As the needle cloud attacks more and more, business users must assess their cloud security controls ahead of time. In this article, Dave Shackleford provides some best practices for defending against cloud attacks.
Alert Logic recently released a 2014 cloud security report showing a significant increase in the number of attacks against the cloud recently. But are corporate cloud infrastructures ready to fight cloud attacks?
Given the increasing number of attacks against the cloud, all organizations using cloud computing services should assess the state of the security controls they have implemented.
The types of available controls that apply to customer configuration and control depend on the cloud service pattern used. For Software as a service (SaaS), the only possible configuration is in the context of the cloud application. This configuration can include logging and access control (such as password policy and multifactor authentication, MFA, and so on), as well as roles and permissions assignments within the application. For platform-Service (PaaS) deployments, management control is implemented through the service console, which focuses on access control and user roles and permissions. Most PAAs environments also provide access to a large number of application programming interfaces (APIs) that require careful evaluation of potential security issues.
In this article, we will discuss the best practices that enterprise organizations should follow in assessing cloud security controls.
Vulnerability scanning and Penetration testing
Vulnerability scanning and penetration testing must be performed by all PAAs and infrastructure-service (IaaS) cloud services. Whether they are hosting applications in the cloud or running servers and storage infrastructures, users must evaluate the security status of systems exposed to the Internet. Most cloud vendors agree to perform such scans and tests, but this requires that they fully communicate and coordinate with customers and/or testers in advance to ensure that other tenants (users) do not experience disruptions or performance effects.
For the integration of test APIs and applications in a PAAs and IAAS environment, organizations that collaborate with cloud vendors should focus on data in transit and potentially illegal access to applications and data by bypassing identity authentication or injection attacks.
Configuration Management
The most important element of cloud security is configuration management, which includes patch management.
In a SaaS environment, configuration management is handled entirely by the cloud vendor. Where possible, customers can provide some patch management and configuration management practices to vendors through the Certification Business Guidelines Bulletin (SSAE) 16th, the Service organization Control (SOC) report or ISO certification, and the security, trust, and Assurance registration certificate of the Cloud Security alliance.
In a PAAs environment, the development and maintenance of the platform is the responsibility of the supplier. The libraries and tools for application configuration and development may be managed by enterprise users, so security configuration standards still fall within the scope of internal definition. These standards should then be applied and monitored in the PAAs environment.
For IAAS environments, cloud providers should demonstrate the viability of their in-house practices, but their customers also manage their own virtual machines (VMS). Given the degree of openness in the cloud environment, these elements should be protected as securely as possible. From the security configuration of the Internet Security Center, Microsoft and other operating system and application providers are a reliable way, but enterprise users should not be satisfied with the internal operation of the security configuration, because the cloud is inherently more open. Turn off all unnecessary services, remove all unwanted applications and code, restrict access to users and groups to the minimum necessary, and always ensure real-time patching of the system.
For users running a private cloud implementation of the IAAS environment, this requires a variety of network control measures are also configurable. For example, a virtual private cloud in an Amazon Network Service (AWS) can support a dedicated VPN connection through IPSec. Ensure that IPSec-related parameters are configured correctly, and that all other network facilities, such as firewalls and intrusion detection and prevention systems, are set up and protected.
Security Control for cloud vendors
Where is the entry point for cloud vendors into the security configuration process? The cloud vendor is responsible for all infrastructure operations, including virtualization technologies, networking, and storage. It is also responsible for its related code, including the management interface and APIs, so it is necessary to evaluate its development practices and system development lifecycle. Only IaaS customers have real control over the entire system specification; If the virtual machine is deployed based on a vendor-supplied template, such as Amazon's virtual machine image, then the virtual machines should be carefully studied and secured before they are actually used.
Conclusion
How does an organization determine how much time, effort and money should be invested in strengthening its preparedness to respond to cloud attacks? The answer depends on the sensitivity of the enterprise's hosted systems and data in the cloud.
Regardless of their sensitivity, all enterprises should invest the necessary time in assessing the security features and controls of the cloud vendor to determine whether they are satisfied. The Cloud Security Alliance's consensus Assessment Questionnaire (CAIQ) is a good starting point for asking cloud vendors. Companies should ensure that their audit and security teams are able to periodically review feedback and audit and validation reports such as Soc 2. For systems and applications deployed in the cloud, patching, configuration management, and application security, including development and evaluation, are important areas for investment. User access control and role and privilege assignment are also critical.
Before an attack or incident occurs in a cloud environment, it is critical that the organization understand as much as possible about the security controls maintained by the vendor and the security controls that are used by the user, as this will help the decision makers to make more comprehensive and informed risk decisions.