It's no secret that there are risks to putting data, systems and applications into cloud environments. Organizations like the Cloud Security Alliance (CSA) have been describing risks in a variety of cloud deployment models for some time now, and in a May 2015 report titled, Mistakes in the IaaS cloud could put your data at risk, Symantec described a number of major areas that could pose risks to customers of infrastructure as a service (IaaS) cloud services. In an interview, Bill Murray, senior manager of security programs at Amazon Web Services, stated his biggest concern regarding cloud security is that customers won't apply fundamental security best practices to the IaaS assets they deploy and manage. This aligns with the results of Symantec's research, which found 0.3% of 16,000 discovered cloud domains had easily guessable folder structures that were not only accessible, but led to 11,000 files that contained sensitive data like credit card transactions, usernames and passwords, and email addresses becoming readable to anyone. The researchers also discovered a number of leaked and accessible credentials, some of which were hardcoded into applications.
The top issues Symantec discovered during its cloud security research include insecure interface APIs, shared resources, data breaches, malicious insiders and misconfiguration issues. All of these align with the CSA report, The Notorious Nine: Cloud Computing Top Threats in 2013, which describes these issues and several more. Symantec discovered some concrete examples of these data security IaaS risks during its research, however, which should provide food for thought as organizations implement and evaluate cloud services today.
Watch out for insecure APIs
A core theme of the Symantec report is that many of the most serious IaaS risks are largely due to cloud administrator misconfiguration or lack of attention to security controls within the operating systems, applications and cloud management interfaces. The first major risk listed is the lack of secure APIs, which are frequently offered by cloud providers to allow more seamless integration with their services and management of those services. While providers are responsible for offering secure APIs and patches, customers should perform their own evaluation of the APIs, including the transport methods supported and what data is sent back and forth during interaction with the provider. Updates to APIs or applications could easily lead to compatibility issues or even data exposure scenarios, too, so customers should test their exposure from API interaction on a regular basis.
Cloud provider responsibilities
Cloud users alone cannot wholly mitigate insider threats, of course -- the cloud provider must monitor activity and implement sound separation of duties and privilege management processes and controls. The report explicitly mentions storing encryption keys in the cloud, where a malicious insider could potentially access them. The same problem exists for hypervisor vulnerabilities -- customers have no visibility into hypervisor configuration or controls, and so providers will need to be attentive to patches and new flaws related to virtualization platforms and tools in use. Most cloud providers also have strong controls in place for distributed denial-of-service attacks, as well as controlling data loss. However, users are not controlling access to cloud account credentials or monitoring IaaS logs for illicit activity or account usage. Attackers are selling cloud service accounts for $7 to $8 each on underground marketplaces.
Protecting against IaaS attacks
Symantec's report describes a number of different attacks that could ensue against IaaS environments, including storage enumeration, leaked access tokens and more. Cloud customers are recommended to thoroughly investigate cloud provider security controls and service-level agreements before engaging them for IaaS. Customers should leverage multifactor authentication whenever possible, encrypt data to mitigate insider threats and maintain control of keys, and start focusing more than ever on logs available in the cloud environment. Scanning cloud-based systems regularly for vulnerabilities is also a best practice.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
Find out what policies should be in a cloud infrastructure security program and some best practices for server configuration management on IaaS clouds