How do you secure the cloud? New data points a way

Reports show big differences in risk among public, private and hybrid cloud deployments. Here’s advice on the tools, information and organizational structure needed to execute a successful cloud security strategy.


The march toward the cloud for data and services has many companies rethinking their approach to cyber security. Do they need a cloud security strategy? What is different about a cloud security strategy? Recent surveys have shed light on how security strategies are changing, and more important, how they should change.

Placing more IT infrastructure in the cloud is in some ways more secure than keeping it in house. For instance, with managed services you can be reasonably sure the underlying platform is running a current, patched version (keeping the workloads you deploy on top of it patched remains your job). Cloud service providers are also building in new capabilities such as machine learning for anomaly detection. However, the cloud also presents new risks, some of which result from misunderstanding how cloud security has to be managed.

It is important to know how a company’s cloud IT strategy—whether it’s hybrid, private hosted, or public—affects its cyber security strategy and the tactical execution of that strategy.

What sensitive data is in the cloud?

In October 2018, McAfee released its Cloud Adoption and Risk Report 2018. That research showed that sharing of sensitive data over the cloud increased by 53% over the previous year, a huge jump. Of all files in the cloud, 21% contain sensitive data, McAfee found, and 48% of those files are eventually shared.

That sensitive data includes company confidential data (27%), email data (20%), password-protected data (17%), personally identifiable information (PII) (16%), payment data (12%) and personal health data (9%). The risk associated with confidential data in the cloud is growing as companies entrust more of it to the cloud: 28% more confidential data was placed in the cloud than in the previous year, according to McAfee.

With so much sensitive data stored in and shared via the cloud, theft by hacking isn't the only risk. McAfee found that enterprises have an average of 14 misconfigured infrastructure-as-a-service (IaaS) instances running, resulting in an average of 2,200 misconfiguration incidents a month in which data is exposed to the public.
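The most common form of that exposure is a network rule that admits the whole internet to a service that should only be reachable internally. The following is an added example, not code from the article or from McAfee: it walks a list of security groups in the shape of EC2 describe-security-groups output and reports every sensitive port open to 0.0.0.0/0 or ::/0. The group names, the sample rules and the list of "sensitive" ports are constructed for the example.

```python
import ipaddress

# Services that should essentially never accept connections from the whole
# internet. The list is an assumption for this example; extend it as needed.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}


def _world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _sensitive_ports_in(perm):
    """Sensitive ports covered by one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic": every port is open
        return dict(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return {}
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}


def find_public_exposures(groups):
    """Return one finding per (group, sensitive port) reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = sorted(c for c in cidrs if _world_open(c))
            if not open_cidrs:
                continue
            for port, service in sorted(_sensitive_ports_in(perm).items()):
                findings.append({
                    "group": group["GroupId"],
                    "port": port,
                    "service": service,
                    "open_to": open_cidrs,
                })
    return findings


# Constructed sample in the shape of EC2 describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # database open to the world
    ]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},       # SSH from the private range only
    ]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic, any IPv6 source
    ]},
]

if __name__ == "__main__":
    for f in find_public_exposures(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']}/{f['port']} open to {', '.join(f['open_to'])}")
```

Web ports open to the world are deliberately not reported, since that is what a public web tier is for; the check is about the database, cache and remote-administration ports behind it. Running the same logic over real output (for example the JSON from `aws ec2 describe-security-groups`) is a one-line change, and the "all traffic" protocol value -1 is the case that most often slips past a port-only check.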

What is the cloud security risk?

Data from cloud security provider Alert Logic shows the nature and volume of risk for each form of cloud environment as compared to an on-premises data center. For 18 months, the company analyzed 147 petabytes of data from more than 3,800 customers to quantify and categorize security incidents. During that time, it identified more than 2.2 million true positive security incidents. Key findings include:

  • Hybrid cloud environments experienced the highest average number of incidents per customer at 977, followed by hosted private cloud (684), on-premises data center (612), and public cloud (405).
  • By far, the most common type of incident was a web application attack (75%), followed by brute force attack (16%), recon (5%), and server-side ransomware (2%).
  • The most common vectors for web application attacks were SQL (47.74%), Joomla (26.11%), Apache Struts (10.11%), and Magento (6.98%).
  • WordPress was the most common brute force target at 41%, followed by MS SQL at 19%.

Whether it’s a public, private or hybrid cloud environment, web application threats are dominant. What’s different among them is the level of risk you face. “As defenders, at Alert Logic our ability to effectively protect public cloud is higher as well, because we see a better signal-to-noise ratio and chase fewer noisy attacks,” says Misha Govshteyn, co-founder of Alert Logic. “When we see security incidents in public cloud environments, we know we have to pay attention, because they are generally quieter.” 

The data shows that some platforms are more vulnerable than others. “This increases your attack surface despite your best efforts,” says Govshteyn. As an example he notes that “despite popular belief,” the LAMP stack has been much more vulnerable than the Microsoft-based application stack. He also sees PHP applications as a hotspot.

“Content management systems, especially WordPress, Joomla and Django, are used as platforms for web applications far more than most people realize and have numerous vulnerabilities,” says Govshteyn. “It’s possible to keep these systems secure, but only if you understand what web frameworks and platforms your development teams tend to use. Most security people barely pay attention to these details, and make decisions based on bad assumptions.”

To minimize the impact from cloud threats, Alert Logic has three primary recommendations:

  • Rely on application whitelisting and block access to unknown programs. This includes doing risk vs. value assessments for each app used in the organization.
  • Understand your own patching process and prioritize deployment of patches.
  • Restrict administrative and access privileges based on current user duties. This will require keeping privileges for both applications and operating systems up to date.

6 types of cloud threats

In April 2018, cloud security platform provider ShieldX outlined six categories of cloud security threats that it believes are likely to occur in 2018. Most organizations will have a hard time mitigating the risk of these threats because of a gap between their defenses and the nature of the threats, says Manuel Nedbal, CTO and senior vice president at ShieldX. “There is a mismatch between the physical datacenter form factor and the virtual perimeter. Traditional security controls were built to protect the physical form factor, which opens the door for security threats.”

Those controls must change as organizations transition to virtualized and containerized data centers in private and public clouds. “Security has to adapt to those new boundaries between and within virtual infrastructures,” says Nedbal. He adds that cloud security tools need to be “very small, very dynamic, placed where and when needed and at the right scale.”

1. Cross-cloud attack

In a cross-cloud attack, an attacker who takes over a workload in a public cloud uses it as a foothold to reach the private cloud and on-premises systems connected to it, spreading the attack across environments.

The right lateral defenses minimize the risk, but organizations moving to public clouds often overlook the fact that their security perimeter now extends into the new environment. Public clouds don’t offer the same security controls as on-premises defenses, and traditional controls are hard to move there. “The amount of attacks against the cloud is increasing,” says Nedbal. Hackers monitor for new cloud instances. “As soon as there’s a workload exposing services publicly, it will be attacked and the defenses in public clouds are weaker than traditional on-premises controls.” Further, if an organization has different sets of controls for its on-premises and cloud systems, it could leave gaps that hackers exploit.

2. Cross-data-center attack

Once a hacker breaches one data center location, the next step is to spread laterally. This is possible because the connections between the points of delivery (PoDs) in a data center are treated as trusted zones: if an attacker compromises one PoD, the intrusion can spread to other connected data centers.

In a blog post, Nedbal advised sending all traffic through a multi-layered defense system with a similar set of security controls as found on the perimeter.

3. Cross-tenant attacks

In a multi-tenant environment, hackers can exploit the network traffic among cloud tenants. Tenants might assume that the provider has secured their assets in the cloud, but in fact they are responsible for implementing much of the defenses. Again, sending traffic through a multi-layered defense system with the appropriate controls will mitigate the risk of this cloud threat but it requires the ability to place those controls at the right scale where and when needed.

4. Cross-workload attack

Cloud-based and virtualized workloads as well as containers can easily connect with one another. Compromise one workload and an attacker can reach others, whether they run on a virtual desktop, a virtual web server or a database. Defending against cross-workload attacks, especially when the workloads run in the same tenant, is difficult. “If you just seal off all workloads from each other, then they are secure, but won’t be able to perform the function they are designed for,” says Nedbal. In a blog post, he advised that workloads with similar security requirements should be placed in a zone that has appropriate controls to monitor traffic in addition to basic segmentation.

5. Orchestration attacks

Cloud orchestration enables many key tasks including provisioning, server deployment, storage and network management, identity and privilege management, and workload creation. Hackers typically execute orchestration attacks by stealing account logins or private keys. With those, the attacker can perform orchestration tasks and essentially gain control and access. “Once in, [an attacker] can create additional workloads for their own purposes like crypto-mining or remove workloads,” says Nedbal. The higher the privilege they can steal, the more damage they can do.

The way to defend against orchestration attacks, Nedbal says, is through monitoring admin behavior. “[The orchestration threat] needs a new type of security monitoring not part of traditional network security systems that looks for unusual patterns of accounts behaving anomalously,” he says.
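What that monitoring looks like in practice is a set of behavioural rules over the orchestration audit trail rather than over packets. The following is an added example, not code from the article or from ShieldX: it builds a per-principal baseline of which regions each identity has driven workload APIs in, then flags two patterns in new events shaped like CloudTrail records, a principal creating workloads in a region it has never used, and a burst of instance launches in a short window (the crypto-mining pattern Nedbal describes). The principals, timestamps and event names below are constructed; the thresholds are assumptions to tune against your own history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Orchestration calls that create or destroy workloads. The names follow the
# CloudTrail eventName field; the set itself is an assumption for this example.
WORKLOAD_EVENTS = {"RunInstances", "TerminateInstances", "CreateFunction", "CreateCluster"}
CREATE_EVENTS = {"RunInstances", "CreateFunction", "CreateCluster"}


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _who(event):
    return event["userIdentity"]["arn"]


def build_baseline(history):
    """Regions in which each principal has previously driven workload APIs."""
    seen = defaultdict(set)
    for e in history:
        if e["eventName"] in WORKLOAD_EVENTS:
            seen[_who(e)].add(e["awsRegion"])
    return seen


def detect_anomalies(events, baseline, burst_threshold=5, window=timedelta(minutes=10)):
    """Two behavioural rules over an orchestration audit trail.

    new-region   : a principal drives workload APIs in a region it never used before
    create-burst : at least burst_threshold workload creations by one principal
                   inside `window`
    Each rule fires at most once per (principal, region) or per principal."""
    alerts = []
    recent_creates = defaultdict(list)   # principal -> creation times inside the window
    fired = set()
    for e in sorted(events, key=_when):
        name = e["eventName"]
        if name not in WORKLOAD_EVENTS:
            continue
        who, region, t = _who(e), e["awsRegion"], _when(e)
        if region not in baseline.get(who, set()) and ("region", who, region) not in fired:
            fired.add(("region", who, region))
            alerts.append({"rule": "new-region", "principal": who,
                           "region": region, "at": e["eventTime"]})
        if name in CREATE_EVENTS:
            times = recent_creates[who]
            times.append(t)
            while t - times[0] > window:          # drop creations that left the window
                times.pop(0)
            if len(times) >= burst_threshold and ("burst", who) not in fired:
                fired.add(("burst", who))
                alerts.append({"rule": "create-burst", "principal": who,
                               "count": len(times), "at": e["eventTime"]})
    return alerts


def _ev(time, name, region, arn):
    """Minimal CloudTrail-shaped record (constructed for the example)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": arn}}


ALICE = "arn:aws:iam::123456789012:user/alice"
DEPLOY = "arn:aws:iam::123456789012:role/deploy-role"
BOB = "arn:aws:iam::123456789012:user/bob"

# Constructed history: routine activity, all of it in us-east-1.
HISTORY = [
    _ev("2018-09-03T14:02:11Z", "RunInstances", "us-east-1", ALICE),
    _ev("2018-09-10T09:41:52Z", "TerminateInstances", "us-east-1", ALICE),
    _ev("2018-09-17T16:20:05Z", "RunInstances", "us-east-1", DEPLOY),
    _ev("2018-09-24T16:21:44Z", "RunInstances", "us-east-1", DEPLOY),
]

# Constructed window under review: alice's credentials launch six instances in
# four minutes, at 3 a.m., in a region the account has never touched.
NEW_EVENTS = [
    _ev("2018-10-02T03:00:10Z", "RunInstances", "eu-west-3", ALICE),
    _ev("2018-10-02T03:00:48Z", "RunInstances", "eu-west-3", ALICE),
    _ev("2018-10-02T03:01:30Z", "RunInstances", "us-east-1", DEPLOY),
    _ev("2018-10-02T03:01:55Z", "RunInstances", "eu-west-3", ALICE),
    _ev("2018-10-02T03:02:40Z", "RunInstances", "eu-west-3", ALICE),
    _ev("2018-10-02T03:03:12Z", "DescribeInstances", "us-east-1", BOB),   # read-only, ignored
    _ev("2018-10-02T03:03:50Z", "RunInstances", "eu-west-3", ALICE),
    _ev("2018-10-02T03:04:21Z", "RunInstances", "eu-west-3", ALICE),
    _ev("2018-10-02T03:09:00Z", "RunInstances", "us-east-1", DEPLOY),
]


def run_demo():
    return detect_anomalies(NEW_EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The deploy role launching two instances in its usual region produces nothing, which is the point: the signal is the departure from that principal's own history, not the API call itself. A real deployment would key the baseline on more than region (instance type, time of day, source address) and read events from the provider's audit log rather than an inline list.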

6. Serverless attacks

Serverless applications allow organizations to rapidly spin up cloud-based functions without having to build or extend infrastructure. Realized as functions as a service (FaaS), they present new opportunities for hackers and new challenges for defenders. A new function might have access to sensitive assets such as a database. If the function’s privileges are set up incorrectly, an attacker who can invoke or compromise it might perform a number of tasks through it, including accessing data or creating new accounts. As with orchestration attacks, the best way to detect a serverless attack is by monitoring account behaviors, but to be effective this must be combined with network traffic inspection.
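The "privileges set up incorrectly" case above, and the earlier Alert Logic recommendation to restrict privileges to current duties, both come down to the same check: what can the identity attached to a workload actually do? The following is an added example, not code from the article or from any vendor named in it. It audits an IAM-style policy document for the three things that turn a compromised function into an account takeover: wildcard actions, wildcard resources, and actions that can create or escalate identities. The two policies, the function name and the account ID are constructed; the escalation list is an assumption and is not exhaustive.

```python
import fnmatch

# Permissions that let whoever holds the role mint new identities or attach
# more power to existing ones. Assumed list for the example, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PassRole", "sts:AssumeRole",
}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Flag Allow statements broader than a single function should need."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append({"statement": i, "issue": "not-action", "detail": stmt["NotAction"]})
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        escalations = set()
        for pattern in actions:
            if pattern == "*" or pattern.endswith(":*"):
                findings.append({"statement": i, "issue": "wildcard-action", "detail": pattern})
            escalations |= {a for a in ESCALATION_ACTIONS if _grants(pattern, a)}
        if escalations:
            findings.append({"statement": i, "issue": "escalation-action",
                             "detail": sorted(escalations)})
        if "*" in resources:
            findings.append({"statement": i, "issue": "wildcard-resource", "detail": "*"})
    return findings


# Constructed execution role for a hypothetical "orders-api" function.
# Over-broad: anything in S3 and IAM, against any resource.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "iam:*", "dynamodb:GetItem"],
        "Resource": "*",
    }],
}

# Scoped to what the function actually does: read one table, write its own logs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-api:*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or "clean")
```

The escalation check is the one that matters most for serverless: a function that only needs to read one table but whose role carries `iam:*` lets an attacker who finds an injection bug in the function create a user and walk away with durable credentials, exactly the "creating new accounts" outcome described above. The same audit applies unchanged to the roles behind orchestration pipelines and to human administrators.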

How to secure the cloud

According to a survey by market researcher Vanson Bourne, sponsored by network monitoring provider Gigamon, 73% of respondents expect the majority of their application workloads to be in the public or private cloud. Yet 35% of those respondents expect to handle network security in “exactly the same manner” as they do for their on-premises operations. The remainder, while reluctant to change, believe they have no choice but to change their security strategy for the cloud.

Granted, not every company is migrating sensitive or critical data to the cloud, so for them there is less reason to change strategy. However, most companies are migrating critical and proprietary company information (56%) or marketing assets (53%). Forty-seven percent expect to have personally identifiable information in the cloud, which has implications due to new privacy regulations such as the EU’s GDPR.

Companies should focus on three main areas for their cloud security strategy, according to Govshteyn:

  1. Tools. The security tools you deploy in cloud environments must be native to the cloud and able to protect web applications and cloud workloads. “Security technologies formulated for endpoint protection are focused on a set of attack vectors not commonly seen in the cloud, and are ill equipped to deal with OWASP Top 10 threats, which constitute 75% of all cloud attacks,” says Govshteyn. He notes that endpoint threats target web browsers and client software, while infrastructure threats target servers and application frameworks.
  2. Architecture. Define your architecture around the security and management benefits offered by the cloud, not the same architecture you use in your traditional data centers. “We now have data showing that pure public environments allow enterprises to experience lower incident rates, but this is only achievable if you use cloud capabilities to design more secure infrastructure,” says Govshteyn. He recommends that you isolate each application or micro-service in its own virtual private cloud, which reduces the blast radius of any intrusion. “Major breaches such as Yahoo began with trivial web applications as the initial entry vector, so the least important applications often become your biggest problem.” Also, rather than patching running cloud instances in place, deploy new infrastructure built from the most recent code and decommission the old. “You can only do this if you automate your deployments, but you will gain the level of control over your infrastructure you could never achieve in traditional data centers,” says Govshteyn.
  3. Connection points. Identify points where your cloud deployments are interconnected to traditional data centers running legacy code. “Those are likely to be your biggest source of problems, as we see a clear trend that hybrid cloud deployments tend to see most security incidents,” he says.