The recently released 2014 Cloud Security Report from Alert Logic Inc. indicated a recent increase in cloud attacks....
But are enterprise cloud infrastructures prepared to hold up against them?
The types of controls available for configuration and control by consumers will depend on the cloud services model employed. For software as a service (SaaS) implementations, the only configuration possible is within the context of the cloud application. This configuration could consist of logging and access controls, such as password policies and multifactor authentication, (MFA), as well as role and privilege assignments within the application. For platform as a service (PaaS) deployments, administrative controls are available within the service console, mostly focused on access controls and roles and privileges for users. Most PaaS environments also offer access to numerous application programming interfaces (APIs), which need to be carefully assessed for potential security issues.
In this tip, we'll discuss best practices organizations should follow for evaluating cloud security controls.
Vulnerability scanning and penetration testing
Vulnerability scans and penetration tests are necessary for all PaaS and infrastructure as a service (IaaS) cloud services. Whether they're hosting applications or running server and storage infrastructure in the cloud, the security posture of systems exposed to the Internet must be evaluated. Most cloud providers will agree to scans and testing, but will require coordination with the client and/or testers beforehand to ensure other tenants don't experience disruption or performance impacts.
For testing APIs and application integration with PaaS and IaaS environments, enterprises working with cloud providers should focus on data exposure in transit and potential illicit access to applications and data by way of authentication bypass or injection flaws.
Arguably one of the most important elements of cloud security is configuration management, including patch management.
In a SaaS environment, configuration management is handled entirely by the cloud provider. Customers should have some idea of patch and configuration management practices for providers via Statement on Standards for Attention Engagements (SSAE) 16 Service Organization Control (SOC) reports or ISO certifications, as well as Cloud Security Alliance Security, Trust and Assurance Registry attestations, if those are available.
In PaaS environments, platform builds and patching are handled by the provider. Application configuration and development libraries and tools may be managed by the enterprise customer, so secure configuration standards should still be defined internally. These standards should then be applied and monitored within the PaaS environment.
For IaaS environments, cloud providers should attest to their internal practices, but their customers also manage their own virtual machines (VMs). These should be locked down as securely as possible, given the exposure level within the cloud. Starting with security configurations from the Center for Internet Security, Microsoft, and other operating system and application providers is a sound approach, but enterprises shouldn't be satisfied with secure configurations run internally, as the cloud is naturally more exposed. Turn off all unnecessary services, remove any unneeded applications and code, limit user and group access to the bare minimum needed, and consistently keep the systems patched.
For IaaS environments where customers are running a private cloud implementation, a variety of network controls may also be configurable. For example, a virtual private cloud within Amazon Web Services can support a dedicated VPN connection via IPsec. Ensure the IPsec association parameters are configured properly, and any other network appliances (such as firewalls and intrusion detection and prevention systems) are correctly set up and protected.
Cloud provider security controls
Where does the cloud provider fit into the security configuration process? The cloud provider is responsible for all infrastructure it operates, including virtualization technology, networking and storage. It is also responsible for its code, including management interfaces and APIs, so some evaluation of its development practices and systems development lifecycle are warranted. Only IaaS customers will have any real control over full system specifications; if VMs are deployed from a provider-supplied template (an Amazon Machine Image, for example), these should also be carefully scrutinized and secured before use.
How should an organization determine the amount of time, effort and money it will invest in hardening itself against cloud attacks? The answer will depend on the sensitivity of its systems and data that are hosted in the cloud.
Regardless of sensitivity, all enterprises should invest time in evaluating cloud providers' security capabilities and controls, and determine whether they are satisfactory. The Cloud Security Alliance's Consensus Assessments Initiative Questionnaire, or CAIQ, is a good starting point for asking questions of cloud providers. Companies should ensure their audit and security teams regularly review the responses, as well as audit and attestation reports like a SOC 2. For systems and applications deployed in the cloud, patching; configuration management; and application security (both development and assessment) are the most important areas to invest in. User access control and assignment of roles and privileges are also critical.
Before attacks or incidents occur in cloud environments, it is critical that organizations understand as much as possible about the security controls maintained by providers, as well as those available for use by consumers, as this will drive more informed risk decisions overall.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager at several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
Learn more about cloud security controls as the sphere of influence shifts.
For more best practices for locking down your cloud, check out our essential guide.