Depending on your familiarity with the Cloud Security Alliance (CSA) publications, part one of this blog was intended as either an introduction or a nagging reminder of the ‘Egregious Eleven’ security threats to cloud computing. It also hopefully made some helpful observations about the first six items on the list. Part two now looks at the remaining five threats, starting with:
7 – Insecure APIs
Application programming interfaces (APIs) constitute the unseen fulcrums for much of the usability and functionality found in the cloud. They help create fresh digital models by leveraging and re-purposing existing resources, as well as acting as the gateway to brand new services. But messily constructed, layered interfaces that rely on unverified and sometimes poorly written third-party APIs may end up delivering some unintended and wholly unwelcome consequences. Whilst dropping from third place in the ‘Treacherous Twelve’ to seventh in the Egregious Eleven, insecure interfaces and APIs were still rated the single biggest vulnerability to cloud security by 42 percent of respondents to the 2019 (ISC)² cloud security report.
To help address this threat, external APIs should go through the same formal vetting and approval process as any other third-party software component your business depends on. Thought should also be given to how different styles of API are secured. As one simple example, whilst ‘REpresentational State Transfer’ or REST offers a lighter and more efficient format than SOAP, it has no native message-level protection of the kind SOAP can gain from WS-Security; REST relies entirely on transport security, so TLS, with certificate verification, should be mandatory for every call rather than merely an option to consider.
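As an added illustration of that last point (this is example code written for this article, not anything from the CSA guidance or a particular vendor), the small client policy below refuses to send API traffic to anything but a verified TLS endpoint. The endpoint, token and TLS-version floor are placeholders and assumptions of the example.

```python
"""Added example: a REST client policy that refuses to talk to an API over
anything but verified TLS. Endpoint and token values are placeholders."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureEndpoint(ValueError):
    """Raised when a URL would send API traffic without transport protection."""


def secure_tls_context() -> ssl.SSLContext:
    """Build a TLS context that verifies the server certificate and hostname
    against the system CA store and rejects anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx


def validate_endpoint(url: str) -> str:
    """Accept only https:// URLs that have a host and no embedded credentials."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise InsecureEndpoint(f"refusing non-TLS endpoint: {url}")
    if not parts.hostname:
        raise InsecureEndpoint(f"endpoint has no host: {url}")
    if parts.username or parts.password:
        # Credentials in the URL end up in proxy and server logs.
        raise InsecureEndpoint("refusing credentials embedded in URL")
    return url


def call_api(url: str, token: str, timeout: float = 10.0) -> dict:
    """GET a JSON resource from a third-party REST API over verified TLS.
    The bearer token travels in a header, never in the query string."""
    validate_endpoint(url)
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=secure_tls_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder hosts; only the policy check runs here, no network call.
    for candidate in ("https://api.partner.example/v1/status",
                      "http://api.partner.example/v1/status"):
        try:
            print("ok   ", validate_endpoint(candidate))
        except InsecureEndpoint as exc:
            print("fail ", exc)
```

The point is that the protection is enforced in one place the developer cannot quietly bypass: a plain `http://` URL, a URL carrying credentials, or a server that fails certificate or hostname verification all produce an error rather than a silently unprotected call.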
8 – Weak Control Plane
Explained in refreshingly plain English by this helpful meta-analysis, a weak ‘control plane’ in this particular context is where “a cloud service does not provide adequate or sufficient security controls to meet the security requirements of the customer.” The most commonly referenced example is multi-factor authentication (MFA) which may be provided only at an additional cost by some cloud providers and not at all by others.
Interestingly, the guidance itself flags this threat area as being primarily a customer security responsibility, as it is for the customer to conduct the necessary due diligence before entrusting their data and processes to any cloud service. Fair play, although cloud providers who fail to provide adequate controls may soon start to lose customers to services that offer better-secured control plane measures.
9 – Metastructure and Applistructure Failures
Cloud uses its own ever-evolving parlance and terms to describe the key components and concepts which make its services work. An understanding of various logical models and how they are described is therefore necessary for differentiating the ‘waterlines’ or demarcation points between CSP and customer security responsibility. That being said, under a service model such as IaaS, there will often be a certain degree of ‘doubling up’ in security responsibility by both CSP and customer. The former is responsible for the physical and logical infrastructure on which the underlying service offering is built, while the customer is responsible for the purely virtual infrastructure which they themselves build and run ‘on top’ of that.
Whilst the guide clearly advises against a ‘lift and shift’ approach to moving business applications into the ‘Applistructure,’ many recognized security disciplines will still map quite literally and effectively to their respective logical layers in the cloud. Application security focuses on the ‘Applistructure,’ for example, while more traditional information and data security focus, not surprisingly, on the ‘Infostructure’ and IT infrastructure security on, you guessed it, ‘Infrastructure.’ The ‘Metastructure,’ however, is one of the key differentiating characteristics of cloud, one which the CSA describes as:
“The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration.”
This will include factoring in the management plane and a plethora of security considerations. Jumping back in the egregious list briefly to items 4 and 7 (many of the threat areas inevitably cross over), APIs are fundamental to the connectivity of the Metastructure, and if poorly implemented, they may well undermine the whole operation. Likewise, the IAM failings stressed under item 4 are also cited as one of the most frequent causes of Metastructure security issues. Netflix and other giants that utilize the cloud have therefore apparently implemented specific, advanced detection of Metastructure access compromise.
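To make that last idea concrete, here is a simple form of management-plane access compromise detection, added for this article as an example; it is not Netflix's tooling or any provider's product. It assumes a control-plane audit log whose records carry a principal, source address, action name and MFA flag (the schema, action names and every log record below are constructed), learns which source addresses each principal normally uses, and then scores new calls on three signals: a high-risk IAM or audit-configuration action, a call without MFA, and a source address never seen for that principal.

```python
"""Added example: flag suspicious management-plane activity in a constructed
control-plane audit log. Record schema and action names are assumptions."""
from collections import defaultdict

# Actions that change who can do what, or blind the auditors (assumed names).
HIGH_RISK_ACTIONS = {
    "iam.create_key", "iam.attach_policy", "iam.create_user",
    "audit.disable", "network.open_ingress",
}

# Constructed baseline window: activity already reviewed and considered normal.
BASELINE_WINDOW = [
    {"ts": "2020-01-06T08:01:00Z", "principal": "alice", "src_ip": "203.0.113.10", "action": "iam.list_users", "mfa": True},
    {"ts": "2020-01-06T08:05:00Z", "principal": "alice", "src_ip": "203.0.113.11", "action": "compute.list", "mfa": True},
    {"ts": "2020-01-06T09:30:00Z", "principal": "bob", "src_ip": "198.51.100.5", "action": "storage.list", "mfa": True},
]

# Constructed detection window: the calls we want to triage.
DETECTION_WINDOW = [
    {"ts": "2020-01-07T08:02:00Z", "principal": "alice", "src_ip": "203.0.113.10", "action": "compute.start", "mfa": True},
    {"ts": "2020-01-07T03:14:00Z", "principal": "alice", "src_ip": "192.0.2.77", "action": "iam.create_key", "mfa": False},
    {"ts": "2020-01-07T10:00:00Z", "principal": "bob", "src_ip": "198.51.100.5", "action": "audit.disable", "mfa": True},
    {"ts": "2020-01-07T10:05:00Z", "principal": "bob", "src_ip": "198.51.100.9", "action": "storage.list", "mfa": True},
    {"ts": "2020-01-07T11:00:00Z", "principal": "carol", "src_ip": "192.0.2.8", "action": "iam.attach_policy", "mfa": True},
]


def build_baseline(records):
    """Map each principal to the set of source addresses it normally uses."""
    seen = defaultdict(set)
    for r in records:
        seen[r["principal"]].add(r["src_ip"])
    return seen


def score_record(record, baseline):
    """Return (score, reasons) for one management-plane call."""
    reasons, score = [], 0
    if record["action"] in HIGH_RISK_ACTIONS:
        reasons.append("high-risk management-plane action")
        score += 2
        if not record["mfa"]:
            reasons.append("no MFA on a high-risk action")
            score += 2
    # A principal with no baseline at all (never seen before) is also "new".
    if record["src_ip"] not in baseline.get(record["principal"], set()):
        reasons.append("source address never seen for this principal")
        score += 1
    return score, reasons


SEVERITY = {1: "low", 2: "medium"}  # anything higher is "high"


def detect(records, baseline):
    """Emit one alert per record that scores at least 1."""
    alerts = []
    for r in records:
        score, reasons = score_record(r, baseline)
        if score == 0:
            continue
        alerts.append({
            "ts": r["ts"], "principal": r["principal"], "action": r["action"],
            "severity": SEVERITY.get(score, "high"), "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(DETECTION_WINDOW, build_baseline(BASELINE_WINDOW)):
        print(f"{a['severity']:6} {a['ts']} {a['principal']:6} "
              f"{a['action']:18} {'; '.join(a['reasons'])}")
```

Run against the constructed data, the routine ignores alice's ordinary compute call, raises a high-severity alert for her 03:14 key creation from an unknown address without MFA, a medium one for bob disabling audit logging (normal address, MFA present, but still a call worth a human glance), a low one for bob listing storage from a new address, and a high one for the never-before-seen principal carol attaching a policy. Real deployments would add the provider's own event schema, a longer baseline and richer context such as geolocation, but the shape of the logic is the same.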
10 – Limited Cloud Usage Visibility
Visibility remains paramount to any type of security. After all, you can only secure and protect what you know of and can reliably ‘see.’ So this area of threat concerns itself with the implications of both sanctioned and unsanctioned use of cloud applications and services.
Sanctioned cloud services and applications may not always be used in the ways in which they were intended; they may lead to data exposure or malware infection, for example. But for the sake of brevity here, let’s take a closer look at the often bigger problem of unsanctioned use.
For some years now, cloud has taken the whole concept of ‘shadow IT’ to potentially perilous levels. Enterprise services supporting core business processes or processing critical data can, in theory, be purchased, configured and launched without any engagement, let alone assurance or sanction, from an organization’s corporate IT department and specialists. That is until some integration with an existing system or data set is required, or the business owners hit some key technical snag which the CSP or cloud broker cannot or will not help with. At that point, the unsanctioned system starts to become the problem of others in the organization, and the IT department may well find itself forced to step in and rescue a possibly unfit or incompatible system.
Worse still, the core ‘broad network access’ from anywhere that’s characteristic of the cloud when combined with poorly controlled use of BYOD may force more nuanced areas of system use and data processing to move far beyond any notion of central visibility and governance altogether. This is all before you even start to consider the possibility of how much of your organization’s data may have ended up in the personal cloud storage or messaging systems of your users and third parties. It is no wonder then that Gartner predicted that by 2020, “one-third of all successful security attacks on companies will come through shadow IT systems and resources.”
This threat reminds us that having good cloud architecture and strategy can help to alleviate the need for unsanctioned cloud services in the first place. Business users may well procure such solutions out of necessity and frustration with corporate IT services which no longer meet their needs. Having good engagement with your business stakeholders and regularly reviewing their requirements could, therefore, make for a safer, more financially economical and compliant use of cloud.
Likewise, joined-up processes with finance and procurement departments can help identify and alert IT to proposed or suspect expenditure associated with the introduction of rogue services. Failing that, there are also many technical controls and services, including those provided by cloud access security brokers (CASB) or software-defined gateways (SDG), which can help regain lost visibility and control. Such services, as well as more traditional tools such as IDS and WAF, may of course equally be applied to legitimate and sanctioned cloud services to strengthen their security.
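Much of what a CASB does for visibility starts from a simple idea: compare the cloud destinations in your egress logs against a catalogue of known services and a list of which of them the business has actually sanctioned. The script below is an added example written for this article (not a CASB product or anything from the CSA guidance) that does exactly that over a constructed web-proxy log. The service catalogue, the log format and every host, user and address in it are made up for the illustration.

```python
"""Added example: surface unsanctioned cloud services from web-proxy logs.
The catalogue, log format and all hosts, users and addresses are constructed."""
from collections import defaultdict

# Hypothetical service catalogue: domain suffix -> (service name, sanctioned?)
CLOUD_CATALOGUE = {
    "crm.corp-saas.example": ("CorpCRM", True),
    "personal-drive.example": ("PersonalDrive", False),
    "chat.quickmsg.example": ("QuickMsg", False),
    "api.payroll-cloud.example": ("PayrollCloud", False),
}

# Constructed proxy log: "<timestamp> <user> <client_ip> <host:port> bytes_out=<n>"
SAMPLE_LOG = """\
2020-01-07T09:12:01Z alice 10.0.0.12 crm.corp-saas.example:443 bytes_out=20480
2020-01-07T09:15:44Z alice 10.0.0.12 files.personal-drive.example:443 bytes_out=5242880
2020-01-07T09:16:02Z bob 10.0.0.40 www.personal-drive.example:443 bytes_out=1048576
2020-01-07T09:20:19Z carol 10.0.0.51 api.payroll-cloud.example:443 bytes_out=409600
2020-01-07T09:21:00Z bob 10.0.0.40 chat.quickmsg.example:443 bytes_out=2048
2020-01-07T09:25:30Z dave 10.0.0.77 intranet.corp.example:443 bytes_out=512
2020-01-07T09:26:11Z alice 10.0.0.12 crm.corp-saas.example:443 bytes_out=4096
"""


def parse_line(line):
    """Split one proxy log line into its fields (format assumed above)."""
    ts, user, client_ip, dest, bytes_field = line.split()
    host = dest.rsplit(":", 1)[0].lower()
    return {"ts": ts, "user": user, "client_ip": client_ip,
            "host": host, "bytes_out": int(bytes_field.split("=", 1)[1])}


def classify_host(host):
    """Return (service, sanctioned) for a host, or None if not catalogued.
    Suffix match so that sub-domains of a service count toward it."""
    for suffix, entry in CLOUD_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def shadow_cloud_report(log_text):
    """Aggregate users, hits and outbound bytes per catalogued cloud service."""
    services = defaultdict(lambda: {"sanctioned": None, "users": set(),
                                    "bytes_out": 0, "hits": 0})
    unmatched = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = classify_host(rec["host"])
        if entry is None:
            unmatched.add(rec["host"])  # not a known cloud service; review separately
            continue
        name, sanctioned = entry
        s = services[name]
        s["sanctioned"] = sanctioned
        s["users"].add(rec["user"])
        s["bytes_out"] += rec["bytes_out"]
        s["hits"] += 1
    for s in services.values():
        s["users"] = sorted(s["users"])
    return {"services": dict(services), "unmatched": sorted(unmatched)}


def unsanctioned_by_volume(report):
    """Unsanctioned services as (name, bytes_out, users), largest upload first."""
    rows = [(name, s["bytes_out"], s["users"])
            for name, s in report["services"].items() if not s["sanctioned"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    report = shadow_cloud_report(SAMPLE_LOG)
    for name, volume, users in unsanctioned_by_volume(report):
        print(f"UNSANCTIONED {name:14} {volume:>9} bytes out  users={','.join(users)}")
    print("uncatalogued hosts:", ", ".join(report["unmatched"]))
```

Outbound byte volume is the column to sort on, because it is what separates a user glancing at a personal file-sharing site from one uploading a project's data into it. Hosts that match nothing in the catalogue are reported separately rather than ignored; the catalogue is only ever as complete as the last time someone updated it, which is the same limitation a commercial CASB feed has.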
11 – Abuse and Nefarious Use of Cloud Services
Whilst many enterprises and individuals now readily harness pooled resources through the cloud which at one time would have been far beyond their reach, so do criminals, hacktivists and all other manner of cyber miscreant. Employing the elasticity of such resources to launch DDoS attacks is an obvious, prolific and often damaging example.
The use of familiar cloud platforms and domains to conduct other malicious activity such as the distribution of malware or phishing attacks can add an additional air of misleading legitimacy to such acts, particularly when it comes with the added insult of using a compromised customer account to deliver the campaign. The guide cites attacks that specifically leverage bona fide cloud services and functions to spread themselves and deliver payloads such as the Zepto variant of the Locky ransomware and CloudSquirrel.
Turning this thinking back on itself, cybersecurity solutions for the cloud need to ‘fight fire with fire.’ By that, I’m not talking about ‘offensive’ or retaliatory security techniques here; I’m talking about the need to adapt, innovate and leverage what the cloud can offer and do well in terms of protection with the same forward-thinking as some of our adversaries. Let’s also not forget the economies of scale and investment which the large CSPs and tech giants have when it comes to trailblazing such developments. To conclude this often daunting look at threat, therefore, we should remind ourselves that when approached correctly, creatively and with due consideration to models such as the CSA-defined ‘Trusted Cloud Initiative,’ cloud computing can still offer us the path to a more, rather than less, secure future. The choice is ours.
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and a PCIP (PCI SSC Payment Card Industry Professional). He is currently the IT security lead for King’s Service Centre supporting the services of King’s College London, one of the world’s top 20 universities.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.