Will We Really Be Secure in the Cloud?
This post is the second in a series that answers tough questions regarding the cloud that people have asked me repeatedly over the years. The prior post discussed cost. It was the first in this series and provides a lot of background and context for the series. Please read that post first if you haven’t already.
This post focuses on cloud security, which is definitely one of the top areas of concern for companies considering a move to the cloud. Do a quick online search of “cloud security survey.” You’ll find some recurring themes:
- A majority of those surveyed state that security is their main concern with cloud computing (here, here, and here, but not here)
- Some still fear a loss of physical control over their data (here)
- Most of them are moving workloads to the cloud anyway! (here)
- Confidence in public cloud security is growing (read here)
Obviously this is a hot topic. But it’s also a massive and complex topic. As such I’m going to focus on high value targets, such as dispelling common misperceptions, and recommending various security options and best practices.
Fear and Trust
People tend to fear what they don’t understand, and many people simply do not understand in detail how public clouds work. As an analogy, do you understand in detail how your bank keeps your money safe? Most likely you feel pretty confident given what you’ve seen on TV: bank vaults, security guards, emergency buttons under the teller’s counter, etc. And you also feel good when you see “FDIC Insured” on your bank’s office, or website.
Let’s take the bank analogy further. Banks are a multitenant environment; you store your money there along with many others. Your bank account is like a public cloud account or subscription. You access and control your bank account over the internet, just like your cloud resources. Hackers have targeted banks repeatedly and successfully, and stolen plenty of money (read here), just like hackers have successfully targeted other online properties. And yet the vast majority of people trust that banks are secure, but many have doubts about security in the public cloud. As you’ll see throughout this blog post, I contend that we all have good reason to trust the public cloud providers at least as much as we trust our banks.
The important distinction between banks and the public cloud is that if the bank is robbed or hacked, most likely your money will be safe because it’s insured. And after the robbery you can go on with life without concern for any ongoing harm related to the theft – your account balance is unchanged. What we store in the public cloud, however, is data. And herein lies the important distinction: *data is much more complex than money*. If a hacker steals your data, you can never get back the hacker’s copy of that data. What’s the value of that data? How much harm could be caused by hackers using that data? How many people or customers would be impacted, and for how long? Will your business survive the theft? Those are scary questions, so no doubt people are concerned about cloud security.
It’s no wonder these people are concerned about putting their data in the public cloud. As per the surveys mentioned above, many people think it’s safer keeping their data on-prem in their own data center. But if your data center isn’t thoroughly locked down, or if your security practices are lax, keeping your data on-prem is probably no safer than keeping your life savings under your mattress. Is that where you keep your money?
Common Security Breaches
It’s worth asking what are the most common causes of security breaches. An authoritative answer can be found in the OWASP Top 10. The detailed results can be found here, but for the sake of brevity, here’s the top half of the list:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
Or look at a few of the top 6 causes of security incidents from another source:
- Phishing, hacking or malware (31%)
- Employee action or mistake (24%)
- External theft (17%)
Or a few from still another source’s top 8 causes of data breaches:
- Weak and Stolen Credentials, a.k.a. Passwords
- Back Doors, Application Vulnerabilities
We could keep going on and on, but are you seeing anything about the cloud in these lists? The point is, not a single one of these causes of security breaches has anything to do with the cloud. Rather, most of them can quite simply be classified as lax security practices. Either these companies aren’t aware of security best practices, or aren’t diligent in following them.
Okay, so let’s take a different tack and focus specifically on the cloud. Here’s an article from InfoWorld about the Cloud Security Alliance’s “Treacherous 12” cloud computing threats. Here’s the top 5 from the list.
- Data breaches
- Compromised credentials and broken authentication
- Hacked interfaces and APIs
- Exploited system vulnerabilities
- Account hijacking
The InfoWorld article is a pretty quick read, but to summarize at a high level it states that the cloud offers some new potential attack vectors, and that if a public cloud was hacked it could cause serious damage. That’s completely true, and scary. But I also agree 100% with this InfoWorld article, entitled “For cloud security, it’s not the hackers you should fear.” You should fear businesses who don’t take the time and effort to secure their applications, whether they’re in the cloud or not. The point is clear: wherever you host your applications and data, whether on-prem or in the cloud, you need to follow security best practices in order to protect your data.
Let’s take a closer look at security in the cloud.
Does your data center have physical security measures that are comparable to well-established hosting providers, or to the public cloud providers? Are there armed guards at your data center? Does your data center pass all of its physical intrusion tests? Does your company even do physical intrusion tests? Can your employees easily access data within the data center, or is access restricted?
I’ve toured an Azure data center in person, and you can tour one online. The facility was totally locked down and run by a skeleton crew who are very well trained for their respective jobs. They said there were only around 10 to 12 employees there, and the majority were armed security people. There were only a few employees monitoring the data center infrastructure, and they have no access to any data stored in the facility. They can’t even get access to data unless a customer explicitly grants them access for troubleshooting purposes, and the duration of that access is very short-lived.
Microsoft takes securing data so seriously that they don’t even allow hard disks to leave the facility. Instead they grind them into dust onsite, and only their dusty remains leave the data center.
In short, public cloud data centers are quite secure. But practically speaking, that’s the easy part of securing the public cloud.
Other Security Factors
Obviously, the public cloud is a massive target for hackers, and it’s a safe bet they’re trying to break in all the time. But lots of sites are getting hacked all the time, so what makes the cloud so special? Is it easier to hack into the public cloud than other sites?
Public cloud providers like AWS and Azure invest heavily in securing their respective clouds. Their very existence depends on it. Just imagine the ramifications if there was a security breach in the public cloud whose root cause was lax security by the cloud provider. Such an incident would crush everyone’s confidence in that provider, and there would be a mass exodus! It might even have a ripple effect that would impact other cloud providers as well. Cloud providers simply must invest heavily in hiring top security talent to secure their clouds. Still, I don’t envy those security experts who are busy securing the public cloud. Talk about a tough job that could keep you awake at night!
If you take a step back and think about it, there are only a few things that make the public cloud a larger attack vector than on-prem or private hosting options.
- One long-standing attack vector is using someone else’s credentials to gain access to various resources on the network. While that approach is nothing new, the public cloud introduces some new wrinkles. Some companies allow access to their public cloud resources via non-corporate accounts. That means if a hacker steals a user’s personal credentials, those credentials may be sufficient to access corporate cloud resources. For example, I can log into some of my clients’ Azure subscriptions using my Microsoft account, which means they’re trusting that I’ll secure my account. That’s why I’ve set up multifactor authentication on my Microsoft account, and why I recommend multifactor authentication to all of my Azure clients. It is also a best practice to follow the principle of least privilege, locking down your cloud resources, especially production resources and any sensitive data.
- Another “wrinkle” related to stealing someone’s credentials is that users access public cloud resources via well-known public websites & APIs, such as the AWS and Azure portals, and their associated APIs. So if a hacker hijacks a user account, the hacker may be very familiar with navigating the cloud portal or using that cloud’s APIs to wreak havoc.
- Still another “wrinkle” related to stolen credentials: what if someone actually did hijack a public cloud account? They would then have the ability to leverage the vast computing resources of the cloud to do their bidding. This happened to one of my clients whose employee checked in his/her credentials to a public repository. An unkind troll wreaked havoc by using those credentials to run a script that stood up a huge number of cloud VMs, which was very costly. (Should have used multifactor authentication!) Fortunately, the cloud provider forgave the costs, but the result could have been much worse.
- Another potential security risk has to do with the complexity of cloud computing, and the learning curve associated with mastering that complexity. It is critical to have a solid understanding of security-related cloud best practices, but unfortunately that’s not always the case. I could share still more examples of some of my clients’ past security woes that were caused by a lack of awareness of cloud security best practices, but those clients have suffered enough already. Just be sure to engage some experts to help with your cloud deployments. Also, the public cloud providers are constantly introducing new features to improve their respective clouds, including security related improvements. Be sure to stay up to date with your cloud provider’s improvements, and take advantage of them.
- Still another potential security risk is related to the fact that all cloud resources run on top of the cloud provider’s hypervisor. A common concern is that a hacker might access a guest VM legitimately, and then somehow break out of that VM to directly access the host machine, or the cloud hypervisor. This is the same concern people have had for years with technologies like Hyper-V, VMware, and Docker. However, in the end this is simply out of our control, and we must all rely on our cloud providers to prevent such a breach.
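The leaked-credentials incident in the list above is the kind of mistake a check run before every commit can catch. The following Python sketch is an added example, not part of the original post: it scans text for AWS access key IDs, Azure storage account keys, and high-entropy values assigned to secret-like names. The rule names, entropy threshold and sample data are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Well-known credential formats for the two clouds the post names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure_storage_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}
# Quoted value assigned to a name that suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|password|passwd|token|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per repository

def shannon_entropy(value):
    """Bits per character; random keys score high, words and placeholders low."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def redact(value):
    """Keep only the first four characters so the report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan(text):
    """Return (line_number, rule, redacted_value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex or 0)
                findings.append((lineno, rule, redact(value)))
        for match in ASSIGNMENT.finditer(line):
            if shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_secret", redact(match.group(1))))
    return findings

# Constructed sample: the AWS values are the placeholders used in AWS documentation,
# the Azure key is a made-up string with the length of a real storage key.
FAKE_AZURE_KEY = "Ab1/" * 21 + "Cd=="
SAMPLE = "\n".join([
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'conn = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=' + FAKE_AZURE_KEY + ';"',
    'password = "changeme-changeme-changeme"',
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The low-entropy placeholder on the last sample line is deliberately not reported; lowering the threshold trades fewer misses for more false positives. Any real finding should be treated as a credential to rotate, since removing it from the latest commit does not remove it from repository history.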
For a more complete perspective, let’s contrast those potential attack vectors with some areas where the cloud providers try hard to reduce security risks.
- It’s well known that unpatched servers are a common attack vector, and the cloud can help here. Some cloud providers, like Azure, keep their *host* machines up to date with the latest security patches. Also, most guest VMs are configured by default to install security patches automatically. But you should really orchestrate patching your guest VMs on your own, using tools such as Windows Server Update Services (WSUS).
- Most cloud providers allow you to lock down your resources very much like you would on-prem, with virtual networks, subnets, IP ranges, policies, ports, etc. Some also offer third party virtual appliances like you would use on-prem, like Cisco, F5, and Palo Alto.
- Some cloud providers offer easy access to third party security services, such as virus scanners, DDoS protection, etc. There may be additional costs with these services, but they are often very easy to add to your VMs.
- I have repeatedly mentioned how important it is to follow security related best practices in the cloud. To help you with that, cloud providers like AWS and Azure have websites that document in detail how to secure your cloud resources. For example, AWS offers its cloud security site, and Azure offers its Trust Center.
- Some cloud providers even offer more proactive services that encourage cloud security best practices by scanning your cloud resources looking for weaknesses, suggesting improvements, and even detecting issues and suggesting remediating actions. For example, Azure offers its Security Center, which does all of the aforementioned.
When all is said and done, your cloud resources will only be secure if both you and your cloud provider follow all security related best practices. The cloud provider must secure its data centers, its cloud infrastructure, its cloud fabric, its cloud services and APIs. On top of that, you must secure your cloud networking, storage, compute resources, applications, data and identity. If you both do your part, you’ll make it tough for the hackers.
So do your part! Read your cloud provider’s security recommendations and follow them. Use the tools and technologies available to you to secure your cloud resources. Secure your user accounts with multifactor authentication. Lock down your networks, subnets & ports, and leverage firewalls. Grant minimal access to cloud resources, etc., etc. Bring in experts to help you migrate to the cloud, or to review your cloud implementation. In short, take the time and effort and spend the money to protect your data and avoid becoming the next hack.
Cloud security remains a hot topic and a big concern for those considering a move to the cloud. And so the question remains: “Will we really be secure in the cloud?” The answer is that it all depends on you. From a security perspective, deploying your applications to the cloud is no riskier than deploying them on-prem. You just need to follow all of your cloud provider’s best practices and then you can safely enjoy all of the advantages of moving to the cloud.
Cloud on, and be safe & secure!