Will We Really Be Secure in the Cloud?
This article focuses on cloud security, which is definitely one of the top areas of concern for companies considering a move to the cloud. Do a quick online search of “cloud security survey,” and you’ll find some recurring themes:
- A majority of those surveyed state security is their main concern with cloud computing.
- Some still fear a loss of physical control over their data.
- Most of them are moving workloads to the cloud anyway.
Obviously, this is a hot topic. But it’s also a massive and complex topic. As such, I’m going to focus on high-value targets, such as dispelling common misperceptions and recommending various security options and best practices.
Fear and trust
People tend to fear what they don’t understand, and many people simply don't understand in detail how public clouds work. As an analogy, do you understand in detail how your bank keeps your money safe? Most likely, you feel pretty confident given what you’ve seen on TV: bank vaults, security guards, emergency buttons under the tellers' counter, etc. And you also feel good when you see “FDIC Insured” on your bank’s office or website.
Let’s take the bank analogy further. A bank is a multitenant environment; you store your money there, along with many others. Your bank account is like a public cloud account or subscription. You access and control your bank account over the internet, just like your cloud resources.
Hackers have repeatedly and successfully targeted banks and stolen plenty of money, just as hackers have successfully targeted other online properties. Yet, the vast majority of people trust that banks are secure. But many have doubts about security in the public cloud. As you’ll see throughout this blog post, I contend we all have good reason to trust the public cloud providers — at least as much as we trust our banks.
The important distinction between banks and the public cloud is that if the bank is robbed or hacked, your money will most likely be safe because it’s insured. And, after the robbery, you can go on with life without concern for ongoing harm related to the theft — your account balance is unchanged.
What we store in the public cloud, however, is data. And herein lies the important distinction: Data is much more complex than money. If a hacker steals your data, you can never get back the hacker’s copy of that data. What’s the value of that data? How much harm could be caused by hackers using that data? How many people or customers would be impacted, and for how long? Will your business survive the theft? Those are scary questions, so no wonder people are concerned about cloud security.
It makes sense that people are worried about putting their data in the public cloud. As the surveys mentioned above reported, many people think it’s safer keeping their data on premises in their own data center. But, if your data center isn’t thoroughly locked down, or if your security practices are lax, keeping your data on premises is probably no safer than keeping your life savings under your mattress. Is that where you keep your money?
Common security breaches
It’s worth asking, "What are the most common causes of security breaches?" An authoritative answer can be found in the Open Web Application Security Project (OWASP) Top 10. For the sake of brevity, here’s the top half of the list:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
Or look at a few of the top 6 causes of security incidents from another source:
- Phishing, hacking or malware (31%)
- Employee action or mistake (24%)
- External theft (17%)
We could keep going, but are you seeing anything about the cloud in these lists? The point is, not a single one of the causes of security breaches has anything to do with the cloud. Rather, most of them can quite simply be classified as lax security practices. Either these companies aren’t aware of security best practices or they aren’t diligent in following them.
OK, so let’s take a different tack and focus specifically on the cloud. In an article from CSO about the Cloud Security Alliance’s “Treacherous 12” cloud computing threats, here are the top five from the list:
- Data breaches
- Compromised credentials and broken authentication
- Hacked interfaces and APIs
- Exploited system vulnerabilities
- Account hijacking
To summarize at a high level, the article states that the cloud offers some new potential attack vectors and that if a public cloud were hacked, it could cause serious damage. That’s completely true, and scary.
But I also agree 100% with an InfoWorld article entitled “For Cloud Security, It’s Not the Hackers You Should Fear.” You should fear businesses that don’t take the time and effort to secure their applications, whether they’re in the cloud or not. The point is clear: Wherever you host your applications and data, on premises or in the cloud, you need to follow security best practices in order to protect your data.
Let’s take a closer look at security in the cloud.
Does your data center have physical security measures that are comparable to well-established hosting providers, or to the public cloud providers? Are armed guards at your data center? Does your data center pass all of its physical intrusion tests? Does your company even do physical intrusion tests? Can your employees easily access data within the data center, or is access restricted?
I’ve toured an Azure data center in person, and you can tour one online. The facility was totally locked down and run by a skeleton crew of staff who were very well trained for their respective jobs. They said there were only around 10 to 12 employees there, and the majority were armed security people.
There were only a few employees monitoring the data center infrastructure, and none of them had access to any data stored in the facility. The workers can’t even get access to data unless a customer explicitly grants them access for troubleshooting purposes, and the duration of that access is very short-lived.
Microsoft takes securing data so seriously that they don’t even allow hard disks to leave the facility. Instead they grind them into dust on-site, and only their dusty remains leave the data center.
In short, public cloud data centers are quite secure. But practically speaking, that’s the easy part of securing the public cloud.
Other security factors
Obviously, the public cloud is a massive target for hackers, and it’s a safe bet they’re constantly trying to break in. But lots of sites are getting hacked all the time, so what makes the cloud so special? Is it easier to hack into the public cloud than other sites?
Public cloud providers such as Amazon Web Services (AWS) and Azure invest heavily in securing their respective clouds. Their very existence depends on it. Just imagine the ramifications if there was a security breach in the public cloud whose root cause was lax security by the cloud provider. Such an incident would crush everyone’s confidence in that provider, and there would be a mass exodus. It might even have a ripple effect that would impact other cloud providers as well.
Cloud providers simply must invest heavily in hiring top security talent to secure their clouds. Still, I don’t envy those security experts who are busy securing the public cloud. Talk about a tough job that could keep you awake at night.
If you take a step back and think about it, there are only a few things that make the public cloud a larger attack vector than on-premises or private hosting options.
- One longstanding attack vector is using someone else’s credentials to gain access to various resources on the network. Although that approach is nothing new, the public cloud introduces some new wrinkles. Some companies allow access to their public cloud resources via non-corporate accounts. That means if a hacker steals a user’s personal credentials, those credentials may be sufficient to access corporate cloud resources.
For example, I can log in to some of my clients’ Azure subscriptions using my Microsoft account, which means they’re trusting that I’ll secure my account. That’s why I’ve set up multifactor authentication on my Microsoft account, and why I recommend multifactor authentication to all of my Azure clients. It's also a best practice to follow the least privilege principle, locking down your cloud resources, especially production resources, and any sensitive data.
- Another wrinkle related to stealing someone’s credentials is that users access public cloud resources via well-known public websites and APIs, such as the AWS and Azure portals and their associated APIs. So if a hacker hijacks a user account, the hacker may be very familiar with navigating the cloud portal or using that cloud’s APIs to wreak havoc.
- Still another wrinkle related to stolen credentials: What if someone actually did hijack a public cloud account? He or she would then have the ability to leverage the vast computing resources of the cloud to do his or her bidding.
This happened to one of my clients whose employee checked in his or her credentials to a public repository. An unkind troll wreaked havoc by using those credentials to run a script that stood up a huge number of cloud Virtual Machines (VMs), which was very costly. (Should have used multifactor authentication.) Fortunately, the cloud provider forgave the costs, but the result could have been much worse.
- Another potential security risk has to do with the complexity of cloud computing and the learning curve associated with mastering that complexity. It's critical to have a solid understanding of security-related cloud best practices, but unfortunately, that’s not always the case.
I could share still more examples of some of my clients’ past security woes that were caused by a lack of awareness of cloud security best practices, but those clients have suffered enough already. Just be sure to engage some experts to help with your cloud deployments. Also, the public cloud providers are constantly introducing new features to improve their respective clouds, including security-related improvements. Be sure to stay up to date with your cloud provider’s improvements and take advantage of them.
- Still another potential security risk is related to the fact that all cloud resources run on top of the cloud provider’s hypervisor. A common concern is that a hacker might access a guest VM legitimately and then somehow break out of that VM to directly access the host machine, or the cloud hypervisor.
This is the same concern people have had for years with technologies such as Hyper-V, VMware and Docker. In the end, however, this is simply out of our control, and we must all rely on our cloud providers to prevent such a breach.
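The stolen-credential incident in the list above, where a script stood up a huge number of VMs, is the kind of activity that shows up in a cloud activity log as one identity creating far more VMs than usual in a short time. The following is an added example, not code from the original article: the record fields (time, principal, operation), the 10-minute window and the threshold of 20 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_events():
    """Constructed sample records. The field names are hypothetical and are
    not any cloud provider's real activity-log schema."""
    base = datetime(2024, 1, 1, 3, 0, 0)
    events = [  # normal automation: one VM per hour
        {"time": base + timedelta(hours=h), "principal": "ci-deployer",
         "operation": "vm.create"} for h in range(3)
    ]
    events += [  # burst: 40 VMs in a little over three minutes
        {"time": base + timedelta(seconds=5 * i), "principal": "dev-alice",
         "operation": "vm.create"} for i in range(40)
    ]
    events.append({"time": base, "principal": "dev-alice",
                   "operation": "vm.delete"})  # unrelated operation, ignored
    return events


def find_vm_creation_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Return {principal: (first_alert_time, peak_count)} for every principal
    that created more than `threshold` VMs inside any sliding `window`."""
    recent = defaultdict(deque)  # principal -> creation times still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["operation"] != "vm.create":
            continue
        times = recent[ev["principal"]]
        times.append(ev["time"])
        # Drop creations that have aged out of the window.
        while ev["time"] - times[0] > window:
            times.popleft()
        if len(times) > threshold:
            first, peak = alerts.get(ev["principal"], (ev["time"], 0))
            alerts[ev["principal"]] = (first, max(peak, len(times)))
    return alerts


if __name__ == "__main__":
    for who, (when, peak) in find_vm_creation_bursts(sample_events()).items():
        print(f"ALERT {who}: {peak} VM creations within 10 min, first at {when}")
```

In practice the threshold would be tuned per identity, and the alert paired with spending limits or quotas so a burst is capped as well as detected.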
For a more complete perspective, let’s contrast those potential attack vectors with some areas where the cloud providers try hard to reduce security risks.
- It’s well-known that unpatched servers are a common attack vector, and the cloud can help here. Some cloud providers, such as Azure, keep their host machines up to date with the latest security patches. Also, most guest VMs are configured by default to install security patches automatically. But you should really orchestrate patching your guest VMs on your own, using tools such as Windows Server Update Services (WSUS).
- Most cloud providers allow you to lock down your resources much like you would on premises, with virtual networks, subnets, IP ranges, policies, ports, etc. Some also offer third-party virtual appliances like you'd use on premises, such as Cisco, F5 and Palo Alto.
- Some cloud providers offer easy access to third-party security services, such as virus scanners, Distributed Denial of Service (DDoS) protection, etc. There may be additional costs with these services, but they're often very easy to add to your VMs.
- I've repeatedly mentioned how important it is to follow security-related best practices in the cloud. To help you with that, cloud providers such as AWS and Azure have websites that document in detail how to secure your cloud resources. For example, AWS offers its cloud security site, and Azure offers its Trust Center.
- Some cloud providers even offer more proactive services that encourage cloud security best practices by scanning your cloud resources for weaknesses, suggesting improvements, detecting issues and suggesting remediations. For example, Azure offers its Security Center, which does all of the aforementioned.
When all is said and done, your cloud resources will only be secure if both you and your cloud provider follow all security-related best practices. The cloud provider must secure its data centers, its cloud infrastructure, its cloud fabric, and its cloud services and APIs. On top of that, you must secure your cloud networking, storage, compute resources, applications, data and identity. If you both do your part, you’ll make it tough for the hackers.
So do your part. Read your cloud provider’s security recommendations and follow them. Use the tools and technologies available to you to secure your cloud resources. Secure your user accounts with multifactor authentication. Lock down your networks, subnets and ports, and leverage firewalls. Grant minimal access to cloud resources, etc. Bring in experts to help you migrate to the cloud, or to review your cloud implementation. In short, take the time and effort and spend the money to protect your data and avoid becoming the next hack.
Cloud security remains a hot topic and a big concern for those considering a move to the cloud. And so the question remains: “Will we really be secure in the cloud?” The answer is it all depends on you. From a security perspective, deploying your applications to the cloud is no riskier than deploying them on premises. You just need to follow all of your cloud provider’s best practices, and then you can safely enjoy all of the advantages of moving to the cloud.