Adoption of cloud-based services in 2013 should spur new questions in most organizations about data continuity, data security and reliability, according to a new threat report.
Spend time with the lawyers and make sure that all your needs are met and requirements are clearly outlined so that both sides know their responsibilities when an incident takes place.
Chester Wisniewski, senior security consultant, Sophos
The Sophos 2013 Threat Report warns that businesses take on new risks when adopting cloud-based services. Risks that need to be addressed during contract negotiations, well before data is transferred to the service provider's massive data center. In some cases, cloud-based services increase an organization's attack surface and weaken the security controls and policies already in place, said Chester Wisniewski, a senior security consultant with the UK-based security firm.
"Spend time with the lawyers and make sure that all your needs are met and requirements are clearly outlined so that both sides know their responsibilities when an incident takes place," Wisniewski said.
Organizations need to consider three questions when adopting cloud-based services, he said.
1. How will information leakage be prevented?
Services such as Dropbox enable employees to easily store and share documents containing company data. While companies initially attempted to clamp down on third-party services such as Dropbox, today, some organizations are adding controls, such as encryption to ensure that sensitive data doesn't fall into the wrong hands, Wisniewski said. The security technology protecting the data should be deployed properly and in a way that makes it easy for users, he said. "You need to know that the data is secure before it goes up in the cloud," Wisniewski said.
Wisniewski believes cloud-based services have the potential to amplify an organization's broken approach to data security. There are ways to provide security controls that enable employees to access data with mobile devices or remotely tap into systems in the cloud. An Apple iPad app can provide encryption and decryption capabilities to provide another layer of protection. "Finance, sales and marketing people shouldn't have to be cryptography geniuses to protect data," he said.
"You have to clean up all the known stuff that is innocently happening and then look at what is remaining," Wisniewski said.
2. Are cloud providers being properly vetted and security standards being placed in contractual requirements?
Targeted attackers have learned that business partners, typically the smaller firms that service large enterprises, can be an entryway into a major corporate network. Manufacturers of parts in the aerospace and defense industries, shippers and suppliers can all potentially fall into an attacker's cross hairs, Wisniewski said.
"Cybercriminals are realizing that small companies that are business partners with the big guys have lax security but are still trusted entities," Wisniewski said. "It's become a real problem."
Contractual arrangements should include the ability to ensure a third-party's systems have been tested and have the appropriate security controls, he said. Cloud providers should provide proof that they are meeting security standards and provide a mechanism to allow independent testing to take place. "There are firms that have had PCI assessments within months of a credit card breach, so a piece of paper showing compliance doesn't hold that much weight," Wisniewski said.
Data retention, failover, incident response procedures, system monitoring and maintenance should all be clearly communicated in the contractual agreement. Ensure that if the relationship with the cloud provider sours, there is a way to get the data out and move on to another provider.
"If you're that paranoid and you can't come to an arrangement to properly protect the data to your standards, then you need to run your own data center," Wisniewski said. "Part of cost benefit of using companies out in cloud is that it is massively distributed; you don't know where your data is going to be. Some of those things are controllable by contract but other parts of it like who can pop a hard drive out of a server in many cases is beyond your ability to control."
3. Can you prevent snapshotting of virtual servers that capture current operating memory images—including all working encryption keys?
Rather than using public clouds, many firms are using virtual machines to set up private clouds within their own data centers. The approach is seen as a great way to reduce costs and improve efficiencies, said Wisniewski, but it also opens up questions about data security.
Extremely technical hypervisor attacks have been demonstrated by security researchers, but the risk of the sophisticated attack being used by a cybercriminal is minimal, experts say. Instead, organizations face potential pitfalls with virtual servers. Configuration errors and poor policies can open up weaknesses that can be used by an attacker to gain access to sensitive data. For example, whenever a virtual snapshot is taken of a system state – a common way to backup systems – often passwords and encryption keys are in memory because they have to be available to decrypt files. The snapshots are a great time saver and great backup mechanism, but it needs to be stored securely, Wisniewski said.
"You have to store encryption keys in memory, but you should obfuscate them in memory," he said.