Are the data and applications housed and deployed in your cloud environment safe? Well, the short answer, for most enterprises, is: yes, fairly. Considering just how wide the uptake of the cloud has been – with Forbes reporting 83% of enterprise workloads are to be cloud-side by 2020 – and the comparatively low number of breaches, it would be disingenuous to suggest your organization’s operations are likely just balancing on a knife edge.
However, Forbes also revealed that 66% of IT professionals say security is their most significant concern in adopting an enterprise cloud computing strategy. Simply put, cloud security is a major preoccupation for IT teams because the ramifications of a breach can be so great. Yes, major hacks are relatively infrequent and usually difficult to accomplish, but can be truly devastating when actually achieved. We all know some of the major attacks to have occurred over the last few years and the impact they’ve had: from loss of data, profit, trust, and reputation to, in some cases, the end of the company itself.
In essence then, the cost of properly managing a serious security risk is far less than the cost of that risk materializing. So, what are some of the key cloud security threats to look out for today?
The Human Link
Safeguarding against cyber-attacks is often as much a mental battle as a technological one, since hackers will look to exploit human “vulnerabilities”. Network World summarizes the four human emotions and behaviors hackers typically manipulate as part of a social engineering campaign:
- Fear: A specific threat is aimed at the targeted recipient(s), forcing them to act quickly and avoid harmful consequences. For example, a phony email stating that your online bank account has been compromised.
- Obedience: Because we’re taught from an early age to trust authorities, some people don’t question the legitimacy of communications from attackers who have posed as, for example, the police or a company executive. This can lead to the target of the attack complying with all manner of requests and instructions.
- Greed: Network World cites a classic example to explain this, the “419 Nigerian scam”, named after cyber-criminals posing as Nigerian officials by phone or email. Substantial rewards are offered in return for a small action, provided the target agrees to share their bank details to receive the reward.
- Helpfulness: Social engineering campaigns are often targeted at customer service departments, since the staff within are naturally inclined to be accommodating and agreeable. The targets may feel they are just doing their job by sharing certain information with the attacker. And in fairness, if suitable education and policy hasn’t been implemented by the organization, employees that unwittingly divulge sensitive information are actually just doing their jobs.
In a recent McAfee survey, 69% of respondents stated they trusted the cloud service provider (CSP) to keep their data secure, while 12% claimed the CSP is solely responsible for securing their data.
This is troubling, since CSPs are not fail-safe, nor are they wholly responsible for their customers’ security. Cloud service providers operate on a Shared Security Responsibility model, meaning Azure or Google Cloud for example, secures its own infrastructure – while the onus is on you to implement safeguards for the data and applications you store and deploy in the cloud.
The following diagram serves as a helpful reminder of how customer and vendor responsibilities are divided, for each service model:
In 2014, Microsoft Azure CTO, Mark Russinovich, identified CSP staff, who have access to a customer’s cloud, as a top security threat. Malicious insiders can include operators that deploy code less securely, those with access to cloud data centers, and developers writing cloud code. Russinovich recommended thorough employee background checks and restricted or monitored access to servers to help mitigate the threat.
That was five years ago, but the risk of having unscrupulous employees working at CSPs (or any organization) remains as immutable as human nature itself.
By default, the administrative SSH login is accessible from anywhere in AWS, meaning the entire internet can attempt a connection to Transmission Control Protocol (TCP) port 22. It’s understandable, yet worrying, just how many new users of AWS aren’t aware of this standard configuration.
To put it simply, if anyone can reach TCP port 22, anyone can theoretically become an attacker, leaving a company more exposed to threats such as DDoS attacks and data theft or loss.
A 2019 McAfee Cloud Adoption and Risk Report found that enterprises using IaaS/PaaS experience an average of 2,269 misconfiguration incidents per month, with 14 misconfigured services running at any given time. The top 10 AWS misconfigurations that the security giant observes are:
- EBS data encryption is not turned on
- Unrestricted outbound access
- Access to resources is not provisioned using IAM roles
- EC2 security group port is misconfigured
- EC2 security group inbound access is misconfigured
- Unencrypted AMI discovered
- Unused security groups discovered
- VPC Flow logs are disabled
- Multi-factor authentication is not enabled for IAM users
- S3 bucket encryption is not turned on
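As an added illustration of the world-open SSH and security-group items above (this is not code from the original post or from McAfee), the following Python audits security groups in the shape of the EC2 DescribeSecurityGroups response for admin ports reachable from the whole internet and for unrestricted outbound rules; the sample groups, IDs and CIDRs are constructed for this example, and a real run would feed in the API output instead.

```python
from ipaddress import ip_network

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (IDs and CIDRs made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "launch-wizard-1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _world_open(rule):
    """True when a rule's source/destination covers the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def _covers_port(rule, port):
    """True when the rule allows `port`: all protocols (-1) or a TCP range containing it."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def audit_security_groups(groups):
    """Return (group_id, finding) pairs: admin ports open to the world, unrestricted egress."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for port, name in ADMIN_PORTS.items():
                if _world_open(rule) and _covers_port(rule, port):
                    findings.append((sg["GroupId"], f"{name} (tcp/{port}) open to the internet"))
        for rule in sg.get("IpPermissionsEgress", []):
            if rule["IpProtocol"] == "-1" and _world_open(rule):
                findings.append((sg["GroupId"], "unrestricted outbound access"))
    return findings


if __name__ == "__main__":
    for group_id, finding in audit_security_groups(SAMPLE_GROUPS):
        print(group_id, finding)
```

The second sample group shows the intended state: SSH limited to one management range and egress limited to HTTPS, so it produces no findings.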
Unused Access Keys
When an employee with cloud management responsibilities leaves a company, their account should be deactivated or deleted. It’s when old and unused access keys stay enabled in the system – perhaps after a server goes into disuse or an employee retires – that the malicious use of compromised credentials becomes a possibility.
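An added example, not from the original post, of how the stale-key check described above can be expressed in Python over records that combine IAM ListAccessKeys and GetAccessKeyLastUsed fields; the users, key IDs, dates and the leavers list are constructed here, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample merging fields from IAM ListAccessKeys and GetAccessKeyLastUsed;
# users, key IDs and dates are made up for this example.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "retired-admin", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=700), "LastUsedDate": NOW - timedelta(days=180)},
    {"UserName": "old-server", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": None},  # never used
    {"UserName": "contractor", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=300), "LastUsedDate": NOW - timedelta(days=200)},
]
# Constructed leavers list; in practice this comes from HR or the identity provider.
DEPARTED_USERS = {"retired-admin"}


def stale_access_keys(keys, departed, now=NOW, max_idle_days=90):
    """Return {AccessKeyId: reason} for active keys that should be deactivated.

    A key is flagged when its owner has left, or when it has gone unused (or, if it
    was never used, has simply existed) for longer than max_idle_days.
    """
    flagged = {}
    for key in keys:
        if key["Status"] != "Active":
            continue  # already deactivated; nothing to do
        if key["UserName"] in departed:
            flagged[key["AccessKeyId"]] = "owner has left the organization"
            continue
        last_activity = key["LastUsedDate"] or key["CreateDate"]
        idle_days = (now - last_activity).days
        if idle_days > max_idle_days:
            state = "unused" if key["LastUsedDate"] else "never used"
            flagged[key["AccessKeyId"]] = f"{state} for {idle_days} days"
    return flagged


if __name__ == "__main__":
    for key_id, reason in stale_access_keys(SAMPLE_KEYS, DEPARTED_USERS).items():
        print(f"deactivate {key_id}: {reason}")
```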
Insufficient Inbuilt Security
When a new adopter of the cloud is navigating their recently-acquired setup, they will undoubtedly find native cloud management security in place. However, providers only offer a handful of security analyses, leaving users inadequately prepared for the slew of threats lurking in cyberspace.
This is where cloud management services (CMS) providers have stepped in, their solutions ideally comprising hundreds of best practice checks, supported by a team of cloud-certified experts. A proficient CMS provider will:
- Proactively monitor cloud security and resolve issues as a full-time job, removing the burden from internal IT staff.
- Have carved a niche in cloud security, by building a team of certified experts who constantly keep informed and abreast of the latest threats.
- Constantly monitor your environment for the SSH vulnerabilities, misconfigured services, and unused access keys we’ve mentioned in this blog.
- Perform near real-time vulnerability patching with self-healing automation and deliver detailed reports on the ongoing health of your cloud.
For an insightful guide to all things cloud, download our e-book today.