Arm yourself against cloud attacks
Stormy Weather
If your clients lose confidence in your ability to operate a system well and securely, you can experience considerable financial losses, especially after a successful large-scale attack. In the worst case, you could find yourself on the wrong end of a lawsuit if the question of gross negligence is raised.
None of that changes in the cloud. Admittedly, unlike conventional setups, the challenge is no longer unique to the provider. All stakeholders share the responsibility for security: From the perspective of the platform, admins ensure that standards (e.g., meaningful network segmentation, software-defined networking (SDN), security policy enforcement, and other functions) are implemented and work as desired to provide security at the platform level. When rolling out their own applications in the cloud, customers and external service providers also ensure that they comply with security best practices.
However, what are these best practices in the context of the cloud? How do customers and external service providers protect their virtual environments from the vast array of attacks that can occur? How do they even find out that something is wrong? Many conventional solutions from the past no longer work in clouds, so the question arises: Which approaches and tools are available to let admins thumb their noses from the outset at potential crooks? In this article, I slip into the perspective of a cloud customer and investigate precisely these questions.
What Is the Threat Scenario?
If you are familiar with security in the IT context, you will be aware that the first relevant question always relates to the threat scenario you want to counter. The answers result in individual safety solutions which, in the worst case, do not share any common components. If you want comprehensive security, you can't avoid this groundwork. Cloud customers have more than enough threat scenarios with which to deal.
This process starts with the choice of platform. Where does the company to which one entrusts one's own data have its registered office, and to whom does it have to grant access to its customer data by law? Does the vendor follow current best practices at the hardware level, and can they prove it (e.g., with corresponding certificates)? Which cloud software does the provider use? Does the provider keep it up to date?
Once the customer has chosen a vendor, the next question is what features they are offered in their platform to enhance security. Do they have an option for installing firewall rules at the platform level? Do they have features like VPN as a Service or other solutions with security relevance? Can they encrypt volumes?
Next is the huge selection of software which the admin can install directly at the virtual machine (VM) level: Classic honeypots are just one example. Finally, another type of threat can also be a real problem: manipulated billing data. How can a customer measure what they are actually using to have a remedy against apparently false invoices?
Protecting Critical Data
One crucial question on the way to the cloud is the question of trust in the provider. It is particularly convenient to simply lease resources from one of the major providers – AWS, Azure, and Google's cloud platform. One of the largest slices of the global cloud cake is currently in the hands of Amazon AWS, and every single day, Amazon expands its portfolio, adding several more as-a-service features.
For years, AWS customers have not operated components such as databases or load balancers themselves; rather, they use as-a-service applications. AWS is comfortable, AWS is stable and reliable, and, moreover, AWS is comparatively inexpensive – so you might think everything is okay.
However, it's not that easy after all. Amazon, Microsoft, and Google are US companies that are primarily governed by US law. Assurances that data are not released on servers in other countries do not help. If the FBI or the CIA knock on the doors at company headquarters, US companies will usually (have to) cooperate. Microsoft actually went to court several times in the US and was forced to cooperate [1].
Moreover, as a cloud customer of AWS and like services, you effectively have no chance to defend yourself against data sniffing by third parties because it is difficult, or even impossible, to provide meaningful protection for a system to which a potential attacker has physical access in the event of an attack. Although encrypted volumes are a tool of choice, they hardly help. As long as they are active and mounted, anyone with access to the hardware can read them without the customer noticing.
If you put your data in the hands of cloud services, you are forced to play the game by their rules. At least for critical data, such as trade secrets, use is therefore forbidden – you simply have no way to protect yourself effectively.
What Is a Good Provider?
Fortunately, AWS, Azure, and Google are not the only active providers of public clouds. T-Systems, with its Open Telekom Cloud, operates its cloud exclusively in Germany and is therefore only subject to German data protection guidelines. Other providers also vie for the favor of users. The only question is: How does a customer know that their cloud is well maintained? The somewhat sobering answer is: They cannot. That said, indicators exist from which conclusions can be drawn.
If you are a customer of a cloud platform yourself, you need to pay meticulous attention to the certificates the provider presents. However, certificates usually don't say anything about whether a cloud is genuinely secure; they just state the extent to which the provider's processes are standardized and documented and reflect the best practices of the respective certifier.
ISO 27001, which provides the "requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization" [2] may be familiar to many people from their own business experience. SOC2 C5 [3] from the German Federal Office for Information Security (BSI) also demonstrates fundamental processes. The Payment Card Industry Data Security Standard (PCI DSS) [4] is far more extensive, with certification correspondingly more difficult to achieve.
The usual provisos apply: If a vendor can provide any certificates at all, in each case, they have had their platform audited in line with the applicable rules and passed the audit. When in search of a cloud provider, such certificates are a useful indicator (Figure 1).
Buy this article as PDF
(incl. VAT)