Frequently Asked Questions
Cloud security refers to the measures that organizations take as they integrate the public cloud more into their business operations. At a rudimentary level, cloud security is concerned with securing data both in transit across networks and while stored in data centers, then, further securing access controls to that data.
No one solution that can wholly protect systems against all cyber threats, and as organizational networks become more virtualized and dependent on the public Internet, so too will the threat surface increase. Companies that deploy to the cloud face three main risks:
Data Exposure
Data exposure is heightened in the cloud today, as companies are relying more on the public Internet to access services and communicate between distributed systems. Data exposures stem from breaches of confidentiality, integrity, or availability, resulting in unauthorized or accidental access, alteration, or loss of sensitive data. These forms of exposure may result from malicious actors, however, misconfigurations can do as much damage by leaving open doors to the system, or incorrectly serving unauthorized user’s information from wrongly linked databases.
Unauthorized or Over-authorized Users
Unauthorized or over-authorized users can stem from many issues, including poorly configured systems, and malicious actors. Cybersecurity measures must be taken against malicious actors, but adhering to the Least Privilege cloud security principle is one way to stave off poor security designs. The Least Privilege principle states that users should be given the minimum permission necessary to do their jobs. Configure permissions accordingly.
Malicious Actors
Malicious actors are the boogie men of cloud security. While it is never pleasant to have an unauthorized guest plunder company data stores, to be targeted by hackers means they value the data inside enough to put their resources toward getting it. This is in contrast to suffering from weak configurations that happen to open up the system to passersbys
Hackers sometimes deploy sophisticated cybersecurity attacks to gain access to high-value targets that can be worth millions.
- DoS or DDoS Attack — Characteristically a brute force assault, Denial of Service (DoS) attacks aim at reducing or crippling the servers and services under attack, while Distributed Denial of Service (DDoS) attack uses multiple computers at the same time to each launch DoS attacks against a target or set of targets for a multiplier effect. These attacks are perpetrated for several reasons, the least of which is to cause annoyance. More resolute hackers have found that DoS attacks can open up opportunities to penetrate the target in other ways, gaining access to sensitive, valued data. When they’re large enough, these kinds of attacks can have dramatic financial and political ramifications. DoS attacks are brute force strategies requiring resources to sustain until the system under attack collapses.
- Man-in-the-Middle (MitM) Attack — Man-in-the-Middle attacks are sly methods by hackers to step in-between client and server communications and obtain controls reserved for trusted entities. Hackers can use session hijacking to obtain a client’s IP address after it has initiated a session with a server (the hacker had previously infiltrated the client via malware or other methods), and then quickly assume the client IP and controls, and then simply discarding the client, ultimately gaining access to the server. IP spoofing also attempts to gain access—instead of infiltrating a client, the hacker simply sends an access request with a fake IP address in hopes that it will be granted. Another similar method is replay attacks, a hacker will attempt to impersonate a trusted system by sending older, intercepted messages. MitM attacks are sophisticated, and require the use of multiple technologies to triangulate vulnerabilities.
- Phishing Attack — Phishing attacks are attempts on users rather than systems by impersonating trusted sources to coax sensitive information out of a person. A common method is email impersonation—a hacker will send a legitimate-looking email asking to follow a link to a seemingly reputable website, and in the process capture sensitive information or load malware. Hackers won’t stop there if the data to be captured is valuable enough. Even more, targeted is spear phishing, where hackers perform due diligence on their mark to create a stronger illusion of credibility. The target may receive emails with doctored headers that look real and be presented with fully functional websites that represent reputable brands. Phishing attacks rely on social psychology and technology, making them very sophisticated and difficult to automate.
- Malware Attack — Malware, or malicious software, is software, non-consentingly installed on computer systems, that perform malicious tasks by stealing data, replicating, propagating, hiding, lurking, or destroying files. Malware encompasses many feared agents: Trojans, Worms, Macro Viruses, File Infectors, Boot Record Infectors, Polymorphic Viruses, Stealth Viruses, Logic Bombs, Droppers, and Ransomware. In combination with other attacks, malware is used to steal passwords, data, and wreak havoc on systems, some of the most notorious malwares have been very small in size belying their impact, like the Sasser worm, only 15.8 KB, causing an estimated $18.1 billion in damages.
In the cloud, providers and consumers act more like partners rather than vendors and buyers, in this way, they share responsibility for security. Because it is fair that a CSP should give their best effort to secure their client’s data, they are responsible for data inside their domain and potentially how it is encrypted leaving its domain. But that effort does have a limit, which typically begins where the client’s systems start. This is the premise of shared responsibility.
Shared responsibility encompasses both cloud management and security. For each cloud service, a certain level of responsibility falls on the vendor, and a certain amount falls on the consumer. The Center for Internet Security models such a shared responsibility agreement.
