Cloud / November 18, 2016

Got Public Cloud Security Woes? The Remedy to the Top 12 Security Concerns Is Visibility

The Cloud Security Alliance (CSA) calls it “The Treacherous Twelve.” Others have called it the Dirty Dozen. But by whatever name, this is the list to know if you have concerns about security in the public cloud. To be honest, much is being done to address the items on this list.

In fact, some predict that in a few years’ time the public cloud may be more secure than private ones—and certainly more than traditional networks. Imagine, even, the possibility of security being the reason to go to—rather than shun—the public cloud.

Still, it’s important to understand what the top concerns are and separate them into those that you can directly impact versus those that your provider is mainly responsible for.

  1. Data Breaches – The potential theft of valuable data is a concern in every enterprise network that stores it. However, the risk and the worry are exacerbated in public cloud environments for two main reasons: 1) the underlying infrastructure is shared with other tenants whose security practices may make their neighbors vulnerable; and 2) the public cloud provider’s technology and personnel are beyond the span of control of the tenants or customers who may be exposed to them. From this, it is clear that the responsibility for securing compliance- and security-sensitive data in the public cloud is a shared one. As highlighted above, public cloud infrastructure and service providers are investing and innovating in ways to bolster defenses. Public cloud tenants still have to do their share to ensure proper access controls on critical workloads hosted in the public cloud. A means to monitor and analyze the activity in and out of those workloads is also highly advisable, as is an investment in visibility technology for data in motion in the public cloud.
  2. Insufficient Identity, Credential and Access Management – Public cloud users have several options for implementing identity and access management. They can use the role-based access controls available from their cloud provider or federate identity management by extending the reach of their own systems. Either way, they must take care to ensure that privileged user information does not fall into the wrong hands—which would effectively mean compromise of all workloads, including those hosted in the public cloud. The now defunct company Code Spaces offers a cautionary tale and evidence of the need to ensure that identity and credential management is a top security priority along with keeping information up to date to reflect changes in personnel and access privilege.
  3. Insecure Interfaces and APIs – Cloud providers offer application programming interfaces as a way for customers to customize the design and management of hosted systems. Part of the risk in using APIs, however, is that they may bring third parties into the programming and design of the system, which ultimately creates more complex data flows. Having the means to continually monitor those data flows is absolutely vital for troubleshooting and for spotting unexpected communications paths.
  4. System Vulnerabilities – Exploiting unpatched systems is a common way for hackers to successfully infiltrate networks, second only to the use of phishing scams. Ensuring that all systems, including those hosted in the public cloud, are patched to the latest version (or as emergencies warrant) is something well within the control of cloud tenants and a straightforward way to eliminate some of the risk associated with cloud hosting.
  5. Account Hijacking – In short, this is someone taking control of your public cloud-hosted workloads—websites in particular—and acting on your behalf. This should be of particular concern to those who host client services and applications in the public cloud because data theft is only part of the worry; the cost in lost business and the impact on reputation can be massive. Protections here hark back to number 2 (insufficient identity, credential and access management): not only the strictest of access rights, but also continuous monitoring and management of them as a top priority.
  6. Malicious Insiders – The inside job in public cloud security breaches is usually that of a disgruntled employee, contractor, or business partner who used privileged access (that remained even after separation) to infiltrate networks and steal data. This is by far the most common scenario in breaches of this type. Of particular concern for cloud computing is the notion of a super administrator who manages the entire cloud infrastructure. The credentials of a super admin in the wrong hands could lead to long-term damage to the organization and, often, protracted breach windows as the perpetrators can wipe their tracks as they go along. Closely monitoring the activity of privileged users and limiting their access—only to role and need to know—are part of the mitigating tactics. If using the cloud providers’ controls for this, then mutually ensuring the desired granularity is a shared responsibility.
  7. Advanced Persistent Threats (APTs) – Advanced persistent threats leverage phishing and social engineering to burrow in networks and move laterally toward high-value targets. While cloud providers employ numerous, sophisticated APT-detection capabilities, customers, too, have to monitor communications in and out of their public cloud environments in order to ensure that they have not been breached. Malware can be inadvertently introduced by cloud tenants; and although the cloud provider may be able to ensure tenant isolation, their methods may not protect all of the workloads of the affected tenant. As a result, additional layers of monitoring and access control are highly advised.
  8. Data Loss – The permanent loss of valuable data is always a concern in public cloud hosting. Though catastrophic outages are now uncommon, it is still necessary to confirm with cloud providers their processes as well as service-level agreement parameters for back-up and recovery. If the data being stored is particularly sensitive, you may want to consider encrypting it at rest in the cloud—taking great care to protect the encryption key and perhaps keeping secondary copies in alternate locations, including on premises.
  9. Insufficient Due Diligence – Individual organizations must understand the level of exposure they take on by going to the public cloud. Are you merely migrating some medium-security workloads, or are you rolling out a new customer-facing service? Are the properties of your new service putting an additional commercial burden on the cloud provider for availability and security? What about data that may change physical location while cloud hosted? Do you have legal exposure when data is accessed in locations outside of your state or country? What about the compliance-driven controls you have currently implemented on your premises? Do you have a plan to replicate those in the public cloud for affected data? These questions are part of the necessary due diligence that would ideally precede a public cloud project and ensure that identified risks have accompanying mitigation strategies.
  10. Abuse and Nefarious Use of Cloud Services – The public cloud offers practically limitless compute—pure treasure for hackers who need a lot of it for DDoS attacks, information mining, and password cracking. The onus falls predominantly on cloud providers to monitor the appropriate use of their resources, but tenants, too, have to keep vigil and report suspicious and anomalous activity seen in their public cloud instances. Once again, this calls for continuous and pervasive monitoring of public cloud-hosted traffic.
  11. Denial of Service – Since cloud-hosted services are well advertised, they are also easy to locate and attack. Aiming a deluge of traffic at those interfaces or launching low-and-slow targeted attacks at cloud-hosted application servers is not only costly in terms of outages and slow Web server response, but can also add up in terms of compute owed by the targeted tenant to the cloud provider. Fortunately, cloud providers, especially larger ones like Amazon and Microsoft, have the means to mitigate even large-scale DDoS attacks. Smaller cloud providers, on the other hand, may not, which makes a customer-conceived mitigation plan necessary.
  12. Shared Technology Issues – Cloud computing offers unprecedented economies of scale because of the shared nature of its components, including infrastructure, platforms, and applications. Public cloud providers segment resources, largely in software, so that each tenant receives the portion it requires to meet business demands. Nonetheless, inadequate segmentation and component protection can allow a single threat to spread so that entire communities of tenant organizations and businesses are affected. To mitigate these risks, cloud service providers implement hypervisor and network segmentation, host- and network-based threat detection, and least-privilege access for management of the shared infrastructure.
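Items 2 and 6 both come down to the same tenant-side housekeeping: access that outlives an employee's departure, credentials that are never rotated, privileges nobody uses, and "super administrator" roles held by more people than necessary. The following audit script is an added example (not code from the original article or from any cloud provider); the inventory format, the `Principal` fields, the 90-day rotation and 30-day idle thresholds, and the role names in `ADMIN_ROLES` are all assumptions chosen for illustration, and the inventory itself is constructed.

```python
"""Audit a constructed identity inventory for the credential and
privilege problems described under items 2 and 6.  Added example;
the inventory layout and the thresholds are assumptions, not any
provider's API or policy."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=90)        # assumed credential rotation policy
MAX_IDLE = timedelta(days=30)           # assumed "unused privilege" threshold
ADMIN_ROLES = {"cloud-admin", "owner"}  # assumed names of super-admin roles


@dataclass
class Principal:
    """One user or service identity as exported from an IAM inventory."""
    name: str
    roles: set
    active_employee: bool   # False once HR has recorded a separation
    key_created: date       # when the current access credential was issued
    last_used: date         # last authenticated activity


def audit(principals, today):
    """Return (principal, finding) pairs for every policy violation.

    The checks map to the article's concerns: retained access after
    separation and super-admin roles (item 6), stale or unused
    credentials (item 2)."""
    findings = []
    for p in principals:
        if not p.active_employee:
            findings.append((p.name, "access retained after separation"))
        if today - p.key_created > MAX_KEY_AGE:
            findings.append((p.name, "credential older than rotation policy"))
        if today - p.last_used > MAX_IDLE:
            findings.append((p.name, "privilege unused beyond idle threshold"))
        admin = p.roles & ADMIN_ROLES
        if admin:
            findings.append((p.name, f"holds super-admin role(s) {sorted(admin)}"))
    return findings


def by_principal(findings):
    """Group findings so each identity can be reviewed by its owner."""
    grouped = {}
    for name, finding in findings:
        grouped.setdefault(name, []).append(finding)
    return grouped


# Constructed sample inventory; dates chosen relative to an assumed
# audit date of 2016-11-18.
SAMPLE_INVENTORY = [
    Principal("alice", {"developer"}, True,
              date(2016, 10, 1), date(2016, 11, 17)),
    Principal("bob", {"cloud-admin"}, False,          # left the company, still has access
              date(2016, 5, 1), date(2016, 6, 30)),
    Principal("carol", {"owner", "developer"}, True,
              date(2016, 11, 1), date(2016, 11, 18)),
]

if __name__ == "__main__":
    for name, items in by_principal(audit(SAMPLE_INVENTORY, date(2016, 11, 18))).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run against the constructed inventory, `bob` trips every check (separated, stale key, idle, super-admin), `carol` is flagged only for holding an admin role, and `alice` is clean. In practice the inventory would be exported from the provider's IAM or from a federated directory, and the HR separation feed is the input that closes the gap item 6 describes.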

What’s Ahead

Gartner predicts that there is enough momentum and investment from the likes of Amazon, Microsoft, and Google in making public clouds safer to actually drive adoption even among the most security-sensitive (e.g., public sector) organizations. In fact, Neville Cannon, research director at Gartner, has said public sector organizations will start to realize that most major cloud providers are better equipped to deal with security threats than they are themselves.

Keep in mind that, regardless of who is expert or responsible, consumers of public cloud offerings can augment any and all efforts to secure their piece of the cloud by implementing visibility technology.
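Items 3, 7 and 10 and the closing paragraph all ask the tenant for the same capability: visibility into traffic in and out of cloud-hosted workloads, so that unexpected communications paths and anomalous activity stand out. The script below is an added example (not code from the original article or from any vendor's visibility product) of the simplest form of that analysis: flow records checked against a baseline of the paths the tiers are supposed to use. The flow-record format, the tier networks in `BASELINE`, the internal address range and the egress byte threshold are assumptions, and the flow lines are constructed.

```python
"""Check constructed flow records against a baseline of expected
communications paths and flag heavy egress.  Added example; the
record format, the networks and the thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed baseline of allowed paths: (source network, destination
# network, destination port).  Anything not listed is an unexpected
# path worth a look (item 3), whatever its volume.
BASELINE = [
    ("10.0.1.0/24", "10.0.2.0/24", 5432),  # web tier -> database tier
    ("10.0.1.0/24", "0.0.0.0/0", 443),     # web tier -> internet over HTTPS
    ("10.0.2.0/24", "10.0.3.0/24", 53),    # database tier -> internal DNS
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed tenant address space


def parse_flow(line):
    """Parse one constructed record: '<timestamp> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def expected(src, dst, dport):
    """True when the flow matches at least one baseline entry."""
    s_addr, d_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s_addr in ipaddress.ip_network(s_net)
        and d_addr in ipaddress.ip_network(d_net)
        and dport == port
        for s_net, d_net, port in BASELINE
    )


def analyze(lines, egress_limit=50_000_000):
    """Return (unexpected_flows, heavy_egress).

    unexpected_flows: records off the baseline (new or unsanctioned paths).
    heavy_egress: sources whose bytes to non-internal destinations exceed
    egress_limit, the kind of volume anomaly items 7 and 10 call for
    tenants to watch and report."""
    unexpected, egress = [], defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if not expected(flow["src"], flow["dst"], flow["dport"]):
            unexpected.append(flow)
        if ipaddress.ip_address(flow["dst"]) not in INTERNAL:
            egress[flow["src"]] += flow["bytes"]
    heavy = {src: total for src, total in egress.items() if total > egress_limit}
    return unexpected, heavy


# Constructed flow records (documentation/test address ranges).
SAMPLE_FLOWS = [
    "2016-11-18T10:00:01 10.0.1.5 10.0.2.10 5432 1200",
    "2016-11-18T10:00:02 10.0.1.5 93.184.216.34 443 8800",
    "2016-11-18T10:00:03 10.0.2.10 10.0.3.2 53 180",
    "2016-11-18T10:00:04 10.0.2.10 198.51.100.7 8081 960",   # db tier talking to the internet
    "2016-11-18T10:00:05 10.0.1.5 10.0.2.10 22 512",         # SSH between tiers, not baselined
    "2016-11-18T10:00:06 10.0.1.9 203.0.113.20 443 60000000",  # sanctioned path, unusual volume
]

if __name__ == "__main__":
    unexpected, heavy = analyze(SAMPLE_FLOWS)
    for flow in unexpected:
        print(f"unexpected path: {flow['src']} -> {flow['dst']}:{flow['dport']} at {flow['ts']}")
    for src, total in heavy.items():
        print(f"heavy egress: {src} sent {total} bytes outside the tenant network")
```

Two things in the output are worth noting. The database-tier host reaching the internet and the web-to-database SSH session are caught purely by being off the baseline, which is why a maintained allow-list of paths is the cheapest detection a tenant can own. The large HTTPS transfer, by contrast, is on a sanctioned path and is caught only by volume, so path and volume checks complement rather than replace each other.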

Originally posted in Database Trends & Applications