Account credentials emerge as a weak spot for cloud app security

Experts say attacks on cloud application credentials are increasing, and vulnerability scans and penetration tests can't tell if an account has been compromised.

Unauthorized access to cloud applications has emerged as a growing area of concern for enterprises, as security experts say compromised credentials represent a blind spot for cloud app security.

A variety of cloud security professionals told SearchCloudSecurity that one of the biggest cloud security risks -- compromised credentials -- can't be detected through vulnerability scanners and penetration testing. Credentials can be compromised simply by being shared with unauthorized users or by being exposed to third parties outside of the enterprise, or they can be stolen by attackers seeking to gain entry into cloud applications and services, which could allow them further access to the corporate network.

As a result, if credentials to a cloud application have been stolen in a phishing attack or drive-by download, an attacker could access the app without setting off any red flags, because it's a valid login. Unless an enterprise regularly monitors cloud account usage patterns and looks for anomalies (such as logging in from a foreign country), intruders could use the app and potentially access sensitive data, all while avoiding detection from vulnerability scanners and penetration tests.

Tim Byrne, product manager at Boston-based security vendor Core Security Inc., which offers vulnerability scanning and pen testing, said such products and services are crucial for any enterprise using the cloud. But he also said those critical components will only go so far.

"The biggest issue with any cloud app out there is the credentials -- how do you know they're not compromised?" Byrne said. "That's something that is really hard to determine."

That's not to say that vulnerability scanners or penetration testing ignore cloud credentials altogether -- quite the opposite. Jonathan Trull, CISO of security vendor Qualys Inc., based in Redwood City, Calif., said as part of his company's cloud vulnerability scans, it tests cloud app passwords using brute-force attacks. But the scans can't determine if credentials have been stolen or if an account has been compromised.

"The scan will test the strength of the password," Trull said, "but it doesn't test if it's been compromised."

Results of a recently released survey echo the experts' concerns. Crowd Research Partners recently polled more than 1,000 security professionals via the Information Security Community on LinkedIn and found cloud credentials were a top worry.

When asked what the biggest cloud security threat was, 63% of respondents cited unauthorized access to public cloud services, which was the highest response on the survey. In addition, hijacking of public cloud accounts was the second biggest concern at 61%.

Morey Haber, senior director of endpoint and vulnerability management solutions at Phoenix-based security vendor BeyondTrust Inc., said there's good reason for concern about cloud app security and compromised credentials. Haber said BeyondTrust sees more attacks aimed at obtaining account credentials rather than direct attacks on the cloud app or service.

"What you don't find today is a lot of websites and Web applications getting hacked directly and having their data exposed, because there's better coding now," Haber said. "But what we're seeing more of is spear phishing and other attacks aimed at the credentials."

So while scanners can validate user credentials, they can't necessarily tell when an account has been compromised, or even if it is being used by an attacker during the scan. BeyondTrust's vulnerability scanning product BeyondSaaS, for example, validates customers through their Microsoft Live credentials and also provides two-factor authentication. But, Haber said, BeyondSaaS can't tell if a malicious actor has also gained access to those credentials.

Cloud scanning complexities

There are many complicating factors when it comes to scanning and testing cloud credentials. Because cloud and Web applications are usually hosted outside the customer's own infrastructure, vulnerability scanners and penetration tests have limited access and visibility into the application infrastructure; as a result, it's difficult for third parties to ascertain if someone has gained unauthorized access to an app.

In addition, experts say that many of the security measures used to protect account credentials, such as identity management and access control, make it harder to test them effectively without crashing the application or locking the account.

"The login credential piece is a critical piece. How do you properly test them?" Haber said. "If you keep adding layers of identity management and credentials over these cloud apps, you'll never be able to test them without blowing them up."

There are other complicating factors for cloud app security as well, according to Core Security's Byrne, including support for simultaneous logins, which make it more difficult for security professionals to determine exactly who is using the account besides the designated account owner. Additionally, most scanning and automated pen testing can't determine, for example, how many people are logged into a specific cloud app, where they are logged in from, and other related information that could be used to identify a potential threat.
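The usage-pattern monitoring mentioned earlier (flagging a valid login from an unfamiliar country) and the simultaneous-login visibility discussed above can both be approximated from sign-in logs. The following is an added example, not code from the article or from any vendor named in it; the event layout, the one-hour session window, the two-login baseline and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (user, ISO timestamp, source IP, country).
# The field layout is an assumption; real cloud audit logs differ per provider.
SAMPLE_EVENTS = [
    ("alice", "2015-06-01T08:02:00", "198.51.100.10", "US"),
    ("alice", "2015-06-02T08:05:00", "198.51.100.10", "US"),
    ("bob",   "2015-06-02T09:00:00", "198.51.100.22", "US"),
    ("alice", "2015-06-03T08:01:00", "198.51.100.10", "US"),
    ("alice", "2015-06-03T08:20:00", "203.0.113.77",  "RO"),
    ("bob",   "2015-06-03T09:10:00", "198.51.100.23", "US"),
]

SESSION_WINDOW = timedelta(hours=1)  # assumed lifetime of a session after login


def find_login_anomalies(events, baseline_logins=2):
    """Return (user, timestamp, reason) for valid logins that break the user's pattern."""
    seen_countries = defaultdict(set)   # user -> countries seen so far
    login_count = defaultdict(int)      # user -> number of logins processed
    recent = defaultdict(list)          # user -> [(time, ip)] inside SESSION_WINDOW
    alerts = []
    for user, ts, ip, country in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        # Only flag a new country once the user has a baseline to compare against.
        if login_count[user] >= baseline_logins and country not in seen_countries[user]:
            alerts.append((user, ts, f"first login from {country}"))
        # Overlapping sessions from different source addresses.
        recent[user] = [(t, a) for t, a in recent[user] if when - t <= SESSION_WINDOW]
        others = sorted({a for _, a in recent[user] if a != ip})
        if others:
            alerts.append((user, ts, f"concurrent session with {', '.join(others)}"))
        recent[user].append((when, ip))
        seen_countries[user].add(country)
        login_count[user] += 1
    return alerts


if __name__ == "__main__":
    for alert in find_login_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Both alerts fire on the same successful login, which is the case a password-strength scan never sees; a change of source address on a later day, with no overlapping session, is not flagged.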

Much of the work to verify that account credentials are protected has to be done manually, account by account, according to Matt Johansen, manager of WhiteHat Security Inc.'s Threat Research Center in Santa Clara, Calif.

"You probably have to do manual pen testing and scanning on account credentials and logins," Johansen said. "And that can take a lot of time, depending on the situation."

An even bigger risk than the compromise of individual accounts, Johansen said, is the potential compromise of administrator control panels. Many cloud apps have admin control panels and dashboards that aren't protected by anything more than a username and password, making them as vulnerable as standard user accounts.

"Once that happens," Johansen said, "they can do a lot of damage, like exposing encryption keys."

Finally, the proliferation of "Shadow cloud," or cloud apps and services employees use without IT departments' knowledge or approval, makes the task of controlling credentials even more challenging.

Byrne said Core Security offers cloud discovery services, which are designed to identify shadow cloud apps and services within an enterprise, but he said the risk of compromised credentials grows as employees use more shadow cloud.

Until better automated scanning and testing methods are devised for cloud and Web applications, Johansen said enterprises need to be mindful that attackers are targeting their account credentials to gain access to cloud resources and should do whatever they can to protect them.

"That's the quickest and easiest way into the application," he said. "You have to look at these things the way hackers look at it."
