Keeping One Step Ahead of Cloud Hackers
A number of high-profile security breaches in cloud systems (such as the one that recently occurred at Lowe's) have reinforced the idea that the cloud is no more secure than any other computer network or system, and may be even more vulnerable.
Cloud systems are also tempting targets for hackers because a single successful breach can expose information from multiple companies or organizations. The key security issues that hackers actively exploit today can be grouped into the following three categories.
Cloud access key leakage: In the context of infrastructure as a service and platform as a service, clients are often provided access keys. Hackers can identify central developers or stakeholders, invite them to a special website through social engineering, and then break into their desktops and steal access keys. Once that access key is identified by a hacker, they have a pathway to all corresponding cloud accounts.
Zero-day vulnerabilities: A zero-day vulnerability is merely a software hole unknown to the vendor or developer. There is sometimes a race between hackers who try to exploit the hole and vendors who want to patch the hole.
Lost systems: Projects in development generate a fair amount of incomplete and insecure drafts. These drafts aren't necessarily destroyed—they can be left unmonitored, unmaintained, and, perhaps more importantly, unpatched within the final cloud environment. These relatively unprotected project components are sweet targets for hackers to enter the rest of the system.
Maintaining and monitoring these drafts is impractical. However, utilizing a central storage system for all log files and keeping them in a protected environment can cut down on a significant security weakness.
To keep one step ahead of hackers, you need to understand what you can protect, where you might lose visibility, and where you need to apply extra security assurance.
Not all recommendations are suited for every organization, but these are some controls everyone can and should implement.
- Secure your cloud access with two-factor authentication. This adds an extra step to basic log-in procedures.
- Apply an IDS/IPS solution to your cloud infrastructure. Intrusion detection systems and intrusion prevention systems are critical components of commercial cloud security.
- Auditing and monitoring are vital. Check your systems on a regular, scheduled basis to evaluate their security.
- Keep your eggs (projects) in separate baskets, including billing accounts.
- Make common passwords uncommon by generating random values when they are stored.
- To keep your environment secure and simple, use a virtual private cloud. This allows different organizations using the same cloud environment to be isolated from each other.
- Utilize the development cycle as opposed to legacy systems and frameworks. In other words, build new rather than recycle old systems.
For more ideas, the Cloud Security Alliance has a Security, Trust and Assurance Registry (STAR) program that offers a comprehensive set of offerings for cloud provider trust and assurance.
Stay alert, maintain your cloud security, and send me an email or leave a comment if you have any questions.