There’s been a lot of FUD spread around in recent years on the subject of the public cloud. But as often happens in technology, convenience trumps security as far as users are concerned, and cloud services are just too convenient to turn down. Whether it’s to access your work files from home, to speed up departmental service procurement and bypass a cautious (read: slow) IT department, or to improve an organization’s agility and save CapEx by using infrastructure-as-a-service (IaaS), cloud services are now deeply embedded in the enterprise.
One result of this is that, where the early FUD was anecdotal and hypothetical, there are now enough enterprises using the public cloud to get solid evidence of the real scale of the risks involved. Just how big the problem is and where the main risks lie was mapped out recently in a report from cloud security specialist Alert Logic (www.alertlogic.com). Normally, you take reports like this with a pinch of salt and a dose of “Well, they would say that, wouldn’t they?”
This one was different though: the company has been able to analyze almost a quarter of a million real attacks, spread across 2200 of its customers. Top of the bill come Web application attacks and brute force attacks, the latter often coupled with or preceded by the inevitable vulnerability scans. So if your organization is among the many now hosting applications or data in the cloud, whether public-facing or for internal use, here’s the vital evidence you need in order to understand what the dangers are, what the attackers are hoping to achieve, and of course what you can do in defense.
Can security be shared?
The other aspect that too many people don’t get is the shared security model that exists between you and your cloud provider. Sure, your provider is responsible for securing the infrastructure – the power, data storage, infrastructure hardening, blocking DDoS attacks, and so on. The services – and the actual data – will be your responsibility though, along with aspects such as network threat detection, security monitoring and logging, access management, patch management, and configuration hardening.
Of course you can outsource these to a security-as-a-service provider (which is Alert Logic’s business), although even then you can’t outsource the responsibility for legal and regulatory compliance.
With that in mind, here are some key best practices for safe use of the public cloud, whether that’s to sell over the Web, to host applications or as IaaS. A lot will naturally overlap with on-premise IT, which reminds us that cloud is in many ways just the same technology, delivered differently.
1) Understand who is responsible for what in the cloud: Your cloud service provider’s responsibility for only goes so far – make sure you understand how far.
2) Secure your code: Hackers are constantly looking for ways to break your applications, whether it be buffer overflows, SQL injections, or whatever, and Web apps are a lot easier for them to get at. Ensure that your code is fully tested and secure, and that security is an integral part of your development cycle, not bolted on as an afterthought. Employing professional penetration testers (i.e. white-hat hackers) can be a very revealing and worthwhile investment.
3) Build an access management policy: The lack of a physical perimeter in the cloud means thinking differently about access management, and of course if the bad guys get your keys, all bets are off. Do you have a strong access management policy in place, including centralized authentication and two-factor security where appropriate – and of course not forgetting consultants and other temporary users?
4) Manage your patching: Unpatched software is one of the first things a hacker looks for, yet too many users postpone or ignore patches. You need a process – perhaps via a third-party patch management specialist – to check regularly for updates for all your software (not just applications and operating systems), test them to ensure they don’t cause new problems, and finally roll them out.
5) Discover, classify and control your data: Your data is the property at risk, so you need to know who is accessing it, how, when and where, and take control of that. New tools, such as Whitebox’s WhiteOps (www.whiteboxsecurity.com), let you both run usage analysis and forensics, and apply access policies. And data leakage prevention (DLP) tools can be used to prevent sensitive data from leaving the organization via the cloud, email and so on.
6) Log management and forensics: There is a huge amount of useful data hidden in your log files, so managing and analyzing these is essential. A range of tools exist to help mine details of suspicious or malicious activity, or to conduct forensics once a breach has occurred.
7) Implement defense in depth: No security control is 100% perfect. That means you need a layered security model, incorporating several independent technologies and techniques, so that if one fails or is exploited then the others should cover for it.
8) Keep up to date: There is a huge amount of information out there on the vulnerabilities, exploits and breaches that could affect your organization in the cloud – and of course on new techniques for protecting your cloud presence or IaaS. The Internet not only make it easier for you to search for this and stay up to date yourself, it can also connect you to companies and professional communities or social networks that aggregate and share this kind of information.
Image credit: FutUndBeidl (flickr) / CC-BY