We’re currently experiencing a massive evolution in the way that information is accessed and used. In the past twenty years everything has changed, with the advent of the Internet, the proliferation of mobile devices and the huge expansion in new ways of using technology. Cyber-security has been trying to keep pace with this growth, while maintaining a balance between the seriousness of the risks involved, the cost of protection and the acceptance of constraints. But how is it responding to the new challenges posed by the latest manifestations of evolving cyberspace: the move to the ‘infosphere’ as represented by Cloud computing and Big Data?
Cloud computing is a whole new way of using and providing computing resources (processing power, connectivity, storage…) to businesses and individuals. It can be seen as a combination of outsourcing and shared sourcing. Outsourcing has structured the way that computing has evolved (see Figure 1). Before, the network, physical and virtual machines, applications and data all remained under the control of the organization. But when that organization uses a hosting provider, then control of its networks, storage and physical machines is shared with that provider. With IaaS (Infrastructure as a Service) delivered via the Cloud, the organization no longer controls the network, storage or physical machines. And finally, with SaaS (Software as a Service) – again delivered through the Cloud – the business no longer manages its data inputs and outputs either.
This form of outsourcing carries with it particular security risks, in areas such as privacy. Laws apply to specific territories, and while some see cyberspace as a whole new ballpark – out of the reach of anyone – it’s important to recognize that data is always held somewhere, where laws do apply. Data stored in the United States, for example, is accessible to US authorities (governed by its rules on lawful interception, the Patriot Act, etc.). The NSA’s PRISM surveillance program has made us all very aware of the reality of this threat. So proper risk analysis is essential. It must cover the risks relating to the state where the data is held, evaluating the probability of those risks (competitive, geopolitical, etc.) and the potential harm they may do, in order to assess the appropriate level of financial commitment to make to cyber-security. A second security risk related to outsourcing is that of confinement: reversibility (backtracking) that is either not guaranteed or not even provided for in the contract, prohibitive costs for data migration or recovery…
The second major feature of the Cloud is the large-scale pooling of resources. This concentration means it can offer colossal savings to IT Departments. We’re entering the industrial era of computing, with enormous IT factories: Amazon, for example, is going to have around half a million servers in its Data Centers. Numergy, the sovereign French Cloud operator, has said it is aiming to have a million virtual machines in 2016. Only when we get to this level will the economies of scale offered by the Cloud really count. This can only be achieved by pooling thousands of customers in a single physical infrastructure. This is not without its consequences for cyber-security. The likelihood of a cyber attack against these giant infrastructures is greatly increased, because they’re a more interesting and appealing target. If you have thousands of customers, the probability that one of them is a target is also higher. And if the criminal’s aim is to erase data, they will not care much about neighboring users who might be affected.
This is a real collateral risk. Because resources are shared, data can be affected if the Cloud operator is targeted by an attack or legal proceedings. Here are just two examples: a legal authority seizes storage arrays because a customer who is a paedophile has stored images on them, but, by a stroke of bad luck, they also contain your accounts; or another customer uses the Cloud fraudulently to carry out cyber attacks (see box), with a risk of legal action or retaliation. This is all the more of a concern as the Cloud attracts cyber criminals by offering them the opportunity to carry out massive attacks, anonymously and with great ease.
Everything gets more complicated with the Cloud: managing access rights, for example. Typically, a company buys a SaaS service from an operator, who in turn rents the necessary infrastructure from an IaaS reseller (like DropBox, for example, which relies on Amazon EC2). So there are many different people (the end user, the customer administrator, the system administrator at the SaaS service provider, and at the IaaS reseller, and at the IaaS provider…) whose security access has to be managed and for whom the ‘principle of least privilege’ has to be guaranteed with a high level of auditability.
Technology such as WAM (Web Access Management) can prove to be a good compromise (see Figure 2) for managing access to internal applications as well as those hosted on the public Cloud, while providing the essential reports required by auditors.
Given the changing nature of threats and the now widely-accepted fact that it’s impossible to prevent an infection stemming from an attack, a cyber-defense strategy has now become essential. Only a state-of-the-art security operations center (SOC) can detect successful attacks, which always leave traces even if they are sometimes virtually imperceptible. Many terabytes of data have to be gathered: from firewall logs, vulnerability descriptions, access rights and roles matrices, audit reports, interconnection listings, etc. Then it’s all about making sophisticated cross references to detect these telltale but often very weak signals. What’s more, this is a clear example of Big Data: huge amounts of unstructured data, sometimes captured at very high speed, on which complex calculations (such as decision analysis or correlations based on signatures) are carried out.
Big Data is a big hit with the media. Everyone is talking about it on the Web, because it raises as many concerns about protecting personal data as it does expectations about the value it may create. Technological developments (including Open Source software such as Hadoop) open up new horizons, with the emergence of hitherto inconceivable new services (such as targeted mass advertising), allowing all data managers or ‘owners’ to potentially make money from the information they hold. This is of interest not only to operators of electronic communications, Internet access providers and Web agencies, but also to much of the scientific world, as well as defense and cyber-security agencies. There is a massive amount of data to be collected and consolidated: 90% of all the data on the planet has been generated in just the last two years. Since 2010, Facebook has been running the world’s largest Hadoop cluster for its MySQL infrastructure, holding some 35 to 40 Petabytes of data.
Along with the conventional risks that Big Data is already multiplying, a number of new, specific risks are emerging, such as:
- In the case of large-scale distributed computing, when a cyber attack on one of the many compute nodes involved can destroy the work of the entire grid
- In the case of mass storage, which is traditionally prioritized according to how often the data is accessed and not according to how critical the data may be
- The quality of data collected from mass market or business devices like smartphones and tablets
- The difficulty in ensuring end-to-end security through distributed, heterogeneous and insecure components
- The complexity of controlling access to data categories, so as to meet the various different security standards that must be complied with…
We are only at the very beginning when it comes to realizing the full potential of the Cloud and Big Data. Many cyber-security issues currently remain unresolved, and innovation in these areas is both essential and expected. And new security models are emerging, such as the ‘zero-trust model’, where end-to-end security is one of the first responses. Encryption in the Cloud is also a problem. How do you manage the keys as close as possible to the end users? How do you perform calculations on data that has been encrypted by the user and without decrypting it (so-called homomorphic encryption)? Providing secure access to the mass of encrypted Big Data would be easier if identity-based encryption were used, or even encryption based on identity attributes. Clearly, taking cyber-security issues into account in the infosphere is a dual opportunity for computer users, first and foremost among them the government, and then the cyber-security industry at a national and even a European level. This is undoubtedly a challenge that will need to be met by some form of public-private partnership.
According to Bloomberg, in 2011 the Amazon EC2 Cloud service was used to attack the Sony PlayStation network and expose the personal data of nearly 10 million users, in one of the biggest cyber attacks ever experienced by the United States. The attacker provided a fake Amazon identity and was able to use this to open an EC2 account.
Source: Le Magazine des Ingénieurs de l’Armement, March 2014