Shostack + Friends Blog Archive


Cloudiots on Parade

UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night:

Chris, I award you an honorary NewSchool diploma for that one.

From:  Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in your data center.”  Groovy.  I’m ready to listen.  Steve’s proof?

AWS is working on an Internet protocol security (IPsec) tunnel connection between EC2 and a customer’s data center to allow a direct, management network to EC2 virtual machines.

Well, bad guys might as well give up their metasploit now, huh?  Pack it in fellas, Amazon’s got IPSec tunnels!

Any virtual machine generating communications traffic is forced to route the traffic off the host server and onto the data center’s physical network, where it can be inspected. A virtual machine’s attempt to communicate with another virtual machine on the same server is refused. “We prohibit instance-to-instance communication,” another security measure, Riley said.

“inspection” “refused” “prohibit instance-to-instance communication”.  These are all relatively soothing words to some, and granted, it’s kind of *all* we can do – but to outright say”cloud is more secure” that’s a pretty big claim.  And one that needs to be substantiated by, oh, what’s the word I’m looking for…. data?  Or even a logical model, would be interesting, really.

Sorry Steve, I’m NewSchool, I can’t just take your word for it.

The problem is that our current ability to inspect rarely prevents any significant threat, and is very difficult to operate efficiently as a detective control.  Refusing/prohibiting non-specified intra VM communication is great.  Happy to hear about it.  And I’m thrilled that there’s never, ever been any vulnerability and any associated code and that it’s the bestest-estest ever and will never ever have any other vulnerabilities in them.

Look, I’m not saying that using the cloud can’t meet your risk tolerance.  I’m cool with cloud computing.  I’m not saying “run away from the cloud ahhhhhhhh” or any such nonsense.

What I am saying is that from what we know about software and network security, I find it hard to believe that adding (non-security) computing functions and complexity makes things *more* secure than an exact similar environment *without* that extra computing.

Information Security is not “there’s a weak girder in a bridge so architect a solution to reinforce the bridge”.  But unfortunately I have this sinking feeling that as long as the “cloud security” discussion is dominated by IT architects with half a security clue presenting these sorts of engineering solutions with that sort of mindset, we’re just going to have to live with them missing the point.

9 comments on "Cloudiots on Parade"

  • My little tirade based on this article last night led me to this: or…

    “If AWS has to work that hard to try & convince ppl their security is superior by demonstrating reliance on obscurity, it says what, exactly?”

    My favorite expression of frustration with AWS’ posture is this one:

    Dear Santa: All I Want For Christmas On My Amazon Wishlist Is a Straight Answer…



  • Andre Gironda says:

    I was just agreeing with Rich Mogull the other day when we got to meet and discuss cloudsec. I said something about how Alex Stamos was bearish on Access Key IDs and Secret Access Keys as modes for authentication into IaaSes (or API keys into PaaSes) compared to secure multi-tenancy.

    Then I imagined Amazon doing everything to help customers protect their keys, but then watch them do stupid things like hand them out to every sysadmin and appdev in the entire company and follow that with mass firings of the same groups. Or worse, the keys could certainly be sitting somewhere in various Web Services, integration tiers, external entities, or whatever else — and probably searchable by Google in cleartext.

    If I were APT, I would go after my cloud targets by shelling cloudkick and similar services. You’d get access to thousands of authentication keys and ensue mass pwnage. The threat-models around cloud are globally affecting and globally interesting, regardless of private cloud or VPN-cloud connectivity.

  • Chandler says:

    If it’s “a direct link to [my] data center”, then it becomes, at a minimum, an annex to my data center. So how can my data center be more secure than my data center?

    Or is this just Amazon’s subtle way of telling me that my in-house IT Security is crap? 😉

  • Robin Wilton says:

    And of course, no mainframe has ever been able to enforce the concept that VM-to-VM communication is not allowed… So that kind of capability would not have been knocking around data centres for the last 30 years or so…

    I genuinely heard someone say this (in public) recently:

    “I’m happy putting my data in the cloud, because it’s harder for someone to find it there, and hack into it, than if it were on my own premises”

    Our work here is not done yet…

  • Dmitriy says:

    I am not an infosec professional, don’t hold any security certifications but I develop applications that run in the cloud.

    My question is not about being a smartass, I am just genuinely trying to find the answer.

