Comment: Cloud Security is not a Myth

"A truly secure public cloud is possible, but only if it is built upon a secure framework", says Chris Hinkley

Public cloud security is not impossible. It can be achieved. Debunking the myth that public clouds are inherently insecure requires enterprises to begin thinking differently about the cloud. The cloud does not solely concern servers or other on-premises technology; it is changeable and flexible, and it transforms every day. With these changes come better security and technology to protect ‘big data’.

Another aspect to take into consideration is the human factor. There will always be people involved in building and managing clouds, and there will always be people who want to attack them. Therefore, we need to consider these two key factors when businesses implement a cloud solution, with security as the primary concern.

First, let’s discuss technology and layers of security. "It's more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the cloud." This quote is from the ‘2011 Data Breach Investigations Report’, a study conducted by the Verizon RISK Team. There seems to be no evidence that specifically proves the cloud, if architected with security in mind, is any more or less secure than a dedicated environment. In fact, regulatory compliance such as PCI-DSS 2.0 for credit card information and HIPAA for healthcare data is regularly achieved in the public cloud. It seems the biggest reservation of organizations resistant to moving into the cloud is the fact that a majority of the infrastructure is shared.

Depending on your goals, there are essentially two key ingredients for true security in the cloud. The first, and most important, is separation. This is absolutely essential – not only should your data be segregated from other tenants on the infrastructure, your network traffic, virtual machines and even security policies should be separate as well.

For instance, although a firewall or web application firewall may be shared, in most cases, it's imperative that policy modification does not impact anyone other than the tenant it was modified for.

Network, data, virtual machines – they all should be segmented, so much so, in fact, that other public cloud tenants have no way of impacting security. Without this separation, or with limited separation, security and protection are at the mercy of other tenants on the same cloud. In a scenario where a cloud environment is shared with someone who happens to get exploited, or even rooted, the environment should not be adversely affected at all.

The other key ingredients are transparency and auditability. If you've decided to move to the cloud, how do you know you are getting what was advertised? Simply put, you don't. Transparency is essential in keeping tabs on your cloud hosting provider. Being able to see behind the curtain should allow you to understand exactly how your environment is being protected. Not only does it give you peace of mind, but it's required to perform regulatory compliance audits.

With data separation, and being able to keep a watchful eye on resources, most organizations are better off moving to the cloud from a security perspective. Reducing cost by only paying for resources you need, when you need them, is a substantial benefit, but being able to leverage a provider's security infrastructure is even more attractive. Most organizations don't have the expertise – or the budget – to implement security measures such as high-end firewalls, DDoS mitigation, VPN with two-factor authentication, web application firewalls, IDS, IPS, patch management, anti-virus and a host of other security measures. As a result, some may actually be more secure in the cloud.

In April 2011, Sony PlayStation players were compromised. The attack vector in this case is still unclear; however, experts have some ideas as to what may have caused this – all easily preventable.

The most likely vector, according to a diagram supposedly released by Sony explaining the hack, involves an attacker using a vulnerability in a Sony web application. Database credentials were most likely stored in plain text in a configuration file, so once in, the attacker was able to use the application server as a pivot point and view the database at their leisure. Leaked PSN access logs show multiple XSS and local file inclusion attempts (granted, there is no way to know whether or not those particular requests were successful).

Last year, Citigroup was hacked by criminals who stole more than 200,000 customer bank account details. This damage was done through what was apparently a trivial insecure direct object reference vulnerability – number four on the OWASP Top Ten. By simply manipulating the URL in the address bar, authenticated users were able to jump from account to account, as they did tens of thousands of times. This vulnerability could have easily been prevented or detected by avoiding direct references to account numbers, by secure code review, or by web application firewalls combined with application log monitoring and review.
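To make the controls named above concrete, here is an added example (not code from the article or from any organization it mentions) showing a per-session indirect reference map with a server-side ownership check, plus a simple review of the audit log for repeated denials. The account numbers, user names, function names and the threshold of three are constructed assumptions.

```python
import secrets
from collections import defaultdict

# Constructed sample data: account number -> owning user.
ACCOUNT_OWNER = {"4000001": "alice", "4000002": "alice", "4000003": "bob"}

class Session:
    """Authenticated session holding a per-session indirect reference map."""

    def __init__(self, user):
        self.user = user
        # URLs carry these random tokens; real account numbers stay on the server.
        self.refs = {secrets.token_urlsafe(16): acct
                     for acct, owner in ACCOUNT_OWNER.items() if owner == user}

def view_account(session, ref, audit_log):
    """Resolve a reference taken from the URL; return the account or None if denied."""
    acct = session.refs.get(ref)
    # Defence in depth: re-check ownership at access time, not only at map creation.
    allowed = acct is not None and ACCOUNT_OWNER.get(acct) == session.user
    audit_log.append((session.user, ref, allowed))
    return acct if allowed else None

def flag_enumeration(audit_log, threshold=3):
    """Log review: users denied on at least `threshold` distinct references."""
    denied = defaultdict(set)
    for user, ref, allowed in audit_log:
        if not allowed:
            denied[user].add(ref)
    return sorted(u for u, refs in denied.items() if len(refs) >= threshold)

if __name__ == "__main__":
    log = []
    alice = Session("alice")
    for ref in alice.refs:
        print("own account:", view_account(alice, ref, log))
    # References that are not in the session's map are refused and logged.
    for other in ("4000003", "4000004", "4000005"):
        print("foreign reference:", view_account(alice, other, log))
    print("flagged for review:", flag_enumeration(log))
```

Because the token map is built per session, a reference copied from another user's URL resolves to nothing, and every refusal leaves an audit record that log monitoring can act on.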

Essentially, organizations are failing to exercise the most basic care, and as a result they are routinely being compromised through low-hanging fruit. The most elementary of controls and security measures will prevent most breaches. For example, a large number of hacks contributing to data breaches had something to do with either compromised login credentials or the use of default or easily guessable credentials.

From a security perspective, there are a number of perceived obstacles to implementing a public cloud infrastructure. All of these may appear, at first sight, to be perfectly valid. This is largely because many existing public cloud environments have been built with capacity, connectivity, scalability and other core attributes for hosting as a priority, with security implemented as a secondary layer.

A truly secure public cloud is possible, but only if it is built upon a secure framework. This ensures that, no matter how hosting technologies change and develop, there is always a secure foundation underpinning the entire architecture.


Chris Hinkley, CISSP, is a senior network and systems security engineer with FireHost
