Security in the Cloud

Srishti Mishra
Information Security 101
4 min read · Dec 17, 2018


The increasing popularity of cloud services and applications, with servers handling millions of queries a minute and hosting vast stores of customer data, has led to a number of security concerns in this vast and rapidly changing landscape. Cloud services work in multi-tenant environments, sharing the underlying resources with multiple other applications, creating a new attack surface. Moreover, the high concentration of data and operations in one place makes a data breach or account hijacking especially costly to a company.

This is part of a series covering topics in Information Security:

  1. Introduction to Information Security
  2. Security in the Cloud (this post)
  3. Challenges in Mobile Security

A Cloud Service Provider must keep the following challenges in mind while creating a secure platform (ensuring Confidentiality, Integrity and Availability (CIA) of systems, as explained in the previous post):

  1. Protect applications against unauthorized access using robust Identity and Access Management
  2. Design secure APIs and prevent malicious attacks against them
    - These APIs are used to provision, manage and monitor applications or machines in the cloud, and hijacking them could have disastrous consequences
  3. Ensure resource availability and monitor/repair services (such as networking)
  4. Ensure data privacy and security
  5. Provide separation of resources among multiple clients

Amazon Web Services (AWS), for example, follows a Shared Security Responsibility Model where AWS takes care of the security of underlying cloud infrastructure and the customer is responsible for securing workloads and applications deployed in the cloud.

Possible attacks

Note: Precautions help in avoiding such scenarios; however, they are not foolproof.

Account or Service Traffic hijacking

In this attack, an organisation or individual’s cloud account is hijacked or stolen by an attacker. If attackers get access to critical infrastructure in a cloud service, the confidentiality, integrity and availability of the system are at risk. They can extract sensitive data, modify transactions, redirect users to phishing sites and so on.

Precautions

  • Multi-factor authentication: Require users to sign in with a static password plus a dynamic one-time-password (typically sent over SMS or email)
  • Use intrusion detection systems
  • Encrypt sensitive data and securely back up all data

Advanced Persistent Threats (APT)

This is usually a complex, well-funded cyberattack undertaken by an intruder or team of intruders to infiltrate the system and remain undetected over a long period of time. The attacker generally gains a foothold in the system through SQL injection, trojans, spear-phishing, etc. and installs a backdoor in the system. Over time, data is collected across the system and more areas of the system are compromised (the malware could move laterally through the data center). Following this, attackers can perform complete site takeovers, damage major critical infrastructure and extract large amounts of data from the system.

Precautions

  • Whitelist applications and domains which interact with the service
  • Monitor access given to employees through behaviour analytics and routine checks to detect hijacked accounts or anomalous behaviour
  • Monitor traffic going in and out of the system through firewalls to detect payloads for backdoor shells, data extraction over the network, and anomalous network traffic
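
The allowlisting and outbound traffic monitoring precautions above, as an added example that is not part of the original post. It checks egress flow records against a domain allowlist and flags hours where a host sends far more data than its own baseline. The host names, domains, byte counts and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Assumption: the only destinations this service is expected to contact.
ALLOWED_DOMAINS = {"api.payments.example", "updates.vendor.example"}

# Constructed sample data: bytes sent per hour by two hypothetical hosts.
WEB = [120_000, 118_000, 125_000, 121_000, 119_000, 122_000]
DB = [80_000, 82_000, 79_000, 81_000, 83_000]
# Flow records: (hour, source host, destination domain, bytes sent).
FLOWS = (
    [(h, "web-1", "api.payments.example", b) for h, b in enumerate(WEB)]
    + [(h, "db-1", "updates.vendor.example", b) for h, b in enumerate(DB)]
    + [(5, "db-1", "files.unlisted.example", 9_500_000)]
)


def analyze_egress(flows, allowed=ALLOWED_DOMAINS, threshold=3.5, min_hours=4):
    """Return (unlisted, spikes) for a list of egress flow records."""
    # Check 1: any destination that is not on the allowlist.
    unlisted = sorted({(src, dst) for _, src, dst, _ in flows if dst not in allowed})

    # Check 2: hourly outbound volume per host, compared with that host's
    # own baseline using a median/MAD score, which one huge transfer cannot skew.
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, src, _, nbytes in flows:
        hourly[src][hour] += nbytes

    spikes = []
    for src in sorted(hourly):
        volumes = list(hourly[src].values())
        if len(volumes) < min_hours:
            continue  # too little history to form a baseline
        med = statistics.median(volumes)
        mad = statistics.median([abs(v - med) for v in volumes])
        # Flat baseline (MAD of 0): fall back to 5% of the median as the scale.
        scale = mad or max(med * 0.05, 1)
        for hour, sent in sorted(hourly[src].items()):
            if sent > med and 0.6745 * (sent - med) / scale > threshold:
                spikes.append((src, hour, sent))
    return unlisted, spikes


if __name__ == "__main__":
    unlisted, spikes = analyze_egress(FLOWS)
    print("destinations not on allowlist:", unlisted)
    print("outbound volume spikes:", spikes)
```

In practice the flow records would come from firewall or flow logs, and the threshold would be tuned against normal traffic for each host.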

Meltdown and Spectre vulnerabilities

These were discovered in January 2018 and are basically microprocessor vulnerabilities which allow data to be read from memory using malicious JavaScript code. For an in-depth analysis of these vulnerabilities, check out this article from CSO.
The vulnerabilities could lead to side-channel attacks where an actor in the cloud could view data being used by other applications sharing the system.

Precautions

  • Ensure that servers are updated with the latest software patches to make it harder to execute the attack

Cloud Security Best Practices

by Cloud Standards Customer Council

  1. Ensure effective governance, risk and compliance processes exist
  2. Audit operational and business processes
  3. Manage people, roles and identities
  4. Ensure proper protection of data and information
  5. Enforce privacy policies
  6. Assess the security provisions for cloud applications
  7. Ensure cloud networks and connections are secure
  8. Evaluate security controls on physical infrastructure and facilities
  9. Manage security terms in the cloud service agreement
  10. Understand the security requirements of the exit process

More about these practices can be found here.

Note: This post has been made with reference to slides used in Information Security lectures by Mr Prasad Honnavalli and various online sources
