Cloud computing has ushered in a new paradigm and way of doing business. Rather than hosting all data storage and applications on-premises, organisations can rent space on the cloud. By using third-parties, organisations are assured of the quality and level of service that they require (due to Service Level Agreements) without having to install, operate, and maintain that infrastructure themselves. The cloud also provides organisations and individuals with a greater level of flexibility since resources can be rented and released at need to meet the waxing and waning of the organisation’s infrastructure needs.
When dealing with the cloud, cloud security is a significant concern. In fact, 44% of security professionals believe that it’s the riskiest emerging technology (even ahead of Internet of Things). Organisations routinely put their applications, sensitive data, etc. on the cloud where it is outside of their organisation’s perimeter defences and largely outside of their control. If an organisation doesn’t know how to properly secure their cloud deployment (and the number of cloud-related breaches seem to indicate that many don’t), the price of the cloud’s convenience may be the security of their sensitive data.
Hacking the Cloud
The cloud is a wonderful resource, but it presents very different security problems from on-prem deployments. With the cloud, you’re trusting your Cloud Services Provider (CSP) to properly secure the environment that you are leasing from them. Some of the security issues experienced when working on the cloud involve mismanaged permissions, social engineering, and vulnerabilities created by sharing a cloud environment.
Amazon S3 buckets are a popular way to store data. They’re reasonably priced, scalable, and easily accessible; all of which are desirable to an organisation. Unfortunately, their popularity has also meant a lot of S3-related data breaches have occurred since laziness or lack of understanding causes people to improperly secure them.
In general, cloud data storage has two main privacy options: public and private. The private option is fairly self-explanatory. You can only access data stored in a private bucket if you’re invited. One example of this is the link sharing that you use with Google Drive.
The concept of public buckets seems (and is) simple, but obviously is a bit harder to grasp. With a public bucket, anyone who knows the URL of the bucket can access this. While it may seem unlikely that an unauthorised party would ever find your public bucket, tools exist for scanning specifically for them.
And many organisations have had buckets that were set to public when they shouldn’t have been. These organisations have had to report data breaches of customer PII, intelligence data, voter data, etc. Even crazier, buckets are private by default, so someone had to make the decision to make them public (probably because it takes work to explicitly invite each person). As a result, 70 million sensitive records were leaked in 2018 due to poor security configuration of cloud storage.
Social engineering is one of the most common ways that the cloud is used to compromise organisations. In general, instead of using this attack vector to steal peoples’ data directly, the cloud is used as a stepping stone toward a larger goal.
In many cases, these attacks use the same link sharing functionality that makes services like Google Drive so convenient. You get an email from Google saying that someone wants to share a document with you. You click on it, get that page where it says that “Google Docs” will need certain permissions, and you grant them because the permissions make sense. End result, you’ve just compromised your login credentials since Google has no rule against web app creators using the same name as legitimate services.
This is only one example of a way that cloud services are involved in cybersecurity incidents. Some malware uses Google services for malware delivery and command and control since the google.com domain is so commonly visited and widely trusted. People have been desensitised to the message saying that Google cannot virus scan certain large files and download them without question. The cloud is useful to us, but it’s also useful to hackers.
Spectre and Meltdown
If you’ve been following cybersecurity news in the last year or so, you may have heard of the chip vulnerabilities Spectre and Meltdown (the best known of several that have been discovered). These vulnerabilities take advantage of an optimisation used in chips called speculative execution, where the chip does something before it knows if it’s needed in order to avoid delays. Attackers exploit speculative execution to gain access to memory locations that are usually unreachable.
Chip vulnerabilities are an issue for cloud security since, while different cloud instances on a server have their own virtual processors, they share the same pool of memory on the host. Exploitation of a speculative execution vulnerability could allow a malicious cloud instance to read sensitive data stored on another one.
Securing Your Cloud
The cloud is an extremely convenient and valuable resource; however, threats do exist for it that are not mirrored in on-premises deployments. When moving to the cloud, it’s important to take additional steps to secure your cloud-based resources.
One of the major security issues when dealing with the cloud is limited visibility and control over your operating environment. Deploying cloud and data security solutions is a good idea to help with centralising management, monitoring cloud-based databases, and protecting your web applications from attack.