side of the country, it could be in another country. While this might not be a security concern for some cloud users, companies governed by certain federal data requirements, such as HIPAA and Sarbanes-Oxley, will need to know where their data is physically located.

“Enterprises considering using the cloud are less concerned about getting hacked than about auditing and compliance requirements,” says Thorsten von Eicken, chief technology officer at RightScale, a company that helps customers run and manage scalable applications on Amazon Web Services. “They want to make sure the cloud provider understands and can assist with these audits.”

As for who is handling or has access to your valuable data, you won’t necessarily know. Your provider might seem totally reliable, but who are they relying on? This reliance on lower-level providers — what Balding calls “outsourcing of trust” — is a “potential landmine.” “Layered cloud services rely on lower levels to function correctly,” he explains. “As a high-level cloud service provider, my security rests on the layer below me. What due diligence did I do?  How accurate is my understanding of their security?  Do I just ‘trust’ what they tell me?”

Virtual Problems

The virtual machines that populate the cloud carry the same dangers as their metal-and-plastic counterparts. “A virtual machine, after all, is just a virtualized version of a physical machine, with all the same risks. You have to assess the risks and take precautions,” says Catbird’s Newberger.

But the virtual environment does raise two significant concerns, she says: (1) it can be very easy for a person to launch rogue machines into the network; and (2) because there apparently have been no successful compromises yet, the hypervisor that controls the environment is “a juicy target for hackers.”

The hypermobility of VMs also raises complications. What if regulated data is migrated to an unprotected rack? What about a machine image that’s been lying in some obscure location in the cloud, can you be sure it’s secure when it reappears on the network? Does it have the latest patches?

Just the Beginning

Nearly everyone interviewed for this astory pointed out that these are “the early days” of cloudward migration and that new threats and new defenses will develop. “Despite security issues, cloud computing is cheap, efficient, and likely to grow in importance over the next few years,” security expert Ponemon says. “Companies need to find ways to enjoy the benefits of cloud computing without sacrificing too much control over security.”

“To really take the cloud to where it can go, and to increase the value it can give customers, cloud service providers need to get much more serious about protecting cloud assets of their clients,” ENKI’s Durkee says. “They need to offer the same security services they’d have in their own datacenter. It has to improve, but people will have to first go into a loss state or a fear state — they’ll have to lose something or fear something.”

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industy updates delivered to you every week!

OpenPOWER Reboot – New Director, New Silicon Partners, Leveraging Linux Foundation Connections

July 2, 2020

Earlier this week the OpenPOWER Foundation announced the contribution of IBM’s A21 Power processor core design to the open source community. Roughly this time last year, IBM announced open sourcing its Power instructio Read more…

By John Russell

HPC Career Notes: July 2020 Edition

July 1, 2020

In this monthly feature, we'll keep you up-to-date on the latest career developments for individuals in the high-performance computing community. Whether it's a promotion, new company hire, or even an accolade, we've got Read more…

By Mariana Iriarte

Supercomputers Enable Radical, Promising New COVID-19 Drug Development Approach

July 1, 2020

Around the world, innumerable supercomputers are sifting through billions of molecules in a desperate search for a viable therapeutic to treat COVID-19. Those molecules are pulled from enormous databases of known compoun Read more…

By Oliver Peckham

HPC-Powered Simulations Reveal a Looming Climatic Threat to Vital Monsoon Seasons

June 30, 2020

As June draws to a close, eyes are turning to the latter half of the year – and with it, the monsoon and hurricane seasons that can prove vital or devastating for many of the world’s coastal communities. Now, climate Read more…

By Oliver Peckham

Hyperion Forecast – Headwinds in 2020 Won’t Stifle Cloud HPC Adoption or Arm’s Rise

June 30, 2020

The semiannual taking of HPC’s pulse by Hyperion Research – late fall at SC and early summer at ISC – is a much-watched indicator of things come. This year is no different though the conversion of ISC to a digital Read more…

By John Russell

AWS Solution Channel

Maxar Builds HPC on AWS to Deliver Forecasts 58% Faster Than Weather Supercomputer

