Businesses make a big mistake when they assume the cloud will automatically keep their workloads and data safe from attack, theft and other malfeasance. Even in the cloud, vulnerabilities and the potential for exploitation are inevitable.
Cloud platforms are multi-tenant environments that share infrastructure and resources across countless global customers. A provider must work diligently to maintain the integrity of its shared infrastructure. At the same time, the cloud is a self-service platform, and each customer must carefully define the specific controls for each of its workloads and resources.
Before we delve into these cloud security challenges and how to protect against them, enterprises must understand the differences among the three major types of dangers: threats, vulnerabilities and risks. These terms are often used interchangeably, but they carry different meanings for IT security professionals.
- A threat is something that is actually happening -- an action or behavior -- that the organization must defend against, such as a denial-of-service (DoS) attack, human error or a natural disaster.
- A vulnerability is an oversight, gap, weakness or other flaw in the organization's security posture. This could include an improperly configured firewall, an unpatched OS or unencrypted data.
- A risk is the careful assessment of potential threats against the organization's vulnerabilities. For example, if someone stores unencrypted data in the public cloud, human error could allow that data to be accessed or changed. That combination could be perceived as a significant risk for the business, one that must be addressed.
When users understand public cloud vulnerabilities, they can then identify potential security gaps and common mistakes. An IT team needs to recognize and address each type to prevent its system from being exploited. Below are six of the most common areas of focus.
1. Misconfigurations
Users are responsible for configurations, so your IT team needs to prioritize mastery of the various settings and options. Cloud resources are guarded by an array of configuration settings that define which users can access applications and data. Configuration errors and oversights can expose data and allow it to be misused or altered.
Every cloud provider uses different configuration options and parameters. The onus is on users to learn and understand how the platforms that host their workloads apply these settings.
IT teams can mitigate configuration mistakes in several ways.
- Adopt and enforce policies of least privilege or zero trust to block access to all cloud resources and services unless such access is required for specific business or application tasks.
- Employ cloud service policies to ensure resources are private by default.
- Create and use clear business policies and guidelines that outline the required configuration settings for cloud resources and services.
- Be a student of the cloud provider's configuration and security settings. Consider provider-specific courses and certifications.
- Use encryption as a default to guard data at rest and in flight where possible.
- Use tools, such as Intruder and Open Raven, to check for configuration errors and to audit logs.
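The "private by default", least-privilege and "encrypted by default" policies above can be turned into a mechanical check. The following audit script is an added example, not code from the article or from any provider or tool it names: it runs over a constructed export of three bucket configurations whose field names (`public_read`, `encryption_at_rest`, `access_logging`, `grants`) are assumptions for this illustration, and it reports every policy violation with a severity.

```python
from collections import namedtuple
from typing import Dict, List

# Constructed sample records: a normalised export of three storage buckets.
# Field names are assumptions for this illustration, not any provider's schema.
SAMPLE_BUCKETS = [
    {"name": "prod-customer-exports", "public_read": True, "encryption_at_rest": False,
     "access_logging": False,
     "grants": [{"principal": "*", "actions": ["storage:Get", "storage:List"]}]},
    {"name": "internal-build-cache", "public_read": False, "encryption_at_rest": True,
     "access_logging": True,
     "grants": [{"principal": "svc-ci", "actions": ["storage:Get", "storage:Put"]}]},
    {"name": "analytics-raw", "public_read": False, "encryption_at_rest": True,
     "access_logging": False,
     "grants": [{"principal": "group:analysts", "actions": ["storage:*"]}]},
]

Finding = namedtuple("Finding", "resource severity issue")


def audit_bucket(cfg: dict) -> List[Finding]:
    """Check one bucket against the policies: private, least privilege, encrypted, logged."""
    name, findings = cfg["name"], []
    if cfg.get("public_read", False):
        findings.append(Finding(name, "high", "public read access enabled"))
    for grant in cfg.get("grants", []):
        # A wildcard principal is anonymous access; a wildcard action is unbounded privilege.
        if grant["principal"] == "*":
            findings.append(Finding(name, "high", "grant to wildcard principal"))
        if "storage:*" in grant["actions"]:
            findings.append(Finding(name, "medium", f"wildcard actions granted to {grant['principal']}"))
    if not cfg.get("encryption_at_rest", False):
        findings.append(Finding(name, "high", "encryption at rest disabled"))
    if not cfg.get("access_logging", False):
        findings.append(Finding(name, "low", "access logging disabled"))
    return findings


def audit_all(buckets: List[dict]) -> Dict[str, List[Finding]]:
    """Audit every bucket; only resources with at least one violation appear in the report."""
    report = {}
    for cfg in buckets:
        found = audit_bucket(cfg)
        if found:
            report[cfg["name"]] = found
    return report


if __name__ == "__main__":
    for res, items in audit_all(SAMPLE_BUCKETS).items():
        for f in items:
            print(f"{f.severity.upper():<6} {res}: {f.issue}")
```

Run against a real export, the same shape of report is what a configuration-scanning tool produces; the value is in wiring it to the written configuration standard so that every deviation is named.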
2. Poor access control
Unauthorized users take advantage of poor access control to get around weak or absent authentication or authorization methods.
For example, malicious actors take advantage of weak passwords to guess credentials. Strong access controls impose additional requirements, such as a minimum password length, a mix of uppercase and lowercase letters, the inclusion of punctuation or symbols and frequent password changes.
Access control security can be enhanced through several common tactics.
- Enforce strong passwords and require regular resets.
- Use multifactor authentication techniques.
- Require regular reauthentications for users.
- Adopt policies of least privilege or zero trust.
- Avoid the use of third-party access controls and employ cloud-based access controls for services and resources within the cloud.
3. Shadow IT
Anyone can create a public cloud account, which they can then use to provision services and migrate workloads and data. But those not well-versed in security standards will often misconfigure the security options -- leaving exploitable cloud vulnerabilities. In many cases, the owners of such "shadow IT" deployments may never even recognize or report an exploit. This denies the business any opportunity to mitigate the problem until long after the damage is done.
Today's businesses are more tolerant of shadow IT, but it's vital that organizations implement standard configurations and practices. Business users, departments and other organizational entities must adhere to the business's set standards to combat vulnerabilities and keep the overall organization safe.
4. Insecure APIs
Unrelated software products use APIs to communicate and interoperate without any knowledge of the internal workings of each other's code. APIs usually require -- and grant access to -- sensitive business data. Many APIs are made public to help speed adoption, enabling outside developers and business partners to access the organization's services and data.
But APIs are sometimes implemented without adequate authentication and authorization. They wind up completely open to the public, so anyone with an internet connection can access -- and potentially compromise -- data. Consequently, insecure APIs are rapidly becoming a major attack vector for hackers and other malicious actors.
Whether using a cloud provider's APIs or creating business APIs deployed in the cloud, it's important to develop and use APIs with the following:
- strong authentication
- data encryption
- activity monitoring and logging
- access controls
Businesses that develop and implement APIs should treat them as sensitive code subject to thorough security reviews, including penetration testing. Cloud and other outside APIs should be subject to the same scrutiny. Avoid outside APIs that don't meet established security guidelines.
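Three of the four requirements listed above (strong authentication, access controls, activity monitoring and logging) can be shown in a single deny-by-default request gate; transport encryption is left to TLS at the load balancer. This is an added example, not code from the article or from any cloud provider's API: the HMAC-signed bearer token format, the routes, the roles and the signing key are all assumptions for the illustration.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"constructed-demo-signing-key"  # assumption: a real key comes from a secrets manager
# Route -> roles allowed to call it; any route or role not listed is denied (deny by default).
ROUTE_ROLES = {"GET /orders": {"reader", "admin"}, "DELETE /orders": {"admin"}}
AUDIT_LOG: list = []  # one entry per request, allowed or not, for monitoring


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(principal: str, role: str, ttl: int, now: float) -> str:
    """Mint a bearer token: base64url(claims) '.' base64url(HMAC-SHA256(claims))."""
    claims = json.dumps({"sub": principal, "role": role, "exp": int(now) + ttl}).encode()
    return f"{b64u(claims)}.{b64u(hmac.new(SECRET, claims, hashlib.sha256).digest())}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64u_decode(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        # Constant-time comparison so signature bytes cannot be recovered via timing.
        if not hmac.compare_digest(expected, b64u_decode(sig_b64)):
            return None
        claims = json.loads(payload)
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None


def handle(method: str, path: str, auth_header: Optional[str], now: float) -> Tuple[int, str]:
    """Gate one request: 401 without valid credentials, 403 without the needed role."""
    route = f"{method} {path}"
    claims = None
    if auth_header and auth_header.startswith("Bearer "):
        claims = verify_token(auth_header[len("Bearer "):], now)
    if claims is None:
        status, who = 401, "anonymous"
    elif claims["role"] not in ROUTE_ROLES.get(route, set()):
        status, who = 403, claims["sub"]
    else:
        status, who = 200, claims["sub"]
    AUDIT_LOG.append({"ts": int(now), "principal": who, "route": route, "status": status})
    return status, who
```

An API that is "completely open to the public" is exactly this code with the `claims is None` branch removed; the audit log is what lets monitoring distinguish a burst of 401s from legitimate traffic.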
5. Breaches and compliance exposure
In cloud computing, the provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.
In this shared responsibility model, the provider maintains the integrity and operations of the infrastructure and controls the separation of customer resources and data. The customer is responsible for configuring application and data security, such as access controls.
When a threat successfully exploits a vulnerability and accesses data without a proper business purpose, the business is solely responsible for that breach and any subsequent consequences. Consider several common examples:
- Sensitive customer data is stolen, which puts the business in violation of prevailing regulatory obligations and damages its reputation.
- Important data is stolen, which causes a loss of intellectual property, compromises the organization's competitive position and jeopardizes the investment that yielded that data.
- Internal business data is altered or erased, which creates a raft of potential impacts such as production problems.
Breaches usually carry penalties for the business. For example, breaches that violate regulatory obligations may result in significant fines and penalties. Breaches that involve data stored for clients or customers may result in contractual violations that lead to time-consuming litigation and costly remedy.
Ensure proper configurations and follow other precautions outlined in this piece to mitigate any regulatory or legal exposures.
6. Outages and attacks on availability
Cloud infrastructures are vast, but failures do occur -- usually resulting in highly publicized cloud outages. Such outages are caused by hardware problems and configuration oversights, precisely the same issues that plague traditional local data centers.
A cloud can also be attacked through distributed denial of service and other malicious mechanisms intended to impair the availability of cloud resources and services. If an attacker can render any public cloud resources or services unavailable, it will impact every business or cloud user that employs those resources and services. Cloud providers are adept at handling attacks, and support teams can help when specific business workloads are attacked.
Businesses and other public cloud users cannot prevent cloud outages and attacks, but they should consider the impact of such disruptions on their cloud workloads and data sources and plan for such events as part of their disaster recovery strategy.
Given the vast nature of public clouds, disaster recovery can usually be addressed through high availability architectures implemented across cloud regions or zones. Still, such postures are not automatic, and you must design them carefully and test regularly to ensure the business will be as unaffected as possible.