Security is still a thorn in the side of cloud computing. Despite the ability of the cloud to inspire new ways of thinking – free of the limitations of infrastructure, scaling or logistics – a recent survey found that an overwhelming 90% of organisations are still concerned about cloud security. But in truth, most of these concerns are just an unrealised opportunity.
The cloud is not an inherently insecure environment, it just has a different security model which needs to be established. It comes with new responsibilities and new trust relationships that need to be established to properly secure your environment.
These environments have the opportunity to be far more secure than even traditional data centers, but they need to be approached in the right way.
Confusion usually starts early with security in the cloud, because key terms can mean different things. Our dialogue related to this is topic is often confused and leads to an early disconnect at best or a fundamental misunderstanding at worst.
The confusion related to security in the cloud causes hesitance to leverage the various form of cloud services to their fullest potential. To be very explicit, 'cloud security' can mean three very different things:
A SaaS (software as a service) offering that provides a security service
An offering that helps you monitor SaaS services (note that this has no bearing on its delivery form – SaaS, on premise software or appliance)
The set of tools/features required to secure an IaaS (infrastructure as a service) environment.
Understanding these three variants of ‘cloud security’ is important to then realise the promise and the risk of your own use of the cloud.
The risk we run with the cloud largely depends on the nature of our use. However, since cloud services have proven to be viral in nature most organisations make use of both SaaS as well as IaaS whether or not it is inline with corporate policy.
Recent research has shown SaaS offerings being leveraged as points of data ex-filtration and used as command and control (C&C) channels. This is an ingenious way to side-step traditional perimeter based detection technologies.
By leveraging a SaaS service in an attack, the controls traditionally used to detect large-scale data loss and C&C traffic are rendered useless as the malicious activity now blends with the benign.
This integration of SaaS into the methods used by attackers is a sure sign of widespread cloud adoption. In a similar vein there has been research published about attacks targeting IaaS environments and leveraging components of the IaaS service as a mechanism for privilege escalation or to pivot in the environment.
This again reflects an increased understanding of the nature of IaaS by attackers and increases the responsibility of users to properly monitor and secure such environments.
Even with a current understanding of the risks related to use of IaaS and SaaS we need to remind ourselves of the potential for causalities. Attackers target and leverage these services because that is where our data is stored.
An attacker who is targeting us will not simply stop if we are not using the cloud; they will simply leverage other techniques when attacking us. A similar point can be made for broad-based attacks. If the broad based attacks we face today only targeted cloud environments we might have a case against using such environments.
However, at this point the majority of broad-based attacks still target traditional environments.
Thus, avoiding the use of the cloud is not an action that will make us inherently more secure. Just as with the adoption of any other technology, we must understand the cost and weigh it against the benefits of use.
When working with cloud providers it is important to establish what responsibilities you retain for security and what is managed by the provider. Dependent on the nature of the service, the line of responsibility shifts.
For IaaS providers, the customer is responsible for the operating system up; however, for SaaS providers, the customer is responsible for privileged users. This has a major impact on the security controls we implement to shore up our end of the bargain.
With IaaS providers, we need to start at the OS level and take full advantage of the automation and configuration tools provided. Beautifully segmented networks with fully encrypted network connections and hardened systems are now scriptable features of our data centers.
With both IaaS and SaaS providers, we need to take a close eye to the administrative audit logs to monitor privileged user access and ensure appropriate use of the features in the environment.
Automated analysis and monitoring of these logs is critical to identify the difference between a devop engineer spinning up a new server and an attacker taking advantage of compromised credentials.
In order to fully realise the potential offered by the cloud, we need to understand the risks. Critical first steps include understanding the new security landscape it offers, and working out how best to work with our chosen cloud providers.
Once these are considered, the cloud holds great promise, and there is no limit to its potential and the secure environment it can provide. But it’s essential to adopt a new mindset which appreciates that it is a new game to be played and a new set of teammates to work with.
Sourced from Russell Spitler, Vice President, Product Strategy, AlienVault