When weather threatens drilling rigs, refineries, and other energy facilities, oil and gas companies want to move fast to protect personnel and equipment. And for firms that trade commodity shares in oil, precious metals, crops, and livestock, the weather can significantly impact their buy-sell decisions. Read more…

Intel® HPC + AI Pavilion

Supercomputing the Pandemic: Scientific Community Tackles COVID-19 from Multiple Perspectives

Since their inception, supercomputers have taken on the biggest, most complex, and most data-intensive computing challenges—from confirming Einstein’s theories about gravitational waves to predicting the impacts of climate change. Read more…

What’s New in HPC Research: Mosquitoes, [email protected], the Last Journey & More

June 29, 2020

In this bimonthly feature, HPCwire highlights newly published research in the high-performance computing community and related domains. From parallel programming to exascale to quantum computing, the details are here. Read more…

By Oliver Peckham

OpenPOWER Reboot – New Director, New Silicon Partners, Leveraging Linux Foundation Connections

July 2, 2020

Earlier this week the OpenPOWER Foundation announced the contribution of IBM’s A21 Power processor core design to the open source community. Roughly this time Read more…

By John Russell

Hyperion Forecast – Headwinds in 2020 Won’t Stifle Cloud HPC Adoption or Arm’s Rise

June 30, 2020

The semiannual taking of HPC’s pulse by Hyperion Research – late fall at SC and early summer at ISC – is a much-watched indicator of things come. This yea Read more…

By John Russell

Racism and HPC: a Special Podcast

June 29, 2020

Promoting greater diversity in HPC is a much-discussed goal and ostensibly a long-sought goal in HPC. Yet it seems clear HPC is far from achieving this goal. Re Read more…

Top500 Trends: Movement on Top, but Record Low Turnover

June 25, 2020

The 55th installment of the Top500 list saw strong activity in the leadership segment with four new systems in the top ten and a crowning achievement from the f Read more…

By Tiffany Trader

ISC 2020 Keynote: Hope for the Future, Praise for Fugaku and HPC’s Pandemic Response

June 24, 2020

In stark contrast to past years Thomas Sterling’s ISC20 keynote today struck a more somber note with the COVID-19 pandemic as the central character in Sterling’s annual review of worldwide trends in HPC. Better known for his engaging manner and occasional willingness to poke prickly egos, Sterling instead strode through the numbing statistics associated... Read more…

By John Russell

ISC 2020’s Student Cluster Competition Winners Announced

June 24, 2020

Normally, the Student Cluster Competition involves teams of students building real computing clusters on the show floors of major supercomputer conferences and Read more…

By Oliver Peckham

Hoefler’s Whirlwind ISC20 Virtual Tour of ML Trends in 9 Slides

June 23, 2020

The ISC20 experience this year via livestreaming and pre-recordings is interesting and perhaps a bit odd. That said presenters’ efforts to condense their comments makes for economic use of your time. Torsten Hoefler’s whirlwind 12-minute tour of ML is a great example. Hoefler, leader of the planned ISC20 Machine Learning... Read more…

By John Russell

At ISC, the Fight Against COVID-19 Took the Stage – and Yes, Fugaku Was There

June 23, 2020

With over nine million infected and nearly half a million dead, the COVID-19 pandemic has seized the world’s attention for several months. It has also dominat Read more…

By Oliver Peckham

Supercomputer Modeling Tests How COVID-19 Spreads in Grocery Stores

April 8, 2020

In the COVID-19 era, many people are treating simple activities like getting gas or groceries with caution as they try to heed social distancing mandates and protect their own health. Still, significant uncertainty surrounds the relative risk of different activities, and conflicting information is prevalent. A team of Finnish researchers set out to address some of these uncertainties by... Read more…

By Oliver Peckham

[email protected] Turns Its Massive Crowdsourced Computer Network Against COVID-19

March 16, 2020

For gamers, fighting against a global crisis is usually pure fantasy – but now, it’s looking more like a reality. As supercomputers around the world spin up Read more…

By Oliver Peckham

[email protected] Rallies a Legion of Computers Against the Coronavirus

March 24, 2020

Last week, we highlighted [email protected], a massive, crowdsourced computer network that has turned its resources against the coronavirus pandemic sweeping the globe – but [email protected] isn’t the only game in town. The internet is buzzing with crowdsourced computing... Read more…

