By Robert Clauff, Security Engineer, Solutionary
More and more organizations are moving to the “CLOUD.” It seems as though you can’t read an article about IT or turn on the TV without seeing something about the increasingly ubiquitous cloud. Of course, the cloud is more than just an IT buzzword; it’s an increasingly important part of IT that requires organizations to consider the security implications of “moving to the cloud.”
Moving to the cloud can benefit a lot of organizations. However, you need to know how to keep things secure while you migrate to such an environment. The term cloud is frequently thrown around in discussions; but in reality, a lot of IT professionals do not really know all the downsides of cloud migration, and security issues are often overlooked.
I keep reading and hearing statements like, “The cloud is so much easier to manage and makes your information more secure.” These types of blanket statements are just not accurate.
The cloud does mitigate some common security issues, like data resiliency and availability, as well as some physical threats. Yet, when organizations decide to migrate to the cloud there are other layers of security that they need to acknowledge, which are often ignored by companies that do not look at all of the facts.
The reality is that cloud computing opens up new ways in which your security can be compromised, and you have to trust your cloud provider’s security to be up to par. You can improve your overall security posture if, rather than letting it relax, you take this opportunity to tighten it even more. New threats can range from basic to very advanced techniques, and organizations will run into some of these issues when trying to protect data, because there are “Catch-22s.”
While data loss and data leakage are both bad, the security measures to mitigate one can exacerbate the other. I personally get an uneasy feeling about concentrations of several organizations in the same physical environment, which happens constantly in the cloud. For example, improperly designed multi-tenant cloud databases and flawed applications could allow a hacker to access not only the data of one client, but the host as a whole, and potentially all client data stored by the provider.
As we all know, security issues do not always originate from malicious hackers. User errors will do just as much (if not more) damage. In 2011, the EC2 cloud had data loss because of constant backups and a “re-mirroring storm,” all due to user error. Something as easy as losing encryption keys for the data can cause catastrophic damage to an environment.
We have seen an example where an attacker on a virtual machine listened for activity that signals the arrival of encryption keys from another virtual machine on the same host, using a ‘side channel timing exposure’ technique. However, as far as we know, this advanced technique has not been tied to any large breaches (yet). Cloud environments could help put a large bull’s-eye on your organization because compromising an array of cloud servers could make for one heck of a malware server farm or even a nice Denial-of-Service (DoS) attack, all in one easy shot. (Attack the cloud provider, and affect dozens, hundreds or thousands of clients.) In fact, Solutionary Security Engineering Research Team (SERT) research has shown that leading Internet Service Providers (ISPs) and hosters are a haven for hosted malware.
Among all of the different security issues, the same “oldie but goodie” issues are still present. Account hijacking is and always will be a serious security issue due to phishing, vulnerabilities and buffer overflows. Session hijacking is just as prominent in the cloud and can lead to service hijacking while compromising the confidentiality, integrity and availability of your data. Malicious users and rogue administrators still exist, just as they always have, but there are easier ways like throwing a VM on a flash drive and walking out of the building with it.
DoS attacks are still a very real threat, even in the cloud. If your organization experiences a DoS attack, you could still be charged for resources being used while the services are unavailable. Or, if your servers are compromised at the cloud provider, you could be charged for any bandwidth used because of a DoS attack. You can probably get those charges cancelled, but chances are you will still have to take action to do so.
A lot of these situations can be mitigated just by using security best practices and having a good sense of security from the ground up when developing your cloud infrastructure. Don’t just trust that cloud providers have a secure infrastructure. Instead, ask them what their practices are, and ensure they are supporting a secure environment. Whenever possible, include two-factor authentication and security-conscious applications when considering what you will be interfacing with.
The provider should be using security best practices, and have an effective application development security program if they are implementing applications for you. A large percentage of compromise in the cloud is due to flaws in applications or Web functionality. Be sure to do your due diligence.
An insecure Application Program Interface (API) can be your worst enemy. APIs could give anonymous users access using third-party authentication for services such as Facebook, Google and Twitter. These authentication methods are often found to be broken and vulnerable to compromise. In general, relying on third-party security practices to secure your applications is bad practice.
Dealing with IT security every day, I see how many bad situations could have been avoided if security had been taken into account when the environment was built. While security best practices are a great avenue to keep your data secure, it always helps to have someone watching your back. The Cloud Security Alliance (CSA) is a great resource to have when you need answers to real-world questions.
Having a Managed Security Services Provider (MSSP) watching over your cloud environment is always a great benefit as well. As any IT professional knows, it is impossible to have eyes everywhere while tending to day-to-day operations.
I hope that after reading my little rant you will definitely do your due diligence on the cloud before jumping into something just because upper management starts throwing around buzzwords like “The All Powerful CLOUD!” Just remember that you will need real-world information security practices, and there is never anything as easy as a special man behind a curtain to solve your problems.