Demystifying the Risks of Public Cloud Computing Christopher J

Demystifying the risks of public cloud computing
Christopher J. Hodson

Technical Report RHUL–ISG–2018–2
2 March 2018

Information Security Group
Royal Holloway University of London
Egham, Surrey, TW20 0EX
United Kingdom

Student Number: 140134520
Christopher J Hodson

DEMYSTIFYING THE RISKS OF PUBLIC CLOUD COMPUTING

Royal Holloway University of London
Egham, Surrey, TW20 0EX
United Kingdom

Supervisor: Dr. Geraint Price

Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London.

March 2017

DECLARATION

I declare that this dissertation is all my own work, and that I have acknowledged all quotations from the published or unpublished works of other people.

I declare that I have also read the statement on plagiarism in the General Regulations for Awards at Graduate and Masters Levels for the MSc in Information Security and in accordance with it I submit this project report as my own work.

Please sign here to show that you have read the above: ______________________________________________________

Date: ________________

Christopher John Hodson

ACKNOWLEDGEMENTS

Tuesday 14th July 2016

Before a word is figuratively penned of this dissertation, I want to start with the most important part. The sincere and unequivocal thanks to those closest to me.

Alexandra, Matilda, Mabel and Ralph – you have made enormous sacrifices of your time and energies to support my professional and educational endeavours. You have tolerated hours locked away in my office, at work and / or overseas and I am forever indebted to you all for such a generous, understanding approach to things. I could never dream of being so selfless and I think you are all beautiful.

Thank you does not begin to cover it, but it is a good place to start.

TABLE OF CONTENTS

1. Introduction
  1.1. Motivation
  1.2. Objectives
  1.3. Scope
  1.4. Methodology and Structure
    1.4.1. Methodology
    1.4.2. Chapter Structure
    1.4.3. Document Formatting
2. Cloud Computing
  2.1. Definition of Cloud
  2.2. The Evolution of Infrastructure and Journey to Cloud
  2.3. Benefits of Cloud
    2.3.1. Business Benefits
    2.3.2. Security Benefits
  2.4. Cloud Actors
  2.5. Essential Characteristics
    2.5.1. On Demand, Self-Service
    2.5.2. Broad Network Access
    2.5.3. Resource pooling
    2.5.4. Rapid Elasticity
    2.5.5. Measured Service
    2.5.6. Multitenancy and Virtualisation
  2.6. Service Models
    2.6.1. Software as a Service
    2.6.2. Platform as a Service
    2.6.3. Infrastructure as a Service
    2.6.4. Anything as a Service
  2.7. Deployment Models
  2.8. Cloud Reference Architecture and Taxonomy
    2.8.1. Cloud Reference Architecture Frameworks
    2.8.2. Taxonomy
  2.9. Cloud: Networking and Datacentre Dependencies
  2.10. Conclusion
3. Cloud Risks
  3.1. What is Risk?
  3.2. Risk Assessment
    3.2.1. Quantitative Risk Assessment
    3.2.2. Qualitative Risk Assessment
  3.3. How Does This Apply to Cloud?
    3.3.1. Fear of Cloud
  3.4. Cloud Threat Actors
  3.5. Cloud Threat Events
    3.5.1. ISF
    3.5.2. Cloud Security Alliance
    3.5.3. NIST
    3.5.4. ENISA
    3.5.5. Legal Considerations in the Cloud
  3.6. Cloud Vulnerabilities
  3.7. Mitigating and Minimising Risk
  3.8. Cross-Industry Cloud Adoption
  3.9. Shadow IT: The Catch-All Vulnerability
  3.10. Conclusion
4. Multitenancy and Resource Isolation: Threats and Vulnerabilities
  4.1. What is Multitenancy?
  4.2. Why Focus on Multitenancy?
  4.3. Contemporary Data Centre Strategy and the Role of Multitenancy
  4.4. Multitenancy: Decomposition Across Service Models
  4.5. Vulnerabilities Associated With Multitenancy
