In the third blog in our series on ‘cloud’ technologies, our Head of Cyber Information Services, Chris Cobb, points out some key threats and considerations for individuals and organisations.
Security in the cloud
The data centres and facilities that we rely upon to deliver services and applications all have to interface with the wider internet. There are now very few ‘air gapped’ platforms that are wholly disconnected. The challenge for cloud service architects and designers is really about how to build security in from the beginning of the design process. The next security measure is to establish good baseline management and to ensure that configurations and patching are in good order and well documented.
Some of the issues we have seen can readily be treated. We set out a few key factors below for consideration.
Malware
Threats: Malware can introduce problems such as data loss, loss of control of devices and operational disruption.
- Host and network-based anti-malware applications deployed to specific hosts and virtualised systems.
- Staff training on how malware is introduced.
- Continuous monitoring of network traffic and baseline configurations.
- Regular updates and patching, including when new VMs are provisioned and at boot cycles where possible.
Internal and Insider
Threats: The result of accidental or malicious configuration from internal staff or contractors with access to critical systems.
- Additional background checks on privileged users.
- Solid workflows for regular processes, including separation of duties and least privilege.
- Active surveillance and monitoring systems, both physical and electronic.
- Obfuscation and policy management of critical data.
- Egress monitoring.
Hacking
Threats: Hacking – financial gain, hacktivism, political goals, perceived grievances, etc. These threats manifest themselves in many forms, including denial of service (DDoS), compliance and regulatory breaches, data loss and reputational damage.
- Hardening of systems, devices, hypervisors, virtual machines, with solid baseline configurations.
- Good change control practices.
- Use of strong access control mechanisms and cloud access security brokers.
- Up to date threat intelligence information.
‘Man in the Middle’ attacks
Threats: Eavesdropping on data transmissions, which can be used to modify, control or access data in transit for malicious purposes (affecting the integrity of data).
- Encrypt data in transit.
- Encrypt authentication activity.
- Use secure session technologies.
Social engineering
Threats: User password resets are common in cloud or remote systems. Social engineering can also exploit social media sites and online profiles. Attacks of this nature rely on communication systems but are also highly distributable. This approach flourishes in cloud and internet-facing systems, data and people.
- Training of staff and administrators to identify these types of attack.
- Use of incentive programmes to encourage good staff behaviours.
Theft/Loss of User Access Devices, computers or mobile platforms
Threats: Remote access to cloud solutions introduces concepts like Bring Your Own Device (BYOD) for flexibility, but can increase the risk of data loss. Theft of these devices leads to unauthorised access to cloud systems and data. A mixed portfolio of tools and platforms that are largely user-specified needs a security framework in place to maximise flexibility (for users) whilst hardening the IT platform.
- End-point encryption.
- Strict physical access control.
- Limited USB functionality.
- Comprehensive inventory of devices approved and otherwise.
- Comprehensive asset monitoring.
- Remote ‘wipe’ and ‘kill’ capabilities.
Whilst the above lists are not a full list of threats and countermeasures for cloud environments, they are intended to inform users and generate sensible discussion about security posture, threats and exposure. As an IT security focused company, we come across a range of threats and mitigations that our clients encounter. We have used the Cyber Essentials and ISO27001 frameworks to guide our customers and we would be more than happy to field your enquiries and concerns on any of the items we have cited. For further information on our products and services please refer to the security pages on the Xpertex site.