Dissecting the “Treacherous Twelve” Cloud Computing Threats in 2016, Part 1
Though more businesses than ever are moving to the cloud, the space is still not completely devoid of risk. To address some of these threats, the Cloud Security Alliance developed the “Treacherous Twelve” report. While these are certainly plausible threats, there are ways to limit your exposure to their harmful effects.
In the first of a two-part series, we’re going to break down six of these threats. What are they? What kind of harmful effects can they have on a business? How can you stop them? We’ll start with one of the more well-known threats out there.
Data Breaches
A data breach can happen in both a cloud environment and a more traditional on-prem network. Your company’s data has different value to different parties. For example, organized crime will likely go after financial, health, or personal information to aid in fraudulent activities. Meanwhile, competitors might want to get proprietary information or intellectual property. Or you may run into someone who simply wants to expose an embarrassing or damaging secret. When a data breach occurs, companies may incur large fines, and in some cases may be subject to civil lawsuits and criminal charges.
Cloud providers have strong security protocols for certain aspects, but, ultimately, a business is responsible for protecting its own data in the cloud. The best first step is installing an effective security program. Adopt multifactor authentication and encryption, and you can reduce the likelihood of a breach.
Insufficient Identity, Credential and Access Management
According to the CSA report, “data breaches and enabling of attacks can occur because of a lack of scalable identity access management systems, failure to use multifactor authentication, weak password use, and a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates.” Consider that identity systems must be scalable in order to handle lifecycle management for millions of users, as well as managed service providers. If an employee leaves the company for any reason, or even changes roles within the company, identity management systems need to immediately update that level of access.
Malicious actors pretending to be legitimate users, operators or developers can extract, modify, and delete data. Any centralized storage mechanism containing data secrets — including passwords, private keys, and customer databases — is a valuable target for attackers. Centralizing passwords and keys is convenient, but it’s not the most secure. Monitoring and protecting identity and key management systems should be a major priority for any business. As these systems become more interconnected, MSPs can help reduce the need for user maintenance.
Insecure Interfaces and APIs
Cloud providers expose a set of software user interfaces (UIs) or application programming interfaces (APIs) for customers to use. These interfaces have to be designed to protect against both accidental and intentional attempts to get around policies. APIs and UIs are typically the most exposed part of a system, and as organizations and third parties build on these interfaces to offer value-added services to their customers, it can increase risk.
A business must understand the security implications around using, managing, orchestrating, and monitoring cloud services. Threat modeling applications and systems, including data flows and architecture, are crucial parts of the development lifecycle. Beyond just conducting security-specific code reviews, penetration testing goes from optional to mandatory.
System Vulnerabilities
System vulnerabilities are “exploitable bugs in programs that attackers can use to infiltrate a computer system for the purpose of stealing data, taking control of the system, or disrupting service operations.” Bugs aren’t anything new, but they became exploitable remotely when networks were created. And as systems from different organizations are placed in close proximity, shared memory and resources have created a new attack surface.
Fortunately, basic IT processes can reduce these attacks: consistent vulnerability scanning, reporting system threats, and installing security patches and upgrades help tremendously. Unpatched system vulnerabilities are extensive and expensive — the cost of putting IT processes in place to discover and repair vulnerabilities pales in comparison to the potential damage they’re capable of. This is particularly important for highly regulated organizations, like banks or government institutions. Vulnerability scenarios must be created to ensure all activities are properly documented and reviewed before being validated and closed out. If an alternative method of handling a threat is used, including elimination, transference or acceptance, that method must be documented and tracked as well.
Account Hijacking
Phishing, fraud, and exploitation of software vulnerabilities continue to be effective methods of obtaining sensitive data. Cloud platforms, including AWS and Azure, only add a new wrinkle to things: “if an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.” Especially if you’ve built up a reputation of trust, an attack or two like this can really damage your credibility.
With stolen credentials, attackers can access critical areas of the cloud, stealing data, impacting services, harming reputations, and a whole lot more. To avoid this, organizations should refrain from sharing account credentials among users and services. Embracing strong two-factor authentication is a good move, too, as is keeping track of all accounts and account activity. If an account can’t be traced back to a human owner, that’s a red flag.
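As an added illustration (not from the original post or the CSA report), the following Python script audits a constructed account inventory against an HR roster for the conditions this section and the identity section above call out: accounts with no human owner, owners who have left or changed role, users without multifactor authentication, and credentials past a rotation window. The inventory, roster, field names and 90-day rotation policy are all assumptions.

```python
# Constructed sample data: an HR roster keyed by username, and an export of
# cloud accounts (human users and service accounts) with their credentials.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "terminated", "role": "engineering"},
    "carol": {"status": "active", "role": "support"},  # moved from engineering
}

ACCOUNTS = [
    {"name": "alice", "owner": "alice", "kind": "user", "role": "finance",
     "mfa": True, "key_age_days": 30},
    {"name": "bob", "owner": "bob", "kind": "user", "role": "engineering",
     "mfa": True, "key_age_days": 10},
    {"name": "carol", "owner": "carol", "kind": "user", "role": "engineering",
     "mfa": False, "key_age_days": 200},
    {"name": "deploy-svc", "owner": None, "kind": "service", "role": "engineering",
     "mfa": False, "key_age_days": 400},
    {"name": "billing-svc", "owner": "alice", "kind": "service", "role": "finance",
     "mfa": False, "key_age_days": 45},
]

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for keys and passwords


def audit_account(acct, roster, max_key_age=MAX_KEY_AGE_DAYS):
    """Return the list of hygiene findings for one account (empty if clean)."""
    findings = []
    person = roster.get(acct["owner"]) if acct["owner"] else None
    if person is None:
        findings.append("no human owner")            # untraceable account
    elif person["status"] != "active":
        findings.append("owner no longer active")    # lifecycle not applied
    elif person["role"] != acct["role"]:
        findings.append("role mismatch")             # access not updated on role change
    if acct["kind"] == "user" and not acct["mfa"]:
        findings.append("mfa disabled")              # human logins should use MFA
    if acct["key_age_days"] > max_key_age:
        findings.append("credential past rotation window")
    return findings


def audit(accounts, roster):
    """Map each account name to its findings, omitting accounts with none."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, roster)
        if findings:
            report[acct["name"]] = findings
    return report
```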
Malicious Insiders
The European Organization for Nuclear Research defines an insider threat as follows:
“A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
This is one of the areas where cloud providers can struggle. Encrypted implementations can still be vulnerable to attack. But with constant monitoring, auditing, and logging of activities, an organization can avoid insider threats. A company can also control access and the keys themselves — our DACMA offering is one such tool for this — in order to assign duties and restrict access by role.
A good reminder, as well: an “Insider Threat” doesn’t necessarily mean someone is acting maliciously. An employee could simply upload sensitive data in a public forum by accident, for example.
These six threats can be damaging to your company, but by taking the steps discussed here, you’ll be ahead of the game. Check back on the blog soon as we cover the remaining six threats to look out for in the cloud, and how you can best combat them. In the meantime, feel free to check out the Cloud Security Alliance site for more information and upcoming events. As a CSA member, we’re well-positioned to report on these threats, and are happy to help answer any additional questions, as well.