Top threats in a PaaS cloud service and how to avoid them
Platform as a Service offerings suffer from vulnerabilities, such as lax default application configurations and holes in Secure Sockets Layer (SSL) protocols, which should be monitored and mitigated.
In this tip, the third in our series of technical tips on cloud security, the focus is on the top Platform as a Service (PaaS) threats you are likely to encounter. In the Software as a Service (SaaS) model, the user relies on the provider to secure the application. In the PaaS model, however, control and security of the application is moved to the user, while the provider secures the underlying cloud infrastructure (i.e., firewalls, servers, operating systems, etc). Therefore, dealing with top concerns such as default application configurations, flaws in Secure Sockets Layer (SSL) protocol and insecure permissions on data becomes a user necessity.
This tip will present a group of persistent threats that a user can mitigate on his or her own, not those that a provider is relied on to extinguish.
From my experience, here are the most likely threats you'll have to deal with in a PaaS offering:
- Default application configurations
- SSL protocol and implementation flaws, and
- Insecure permissions on cloud data
While many more risks and vulnerabilities exist, the ones listed above are the most likely to affect you and your deployment. Remember that the threats to SaaS previously discussed are still applicable and must be alleviated as well.
Default application configurations
When running an application on a cloud infrastructure, the odds that the application is secure in its default configuration are probably zero. Thus, making changes to the default application installation will be the number one security mitigation that you will perform. Familiarize yourself with the security configuration of the following applications, meaning know how to secure them if you use them, as they make up roughly 80% of all applications that exist in the cloud:
- LAMP: In the LAMP (a common configuration based on Linux, Apache, MySQL, and PHP) stack, Apache, MySQL and PHP will require your focus and expertise.
- Windows: In a Windows environment, you will need the ability to secure Internet Information Services (IIS), Microsoft SQL and .NET , which is basically a Windows LAMP equivalent.
As far as practical mitigation steps for the above items, the three top things to look for are:
- Default and sample files and directories left after installation.
- Excessive services offered, such as WebDAV, FrontPage, Lightweight Directory Access Protocol (LDAP), Simple Network Management Protocol (SNMP) and so on.
- Default usernames and passwords for application administration (typically Web or SNMP).
If you need more information than these issues listed here, you should go to the specific vendor site for security configuration recommendations.
SSL protocol and implementation flaws
The second greatest threat to PaaS users will be SSL-based attacks. SSL is the underpinnings of most of the "security" utilized in the cloud and, for that matter, the Internet in general. The current focus of the hacking community on breaking SSL will become a major exploit vector in the near future. Understanding this and taking all possible steps to mitigate attacks on SSL must be secondary only to making sure the applications are not open to default attacks.
To give some scope to the problem, in November 2009 a protocol-level bug in SSL opened up a number of man-in-the-middle (MITM) attacks related to renegotiation. Since this is a flaw in the protocol, any implementation that was based on the protocol has to be patched. Another occurrence early last summer showed how to spoof an SSL certificate by adding a "null" string character to the certificate fields, which subsequently fools the client into thinking it was talking to the real server. These are just several of the recently research attacks on SSL. There will be more, and you will need to be diligent.
As far as mitigating these threats, they will be very implementation specific. You will need to rely on the application vendor to provide details on how to apply the correct configuration and/or patches in a timely manner. Timeliness is critical here; make sure you have a change management program that will allow patches and changes to SSL to occur quickly.
Insecure permissions on cloud data
The third major threat that PaaS users will need to address is insuring the proper permissions on data stored in the cloud. While this may seem like a given, many of the applications I have performed security testing on have had serious information leakage, as the data's underlying permissions were not set correctly. From a security standpoint, this means that too much access had been granted.
The mitigation for this threat is twofold: Design your application to use granular security, and ensure all users of the application are required to authenticate prior to using the application. This way, you can apply appropriate permissions to the data and the application can make access control decisions based on user authentication.
These are the top three "real" threats in a public cloud PaaS offering. Properly securing your applications, dealing with SSL issues in a very quick manner and assigning user accounts and applying appropriate access permissions based on the user and/or role will be very effective in making your PaaS offering secure.
As a final note, I cannot overstate my concern over the SSL-based issues that will be surfacing over the next year or so. Do not underestimate the depth and extensiveness of the problem.
ABOUT THE AUTHOR:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.
His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).
Phil holds a BS in Computer Science from the College of Charleston
Discover how to create hybrid clouds past Azure