Posted on January 9, 2018 by Mark Johnson
Government Information Security Officers are rightfully concerned about the security of their data and systems, and this week’s revelations of the Meltdown and Spectre vulnerabilities at the heart of most modern processors have made me think again about the right balance for government’s hybrid cloud future. I’ve heard both sides of the argument that private data centers are more secure than public cloud and vice versa, and although I see good points for both sides, there are some vulnerabilities in public clouds that just don’t exist in private clouds.
Virtualization is used by most cloud services to optimize the use of resources, but as far back as November 2012 it was demonstrated that side-channel attacks could be used to steal crypto keys from another user on the same physical hardware. Another exploit was revealed in September 2015, using a cache attack to steal the crypto keys of a neighboring virtual machine. In August 2016, the Flip Feng Shui attack was revealed, using a hardware vulnerability termed Rowhammer (known as far back as 2012) to elevate privilege and gain unauthorized access to a victim machine. Although these vulnerabilities exist(ed) in systems in a private cloud, if there are no other users on the physical hardware, they can’t be exploited.
The Meltdown and Spectre vulnerabilities were discovered around June of 2017 (is it just me, or does the frequency of these revelations seem to be increasing?) and are similar to Rowhammer in that they rely on a physical hardware vulnerability, not a software bug. Cloud providers scrambled to issue patches and updates, but permanent fixes may take new hardware. If the data is critical enough, remote access to the physical machines in a private data center can be cut off to ensure security.
It’s important to note that FedRAMP and the DoD Cloud Computing Security Requirements would have done nothing to mitigate the Meltdown and Spectre vulnerabilities. Even the controls required at DoD Impact Level 6 (for classified information) would not stop an attacker from exploiting these vulnerabilities—assuming they could access the system. Cutting off all connectivity to a critical system in a public cloud until a patch is applied is not possible, since physical access is not an option.
I am a strong believer in public cloud for the right workloads, but think a hybrid cloud best meets the functional and security needs of government organizations. Fortunately, the exploits noted in this blog were all found by researchers before malicious hackers, but the day is coming when one of these critical zero-days is used by a person or organization with more nefarious intentions. It may even be discovered by a nation-state and used to steal our government’s most valuable secrets—or worse—as a weapon against our critical real world systems. It is possible for a hacker to get inside our government data centers, but putting sensitive applications and data in a public environment removes one layer of the security that is available—and the ability to raise the drawbridge over the moat in a time of crisis.
Mark Johnson, Vice President Enterprise IT Strategy, Mythics Inc.