With more businesses realizing the benefits of cloud adoption, demand for cloud services keeps growing and diversifying. As you extend your product and service offering to meet that demand, securing the cloud becomes harder. Cybercriminals have proven time and again how good they are at breaking into company cloud networks and leaking confidential information. Does the recent Ashley Madison hack ring a bell?
As a cloud service provider, when you develop a cloud service and integrate it with your customers’ infrastructure, you need to make sure you don’t open it up to attackers. Whether your cloud service is file sharing and storage, an advertising content delivery network, an online payment service or a virtualized environment, it is only as secure as its weakest link. It is up to you to identify the weak links in your own service and strengthen them, but other weak links may lie outside your infrastructure. Those can affect the security of your customer’s cloud and, depending on your deployment model, your own or other customers’ as well.
In this context, weak links translate into cloud-specific threats and vulnerabilities affecting an infrastructure, system or application, and generic threats that are not caused by cloud computing but can still have an impact on it, for example malicious insiders or malware infections on employee computers connected to a company cloud network. Together, they make securing the cloud a daunting task.
Why does this distinction matter? Because lumping all threats together can leave IT leaders confused about who is responsible for securing the cloud. So in this article we look at the most prevalent cloud-specific threats and vulnerabilities and at generic ones separately, and at ways to secure the cloud against each.
Cloud-specific security threats
In general, cloud-specific threats stem from shared or vulnerable pieces of the cloud infrastructure. The most prevalent, and among the most dangerous, are:
1. Hypervisor vulnerabilities.
Every day we hear about vulnerabilities in popular software and operating systems such as Adobe Flash Player and Windows. Their widespread use makes them ideal targets for attackers. As virtualized environments become widespread, attackers are taking an interest in them as well.
Consider a virtualized environment: at the bottom layer is the hardware (the host machine); on top of it, in the middle layer, the hypervisor runs multiple virtual machines (guests), which in turn run the applications at the top layer. Because the hypervisor sits between the host hardware and the virtual machines and is the control point for the whole virtualized platform, it is also the attacker’s main target: a flaw there can undermine the isolation every guest relies on.
Although hypervisors provide a certain level of security through isolation, they can themselves be vulnerable. Last year, Bitdefender researcher Andrei Vlad Lutas found two vulnerabilities in the Xen hypervisor, more specifically in its x86 instruction emulator, which also affected products built on Xen, such as XenServer (tested on XenServer 6.2, build date 2013-10-15, build number 75966c), XenClient (tested on XenClient 5.1.3), XenClient XT (tested on XenClient XT 3.2.2 Trial, build 132629) and Amazon’s Xen-based cloud. The vulnerabilities allowed denial of service and elevation of privilege inside the guest machines, that is, unprivileged code in a guest gaining guest-kernel privileges. They were not a guest-to-host escape, but a flaw in a component every guest can reach shows how thin the boundary is.
“I would like to take this opportunity to commend the Xen team, who have acted very fast to patch the flaws”, said Lutas upon releasing his whitepaper describing the two flaws.
While the Xen team’s immediate response is indeed commendable, it should also be viewed as a best practice: collaborate with outside researchers to improve the security of your service, and patch fast when they report something.
The issue remains, though: with large attack surfaces and many entry points (the instruction emulator above being just one of them), hypervisors are difficult to secure. One can say that a cloud is only as secure as the hypervisors supporting its virtual machines.
2. Shared resources.
In a shared cloud environment, the resources (storage, RAM, CPU) are owned, deployed, monitored and managed by one cloud service provider but shared by multiple companies with different requirements and security practices. The benefits are clear, cost reduction and scalability, but the shared environment carries high risks as well: co-mingled data, inadequate client separation controls, even cross-VM attacks. For example, several clients may share the same database or web servers, and their data may be stored and backed up together. If the provider does not build strong logical separation between one client’s users and another’s, some clients may gain visibility into others’ data. And if one client’s host machines are compromised through missing patches or hardening, attackers can take over the shared virtual machines and extend their reach to other clients.
Proper logical separation between clients is mandatory. So is coordination on patching and configuration changes, which calls for more transparency between providers and clients.
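To make the separation requirement concrete, here is an added example (not code from the original article) of a shared database holding several tenants’ rows. The table, the tenant names and the TenantRepository class are assumptions made for illustration. The unscoped query shows the co-mingling problem; the repository forces every statement to carry the tenant taken from the authenticated session, including lookups by id, where a missing tenant predicate would let one client read a neighbour’s row by guessing identifiers.

```python
"""Tenant scoping in a shared (multi-tenant) database.

Added example, not code from the original article. It uses an in-memory
SQLite database and constructed sample rows; the table, column names and
the TenantRepository class are assumptions made for illustration.
"""
from __future__ import annotations

import sqlite3


def build_shared_db() -> sqlite3.Connection:
    """Create one 'documents' table that holds rows for several tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    # Constructed sample data: three tenants share the same table.
    conn.executemany(
        "INSERT INTO documents (tenant_id, title) VALUES (?, ?)",
        [("acme", "acme budget 2015"), ("acme", "acme sales forecast"),
         ("globex", "globex payroll"), ("initech", "initech TPS report")],
    )
    return conn


def list_documents_unscoped(conn: sqlite3.Connection, title_filter: str) -> list[str]:
    """Co-mingled data: no tenant predicate, so whoever calls this sees every
    tenant's rows. This is the 'inadequate client separation' case."""
    rows = conn.execute(
        "SELECT title FROM documents WHERE title LIKE ? ORDER BY id",
        (f"%{title_filter}%",),
    )
    return [r[0] for r in rows]


class TenantRepository:
    """All data access goes through this class, and every statement carries the
    caller's tenant_id. The tenant_id must come from the authenticated session,
    never from a request parameter the user controls."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def list_documents(self, title_filter: str = "") -> list[str]:
        rows = self._conn.execute(
            "SELECT title FROM documents"
            " WHERE tenant_id = ? AND title LIKE ? ORDER BY id",
            (self._tenant_id, f"%{title_filter}%"),
        )
        return [r[0] for r in rows]

    def get_document(self, doc_id: int) -> str | None:
        """Object-level check: filtering by id alone would let a tenant read a
        neighbour's row by guessing ids, so the tenant predicate is mandatory."""
        row = self._conn.execute(
            "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    db = build_shared_db()
    print(list_documents_unscoped(db, ""))   # every tenant's rows leak
    acme = TenantRepository(db, "acme")
    print(acme.list_documents())             # acme rows only
    print(acme.get_document(3))              # None: row 3 belongs to globex
```

The same rule can be pushed down into the database itself (row-level security policies keyed on the session’s tenant, or one schema or database per tenant) so that a forgotten WHERE clause in application code cannot leak rows on its own.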
3. Insecure application programming interfaces (APIs).
Cloud users connect to, interact with and manage a cloud service through APIs. Weaknesses in these interfaces, such as insufficient authentication, unencrypted transport or username enumeration, give attackers ways into user accounts. From there they can move into a website or a cloud network and carry out malicious activity. For example, in the 2014 incident dubbed the ‘Snappening’, private Snapchat photos leaked after a third-party service that had been saving users’ snaps through Snapchat’s API was breached; Snapchat said its own servers were not compromised, but the API it exposed to such apps was the path the data took.
Clearly, these interfaces must be protected from unauthorized access with strong authentication and access controls, encryption in transit and activity monitoring. Cloud service providers need to pay more attention to APIs and build a security model for them from the earliest development stages. Insecure API implementations may also result in XSS or SQL injection vulnerabilities. Since these are widespread and can have a major impact, they deserve their own place in this list, so we treat them separately below.
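Username enumeration, one of the API weaknesses named above, is easy to introduce and easy to miss in review. The following added example (not code from the original article) shows a login handler that leaks which usernames exist through different responses and a fast path for unknown users, beside a version that returns the same status, the same message and does the same amount of hashing work either way. The user store, the credentials and the (status, message) response shape are constructed for illustration.

```python
"""Username enumeration through a login API, and a non-enumerating version.

Added example, not code from the original article. The user store, the
credentials and the (status, message) response shape are constructed for
illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; fixed so every check costs the same


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash).
_ALICE_SALT = os.urandom(16)
USERS: dict[str, tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, hash_password("correct horse battery", _ALICE_SALT)),
}

# A dummy credential that is verified for unknown usernames, so the response
# time does not reveal whether a username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)


def login_enumerable(username: str, password: str) -> tuple[int, str]:
    """Leaky version: distinct status codes and messages for 'no such user'
    and 'bad password', plus a fast path that skips hashing for unknown users.
    An attacker can confirm valid usernames before ever guessing a password."""
    record = USERS.get(username)
    if record is None:
        return 404, "unknown user"
    salt, stored = record
    if hash_password(password, salt) == stored:  # also a non-constant-time compare
        return 200, "ok"
    return 401, "wrong password"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, same message and the same hashing work whether the
    username exists or not; the hash comparison is constant-time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, stored):
        return 200, "ok"
    return 401, "invalid username or password"


def probe_usernames(login, candidates: list[str]) -> list[str]:
    """Attacker's view: compare each candidate's response with the response for
    a username that certainly does not exist; any difference confirms a user."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), "x")
    return [u for u in candidates if login(u, "x") != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print(probe_usernames(login_enumerable, names))  # ['alice']: leaked
    print(probe_usernames(login_hardened, names))    # []: nothing to learn
```

The same discipline applies to registration and password-reset endpoints, which commonly answer “that e-mail is already registered”; uniform responses, per-source rate limiting and TLS on every API call close the three weaknesses the paragraph lists.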
4. Cross-site scripting (XSS) vulnerabilities.
Just recently, Bitdefender researchers found a stored XSS vulnerability in the PayPal online payment service which could have allowed attackers to upload maliciously crafted files and use them to attack PayPal customers. According to the researchers, the problem lay in the way PayPal processed and encrypted the URLs that pull uploaded files. PayPal fixed the issue following Bitdefender’s responsible disclosure, but the example shows, like the Xen findings above, that such flaws turn up even in mature, well-resourced services. For ways to prevent XSS vulnerabilities, refer to OWASP’s XSS Prevention Cheat Sheet.
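Stored XSS through file uploads usually comes down to where the stored value is written back into the page. The following added example (not the original article’s code and not PayPal’s) renders an attacker-chosen file name into a link three ways: raw, with only the element body escaped, and with each context encoded as the OWASP cheat sheet recommends. The page fragment, the file name and the payload are constructed for illustration; the parser-based check at the end counts how many elements besides the intended link survive into the markup.

```python
"""Stored XSS via an uploaded file's name, and context-aware output encoding.

Added example, not the original article's code and not PayPal's. The page
fragment, the file name and the payload are constructed for illustration.
"""
from __future__ import annotations

from html import escape
from html.parser import HTMLParser
from urllib.parse import quote as url_quote

# Constructed attacker-controlled file name, as stored by an upload feature.
# It closes the attribute it lands in and injects an element with a handler.
EVIL_NAME = '"><img src=x onerror="alert(document.cookie)">report.pdf'


def render_unsafe(filename: str) -> str:
    """Vulnerable: the stored name is interpolated raw into a URL attribute,
    a plain attribute and the element body."""
    return f'<a href="/files/{filename}" title="{filename}">{filename}</a>'


def render_body_only(filename: str) -> str:
    """Half fix: escapes the element body but not the attributes, so the
    attribute-breakout payload still injects its <img> tags."""
    return (f'<a href="/files/{filename}" title="{filename}">'
            f'{escape(filename, quote=False)}</a>')


def render_safe(filename: str) -> str:
    """Encode for each context: the URL path segment is percent-encoded, and
    both attribute values and the body are HTML-escaped with quotes encoded."""
    path = url_quote(filename, safe="")  # %22%3E%3Cimg... : stays a path segment
    return (f'<a href="/files/{escape(path, quote=True)}" '
            f'title="{escape(filename, quote=True)}">'
            f'{escape(filename, quote=True)}</a>')


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(markup: str) -> list[str]:
    """Parse the fragment the way a browser would and return every element that
    is not the single intended <a>; anything listed was injected."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.tags if t != "a"]


if __name__ == "__main__":
    for render in (render_unsafe, render_body_only, render_safe):
        print(render.__name__, injected_tags(render(EVIL_NAME)))
```

The half fix is the realistic failure mode: a template that escapes text nodes by default but lets developers drop values into attributes or URLs unescaped. A Content Security Policy that blocks inline event handlers limits the damage when an encoding mistake does slip through, but it is a second layer, not a substitute.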
5. SQL injection flaws.
Like XSS, SQL injection flaws are widespread and enable a very dangerous form of attack. Essentially, an attacker finds a part of a website that talks to a database and alters the command passed through it to gain unauthorized access and read, corrupt or even destroy database contents. Login forms are a frequent target because they query the user table directly.
Because the target is so attractive, a database holding the website’s important data, SQL injection is a very popular form of service exploit. As OWASP points out, SQL injection flaws are easy to detect and exploit, but also easy to avoid, as described in its SQL Injection Prevention Cheat Sheet: use parameterized queries and never build SQL from user input by string concatenation.
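The login-form case described above, as an added example that is not code from the original article: the vulnerable functions build SQL by string formatting, so a username of `admin'--` closes the quoted string and comments out the password check, and a UNION payload on a read endpoint pulls the password hashes out of the table. The parameterized versions send the same inputs as bound values, which the driver never parses as SQL. The schema, the single account and the payloads are constructed for illustration, and a real system would store a salted slow hash rather than the placeholder string used here.

```python
"""SQL injection in a login check, and the parameterized fix.

Added example, not code from the original article. The schema, the single
account and the payloads are constructed for illustration; a real system
would store a salted slow hash, not the placeholder string used here.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-secret')")  # constructed
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Builds the statement by string formatting, so quote characters in the
    input become part of the SQL. A username of  admin'--  closes the string
    and comments out the password check; the WHERE clause then always matches."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Same flaw on a read endpoint: a UNION payload pulls other columns out,
    which is how injected queries are used to steal database contents."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Placeholders send the values separately from the statement text; the
    driver never parses them as SQL, whatever characters they contain."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row is not None


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    return [r[0] for r in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


BYPASS = "admin'--"
EXFIL = "x' UNION SELECT password_hash FROM users--"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, BYPASS, "anything"))      # True: logged in as admin
    print(login_parameterized(db, BYPASS, "anything"))   # False: no such user
    print(lookup_vulnerable(db, EXFIL))                  # ['hash-of-secret']
    print(lookup_parameterized(db, EXFIL))               # []
```

Binding parameters is the cheat sheet’s primary defense. Least-privilege database accounts (the web application’s login should not be able to DROP tables) and input allow-listing for the few places where identifiers or sort columns must be chosen dynamically are the supporting layers.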
6. Denial of Service/Distributed Denial of Service (DoS/DDoS) Attacks.
This threat is as old as the hills. And yet, because it is so effective at disrupting online services, it continues to proliferate. In a recent report, Verisign said it mitigated more DDoS attacks in Q1 2015 than in any quarter of 2014, seven percent more than in Q4 2014. The most frequently targeted industry in Q1 2015 was IT Services/Cloud/SaaS, accounting for more than a third of all mitigation activity. Akamai Technologies also reported an increase in DDoS attacks in Q1 2015, noting that attackers often used the Simple Service Discovery Protocol (SSDP), which accounted for more than 20 percent of the attack vectors seen in the period. DoS/DDoS attacks vary in vector and method, from flooding origin servers with bogus traffic to exploiting vulnerabilities in the target system or service, but the aim is the same: make online services slow down or fall over.
Since this threat can target any cloud service or website, both cloud service providers and their customers need to be prepared for it, which means multi-layered protection from the endpoint to the company network to the cloud. That leads us to the generic threats that affect not only cloud environments but traditional IT infrastructures as well.
In 2013 and 2014, no industry was spared data breaches, from retail to healthcare to entertainment. As press reports showed, the main enablers of most of them were weak authentication on network servers and poor security practices and employee education, which in some cases allowed malware into corporate networks. The consequences were major data leaks, from payment card data in the Target and Home Depot cases to confidential company information such as sales projections and budgets in the Sony case.
Generic threats such as phishing, spear phishing, malware exploiting vulnerabilities in the browsers and tools employees use, or plain poor password practices let an attacker hijack user accounts, steal credentials and gain unauthorized access to servers. Malicious insiders can also enable unauthorized access, and they appear to be a growing threat within organizations.
More often than not, the weakest link in a cloud service is its weakest line of code. At the same time, poor security practices on the client side can compromise entire IT infrastructures. As computing borders grow more porous, an attack on a company using a cloud service can quickly propagate to the provider’s infrastructure as well.
On the one hand, as a cloud service provider, it is your job to make sure your service is secure, and regular audits help keep it that way. Look at your offerings, see where they fall short on security and add the missing features. These features can themselves be cloud-based, saving implementation time and maintenance and letting you offer them as an extra service to your customers; a URL scanner that checks for malicious URLs or IP addresses is one example.
On the other hand, organizations running their business in the cloud have to set up internal risk mitigation rules and processes covering password management, identity fraud, device loss and theft, data encryption, device access over secure networks and employee education. These measures should ensure that bad employee practices, the malicious insider or the cloud provider’s infrastructure do not compromise the business, and they should enable early detection and containment of threats.
Securing the cloud is a complex task that requires close collaboration between cloud service providers, their customers and, depending on the service, related third parties. Security audits that draw on expertise from across the security industry, and more transparency between cloud users and providers, may prove key to accomplishing it. That said, how well are you securing the cloud?