Cloud Security Threats—Baker’s Dozen.
Information Systems, IT Enterprises of all sizes are no longer wondering if they should risk migrating applications and data to the cloud. They're doing it -- but security remains a serious concern.
The shared, on-demand nature of cloud computing introduces the possibility of new security vulnerabilities, data leakages and breaches that can erase any gains made by the switch to cloud technology. Cloud services, by nature, introduce security risks. New controls must be put in place.
Threat No. 1: Data breaches
Cloud environments face many of the same threats as traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers become an attractive target. The severity of potential damage tends to depend on the sensitivity of the data exposed. Exposed personal financial information tends to get the headlines, however breaches involving health information, trade secrets, and intellectual property can be more devastating and more valued targets from threat actors.
When a data breach occurs, companies may incur fines, or they may face lawsuits or criminal charges imposed by regulatory agencies. Breach investigations and customer notifications can rack up significant direct and indirect costs. Brand damage and loss of business can impact reputation and the organization for years. Some organizations never recover from these events and quickly devolve into insolvency.Cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud.
Threat No. 2: Compromised credentials and broken authentication
Data breaches and other attacks frequently result from lackadaisical authentication mechanisms, weak passwords, and poor encryption key or certificate management. Organizations often struggle with identity management as they try to allocate permissions appropriate to the user’s job role. More importantly, many organizations never remove user access when a job function changes or a user leaves the organization.
Multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services because they make it harder for attackers to log in with stolen credentials/passwords. The Anthem breach, which exposed more than 80 million customer records, was the result of stolen user credentials. Anthem had failed to deploy multifactor authentication, so once the attackers obtained the credentials, they proceeded to exploit the enterprise with no internal indication or resistance from Anthem IT security systems. Game Over.
Organizations planning to federate identity with a cloud provider (e.g. O365) need to understand the security measures the provider uses to protect the identity management process and platform. Centralizing identity into a single repository has inherent risks. Organizations need to weigh the trade-off of the convenience of centralizing identity against the risk of having that repository become an extremely high-value target for attackers. Threat
No. 3: Hacked interfaces and APIs
Practically every cloud service and application now offer an API (application program interface) - a set of routines, protocols, and tools for building software applications - for programming graphical user interface (GUI) components. IT teams use interfaces and APIs to manage and interact with cloud services, including those that offer cloud provisioning, management, orchestration, and monitoring.
The security and availability of cloud services -- from authentication and access control to encryption and activity monitoring -- depend on the security of the API. Risk increases with third parties that rely on APIs and build interfaces that expose more services and credentials to these uncontrolled entities. Weak interfaces and APIs expose organizations to security issues related to confidentiality, integrity, availability, and accountability.
APIs and interfaces tend to be the most exposed part of a system because they're usually accessible from the open Internet. Adequate controls are usually missing. Threat modeling applications and systems, including data flows and architecture/design, become important parts of the development lifecycle. We recommend security-focused code reviews and rigorous penetration testing.
Threat No. 4: Exploited system vulnerabilities
System vulnerabilities, code defects, and exploitable bugs in software programs, are not new, but they've become a bigger problem with the advent of multitenancy in cloud computing. Organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces.
As in “on-premise” solutions, best practices include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.
According to the Cloud Security Alliance (CSA), the costs of mitigating system vulnerabilities “are relatively small compared to other IT expenditures.” The expense of putting IT processes in place to discover and repair vulnerabilities is small compared to the potential damage. Regulated industries need to patch as quickly as possible, preferably as part of an automated and recurring process. Change control/management processes that address emergency patching ensure that remediation activities are properly documented and reviewed by technical teams as one component of a mature IT Enteprise.
Threat No. 5: Account hijacking
Phishing, fraud, and software exploits continue to be successful ‘social engineering” mechanisms and cloud services add a new dimension to the threat because seasoned attackers can readily eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application to launch other attacks.
Common defense-in-depth protection strategies can contain the damage incurred by a breach. Organizations should prohibit the sharing of account credentials between users and services as well as enable multifactor authentication schemes where available. Accounts, even service accounts, should be monitored so that every transaction can be traced to a human owner. The key is to protect account credentials from being stolen in the first place. Sometimes easier said than done.
