2016-07-02

Protection [or the lack of] cyrptogrpahic primatives in a public cloud environment

As I watch the market mature and see organizations attempting to deploy their own private cloud solutions, generally citing security and note cost, I find an opening to a potentially receptive audience on the risks of public cloud security.  All solutions have trade offs ranging from cost, security, risk acceptance, risk mitigation, etc.

Unfortunately, technological innovation almost always out-paces appropriate security measures.  This all circles back to the never ending problem of forging ahead clueless of security and then having to patch security instead of baking it into the development cycle from the start.

Most of us know that the end result is an insecure product that can never hope to get the security aspect correct and we shake our heads and hope that the next iteration sysadmins and developers might actually include security from the start and "bake it in".  The day where that becomes the norm is on our door-steps and rapidly the secure after you deliver the product to market model is going to become extinct.  This last remark is not delusional euphoria or hopeless optimism.  Apparently companies are slowly learning that the lack of baking in security from the beginning may actually cost them more in the long term.  Consumers are actually paying attention and demanding better security than we are all used to (especially true for banking in the US compared to Europe).

The cloud panacea is starting to show increased fractures such as https://eprint.iacr.org/2016/596.  This paper is another iteration in how to attack multi-tenant issues inside a single physical host.  The game changer is that we're talking about consistent 2048-bit RSA key recovery via nothing more than another guest VM once you can determine it co-locates with your target host/cpu, which is easy to determine and establish.  The attack described is *with all fully patched OpenSSL that has protections against these sorts of attacks*.

You cannot bolt on security after the fact and expect good results.  However, even in cloud computing that is exactly the model currently being used.  If we cannot secure cryptographic keys in the public cloud environment, then there can be no guarantees *PERIOD*.  Well, that's unfair there is a guarantee that the security will fail and be completely undermined.

No comments:

Post a Comment