Cloud providers and their enterprise customers must take steps to ensure that an attacker who breaks into one customer’s environment cannot compromise another customer, according to a white paper by the Cloud Security Alliance, a leading security industry group. Enterprise security managers also must commit to a strong overall security program, according to the report, ‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016.1 “A single vulnerability or misconfiguration can lead to a compromise across (all customers in) an entire provider’s cloud,” the paper said.
Shared technology—whether a hypervisor, application (SaaS), infrastructure (IaaS), or platform (PaaS)—has been a top concern for the Cloud Security Alliance (CSA) since it published its first such cloud security list in 2010.
“The compromise of an integral piece of shared technology such as the hypervisor, a shared platform component, or an application in a SaaS environment exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach. This vulnerability is dangerous because it potentially can affect an entire cloud at once,” the paper explained. Even if taking every precaution, enterprises should not rely on shared technology for highly sensitive workloads.
CONSIDER VARIOUS DEPLOYMENT MODELS
Cloud technologies are simply applications, infrastructures, and platforms accessed over the Internet. Let’s consider the top cloud deployment models:
Public Cloud
- Highest risk comparison
- Lowest cost comparison
Cloud solutions for multiple customers are housed within the same public cloud infrastructure or on the same server. Some resources such as storage are shared between customers.
Hybrid Cloud
- Middle risk comparison
- Cost comparison depends on solution
A hybrid cloud solution actually relies on multiple interconnected clouds, both private and public. This means that some resources are shared, though there are likely fewer shared resources than for a public cloud solution.
Private Cloud
- Lowest risk comparison
- Highest cost comparison
A private cloud solution is either internally hosted on enterprise-controlled hardware at an enterprise data center or externally hosted on hardware dedicated solely to the enterprise at a provider data center. Technically a private cloud should not share resources with another customer; however, this should be confirmed for hosted private clouds.
Risk exists whenever multiple customers share a resource, such as a service, hardware, or data storage. However, public cloud solutions continue to gain momentum because they can be implemented quickly, are less costly than private clouds, and require minimal support from the enterprise IT staff.
To determine the best deployment model for an enterprise, security managers should examine the project budget, inventory data types and define the security requirements for each data type, and compare the security of available solutions. After identifying which types of information can be appropriately stored in a public cloud, managers can determine whether a provider can adequately separate customer data and systems within a public cloud.
ISOLATE CUSTOMER DATA AND SYSTEMS
A cloud provider must carefully isolate data and systems for each customer at the infrastructure level. In a multitenant environment, a provider must ensure that an attacker cannot escape an instance of an operating system, gain administrative-level rights on the server, and access another customer’s instance on that server.
Because most of these weaknesses are limited to a specific platform or non-default configuration, multi-tenant vulnerabilities usually have limited reach. However, in 2015, a researcher from security technology firm, CrowdStrike, discovered a vulnerability with broader impact. The VENOM vulnerability affects the default configurations of a wide array of virtualization platforms and allows an attacker to use root-level privileges to execute code in a victim’s hypervisor or virtual machine instance. “Exploitation of the VENOM vulnerability can expose access to corporate intellectual property, in addition to sensitive and personally identifiable information,” CrowdStrike reported.2 The bug was patched with a software update.
It is suspected that some of the thousands of organizations that use the impacted technology were victimized, but none disclosed a breach publicly. Enterprises often handle breaches quietly to protect their reputation and retain customer confidence.
Attacks on multi-tenant environments might begin in a guest environment, as with VENOM, or might focus on shared elements that were not originally designed for strong compartmentalization. These include disk partitions, GPUs, and CPU caches.
RECOMMENDATION: FOCUS ON LOGICAL SEGREGATION
The Open Web Application Security Project (OWASP) notes in its own Cloud Top Ten Security Risks3 that security for shared technology and multi-tenant environments should focus primarily on the logical segregation of customer environments. For instance, security managers should:
- Identify if enterprise data is mingled with data from other customers in tables or backups, making it difficult or impossible to properly archive or destroy.
- Ask the provider to ensure that all customers hosted on the same physical server maintain a similar security posture, so attackers can’t enter through the weaker customer’s cloud and leak into the more secure enterprise’s cloud.
RECOMMENDATION: PERFORM A SECURITY AUDIT
OWASP recommends that enterprise security managers perform a security audit or assessment of its cloud environment, in part covering administrative access to all layers (operating system, networking, application, databases). The audit should also cover architecture, data encryption, and change management. If the provider won’t allow the enterprise to conduct an audit, OWASP suggests the enterprise should request security testing by an independent third party.
