The Hidden Risks of Cloud Computing: Amplifying cloud security concepts

It's time to start looking into secure cloud models. The previous articles, "Is Cloud computing a technology or a Business Enabler?" and "Cloud Computing Architecture & service models", will give you a fair idea of cloud computing basics and working models. In the general view, cloud is dangerous from a security perspective. There were multiple things we had to deal with, like not having direct access and being dependent on a third party; it was a mess. Now the world is moving towards cloud technologies to enhance and optimize resource handling and OpEx. This article covers the what, why and how of cloud security. Here we go.

What is Cloud Security?

Cloud security is the practice or discipline of protecting cloud-based data, applications and infrastructure involved in cloud services and cloud computing from cyber attacks and cyber threats. In short, it is a whole bundle of protocols, best practices and technology.

Why is Cloud Security important?

Breach attempts are increasing day by day, and cloud security professionals are obliged to play 'Whac-A-Mole' with attacks. As more companies continue to migrate to the cloud, security threats are becoming more commonplace, with malicious actors building and using software specifically for cloud applications and services. One recent research paper mentioned that "By 2025, 95% of all public, private and hybrid workloads run in cloud". How are companies going to handle the security aspect of cloud?

[Figure: statistics on cyberattacks and their impact]

There have also been multiple high-profile hacks. One such example was in 2012, when cloud was in its early stages: file-sharing site Dropbox announced a data breach in which hackers successfully stole 68 million passwords and sold them on the dark web. Since then, cloud computing security has advanced rapidly, but risks remain as cybercriminals develop new forms of attack. In addition, a huge scarcity of qualified personnel has led to breaches, as well as insider leaks due to poor governance.

Statistics from S&P show that the primary attack targets are cloud storage, applications and databases.

What are the security centric challenges in Cloud Computing?

Cloud computing has changed multiple business operating models. There was a sudden spike in cloud deployments and usage during the pandemic. We have witnessed tremendous growth in cloud computing usage, linked to online classes, virtual office meetings and conferences, and on-demand streaming apps. Security and privacy became more challenging at these usage rates. The hybrid working model, cloud-first initiatives and their benefits have led to an increased attack surface and risk.

Here are the new-world challenges we often see in cloud computing:

  • Employees/users can work from anywhere
  • Ever-expanding apps/services etc.

If the cloud security challenges mentioned above are not taken into account, hackers can access and misuse cloud data through the following loopholes in the cloud ecosystem:

  • Enterprise and Client Data Breaches
  • Customer Data Loss
  • Lack of Planning Strategy and Secured Cloud Architecture
  • Lack of Cloud Usage tracking and Cloud Visibility
  • Insecure Protocols, Interfaces and APIs
  • Insider Threat Risk
  • Distributed Denial of Service (DDoS)
  • Account Takeovers and Hijacking
  • Improper Identity and Access Management
  • Cloud Misconfigs
  • Cryptojacking

What are the different Cloud vulnerabilities we often hear about?

Cloud computing adoption comes with multiple advantages and benefits; however, it also comes with a certain amount of risk for an organization. The National Security Agency (NSA) of the United States Department of Defense categorizes cloud vulnerabilities into four classes:

Misconfiguration:

In the cloud, users are given certain privileges based on their responsibilities in the organization. If these entitlements or privileges are configured incorrectly, user accounts may have access to information they are not supposed to reach. Such misconfiguration of entitlements, especially access privileges, creates the risk of sensitive company data being exposed to the public. To prevent users from exposing the organization's sensitive information publicly, companies can implement cloud service policies. Beyond applying cloud service policies, organizations should also continuously monitor all security events, cloud resources and configuration changes to detect any misconfigured access or misuse of access.

Poor access control:

Authentication is an absolute security layer that prevents hackers from getting inside an environment. If this access control mechanism gets compromised, the consequences can be disastrous. Poor access control mechanisms allow attackers to change permissions and wreak havoc inside an organization by giving them easy access to critical client and organizational data.

To stop security breaches, a solid authentication model is essential. To make sure that only authorized users have access to a network, multi-factor authentication can also be used. In addition to rigorous authentication protocols, reviewing access logs and login attempts may reveal indications of a breach or other anomalies.
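One way to review login attempts for the indications mentioned above, as an added example that is not part of the original article: the Python below scans sign-in events for a success that follows a burst of failures and for one source failing against many accounts. The log format, thresholds, function name and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events: "timestamp user source_ip result".
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice 198.51.100.7 FAIL
2024-05-01T09:00:11 alice 198.51.100.7 FAIL
2024-05-01T09:00:19 alice 198.51.100.7 FAIL
2024-05-01T09:00:40 alice 198.51.100.7 OK
2024-05-01T09:05:00 bob 192.0.2.10 FAIL
2024-05-01T09:05:20 bob 192.0.2.10 OK
2024-05-01T10:00:00 carol 203.0.113.50 FAIL
2024-05-01T10:00:02 dave 203.0.113.50 FAIL
2024-05-01T10:00:04 erin 203.0.113.50 FAIL
"""

def review_logins(log_text, max_fails=3, window=timedelta(minutes=5), max_users=3):
    """Return (alert_type, subject) pairs found in time-ordered sign-in events."""
    alerts = []
    fails_by_user = defaultdict(deque)  # user -> failure times inside the window
    users_by_ip = defaultdict(set)      # source -> accounts it failed against
    flagged_ips = set()                 # report each noisy source only once
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, ip, result = line.split()
        ts = datetime.fromisoformat(stamp)
        recent = fails_by_user[user]
        while recent and ts - recent[0] > window:
            recent.popleft()            # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
            users_by_ip[ip].add(user)   # simplification: this set never expires
            if len(users_by_ip[ip]) >= max_users and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("many-accounts-one-source", ip))
        elif result == "OK":
            if len(recent) >= max_fails:
                alerts.append(("success-after-failures", user))
            recent.clear()              # a good login resets the user's counter
    return alerts

if __name__ == "__main__":
    for alert, subject in review_logins(SAMPLE_LOG):
        print(f"{alert}: {subject}")
```

A single mistyped password followed by a success, as with the constructed user bob, stays below the threshold and raises no alert.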


Shared tenancy flaws:

Cloud infrastructure environments involve the use of numerous hardware and software components, which are often sourced from multiple vendors. With such a complex setup, there is a risk that one or more of these components contains vulnerabilities. Any attacker who knows the components used in a particular cloud environment well can easily exploit their vulnerabilities. The two vulnerabilities that fall under this category are:

  • Hypervisor vulnerability: A hypervisor is the software launchpad responsible for creating and running virtual machines. Cloud computing environments rely heavily on virtualization, which makes any hypervisor vulnerability critical.
  • Containerization vulnerability: Containerization technology involves deploying applications in multiple environments without rewriting the code, which means encapsulating all the components necessary to run an application independently on suitable hardware. Containerization vulnerabilities may give attackers access to critical code or sensitive data, which can be misused.

To mitigate these types of vulnerabilities, it is advised to run sensitive workloads on private clouds/bare-metal or dedicated virtual machines so that there are no other tenants in that instance that can access your information through an exploit. Strong encryption techniques can also be used to encrypt data. Monitoring the network carefully always helps in early breach detection and mitigation.

[Figure: various attacks targeting these vulnerabilities]

Supply chain vulnerabilities:

Supply chain vulnerabilities often occur due to the cloud design itself, i.e. multiple sources of hardware and software components. Monitoring a wide network of resources is a challenging task for cloud service providers, so they might miss some vulnerabilities. Observability and monitoring play a key role here as well. Monitoring sensitive resources helps with detecting unusual activity or unusual behavior across cloud environments.

Businesses experience vulnerability situations in their supply chain when they are exposed to the blind risks of both internal and external supply chain disruptions.

Source: NSA website

Cloud Shared responsibility model

Cloud Service Providers (CSPs) like AWS, Azure, GCP etc. operate under a shared responsibility model. To ensure that your migration is secure, you need to be aware of who is responsible for which aspect of the migration plan.

Traditionally, when you deploy an application, you have the entire data center and the servers that you run, and you're responsible for all of it. In the cloud model, that is a shared responsibility between the consumer and the cloud provider. In a shared responsibility model you need to rethink security in terms of "what your responsibility is" and "what the cloud provider's responsibility is".

[Figure: cloud shared responsibility model]

Let's take platform-as-a-service (PaaS) as an example. With PaaS, we are building applications, migrating data to the cloud and running those applications on the cloud. So we are responsible for securing the applications, workloads and data, while the Cloud Service Provider is responsible for managing the security of the platform: keeping it compliant and secured from the perspective of the network and the platform (managing the containers, the runtime and isolation), so that consumers have their own space within the platform.

Now let's begin to demystify the security aspect of the Cloud Service Provider's relationship with the consumer. Before doing that, I'm going to use an example scenario to help you understand the different responsibilities of the consumer and the Cloud Service Provider, and how to choose between the service models (IAAS, PAAS, SAAS) that were discussed in the previous blog. The best way is to imagine that you want a pizza for dinner. There are multiple options available to you:

  • Do you want to make a pizza with all ingredients prepared at home? or
  • Do you want to just take a pizza (base, toppings etc.) and bake it at home? or
  • Do you want to order a pizza which will be delivered to your home? or
  • Do you want to go to a restaurant (dining out)?

In a similar way, the cloud shared responsibility model maps as follows:

Traditional on-prem is nothing but making pizza at home (toss the dough, add the toppings, bake etc.). In the same pattern, in traditional on-prem we (the company) secure all the phases of designing, configuring and deploying services, hardware and datacenters by ourselves.

Infrastructure as a Service (IAAS) security is analogous to the "Take and Bake" pizza concept. We manage the dining table, the soda, the gas and the oven, but we buy the dough, tomato sauce, toppings and cheese from the market. In IAAS, the physical datacenters and virtualization are managed and secured by the Cloud Service Provider. All other aspects come under the consumer's responsibility.

Platform as a Service (PAAS) is just like Domino's delivering pizza to our home, where we eat it using our own dining table and soda. So in PAAS the consumer's cloud security responsibility is quite a bit less than in IAAS.

Software as a Service (SAAS) means that we're outsourcing everything to somebody who can provide us the end-to-end solution. The Cloud Service Provider manages all the applications, the underlying operating hardware or software and the security offered, and you worry about the data that you bring in and plan accordingly. We don’t even have to manage the . In the pizza world, all you need to do is go to a restaurant, order a pizza and eat.

[Figure: the cloud shared responsibility concepts visualized as "Pizza as a Service"]

Security in Cloud Shared responsibility model

The shared responsibility model above defines a cloud security framework that dictates the security obligations of a cloud computing service provider and its consumers/users to ensure accountability. Along with this, cloud service providers like AWS, GCP, Azure etc. provide their native toolsets to identify and mitigate various rapidly evolving threats.

Here are the security solutions or services each Cloud service provider offers:

AWS: Security, Identity, and Compliance solutions

AWS recommends using the services below to secure workloads and applications in the cloud. AWS allows users to automate manual security tasks so they can shift focus to scaling and developing the business.

[Figure: AWS security, identity and compliance services]

Source: AWS security products

Microsoft Azure: Security solutions

Azure native tools help identify and protect against rapidly evolving threats. Azure has a wide range of security products which can be reffere

[Figure: Azure security products]

Source: Azure security products

No cybersecurity or cloud security measure is ever enough. Security is one field that will constantly evolve. As this is an introductory article on cloud security, I limit myself to basic topics. See you in the next blog.


Chandrasekhar Kesavarapu


The CloudnLoud community is a non-profit open source tech community, volunteer-run event presented by members of the CloudnLoud Community.
