Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors.
“The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk,” says Jay Heiser, vice president and cloud security lead at Gartner, Inc.
Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. “We are in a cloud security transition period in which focus is shifting from the provider to the customer,” Heiser says. “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not has virtually no payback.”
To provide organizations with an up-to-date understanding of cloud security concerns so they can make educated decisions regarding cloud adoption strategies, the Cloud Security Alliance (CSA) has created the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report.
The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud. While there are many security concerns in the cloud, CSA says, this list focuses on 12 specifically related to the shared, on-demand nature of cloud computing. A follow-up report, Top Threats to Cloud Computing: Deep Dive, explores case studies for most of the 12 threats.
To identify the top concerns, CSA conducted a survey of industry experts to compile professional opinions on the greatest security issues within cloud computing. Here are the top cloud security issues (ranked in order of severity per survey results):
1. Data breaches
A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices, CSA says. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property. An organization’s cloud-based data may have value to different parties for different reasons. The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers.
The Deep Dive report cites the LinkedIn password hack of 2012 as a prime example of a breach. The attacker was able to steal 167 million passwords because LinkedIn did not salt the password database. The key takeaways from this breach, according to the report, is that organizations should always hash and salt databases containing user credentials, and implement proper logging and behavior anomaly analysis.
2. Insufficient identity, credential, and access management
Bad actors masquerading as legitimate users, operators, or developers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source, CSA says. As a result, insufficient identity, credential, or key management can enable unauthorized access to data and potentially catastrophic damage to organizations or end users.
An example of insufficient access management, according to the Deep Dive report, is the discovery of unprotected default installations of the MongoDB database. That default implementation left a port open that allowed access without authentication. The report recommends preventative controls be in place across all perimeters, and that organizations scan managed, shared and public environments for vulnerabilities.
3. Insecure interfaces and application programming interfaces (APIs)
Cloud providers expose a set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud services. Provisioning, management, and monitoring are all performed with these interfaces, and the security and availability of general cloud services depends on the security of APIs, CSA says. They need to be designed to protect against accidental and malicious attempts to circumvent policy.
4. System vulnerabilities
System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, taking control of the system or disrupting service operations. Vulnerabilities within the components of the operating system put the security of all services and data at significant risk, CSA says. With the advent of multi-tenancy in the cloud, systems from various organizations are placed close to each other and given access to shared memory and resources, creating a new attack surface.
5. Account hijacking
Account or service hijacking is not new, CSA notes, but cloud services add a new threat to the landscape. If attackers gain access to a user’s credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites. Account or service instances might become a new base for attackers. With stolen credentials, attackers can often access critical areas of cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services.
An example from the Deep Dive report: The Dirty Cow advanced persistent threat (APT) group was able to gain root level control of systems by taking over an existing account through weak vetting or social engineering. The report recommends a need-to-know, need-to-access policy on access rights and social engineering training on account takeover tactics.
6. Malicious insiders
While the level of threat is open to debate, the fact that insider threat is a real adversary is not, CSA says. A malicious insider such as a system administrator can access potentially sensitive information, and can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on cloud service providers for security are at greater risk.
The report cites the example of a disgruntled Zynga employee who downloaded and exfiltrated confidential business data from the company. No loss-prevention controls were in place at the time. The Deep Dive report recommends that data loss prevention (DLP) controls be in place and that security and privacy awareness programs be in place to improve recognition and reporting of suspicious activity.
7. Advanced persistent threats (APTs)
APTs are a parasitical form of cyber attack that infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which they steal data. APTs pursue their goals stealthily over extended periods of time, often adapting to the security measures intended to defend against them. Once in place, APTs can move laterally through data center networks and blend in with normal network traffic to achieve their objectives, CSA says.
8. Data loss
Data stored in the cloud can be lost for reasons other than malicious attacks, CSA says. An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, following best practices in business continuity and disaster recovery.
9. Insufficient due diligence
When executives create business strategies, cloud technologies and service providers must be considered, CSA says. Developing a good roadmap and checklist for due diligence when evaluating technologies and providers is essential for the greatest chance of success. Organizations that rush to adopt cloud technologies and choose providers without performing due diligence expose themselves to a number of risks.
10. Abuse and nefarious use of cloud services
Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks, CSA says. Bad actors might leverage cloud computing resources to target users, organizations, or other cloud providers. Examples of misuse of cloud-based resources include launching distributed denial-of-service attacks, email spam, and phishing campaigns.
11. Denial of service (DoS)
DoS attacks are designed to prevent users of a service from being able to access their data or applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth, attackers can cause a system slowdown and leave all legitimate service users without access to services.
DNS provider Dyn is a key example of a DoS attack in the Deep Dive report. An external group commandeered IoT devices to launch a distributed denial of service (DDoS) on Dyn using the Mirai malware. They were successful because the compromised IoT devices used default credentials. The report recommends analyzing network traffic for anomalies and to review and test business continuity plans.
12. Shared technology vulnerabilities
Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications, CSA notes. Cloud technology divides the “as-a-service” offering without substantially changing the off-the-shelf hardware/software—sometimes at the expense of security. Underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications. This can lead to shared technology vulnerabilities that can potentially be exploited in all delivery models.
An example from the Deep Dive report is the Cloudbleed vulnerability, where an exeternal malicious actor was able to steal API keys, passwords and other credentials from security services provider Cloudflare by leveraging a vulnerability in its software. The report recommends that all sensitive data should be encrypted and that data be segmented according to sensitivity levels.
13. Bonus cloud threat: Spectre and Meltdown
Both Spectre and Meltdown permit side-channel attacks because they break down the isolation between applications. An attacker that is able to access a system through unprivileged log in can read information from the kernel, or attackers can read the host kernel if they are a root user on a guest virtual machine (VM).
This is a huge issue for cloud service providers. While patches are becoming available, they only make it harder to execute an attack. The patches might also degrade performance, so some businesses might choose to leave their systems unpatched. The CERT Advisory is recommending the replacement of all affected processors—tough to do when replacements don’t yet exist.
So far, there are no known exploits that have taken advantage of Meltdown or Spectre, but experts agree that they are likely and relatively soon. The best advice for cloud providers to guard against them is to make sure all the latest patches are in place. Customers should demand information on how their cloud providers are responding to Meltdown and Spectre.