Any resource deployed in the Cloud is available to anyone on the Internet unless the resource is logically segregated with appropriate access restriction and permissions.
The Cloud is under continuous scrutiny – Cloud providers publish their Cloud platform public IP subnet range to enable their Cloud customer’s connectivity configuration and troubleshooting. However, this information is a treasure trove for fraudsters, bug bounty hunters and professional security research companies, who feed this information to automated BOTS, which continually scan Cloud platforms to identify resources with weak configurations, vulnerable software versions, open API and hard-coded credentials for different motives and vested interests for monitoring. Once fraudsters identify the object of interest, they attempt to gather information hosted in the Cloud resource and, based on the value of information, may choose a further course of action with the information owner.
The Cloud has zero-tolerance to errors and misconfigurations – An error or misconfiguration is what fraudsters are continuously perusing in the Cloud infrastructure. Once they find a suitable flaw, they exploit it as a passageway, resulting in a massive breach. In many data breaches, a simple misconfiguration of enabling public view in the Cloud storage has disclosed hugely sensitive information to an unauthorized entity. The administrator performing the task should be the subject matter expert in the platform and implement it as per the design. After configuration, the security analyst can use the Cloud Platform Security Risk Evaluator to check for any misconfiguration (example: Amazon AWS “Trusted Advisor” and Microsoft – “Azure Security Center”).
The Cloud is ubiquitous – Cloud technology is designed to be accessible to anyone via the Internet from any device. While designing the solution, the Security Architect should provide the highest consideration to manage this ubiquity. If not, this could prove costly later leading to security issues. Any resource deployed in the Cloud is available to anyone on the Internet unless the resource is logically segregated with appropriate access restriction and permissions.
The Cloud has inbuilt security features, sweat them all – Cloud platforms provide adequate security features. However, in several instances, administrators fail to leverage these features due to lack of awareness. Non-usage of these features could become easy access for an attack. Only after exhausting all the features and if residual risk is higher than the acceptable appetite, administrators should look for additional security solutions. For example, if the application is hosted in IAAS server and is using Cloud storage for storing images, then Cloud storage bucket should have access enabled only from the application server and restrict all other access.
Death by password – Account hijacking is one of the most prominent Cloud threats. If the Cloud resource is protected by a password alone, the data residing is highly vulnerable and could be a potential target. Identity and access control in the Cloud needs an additional layer of protection besides the traditional password-based control. The additional control could range from a simple access control to complex solutions such as Multiple Factor Adaptive Authentication.
Before deploying, know what you should be doing – The Cloud is unforgiving if the administrator uses trial and error for configuring access, connectivity, privilege, etc. A hacker needs just a small window of time and a weak configuration to make a pathway inside your Cloud resource. All required security controls should be implemented before deploying the resources.
Cloud is plug-and-play, but Cloud security is not – Application developers are spoilt for choice when it comes to the Cloud platform, components, functions from multiple providers for their requirements. However, Cloud security is not as simple plug-and-play—it is hence not necessarily considered when designing the solution, and must be incorporated ahead in the design cycle, and implemented in every individual element of the overall solution.
Cloud security gives no second chances, do it right the first-time – Cloud resources deployed without the right security configurations will be gone in 60 seconds, leaving no room for a second time. Cybercriminals have developed innovative ways to exploit any weaknesses. Early this year criminals targeted unprotected MongoDB, wherein the attacker could excavate the entire data stored in the DB and demand ransom for data restoration. Cloud security needs a different thought process from conventional security.
Don’t blink – Cloud requires deeper and broader monitoring compared to traditional IT resources. The Cloud is a very dynamic environment; constant monitoring helps in understanding the environment better and provides insights into the tenant/subscription. Cyber threats perceived in the Cloud are very different from traditional IT resources. Constant monitoring is mandatory to ensure all vital signs are healthy and no control is relaxed for convenience.
Let us make Cloud security contiguous and breach a thing of the past. To make Cloud security contiguous, security practitioners should adopt new approaches such as building a federated model for Cloud security administration, strengthening roles & responsibilities for developers, system administrators, and business analysts, continually training all stakeholders for performing security roles, and revisiting existing processes to incorporate the new set of Cloud security principles. Doing so will ensure that business innovation can be secure, and at a lightning pace.