An audit determines whether the provider is following industry best practices, such as patching and updating operating systems and applications. An audit might reveal surprising areas where the cloud provider has security controls that the enterprise lacks. For instance, many popular cloud providers offer state-of-the-art backup and disaster recovery options. In addition, many guarantee uptime with a partial refund in case of failure. Even without a formal audit, many enterprises require cloud vendors to complete extensive security and privacy questionnaires during the procurement process.
By holding cloud providers accountable, enterprise security managers can manage the risk that someone can interfere with its cloud or network operations. To further protect enterprise systems, enterprises should follow security best practices to protect both cloud and onsite information.
SECURING A MULTI-TENANT ENVIRONMENT
Multi-tenant environments must be designed, developed, deployed, and configured so that user access by providers and customers (tenants) is appropriately segmented from other tenant users, according to recommended CSA controls. Business critical assets and sensitive user data must be isolated, and sessions must be properly managed.
In the white paper, ‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016, CSA recommends the following best practices:
- Restrict user access based on minimum access needs for a role
- Employ multi-factor authentication on all hosts
- Implement host-based intrusion detection systems (HIDS)
- Use network-based intrusion detection systems (NIDS)
- Establish excellent segmentation of the enterprise network
- Enforce the change management process specified in Service Level Agreements for vendor—or provider— released patches and configuration changes
Enterprises should demand strong encryption and customer-owned encryption key management, OWASP notes. In other words, the provider should not own encryption key management. In addition, CSA recommends in its control documentation that providers and customers should establish policies and procedures to:
- Label, handle, and secure data and data containers
- Use encryption protocols to protect sensitive data in storage and data in transmission
- Manage user access to ensure appropriate identity, entitlement, and access management. Areas of focus should include account provisioning, access segmentation, identity trust verification, account credential lifecycle management, authentication, authorization, accounting, and multi-tenant standards.
- Protect, retain, and manage the lifecycle of audit logs
- Monitor user access to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigation in the event of a security breach
- Detect security weaknesses in a timely fashion for applications, networks, and system components through measures such as vulnerability assessments and penetration testing
- Formally manage changes including vendor-supplied patches, configuration changes, or changes to the organization’s internally developed software
GENERAL SECURITY CONTROLS HELP SECURE SHARED TECHNOLOGY
Cloud services face many of the same threats as traditional onsite technology. These risks include phishing, a scheme by which an attacker poses as a trusted party to entice an enterprise user to open a malicious website or attachment. The bad link or attachment opens on the user’s desktop rather than in the cloud application, which puts the enterprise network at risk.
Therefore, some multi-tenant recommendations are not only relevant for multi-tenant environments. Practices such as network segmentation improve an organization’s overall security posture by hindering an attacker’s mobility within the network once inside.
CONSIDER A PRIVATE CLOUD FOR HIGHLY SENSITIVE WORKFLOWS
Security researchers warn that public clouds are not appropriate for highly sensitive data and workflows, even if all best practices are followed. For these situations, Security Researcher Dan Kaminski recommends a private cloud. “If you have this sort of bug that can jump from their little piece of a server to your little piece of a server, the best way to avoid that is to not have anyone else on your server,” Kaminksy said. “It costs more, but you’re basically outbidding your attackers.”
CONCLUSION
To best protect data and workflows, security managers must weigh the security needs for each type of data against the security capabilities of various deployment models and solutions while recognizing that risk accompanies even the safest technology. Here are a few takeaways:
- Cloud providers and enterprise security managers should ensure that a customer’s data and systems are isolated at the infrastructure level.
- Security managers should ask providers for a security audit or have the provider complete security and privacy questionnaires during the vendor selection process or as part of a regular contract review.
- Both the provider and the enterprise must develop and follow comprehensive security policies and procedures. Because the cloud service is used from the user’s enterprise laptop or machine, practices that improve the enterprise’s general security posture will help protect it from additional cloud risks as well.
- For highly-sensitive workflows, a private cloud on a server dedicated to a single enterprise is a safer option than a public or hybrid cloud.
Security managers can safely deliver vital business solutions by understanding the risk and selecting the best option to achieve project goals.
Sources
1. ‘The Treacherous Twelve’ Cloud Computing Top Threats in 2 016. Cloud Security Alliance 2016. https://cloudsecurityalliance.org/download/the-treacherous-twelvecloud-computing-top-threats-in-2016/.
2. Virtualized Environment Neglected Operations Manipulation. Jason Geffner, CrowdStrike Senior Security Researcher. http://venom.crowdstrike.com/.
3. Cloud-10 Multi Tenancy and Physical Security. Open Web Application Security Project. https://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_ Security
