In recent years, the term “cloud computing” has come into widespread use in the industry. Although the concept has been around for several years, advances in technologies such as virtualization, together with big IT vendors like Microsoft, Amazon Web Services and Oracle starting to provide cloud services, made the term commonplace and made the cloud an option for many companies to consider for easy access to corporate data and systems from anywhere.
In simple terms, the cloud means that your data and systems are not tied to a single location. They can be reached from anywhere, which makes accessing them easier. Adopting the cloud removes the headache of hosting and maintaining on-premise infrastructure, which considerably reduces capital investment as well as the burden of maintaining physical and environmental security.
The cloud is capable of delivering many benefits, enabling greater connectivity, business agility and speed to market. With flexible cost structures like pay-as-you-go, the cloud has become a popular deployment strategy for many organizations.
While the new computing paradigm brings benefits, there are certain risks associated with it. Organizations rely entirely on a cloud computing vendor and no longer have the control over IT assets that they used to have, particularly with a Software as a Service (SaaS) provider. As a result, they have to reassess the security model they have been using. With the cloud model, you lose control over physical security as well.
In a public cloud, organizations share computing resources with other organizations. In a shared pool outside the enterprise, you have no knowledge of or control over where the resources run. Exposing organizational data in an environment shared with other organizations could give governments “reasonable cause” to seize an organization’s assets because another organization has violated the law. Simply sharing the environment in the cloud may put your data at risk of seizure. Storage services provided by one cloud vendor may be incompatible with another vendor’s services should you decide to move from one to the other. Vendors are known for creating what the hosting world calls “sticky services”: services that an end user may have difficulty transporting from one cloud vendor to another; e.g., Amazon’s “Simple Storage Service” [S3] is incompatible with IBM’s Blue Cloud, or Google, or Dell. This also creates vendor lock-in, and sometimes you might have to live with rising charges over the years without being able to consider moving to another vendor.
Hackers also prefer to target clouds, as they are a treasure trove of data. While the cloud provides unprecedented benefits to digital businesses, it can also leave customer and employee data vulnerable. Major data breaches at tech giants like Yahoo, which confirmed last year that three billion of its email accounts were compromised in August 2013, demonstrate that no company is completely safe from a hack. Oracle, Sony, T-Mobile and Dropbox are just a few other consumer tech companies that have dealt with massive hacks in recent years.
Things to watch out for!
Information security professionals are working continuously to make the cloud a better and safer environment that organizations can invest in. The Cloud Security Alliance (CSA) is one of the leading organizations providing security best practices that should be considered when securing the cloud. Its latest report, “Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights”, focuses on 12 security concerns that were derived from a survey of industry experts conducted to compile professional opinions on the greatest security issues within cloud computing.
Data breaches
According to CSA, a data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property. An organization’s cloud-based data may have value to different parties for different reasons. The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers.
During the past year, Yahoo! came forward to report that it had been the victim of the biggest data breach in history, affecting 3 billion user accounts. So it is not uncommon for any organization to fall victim to a breach at any time.
Insufficient identity, credential, and access management
Attackers masquerading as legitimate users, operators, or developers can read, modify, and delete data, issue control plane and management functions, snoop on data in transit or release malicious software that appears to originate from a legitimate source, CSA says. As a result, insufficient identity, credential, or key management can enable unauthorized access to data and potentially catastrophic damage to organizations or end users.
Insecure interfaces and application programming interfaces (APIs)
Cloud providers expose a set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud services. Provisioning, management, and monitoring are all performed with these interfaces, and the security and availability of general cloud services depend on the security of APIs, CSA says. They need to be designed to protect against accidental and malicious attempts to circumvent policy.
System vulnerabilities
System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, take control of the system or disrupt service operations. Vulnerabilities within the components of the operating system put the security of all services and data at significant risk, CSA says. With the advent of multi-tenancy in the cloud, systems from various organizations are placed close to each other and given access to shared memory and resources, creating a new attack surface.
Account hijacking
Account or service hijacking is not new, CSA notes, but cloud services add a new threat to the landscape. If attackers gain access to a user’s credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites. Account or service instances might become a new base for attackers. With stolen credentials, attackers can often access critical areas of cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services.
Malicious insiders
While the level of threat is open to debate, the fact that the insider threat is a real adversary is not. A malicious insider such as a system administrator can access potentially sensitive information, and can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on cloud service providers for security are at greater risk.
Advanced persistent threats (APTs)
APTs are a parasitical form of cyber attack that infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which the attackers steal data. APTs pursue their goals stealthily over extended periods of time, often adapting to the security measures intended to defend against them. Once in place, APTs can move laterally through data center networks and blend in with normal network traffic to achieve their objectives, CSA says.
Data loss
Data stored in the cloud can be lost for reasons other than malicious attacks, CSA says. An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, following best practices in business continuity and disaster recovery.
Insufficient due diligence
When executives create business strategies, cloud technologies and service providers must be considered. Developing a good roadmap and checklist for due diligence when evaluating technologies and providers is essential for the greatest chance of success. Organizations that rush to adopt cloud technologies and choose providers without performing due diligence expose themselves to a number of risks.
Abuse and nefarious use of cloud services
Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks, CSA says. Hackers might leverage cloud computing resources to target users, organizations, or other cloud providers. Examples of misuse of cloud-based resources include launching distributed denial-of-service attacks, email spam, and phishing campaigns.
Denial of service (DoS)
DoS attacks are designed to prevent users of a service from being able to access their data or applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth, attackers can cause a system slowdown and leave all legitimate service users without access to services.
Shared technology vulnerabilities
Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications, CSA notes. Cloud technology divides the “as-a-service” offering without substantially changing the off-the-shelf hardware/software, sometimes at the expense of security. Underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications. This can lead to shared technology vulnerabilities that can potentially be exploited in all delivery models.
What is a Cloud Access Security Broker (CASB)?
Gartner predicts that through 2020, 95% of cloud security failures will be the customer’s fault, and that by 2020, 60% of large enterprises will use a CASB.
According to Gartner, a cloud access security broker (CASB) is an on-premise or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Organizations are increasingly turning to CASB vendors to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control.
CASB service offerings can protect organizations from the majority of the Treacherous 12. CASB features include:
Detect data breaches by monitoring privileged users, encryption policies and sensitive data movement.
Monitor and detect weak password expiration policies, user or service account access patterns and non-compliant cryptographic keys.
Monitor API usage in clouds and detect unusual activities originating from API calls.
Implement security-hardened baseline configurations, continuous monitoring, and alerts if there is a change to the desired configurations and change in the application access patterns.
Monitor for overly privileged user accounts, plus user profiles, roles, and privileges for drifts from compliant baselines. A CASB can also detect malicious user activity using user behavior analytics.
Detect anomalies in inbound and outbound data (data exfiltration), which helps to discover when a network has been the target of an APT attack.
Monitor workloads in IaaS and access patterns in SaaS services to detect abnormal launch and termination of compute instances, and to detect abnormal user access patterns.
Monitor compute, storage, network, application, user security enforcement, and configurations, whether the service model is IaaS, PaaS, or SaaS.
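To make two of the checks listed above concrete (privilege drift from a compliant baseline, and abnormal launch and termination of compute instances), here is an added Python example; it is not part of the original article and not any CASB product's code. The role names, privilege strings, event layout and thresholds are all constructed assumptions.

```python
from collections import Counter
from statistics import median

# Constructed compliant baseline: role -> permitted privileges (hypothetical names).
BASELINE = {
    "developer": {"storage:read", "compute:launch"},
    "auditor": {"logs:read"},
}

# Constructed account state: (user, role, privileges currently granted).
ACCOUNTS = [
    ("alice", "developer", {"storage:read", "compute:launch"}),
    ("bob", "auditor", {"logs:read", "iam:admin"}),
    ("carol", "developer", {"storage:read", "storage:delete"}),
]

# Constructed audit events: (hour, user, action). alice launches two
# instances an hour; carol churns 78 instances inside a single hour.
EVENTS = (
    [(h, "alice", "launch") for h in range(8) for _ in range(2)]
    + [(8, "carol", "launch")] * 40
    + [(8, "carol", "terminate")] * 38
)


def privilege_drift(accounts, baseline):
    """Return {user: privileges granted beyond the role's baseline}."""
    drift = {}
    for user, role, granted in accounts:
        # A role missing from the baseline has no approved privileges at all.
        extra = granted - baseline.get(role, set())
        if extra:
            drift[user] = extra
    return drift


def abnormal_instance_churn(events, factor=5, floor=10):
    """Flag (hour, user, count) where launch/terminate volume in one hour
    exceeds both `floor` and `factor` times the median hourly volume."""
    counts = Counter((hour, user) for hour, user, action in events
                     if action in ("launch", "terminate"))
    if not counts:
        return []
    typical = median(counts.values())  # median resists the outlier itself
    return sorted((hour, user, n) for (hour, user), n in counts.items()
                  if n >= floor and n > factor * typical)


if __name__ == "__main__":
    print(privilege_drift(ACCOUNTS, BASELINE))
    print(abnormal_instance_churn(EVENTS))
```

The median is used as the notion of "typical" because a single extreme hour inflates a mean and standard deviation enough to hide itself in a small sample.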
Cloud computing has several benefits. However, every opportunity has its own set of risks, so organizations should do their own risk assessments before consuming these benefits and take appropriate actions to mitigate the security risks.
Author: Buddhika De Alwis (CISSP, CISM, CISM, CGEIT)
Buddhika has over a decade of experience in Cyber security working with companies like KPMG and Ernst & Young. He is also an ISO 27001 Lead Auditor. He works as a security consultant for CMS - Remote Technology Center of Bluecorp.