IaaS Security: Threats and Protection Methodologies
Cloud infrastructure services face unique security threats that require a variety of different protection methodologies.
By Maxim Sovetkin, Itransition
Cloud services are becoming the main part of the infrastructure for many companies. Enterprises should pay maximum attention to security issues, moving away from typical approaches used in physical infrastructures, which are often insufficient in an atmosphere of constantly changing business requirements. Although cloud providers do all they can to guarantee infrastructure reliability, some of them limit their services to standard security measures, which can and should be significantly expanded.
Typical Cloud Information Security Threats
According to the Cloud Security Alliance the list of the main cloud security threats includes the following:
Data in the cloud is exposed to the same threats as traditional infrastructures. Due to the large amount of data, platforms of cloud providers become an attractive target for attackers. Data leaks can lead to a chain of unfortunate events for IT companies and infrastructure as a service (IaaS) providers.
Compromising Accounts and Authentication Bypass
Data leaks often result from insufficient attention to authentication verification. More often than not, weak passwords in conjunction with poor management of encryption keys and certificates are to blame. In addition, IT organizations are faced with problems of managing rights and permissions when users are assigned with much greater powers than they actually need. The problem can also occur when a user takes another position or leaves the company: no one is in a rush to update permissions under the new user roles. As a result, the account has rights to more features than necessary.
Moreover, cloud environments are often prone to use of all kinds of phishing, scams, exploits and various attempts to manipulate data.
The threat may also come from current or former employees, system administrators, contractors or business partners. Insiders may have different motives, ranging from data theft to simple revenge. In the case of IaaS, the consequences of such actions can even take the form of full or partial infrastructure destruction, data access or even data destruction.
Interface and API Hacking
Today, it is impossible to imagine cloud services and applications without friendly user interfaces (UIs) and application program interfaces (APIs). The security and availability of cloud services depends on reliable mechanisms of data access control and encryption. Weak interfaces become bottlenecks in matters of availability, confidentiality, integrity and security of systems and data.
Targeted cyberattacks are common in our times. An experienced attacker, who has secured his presence in a target infrastructure, is not so easy to detect. Remote network attacks may have significant impact on the availability of infrastructure in general.
Despite the fact that denial-of-service (DoS) attacks have a long history, the development of cloud computing has made them more common. DoS attacks can cause business critical services to slow down or even stop. DoS attacks consume a large amount of computing power that comes with a hefty bill. Despite the fact that the principles of DoS attacks are simple at first glance, you need to understand their characteristics at the application level: the focus on the vulnerability of web servers, databases and applications.
Permanent Data Loss
Data loss due to malicious acts or accidents at the provider’s end is no less critical than a leak. Daily backups and their storage on external protected alternative platforms are particularly important for cloud environments.
In addition, if you are using encryption before moving data to the cloud, it is necessary to take care of secure storage for encryption keys. As soon as keys fall into the wrong hands, data itself becomes available to attackers, the loss of which can wreak havoc on any organization.
A common mistake when using cloud-based solutions in the IaaS model is paying too little attention to the security of applications, which are placed in the secure infrastructure of the cloud provider. And the vulnerability of applications becomes a bottleneck in enterprise infrastructure security.
Lack of Awareness
Organizations moving to the cloud without understanding the capabilities the cloud has to offer are faced with many problems. If a team of specialists is not very familiar with the features of cloud technologies and principles of deploying cloud-based applications, operational and architectural issues arise that can lead not only to downtime but also to much more serious problems.
Abuse of Cloud Services
The cloud can be used by legal and illegal businesses. The purpose of the latter is to use cloud resources for criminal activity: launching DoS attacks, sending spam, distributing malicious content, etc. It is extremely important for suppliers and service users to be able to detect such activities. To do this, detailed traffic inspections and cloud monitoring tools are recommended.
In order to reduce risks associated with information security, it is necessary to determine and identify the levels of infrastructure that require attention and protection. For example, the computing level (hypervisors), the data storage level, the network level, the UI and API level, and so on.
Next you need to define protection methods at each level, distinguish the perimeter and cloud infrastructure security zones, and select monitoring and audit tools.
Enterprises should develop an information security strategy that includes the following, at the very least:
- Regular software update scheduling
- Patching procedures
- Monitoring and audit requirements
- Regular testing and vulnerability analysis
IaaS Information Security Measures
Some IaaS providers already boast advanced security features. It is necessary to carefully examine the services and systems service providers offer at their own level, as well as conditions and guarantees of these offerings. Alternatively, consider implementing and utilizing them on your own.
Encryption is the main and also the most popular method of data protection. Meticulously managing security and encryption key storage control is an essential condition of using any data encryption method.
It is worth noting that the IaaS provider must never be able to gain access to virtual machines and customer data.
It is mandatory also to encrypt network connections, which is already a gold standard for cloud infrastructure.
Attention must also be paid to access control, for example, by using the concept of federated cloud. With the help of federated services, it’s easy to organize a flexible and convenient authentication system of internal and external users. The use of multi-factor authentication, including OTP, tokens, smart cards, etc., will significantly reduce the risks of unauthorized access to the infrastructure.
Be sure not to forget hardware and virtual firewalls as a means of providing network access control.
Cloud Access Security Broker (CASB)
A CASB is a unified security tool that allows administrators to identify potential data loss risks and ensure a high level of protection. The solution works in conjunction with the IaaS provider's cloud infrastructure by enabling users to monitor shared files and prevent data leakage. This way, administrators know where important content is stored and who has access to the data.
Implementing and using vulnerability control, together with regular software updates, can significantly reduce the risks associated with information security, and it is an absolute must for both the IaaS provider and its clients.
Monitor, Audit and Identify Anomalies
Monitoring and auditing systems allow you to track standard indicators of infrastructure performance and identify abnormalities related to system and service security. Using deep packet inspection (DPI) or intrusion detection and prevention solutions (IDS/IPS) helps detect network anomalies and attacks.
Conducting specialized training and adopting a general attitude of focused attention to the technical competence of staff that have access to the virtual infrastructure will enhance the overall level of information security.
Don't Let Cloud Security Concerns Hold You Back
In conclusion, it is worth noting that cloud computing, despite obvious concerns about security that often occur because of ignorance and lack of knowledge about cloud capabilities, is increasingly used for solving serious problems. With proper attention to information security, the cloud can bring substantial economic and technical benefits to IT companies.
Maxim Sovetkin, lead system engineer, joined Itransition in 2010. He has broad experience in system and network administration and engineering, hardware evaluation, internal project management, systems and network security, incident analysis and recovery. His technical interests are in automation, hardware, *nix, networking, SAN, security, system integration, planning and design, virtualization, VoIP, wireless technologies, Windows and workforce management. Sovetkin graduated from Belarusian State University with a degree in mathematics, system analysis and IT systems modeling.