5 (more) key Cloud security issues

Five security-related issues with Cloud computing that are critical to the success and security of a Cloud-based project

As we're adopting Cloud computing, we're more aware of the security concerns it raises than we were of issues created by other large-scale technologies we adopted in the past. This is a wonderful thing! But security nirvana has yet not been achieved. While there's still plenty of room for Cloud providers to improve, many aspects of cloud security must be the responsibility of the consumer.

In particular, I see five security-related issues with Cloud computing that are critical to the success and security of a Cloud-based project -- and that are not always getting the full consideration they deserve.

[Get highlights of these 5 challenges in cloud security in PowerPoint .ppt format]

1. Internal Clouds are not inherently secure

In the past year, many organizations have foregone using public clouds, choosing instead to build private clouds behind their firewalls. This may be the best solution for risk-averse groups.

These teams, though, need to understand that just because they've built a cloud inside their firewall doesn't mean that their solution is safe. It still takes just one bad apple to spoil the barrel--a single department, user or application that is not behaving as it should.

An organization that is risk-averse enough to avoid the public cloud should be building a secure cloud--possibly the company should be building its dream cloud, which contains all the security controls that it thinks are missing from a public environment. Since the company physically owns the private cloud, incident response can be very swift. Detection capabilities need to be cloud-specific (for example, sensors need to monitor inside the cloud, not just at its perimeter) and operational capabilities such as patch management must be sharp. A vulnerable service that's in a cloud might have greater exposure and risk than the same service in a standard server farm thanks to the shared nature of cloud resources.

Several vendors are now able to sell spare resources from a private cloud to other organizations. Imagine: A risk-averse company builds an internal cloud, firewalled from the public Internet. They've taken basic precautions, but haven't really built security into their playbook. The following year, the organization's budget shrinks, and management hears it can cover costs by renting part of the company's cloud when it's not in use. Maybe they understand the risk involved, but decide to mitigate it at a contractual level.

This is not a farfetched scenario, and if I were looking for malicious entertainment, buying a few hours' time in an organization's internal cloud could provide interesting results.

2. Companies lack security visibility and risk awareness

The paucity of security visibility that most providers offer their customers is itself getting plenty of visibility. Obviously, when using a public cloud service, companies must balance the competing factors of control, visibility and cost. This can be a significant issue--reduced visibility results in diminished situational awareness and a questionable understanding of risk. When planning a move to the cloud, an organization needs to recognize this lack of visibility and determine how to best leverage what insight they can get their hands on. Really, this means designing mitigating controls.

[Also read SaaS, PaaS and IaaS: A security checklist for cloud models]

At the infrastructure and platform levels, this is straightforward: Log more information in your applications and set systems up to generate alerts when signs of compromise or malicious use are spotted (for example, when files are modified, records are changed more frequently than usual, or resource usage is abnormally high). For software as a service (SaaS), though, these precautions will require more thought.

SaaS providers are beginning to distinguish themselves via security features. Organizations vetting SaaS providers should consider how they will handle risk awareness--does the provider offer usage data that is granular enough to recognize changes in usage? (Monthly billing doesn't really cut it, unless the risk scenario is a malefactor who only attacks on the 29th of the month.)

If a malicious user attempts to access data stored in the cloud, how will the company learn of this? If sensitive data is modified or destroyed, is there a way for you to be notified quickly? Frequently, providers will offer a wider variety of information via an API than they do in their dashboard. While this does require that you get code written that can leverage the API, modern APIs are usually easy to work with, and the information you gain as a result will be valuable to risk-sensitive organizations.

It would be great to have a standardized API for gathering security information from a provider, but as far as I know, no one is developing one right now.

3. Sensitive information needs safer storage

Safely storing sensitive information is one of the toughest problems in cloud computing. The solution is to encrypt data, but the critical questions are where to encrypt, and how.

The first requirement of successful encryption in the cloud, which some providers do not yet understand (or at least don't practice), is: Do not store the encryption key with the encrypted data. Doing so more or less negates any value gained from encrypting the data.

[Also read Cloud computing tools: improving security through visibility and automation]

However, the solution is fairly simple, and there's no excuse for not implementing it.

In current shared environments, nobody is yet offering a virtual-machine solution that guarantees the integrity of the guest environment. This means that a malicious program could be monitoring the guest's encryption-decryption logic, capturing both plain-text data and the encryption key.

If the application receives plain-text data and encrypts it in the cloud, there's no easy fix for this right now, other than running on bare metal--installing applications directly on the hard drive, not in the OS.

Some businesses, though, don't encrypt in the cloud, but encode it before it reaches the cloud service. This works in cases such as a company using a customer resource management system only from its offices, or a business where all users either are at headquarters or VPN into headquarters before connecting to the cloud service.

Several companies make appliances (virtual or physical) that proxy data leaving an office on the way to a cloud service and encrypt or tokenize it before sending it to the cloud. This allows them to use a cloud service without worrying about data loss--as long as they only intend to access the cloud service from behind that appliance.

4. Apps aren't secure

Application security has been getting attention for years. In my mind, its importance increases when an application is deployed to a cloud environment, as the application is more exposed.

One of the biggest mistakes an organization can make is to take an existing application and simply deploy it to a cloud without first considering what new attack vectors this move opens up.

[Also read Securing cloud apps at Genomic Health]

When possible, an application should be re-architected for cloud deployment--this allows parts of the application to scale independently, and to be more distributed and resilient. It's really an opportunity to make an application more secure than ever. Forcing a development team to not use the corporate firewall as a crutch will result in a solid application.

Application security can be a complicated topic, but here are my crib notes: Never trust user input, and always encode output back to the user. Getting those two things right will remove about 80 percent of application security issues.

After input and output are taken care of, next up is proper authentication and authorization. These should be checked on every page or service request, not just at initial login. Ideally, any administrative functions are run through a separate application, so if a malicious user does compromise an account, the most he can get is a single user's data, not admin access.

The last big thing to consider is data encryption: For performance reasons, most organizations don't want to encrypt all data, so the trick is to find the balance of encrypting enough sensitive information so that if you get compromised, data cannot be pieced together to provide useful identification.

Crib notes, though, are for barely passing, and we want to implement solid cloud security, not just meet minimum certification levels, so go read more at the Open Web Security Application Project website.

5. Authentication and authorisation must be more robust

Of all the problems covered in this article, cloud authentication and authorization has the greatest number of commercial solutions available. This does not mean the issue is easily solved, however. Every organization has its own way to manage authentication and authorization.

First, it must determine if its current authentication system could also work in a secure and reliable way for users in a cloud environment. If the answer is yes, the follow-up question is whether that is also the best way to authenticate cloud services.

Also worth considering: Does every cloud service the organization uses need to be authenticated by the same system?

There is a lot of policy that a company must define to settle the cloud authentication and authorization issue.

Policy aside, any authentication system must be very flexible--whether it integrates with an enterprise's active directory or is standalone, security administrators must be able to easily add support for new services, which may have different authentication schemes and group memberships.

It is crucial that the authentication system fits into the company's aforementioned visibility plan. There's no reason not to know very quickly of a series of failed authentication attempts.

Discussing how to respond to those failures will be left for another day.

John Kinsella is founder of security consultancy Protected Industries.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Kinsella

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place