Companies are no longer hesitating to move to the cloud, but concerns remain about the security risks of migrating applications and sensitive data to an environment exposed to attackers. Rarely does a day go by without news of a major cyber attack. But the cloud is here to stay. Rather than delaying the inevitable, it is best to understand the potential risks and take the actions needed to avoid them.
The first step to minimizing risk in the cloud is to identify the most critical security threats. In a recent report, the Cloud Security Alliance (CSA) identified the 12 major threats to cloud computing that organizations face in 2016. The CSA released the report to help customers and cloud providers focus their defensive efforts.
The shared, on-demand nature of cloud computing introduces the possibility of new security holes that can erase the gains made by adopting cloud technology, the CSA said. As noted in previous reports, cloud services let users bypass organization-wide security policies and set up their own accounts as shadow IT projects. New controls need to be put in place to prevent this.
The CSA's latest release on the top threats of 2016 details some of the most common security threats businesses will have to deal with in the cloud.
Cloud platforms face many of the same threats as traditional corporate networks, but the large amount of data stored on cloud servers makes them an attractive target. The severity of the potential harm depends on the sensitivity of the data held in the cloud. Exposure of personal financial information tends to get the most attention, but breaches involving trade secrets, health information, and intellectual property can be even more devastating.
When a data breach occurs, companies can incur fines or face lawsuits or criminal charges. Breach investigations and customer notifications can add up to significant costs. Indirect effects, such as brand damage and lost business, can affect an organization for years.
Cloud providers deploy security controls to protect their environments, but customers remain responsible for protecting their own data in the cloud. The CSA recommends that organizations use multifactor authentication and encryption to protect against data breaches.
Interfaces and APIs
Virtually all cloud services and applications now offer APIs. IT teams use these interfaces and APIs to manage and interact with cloud services, including provisioning, management, orchestration, and monitoring.
The security and availability of cloud services, from authentication and access control to activity monitoring, depend on the security of the APIs. The risk increases when third parties depend on these APIs and interfaces, because the organization has to expose more services and credentials. Weak interfaces and APIs expose the business to security issues affecting availability, integrity, confidentiality, and accountability.
APIs and interfaces are used to interact with the cloud and with company applications, and they tend to be the most exposed part of a system because they are reachable from the open Internet. The CSA recommends adequate controls as the "first line of defense and detection." Threat modeling of applications and systems, including data flows and architecture, becomes an important part of the development life cycle. The CSA also recommends security-focused code reviews and rigorous penetration testing.
Compromised credentials and broken authentication
Data breaches and other attacks are often the result of lax authentication, weak passwords, and poor management of passwords or certificates. Companies often struggle with access management as they try to assign permissions appropriate to each user's job role. More importantly, they sometimes forget to remove user access when a job function changes or a user leaves the organization.
Multifactor authentication systems such as one-time passwords, phone-based authentication, and smart cards protect cloud services by making it much harder for attackers to log in with stolen passwords. The Anthem breach, which exposed more than 80 million customer records, was the result of stolen user credentials. Anthem had not implemented multifactor authentication, so once the attackers had the credentials, nothing else stood in their way.
Many developers make the mistake of embedding credentials and encryption keys in source code and then leaving that code in public repositories such as GitHub. Keys must be adequately protected, and a well-secured public key infrastructure is necessary, says the CSA. System administrators also need to rotate keys periodically so that attackers cannot keep using keys they obtained without authorization.
Organizations that plan to federate identity with a cloud provider need to understand the security measures the provider uses to protect the identity platform. Centralizing identity in a single repository has its risks. Organizations must weigh the convenience of centralized identity against the danger that the repository becomes a very high-value target for attackers.
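A pre-commit or CI check is the cheapest place to catch the embedded-credential mistake described above. The following scanner is an added example (not the CSA's or GitHub's tooling): it looks for the documented shape of AWS access key ids, PEM private key headers, and `name = "literal"` assignments with secret-like names, reports each finding with the value redacted, and attaches a Shannon entropy score to help triage placeholders from real keys. The sample files and the "AKIAIOSFODNN7EXAMPLE" id are constructed (the latter is the example id used in AWS documentation, not a live key); the pattern set is a starting point, not an exhaustive list.

```python
"""Scan source text for embedded credentials (illustrative code added here; patterns and samples are constructed)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

PATTERNS = {
    # AWS access key ids have the documented shape AKIA + 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, any common flavour.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # name = "literal" assignments whose name suggests a secret; group 2 is the value.
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score noticeably higher than words like 'changeme'."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so the finding can be triaged without copying the secret around."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                # Use the last capturing group as the secret value when the pattern has one.
                value = match.group(match.lastindex or 0)
                findings.append(Finding(path, line_no, kind, redact(value),
                                        round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> text, standing in for a repository checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository: two bad habits and one correct pattern (secret read from the environment).
SAMPLE_FILES = {
    "settings.py": (
        'import os\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # constructed; AWS documentation example id\n'
        'db_password = "s3cr3t-Hunter2-9Xq"\n'
        'token = os.environ["API_TOKEN"]  # correct: supplied at runtime, not committed\n'
    ),
    "deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEXAMPLE...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line} {finding.kind} {finding.redacted} (entropy {finding.entropy})")
```

Run it over a real checkout by building the `files` dict from the working tree, or wire `scan_text` into a pre-commit hook so the push that exposes the key never happens; rotating any key that does get flagged is still required, since a redacted finding does not undo the exposure.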
Exploited system vulnerabilities
System vulnerabilities, or exploitable bugs in programs, are not new, but they have become a bigger problem with the advent of multitenant computing in the cloud. Organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces.
The CSA notes that attacks on system vulnerabilities can be mitigated with basic IT processes. Best practices include regular vulnerability scanning, prompt patch management, and quick follow-up on reported threats.
According to the CSA, the cost of mitigating system vulnerabilities is relatively small compared with other IT expenses. The spending required to put processes in place to discover and fix vulnerabilities is also small compared with the potential damage. Regulated industries need to patch as quickly as possible, preferably as part of an automated and repeatable process, as the CSA recommends. Change control processes that cover emergency patching ensure that remediation activities are properly documented and reviewed by technical teams.
The insider threat has many faces: a current or former employee, a system administrator, a contractor, or a business partner. The malicious agenda ranges from data theft to revenge. In a cloud scenario, a determined insider can destroy entire infrastructures or manipulate data. Systems that rely solely on the cloud provider for security, for example for encryption, are at greatest risk.
The CSA recommends that organizations keep control of the encryption process and keys, segregate duties, and minimize user access. They must also implement effective logging, monitoring, and auditing of administrator activities.
It is easy to misinterpret a clumsy attempt to perform routine work as malicious insider activity. An example might be an administrator who accidentally copies a confidential customer database to a publicly accessible server. Training and proper management to prevent such errors become more critical in the cloud, because of the greater potential exposure.
Account hijacking
Phishing, fraud, and software exploits continue to succeed, and cloud services add a new dimension to the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application as a base from which to launch other attacks.
Organizations should prohibit the sharing of account credentials between users and services, and should enable multifactor authentication wherever it is available. Accounts, including service accounts, must be monitored so that every transaction can be traced to a human owner. The key is to protect account credentials from being stolen, according to the CSA.
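The two preceding sections ask for the same thing from a detection standpoint: administrator activity must be logged and reviewed, and every account, service accounts included, must be traceable to a human owner. The following is an added example (not the CSA's, and not a vendor tool) that runs three rules over constructed CloudTrail-style events: flag privileged API calls for review, flag privileged calls that originate outside the trusted network range, and flag any action by a service account that carries no `owner` attribute. The action list, the `owner` field on service identities, the trusted range and the event records are all assumptions made for the example.

```python
"""Flag privileged and untraceable actions in CloudTrail-style events (illustrative code added here)."""
import ipaddress

# Constructed list of actions worth a human look; extend it for your own environment.
PRIVILEGED_ACTIONS = {
    "CreateUser", "AttachUserPolicy", "CreateAccessKey",
    "PutBucketAcl", "StopLogging", "DeleteTrail",
}
# Assumed corporate range; privileged calls from anywhere else are suspicious.
TRUSTED_NETWORKS = ["10.0.0.0/8"]

# Constructed sample events in a CloudTrail-like shape. The `owner` field on service
# identities is an assumption for this example (it stands for a tag maintained by IT).
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventName": "ListBuckets", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "ev-2", "eventName": "AttachUserPolicy", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "ev-3", "eventName": "CreateAccessKey", "sourceIPAddress": "10.5.5.5",
     "userIdentity": {"type": "service", "userName": "svc-backup"}},
    {"eventID": "ev-4", "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "ev-5", "eventName": "PutBucketAcl", "sourceIPAddress": "10.2.2.2",
     "userIdentity": {"type": "service", "userName": "svc-ci", "owner": "alice"}},
]


def audit_events(events, trusted_networks=TRUSTED_NETWORKS):
    """Return (eventID, userName, reason) triples, one per rule an event trips."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        name = ident.get("userName", "<unknown>")
        reasons = []
        if ev.get("eventName") in PRIVILEGED_ACTIONS:
            reasons.append("privileged_action")
            src = ipaddress.ip_address(ev["sourceIPAddress"])
            if not any(src in net for net in nets):
                reasons.append("privileged_action_from_untrusted_network")
        # Service accounts must be attributable to a person, whatever they do.
        if ident.get("type") == "service" and not ident.get("owner"):
            reasons.append("service_account_without_owner")
        alerts.extend((ev.get("eventID"), name, reason) for reason in reasons)
    return alerts


def alerts_by_user(alerts):
    """Roll the alert list up per account, a convenient view for a daily review."""
    summary = {}
    for _event_id, name, reason in alerts:
        summary.setdefault(name, []).append(reason)
    return summary


if __name__ == "__main__":
    for event_id, name, reason in audit_events(SAMPLE_EVENTS):
        print(f"{event_id} {name:<12} {reason}")
```

In practice the events come from the provider's audit trail export rather than an inline list; the rules stay the same, and the "privileged_action" hits are the ones the CSA's recommended admin-activity audit should be reviewing regularly.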
Advanced Persistent Threats
The CSA aptly describes advanced persistent threats (APTs) as "parasitic" attacks. An APT infiltrates systems to establish a foothold, then quietly exfiltrates data and intellectual property over an extended period of time.
APTs move laterally across the network, blending in with regular traffic, which makes them difficult to detect. Most major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure, but customers have to be just as diligent in detecting APT compromises of their own accounts and workloads.
Common points of APT entry include phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks. In particular, the CSA recommends that users be trained to recognize phishing techniques.
Regularly reinforced awareness programs keep users alert and less likely to be fooled by an APT. IT departments need to stay informed about the latest attacks. Advanced security controls, process management, incident response plans, and trained staff all add to IT security budgets. Organizations must weigh these costs against the potential economic damage from successful APT attacks.
Permanent data loss
As the cloud has matured, reports of permanent data loss due to provider error have become exceedingly rare. But malicious attackers have been known to permanently delete cloud data to harm companies, and cloud data centers are also vulnerable to natural disasters.
Cloud providers distribute data and applications across multiple zones for added protection. Adequate data backup measures and adherence to best practices in business continuity and disaster recovery are essential. Daily backups and offsite storage remain relevant in cloud environments.
Preventing data loss is not solely the cloud provider's responsibility. If a client encrypts data before uploading it to the cloud, then the client must take care to protect the encryption key; losing the key means losing the data.
Compliance policies often stipulate how long organizations must retain audit records and other documents. Losing this data can have serious regulatory consequences. The European Union's new data protection rules also treat the corruption or destruction of personal data as a data breach. Companies should know the rules to stay out of trouble.
Organizations that embrace the cloud without fully understanding the environment and its associated risks may encounter "a myriad of commercial, financial, technical, legal, and compliance risks," warns the CSA. Due diligence applies whether the organization is migrating to the cloud or merging with another company that operates in the cloud. For example, organizations that do not scrutinize a contract may not be aware of the provider's liability in the event of data loss or breach.
Operational and architectural issues arise when a company's development team lacks familiarity with cloud technologies as applications are deployed to a private cloud. The CSA reminds organizations that they must perform due diligence to understand the risks they assume when subscribing to each cloud service.
Abuse of cloud services
Cloud services can be requisitioned to support nefarious activity, such as using cloud computing resources to break an encryption key in order to launch an attack. Other examples include launching DDoS attacks, sending spam and phishing emails, and hosting malicious content.
Providers need to be able to recognize types of abuse, such as scrutinizing traffic to identify DDoS attacks, and to give customers tools to monitor their own environments. Customers must make sure their providers offer a mechanism for reporting abuse. Although customers may not be the direct target of malicious activity, abuse of a cloud service can still lead to service availability problems and data loss.
Denial of service attacks
Denial of service attacks have been around for years, but they have gained prominence again thanks to cloud computing. A denial of service attack can slow systems to a crawl or simply make them hang.
DDoS attacks consume significant amounts of processing power. While high-volume DDoS attacks are very common, organizations should also be aware of asymmetric, application-level denial of service attacks, which target vulnerabilities in web servers and databases so that a small request imposes a large cost on the service.
Cloud providers tend to handle denial of service attacks better than their customers can, says the CSA. The important point is to have a mitigation plan in place before an attack occurs, so that administrators have access to the necessary resources when they need them.
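The asymmetric application-level attacks mentioned above work because one cheap request can trigger expensive work on the server. A control the customer can apply on its own side, independent of the provider's volumetric defenses, is to charge each request against a per-client budget according to how much it costs to serve. The following cost-aware token bucket is an added example, not code from the CSA report or any provider; the endpoint costs and the client traffic are constructed for illustration.

```python
"""Cost-weighted token-bucket rate limiter for application-level DoS (illustrative code added here)."""

# Constructed cost table: roughly how much server work each kind of request triggers.
ENDPOINT_COSTS = {
    "/static/logo.png": 1,   # cached file
    "/search": 10,           # database query
    "/report/export": 25,    # heavy report generation
}


class CostAwareLimiter:
    """Each client has a bucket of `capacity` tokens refilled at `refill_per_sec`.

    A request is allowed only if the bucket still holds at least `cost` tokens,
    so a client hammering an expensive endpoint exhausts its budget after a few
    calls, while a normal browser fetching cheap assets is left alone.
    """

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity = capacity
        self.rate = refill_per_sec
        self.buckets = {}  # client -> (tokens, last_seen_time)

    def allow(self, client: str, cost: float, now: float) -> bool:
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= cost:
            self.buckets[client] = (tokens - cost, now)
            return True
        self.buckets[client] = (tokens, now)  # refused; tokens keep accruing
        return False

    def allow_path(self, client: str, path: str, now: float) -> bool:
        # Unknown paths are charged the most expensive known cost, so a new
        # endpoint is never accidentally free to abuse.
        cost = ENDPOINT_COSTS.get(path, max(ENDPOINT_COSTS.values()))
        return self.allow(client, cost, now)


def simulate(requests, capacity: float = 30, refill_per_sec: float = 2.0) -> dict:
    """Replay (time, client, path) tuples and count allowed/refused per client."""
    limiter = CostAwareLimiter(capacity, refill_per_sec)
    outcome = {}
    for now, client, path in requests:
        counts = outcome.setdefault(client, {"allowed": 0, "refused": 0})
        counts["allowed" if limiter.allow_path(client, path, now) else "refused"] += 1
    return outcome


# Constructed traffic: one client burst-calls the expensive search endpoint,
# another fetches a cheap asset twenty times in the same second.
SAMPLE_REQUESTS = (
    [(0.0, "burst-client", "/search")] * 5
    + [(0.0, "browser", "/static/logo.png")] * 20
    + [(10.0, "burst-client", "/search")]
)

if __name__ == "__main__":
    for client, counts in simulate(SAMPLE_REQUESTS).items():
        print(f"{client:<13} allowed={counts['allowed']} refused={counts['refused']}")
```

With a capacity of 30 and a refill of 2 tokens per second, the burst client gets three searches through before being refused, then one more after ten seconds of refill, while the browser's twenty cheap requests are all served. The limiter state is in-memory here; behind a load balancer it would live in a shared store keyed by client.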
Shared technology vulnerabilities
Vulnerabilities in shared technology represent a significant threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications among their customers, and a vulnerability in any of these layers affects everyone. "A single vulnerability or misconfiguration can lead to a compromise across an entire provider's cloud," the CSA report says.
If an integral component such as a hypervisor, a shared platform component, or an application is compromised, the entire environment is exposed to potential compromise. The CSA recommends a defense-in-depth strategy, including multifactor authentication on all hosts, host- and network-based intrusion detection systems, applying the principle of least privilege, network segmentation, and keeping shared resources patched.
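Least privilege is the one item in that list that a customer can verify mechanically before a policy is ever attached. The following linter is an added example, not code from the CSA or from any cloud provider: it reads an IAM-style JSON policy document and flags the grants that defeat least privilege, a bare `*` action, a service-wide `service:*` action, `NotAction` (which allows everything not listed), and a `*` resource on actions that could have been scoped. The two sample policies, the bucket names, and the short list of actions that legitimately need a `*` resource are constructed for the example.

```python
"""Least-privilege linter for IAM-style policy documents (illustrative code added here; samples are constructed)."""
import json

# Assumed: a few read-only actions that do not support resource-level scoping, so "*" is acceptable for them.
RESOURCE_WILDCARD_OK = {"sts:GetCallerIdentity", "s3:ListAllMyBuckets", "ec2:DescribeInstances"}


def as_list(value):
    """IAM allows a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return (statement id, issue) pairs for every Allow statement that is broader than it needs to be."""
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        sid = statement.get("Sid", f"statement[{index}]")
        actions = as_list(statement.get("Action"))
        resources = as_list(statement.get("Resource"))
        if "NotAction" in statement:
            findings.append((sid, "NotAction allows every action not listed; enumerate the actions instead"))
        for action in actions:
            if action == "*":
                findings.append((sid, "action wildcard '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide action wildcard '{action}'"))
        if "*" in resources and any(a not in RESOURCE_WILDCARD_OK for a in actions):
            findings.append((sid, "resource '*' on actions that can be scoped to specific resources"))
    return findings


def lint_policy_json(text: str) -> list:
    """Convenience wrapper for policy documents stored as JSON text."""
    return lint_policy(json.loads(text))


# Constructed: the over-broad policy that often gets attached "to make it work".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3All", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::reports-bucket/*"},
    ],
}

# Constructed: the same job done with least privilege; the linter reports nothing for it.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
        {"Sid": "WhoAmI", "Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        issues = lint_policy(policy)
        print(f"{name}: {len(issues)} issue(s)")
        for sid, issue in issues:
            print(f"  {sid}: {issue}")
```

Run as a check in the pipeline that deploys policies, a non-empty result blocks the change and points the author at the exact statement to narrow; the Deny statement in the scoped policy is skipped on purpose, because denies can only reduce what the principal may do.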