As companies move to Cloud the definition of their platform will dictate how much responsibility they bare in maintaining each layer. This is commonly demonstrated as in the Microsoft Azure Service Model diagram detailed below. The commonly overlooked threat contained within this is exclusion of security responsibility. Each level that the consumer is responsible for includes security considerations.
Figure 1: Azure Shared Responsibility
Security considerations could include data protection, within IaaS and PaaS, as well as critical vulnerabilities that need identifying and mitigating when maintaining an O/S in an IaaS setup. Businesses need to take a risk-based approach across all security aspects no matter which service model is chosen, taking a due diligence approach when the provider owns responsibility, and an active position when it’s your own responsibility.
Both AWS and Azure have around 25 service categories, composed of hundreds of different services each with their own settings and configurations. With the wealth of services available it is almost inevitable that there will be misconfiguration with different levels of risk and cost. Examples of which are, via unrequired cloud resources, or through security breaches. In 2017 as many as 7% of S3 buckets were seen to be public and 35% were unencrypted, which helps to explain why data leaks were so common and so large. One catastrophic misconfiguration failure was Voter Record leak which exposed 198 million voter personal records after a bucket was left unsecured. When new services can be created and exposed in an instant, traditional controls and change management needs to be adapted and reinforced. Instead, automation and continuous scanning technologies should be implemented to catch and alert misconfigurations before they have a chance to expose security vulnerabilities. Internal tools can aid in this, AWS native Trusted Advisor or Amazon Inspector and for Azure the Security Centre recognise and recommend actions based on your Cloud Infrastructure. Even well configured Vulnerability Scanners can offer services to scan and report on misconfigurations.
By its design Cloud is accessible by worldwide audience. Key terminals used to maintain a consumer’s infrastructure is no longer limited to a single computer. Although measures can be applied to reduce the attack vector to allow only trusted address sources, user identity & access process is an even more critical process to maintaining a secure infrastructure. Although this sounds simple, the intricate login landscape has complicated the system for users and created vulnerabilities for attackers to exploit.
Organisations should move to implementing advanced Single Sign On (SSO) solutions which harness SAML to simplify the login experience. The simplification then has a dual benefit. It makes it easier on users. Only needing to remember one account avoids login fatigue, and it allows the organisation to use further advanced identity and access management solutions to harden the single point of entry.
Some of the key hardening practises are moving towards being standard not only for business infrastructure but also for our day to day lives. Many of us now use MFA in a variety of accounts and for good reason. Microsoft states that “MFA can block over 99.9 percent of account compromise attacks” which is a huge figure for a feature that is moving towards the normal and configuring this should be a high priority. Beyond this, a regular account audit should be built into the IAM controls, removal of old and out of use accounts forms the basis of these. A more mature IAM system should consider moving towards the principle of least privilege utilising Zero Standing Privileges and Just In Time Privileges to eliminate the vulnerable standing privileges.
As companies take advantage of the ease and flexibility of cloud there can be a push to mitigate infrastructure in design that is not fit for purpose. As a result, functionality takes president whilst the security takes a back seat – the companies cloud offerings become functional at the cost to the security infrastructure and strategies.
Security architecture should be developed alongside business goals to give a thorough security architecture framework that is built for the cloud. This needs to consider areas such as open ports, as well as routine vulnerability assessments. An ideal system not only maintains a threat model but has continuous threat and vulnerability and security assessments to maintain security in an evolving cloud environment.
Businesses have been using and securing on-prem services for decades alongside the engineers who have vast experience this this area. In the move to Cloud Engineers suddenly need to be experts not only in their existing on-prem infrastructure but also in a variety of Cloud technologies. This is where partners can be leveraged. By using their experience in Cloud setup and maintenance the overnight expertise can be sidestepped creating a baseline security infrastructure built in from the outset.
As Cloud infrastructure is worldwide, our considerations also need to be worldwide whilst remembering that our data still physically exists in a data centre somewhere. This is crucial when it comes down the regulation compliance. The often-confusing world of rules and regulations is muddled further when the storage and data transfer exist over multiple countries and regions. Cloud Data centres can be in remote areas to take advantage of cheap power and data connections, so the consumer needs to be aware of where their information is truly stored. The consumer and provider need to have a transparent relationship which details were their data is being stored as well as the local jurisdictions and laws that apply there.
Compliance cannot be seen as simply a check box exercise. It needs to be embedded in culture, working throughout the organisation to impact the technology, the processes and equally important is ensuring this is embedded in the employees. When compliance becomes part of a company’s culture this moves away from an internal exercise and becomes part of their identity, creating value in their conduct.
Through this blog we have investigated five threats that Cloud infrastructure and its consumers face, all of which require careful consideration both as businesses adopt the cloud, and as an ongoing concern as your services mature over time. Each of these topics have been touched upon via a high-level introduction as a starting point leading to further conversations about Cloud and the threats that can materialise.