Cloud storage is becoming a popular commodity for both business and home users. Services such as Amazon S3, Box, Copiun and Thru boast feature-rich offerings that enable users to easily back up, sync and store documents and files.
However, while average consumers can use such services without many concerns, there are quite a few security considerations that organizations need to address when choosing a cloud storage service, ranging from encryption to data lifecycle management. One of the emerging areas of focus for enterprises is in defining and controlling access methodologies and controls to cloud-based storage implementations.
In this tip, we'll explain why cloud storage access control is a concern and what enterprises should consider when developing and implementing cloud storage access controls and architectures. We'll also discuss how to evaluate the controls in place within cloud providers' environments.
Cloud storage access control measures
For both cloud provider administrators and enterprise users, managing access controls and session security for access to the storage environment should be of paramount concern. For example, Jacob Williams’ presentation at the 2013 Black Hat Europe conference concerning Dropbox malware delivery, command and control, and data exfiltration illustrates why unfettered access to cloud storage repositories can be dangerous.
In 2012, reporter Mat Honan's iCloud account was hijacked, with social engineering tactics and possibly keyloggers involved in the breach. While a more consumer-focused example, the issue of access control was still put front and center due to the incident. Restricting who can access cloud storage, how they can access it and from where should be priorities when evaluating cloud storage options.
The following is a list of questions that enterprises should focuson with regard to access control mechanisms when implementing cloud storage services:
- Do management tools and other administrative applications store user passwords in an encrypted format? If so, what type? Is this encryption tested regularly? Also, does the storage management application allow for the configuration and enforcement of password length, type and duration?
- What types of secure connectivity are permitted to the cloud storage infrastructure? Are generally secure communications protocols such as SSLv3, TLS and SSH supported?
- Is there an active user session timeout? Without a reasonable timeout, the risk of session hijacking at idle client endpoints is considerably worse.
- Do the management tools support multiple administrator profiles to provide granular security levels? Administrative applications for accessing and configuring cloud storage should have configuration options that restrict administrator access based upon time, day and function. All administrator actions should be logged for auditing and alerting purposes, and those logs should be made available to enterprise security teams.
- Does the cloud storage management application have the ability to define granular roles and privileges? To maintain proper separation of duties and enforce the least-privilege principle, this capability should be considered mandatory.
In addition to these pivotal questions, the overall design and architecture of access methods to cloud storage infrastructure should be carefully scrutinized. One method that enterprises can consider is "CloudCapsule," an innovative approach to cloud storage access control put forth by the Georgia Tech Information Security Centers (GTISC) in its "Emerging Cyber Threats Report 2014." CloudCapsule makes use of a secure virtual machine locally that users can leverage to access cloud storage, with the data being encrypted automatically before transmission. This creates both a degree of separation between the user’s local system and data exchanged with cloud services while also enabling automated encryption for any data bound for a cloud environment. Following the model developed by GTISC, some organizations now require that all cloud storage services be accessible via virtual desktop infrastructure virtual machines, which can be carefully controlled and scanned with data loss prevention (DLP) policies.
Encryption gateways that interface directly with cloud storage providers are also becoming more popular. For example, CipherCloud proxies can automatically encrypt data bound for Amazon's S3, RDS and EBS storage services, as well as for storage providers such as Box. Endpoint security tools such as whitelisting and DLP agents can also be used to limit the installation of cloud storage clients, and new network-based monitoring tools from companies such as Skyhigh Networks can enable monitoring and control of access to cloud storage services.
We've established how an organization can scrutinize its own cloud storage access controls, but the internal access control measures within a cloud provider environment should be evaluated just as closely. When assessing a cloud storage provider, look for a number of distinct access control and data protection policies that should already be in place:
- First, administrative users, and particularly storage administrators, should be required to utilize strong authentication methods when accessing storage components and areas internally at the cloud provider.
- Provider storage environments should leverage isolation and segmentation techniques such as secure zoning, fabric authentication of switches and hosts beyond World Wide Name or iSCSI qualified name values alone, and secure administration of both individual switches and the entire fabric.
- Cloud providers should also ensure that the systems servicing each customer are segregated from other network zones both logically and physically, with separate firewalled zones created for Internet access, production databases, development and staging areas, and internal applications and components.
While cloud-based storage offers many advantages to willing enterprises, there are many security implications that can't be ignored before transferring valuable data to cloud storage providers. Thankfully, there are security vendors moving into this particular space to ensure that organizations can implement the proper access controls for cloud storage. As long as an enterprise does its homework beforehand and makes sure it has the answers to the above questions, cloud storage can represent a business advantage that is hard to ignore.
About the author
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft; as chief technology officer at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.