MASCOT - MeAsuring Security in Cloud OuTsourcing

In the business world and for the government, an increasing number of organizations are migrating their IT to the cloud. One of the arguments for this is security, for two commonly cited reasons. Firstly, cloud providers have highly qualified personnel trained in IT security. Secondly, it is argued that cloud providers have a distributed infrastructure spread across the world, enabling them to better provide continuity during local outages and more effectively fend off (DDoS) attacks.

However, the question arises as to whether cloud providers are genuinely secure. Various examples demonstrate that outages at major cloud providers are not uncommon and can have a significant impact. Add to that the fact that a small number of major cloud providers dominate the market, and the question arises whether we are becoming too dependent on them as a society. This research aims to address two questions.

1. Has the cloud made us safer?
2. What recommendations can we make for a secure outsourcing strategy to the cloud?

In early 2023, we discussed the MASCOT research with Prof. Dr. Ir. Roland van Rijswijk-Deij and Dr. Abhishta. Both are affiliated with the University of Twente. Roland leads the technical branch of the MASCOT project along with colleague Dr. Anna Sperotto, while Abhishta oversees the business and management aspects alongside Prof. Dr. Ir. Bart Nieuwenhuis. Roland provides insights into this collaboration: "To have an impact, a deliberate choice was made for this multidisciplinary approach. You cannot conduct cybersecurity research by purely examining the technology. Security begins and ends with people and the choices they make."

Technical Perspective on Outsourcing Security

From a technical perspective, large-scale internet measurements will be utilized to investigate the extent to which outsourcing to the cloud has already taken place. This is a necessary precondition to assess the impact of the failure of one or more cloud services. "If, as a cloud user, you share infrastructure with parties that are not meticulous, you can encounter issues," explains Roland.

Over the past year, PhD candidate Etienne Kahn conducted research on the 'dark cloud,' or Geo-blocking. Geo-blocking is the process of restricting access to online content based on the physical location of a user. Roland explains, "Etienne essentially explored the gray area where people offer services that are likely not entirely legitimate but also not actively malicious. He examined the abuse of various data center infrastructures. He succeeded in designing a methodology to identify the actual system or IP address that contacted the streaming provider. This allows us to determine what this gray area is. We see that there are places where the gray areas overlap with legitimate use. That is a risk because if things are shut down or IPs are blocked unjustly, it can cause problems for legitimate users. The result includes an overview of actors and parties in this ecosystem that need scrutiny. In addition to Etienne, Sousan Tarahomi (another PhD student outside the project) also looks into cloud security.

Research on Outsourcing Strategies

From a business perspective, outsourcing strategies are being examined for both cloud providers and their customers. Abhishta explains, "What we have seen in recent years is that the cloud market has become increasingly oligopolistic. There are a limited number of major players in the market with a relatively large share. As a result, if, for example, one of the services fails, many different organizations simultaneously experience outages, as seen in a recent major outage from Microsoft. That is a significant risk."

Furthermore, switching is often a (too) significant step for many organizations due to a lack of knowledge and fear that everything will work again after a transition. "A good example of the impact of a service outage is the research of PhD student Yashir Haq on the DNS service provider that went down in 2016. We observed that the number of customers responding to this outage by switching was actually very low. We then looked at which sector these early switchers came from. We thought these would be internet providers, but they turned out to be press agencies, related to not being able to miss their advertising revenue."

Roland adds, "We have data from about 65% of all domain names worldwide, giving us a good understanding of how these organizations have set up their systems. We have data from the last 8 years and can derive strong trends from it. For example, we see things like Microsoft Office 365 and Google Apps growing tremendously. We also noticed an increase in video conferencing since the COVID-19 period. So, we can truly see how changes in society are reflected on the internet and vice versa."

Partners

In the MASCOT project, researchers collaborate with four partners from the field, each with its own perspective on the problem domain.

SURF is the collaborative organization for ICT services within Dutch higher education and research. In addition to its own cloud services, SURF also procures cloud services on behalf of the entire sector from major players such as Microsoft, Google, and others. In MASCOT, SURF represents the role of a procurement organization for cloud services for the education and research sector.

Logius is part of the Ministry of the Interior and Kingdom Relations and plays a significant role in offering and procuring ICT services for the Dutch government. One crucial function of Logius is organizing a cloud exchange for offering cloud services within the government. Therefore, Logius represents the role of public users of cloud services within the project.

KPN is a large-scale service provider for the business market. They have their own cloud services, but they also have services from major cloud providers like Microsoft Office 365 in their portfolio. In MASCOT, KPN represents the perspective of a commercial provider of cloud services.

NLnet Labs, finally, is a non-profit foundation engaged in developing open-source software for core internet services (such as DNS and routing) and conducting applied research on these core services. Many of NLnet Labs' open-source projects are extensively used by major cloud providers like Amazon, Akamai, and Cloudflare. Within the MASCOT project, NLnet Labs brings the perspective of the developer of basic infrastructure for the cloud.

Future of Cloud Service Deployment

Based on the in-depth insights into the current usage and associated risks of the cloud, MASCOT is working on a new approach to deploying cloud services. Because the research is approached from both a technical and business perspective, and because it collaborates with partner companies in the field, the outcomes of the research are likely to quickly find practical application. With the results of this research, both large and small companies, governments, and others will be able to use the cloud even more securely, reliably, and stably in the future.