Enterprises can be devastated by security-related weaknesses or flaws in their cloud environments. Find out where you are most vulnerable before an attacker comes knocking.
Businesses make a big mistake when they assume the cloud will automatically keep their workloads and data safe from attack, theft and other malfeasance. Even in the cloud, vulnerabilities and the potential for exploitation are inevitable.
Cloud platforms are multi-tenant environments that share infrastructure and resources across countless global customers. A provider must work diligently to maintain the integrity of its shared infrastructure. At the same time, the cloud is a self-service platform, and each customer must carefully define the specific controls for each of its workloads and resources.
Before we delve into these cloud security challenges and how to protect against them, enterprises must understand the differences among the three major types of dangers: threats, vulnerabilities and risks. These terms are often used interchangeably, but they carry different meanings for IT security professionals.
- A threat is something that is actually happening — an action or behavior — that the organization must defend against, such as a denial-of-service (DoS) attack, human error or natural disasters.
- A vulnerability is an oversight, gap, weakness or other flaw in the organization’s security posture. This could include an improperly configured firewall, an unpatched OS or unencrypted data.
- A risk is the careful assessment of potential threats against the organization’s vulnerabilities. For example, someone stores unencrypted data in the public cloud and human error could allow the data to be accessed or changed. This could be perceived as a significant risk for the business that must be addressed.
When users understand public cloud vulnerabilities, they can then identify potential security gaps and common mistakes. An IT team needs to recognize and address each type to prevent its system from being exploited. Below are six of the most common areas of focus.
1. Misconfigurations
Users are responsible for configurations, so your IT team needs to prioritize mastery of the various settings and options. Cloud resources are guarded by an array of configuration settings that detail which users can access applications and data. Configuration errors and oversights can expose data and allow for misuse or alteration of that data.
Every cloud provider uses different configuration options and parameters. The onus is on users to learn and understand how the platforms that host their workloads apply these settings.
IT teams can mitigate configuration mistakes in several ways.
- Adopt and enforce policies of least privilege or zero trust to block access to all cloud resources and services unless such access is required for specific business or application tasks.
- Employ cloud service policies to ensure resources are private by default.
- Create and use clear business policies and guidelines that outline the required configuration settings for cloud resources and services.
- Be a student of the cloud provider’s configuration and security settings. Consider provider-specific courses and certifications.
- Use encryption as a default to guard data at rest and in flight where possible.
- Use tools, such as Intruder and Open Raven, to check configuration errors and audit logs.
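As an added illustration that is not part of the original article, the check below audits a constructed resource inventory against three of the rules listed above: private by default, encrypted by default and least privilege. The resource fields (`public_access`, `encryption_at_rest`, `policy_actions`, `policy_principal`) and the inventory itself are hypothetical, not any provider's real API schema.

```python
"""Audit a constructed cloud resource inventory against the
private-by-default, encrypt-by-default and least-privilege rules.
The field names below are hypothetical; real provider APIs differ."""

# Constructed sample inventory (not taken from any real account).
INVENTORY = [
    {"name": "customer-exports", "type": "bucket",
     "public_access": True, "encryption_at_rest": False,
     "policy_actions": ["storage:*"], "policy_principal": "*"},
    {"name": "app-logs", "type": "bucket",
     "public_access": False, "encryption_at_rest": True,
     "policy_actions": ["storage:GetObject"],
     "policy_principal": "role/log-reader"},
    {"name": "billing-db", "type": "database",
     "public_access": False, "encryption_at_rest": False,
     "policy_actions": ["db:Connect"], "policy_principal": "role/billing-app"},
]


def audit_resource(res):
    """Return the list of policy violations found on one resource."""
    findings = []
    if res.get("public_access"):
        findings.append("not private by default: public access enabled")
    if not res.get("encryption_at_rest"):
        findings.append("encryption at rest disabled")
    if res.get("policy_principal") == "*":
        findings.append("least privilege: policy grants access to any principal")
    if any(action.endswith("*") for action in res.get("policy_actions", [])):
        findings.append("least privilege: wildcard action in policy")
    return findings


def audit_inventory(inventory):
    """Map each resource name to its findings; a clean resource maps to []."""
    return {res["name"]: audit_resource(res) for res in inventory}


def count_flagged(report):
    """Number of resources with at least one finding."""
    return sum(1 for findings in report.values() if findings)


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print(f"{count_flagged(report)} of {len(report)} resources need attention")
```

In practice the inventory would come from the provider's own configuration API or from a tool such as those named above; the rules stay the same.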
2. Poor access control
Unauthorized users take advantage of poor access control to get around weak or absent authentication or authorization methods.
For example, malicious actors take advantage of weak passwords to guess credentials. Strong access controls implement additional requirements, such as minimum password length, mixing upper and lower cases, the inclusion of punctuation or symbols and frequent password changes.
Access control security can be enhanced through several common tactics.
- Enforce strong passwords and require regular resets.
- Use multifactor authentication techniques.
- Require regular reauthentications for users.
- Adopt policies of least privilege or zero trust.
- Avoid the use of third-party access controls and employ cloud-based access controls for services and resources within the cloud.
3. Shadow IT
Anyone can create a public cloud account, which they can then use to provision services and migrate workloads and data. But those not well-versed in security standards will often misconfigure the security options — leaving exploitable cloud vulnerabilities. In many cases, such “shadow IT” deployments may never even recognize or report exploits. This denies the business any opportunity to mitigate the problem until long after the damage is done.
When a threat successfully exploits a vulnerability and accesses data without a proper business purpose, the business is solely responsible for that breach and any subsequent consequences. Consider several common examples:
- Sensitive customer data is stolen, which puts the business in violation of prevailing regulatory obligations and damages its reputation.
- Important data is stolen, which causes a loss of intellectual property, compromises the organization’s competitive position and jeopardizes the investment that yielded that data.
- Internal business data is altered or erased, which creates a raft of potential impacts such as production problems.
Breaches usually carry penalties for the business. For example, breaches that violate regulatory obligations may result in significant fines and penalties. Breaches that involve data stored for clients or customers may result in contractual violations that lead to time-consuming litigation and costly remedy.
Ensure proper configurations and follow other precautions outlined in this piece to mitigate any regulatory or legal exposures.
6. Outages
Cloud infrastructures are vast, but failures do occur — usually resulting in highly publicized cloud outages. Such outages are caused by hardware problems and configuration oversights, precisely the same issues that plague traditional local data centers.
A cloud can also be attacked through distributed denial of service and other malicious mechanisms intended to impair the availability of cloud resources and services. If an attacker can render any public cloud resources or services unavailable, it will impact every business or cloud user that employs those resources and services. Cloud providers are adept at handling attacks, and support teams can help when specific business workloads are attacked.
While businesses and other public cloud users cannot prevent cloud outages and attacks, consider the impact of such disruptions on cloud workloads and data sources, and plan for such events as part of your disaster recovery strategy.
Given the vast nature of public clouds, disaster recovery can usually be addressed through high availability architectures implemented across cloud regions or zones. Still, such postures are not automatic, and you must design them carefully and test regularly to ensure the business will be as unaffected as possible.
Source: SearchCloudComputing