In March the Cloud Security Alliance published “Top Threats to Cloud Computing V 1.0” to help organizations better understand the risks of cloud computing and to consequently make more informed risk management decisions when adopting cloud strategies. In that document the CSA outlined seven threats and suggested steps for remediation.
At Trend we have traditionally embraced a layered approach to security, and cloud security is no different. Each layer alone is valuable but not impenetrable; together the layers form effective protection. Mimicking this traditional layered approach for cloud security can help minimize the top threats identified by the CSA…
Any layers provided by the cloud vendor are a good thing but, we believe, should not be exclusively relied upon. Doing that leaves many customers with completely homogeneous security, which provides an attractive attack surface and one with which the bad guys can easily experiment. It also makes change management very difficult – your cloud vendor can’t get sign-off from all their customers before making a change (in the way good practice would dictate you do with key stakeholders for your internal security solutions). Vendor switching becomes harder as well because important internal and external audits have to be renewed for the new vendor – they are time consuming and expensive. So we recommend that customers provide their own layers of security in addition to whatever their cloud provider brings to the table.
- Encrypt all sensitive data – the information that is exclusive to, and owned by, your organization. The operating system and applications are less important here – typically in the cloud they are standard images that are simply recycled back to a master image on shutdown. It’s the information proprietary to you, or that you have collected from customers and business partners, which you generally have a legal obligation to protect.
- Ensure that your Firewall, IPS, and IDS protect each of your virtual machines separately. Particularly in a Public Cloud environment the other virtual machines running on the same physical hardware as you should be considered hostile. The firewall at the cloud providers’ perimeter can’t help you here.
- Only decrypt your data within that secure container you’ve established for your virtual machine. Be sure you check for tampering and data stealing malware before decrypting your data.
- Make sure that you are in control of the encryption keys – it’s your data!
Here’s how the layered approach could help mitigate the top threats identified by CSA:
Abuse and Nefarious Use of Cloud Computing
(Cybercriminals using the cloud to do bad things like create and spread botnets)
This isn’t a specific threat to cloud computing, as it applies equally to physical servers in a data centre, so the approach outlined isn’t targeted at solving this. However, a security solution which combines web, email, and file reputation with correlation and behavior analysis would be able to identify usage patterns and block IP addresses. We would consider this a necessary component of modern malware protection that applies equally for all devices from cloud based virtual servers through to netbooks and smartphones.
Insecure Application Programming Interfaces
(Cybercriminals gaining access to your virtual image)
By encrypting your data you ensure that cybercriminals are unable to access your information, because you haven’t authorised the release of keys. They may be able, for example, to use an insecure API to start up a copy of your machine within their user space but no key = no value – the advantage of layers.
Malicious Insiders
(Employees who intentionally steal data or information for their own purposes or to sell to others)
You could be forgiven for wondering how much power internal administrators at a cloud provider have to access and manipulate your machines and data. Certainly there are some strong technical support arguments for that being a good idea. It’s one key driver for suggesting that an organization provides their own security independent of the cloud provider. That security then protects against the malicious insider.
Shared Technology Issues
(Shared infrastructure can result in flaws opening the platform to intrusion)
Firewalling machines protects them from network attacks and encryption protects your data on the SAN and machines. The perimeter firewall becomes an extra layer removing some of the threats before they hit your machine. The shared internal network isn’t an issue because you have a second layer of defence around your virtual server that you control. Nothing can protect the RAM on your server from being read if someone manages to breach the hypervisor, because you have to get the data into memory in the clear at some point to use it. So far we aren’t aware of that being possible outside the lab and it’s something that is being very closely monitored by a lot of people. Having your own firewall protecting your own machine creates a tight perimeter around your stuff that keeps threats from elsewhere within the data centre at bay.
Data Loss or Leakage
(Unintentional data compromise)
By protecting the data at rest and in motion using encryption, and then decrypting it only inside a carefully secured container at the point of use, we have ensured that the threat of data loss or leakage from the public cloud is tantamount to that in a traditional physical data centre. We still cannot prevent, for example, an unsecured web application from leaking customer data, but we have leveled the playing field from a security perspective while allowing you to take advantage of the cost benefits of the cloud.
Account or Service Hijacking
(Compromise of accounts or services)
To get access to sensitive data under the model proposed someone would need to hijack both your account with the cloud service provider and also your user account to approve release of encryption keys. Since these accounts should really be managed by different users with different passwords (separation of duties), it is much more difficult to simultaneously compromise both. Obviously dual factor authentication for each of these accounts is another sensible layer which we would recommend.
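A sketch of the key-release gate this model implies, as an added example rather than code from Trend Micro or any product: the customer-held key is released only when the approver is a separate, authorised identity and the instance passes the tamper and malware checks. The account names, the digest inputs and the `release_key` function are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; every name here is hypothetical.
GOLDEN_DIGEST = hashlib.sha256(b"constructed golden VM image").hexdigest()
KEY_APPROVERS = {"key-custodian"}     # distinct from the cloud console account
_DATA_KEY = secrets.token_bytes(32)   # held by the customer, never by the provider


def release_key(cloud_account, approver, image_digest, scan_clean):
    """Return (key, reasons); key is None unless every layer's check passes."""
    reasons = []
    if approver not in KEY_APPROVERS:
        reasons.append("approver not authorised to release keys")
    if approver == cloud_account:
        reasons.append("same identity on both accounts (no separation of duties)")
    if not hmac.compare_digest(image_digest, GOLDEN_DIGEST):
        reasons.append("image digest mismatch (possible tampering)")
    if not scan_clean:
        reasons.append("malware scan not clean")
    return (None, reasons) if reasons else (_DATA_KEY, [])


def scenarios():
    """Run the gate over four constructed requests and return the outcomes."""
    tampered = hashlib.sha256(b"constructed modified VM image").hexdigest()
    return {
        "legitimate start": release_key("cloud-ops", "key-custodian", GOLDEN_DIGEST, True),
        # A hijacked cloud account can start a copy of the VM, but cannot
        # approve the key release for it on its own.
        "hijacked cloud account only": release_key("cloud-ops", "cloud-ops", GOLDEN_DIGEST, True),
        "tampered image": release_key("cloud-ops", "key-custodian", tampered, True),
        "malware found": release_key("cloud-ops", "key-custodian", GOLDEN_DIGEST, False),
    }


if __name__ == "__main__":
    for name, (key, reasons) in scenarios().items():
        outcome = "key released" if key else "denied: " + "; ".join(reasons)
        print(f"{name}: {outcome}")
```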
Unknown Risk Profile
(Exposure to others who are sharing your cloud vendor’s resources as well as hardware/software version and software updates now being managed by the cloud vendor)
By giving the enterprise the tools to control their own security in a public cloud environment we remove the uncertainty the provider introduces and protect against threats from other customers within the data centre. It also gives the enterprise the ability to move between providers keeping their security (and any compliance / audits that depend on it) intact.
So we believe with the right approach and security solutions you can make the public cloud just as secure as a typical traditional corporate data centre. For projects and organisations with the right profile we are hearing some dramatic cost saving stories and we see it as our job to ensure that security becomes a facilitator not a barrier. At Trend Micro we have two products – Deep Security™ and SecureCloud™ – which when layered together can achieve the four recommendations above and counter the threats identified. Deep Security is available and already in widespread use today and SecureCloud enters public beta over the summer following successful pilot trials.