    Is there really a set of documents (probably some sort of standard) or other things that an IaaS cloud could produce that would appease your concerns? Could it be this simple?

    If a cloud SP shows you their logical model, will it make you feel better about security concerns posed by the cloud (you only said “it would be interesting” in the post)? What if they show you all their algorithms under NDA? What if they give you their running code under NDA?

    What would I need to get from a cloud provider to be able to say that from info sec perspective, using this cloud is OK?


  • alex says:


    Cool. I am genuinely trying to find an answer, too. You may want to read “securing the cloud is not the problem” post I did:

    Any “documentation” is a great point in time estimate of the hypothetical construct of “secure”. But we (infosec folks) know that this is of limited assurance – esp. against strong, determined attackers.

    I’m all for CloudAudit and strong Vendor Management programs. At the end of the day, though, the only “answer” is radical transparency.

    Sorry if this doesn’t help give you a concrete answer.

    Warm Regards,


  • The reality (@Dmitriy) is that the answer is more complex than that.

    Even if an IaaS vendor like AWS were, in some measurably demonstrable way, “more secure” than an Enterprise, they are at a minimum still only 50% of the equation were they to exclusively host an Enterprise’s applications and information on their infrastructure.

    The other 50% still falls on the practices of said Enterprise to secure the OS/Applications/Information within the VM. If they suck doing that in their own environment over which they have total control, what does moving to the Cloud mean in that context?

    The fact is that even though we run proprietary software within our own walled gardens of the Enterprise, we also have an embarrassment of riches when it comes to compensating and detective controls. We can perform forensics. We have a view up and down the stack.

    None of those options easily exist in AWS today and likely, given their architectural choices and the markets they serve, won’t ever exist.

    That’s not to say that at the end of the day we should simply replicate what we do in the Enterprise to AWS. Far from it. Many of our practices are inefficient and do not lead to better “security” but come from having to deal with legacy…if we got to start over like AWS or Google, don’t you think we’d make different decisions?

    In many cases what they do and how they do it offer lessons that the Enterprise can and should learn from. More automation, more efficiency, lower costs, etc. However, you’ll notice that their actual security capabilities are weak when compared to that of an Enterprise.

    The majority of “security” outside of ensuring the availability of THEIR platform, is pushed back on the consumer in AWS’ case.

    When moving to AWS (or any public cloud provider) it’s important to understand this means wholesale architectural overhauls of people, process and technology (from all sorts of angles, including security.)

    That said, most Security folks would look at that statement and explore the timeline on how long that would take and what it would mean to get there.

    AWS chooses to essentially denigrate current IT/InfoSec practices as woefully ineffectual and that their offerings are TODAY superior, even though they do a small percentage of what an Enterprise is forced to grapple with.

    They paint that picture by comparing apples to elephants.

    They offer no metrics other than a SAS-70 and marketspeak to demonstrate their competence and so-called security superiority.

    Just because you say something doesn’t make it true.

    Check out “You Can’t Secure the Cloud”


  • Dmitriy says:

    Thanks for your answers, I sincerely appreciate them.

    As an infosec outsider and someone who doesn’t work at a public IaaS cloud provider (so I am not selling anything in this thread), I am only interested in moving the cloud security debate further.

    It occurs to me that public cloud vs infosec community debate is stuck. Both sides have stated their positions and are currently awaiting the other party’s move.

    For example, a suggestion in the above post for a cloud provider to provide “data” to support its claim. How can this accomplished? A security architect of said public cloud says it is so. I can see how it could be perceived as not enough. Should they go through an audit to make sure their claims are verified? How confident are we as cloud practitioners that auditors will know how to audit something as new as multitenant cloud? (Have you read the Big Short book? Do you remember how rating agencies blindly rated those securitized subprime mortgages?) I have very little experience with IT compliance and accompanying audit practices, but how can it be audited if there is no yet a good framework to be audited against? And how could such framework appear if everyone is waiting for it and not moving to cloud? Catch-22.

    What if both security architect and CTO say same thing? What if it’s stated as part of their SEC filing?

    On the other hand, are cloud providers to blame? Are cloud providers intentionally avoiding some sort of industry standard certification or audit that you know would answer all your appropriate questions?

    What other ways do you see that would get this debate “unstuck”?

    I am considering a blog post on this topic. It would be a look by an outsider on this problem. I have yet to refine my thoughts on this subject so please don’t judge this comment too harshly.


Comments are closed.