Rethinking security in a cloudy world

Abstract

The world of information and communication technology is experiencing changes that, regardless of some skepticism, are bringing to life the concept of "utility computing". The nostalgics observed a parallel between the emerging paradigm of cloud computing and the traditional time-sharing era, depicting clouds as the modern reincarnation of mainframes available on a pay-per-use basis, and equipped with virtual, elastic, paid disks-as-a-service that replace the old physical disks with quotas. This comparison is fascinating, but more importantly, in our opinion, it prepares the ground for constructive critiques regarding the security of such a computing paradigm. In this paper we explore similar analogies to discuss our position about the current countermeasures (e.g., intrusion detection systems, anti-viruses) developed to mitigate well-known security threats. By reasoning on said affinities, we focus on the simple case of anomaly-based approaches, which are employed in many modern protection tools, not just in intrusion detectors. We illustrate our position by means of a simple running example and show that attacks against injection vulnerabilities, a current menace that is easily recognizable with ordinary anomaly-based checks, can be difficult to detect if web services are assumed to be regular web applications. Along this line, we concentrate on a few critical hypotheses that demand particular attention. We conclude that, although only a minority of threats qualify as novel, they are well camouflaged and can be difficult to recognize behind the confusion caused by the cloud computing excitement.