Many computer technology fields are adopting the cloud, and the trend is expected to continue due to its various advantages. Most enterprises are already using some kind of cloud-based service, so it's important to understand that despite the advantages, there are also cloud security threats that need to be addressed when moving there. The basic principle an enterprise needs to remember is that it cannot rely on the cloud service provider (CSP) to take care of every problem. Instead, companies have to communicate with the CSP and solve the issues together.
In this tip, we'll review the most important threats enterprises should be aware of before migrating to the cloud.
Cloud computing threats
When moving to the cloud, enterprises need to address the threats of cloud computing to enhance the security of the entire environment. Some of the most important security threats in cloud computing include:
- Ease of use: Cloud services can be easily used by businesses -- but they can also be easily used by attackers for malicious purposes like spamming, malware distribution, command-and-control servers, distributed denial-of-service (DDoS) attacks, password/hash cracking, etc.
- Vulnerable data transmission: Data transferred from clients to the cloud needs to be properly encrypted by using SSL/TLS, which prevents attackers from intercepting unencrypted data off the wire. Without encryption, the data can be intercepted by man-in-the-middle attacks; properly encrypted traffic, even if intercepted, can be hard to decrypt.
- Insecure APIs: Various web cloud services are exposed by APIs, which are accessible from anywhere on the Internet. Malicious attackers with the authentication/authorization token will be able to access the API in the customer's name and therefore be able to manipulate the customer's data. It's imperative for the CSPs to provide secure APIs to minimize the attack surface.
- Malicious insiders: CSP employees could have complete access to enterprise data and resources, so CSPs need to have security measures in place to track employee actions like viewing customer data. Since CSPs don't always follow the best security guidelines or security policies, employees can gather confidential customer information without being detected.
- Shared technology issues: CSPs use scalable infrastructure to support multiple tenants that share an underlying infrastructure with multiple layers. Each layer can be attacked by using different techniques such as exploiting a vulnerability in a hypervisor, breaking out of the virtual machine (VM) sandbox (Red/Blue Pill), unauthorized access to shared data through side-channel attacks, etc.
- Data loss: Data stored in the cloud could be lost due to a number of reasons. A hard drive could fail, a CSP employee could accidentally delete the data, or an attacker could modify or steal the data. The best way to protect against data loss is by having data backup in place that can restore data.
- Data breach: A VM could have access to the data of another VM on the same physical host, which could lead to a data breach. By having multiple VMs, each belonging to separate enterprises, on the same physical server, one company could have access to the data of another company. These attacks are known as side-channel attacks, in which data is stolen from shared components like the processor's cache, for instance.
- Account/service hijacking: If cloud access is only password protected, an attacker that knows the password will have equally easy access. Therefore, it's better to use two-factor authentication when available. This requires an attacker to also have access to the user's phone -- in the case that SMS messages are enabled for additional security -- to be able to access the cloud service.
- Unknown risk profile: When moving to the cloud, companies must have an accurate risk profile of their systems and infrastructure, even if they are off-premise. Software security updates need to be applied regularly, log monitoring needs to be enabled, IDS/IPS systems should constantly scan for malicious traffic, and SIEM needs to be used to gather all the data in one place. Additionally, multiple unknown attack techniques that haven't been discovered yet could be lurking on the Internet.
- Denial of service (DoS): An attacker can disrupt cloud services by issuing a DoS attack against the cloud service to render it inaccessible. There are several ways an attacker can disrupt the service in a virtualized cloud environment by using shared resources like CPU, RAM, disk space or network bandwidth.
- Lack of understanding: Enterprises should invest time and resources into education before moving to the cloud, because there's nothing worse than a company not knowing what it is getting itself into. The enterprises and the CSPs should agree on the services each will be taking care of. For example, if the CSP doesn't provide a backup strategy, the enterprise should. Users should understand the cloud security threats in order to properly defend against them, which is why proper education of users is an important aspect of enhancing the security when moving to the cloud.
See Infosec Institute's accompanying article on Maximizing SSH Security Service in the Cloud.
These are the most common threats to cloud computing in an enterprise environment, all of which need to be considered before moving services to the cloud. The migration can be done by the CSP or the enterprise, but in most cases it takes the cooperation of both to achieve maximum security. The enterprise shouldn't rely on the CSP to address and solve all cloud computing threats, but it should communicate with the CSP to determine the best ways to enhance security. The first step is to research and understand the threats lurking on the Internet before the problems are addressed. Additionally, a backup strategy should be in place to protect the data when a hard drive fails, the CSP goes out of business, or any other unforeseen circumstances occur. Most importantly, the problems should be solved through communication between the CSP and the enterprise to achieve maximum security.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and constantly writes security-related articles for his own website.