Surviving the cloud security minefield
Moving to the cloud can seem like a security minefield, but it may actually be more secure, according to Bernie Bengler, Kaspersky Lab Asia-Pacific director of cloud services/software as a service.
(Military Starling on Mine Field Fencepost image by Chris Pearson, CC2.0)
According to Bengler, analysts — whether they are from Gartner, IDC or Forrester — all state that security is one of the biggest concerns for businesses when it comes to cloud, and that security in the cloud can be significantly higher than if done on-premise by the business. Meanwhile, CIOs think twice before moving important information to the cloud.
"The question is what's wrong here? Do the analysts not get it, or do the CIOs miss something?"
Bengler stated that CIOs should consider the additional security benefits that cloud services might bring over building traditional systems.
In terms of security basics, he pointed to how cloud providers have to stay up to date with patching their systems if they wanted to stay in business.
"If a cloud provider has patch management and stuff under control, it will be very essential for his business. That differentiates ... the very good cloud provider from the ones that have room for improvement."
But trusting a provider to keep patches up to date isn't the only advantage. In the case of public clouds, Bengler said that any temporary stopgaps to prevent zero-day vulnerabilities — those that are exploited before a patch has been developed — can be applied by a provider to protect all of its clients. In effect, a zero-day incident affecting one customer could bring immunity benefits to everyone else before they are affected.
That didn't necessarily mean that businesses wanted highly targeted customers being served by the same cloud provider. Bengler said that knowing who your "neighbours" were in the same datacentre would be beneficial to avoid any collateral damage that might occur from an attack on them.
"You could be a victim of an assault just because of the fact that you were in the wrong spot at the wrong time."
However, it is unlikely that this is an issue that businesses could ever plan for or address. Datacentre operators typically maintain strict confidentiality over who the majority of their customers are, and they are often unaware of what their customers may be doing.
"I've raised this question on different occasions and ... I saw interested eyes, but I did not get any answers. I've contacted datacentre providers as well to see their approach and how they want to fix that. You could probably force datacentre providers ... to ensure through a contract that if any suspicious or exposed client moves in that they get your approval."
ZDNet Australia's inquiries to several prominent Australian datacentre providers regarding the effect of client confidentiality on the overall security of customers has historically been met with silence or off-the-record discussions to avoid the possibility of becoming a target for cyber attacks.
Pure Hacking chief technical officer, Ty Miller, also agreed that this may be an issue, which in some cases will never be solved and that businesses would simply have to trust their chosen cloud provider.
"There are major issues with not fully understanding who is also in your cloud environment. There are considerations of ethics, safety, security and there is nothing that you can do about this in some instances.
"The associated risk will depend upon the security controls in place, and the type of cloud service that has been purchased. For cloud-based hosting, an attacker is able to purchase a virtual host within the hosting provider environment. If your systems are hosted on a shared virtual server or within a virtual environment with insecure network access controls, then the attacker is able to start directly attacking your system behind the firewall.
"More advanced attacks include exploiting 'hypervisor' vulnerabilities that allow an attacker to read shared memory between virtual machines, or break through to the underlying host operating system to gain full access to all virtual machines," said Miller.
But, according to Miller, moving infrastructure physically off premises can also help guard against internally initiated incidents.
"The physically closer you are to your target, the more control over its environment you have. This is why internal security attacks can be so devastating," Miller said.
"The only solution to this type of malicious attack is to undertake internal penetration tests with a third party posing as a disgruntled employee. Usually within 24 hours the entire corporate network and systems can be compromised."
However, organisations often don't have a choice as to whether they moved to the cloud or not, especially those that have smaller IT departments, if one at all, or lack the capital to invest in their own infrastructure.
"If I am a start-up and I have a brilliant idea, or a breathtaking, world-changing, Steve Jobs type of product ... I probably have no other choice to move to the cloud just because of savings in capital expenses. That could basically balance or shift your pros and cons. With [a start-up] business I'm taking a risk anyway, so why not move it into cloud and make it faster?"
For organisations that want to take it slowly and have the luxury of moving parts of their business to the cloud, Bengler said that first moving infrastructure like web and email communications is a good trial.
Miller agreed that the need to scope exactly what is going to the cloud is a key step for organisations.
"If you are considering moving applications and services to the cloud, the first step would be to identify and then move non-sensitive systems to the cloud hosting environment. This will be dependent on the type of organisation that you are," Miller said.
"For example, one organisation's CRM system may not be considered sensitive and therefore is suited to the cloud environment; however, another ... organisation may consider its CRM data to be highly valuable and therefore not suitable for the cloud."
Things like file storage, though, are more complex and have more challenges as it is not as easy to reverse the process, according to Bengler. Such complexities included considering the risk that the organisation has attached to the data.
"If I look at myself, am I using online storage? No I don't. It probably comes with the industry that I work in that you're extra paranoid. But am I using the cloud? Of course," Bengler said.
Miller agreed that storage considerations depended on their environment.
"Some organisations may believe that their file system or database contains no sensitive information, but a government department may consider its data to be highly sensitive and confidential."
"Moving systems that store confidential or sensitive data, including encrypted credit card details, carries an increased element of risk. Over the last year we have seen a number of hosting providers compromised, which allows an attacker to gain full control over other organisation's systems and data. This includes the ability to actually download a copy of your virtual servers to attack or analyse offline."