My Life is a James Bond Film – Mitigating Cloud Sidechannel
January 5, 2018

Queue the music maestro…

2018 starts with a James Bond style explosion.  Too sidechannel attacks were published called Meltdown and Spectre resepectively.  They allow malicious actors to read memory addresses on a machine that does not belong to them.  What does this mean in simple terms?  Come and sit down on my knee young Padawan as I take you to a time when the cloud was young.  Originally the world was physical.  If you wanted to run a server for people to see your cat videos, you had to buy one and install web site software to host the page.  Then you rented a numbered Internet Protocol (IP) address address with the Internet Assigned Numbers Authority (IANA) which you listed under a rented domain name with that great bit phone book in the sky, Domain Name Service (DNS).  Voila you had an address on the web where kitty aficionados could find you.

Now that is all done virtually.  What this means is that large Internet provides such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud host server farms of hundreds of thousands of servers with millions of addresses and virtual servers on them.  A virtual server is when an actual metal machine hosts many software cat web servers that are isolated to certain segments of the physical hardware.  Normally one kitty can cannot see or hear the cats on the same box to prevent fighting.  Now there is a way for one cat to knock on the boxes of another and by the responses know what is in the other virtual box.  This attack is not trivial, nor is it undefended, but it is possible.

Before you call you hardware manufacturer and datacenter engineer to order more servers, please read a few more sentences.  Not all server hosts are vulnerable.  For example AWS has been aware of sidechannel attacks for over a decade.  For example reference Rowhammer.  In fact, only a small portion of the infrastructure has been reported to be vulnerable prior to patching.  (OFFICAL STATEMENT).   There are also defenses that other sources have described as early as 2013.  Thus, the sky is not falling, not today.  This does not mean however that you ought to let your guard down.  Always employ the best Security, Risk and Compliance (SRC) personnel who can explain and quantify risk to the board and the stakeholders.  And have a Security Strategy.

A Security Strategy measures current state, desired state and what it takes to get there.  Or as my Professor Joseph Billingsley taught me from GWU and US Army Strategic Studies, it is “Ends, Ways and Means.”  “Where am I?”, “Where do I want to go?”, and, “What do I have to get there?”  In this case, the first step for your SRC team is to quantify acceptable level of risk to the business.  In other words, “How much business must we do to justify risking exposed secrets.”  A simple example helps.  Your firm sells iPads at a store.  It costs you $100,000 to sell iPads in a year which returns $25,000.  You have a rate if 2% of fraudulent transactions per year ($2000) when employing security costing $2500/yr.  Without security your fraud rate climbs to 5% ($5000).  In this situation security is worth it.

For the cloud you will want your team to perform these same types of calculations, albeit more elaborate and following Generally Acceptable Accounting Practices (GAAP).  To use our case above, “Hosting x virtual machines translates to y number of transactions which has a return of z dollars.”  “It costs a dollars to protect this operation with an exposure of b transactions with a likely rate of compromise of c.”  Thus, “Over l period of time m will be compromised costing n.”  Or to use our example above, “Our virtual servers cost $10 million a year to produce $40 million in transactions.”  The fraud loss without security is 10% or $4 million.  With security costs of 2% or $800,000 we reduce the fraud loss to 5%, or $2 million.  It costs the firm $800,000 to save $8,000,000.  In this case business is profitable with security over our hypothetical one year.
The question that noodles the noggin right now though, is, is it worth it to do business in the cloud.  The question isn’t exactly whether doing business in the cloud is profitable.  The question is over your time horizon, does it make more sense to do business in the cloud or onpremises.  Or does it make sense to do business at all.  The risk is whether your firm has already been compromised.  What it costs to mitigate it, and what is the cost of the same risks onpremises.  Internal datacenters are at risk for virtual machine attacks by insiders.  One must compare the risk of being compromised internally with the cost of operating internally to the risk of being compromised in the cloud against the cost of the cloud.

If these calculations pique your interests, or boggle your mind, you are a candidate for Security Risk and Compliance (SRC).  If they do not interest you, you may be a candidate for SRC if you do business in the cloud.   Contact your Security team today to discover your current vulnerability and costs.  Then make a strategy and execute.