By Oliver Peckham

Global Supercomputing Is Mobilizing Against COVID-19

March 12, 2020

Tech has been taking some heavy losses from the coronavirus pandemic. Global supply chains have been disrupted, virtually every major tech conference taking place over the next few months has been canceled... Read more…

By Oliver Peckham

Supercomputer Simulations Reveal the Fate of the Neanderthals

May 25, 2020

For hundreds of thousands of years, neanderthals roamed the planet, eventually (almost 50,000 years ago) giving way to homo sapiens, which quickly became the do Read more…

By Oliver Peckham

DoE Expands on Role of COVID-19 Supercomputing Consortium

March 25, 2020

After announcing the launch of the COVID-19 High Performance Computing Consortium on Sunday, the Department of Energy yesterday provided more details on its sco Read more…

By John Russell

Steve Scott Lays Out HPE-Cray Blended Product Roadmap

March 11, 2020

Last week, the day before the El Capitan processor disclosures were made at HPE's new headquarters in San Jose, Steve Scott (CTO for HPC & AI at HPE, and former Cray CTO) was on-hand at the Rice Oil & Gas HPC conference in Houston. He was there to discuss the HPE-Cray transition and blended roadmap, as well as his favorite topic, Cray's eighth-gen networking technology, Slingshot. Read more…

By Tiffany Trader

Honeywell’s Big Bet on Trapped Ion Quantum Computing

April 7, 2020

Honeywell doesn’t spring to mind when thinking of quantum computing pioneers, but a decade ago the high-tech conglomerate better known for its control systems waded deliberately into the then calmer quantum computing (QC) waters. Fast forward to March when Honeywell announced plans to introduce an ion trap-based quantum computer whose ‘performance’ would... Read more…

By John Russell

Leading Solution Providers

Contributors

Neocortex Will Be First-of-Its-Kind 800,000-Core AI Supercomputer

June 9, 2020

Pittsburgh Supercomputing Center (PSC - a joint research organization of Carnegie Mellon University and the University of Pittsburgh) has won a $5 million award Read more…

By Tiffany Trader

‘Billion Molecules Against COVID-19’ Challenge to Launch with Massive Supercomputing Support

April 22, 2020

Around the world, supercomputing centers have spun up and opened their doors for COVID-19 research in what may be the most unified supercomputing effort in hist Read more…

By Oliver Peckham

Australian Researchers Break All-Time Internet Speed Record

May 26, 2020

If you’ve been stuck at home for the last few months, you’ve probably become more attuned to the quality (or lack thereof) of your internet connection. Even Read more…

By Oliver Peckham

15 Slides on Programming Aurora and Exascale Systems

May 7, 2020

Sometime in 2021, Aurora, the first planned U.S. exascale system, is scheduled to be fired up at Argonne National Laboratory. Cray (now HPE) and Intel are the k Read more…

By John Russell

Nvidia’s Ampere A100 GPU: Up to 2.5X the HPC, 20X the AI

May 14, 2020

Nvidia's first Ampere-based graphics card, the A100 GPU, packs a whopping 54 billion transistors on 826mm2 of silicon, making it the world's largest seven-nanom Read more…

By Tiffany Trader

10nm, 7nm, 5nm…. Should the Chip Nanometer Metric Be Replaced?

June 1, 2020

The biggest cool factor in server chips is the nanometer. AMD beating Intel to a CPU built on a 7nm process node* – with 5nm and 3nm on the way – has been i Read more…

By Doug Black

Summit Supercomputer is Already Making its Mark on Science

September 20, 2018

Summit, now the fastest supercomputer in the world, is quickly making its mark in science – five of the six finalists just announced for the prestigious 2018 Read more…

By John Russell

TACC Supercomputers Run Simulations Illuminating COVID-19, DNA Replication

March 19, 2020

As supercomputers around the world spin up to combat the coronavirus, the Texas Advanced Computing Center (TACC) is announcing results that may help to illumina Read more…

By Staff report

  • arrow
  • Click Here for More Headlines
  • arrow
Do NOT follow this link or you will be banned from the site!
Share This