Cloud computing security incidents

There's lots of talk about cloud computing and the security issues that surround it these days. There are some issues that deal with regulatory compliance that get tricky when data's in a cloud, but how many actual security vulnerabilities have been discovered that relate specifically to cloud computing? It's easy to answer this question if we look at the Cloud Computing Incidents Database. It's not clear how reliable or comprehensive the information in the CCID is, but it currently has information on 18 separate incidents that have taken place in the past two years.

All but one of these incidents are the loss of service or the loss of data. The single incident that's an actual exploitable vulnerability is a bug in the way Google used SAML 2.0 in their single sign-on service for Google Apps. This particular vulnerability even has its own listing in the National Vulnerability Database, which you can find here and you can find the original paper that described this vulnerability here. Here's how the abstract of this paper summarizes the vulnerability:

Single-Sign-On (SSO) protocols enable companies to establish a federated environment in which clients sign in the system once and yet are able to access to services offered by different companies. The OASIS Security Assertion Markup Language (SAML) 2.0Web Browser SSO Profile is the emerging standard in this context. In this paper we provide formal models of the protocol corresponding to one of the most applied use case scenario (the SP-Initiated SSO with Redirect/POST Bindings) and of a variant of the protocol implemented by Google and currently in use by Google's customers (the SAML-based SSO for Google Applications). We have mechanically analysed these formal models with SATMC, a state-of-the-art model checker for security protocols. SATMC has revealed a severe security aw in the protocol used by Google that allows a dishonest service provider to impersonate a user at another service provider. We have also reproduced this attack in an actual deployment of the SAML-based SSO for Google Applications. This security flaw of the SAML-based SSO for Google Applications was previously unknown.

Many people think of the confidentiality of data when they think of information security, but the history of cloud computing should be a good reminder that the integrity of data and the availability of data are just as important.

  • Travis Holt

    I think cloud computing could explode if they can provide enough security to meet the new standard the government will be putting on businesses to protect their data. It is going to be much too costly for small to medium sized businesses to take the necessary precautions to protect their network in house and cloud computing could step in and be a huge resource for those companies in my opinion. This is my first trip to your blog but I’ll look forward to following it in the future. I have a blog about data privacy, security and the insurance industry. If you’d like to read it, check it out at iprotectyourdata.wordpress.com.

    Reply

  • Rahul More

    Hello Mr. Luther Martin, the link provided for Cloud Computing Incidents Database seems to be broken. Can you post the correct link to the DB.
    Regards
    Rahul.

    Reply

  • Luther Martin

    It looks like this database has been moved to http://cloutage.org/incidents.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *