In the early years of computing, security was relatively simple and primarily involved restricting physical access to infrastructure. Mainframes were guarded behind locked doors, and keys were only given to trusted personnel. The introduction of computer networks and the internet meant that additional measures were needed to prevent intrusion and secure IT infrastructure. Most threats could still be contained through appropriate access control and properly configured network firewall devices. The advent of virtualisation and cloud computing has eliminated physical bonds between users and IT infrastructure, leading to an entirely new set of IT security challenges for the enterprise. The Cloud Security Alliance, an industry group promoting cloud computing security best practices and standards, has identified seven areas of security risk impacting cloud environments.
Cloud service abuse
For commercial reasons, infrastructure-as-a-service (IaaS) providers typically make it easy for users to register and begin using cloud services immediately. These cloud services providers are active targets for cybercriminals conducting nefarious activities such as spamming and malware distribution, due in part to relatively weak registration systems and limited fraud-detection capabilities. This type of threat can be remediated through stringent initial registration and validation processes, fraud monitoring, and subsequent authentication of clients accessing the service.
Fundamental tenets of modern software architecture, application programming interfaces (APIs) are widely used to expose, consume, or aggregate cloud services. All major cloud ecosystems provide client APIs that facilitate the creation and destruction of virtual machines (VMs), orchestration and integration, and management of storage, networking, and access control policies. These interfaces form important application-layer control points for protecting against data loss, threat protection, and other content-delivered attacks. A combination of on-premises edge API gateways and cloud-delivered API portals are emerging design patterns for enterprise control and enforcement.
Cloud technology is capable of providing virtual infrastructure for multiple tenants, whether those tenants are business groups within the same organisation or completely different entities. Some of the underlying hardware resources such as CPU caches, graphics processing units (GPUs), disk partitions, and system memory were not originally designed for strong compartmentalisation. There are concerns that attackers can gain unauthorised access and control of the underlying platform with software-only isolation mechanisms, despite the presence of a virtualisation hypervisor to mediate access between guest operating systems and physical resources. Compromise of the hypervisor layer opens the potential for compromise of all of the shared physical resources of the server, as well as virtual machines running on that server. Intel has been developing hardware-assisted security technologies in its CPUs to combat and mitigate the risk of multi-tenancy attacks.
Protecting corporate data can be a difficult task, given the number of ways it can be compromised. Confidential and commercially sensitive information such as customer, employee, or financial records must be carefully isolated and protected from unauthorised access. In a broader scope, data can also be maliciously deleted or altered, either intentionally or inadvertently. Loss of data not only impacts business operations, but can also damage corporate reputation, reduce customer and employee trust, and incur regulatory compliance consequences.
Social engineering attacks such as phishing and identity fraud are becoming increasingly prevalent and sophisticated. Stolen credentials provide hackers with the ability to impersonate legitimate users and access critical areas of your cloud to observe transactions, manipulate or falsify data, and initiate unauthorised activities. Preventative measures can be implemented to enable strong identity and access management, including strict password requirements, two-factor authentication, and proactive monitoring to prevent unauthorised activity.
Security threats from employees or associates harbouring malicious intent are well documented. The use of cloud services within an organisation can exacerbate the issue where operating processes and procedures of third-party providers are not transparent. It is important to define measurable standards for hiring staff, implement policies for granting access to physical and virtual resources, and continuously monitor for compliance.
There are important security ramifications when relinquishing control of infrastructure and data to a cloud service provider. Public cloud providers are often reluctant to document their compliance or internal security policies, and will rarely provide specific details surrounding configuration, patching, auditing, and logging procedures. Without having a clear understanding of the service provider's operating procedures and security practices, your enterprise may be open to hidden vulnerabilities and unknown threats.