Cloud computing is rapidly becoming a must-have for organizations of all shapes and sizes, making hybrid cloud security a big concern—and often a big question mark—for IT security professionals.
A recent IDC report predicted that cloud adoption in organizations will grow 45% by 2018. This prediction is not lost on cyber-attackers, who are constantly adapting their attack methods and devising new ways to target threat surfaces and vulnerabilities in the cloud.
To deal with security challenges in the cloud as you do (or should do) in your on-premises environments, you must consider how the threat landscape changes as you move from the data center to the cloud. You must also consider the security resources provided by cloud service providers and how they can augment your own security tools and measures to deliver complete hybrid cloud security.
In this blog series, we will explore the security challenges that impact cloud and hybrid cloud infrastructure environments, and discuss the best methods of detecting them. The blog series will cover three main areas of focus:
- Part One: How security challenges persist, or are amplified or are mitigated in public cloud and hybrid cloud environments
- Part Two: New security challenges that are introduced by cloud environments
- Part Three: Best practices for securing your hybrid cloud environment
Cloud Security Is a Shared Responsibility
Any discussion on hybrid cloud security requires a fundamental understanding of the shared responsibility model and how it applies to cloud infrastructure as a service (IaaS) security concerns. In short, under the shared responsibility model, the cloud service provider (CSP) is generally responsible for ensuring the physical security of its data center, from building access to the securing of network and server hardware, and including oversight of the hypervisor hosting virtual machines. On top of that, the user is responsible for securing the operating systems, applications and data running on cloud accounts.
While you are responsible for securing anything that you deploy on the cloud, cloud service providers have a shared interest in your security and provide services to help you more easily implement security best practices for controlling access and limiting network exposures. In fact, many cloud services provide a level of visibility into the cloud environment that IT managers can only dream of from their on-premises infrastructure.
Cloud service providers supply tools to help you better defend your virtual environments. For example, leveraging cloud environment logging and monitoring capabilities like AWS CloudTrail provides you with the ability to see the actions being taken by both legitimate users and bad actors operating in your cloud environment.
These services are designed to work in conjunction with your cloud-based security management tools. While many traditional security tools, such as firewalls, file integrity monitoring, and centralized logging, remain effective as you expand your perimeter and move data into the cloud, adding layers of security measures that are purpose-built for the cloud can help you to better secure and monitor the full environment. We’ll look at this more closely in part three of this series.
Common Attack Strategies and the Cloud
Cloud environments face many of the same security challenges as on-premises deployments, including familiar attack strategies. Many of the attack strategies that target on-premises infrastructure, such as code injection and cross-site scripting (XSS), persist in the cloud and can be dealt with using traditional tools like firewalls and proxy servers.
However, attack strategies manifest in the cloud somewhat differently than in on-premises environments, thanks to the separation of security concerns in the cloud as well as the unique architecture and scalability of cloud environments.
Let’s look at four well-known types of attacks and consider how they manifest in cloud environments.
Distributed Denial of Service (DDoS)
DDoS attacks work on a simple premise: flood a service or website with so much network traffic that it effectively crashes the service or site. DDoS attackers orchestrate a horde of botnet hosts to send requests repeatedly to a target at the same time. Because the hosts are distributed across many locations—or IoT devices, as witnessed in the recent Mirai botnet attacks—traditional defense tactics like blocking a particular domain or IP range are not effective.
This attack strategy remains the same whether the service is hosted on-premises or in the cloud.
DDoS is a numbers game between an attacker’s resources and a victim’s computing and networking capabilities. In the cloud, your resources are elastic, so you can dynamically add more resources to meet a sudden spike in demand. This provides some built-in DDoS resilience, but it comes at a cost. As you spin up additional cloud computing resources, you can quickly drive up your monthly bill to your cloud service provider.
Another consideration in cloud environments is that some resources are shared, so a DDoS attack against another user’s system has the potential to drain resources from your workloads and cause your services to become slow or unavailable. However, cloud service providers take responsibility for mitigating and protecting against DDoS attacks on shared infrastructure. In addition, cloud service providers protect against low-level network attacks to the cloud infrastructure (e.g. SYN Flood, malformed packets, etc.) as part of the shared responsibility model.
The beginning of a malware infection typically starts by an attacker finding a vulnerability in an OS or application and exploiting it to download malware and gain control of the system. This could be on something as incidental as a corporate printer. Once the attacker has a foothold inside your environment, he can move around laterally to find targeted data.
A strong vulnerability management program is essential to minimizing the attack surface of your network environment. By proactively finding and fixing your vulnerabilities, you reduce the likelihood of attackers exploiting them for harm. The same is true in cloud environments.
Cloud providers do provide some vulnerability management support. For example, they typically supply users with libraries of up-to-date patched OS instances that users can deploy into their environments. This is a good starting point, but in the shared responsibility model, automated patching stops at the point of deployment.
Ultimately, cloud users are responsible for identifying and managing vulnerabilities and patching above the hypervisor layer. For example, Amazon Web Services recommends that you map all of your assets to threats and then, conduct vulnerability assessment and impact analysis on those assets to get a complete picture of your threat posture. This requires a comprehensive hybrid security management solution that can bring together asset inventory, vulnerability assessment, and threat intelligence into a unified view.
Another point to consider is that many of the services that cloud providers offer to IaaS customers are managed and protected by the cloud providers, for example, AWS S3 (storage) and RDS (database). When you use these services, you are only responsible for protecting your data, not the service itself. So, any patch management work falls on the cloud service provider, saving you time and effort.
Brute Force Attacks (Password Cracking)
Why pick the lock if you can kick in the door? That’s the logic behind the brute force attack, one of the most common security exploits. The idea behind the brute force attack is to try all possible combinations of passwords until an attacker finds the one that works. These attacks persist in part because there are many automated tools are available (e.g., John the Ripper, Brutus, Wfuzz) and pre-built digests help them crack accounts. In addition, users continue to be a weak link, often choosing simple, easy-to-crack passwords.
So, does the cloud inherently improve defenses against password compromise? Arguably, readily available services like AWS Identity and Access Management (IAM) and Azure Active Directory (free tier) provide better password security and enable extra security measures like multi-factor authentication (MFA). However, the only real defense against password compromise is to apply good password hygiene, and hygiene applies equally in the cloud as it does on-premises.
One element that is unique to cloud is that root account credentials, if not handled properly, can be publicly accessible from the internet. A compromise of this credential gives attackers “the key to the kingdom,” giving them control over your cloud environment and the ability to spin up cloud resources (perhaps while you’re asleep), leaving you with the bill. There’s no direct parallel of this type of compromise in your on-premises environment, since the resources in your data center are likely owned, static, and finite.
Web Application Attacks
Securing applications from attacks is clearly the responsibility of cloud users in the cloud security shared responsibility model. Web application attacks can usually be mitigated with better coding practices or supplemented with security technologies like web application firewalls (WAF) and proxy servers. Today, most security vendors offer licensed products for the cloud similar to the products they provide for on-premises environments. Some cloud vendors have also added free tools to their offerings (e.g. AWS WAF for CloudFront) that defend against common attacks like cross-site scripting and code injection.
So far, we have looked at how a few of the most common attack strategies persist, are amplified, or are mitigated as you move from the data center to the cloud. There are certainly others to be aware of, especially as attackers become more proficient at attacking cloud environments.
In part two of this series, we will identify new security challenges that are unique or of special concern in cloud environments and what impact that has on traditional security measures and tools.