Cloud Computing and the Malicious Insider
Francisco Rocha, alumnus of the Carnegie Mellon Portugal Program, and Miguel Correia, researcher at Universidade de Lisboa, presented a paper titled “Lucy in the Sky without Diamonds: Stealing Confidential Data in the Cloud,” at the First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments (DCDV 2011) [http://www.cse.ust.hk/DCDV2011/program.html], in conjunction with the 41st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2011). The conference was held on June 27, 2011, in Hong Kong, China.
This paper results from Francisco Rocha thesis, titled “Privacy in Cloud Computing”, developed in the scope of the Master program in Information Technology – Information Security. After finishing his professional master program, Rocha continued to work with Miguel Correia, his advisor during the course, and to pursue research in the cloud computing area. His thesis focused on one of the threats that cloud computing faces, i.e., “the malicious insider”. Francisco Rocha in his thesis described that a “malicious insider could be, for example, an administrator of the cloud that goes rogue and as root access to the servers that compose the cloud.” Francisco explained that these kinds of attacks are difficult to quantify, because “when they happen companies do not want the media to report them or else their public image will be deeply affected.” Recently, this alumnus read that an administrator was convicted for compromising the servers of his previous employer.
One of the main conclusions of his thesis was that “current cloud computing services cannot be relied on to provide high confidentiality levels to the information entrusted to them by cloud users, why?,” explaining that “because the technology they use is not enough to assure the best security levels in this type of services.” Rocha continues: “in my opinion, we need to have trusted computing involved if we want to obtain a more trustworthy cloud environment. With trusted computing we can verify the integrity of code running in a machine; this is a very useful resource.”
The paper “Lucy in the Sky without Diamonds: Stealing Confidential Data in the Cloud” that Francisco Rocha will present at the First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments, shows that a malicious insider can steal confidential data of the cloud user, so the user is mostly left with trusting the cloud provider. In the author’s opinion, “the paper achieves this goal by showing a set of attacks that demonstrate how a malicious insider can easily obtain passwords, cryptographic keys, files and other confidential data.” Additionally, the paper shows that recent research results that might be useful to protect data in the cloud, are still not enough to deal with the problem.
Francisco Rocha believes that cloud computing is here to stay, and that industry is pushing the utilization of the cloud. Therefore, it is necessary to be aware of the problems that come with the adoption of this paradigm and to be sure of the security levels it offers before moving sensitive data (e.g., medical records) to the cloud. Therefore, he believes that “the path to follow is trusted computing”. “If we are able to come up with an architecture that is capable of providing proofs of integrity for the running software, we have a more secure system” Rocha adds. However, when companies have complex software this is not enough because the software will always contain vulnerabilities. This means that we should also use mechanisms to remove as much vulnerabilities as possible.