Account credentials are a major cloud security issue because vulnerability scanners or penetration testing can't determine if they've been compromised or if they're being abused by attackers. Are there any cloud-specific ways to detect if cloud credentials have been stolen? What are the best ways to protect them?
Cloud credentials are definitely a weak spot in cloud security. Usernames and passwords are easily shared, and phishing attacks lure individuals into inadvertently disclosing credentials. As cloud providers and application developers become better at locking down code -- such as avoiding coding techniques that can be exploited by injection attacks -- the path of least resistance to compromising cloud systems may be user credentials.
Compromised credentials become a problem when they are used. If someone shared cloud authentication credentials with a fellow employee and that person left the company and never used the credentials, the organization might never discover the exposure. The first opportunity to detect compromised credentials will likely be when they are used. Metadata about an attempted login -- such as the geolocation of the IP address of the client device or the type of client device -- might indicate a potential problem. For example, if the owner of the credentials usually works in one office and is suddenly attempting to log in from a different part of the country, it could be an indication of compromised credentials -- or it could simply mean the person is on a business trip.
Other signs can lend more support to a hypothesis of compromise. Multiple simultaneous login attempts from different locations are one example; login attempts from geographic locations with no apparent business relationship to the organization are another. Constant monitoring of credential use is one way to detect compromised credentials, but the method is subject to potentially high rates of false positives if the detection rules are too strict. Conversely, weak detection rules may miss actual use of compromised credentials.
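The detection approach described above can be expressed as a small rule set over login metadata. The following is an added example (not code from the original answer or from any cloud provider): it takes constructed sign-in records, derives each user's usual location, and flags logins from countries with no business relationship, logins outside the usual city, and "impossible travel", including simultaneous logins from two places. The same data is run under a strict and a lenient policy to show the false-positive trade-off the answer describes. All cities, coordinates, users, timestamps and thresholds are constructed; a real deployment would read events from the provider's sign-in audit log and resolve locations with a GeoIP database.

```python
"""Toy detector for anomalous credential use driven by login metadata.
Added example, not from the original answer. Every login record, city
coordinate, country allowlist and threshold is constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table: city -> (latitude, longitude, country code).
GEO = {
    "Boston": (42.36, -71.06, "US"),
    "Chicago": (41.88, -87.63, "US"),
    "London": (51.51, -0.13, "GB"),
    "Lagos": (6.52, 3.38, "NG"),
}

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    city: str

@dataclass(frozen=True)
class Policy:
    """Tunable rules. Tighter values catch more abuse but raise false positives."""
    max_speed_kmh: float            # faster than this between two logins = impossible travel
    travel_window: timedelta        # only compare logins closer together than this
    business_countries: frozenset   # countries the organization actually works with
    alert_on_new_city: bool         # alert when a user logs in outside their usual city

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon, ...) tuples."""
    lat1, lon1 = radians(a[0]), radians(a[1])
    lat2, lon2 = radians(b[0]), radians(b[1])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse_log(lines):
    """Parse constructed '<ISO timestamp> <user> <city>' lines, oldest first."""
    logins = []
    for line in lines:
        ts, user, city = line.split()
        logins.append(Login(user, datetime.fromisoformat(ts), city))
    return sorted(logins, key=lambda l: l.ts)

def baseline_cities(history):
    """A user's usual city is the most frequent city in their past logins."""
    counts = defaultdict(Counter)
    for l in history:
        counts[l.user][l.city] += 1
    return {user: c.most_common(1)[0][0] for user, c in counts.items()}

def detect(history, new_logins, policy):
    """Return (user, rule, detail) alerts raised by the new logins."""
    alerts = []
    usual = baseline_cities(history)
    seen = defaultdict(list)  # user -> logins known so far, history first
    for l in history:
        seen[l.user].append(l)
    for l in new_logins:
        here = GEO[l.city]
        if here[2] not in policy.business_countries:
            alerts.append((l.user, "no_business_relation", l.city))
        if policy.alert_on_new_city and usual.get(l.user) not in (None, l.city):
            alerts.append((l.user, "new_location", f"{usual[l.user]}->{l.city}"))
        for prev in seen[l.user]:
            gap = l.ts - prev.ts
            if prev.city == l.city or not (timedelta(0) <= gap <= policy.travel_window):
                continue
            hours = gap.total_seconds() / 3600
            # Simultaneous logins from two different places would need infinite speed.
            speed = haversine_km(GEO[prev.city], here) / hours if hours > 0 else float("inf")
            if speed > policy.max_speed_kmh:
                alerts.append((l.user, "impossible_travel", f"{prev.city}->{l.city} at {speed:.0f} km/h"))
        seen[l.user].append(l)
    return alerts

# Constructed sample data: three days of normal use, then one day to examine.
HISTORY_LOG = [
    "2024-03-01T09:00:00 alice Boston",
    "2024-03-02T09:05:00 alice Boston",
    "2024-03-03T08:55:00 alice Boston",
    "2024-03-01T09:00:00 bob Chicago",
    "2024-03-02T09:10:00 bob Chicago",
]
NEW_LOG = [
    "2024-03-04T09:00:00 alice Boston",
    "2024-03-04T09:30:00 alice London",   # 30 minutes after Boston: impossible travel
    "2024-03-04T09:00:00 bob Chicago",
    "2024-03-04T14:00:00 bob Lagos",      # country with no business relation
    "2024-03-04T14:00:00 bob Chicago",    # simultaneous with the Lagos login
]

STRICT = Policy(500, timedelta(hours=24), frozenset({"US", "GB"}), True)
LENIENT = Policy(1000, timedelta(hours=6), frozenset({"US", "GB"}), False)

def run_example(policy):
    return detect(parse_log(HISTORY_LOG), parse_log(NEW_LOG), policy)

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("lenient", LENIENT)):
        print(name, len(run_example(policy)), "alerts:", *run_example(policy), sep="\n  ")
```

The strict policy raises six alerts on this data, the lenient one four. The two extra strict alerts are both "new_location" hits, and Alice's London login is exactly the business-trip case the answer mentions: a tighter rule surfaces it, and an analyst then has to decide whether it is travel or compromise. The simultaneous Chicago and Lagos logins, by contrast, fire under both policies, which is why events that cannot both be the legitimate user are the highest-confidence signal to alert on first.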
Two-factor authentication can help mitigate the risk of compromised cloud credentials, such as usernames and passwords or private keys. Decades ago, users had to keep a dedicated two-factor authentication device nearby, which was inconvenient and costly. Fortunately, two-factor authentication apps are now readily available for smartphones, essentially eliminating an old but significant barrier to adoption.
Related Q&A from Dan Sullivan