Business trends and changing technologies continue to present both challenges and opportunities for information security professionals and cyber-criminals alike. As enterprises and organizations in other sectors increasingly turn to on-demand resources, multi-tenant architectures, and distributed infrastructure to manage their operational and staffing needs, the cloud is emerging as a new frontier in the ongoing battle to ensure data integrity and security.
The web-connected, virtualized and centrally managed environment offers a contrast to traditional methods of maintaining corporate security, which had a more localized and device or system-specific focus. And the fact that there are so many avenues for connecting to cloud-based services means that security professionals now have multiple factors to consider – just as those seeking to gain access to valued assets are being presented with many more ways of doing so.
Even as cloud adoption increases, many organizations are still reliant on outdated methods of network defense, put together over the years in direct response to the prevailing threat of the moment – but with little thought to how the tools and policies might integrate together, and be proof against the threats of the future.
The traditional approach of addressing individual security threats with device or process-specific tools, manual routines, threat management gateways etc., breaks down in the face of evolving technologies like mobile, cloud, IoT, and their associated threat vectors.
Cloud security demands a wide-ranging strategy – one that takes in both internal and external network infrastructures and views them as a single ecosystem with an attack surface that’s extensive and diverse. Threats may originate from any point: local networks, the wider cloud infrastructure, insiders, endpoint devices, data repositories and more. So security policies, analysis, and controls must encompass the entire system.
The multi-tenant nature of the cloud environment naturally offers a multitude of vectors for the potential assailant. Banks of file servers distributed across the globe, virtual machines, virtual desktops, software repositories (many of which host code and applications from third-party suppliers who may not have been properly vetted) – all of these contribute to the attack surface.
The dangers of multi-tenancy rate high on the list of top threats for 2016 identified by the Cloud Security Alliance (CSA). Among their concerns are the increased exposure to interference or snooping as organizations share memory, data storage facilities, and infrastructure in close proximity to other clients of the same service.
Having so many targets effectively in one place allows cyber-attackers a choice of methods including malware exploits of vulnerable systems, Denial of Service, and the harvesting of information for strategic phishing and socially engineered schemes to gain access to networks, hijack user accounts, or recruit willing and/or unwitting accomplices within client organizations.
There are concerns too about the integrity and internal security of cloud service providers themselves, whose employees may be able to gain access to corporate networks and their sensitive data. Contractors, partners, and other third parties associated with a cloud service are another source of potential threat – and it’s for this reason that enterprises should be advised to seek assurances from providers about their internal access controls and security contracts with third parties, before entering into any Service Level Agreement.
Today’s enterprise networks go beyond the data center to the extended campus of branch offices, remote sites, remote workers, removable storage media, and mobile devices. For much of this activity, cloud deployments are the backbone – and the network perimeter now includes distributed infrastructure and multi-tenant architectures. It also takes in data in transit, including communications between workloads that may never cross a network boundary.
Good housekeeping remains a strong defense, and enterprises should be advised to maintain firewalls, anti-malware programs, Intrusion Prevention Systems, and rationalized security policies that allow for monitoring and real-time alerts of network activity, data traffic, and user activity on all devices in the corporate net.
The protection of information moving across and beyond the network also requires a comprehensive and consistent approach to data encryption, which may be achieved through a combination of asymmetric and symmetric cryptography techniques.
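As an added illustration of the symmetric-plus-asymmetric combination just mentioned (example code written for this page, not taken from the article or from any cloud provider's SDK), the Go snippet below implements envelope encryption: each record is encrypted under a one-off AES-256-GCM key, and that key is wrapped with the recipient's RSA-OAEP public key, so only the private-key holder can unwrap it while the bulk data never touches the slow asymmetric operation. The names Envelope, Seal and Open are assumptions of this example, and the tenant label used as associated data is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what crosses the network: the AES data key wrapped with the
// recipient's RSA public key, plus the AES-GCM nonce and authenticated ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// NewRecipientKey generates the recipient's RSA key pair (use 2048 bits or more).
func NewRecipientKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Seal encrypts plaintext under a fresh AES-256 key (symmetric: fast for bulk data) and
// wraps that key with RSA-OAEP (asymmetric: no pre-shared secret). aad is bound into the
// GCM tag, so the ciphertext cannot be replayed under another tenant or object label.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 data key || 96-bit GCM nonce, fresh per message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(dataKey) // cannot fail: 32 bytes is a valid AES key length
	gcm, _ := cipher.NewGCM(block)     // cannot fail: AES has the 16-byte block GCM needs
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open unwraps the data key with the private key, then verifies the GCM tag and decrypts;
// any change to ciphertext, nonce or aad makes gcm.Open return an error instead of data.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil || len(dataKey) != 32 || len(env.Nonce) != 12 { // wrong key or malformed
		return nil, errors.New("envelope: cannot unwrap data key")
	}
	block, _ := aes.NewCipher(dataKey) // length checked above, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}
```

Because the AES key is fresh for every message, compromise of one envelope reveals nothing about others, and rotating the RSA pair only requires re-wrapping the small data keys, not re-encrypting the data.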
Cloud services typically make Application Programming Interfaces (APIs) available to clients, whose in-house IT staff may use them to develop organization- and application-specific tweaks that streamline a cloud deployment to better suit a company’s needs. Individual user interfaces may also be tweaked to customize the administration console software that allows access and account management.
Much of this software travels across the public internet, which exposes it to interception, tampering, and the introduction of malware. Unsecured and out-of-date operating systems, network software, and security software remain vulnerable to exploits, with zero-day vulnerabilities a particular risk for organizations whose security patching and update policies have fallen behind.
In production environments, secure software development for the cloud and mobile era demands the consideration of an application’s attack surface, throughout its development cycle. This approach requires developers to view applications from an attacker’s perspective, and may involve stress testing and attack simulations to determine the integrity or otherwise of: