Building a new cloud security model
Users need to realise that cloud services can be more secure, not less, but it is a new security model where we need to be clear about what we want to do and how we plan to do it, says Russell Spitler.
Despite the numerous advantages presented by cloud computing, security is still the biggest factor holding back more widespread adoption by businesses. A recent survey by AlienVault found that an overwhelming 90 percent of organisations are still concerned about cloud security.
But many people don't realise that the cloud also presents a great opportunity for security. The automation and scale provided by the cloud give us a platform that we can secure far better than any in the past. The cloud is not an inherently insecure environment. Rather, it is an environment with a new security model. It comes with new responsibilities and new trust relationships that need to be established to properly secure your environment. These environments have the opportunity to be far more secure than even traditional data centres. Security is like anything else: there are economies of scale that come into play. However, we are still early in the game with security in the cloud, and many issues remain to be sorted out.
Confusion about security in the cloud often starts early, because key terms can mean different things, and the muddled dialogue leads to an early disconnect at best or a fundamental misunderstanding at worst. This causes hesitance to leverage the various forms of cloud services to their fullest potential. To be explicit, “cloud security” can mean three very different things:
– A SaaS (software as a service) offering that provides a security service
– An offering that helps you monitor SaaS services (note that this has no bearing on its delivery form – SaaS, on premise software or appliance)
– The set of tools/features required to secure an IaaS (infrastructure as a service) environment.
Understanding these three variants of ‘cloud security’ is important to then realise the promise and the risk of your own use of the cloud.
Today the risk we run with the cloud largely depends on the nature of our use. However, since cloud services have proven to be viral in nature, most organisations make use of both SaaS and IaaS, whether or not it is in line with corporate policy. Recent research has shown SaaS offerings being leveraged as points of data exfiltration and used as command and control (C&C) channels. This is an ingenious way to side-step traditional perimeter-based detection technologies.
By leveraging a SaaS service in an attack, the controls traditionally used to detect large-scale data loss and C&C traffic are rendered useless as the malicious activity now blends with the benign. This integration of SaaS into the methods used by attackers is a sure sign of widespread cloud adoption. There has also been research about attacks targeting IaaS environments and leveraging components of the IaaS service as a mechanism for privilege escalation or to pivot in the environment, reflecting increased understanding of the nature of IaaS by attackers and the need for users to properly monitor and secure such environments.
Even with a current understanding of the risks related to use of IaaS and SaaS we need to remind ourselves of the potential for causalities. Attackers target and leverage these services because that is where our data is stored. They will not stop if we are not using the cloud; they will simply leverage other techniques when attacking us. Currently the majority of broad-based attacks still target traditional environments; thus, avoiding the use of the cloud is not an action that will make us inherently more secure. As with the adoption of any other technology, we must understand the cost and weigh it against the benefits of use.
When working with cloud providers it is important to establish what responsibilities you retain for security and what is managed by the provider. Depending on the nature of the service, the line of responsibility shifts. For IaaS providers, the customer is responsible for the operating system up; however, for SaaS providers, the customer is responsible for privileged users. This has a major impact on the security controls we implement to shore up our end of the bargain.
With IaaS providers, we need to start at the OS level and take full advantage of the automation and configuration tools provided. Beautifully segmented networks with fully encrypted network connections and hardened systems are now scriptable features of our data centres. With both IaaS and SaaS providers, we need to keep a close eye on the administrative audit logs to monitor privileged user access and ensure appropriate use of the features in the environment. Automated analysis and monitoring of these logs is critical to identify the difference between a development engineer spinning up a new server and an attacker taking advantage of compromised credentials.
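A sketch of the kind of automated audit-log analysis described above, added here as an illustration and not taken from the article or any provider: it learns each privileged user's usual actions, source networks and regions, then reports events that depart from that baseline. The event fields, user names and addresses are constructed assumptions, not a real provider's log schema.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample audit events (field names are assumptions, not a provider's schema).
BASELINE = [
    {"user": "dev-alice", "action": "create_server", "ip": "198.51.100.10", "region": "eu-west"},
    {"user": "dev-alice", "action": "create_server", "ip": "198.51.100.23", "region": "eu-west"},
    {"user": "dev-alice", "action": "delete_server", "ip": "198.51.100.10", "region": "eu-west"},
    {"user": "ops-bob", "action": "update_firewall", "ip": "198.51.100.40", "region": "eu-west"},
]
NEW_EVENTS = [
    {"user": "dev-alice", "action": "create_server", "ip": "198.51.100.31", "region": "eu-west"},
    {"user": "dev-alice", "action": "create_server", "ip": "203.0.113.77", "region": "ap-south"},
    {"user": "ops-bob", "action": "create_access_key", "ip": "198.51.100.40", "region": "eu-west"},
]

def network(ip):
    """Collapse an IPv4 address to its /24 so address churn inside one office is not 'new'."""
    return str(ip_network(f"{ip}/24", strict=False))

def build_profile(events):
    """Per-user sets of actions, source networks and regions seen in the baseline."""
    profile = defaultdict(lambda: {"action": set(), "net": set(), "region": set()})
    for e in events:
        p = profile[e["user"]]
        p["action"].add(e["action"])
        p["net"].add(network(e["ip"]))
        p["region"].add(e["region"])
    return profile

def review(events, profile):
    """Return (event, reasons) for every event that departs from the user's baseline."""
    alerts = []
    for e in events:
        p = profile.get(e["user"])
        if p is None:
            alerts.append((e, ["user not in baseline"]))
            continue
        observed = {"action": e["action"], "net": network(e["ip"]), "region": e["region"]}
        reasons = [f"new {k}: {v}" for k, v in observed.items() if v not in p[k]]
        if reasons:
            alerts.append((e, reasons))
    return alerts

if __name__ == "__main__":
    for event, reasons in review(NEW_EVENTS, build_profile(BASELINE)):
        print(event["user"], event["action"], "->", "; ".join(reasons))
```

The first new event is the engineer launching a server from the usual network and passes silently; the same action from an unseen network and region, and a key-creation call the operator has never made before, are both surfaced for review.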
The cloud holds great promise, and there is no end of opportunity for creating some of the most secure environments we have ever designed. However, there is a new game we have to play and a new teammate to work with. Understanding the risks involved in leveraging the cloud, the nature of securing it and how to best work with our chosen providers are the critical first steps towards realising the potential of this new opportunity.
Contributed by Russell Spitler, vice president, product strategy, AlienVault