What’s New About Cloud Computing Security?
Yanpei Chen
Vern Paxson
Randy H. Katz
Electrical Engineering and Computer Sciences
University of California at Berkeley
Technical Report No. UCB/EECS-2010-5
http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html
January 20, 2010
Copyright © 2010, by the author(s).
All rights reserved.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission.
What’s New About Cloud Computing Security?
Yanpei Chen, Vern Paxson, Randy H. Katz
CS Division, EECS Dept. UC Berkeley
{ychen2, vern, randy}@eecs.berkeley.edu
ABSTRACT
While the economic case for cloud computing is compelling, the security
challenges it poses are equally striking. In this work we strive
to frame the full space of cloud-computing security issues, attempting
to separate justified concerns from possible over-reactions. We
examine contemporary and historical perspectives from industry,
academia, government, and “black hats”. We argue that few cloud
computing security issues are fundamentally new or fundamentally
intractable; often what appears “new” is so only relative to “traditional”
computing of the past several years. Looking back further
to the time-sharing era, many of these problems already received
attention. On the other hand, we argue that two facets are to some
degree new and fundamental to cloud computing: the complexities
of multi-party trust considerations, and the ensuing need for mutual
auditability.
Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General—Security
and Protection
General Terms
Design, Security, Reliability
1. INTRODUCTION
The economic case for cloud computing has gained widespread acceptance.
Cloud computing providers can build large datacenters
at low cost due to their expertise in organizing and provisioning
computational resources. The economies of scale increase revenue
for cloud providers and lower costs for cloud users. The result-
ing on-demand model of computing allows providers to achieve
better resource utilization through statistical multiplexing, and
enables users to avoid the costs of resource over-provisioning through
dynamic scaling [12, 2].
At the same time, security has emerged as arguably the most sig-
nificant barrier to faster and more widespread adoption of cloud
computing. This view originates from perspectives as diverse as
academia researchers [12], industry decision makers [35], and government
organizations [29, 3]. For many business-critical computations,
today’s cloud computing appears inadvisable due to issues
such as service availability, data confidentiality, reputation
fate-sharing, and others.
To add to the confusion, some have criticized the term “cloud computing”
as too broad [21]. Indeed, cloud computing does include
established business models such as Software as a Service, and the
underlying concept of on-demand computing utilities goes back as
far as early time-sharing systems [17]. At the same time, the lack of
consistent terminology for cloud computing has hampered discussions
about cloud computing security. Thus, security criticisms of
cloud computing have included a murky mix of ongoing and new
issues.
This context frames the genesis of our paper. We recognize that
security poses major issues for the widespread adoption of cloud
computing. However, secure or not, cloud computing appears here
to stay. Thus, our ambition is to get past terminology issues (Section 2)
and attempt to sort out what are actually new security issues
for cloud computing, versus broader and more general security
challenges that inevitably arise in the Internet age. Our goal
is to advance discussions of cloud computing security beyond confusion,
and to some degree fear of the unknown, by providing a
comprehensive high-level view of the problem space.
We ground the development of our viewpoint in a survey of contemporary
literature on cloud computing security, coupled with a
review of historical work on early time-sharing systems and vir-
tual machine monitors. Contemporary discussions reveal security
concerns that are indeed “new” relative to computing of the past
decade (Section 3); however, looking back several decades, many
contemporary challenges have quite similar historical counterparts
(Section 4).
We build the case that few of the security problems arising in cloud
computing are in fact new, even though satisfactory solutions for
many still will require significant development. The combined contemporary
and historical viewpoints allow us to identify a number
of research topics that deserve more attention (Section 5). On the
other hand, we argue that two facets are to some degree new and
fundamental to cloud computing: the complexities of multi-party
trust considerations, and the ensuing need for mutual auditability.
2. DISTRACTED BY DEFINITIONS
The lack of a clear and widely accepted definition has posed a barrier
to talking about cloud computing in general. Clearly “cloud
computing” is an evolving term, defined more by usage than by
written documents. That said, overly broad use has led to criticism
that cloud computing “include[s] everything that we already
do” [21]. Similarly, splitting hairs on the precise definitions distracts
us from the core technology issues. In this section, we briefly
frame the definition we use for the remainder of our discussion.
An “early” (less than one year old!) effort at systematically fram-
ing cloud computing, “Above the Clouds: A Berkeley View of
Cloud Computing,” defined cloud computing to include applica-
tion software delivered as services over the Internet, and the hard-
ware and systems software in the datacenters that facilitate these
services [12]. Key characteristics of cloud computing include the
illusion of infinite hardware resources, the elimination of up-front
commitment, and the ability to pay for resources as needed.
This white paper spurred a flurry of follow-on cloud computing definitions
and reports. For our purposes, the most notable of these is
that published by the U.S. National Institute of Standards and Technology
(NIST) [30]. NIST frames a broader definition, one that
includes nearly all common terms used in cloud computing discussions
and forms the basis for the NIST guide on cloud computing
security [29]. It appears that other efforts may converge on a similar
framing; most visibly, the European mirror effort to [29], a report
from the European Network and Information Security Agency
(ENISA), defines cloud computing in the same spirit as the NIST
definition [3].
According to the NIST definition, key characteristics of cloud computing
include on-demand self service, broad network access, resource
pooling, rapid elasticity, and metered service similar to a
utility. There are also three main service models—software as a
service (SaaS), in which the cloud user controls only application
configurations; platform as a service (PaaS), in which the cloud
user also controls the hosting environments; and infrastructure as a
service (IaaS), in which the cloud user controls everything except
the datacenter infrastructure. Further, there are four main deployment
models: public clouds, accessible to the general public or a
large industry group; community clouds, serving several organizations;
private clouds, limited to a single organization; and hybrid
clouds, a mix of the others.
In keeping with this evolution, and because we believe the broad
scope of the NIST definition enables us to encompass the full set
of issues of interest, for the rest of this paper, we will talk about
“cloud computing” in the spirit of the NIST definition.
3. CONTEMPORARY ASSESSMENT
In this section, we assess what appears new to cloud computing and
what does not, so that we can identify the most challenging aspects
of the cloud computing security threat model.
3.1 What is not new
With increased employment of cloud computing comes increasingly
frequent cloud computing security incidents. Arguably many
of the incidents described as “cloud security” in fact just reflect
traditional web application and data-hosting problems. The underlying
issues remain well-established challenges such as phishing [4],
downtime [24], data loss [38], password weaknesses [31], and compromised
hosts running botnets [20]. The Twitter phishing incident
provides a typical example of a traditional web security issue now
miscast as a cloud computing issue [4]. In contrast, we find the
recent Amazon botnet incident noteworthy because it reflects one
of the first known compromises of a major cloud provider [20],
highlighting that servers in cloud computing currently operate as
(in)securely as servers in traditional enterprise datacenters.
In academia, cloud computing security has begun seeing the de-
velopment of dedicated forums such as the ACM Cloud Comput-
ing Security Workshop, as well as dedicated tracks at major secu-
rity conferences such as the ACM Conference on Computer and
Communications Security (CCS). To date, most papers published
on cloud security reflect continuations of established lines of secu-
rity research, such as web security [40, 13], data outsourcing and
assurance [14, 18], and virtual machines [41, 34]. The field pri-
marily manifests as a blend of existing topics, rather than a set of
papers with an exclusive focus on cloud security, though there are
exceptions, such as [32], which we discuss below.
The “black hat” community has also discovered cloud computing
exploits that reflect extensions of existing vulnerabilities, with a
dedicated cloud security track emerging at Black Hat USA 2009.
For example, username brute forcers and Debian OpenSSL exploit
tools run in the cloud as they do in botnets [28]. Social engineer-
ing attacks remain effective—one exploit tries to convince Ama-
zon Elastic Compute Cloud (EC2) users to run malicious virtual
machine images simply by giving the image an official-sounding
name such as “fedora_core” [28]. Virtual machine vulnerabilities
also remain an issue [25], as does weak random number generation
due to lack of sufficient entropy [37].
3.2 What is new
For black hats, cloud computing offers a potentially more trustworthy
alternative to botnets. While the recent brute-forcer presentation
[28] claimed that using the cloud is presently more expensive
than using botnets, another Black Hats presentation asserted that
the botnet market likely suffers from the “lemon market” problem,
where the lack of trust and the inability to verify the quality of
goods leads to a minimal volume of goods being exchanged [22].
If this were the case, then attackers can find more reliable service
in cloud computing at a premium price.¹ That said, botnets in the
cloud are easier to shut down than traditional botnets.
Also, because cloud computing introduces a shared resource envi-
ronment, unexpected side channels (passively observing informa-
tion) and covert channels (actively sending data) can arise. One
noteworthy paper [32] tackles precisely this problem. The exposed
vulnerabilities include ways to place an attacker virtual machine
(VM) on the same physical machine as a targeted VM, and then to
construct a side channel between two VMs on the same physical
machine, which enables the SSH keystroke timing attack outlined
in [36]. This work also provides an example of research targeted
exclusively at cloud computing.
Another new issue comes from reputation fate-sharing, which
has mixed consequences. On the plus side, cloud users can
potentially benefit from a concentration of security expertise at
major cloud providers, ensuring that the entire ecosystem employs
security best practices. On the other hand, a single subverter
can disrupt many users. For example, spammers subverted
EC2 and caused Spamhaus to blacklist a large fraction of
EC2’s IP addresses, causing major service disruptions. Thereafter,
if someone wants to send email from EC2, they must
fill out the form (http://aws.amazon.com/contact-us/ec2-email-limit-request/),
provide a list of (static) EC2
addresses to authorize for sending, and document their use-case.
Upon approval, Amazon forwards the EC2 addresses to Spamhaus
for whitelisting [8].
¹ Note that the prices can be quite low. For example, we estimate
that to reduce the brute force exploit in [36] to a single minute,
rather than 1.3 PC-days, would require 200 extra-large EC2 instances,
which at January 2010 pricing would total at about $2 per
exploit.
A second noteworthy fate-sharing incident occurred during an FBI
raid on Texas datacenters in April 2009, based on suspicions of
the targeted datacenters facilitating cybercrimes. The agents seized
equipment, and many businesses co-located in the same datacenters
faced business disruptions or even complete business closures. One
affected customer applied for a temporary restraining order, and
was denied because the equipment concerned may have been used
for criminal activities without the customer’s knowledge [6].
3.3 Novelties in the cloud threat model
Putting together these discussions, we argue that the cloud computing
threat model includes several novel elements.
First, data and software are not the only assets worth protecting.
Activity patterns also need to be protected. Sharing of resources
means that the activity of one cloud user might appear visible to
other cloud users using the same resources, potentially leading to
the construction of covert and side channels. Activity patterns may
also themselves constitute confidential business information, if divulging
them could lead to reverse-engineering of customer base,
revenue size, and the like.
Business reputation also merits protection. When using shared resources
to do business-critical computations, it becomes harder to
attribute malicious or unethical activity. Even if there are ways to
clearly identify the culprits and attribute blame, bad publicity still
creates uncertainty that can tarnish a long-established reputation.
In addition, one must often accommodate a longer trust chain. For
example, the application end-user could potentially use an application
built by an SaaS provider, with the application running on
a platform offered by a PaaS provider, which in turn runs on the
infrastructure of an IaaS provider. While to our knowledge this extreme
example cannot occur in practice today due to a lack of sufficient
APIs, it illustrates that with any model of cloud computing,
stakeholders can find themselves with relationships considerably
more complicated than simply a provider-user relationship.
Some participants could be subverters, who maintain the appearance
of a regular cloud user or cloud provider, but in fact perpetrate
cybercrime or other cyber attacks. Examples include cloud users
who run brute forcers, botnets, or spam campaigns from the cloud;
or cloud providers who scan cloud users’ data and sell confidential
information to the highest bidder.
Furthermore, competitive businesses can operate within the same
cloud computing ecosystem: using the same cloud, or ending up
in a provider-user relationship. This can lead to strong conflicts of
interest, and creates additional motives to access the confidential
information of a competitor.
These complications point to the need for auditability in cloud
computing—already a requirement for health care, banking, and
similar systems. What is new to cloud computing is mutual auditability.
Because the system includes stakeholders with potentially
conflicting interests, cloud users and providers both need reassurance
that the other operates in a fashion that is both benign and correct
(from a billing standpoint).
Mutual auditability can also significantly assist with incident re-
sponse and recovery, since both the cloud provider and the cloud
user could be either the source or the target of an attack. Auditability
also enables the attribution of blame in search and seizure incidents,
which can prove vital so that law enforcement agencies do
not overreach in carrying out their duties.
Finally, a subtle difficulty with understanding cloud computing
threats arises from potentially inaccurate mental models of cloud
computing as an always-available service. This viewpoint—which
arises from the general paradigm of drawing upon a commodity
service with much the flavor of a utility—can create a false sense
of security, leading to inadequate adoption of good security practices, such as
regular data backups across multiple cloud providers. As such,
we could find that while cloud computing fails at the same rate as
other types of systems, the impact of those failures manifests more
severely.
4. SOME DEJA VU
In this section we present three explorations of early computing
systems that had characteristics similar to what we call cloud computing
today. The profiles suggest that many contemporary cloud
security issues will prove tractable, as their similar historical counterparts
were indeed successfully tackled; but also that some assumptions
from the past no longer wholly apply, and risk complicating
our assessment of security issues due to out-of-date mental
models. These historical approaches also offer us starting points to
consider for current cloud security research, as we then develop in
Section 5.
4.1 Multics
Multics introduced the “computing utility” concept as early as
1965 [17], in the same sense that cloud computing has taken off as
providing today’s computing utilities. Security considerations permeated
all aspects of Multics design [33], and its security mechanisms
influenced those of subsequent systems. Consequently, Multics
was the first system to receive a Class B2 certification per the
Orange Book [39].
A striking aspect of Multics was its security design principles [33],
which deserve re-emphasis today. First, Multics used permission-based
protection mechanisms, rather than exclusion-based. Every
access to every object checked current authority. Second, Multics
embodied a form of Kerckhoffs’ principle, maintaining open design
for its mechanisms, with only the protection keys secret. Third, the
system always operated at least privilege. Finally, the design explicitly
recognized the importance of human usability—especially
relevant today with the proliferation of social engineering attacks.
Multics security design also framed the importance of preventing
system administrators from becoming decision bottlenecks. Otherwise,
users will bypass administrators by habit (in modern terminology,
a form of “satisficing”) and compromise protection mechanisms [33].
Recall from Section 3.2 that the response to the Amazon
EC2 spam blacklist incident involved imposing email limits
that require administrator intervention to increase; this mechanism
may become unscalable if EC2 users who wish to send email sig-
nificantly increase.
Multics did not aim for security in an absolute sense, but allowed
users to build protected subsystems [33, 42]. Similarly, in cloud
computing different users will have different security needs, so a
good design would offer a choice of security levels and security
mechanisms. Cloud providers have begun taking the first steps
in this direction with offerings such as virtual private clouds, with
dedicated resources and virtual private networks that “guaranteed”
isolation [1]. The “spectrum of security” approach is worth advo-
cating.
On a related note, key “Multicians” had a heavy influence on the
Department of Defense Orange Book certification document [39,
9]. The Orange Book includes a treatment of covert channels quite
similar to that of contemporary side channel work [32, 36]. In both
cases, the risk assessment principles involve a quantification of the
channel bit-rate, accompanied by an assessment of the bit-rate that
constitutes a significant risk. The Orange Book sets this bit-rate as
the level necessary to operate a computer terminal. In [36], the bit-rate
corresponds to the workload reduction for a brute force password
breaker. But even putting bit rate aside, in some settings the
mere presence of a covert channel or side channel constitutes a significant
risk, and more broadly both types of information leakage
are fundamental concerns for cloud computing.
In closing the Multics discussion, we note that a number of Multics
security mechanisms, state-of-the-art at the time, remain prevalent
today even though they do not work as well for modern computing
environments. These mechanisms include access control lists
(ACLs), machine-generated passwords, and weak encryption of the
password file [33, 39]. Thus, while historical work can provide
valuable insights into modern cloud security issues, naturally we
must temper our assessment of those mechanisms with due consideration
to how computing has changed over time.
4.2 Early VMMs
We find early work on virtual machine monitors (VMMs) noteworthy
because different kinds of virtualization constitute a major facet
of cloud computing. Here, we review the original argument of why
VMMs are more secure than ordinary computing systems [26], and
frame why the core assumptions of this argument no longer hold
for today’s VMMs.
The argument has several parts. First, lower levels of multiprogramming
(i.e. concurrent execution) lead to lower risks of security
failures; in the extreme, a monoprogramming operating system
(OS) has a much lower security risk than an OS running many concurrent
programs. Thus, VMMs with low multiprogramming levels
will prove more secure than OSs with high multiprogramming levels.
Second, even if the level of multiprogramming is the same,
VMMs are more secure because they are simpler and easier to debug.
Third, for a guest OS that runs on a VMM that in turn runs on
bare metal, security violation occurs only when both the guest OS
and the VMM fail simultaneously. Thus, a VMM running k guest
OSs with each OS running n programs fails much less easily than
an OS running k × n programs. Fourth, the failure of each program
is independent, and hence the failure probability is multiplicative.
Thus, overall, any one program on a VMM running k guest OSs
with each OS running n programs fails much less frequently than
the same program on an OS with k × n programs. The multiplication
effect amplifies the reduction in each failure probability.
The argument makes three crucial assumptions. First, VMMs are
simple. Second, guest OSs have a lower multiprogramming level.
Third, the VMM and guest OS have independent failures. Modern
VMMs undermine all three assumptions.
Modern VMMs are no longer “small” in an absolute sense. For example,
Xen has approximately 150,000 lines of code [11]. While
still considerably smaller than recent operating systems (e.g., ≈12
million lines for Linux 2.6.32 [7]), this level is comparable to
176,250 lines of code for Linux 1.0 [5], which already constituted
a fairly feature-rich general purpose OS.
Additionally, today a guest OS usually has the same level of mul-
tiprogramming as the native OS. Users treat guest OSs the same
way they would treat a native OS, undermining the assumption that
guest OSs have lower multiprogramming levels.
Further, some recent VMMs have the guest OS running on a VMM
that in turn runs on a host OS [10]! In such a setup, clearly the
VMM is as (in)secure as the host OS, and the host OS significantly
enlarges the trusted code base.
Other researchers have raised similar concerns [23]. Thus, for
cloud computing security, clearly we need to examine whether such
assumptions hold for virtualizations at network or datacenter levels.
4.3 National CSS, Inc.
We finish our framing of historical perspectives with a case study
examination of National CSS, Inc., a time-sharing company com-
parable to cloud providers today. The founders of the company
envisioned moving upfront costs to variable costs, and the com-
pany succeeded due to the increased flexibility that their ready-to-
use computing capability provided [15]. Cloud computing offers
similar economic benefits today.
While the experiences of one company from the past clearly do not
generalize to the experiences of others several decades later, we
want to highlight two incidents on reputation fate-sharing which
may prove illuminating for cloud computing today.
The first incident led to a negative outcome for National CSS.
In 1979 an attacker stole a password directory from National CSS,
compromising the security of all its corporate customers [27]. The
company warned its 8,000 clients about a security problem, but
did not provide additional details, which led to a strong negative
reaction. On the other hand, while their clients wanted more information,
the company also “drew the wrath of many industry professionals
for not covering up the incident.” Eventually, the FBI also
became involved, creating even more negative publicity.
In contrast, another incident proved a major success. A hardware
failure led to data loss for Bell Labs, a major National CSS cus-
tomer. Contrary to standard procedure, there were no backups and
the company deemed the data loss “irrecoverable”. National CSS
conveyed the failure directly and honestly to Bell Labs. The message
was that National CSS had screwed up, and would do all it
could to help Bell Labs recover the data. After the initial shock,
Bell Labs worked with National CSS, typing in data from stacks of
printouts. The incident response so impressed Bell Labs that they
became a much bigger customer of the company [19].
Thus, while cloud computing has complicated stakeholder relationships
coupled with reputation fate-sharing, these incidents are suggestive
with regard to the benefits of managing security risks by
aligning business interests and building stakeholder partnerships.
5. NEW OPPORTUNITIES
Combining the contemporary and historical viewpoints, we arrive
at the position that many cloud computing security problems are
not in fact new, but often will still require new solutions in terms
of specific mechanisms. Existing contemporary works already ex-
plore many pertinent topics; we highlight here several areas that
deserve more attention.
First, cloud providers should offer a choice of security primitives
with well-considered defaults. Cloud users know more about their
applications, but cloud providers potentially know more about the
relevant security issues due to a higher concentration of security
expertise. The cloud user would ideally choose from a spectrum
of security levels and security subsystem boundaries. We believe
this flexibility could prove to be a major improvement if done well.
One possible approach would be to formulate the security primitives
around defending different stakeholders against different particular
threat models. An additional feature might support “plug-and-play”
services readily compliant with common standards such
as those of HIPAA or Payment Card Industry.
Another important research area concerns determining apt gran-
ularities for isolation. Several are possible: isolate by virtual or
physical machines, LANs, clouds, or datacenters. We at present
lack a good understanding of the tradeoffs between security and
performance for each of these options, but it would appear likely
that cloud providers can fruitfully offer different granularities of
isolation as a part of their spectrum of security.
Side channels and covert channels pose another fundamental threat,
one which interplays with the granularities of isolation discussed
above. While not a panacea (e.g., it takes very few bits to steal
a password), a helpful analysis could include when appropriate a
quantification of channel bit rates, coupled with an assessment of
the bit rate required to do harm. The approaches in [32] and [36]
provide good examples.
One important area that has yet to receive much attention is mutual
auditability. The auditing capabilities of most existing systems focus
on one-way auditability. In cloud computing, providers and
users may need to demonstrate mutual trustworthiness, in a bilateral
or multilateral fashion. As discussed above, such auditability
can have major benefits with regard to fate-sharing, such as enabling
cloud providers in search and seizure incidents to demonstrate
to law enforcement that they have turned over all relevant evidence,
and prove to users that they turned over only the necessary
evidence and nothing more. Recent work notes that implementing
thorough auditing is not a simple matter even for straightforward
web services [16]. In cloud computing, it remains an open
challenge to achieve thorough auditing without impairing performance.
To complicate matters even further, the auditor fundamentally
needs to be an independent third party, and a third-party auditor
requires a setup quite different than today’s practice, in which
cloud providers record and maintain all the audit logs. In short, mutual
auditability needs significant work. On the plus side, achieving
it robustly would constitute an important security feature.
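The mutual auditability requirement described above, sketched as an added example (not code from the report): a log that the provider stores but that neither party can rewrite alone, because every entry is hash-chained and acknowledged by both sides, and each side keeps the newest head as a receipt. The record layout, the demo keys and the names `CoSignedLog`, `audit` and `rewrite_history` are assumptions; HMAC stands in for the asymmetric signatures an independent auditor would verify without holding any secret.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64                          # anchor for the first entry
PROVIDER_KEY = b"constructed-provider-key"  # constructed demo secrets
USER_KEY = b"constructed-user-key"


def _digest(prev_hash, event):
    """Hash one event together with the hash of its predecessor."""
    body = json.dumps({"prev": prev_hash, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def _tag(key, entry_hash):
    """One party's acknowledgement of an entry (HMAC-SHA256 over its hash)."""
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()


class CoSignedLog:
    """Append-only log held by the provider, acknowledged by both parties."""

    def __init__(self):
        self.entries = []

    def append(self, event, provider_key, user_key):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry_hash = _digest(prev, event)
        self.entries.append({
            "event": event,
            "hash": entry_hash,
            "provider_tag": _tag(provider_key, entry_hash),
            "user_tag": _tag(user_key, entry_hash),
        })
        return entry_hash  # receipt: each party keeps the newest head itself


def audit(entries, provider_key, user_key, receipt=None):
    """Third-party check; returns a list of findings (empty = consistent)."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(entries):
        expected = _digest(prev, entry["event"])
        if entry["hash"] != expected:
            findings.append(f"entry {i}: hash chain broken")
        for party, key in (("provider", provider_key), ("user", user_key)):
            if not hmac.compare_digest(entry[f"{party}_tag"], _tag(key, expected)):
                findings.append(f"entry {i}: {party} acknowledgement invalid")
        prev = expected
    if receipt is not None and prev != receipt:
        findings.append("log head does not match the retained receipt")
    return findings


def rewrite_history(entries, index, new_event, party, key):
    """Simulate one party altering entry `index` while holding only its own key.

    It can recompute the hash chain and its own tags from that point on,
    but it cannot regenerate the other party's acknowledgements.
    """
    forged = copy.deepcopy(entries)
    forged[index]["event"] = new_event
    prev = forged[index - 1]["hash"] if index else GENESIS
    for entry in forged[index:]:
        entry["hash"] = _digest(prev, entry["event"])
        entry[f"{party}_tag"] = _tag(key, entry["hash"])
        prev = entry["hash"]
    return forged


def build_sample_log():
    """Constructed events: usage, billing and an evidence hand-over record."""
    log, receipt = CoSignedLog(), GENESIS
    for event in (
        {"t": 1, "actor": "user", "action": "start-instance", "vm": "vm-a"},
        {"t": 2, "actor": "provider", "action": "bill", "instance_hours": 10},
        {"t": 3, "actor": "provider", "action": "disclose", "items": ["vm-a disk"]},
    ):
        receipt = log.append(event, PROVIDER_KEY, USER_KEY)
    return log, receipt


if __name__ == "__main__":
    log, receipt = build_sample_log()
    print("honest log:", audit(log.entries, PROVIDER_KEY, USER_KEY, receipt))
    inflated = {"t": 2, "actor": "provider", "action": "bill", "instance_hours": 90}
    forged = rewrite_history(log.entries, 1, inflated, "provider", PROVIDER_KEY)
    print("provider rewrite:", audit(forged, PROVIDER_KEY, USER_KEY, receipt))
    print("truncated:", audit(log.entries[:-1], PROVIDER_KEY, USER_KEY, receipt))
```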
More broadly, we see a need for research that seeks to understand
the ecosystem of threats. Current work in the literature generally
focuses only on single aspects of the cloud security problem.
As we begin to understand problems in isolation, we should also
start to put together an understanding of how different issues and
threats combine. For example, in web security we understand security
problems at a high-level as an ecosystem involving the interplay
between worms, bots, scams, spam, phishing, active content,
browsers, usability, and other human factors. We argue that future
work on cloud security needs to similarly bridge established topic
boundaries.
Lastly, we would highlight that breaking real clouds makes them
stronger. Such studies involve obvious ethical issues, but provide
much more compelling results than breaking hypothetical clouds.
For example, the EC2 information leak study in [32] triggered a
highly visible security effort by Amazon Web Services, and serves
as a model for similar future work in academia. Similarly, the Air
Force Multics security enhancements [42] originated from a com-
panion effort to find security exploits. Such coupled attack and de-
fense approaches serve as a model for potential government cloud
security projects today, and cloud providers should sponsor internal
adversarial efforts to discover vulnerabilities before they become
exposed in the wild. Needless to say, stakeholders also need to
continue to track black-hat perspectives. Finally, research partnerships
between different types of stakeholders will likely prove very
beneficial to advancing the field.
6. FINAL THOUGHTS
Given the stakes, it strikes us as inevitable that security will be-
come a significant cloud computing business differentiator. Fur-
thermore, in addition to revisiting approaches for specific issues in
securing shared computing, history teaches us that developing se-
curity architectures early in the process can pay off greatly as sys-
tems evolve and accrue more disparate functionality. On the other
hand, the history of commercial Internet offerings repeatedly shows
that time-to-market and undercutting prices can greatly sway cus-
tomers even in the absence of sound security underpinnings. The
situation may be somewhat different this time around, however,
given that much of cloud computing targets customers who have
extensive business reasons (and scars from the past) leading them
to treat security as an elevated priority.
We close our discussion with what we find to be an interesting analogy.
Companies such as National CSS began by offering affordable
computation for businesses. Time-sharing eventually gave way to
personal computers, which brought affordable computation to the
general public. In a similar fashion, cloud computing currently offers
affordable, large-scale computation for businesses. If the economic
case prevails, then we may find that nothing—not even security
concerns—will prevent cloud computing from becoming a
consumer commodity. Just as the commodity PC and the Internet
brought about the Information Revolution, and made information
universally accessible, affordable, and useful, so too does cloud
computing have the potential to bring about the Computation Rev-
olution, in which large-scale computations become universally ac-
cessible, affordable, and useful. Let’s hope we can add to this out-
come “and be reasonably safe”.
