Cloud Security Assessment
Secure Cloud Computing
Cloud computing has brought with it a gold rush of sorts, with many organizations rushing into the promise of cost reductions, operational efficiencies and improved security. While these can be realistic goals for organizations that have the resources to adopt cloud technologies properly, too many enterprises jump into the cloud without understanding the full scope of the undertaking.
Without a complete understanding of the cloud service provider (CSP) environment, applications or services are pushed to the cloud, and operational responsibilities such as incident response, encryption, and security monitoring are never given priority. In a bid to help organizations, Bunifu Technologies seeks to find suitable cloud service providers and packages that meet their requirements without compromising quality, and that are cost efficient. For those already using these services, we assess their security posture and help them enforce appropriate security measures.
The Cloud Controls Matrix (CCM) policies and requirements published by the Cloud Security Alliance are among the guidelines we use to help your organization stay safe and make full use of cloud services.
1. Data Breaches
It’s every CIO’s worst nightmare: the organization’s sensitive internal data falls into the hands of their competitors. While this scenario has kept executives awake at night long before the advent of computing, cloud computing introduces significant new avenues of attack. Areas of concern in mitigating this include:
- Information Management and Data Security
- Application Security
- Identity, Entitlement and Access Management
Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other. You may be able to encrypt your data to reduce the impact of a data breach, but if you lose your encryption key, you’ll lose your data as well. Conversely, you may decide to keep offline backups of your data to reduce the impact of a catastrophic data loss, but this increases your exposure to data breaches.
2. Data Loss
Data loss can result from a malicious attacker, loss of the encryption key for encrypted data, physical catastrophes such as earthquakes, or accidental deletion by the service provider or the user. All of these threats need to be mitigated. Measures include:
- Maintaining an audit trail or documentation
- Offline backups
- Compliance with existing cloud service policies.
3. Account Hijacking
Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks.
Organizations should be aware of these techniques as well as common defense in depth protection strategies to contain the damage (and possible litigation) resulting from a breach. Organizations should look to prohibit the sharing of account credentials between users and services, and leverage strong two-factor authentication techniques where possible.
4. Insecure Interfaces/APIs
Cloud service providers expose APIs or software interfaces that customers use to interact with their services. Provisioning, management, orchestration, and monitoring are all performed through these interfaces. The security and availability of cloud services in general therefore depends on the security of these basic APIs.
Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability. Relevant control areas include:
- User Access Restriction/Authorization
- Security Architecture – Data Security/Integrity
- Security Architecture – Application Security
5. Denial of Service
This attack denies users access to the service. By forcing the victim cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth, the attacker (or attackers, in the case of distributed denial-of-service (DDoS) attacks) causes an intolerable system slowdown and leaves legitimate users confused and angry as to why the service isn’t responding.
Asymmetric application-level DoS attacks take advantage of vulnerabilities in web servers, databases, or other cloud resources, allowing a malicious individual to take out an application using a single extremely small attack payload – in some cases less than 100 bytes long. Relevant control areas include:
- Information Security – Baseline Requirements
- Operations Management – Capacity/Resource Planning
- Resiliency – Equipment Power Failures
- Security Architecture – Application Security
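As an added example (not code from the page or from Bunifu Technologies), the following Python heuristic looks for the asymmetry just described from the defender's side: it scans access-log lines for clients whose requests are tiny but consistently consume disproportionate server time. The log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
"""Heuristic detector for asymmetric application-level DoS (added example).

Flags clients whose requests are tiny but consume large amounts of server
time. Log format, thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
# Assumed log format: <client_ip> <method> <path> <request_bytes> <response_ms>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

# Constructed sample log lines (documentation-range IPs, not real traffic)
SAMPLE_LOG = """\
203.0.113.7 POST /search 64 4800
203.0.113.7 POST /search 61 5100
203.0.113.7 POST /search 66 4950
198.51.100.20 GET /index.html 210 12
198.51.100.20 GET /static/app.js 180 9
192.0.2.44 POST /upload 524288 900
"""

def parse_log(text):
    """Yield (client, request_bytes, response_ms) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(4)), int(m.group(5))

def find_asymmetric_clients(text, max_request_bytes=100,
                            min_ms_per_byte=10.0, min_requests=3):
    """Return {client: avg_ms_per_byte} for clients with at least min_requests
    requests of <= max_request_bytes whose server time per request byte is
    >= min_ms_per_byte. Thresholds are assumed values, tune per service.
    """
    stats = defaultdict(lambda: [0, 0, 0])  # [count, bytes, ms] of small requests
    for client, req_bytes, ms in parse_log(text):
        if req_bytes <= max_request_bytes:
            s = stats[client]
            s[0] += 1
            s[1] += req_bytes
            s[2] += ms
    flagged = {}
    for client, (count, total_bytes, total_ms) in stats.items():
        ms_per_byte = total_ms / max(total_bytes, 1)  # guard zero-byte requests
        if count >= min_requests and ms_per_byte >= min_ms_per_byte:
            flagged[client] = round(ms_per_byte, 1)
    return flagged

if __name__ == "__main__":
    print(find_asymmetric_clients(SAMPLE_LOG))  # {'203.0.113.7': 77.7}
```

The large upload from 192.0.2.44 is slow but not asymmetric, so it is correctly left alone; only the client sending ~60-byte requests that each cost seconds of server time is flagged.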
6. Malicious Insiders
CERT defines an insider threat as such:
A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Implications: From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems, and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at great risk here. Even if encryption is implemented, if the keys are not kept with the customer and are only available at data-usage time, the system is still vulnerable to malicious insider attack.
7. Abuse of Cloud Services
This involves using an array of cloud servers to stage a DDoS attack, serve malware or distribute pirated software. Such activities constitute abuse.
This is more of a provider problem: the provider needs to find ways to prevent, detect and eliminate such abuse.
- Information Security – Incident Response Legal Preparation
- Information Security – Acceptable Use
8. Insufficient Due Diligence
An organization that rushes to adopt cloud technologies subjects itself to a number of issues. Contractual issues arise over obligations on liability, response, or transparency by creating mismatched expectations between the CSP and the customer. Pushing applications that are dependent on “internal” network-level security controls to the cloud is dangerous when those controls disappear or do not match the customer’s expectation. Unknown operational and architectural issues arise when designers and architects unfamiliar with cloud technologies are designing applications being pushed to the cloud.
The bottom line for enterprises and organizations moving to a cloud technology model is that they must have capable resources, and perform extensive internal and CSP due diligence to understand the risks they assume by adopting this new technology model.
9. Shared Technology Issues
Cloud service providers deliver their services in a scalable way by sharing infrastructure, platforms, and applications. Whether it’s the underlying components that make up this infrastructure (e.g. CPU caches, GPUs, etc.) that were not designed to offer strong isolation properties for a multi-tenant architecture (IaaS), re-deployable platforms (PaaS), or multi-customer applications (SaaS), the threat of shared vulnerabilities exists in all delivery models. A defense-in-depth strategy is recommended and should include compute, storage, network, application and user security enforcement, and monitoring, whether the service model is IaaS, PaaS, or SaaS. The key point is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.
A compromise of an integral piece of shared technology such as the hypervisor, a shared platform component, or an application in a SaaS environment exposes more than just the compromised customer; it exposes the entire environment to potential compromise and breach. This vulnerability is dangerous because it can potentially affect an entire cloud.