(Source: Center for Internet Security, Shared Responsibility for Cloud Security: What You Need to Know )
Cloud security architectures are the designs and blueprints of how an organization will implement and manage its cloud security.
- Data Security — Data security addresses security measures that protect data traversing a network, and when that data comes to rest in storage. Several controls can be deployed in security data, including encryption, public key infrastructure, deployment of encryption and tunneling protocols, use of block and streaming ciphers, and using granular storage resource controls.
- Network Security — While data can be encrypted before transit, network security is concerned with controls on the pathways between systems. Companies can deploy several network/security controls to further protect their systems, including network segmentation, firewalls, DDoS protection, packet capture, intrusion prevention/detection systems (IPS/IDS), packet brokers, network access controls (NAC), and APIs.
- Endpoint Protection — Endpoints provide logical places for security measures, like bouncers at clubs. These measures include host-based firewalls screen received data (standard firewalls are usually Internet, perimeter defenses), antivirus/anti-malware software, endpoint detection and response (EDR) systems provide real-time awareness, use of data loss and prevention (DLP) systems to enforce data flows, harden systems, blacklist and whitelist applications.
- Access Control — Access controls ensure those privileges are granted only to those who need them. Poor access control management can lead to difficulty to prevent threat opportunities. Consider these measures: identification, authentication, and authorization systems; multi-factor authentication, or single sign-on (SSO).
Cloud security is paramount for organizations dealing in sensitive data. When data is breached, compliance and client protection can devastate a company’s prospects faster than many technical blunders. Besides the routine benefits of security, the following are several additional benefits.
- Centralized Security — Cloud security can centralize protection, bringing a holistic sense of the entirety, protecting the company from malicious actors, uncovering shadow IT, and optimizing performance.
- Reduced Costs — Securing data in the cloud can reduce capital costs, and turn them into operational costs, effectively reducing them to a line item.
- Reduced Administration — CSP reduces company administration load the same way they reduce costs, by offloading those tasks from clients. Now, staff can be utilized more effectively.
- Reliability — Cloud service providers offer their consumers virtually unlimited resources, with guaranteed uptimes.
The landscape that cloud deployments operate in is accelerating in complexity as innovative technologies vie for resources. Technologies like the Internet of Things are adding millions of new devices, and more companies are moving their IT support to the cloud. Given this backdrop, companies are challenged to manage this complexity and gain greater visibility and insights into their cloud networks.
Manage Intensifying Cloud Complexity
Cloud deployments cannot be secured the same way that on-premises infrastructures are. Creating cohesive security must grapple with the fact that in the cloud data exposure is the norm, and that it should be assumed that someone is always listening. Coupled with a thorough security risk assessment, one that highlights how company data will flow across systems, cloud complexity can be mitigated.
Gain Greater Cloud Network Visibility
Network visibility is more challenging today because of virtualization, and distributed system complexities. Data centers can be in different geographic locations, and data can traverse multiple fabrics, all complicating how networking data is retrieved and analyzed. Today, sophisticated network monitoring platforms can replace the myriad of networking tools that companies use to produce visual analytics of their networks.
Companies securing their part of cloud operations need to consider four areas of concern, how the cloud security approach is designed, how security will be implemented and governed, how to protect the property and data, and how to respond when attacks are successful.
- Cloud Security Engineering — Cloud security engineering attempts to design and develop systems that protect the reliability, integrity, usability, and safety of cloud data, and protect users legitimately accessing those systems. In this pursuit, engineers deploy layered security, protection against availability attacks (e.g. DDoS, ping of death, etc.), least privilege security principles, separation of duties, and security automation.
- Security Governance — Technology is not enough to prevent attacks, or secure data, which affect security governance is a company culture must. Practices to consider are: developing company-wide security policies, documenting security procedures, performing routine assessments and audits, developing account management policies, leveraging industry standards, using platform-specific security standards, assigning roles and responsibilities, keeping software tools up to date, and classifying data.
- Vulnerability Management — More than ever, vulnerability testing and management are necessary. The cloud has stretched the threat surface, so that extensive testing methods need to be explored, including black-box, gray-box, and white-box testing. A constant vulnerability scanning must be diligently adhered to, which reveals weaknesses in configurations, or application design. Many of these tasks can be automated.
- Incident Response — Incident response covers when a cybersecurity incident occurs. The event happens, the damage is done, and now the company must mitigate the damage and respond and fix the issue. Contrary to the name, incident response is best prepared beforehand through contingencies and self-healing systems. These contingencies need to respond to different incident types, internal vs external, whether it is a data breach, criminal act, denial of service, or malware attempt.