We have already entered the cloud era, with several organizations joining the ranks of public cloud adopters. But as with any transition, there is the “fear” of something new or unknown. For cloud and virtualization, the concerns center on security and vulnerabilities. IT professionals are convinced that security threats largely emanate from internal sources. This may not be just a simple case of an employee falling prey to viruses or attempting to access restricted company resources; it could be as significant as hardware and software problems. The last few weeks have been filled with news of security vulnerabilities affecting big companies such as Intel, Microsoft and Cisco.
An intrinsic hardware flaw has alerted users to the vulnerability of their Intel CPUs to hackers. With security a major technology and global issue in this day and age, the United States Computer Emergency Readiness Team (US-CERT) made a public announcement stating that some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack or a guest-to-host virtual machine escape.
Microsoft was one of the first organizations to release a security bulletin for its users. Part of the announcement reads:
“This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.”
“This security update is rated Important for all 32-bit editions of Windows XP and Windows Server 2003; Windows 7 for x64-based Systems; and Windows Server 2008 R2 for x64-based Systems.”
On the same issue, a Xen security advisory released on June 12th reads: “Rafal Wojtczuk has discovered a vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.”
FreeBSD also detailed its observations on this security issue: “FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call.”
Addressing security vulnerabilities before the going gets tough is like firefighting. There is no room for another mistake, or else the whole thing will burn down to ashes. Cisco, being a leader in cloud and virtualization, knows exactly how grave flawed security defenses are for its business. Before the previous week ended, Cisco Systems released multiple security updates to address concerns in the following products: AnyConnect Secure Mobility Client, ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module and Cisco Application Control Engine (ACE) software.
The company briefly expounded on the situation via an advisory: “During a malicious attack, any website that hosted a copy of the vulnerable component could masquerade as a trustworthy site and attempt to convince the user to instantiate the vulnerable component.”
If not patched immediately, the flaw could easily permit an attacker to execute malicious code on a user’s system and to downgrade the client to an older version.
McAfee, one of the trusted companies in solving security problems, upgraded its cloud security and Intel identity kit. It beefed up its array of data loss systems to cover email and web gateways. The update also included a simplified management control and reporting pane that will allow common policy and control settings across all hybrid clouds and on-premises systems.
Vikas Jain, director of product management for application security and identity products at Intel, told The Register last month: “This is the starting point in the direction of the vision of how we can make sure that the transaction from the client to the cloud are secure. This is just phase one of that and more contextual elements will come in the future.”
Cloud security issues are wide-ranging, with hardware and software being the prime targets. Adding more layers of security onto the present infrastructure could help address this challenge. But research should concentrate on a holistic approach to eradicating threats around cloud technologies.