Security: The Basics #1
Welcome back, my Security-concerned Reader,
This is our first and opening Article in the field of Cloud Security. Long promised, and more than a year after starting our Blog, we’ve put together an introduction, in a few chapters, to the world of Security as applied to Cloud Technologies and Network Topologies. Talking about Security today often sounds like a tautology, and indeed so, because there are countless Security aspects to consider, the most dangerous of which are not even virtual.
Security as applied to the people working for you, who are supposed to stick to your Security Practices, is easily overlooked, although “leaks” most easily happen at this stage. We aren’t going to touch Social Security as a whole, my Dear Reader, as it would be worth a book of its own. Likewise, we aren’t going to cover Security Aspects in a Client to Client environment: shared WANs, LANs, Wireless Hacking, Wardriving and many more all-time favourites of ours fall into this Category and we’d love to tell you about them; then again, this isn’t strictly speaking our Field of Operations.
The Network Topologies and respective threats we’ll endeavour to cover in our MiniSeries will therefore be:
A) One Client to One Server
B) One Client to Many Servers
C) Many Clients to Many Servers
D) Many Clients to One Server
Before the Cloud “happened”, which we’d dare estimate was around the first Decade of this Century, relationship A above was the privileged way of communication in the World Wide Web; it still is the most relevant one in the grander scheme of things. As you will notice, though, nowadays, as opposed to back in 2001, we’ve moved to the Cloud, and the Cloud means that ever more intertwined Networks are communicating: from tens of thousands of End Users hitting one and the same Server to receive viral content (in the best case scenario) to tens of different remote Network Addresses communicating with your one and only favourite mobile device. None of this was imaginable back in 2001, both because of the utterly slow 56k Modem connections and because of the low Internet penetration worldwide.
So let me welcome you back to 2015, the Cloud Security Era, and promise you that we’ll – as always – strive to scratch this Subject’s surface, rouse your interest for more and, most importantly, shed some light on what our Operations have to do with Security in general. This first Article is about basic concepts and notions on the Cloud and its most dangerous angles as a whole.
Every day, fresh news, blogs, and other writings warn us about Cloud computing security threats and dangers; most frequently, security is referred to as the most significant obstruction for cloud computing uptake. However, this talk about Cloud security makes it hard to form an assessment of the real security impact for two particular reasons. First, in a large portion of these discussions about vulnerabilities, fundamental vocabulary terms – including vulnerability, threat and risk – are regularly used interchangeably, disregarding their particular definitions. Second, not every threat raised is distinctive to Cloud computing.
To gain a profound understanding of the diversity that Cloud computing adds to security threats, we must understand how Cloud computing affects established security issues. A key element here is security vulnerabilities – Cloud computing makes certain vulnerabilities more important and additionally adds new ones to the blend. But before we introduce Cloud-specific vulnerabilities, we should first clarify what a “vulnerability” truly is.
Understanding the Vocabulary terms
Before continuing, we are going to introduce you to the definitions of basic Cloud security terms. It’s very important to know the difference between a vulnerability and a threat, because vulnerabilities can be patched, while threats are something you can’t predict. Mixing these terms can cause confusion between a client and the Cloud service provider, making it harder to get a good security assessment.
A vulnerability is a weakness that can be abused by a crook for his own personal gain. Vulnerabilities can be found in software, systems, networks, developers’ environments, etc. A threat is a person who wants to assault resources in the Cloud at a specific time with a specific objective, usually his own monetary gain and a substantial monetary loss for the victim.
According to the US National Institute of Standards and Technology (NIST), the main Cloud characteristics are:
Users can use services without human contact with the service provider. They can use a Website or some kind of management interface to order and manage services.
Universal network access.
Cloud services can be easily accessed over the network (mainly the Internet), using all standard protocols and mechanisms.
Computing resources used to create the Cloud are part of a homogeneous infrastructure which is shared among all Cloud users.
Resources can be expanded and reduced very quickly and elastically.
Resource usage is regularly measured, making the optimization of resource usage possible as well as the use of more flexible business models.
Cloud Security Vulnerabilities
Most of the vulnerabilities in Cloud security have their root in one of the main Cloud characteristics. Let’s introduce you to some of the most common vulnerabilities present in Cloud computing.
Session riding happens when a crook steals a victim’s cookie in order to use the application in the name of the victim. A hacker can also use CSRF attacks with the specific goal of tricking the victim into sending validated requests to arbitrary sites to accomplish different things.
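As an added example (not part of the original article), here is how a server can blunt both problems: cookie attributes that make the session cookie harder to steal, and a per-session token that a state-changing request must carry. The cookie name `sid`, the `SERVER_KEY` secret and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Assumption: one secret per deployment, kept server-side only.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session_cookie() -> SimpleCookie:
    """Build a session cookie that is harder to steal or to ride."""
    cookie = SimpleCookie()
    cookie["sid"] = secrets.token_urlsafe(32)  # unguessable session id
    cookie["sid"]["httponly"] = True       # page scripts cannot read it
    cookie["sid"]["secure"] = True         # never sent over plain HTTP
    cookie["sid"]["samesite"] = "Strict"   # not attached to cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie


def csrf_token_for(session_id: str) -> str:
    """Token tied to one session; the server embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, session_id: str,
                       submitted_token: Optional[str]) -> bool:
    """Allow a state-changing request only if it carries this session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    if not submitted_token:
        return False  # the cookie alone is not proof of intent
    expected = csrf_token_for(session_id).encode()
    return hmac.compare_digest(expected, submitted_token.encode())


if __name__ == "__main__":
    sid = new_session_cookie()["sid"].value
    print(is_request_allowed("POST", sid, csrf_token_for(sid)))  # genuine form
    print(is_request_allowed("POST", sid, None))                 # token missing
```

A request forged from another site arrives with the victim's cookie but without the token, so the check fails even though the session itself is valid.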
Cryptography algorithms typically require random number generators, which need unpredictable sources of information to generate genuinely random numbers, meaning that they need to have a large entropy pool. If the entropy pool is too small, the numbers can be guessed by using brute force. Since virtual machines do not have a lot of user interaction, they must use whatever sources are available, which could result in numbers that are easy to guess, making cryptography algorithms unsafe.
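The effect of a small entropy pool can be shown on a toy generator. This is an added example, not code from the original article; it assumes a virtual machine whose only source of randomness is the second at which it started, and the timestamp `IMAGE_BOOT` and all function names are constructed for the illustration.

```python
import math
import random
import secrets

# Constructed sample value: 2015-01-01 00:00:00 UTC as a Unix timestamp.
IMAGE_BOOT = 1420070400


def weak_token(seed_second: int) -> str:
    """Anti-pattern: the only 'entropy' is the second the VM started."""
    rng = random.Random(seed_second)          # deterministic, not a CSPRNG
    return "%032x" % rng.getrandbits(128)     # looks like 128 bits, is not


def effective_bits(candidate_seeds: int) -> float:
    """Real strength of a token when only this many seeds are possible."""
    return math.log2(candidate_seeds)


def find_seed(token: str, first: int, last: int):
    """Audit check: is the token reproducible from a seed in [first, last]?"""
    for second in range(first, last + 1):
        if weak_token(second) == token:
            return second
    return None


def strong_token() -> str:
    """Fix: draw from the operating system's CSPRNG."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    token = weak_token(IMAGE_BOOT + 1234)
    # Strength of a token whose seed lies somewhere in a one-hour window.
    print(round(effective_bits(3600), 1))
    # The weak token is reproducible from the window, the strong one is not.
    print(find_seed(token, IMAGE_BOOT, IMAGE_BOOT + 3599))
    print(find_seed(strong_token(), IMAGE_BOOT, IMAGE_BOOT + 3599))
```

The weak token is 32 hex characters long, yet it is worth fewer than 12 bits if the start time is known to within an hour.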
Data protection and portability
When deciding to switch from one Cloud service provider to another, we must address the problem of data portability and deletion. The old Cloud provider needs to erase all the data we had stored in his Cloud, and make sure that there is no valuable data lying around. Also, a Cloud provider that goes out of business should give the data to the clients, so they can move to another Cloud service, and afterwards delete all the data. Of course, regular backups and reliable Cloud service providers are always recommended, because some providers do not provide clients with data after their company goes out of business.
By using Cloud services, we are dependent upon the Internet connection, so if the Internet temporarily goes down because of a lightning strike or regular maintenance, we would not be able to connect to the Cloud. Consequently, the business will gradually lose money, because the clients would not be able to use the service that’s needed for the business operations. Not to mention 24/7 services, like a hospital Cloud, where human lives are at stake.
Cloud Security Threats
Before deciding to move to the Cloud, we have to take a look at the panorama of Cloud threats and vulnerabilities to determine if the Cloud service is worth the risk because of the numerous advantages it provides. We are now going to introduce the top security threats in a Cloud service.
Easy to use
The Cloud can be easily used by malicious users, since the registration procedure is very simple and only requires having a valid credit card. In some cases it’s even possible to pay for the service with PayPal, Western Union and Bitcoin, in which case crooks can stay absolutely anonymous. The Cloud can be used maliciously for different purposes like spamming, botnet servers, malware distribution, DDoS attacks as well as many other things.
Secure data transmission
When exchanging data between clients and the Cloud, the data needs to be exchanged over an encrypted, secure channel. Otherwise, there is a possibility of MITM attacks, where the data can be stolen by a hacker intercepting our communication.
Employees working at a Cloud service provider could have full access to the company assets. Therefore Cloud service providers must have legitimate security measures in place to track employee activities such as viewing a client’s data. Since Cloud service providers frequently do not apply security policies, employees can get classified data from arbitrary clients without being detected.
The data kept in the Cloud could be lost because of a hard drive malfunction. A Cloud service provider could accidentally erase the data, a hacker could modify the data, etc. So, the best way to secure the data from possible loss is by making regular backups, which are the best possible prevention of data loss problems. Data loss can have a big impact on the business, and it could even end in bankruptcy.
When a virtual machine has the ability to access the data of another virtual machine on the same host, a data breach can happen – the problem is considerably more complicated when the “occupants” of the two virtual machines are different clients. Side-channel attacks happen when a virtual machine can use a shared component, such as the processor’s cache, to get the data of another virtual machine running on the same host.
It’s frequently the case that just a password is needed to access an account in the Cloud and control the data, which is why the use of two-factor authentication is advised. In any case, a hacker gaining access to the account can change the data and make the data untrustworthy. Also, attackers can add malicious code to the web page, which will attack any visitors of the website – this is known as the watering hole attack.
Many Cloud services online are exposed through application programming interfaces. Since the APIs are accessible from anywhere on the Internet and share many vulnerabilities with web applications, hackers can use them to compromise the integrity and confidentiality of the clients. A hacker can get a token used by a client to access the service through the API and then use it to control the victim’s data. This means that you should always use services with secure APIs, rendering these attacks worthless.
We hope that this article brought Cloud security basics closer to you. If you are planning to move your current operation to the Cloud, you must understand the Cloud-specific threats if you want the move to be successful. You shouldn’t rely just on the Cloud service provider to take care of security for you, but instead, you should understand the risks and before moving your business to the Cloud, ask the right questions such as – how do they (Cloud service provider) address certain security threats, and then take it from there.
Also, you should always make remote backups of your data, even if the provider is already making backups for you – it’s always better to have multiple backups than to learn that data was not backed up when the need to restore it appears.
If you have any questions about Basics of Cloud Security, do not hesitate to ask, we’re here for you. Share your story in the comments or consult us if you found this article relevant to your Business or daily operations.