Governments and public cloud

[Disclaimer: text below is my personal opinion]

I've engaged in a lot of discussion lately on governments and public cloud and my take has always been: don't do it. Well, not so much as 'don't do it', but more along the lines of: 'kill it with prejudice'. I'm really, really against the idea of governments using public cloud. To preempt any further discussion, here's why I think that.

But first: my take on the oft-played argument 'my cloud provider lets me bring my own cryptographic key (and therefore I'm safe)'. Let's be brief about encryption of disks in cloud environments (because that is what it is): they cover only a minimal attack surface. So minimal in fact that it's bordering on deceit (commercial firms speaking half truths in their marketing - never!).

Here's the truth: encrypted disks protect you from someone looking into your storage when the cloud infrastructure is turned off (which it is, by definition, never), or against the courier walking away with the striped disks for backup purposes (which, admittedly, is a risk, but let's at least admit that the insider threat may be a lot bigger than that and if it is - cloud providers - what are you doing?!). So, cloud providers: please stop using this argument. It makes you look silly and (slightly) deceitful.

So, apart from the (almost) bogus argument that you have data-at-rest security, and I'm going to tie one arm behind my back here - I won't even consider insider threats. I'm assuming for the sake of - oh I don't know, nothing really - that the personnel inside the cloud facilities are all A-OK. I also won't go into the argument that EU entities using US public cloud facilities is a violation of the GDPR. This is blatant and a scandal, but a legal argument, and I'm a technical person. So, that being what it may:

  • You don't know where the cloud hardware came from. The NSA was caught in 2014 [Snowden et al] setting up logistic rerouting of Cisco switch hardware to their own facilities in order to modify it. That was twelve years ago. There are pictures. You can Google them yourself. I can assure you that they've only gotten better in the meantime.
  • The chance that your state actor adversary has hired tenant space on your public cloud provider's infrastructure (to host their all-important online bicycle accessory shop or some such, but in reality a cyber-weaponized logic bomb) is 100%. Not 20% or 50% but the whole shebang. Think about it for yourself for a minute. What would it cost? (next to nothing). Will your commercial public cloud provider screen customers well enough? (not likely). Will it allow the deployment of their cyberweapons on your infrastructure with maximum efficiency, within milliseconds? (certainly). Will your public cloud provider schedule your adversary's tenant next to yours at some point in time? (inevitably, yes). Which brings me to:
  • Rowhammer and Meltdown-like exploits are here to stay. So long as we keep cramming memory cells into ever smaller spaces, and so long as our addiction to the speed that speculative execution on CPUs provides lasts, they're not going anywhere. That means that your adversary simply has to wait until the very moment they're running on the same CPU as you and - bam - they can take and change whatever they want. Admittedly, not with enormous bandwidth. But completely undetectably. And:
  • They won't even have to wait that long. They can spend the interval usefully by analyzing your traffic. They know what you're doing and when. Not just, like in the old days, when you choose to share it, but also when you would like to avoid sharing it. Which OSes you use (telling them exactly when and why you're vulnerable). Your usage patterns cannot help but leak out of your VMs: who you're talking to, what type of traffic you generate and consume, which periods see intense activity and which do not.
  • And even then: the IBM hypervisor (arbitrary example; I could have used VMware or whatever) was root-remote-vulnerable in 2021 three times (source: MITRE CVE) - and that's what we know about. And whoever owns the hypervisor, owns you. Maybe they're already waiting for you. They're probably already waiting for you.
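The traffic-analysis point above is easy to underestimate, so here is an added example (not part of the original article) that shows what a passive observer can read from flow metadata alone: timestamps, endpoints and byte counts, with no access to any payload and every byte TLS-encrypted. The flow records, host names and volumes are constructed for this example; the point is that a defender can run the same aggregation over their own flow logs to see what their VM's metadata already gives away.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of flow metadata: (timestamp, source, destination, bytes).
# No payload is involved; this is exactly what a network-level observer sees
# even when all traffic is encrypted. Hosts and volumes are invented.
FLOWS = [
    ("2022-03-01T08:05:00", "gov-app-vm", "db.internal.example", 120_000),
    ("2022-03-01T08:06:00", "gov-app-vm", "db.internal.example", 95_000),
    ("2022-03-01T08:07:00", "gov-app-vm", "updates.os-vendor.example", 4_000_000),
    ("2022-03-01T09:15:00", "gov-app-vm", "partner-agency.example", 250_000),
    ("2022-03-01T12:30:00", "gov-app-vm", "db.internal.example", 30_000),
    ("2022-03-01T23:00:00", "gov-app-vm", "backup.storage.example", 50_000_000),
    ("2022-03-02T08:04:00", "gov-app-vm", "db.internal.example", 110_000),
    ("2022-03-02T08:09:00", "gov-app-vm", "updates.os-vendor.example", 3_500_000),
    ("2022-03-02T23:02:00", "gov-app-vm", "backup.storage.example", 52_000_000),
]


def peers(flows, host):
    """Who `host` talks to, ranked by total bytes: the 'who you're talking to' leak."""
    totals = Counter()
    for _, src, dst, nbytes in flows:
        if src == host:
            totals[dst] += nbytes
    return totals.most_common()


def hourly_profile(flows, host):
    """Bytes sent per hour of day: reveals working hours and nightly batch jobs."""
    profile = defaultdict(int)
    for ts, src, _, nbytes in flows:
        if src == host:
            profile[datetime.fromisoformat(ts).hour] += nbytes
    return dict(sorted(profile.items()))


def recurring_contacts(flows, host):
    """Destinations contacted on more than one calendar day: recurring jobs and
    fixed vendor endpoints (an OS update server, for instance, hints at the OS)."""
    days = defaultdict(set)
    for ts, src, dst, _ in flows:
        if src == host:
            days[dst].add(ts[:10])  # ISO date prefix
    return {dst: len(seen) for dst, seen in days.items() if len(seen) > 1}


def quiet_hours(profile):
    """Hours of the day with no traffic at all; the absence of activity is
    information too (when is nobody watching?)."""
    return [h for h in range(24) if h not in profile]


if __name__ == "__main__":
    host = "gov-app-vm"
    print("peers by volume:", peers(FLOWS, host))
    print("hourly profile:", hourly_profile(FLOWS, host))
    print("recurring contacts:", recurring_contacts(FLOWS, host))
    print("quiet hours:", quiet_hours(hourly_profile(FLOWS, host)))
```

Running this over the constructed records already tells an observer that the VM backs up to a specific storage endpoint every night around 23:00, pulls OS updates every morning, talks to one partner agency, and is idle for most of the day. A defender who runs the same script over real flow logs gets a concrete list of what to evaluate: which of these patterns matter, and whether traffic padding, batching, schedule jitter or private interconnects would actually change the picture.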

Don't be waited for. Don't walk into a trap.

Boi Sletterink

Freelance Cybersecurity Consultant

2 years

If you consider state data sovereignty important, that indeed remains a hard case to make in the public cloud. Earlier attempts to repair this from a legal and diplomatic perspective, such as Privacy Shield, turned out to be a sham. The question is whether the new Trans-Atlantic Data Privacy Framework will hold up. I have my doubts. See for example this analysis as well: https://www.ncsc.nl/actueel/weblog/weblog/2022/de-werking-van-de-cloud-act-bij-dataopslag-in-europa. The Americans keep placing new bombs under those treaties. At the same time, I wonder whether we really run less net risk if we try to keep government IT that may (or must!) be connected to the internet secure ourselves, with our own hardware or private IaaS constructions, versus putting it with one of the large cloud providers in a proper manner. Even though the cloud introduces its own risks (data sovereignty, bugs in the cloud platform, but also our own misconfiguration - S3 buckets, anyone?), when it comes to the security of the cloud platforms themselves the big three have security knowledge, skills, equipment and manpower to be envious of. I haven't yet decided which yields less risk.

Ton Snoei

F???????? S??????? E???????

2 years

Coincidentally, I just had a discussion with a colleague about the usefulness of encrypted disks on a cloud server. The added value is indeed nil if the server is always on.
