While still in its early stages and largely an unknown terrain, cloud security is a solvable problem that needs more research and investment, Yuecel Karabulut, Ph.D., told an audience gathered at the Symantec vCafe for a joint meeting of the Security and Cloud Services SIGs on May 3, 2010. The keys to solving the cloud security puzzle, according to Karabulut, Chief Security Advisor at SAP, are rigorous metrics and innovative uses of encryption.
In the area of metrics, Karabulut, a former adjunct professor at Carnegie Mellon University (CMU), advocated that software vendors supplement other security measures with a formal approach to the measurement of application attack surfaces. Reducing attack surfaces is even more important in cloud computing because of the rapidly evolving nature of the technology. Cloud security architectures, Karabulut argued, must be based on the assumption of constant change: “As new threats emerge, code considered secure today may not be secure tomorrow.”
Karabulut explained a method for measuring attack surfaces that he developed with other researchers at CMU. The method involves summing the damage potential-effort ratios (DER) of relevant resources. The relevant resources of an application include its channels, such as TCP ports; methods, such as API calls; and data, whether persistent, in memory, or in transit. The DER of a resource is the ratio of potential damage to the effort required to breach the resource.
Karabulut demonstrated a tool for calculating attack surfaces that he and colleagues at SAP developed as an extension to Eclipse, a popular open-source integrated development environment. The tool discovers application resources and combines that data with DER numbers to generate attack surface metrics for software components. While the discovery of resources is fully automated, the tool requires context specific configuration based on experience, judgment, and a threat modeling process. Karabulut believes the success of the tool, now in pilot at SAP, depends mostly on usability and the appropriate definition of usage scenarios.
Also important to cloud security, Karabulut argued, is the application of encryption to reduce the trust required for customers to adopt cloud computing. Karabulut pointed out that cloud vendors are now telling customers to trust them, forcing customers to either make that leap of faith or forego cloud computing. Arguing that encryption can overcome this impasse, he presented a scalable approach for encrypting data in the cloud. Combining attribute-based encryption (ABE) and symmetric cryptography, the model calls for a Message Warehousing Service (MWS) that securely makes content available to users whose exact identities are unknown to the content creator but who meet the requirements set forth by attributes attached to the content.
In this model, the cloud vendor has access only to metadata, not the encrypted content. The approach is scalable because it does not require specialized software on user devices, reduces loads on processors, and frees users from knowing the identities, and thus public keys, of those who require access, which is important in the dynamic world of cloud computing. Ultimately, this method gives users greater control over who is allowed to see their data. While the MWS approach is still under development, Karabulut said, it a good example of how encryption can solve the problem of cloud security by enabling the collaborative and message exchange scenarios necessary for the delivery of software as a service.
Cloud computing brings new risks, Karabulut concluded, but “with additional effort cloud vendors can overcome customers’ fears of losing control.”