What you really need to know about Cloud security

As more enterprise resources move to the Cloud, it's inevitable that we will start hearing more about Cloud incidents

Despite all of the hand wringing over Cloud security, major Cloud security breaches haven't been grabbing headlines. The past year has seen major breaches, such as the ones that hit Sony and Epsilon, but we haven't heard much of an emphasis about the Cloud being a weakness.

Part of this, of course, could be a simple matter of semantics. Some have emphasized Epsilon's role as a provider of email marketing services -- in other words, it's a SaaS company -- but the breach was a traditional spear-phishing attack used to gain access to email servers, not, say, an assault on hypervisor vulnerabilities.

Cloud providers, such as Dropbox and Google, have had their issues, but the major Cloud-related problems have involved outages, not data being breached.


As more enterprise resources move to the Cloud, it's inevitable that we will start hearing more about Cloud incidents. Minor breaches have already hit GoGrid and the Microsoft Business Productivity Online Suite, but we've yet to see anything on the scale of TJX, the VA, RSA or any number of other on-premise breaches.

That doesn't mean that Cloud-invested businesses can breathe easily. "Attacks that work now work so well that you don't have to come up with a new, complex attack methodology," says Chris Eng, vice president of research for Veracode, a provider of Cloud-based application security testing services. "Cyber-criminals aren't going to spend a lot of time to come up with a new zero-day attack if they can just use the same old SQL injection attacks that have worked for years."

Hackers Set Sights on Cloud, But Not as a Target

One troubling trend uncovered in the Sony breach is that hackers view the Cloud not necessarily as a target, but as a resource. Hackers used stolen credit cards to rent Amazon EC2 servers and launch the crippling attack on Sony.

"Everything the Cloud offers to legitimate businesses it offers to criminals as well," says Scott Roberts, senior intelligence specialist at Vigilant, a security monitoring company. "It's becoming common for cyber-criminals to rent Cloud infrastructure to set up spambots or to build out a malware command and control infrastructure. At $50 or $60 a month, attackers can take advantage of resources that a few years ago would be too difficult and too expensive to build on their own."

Add cheap infrastructure to low-cost, automated malware kits, botnets that can be rented for a single attack and the ability to outsource such things as the decoding of CAPTCHAs for spammers, and you have a toxic arsenal that can make even simpleton hackers highly dangerous.

Yet, even if hackers aren't specifically targeting the Cloud right now, most experts believe that they will start to soon, if for no other reason than the fact that more and more resources are being moved to the Cloud. "The Cloud is already a tempting target," Eng said. "Data is centralized and you can target one provider to attack multiple companies."

When asked why he robbed banks, Willie Sutton once supposedly said (although he later disavowed this quote), "Because that's where the money is." Today, the most important corporate assets still reside behind the firewall. Tomorrow? The "money" may well be in the Cloud.

Why the Cloud Is Vulnerable

One advantage of the Cloud is that for the major providers it is in their interest to secure their environments. If Amazon or Google is responsible for the next Heartland-scale data breach, their business will suffer.

Major providers know this and are taking steps to prevent it.

"Networks long ago ceased to be isolated physical islands. As companies found the need to connect to other companies, and then the Internet, their networks became connected with public infrastructure," says Amazon Web Services spokeswoman Rena Lunak.

To mitigate the risks, many organizations took steps to isolate their traffic, such as using Multi-Protocol Label Switching (MPLS) links and encryption. "Amazon's approach to networking in its Cloud is the same: We maintain packet-level isolation of network traffic and support industry-standard encryption," she says. "Because Amazon Web Services' Virtual Private Cloud allows a customer to establish their own IP address space, customers can use the same tools and software infrastructure they're already familiar with to monitor and control their Cloud networks."

That's all well and good, but common mistakes, such as weak authentication methods or an open management port can undo all of the work providers did to secure those infrastructures.

"One problem with moving to the Cloud is that you have to manage your resources remotely," said Carson Sweet, CEO of CloudPassage, a Cloud security provider. "Many, many companies leave management ports open to the world. Fraudsters are waking up to this."

How the Cloud Could Infect Your Internal Network

The big worry Sweet discussed was that poor security practices in the Cloud could lead to infections back in the on-premise network. Many companies, wary of Cloud threats, simply will not move the most sensitive data into the Cloud.

While 82 percent of companies surveyed by CompTIA believe in Cloud providers' capability to deliver a secure environment, 58 percent will not put confidential corporate financial information in the Cloud. 56 percent keep credit card data out of the Cloud, and nearly half refuse to put sensitive intellectual property, trade secrets or HR records in the Cloud.

The logic is clear: keep sensitive data behind the corporate firewall where it is more secure.

Unfortunately, that logic has a fatal flaw.

Sweet discussed a client CloudPassage worked with (who prefers to remain anonymous) who had development servers in the Cloud. A hacker placed a rootkit onto one of the virtual servers. When the developers noticed something was off with their servers, they brought them back behind the corporate firewall to re-image them. Unfortunately, they brought the rootkit in with them, infecting their entire network.

"Virtual machines can serve as Trojan horses if you're not careful," Sweet said.

Be Sure to Secure Those API Keys

The most common Cloud worry I heard from security professionals, one repeated over and over again, was about API keys. Most organizations use API keys to access their Cloud services, and they represent the keys to the kingdom.

"API keys are a huge issue," Sweet said. "If I know where to look on the server for your API keys, and I manage to get them, I own your Cloud deployment."

API keys must be protected. It's not uncommon for IT administrators to do such risky things as email them to one another or store them in a configuration file that's not terribly difficult to uncover.

API keys must be kept in a secure, encrypted location, inventoried regularly and given out only to those who have a valid reason to access them. Alternatively, Cloud brokers can handle API keys for you, but be aware that you are then outsourcing a critical piece of your Cloud security to a third party.
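One practical way to act on that advice is a routine sweep of configuration files for API keys stored as plaintext literals. The scanner below is an added example, not code from the article or from CloudPassage; the config file, key names and the key value it flags are constructed for illustration, and it treats values that reference an environment variable (such as `${DB_PASSWORD}`) as the acceptable pattern.

```python
import math
import re

# Constructed sample: a config file as an admin might leave it on a Cloud host.
# The api_key value is a made-up string, not a real credential.
SAMPLE_CONFIG = """\
[cloud]
endpoint = https://api.example-cloud.invalid
api_key = EXAMPLEKEY9f3a8c2d1b7e4f6a0c5d8e2b9a1f7c3e
region = us-west
[db]
password = ${DB_PASSWORD}
"""

# Config keys whose value is usually a credential (assumed naming conventions).
SECRET_LINE = re.compile(
    r"^\s*(api[_-]?key|secret(?:[_-]?key)?|token|password)\s*[=:]\s*(.+?)\s*$", re.I)
# Values that defer to an environment variable or secret store at runtime
# instead of embedding the secret; this is the pattern we want to see.
INDIRECT = re.compile(r"^\$\{?[A-Z][A-Z0-9_]*\}?$")


def shannon_entropy(value):
    """Bits per character; random-looking keys score well above ordinary words."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_plaintext_secrets(text, min_entropy=3.0):
    """Return (line number, key name, redacted preview) for every line that
    assigns a high-entropy literal to a credential-looking key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if INDIRECT.match(value):
            continue  # resolved from the environment or a secret manager, not stored here
        if shannon_entropy(value) >= min_entropy:
            # Report only a short prefix so the scan output does not leak the key itself.
            findings.append((lineno, key.lower(), value[:4] + "..."))
    return findings


if __name__ == "__main__":
    for lineno, key, preview in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: literal credential in '{key}' ({preview}); move it to a secret store")
```

Run it over the config directories of each Cloud host as part of the regular key inventory; every hit is a key to rotate and relocate, not just a line to delete.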

10 Things to Ask Cloud Providers

When it's time to evaluate Cloud service providers, be sure to ask these ten security questions:

1. Were your services developed using a secure development lifecycle?

2. Can you prove it and provide, say, penetration testing overviews?

3. What data protection policies do you have in place?

4. What are your data privacy policies?

5. How do you enforce those various policies?

6. Is security covered in your SLAs? If not, why not?

7. How do you back up and recover data?

8. How do you encrypt data, both in motion and at rest?

9. How do you segregate my data from others?

10. What kind of visibility will I have into your logs?

Jeff Vance is a Los Angeles-based freelance writer who focuses on next-generation technology trends. Follow him on Twitter @ JWVance.
