As more and more organizations push their operations to the cloud, it's vital that you understand how threats could compromise those operations. This article focuses on cloud computing security threats and countermeasures.
On-premise (on-prem) computing is a type of computing in which all the computing resources are accessed and managed by or from the premises. If you're running an application infrastructure that is on-premise, all of your applications and all the servers are going to be running in your data center inside your building, and you have complete control over everything that happens with those systems. Cloud computing is a pool of resources, which can be accessed online.
Cloud computing services are platform independent; they are accessible across many devices with an Internet connection. NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
NIST identifies five characteristics that a Cloud Computing environment must include to implement ‘true’ Cloud Computing. The five characteristics are:
• On-Demand, Self-Service (Provisioning of services on Demand)
• Resource Pooling (Sharing of resources such as Memory, Bandwidth, etc.)
• Measured Service (Metering the usage, pay-as-you-go)
• Rapid Elasticity (Scale-out, Scale-in)
• Broad Network Access (Resources and apps available over the network)
Moving to the cloud will not stop attackers from attempting to break in. The cloud is susceptible to the same attacks as on-prem systems, but it is more exposed to Internet-based attacks. Internet-related risks include malware, man-in-the-middle attacks, and eavesdropping. Attacks can vary: they can occur on the client side or on the cloud service provider (CSP) side. Both are dangerous: the availability of information can be breached when using cloud computing, and client data can be accessed or even modified by unauthorized entities.
The vast amount of data stored in the cloud from many different users makes CSPs an attractive target for attacks. While cloud providers are responsible for providing security controls, clients are responsible for using those measures and protecting their own data. For instance, cloud providers would offer data encryption at rest, but clients are responsible for incorporating encryption in their cloud deployment.
Cloud Computing Security Threats and Attacks
Many enterprises are looking to adopt cloud services instead of on-prem computing, but most cannot afford the risk of compromising the security of their data. Security is the greatest challenge of cloud computing. Securing applications is difficult in general, and a number of the challenges are unique to the cloud.
The most important classes of cloud-specific risks are (ENISA - Cloud Computing: Benefits, risks, and recommendations for information security):
• Loss of governance: CSP does not commit to the necessary task
• Vendor lock-in: poorly crafted contract can lead to vendor lock-in
• Isolation failure: one tenant influences another.
• Compliance risks: e.g. audit impossible, or no evidence
• Management interface compromise
• Data protection: protection cannot be demonstrated
• Insecure or incomplete data deletion
• Malicious insider
Security breaches happen daily. If you follow the news these days, you'll find an article every other week about a company that was compromised or lost data. Recently reported incidents include, but are not limited to, the following: exposed cloud storage, Bitcoin botnet, sensitive data loss due to unencrypted storage volumes, outages due to API, key leakage, etc. In the most recent edition of its report (CSA Top Threats research - The Treacherous 12), Cloud Security Alliance experts identified the following 12 critical issues to cloud security:
• Data Breaches
• Weak Identity, Credential, and Access Management
• Insecure APIs
• System and Application Vulnerabilities
• Account Hijacking
• Malicious Insiders
• Advanced Persistent Threats (APTs)
• Data Loss
• Insufficient Due Diligence
• Abuse and Nefarious Use of Cloud Services
• Denial of Service
• Shared Technology Issues
Cloud Security is the Responsibility of both Cloud Provider and Consumer
Cloud computing security is the responsibility of both the provider (CSP) and the consumer/client. A few points to consider on the CSP side:
• Enforce data protection and backup
• Enforce legal contracts with employees
• Strong triple A’s (authentication, authorization, audit)
• Strong key generation
• Client traffic monitoring for malicious activities
• Ensure physical security
• Enforce secure standards for new installations and configurations
• Isolate memory, storage, and management network
• Implement multifactor authentication
A few points to consider on the client side:
• Prohibit user credential sharing
• Use encryption to transmit and store data
• Enforce SLAs for patching and vulnerability remediation
• Analyze cloud provider security design and service level agreement (SLA)
• Assess security of APIs
• Use multifactor authentication
• Perform risk assessment
• Create a process for breach notification
• Consider a DRP/BCP
Best Practices for Securing Cloud
Here are a few important conditions to ensure security on cloud systems:
• Perform risk assessment and understand your security responsibilities.
• Analyze the deployment model and align your cloud security architecture to the business.
• Apply security at all layers: data, application, and infrastructure.
• Implement a security procedure to identify information risks associated with the cloud, assess, treat, and monitor them, and handle any changes.
• Perform your due diligence.
• Data stored in the cloud should be stored in an encrypted form to ensure confidentiality. Only users who have permission to access the data should have decryption permission.
• Incorporate identity and access management (IAM).
• Consider encryption key ownership. Rotating the keys and setting a standard password expiration policy helps prevent access due to a lost or stolen key.
• Apply multifactor authentication (MFA) for all critical operations.
• Enable logging, which will allow you to track and identify potential attempts at unauthorized access.
• Use security information and event management (SIEM) to monitor configurations, look for anomalies, correlate events, and provide alerts when a misconfiguration is identified.
• Apply web application firewall (WAF) solutions.
• The CSP platform should apply for the compliance program.
• Incorporate a patch management system to identify misconfigurations and missing security patches or critical updates, and quickly apply the updates.
• Ensure the configurations are set up securely.
• Conduct security testing, such as vulnerability assessments and penetration tests, to identify and remediate possible vulnerabilities and to take a closer look at overall security.
• Apply Secure DevOps, which opens up many opportunities for security to improve code hardening, change management, and production application security.
• Plan an exit strategy.
• Provide security awareness training for cloud users.
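Several of the practices above (encryption at rest, key rotation, MFA, logging, and alerting on misconfigurations) can be checked automatically. The following is an added example, not part of the original article: a small audit over a constructed resource inventory. The inventory schema, the resource names, and the 90-day rotation limit are assumptions made for illustration and do not correspond to any particular CSP's API.

```python
from datetime import date

# Constructed inventory in a hypothetical, provider-neutral schema.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "public": False, "encrypted": True, "logging": True},
    {"id": "bucket-exports", "type": "storage", "public": True, "encrypted": False, "logging": False},
    {"id": "vol-db01", "type": "volume", "encrypted": False},
    {"id": "key-app", "type": "access_key", "created": "2023-01-10", "owner_mfa": True},
    {"id": "key-ci", "type": "access_key", "created": "2024-05-20", "owner_mfa": False},
]
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the article

def audit(resources, today):
    """Return (resource id, severity, message) findings, HIGH severity first."""
    findings = []
    for r in resources:
        rid, kind = r["id"], r["type"]
        # A missing attribute counts as a failure, so incomplete records are flagged.
        if kind in ("storage", "volume") and not r.get("encrypted", False):
            findings.append((rid, "HIGH", "data at rest is not encrypted"))
        if kind == "storage":
            if r.get("public", False):
                findings.append((rid, "HIGH", "storage is publicly accessible"))
            if not r.get("logging", False):
                findings.append((rid, "MEDIUM", "access logging is disabled"))
        if kind == "access_key":
            age = (today - date.fromisoformat(r["created"])).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append((rid, "MEDIUM", f"key is {age} days old, rotate it"))
            if not r.get("owner_mfa", False):
                findings.append((rid, "HIGH", "key owner has no MFA enrolled"))
    # Stable sort: HIGH before MEDIUM, then by resource id.
    return sorted(findings, key=lambda f: (f[1] != "HIGH", f[0]))

if __name__ == "__main__":
    for rid, severity, message in audit(INVENTORY, date.today()):
        print(f"[{severity}] {rid}: {message}")
```

In practice the findings would be forwarded to the SIEM as alerts, and the inventory would come from the provider's configuration export.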
Four aspects are important to consider when deploying or using cloud services. The first is to make sure security or privacy breaches in a cloud deployment are correctly addressed. The second is having a cloud computing solution that lets the enterprise know that the cloud computing platform it deploys is based on proven industry frameworks. The third is meeting compliance requirements, including general legislation, organization policies, and contractual obligations. Finally, maintain transparency in the cloud deployment, so that its operation is sufficiently clear to all stakeholders and the CSP.