Threat No. 6: Malicious ‘Insiders'
The insider threat has many faces: a current or former employee, a system administrator, a contractor, or a business partner. The malicious agenda ranges from data theft to revenge with malicious intent. In a cloud scenario, a disgruntled insider can destroy whole infrastructures and/or manipulate data. Systems that depend solely on the cloud service provider for security, such as encryption, are at greatest risk.
We recommend that organizations control the encryption process and keys, segregating duties and minimizing access given to users. Effective logging, monitoring, and auditing administrator activities are also critical.
As the CSA notes, it's easy to misconstrue a bungling attempt to perform a routine job as "malicious" insider activity. An example would be an administrator who accidentally copies a sensitive customer database to a publicly accessible server. Proper training and management to prevent such mistakes becomes more critical in the cloud, due to the greater potential exposure.
Threat No. 7: Advanced Persistent Threats
Advanced Persistent Threats (APTs) infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time.
APTs typically move laterally through the network and blend in with normal traffic, so they're difficult to detect. They can also metamorphose (mutate) over time and change functionality. The major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure, but customers need to be as diligent in detecting APT compromises in cloud accounts as they would in on-premises systems.
Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks. Security training can help users recognize phishing techniques. Regularly reinforced awareness programs keep users alert and less likely to be tricked into letting an APT into the network -- and IT departments need to stay informed of the latest advanced attacks.
Threat No. 8: Permanent data loss
As the cloud has matured, reports of permanent data loss due to provider error have become extremely rare. But bad actors and malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural and man-made disasters as any facility.
Cloud providers recommend distributing data and applications across multiple zones for added protection. Adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain extremely important with cloud environments.
The burden of preventing data loss is not all on the cloud service provider. If a customer encrypts data before uploading it to the cloud, then that customer must be careful to protect the encryption key. Once the key is lost, so is the data.
Compliance policies often stipulate how long organizations must retain audit records and other documents. Losing such data may have serious regulatory consequences. The new EU data protection rules also treat data destruction and corruption of personal data as data breaches requiring appropriate notification.
Threat No. 9: Inadequate diligence
Organizations that embrace the cloud without fully understanding the environment and its associated risks may encounter a variety of commercial, financial, technical, legal, and compliance risks. Due diligence is necessary whether the organization is trying to migrate to the cloud or merging (or working) with another company. For example, organizations that fail to scrutinize a contract may not be aware of the provider’s liability in case of data loss or breach.
Operational and architectural issues arise if a company's development team lacks familiarity with cloud technologies while apps are deployed to a particular cloud service. Organizations must perform extensive due diligence to understand the risks they assume when they subscribe to each cloud service.
Threat No. 10: Cloud service abuses
Cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack. Other examples including launching Distributed Denial of Service (DdoS) attacks, sending spam and phishing emails, and hosting malicious content.
Providers need to recognize these types of abuses and offer tools for customers to monitor the health of their cloud environments. Customers should make sure service providers offer a mechanism for reporting abuse. Although customers may not be direct prey for malicious actions, cloud service abuse can still result in service availability issues and data loss.
Threat No. 11: DoS attacks
DoS attacks have been around for years, but they've gained prominence again thanks to cloud computing because they often affect availability. Systems may slow to a crawl or simply time out. DoS attacks consume large amounts of processing power, a bill the customer may ultimately have to pay. While high-volume DDoS attacks are very common, organizations should be aware of asymmetric, application-level DoS attacks, which target Web server and database vulnerabilities.
Cloud providers tend to be better poised to handle DoS attacks than their customers. The key is to have a plan to mitigate the attack before it occurs, so administrators have access to those resources when they need them.
Threat No. 12: Shared technology, shared dangers
Vulnerabilities in shared technology pose a significant threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone. Common sense says: a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.
If an integral component gets compromised -- say, a hypervisor, a shared platform component, or an application -- it exposes the entire environment to potential compromise and breach. Recommendations contain a defense-in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources.
Threat No. 13: Ignorance
Ignorance is not bliss in CyberSecurity. Today's security and risk professionals must reset their approaches to risk and security to facilitate a balance between the needs to protect the organization, and the needs to run the business. Risk Management and security professionals must use the power of risk management and security to deliver value, and to influence business decision making.