As enterprises race to adopt cloud technology, they also encounter a combination of new possible threats from the rapid and frequently unorganized deployment of different cloud-based technologies. Particular concerns surround the adoption of so-called hybrid cloud technologies, Sean Metcalf, founder of cloud security advisory company Trimark Technologies told the attendees of DEF CON Safe Mode last week.
The hybrid cloud is a blend of on-premises infrastructure combined with cloud-hosted infrastructure (infrastructure-as-a-service, or IaaS) and services (software-as-a-service, or SaaS). The IaaS providers are usually giants such as Amazon’s AWS, Microsoft’s Azure or Google’s Cloud Platform. Extending on-premises data centers into the cloud basically means the cloud is operating as a virtualization host, much like VMware or Microsoft Hyper-V, Metcalf said.
Because of this effective virtualization, any attacks that are associated with those cloud data center elements are similar to how you would attack VMware and Hyper-V “but with the additional overhead of ‘well, it’s hosted by Microsoft or it’s hosted by Amazon, or it’s hosted by Google,’” Metcalf tells CSO.
Each of those hosting giants has different capabilities and configurations, which makes securing them even more complicated for companies. These complexities are especially true for larger organizations, which often have virtual machine (VM) instances that are installed across multiple cloud providers, Metcalf says. The use of multiple cloud providers is common for organizations because “anyone with a credit card can sign up for a cloud subscription or cloud account, which means any of the business units can set up their own subscription or their own account or tenant,” Metcalf says.
The challenges grow when factoring in the other elements of the hybrid cloud, the SaaS applications such as Salesforce or Workday or Office 365. Each of these SaaS elements has its own requirements and uses its own synchronization tools that are configured in the on-premises environment. An extensive amount of information from the on-premises infrastructure, typically Active Directory, the directory service for Windows domain networks, often ends up in the cloud environment.
“It makes sense that it’s there, but these connection points often have some interesting security tradeoffs, which are not often or well understood,” Metcalf says. For example, attackers could compromise Active Directory domain controllers, which are the servers that host the Active Directory identity and authentication system. “That’s a prime target for attackers.”
Rush to cloud stresses security, IT teams
The pace at which business decision-makers push their organizations to the cloud adds to the burden of security teams. “Very often the operations teams, the security teams are kind of dragged along in this approach,” Metcalf says. Business leaders say, “’This is where we’re headed.’ So, the operations teams and the security teams are the ones that have to play catch-up.”
Another big problem in the hybrid cloud environment is identity and access management (IAM), making sure users have access to only those system elements that they should have access to, which is a chronic challenge for all organizations even under the best circumstances. “The other thing that people often don’t realize is when they are hosting these VM instances, that whoever first created that tenant or subscription or account with that cloud provider typically retains admin rights,” Metcalf says.
“When they’re initially spinning everything up and standing up this environment, the server admins typically get full rights to everything. There’s often this rush to ‘let’s get it done because we have a timeline and we need to get it done,’” he adds, explaining that AWS, Azure and Google Cloud Platform each manage access roles differently. “There’s opportunity for mistakes with that because typically those roles will be over permissioned.”
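The over-permissioned roles Metcalf describes are easy to spot once the policy documents are in hand. The following is an added example, not code from the article or from Metcalf: a small Python check that walks AWS IAM policy statements (the JSON policy grammar with `Effect`, `Action`, `NotAction` and `Resource`) and flags `Allow` statements that grant wildcard actions, with the broadest category being a wildcard action on every resource. The two policies are constructed for this example; the function names are this example's own. Azure role definitions and GCP IAM bindings would need their own, similar walkers.

```python
"""Flag over-permissioned IAM policy statements (added example, constructed input)."""
import json

# Constructed sample: the kind of "server admins get full rights" policy
# that tends to survive the initial spin-up of a cloud environment.
ADMIN_ROLE_POLICY = json.loads(json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}))

# Constructed sample: a scoped policy for a deployment identity. The Deny
# statement uses a wildcard but is not a grant, so it must not be flagged.
SCOPED_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadArtifacts",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-artifacts",
                "arn:aws:s3:::example-artifacts/*",
            ],
        },
        {"Sid": "DenyKeyDeletion", "Effect": "Deny", "Action": "kms:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    """'*' grants every action; 'service:*' grants every action of one service."""
    return action == "*" or action.endswith(":*")


def find_over_permissive_statements(policy):
    """Return (Sid, reason) pairs for Allow statements that grant wildcard access.

    Deny statements are skipped: they restrict rather than grant. An Allow that
    uses NotAction is flagged outright, because it grants everything not listed.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
            continue
        wide_actions = [a for a in _as_list(stmt.get("Action")) if _is_wildcard_action(a)]
        if not wide_actions:
            continue
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if all_resources:
            findings.append((sid, f"wildcard action(s) {wide_actions} on all resources"))
        else:
            findings.append((sid, f"wildcard action(s) {wide_actions}; review scope"))
    return findings


if __name__ == "__main__":
    for name, policy in (("admin-role", ADMIN_ROLE_POLICY), ("deploy", SCOPED_DEPLOY_POLICY)):
        print(name, find_over_permissive_statements(policy) or "no wildcard grants")
```

Run against exported policy documents, the check gives a quick first pass over the roles created during the initial rush; the scoped policy passes, while the full-access policy is reported on its `FullAccess` statement.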
Technical teams need support to understand hybrid cloud
In addition to all these potential security pitfalls is the fact that so few people really understand the cloud environment. “When we’re talking about cloud and moving to the cloud, it’s first of all a very complicated thing because the cloud is new for a lot of people,” Metcalf says. “It changes every week or every month. Keeping up with it is quite an extensive job in and of itself, or at least it can be.”
That’s why Metcalf recommends that organizations ensure that the technical staff, both operations and security, get the support they need to better understand the cloud environment. In tandem with providing this support, “Make sure all admin accounts have multi-factor authentication configured through the cloud provider” or whatever system is relevant, Metcalf suggests. He points to data he collected in 2019 showing that less than 8% of all admins were using multi-factor authentication for cloud access. “If it’s not available, strongly request from the vendor that it be available because that is a great way to mitigate the potential of an attacker taking control of that account.”
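Measuring MFA coverage the way Metcalf's 8% figure implies is something a team can automate. The following is an added example, not code from the article or from Metcalf: a Python audit over an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded). It keeps only identities that can sign in interactively, the root account plus IAM users with a console password, and reports those without an active MFA device together with the overall coverage ratio. The sample report is constructed and trimmed to the columns the check uses (real reports carry more); the function names are this example's own. The credential report does not say which users are administrators, so a real audit would intersect these findings with group membership or attached policies.

```python
"""Find console identities without MFA in an IAM credential report (added example)."""
import csv
import io
from typing import Iterator, List, NamedTuple

# Constructed sample. Column names follow the IAM credential report format;
# the rows are invented. Root reports password_enabled as "not_supported".
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2020-08-01T12:00:00+00:00,false,false,false
alice,arn:aws:iam::123456789012:user/alice,true,2020-08-02T09:00:00+00:00,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,2020-07-30T17:45:00+00:00,false,false,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,no_information,false,true,false
"""

ROOT_USER = "<root_account>"


class MfaFinding(NamedTuple):
    user: str
    reason: str


def console_users(report_csv: str) -> Iterator[dict]:
    """Yield report rows for identities that can sign in interactively.

    Root always can; an IAM user can only when password_enabled is "true".
    Access-key-only identities (such as svc-deploy above) are skipped here,
    since MFA on them is enforced through policy conditions, not the report.
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER or row["password_enabled"] == "true":
            yield row


def find_users_without_mfa(report_csv: str) -> List[MfaFinding]:
    """Return every console identity whose mfa_active column is not "true"."""
    findings = []
    for row in console_users(report_csv):
        if row["mfa_active"] != "true":
            reason = ("root account without MFA" if row["user"] == ROOT_USER
                      else "console password enabled, MFA not active")
            findings.append(MfaFinding(row["user"], reason))
    return findings


def mfa_coverage(report_csv: str) -> float:
    """Fraction of console identities with MFA active (1.0 when there are none)."""
    users = list(console_users(report_csv))
    if not users:
        return 1.0
    covered = sum(1 for row in users if row["mfa_active"] == "true")
    return covered / len(users)


if __name__ == "__main__":
    for finding in find_users_without_mfa(SAMPLE_REPORT):
        print(f"{finding.user}: {finding.reason}")
    print(f"MFA coverage: {mfa_coverage(SAMPLE_REPORT):.0%}")
```

On the constructed report the check flags the root account and `bob`, and reports one covered identity out of three. The same idea applies to the other providers, each of which exposes its own reporting on authentication methods.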
Keep cloud administration off production workstations
Another key piece of advice is to ensure that any administrative activities or tasks are not performed using a regular user workstation in the environment. “That way it’s more difficult for an attacker to potentially extract or compromise that identity that’s being used to perform the administration. Typical workstations that are configured in most companies are not protected well enough against an attacker compromising it. We have to make sure that those privileged credentials are well-protected and isolated off of the normal way that users do activities on their systems.”
Management of the cloud often involves the web browser. “We know the web browser is not the most secure application on most systems,” Metcalf says. “But often the administrators are using these web portals, which means that they are likely to just be opening up Firefox or Chrome and then doing the administration, and it’s right next to Facebook, right next to Google. There’s a huge risk in that.”
Although most of the risks in the hybrid cloud environment flow from the complex technical challenges organizations face, cloud providers themselves are not immune from security risks. While he was reviewing the managed Active Directory environments for the big three cloud providers [Amazon, Microsoft and Google], Metcalf discovered a vulnerability in one of them. “It’s still in process,” he said, meaning that the unnamed provider is fixing it.
Finally, the speed of change in the cloud environment argues strongly for constant diligence to thwart malicious actors. “One of the things that’s interesting about the cloud from a security perspective is that as these new features get added, oftentimes the customer doesn’t know, but the attackers will very likely be the first ones to identify that and start leveraging it,” Metcalf says. “There are definitely things that provide capability that attackers love and could be very useful for users or the organization through their IT workflows. Inevitably any of that power can go both ways if there’s not proper control or management.”