Security Issues with Content Management Systems (CMSs) on the Cloud

Østdahl, Thomas

January 2011

Although cloud computing is the major hype nowadays, it is actually a relatively “old” concept which can be dated back to the 1950s. Then, AT&T was developing a centralized infrastructure and storage space, where their customers could connect to using advanced telephones. Cloud computing works in a similar fashion, where customers subscribe to centralized service models. The models are separated in three main categories; Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). The cloud is a multi-tenant environment, i.e., several customers are able to use the same service simultaneously. More- over, the cloud is highly scalable, which means that resources can be allocated on demand. Cloud computing follows a pay-per-use payment model. Customers could reduce their operational and maintenance costs significantly, because they subscribe to a Cloud Service Provider (CSP) which is responsible for these tasks. Moreover, an organization is no longer dependent on costly upfront investments.Most of the industry-leading technology organizations (e.g., Amazon, Apple, Google, Microsoft) have their own cloud services. Thus, the barrier to adopt the cloud for customers has lowered. Organizations have hasted to move their services to the cloud, without questioning the cloud’s maturity. Even though cloud security has been a priority from the beginning, numerous attacks have been reported. The CSP’s data-centers provide both physical and infrastructure security. However, traditional security threats to IT systems, is still applicable to cloud applications. Furthermore, new cloud-specific security risks emerge. Confidentiality, integrity and availability of data are always of importance, however, becomes challenging in the cloud due to its dynamic environment. Ensuring integrity of data, with- out knowing the whole data set, is one of several challenges. Moreover, due to the increasing incidents of Denial-of-Service (DoS) attacks, availability of data has become problematic. Although the cloud is able to scale well with such attacks, disruptions of services still occur. The scalability of clouds could also potentially be a threat, if malicious users are able to create bot-nets of multiple clouds.The Internet is a hostile environment, likewise is the cloud. However, this does not stop people from rapidly adopting it. Organizations have hasted to offer their services on the cloud, to benefit from its advantages. Content Management Sys- tems (CMSs) are examples of such services. They are widely popular, and used to create professional websites without requiring technical skills. CMSs provides a user-friendly platform to manage the contents (e.g., text, pictures, music), then customize it with templates and extensions. Open source CMSs benefit from their communities of developers, which contribute to keep their systems up to date and safe, with the current technologies. Since many CMS have non-technical users, they tend to be attractive targets for adversaries. Especially, third-party exten- sions have been considered a major threat. The “core” of the systems are often secure. However, web application vulnerabilities apply to these systems.Joomla! is a widely popular open source CMS, due to its simplicity and remark- able community. The latest version (Joomla! 1.6) has made it suitable for both new unexperienced users, as well as professional users. Joomla! can be used as a PaaS, to benefit from the cloud’s advantages. Anyhow, Joomla! is an attractive target, due to its non-technical audience. It is considered secure by default. How- ever, with simple open source tools, it is possible to obtain valuable information about the system, e.g., server spesifications, OS, CMS version. Moreover, the se- curity of the back-end have potential for improvements. Since many customers use weak passwords, and the back-end is always located in the same folder, adversaries could brute-force their way through. Many CMSs have static files and resources, which finger-printers utilize to determine the system specifications. Furthermore, poorly coded extensions are gateways for attackers. If an exploit is found in a com- ponent, adversaries could automate attacks against websites with this vulnerable component installed. Hence, it is critical for users to always keep up to date.The emerging future would introduce numerous new ways of cloud usage. Many companies invest in enormous data-centers, which is the size of small villages. More and more services would move to the cloud, and software licenses would start to be excess. The threats to the cloud are not significantly increased in numbers, compared to traditional IT systems. However, the multi-tenancy could be exploited by malicious users. Moreover, distributed attacks originating from several clouds, could force CSPs to evolve cloud security.

ntnudaim:6111

MTKOM kommunikasjonsteknologi

Informasjonssikkerhet