Because your company has probably moved to the cloud, either through planned action or because of shadow IT, app security should be your major concern. There are some things you are going to worry about, but shouldn't: the cloud operator stealing your data at rest, bad actors intercepting and reading your data in flight, bad actors "hacking the cloud" and stealing everything. When you eliminate these things, then you get back to the things that really matter.
5 MIN. READ
Almost every company is moving to the cloud in some way, whether through planned action or because employees are adopting unsanctioned cloud services. Workers typically adopt cloud services to more efficiently do their job, but they do it without considering the security implications—a concern for business management.
Unfortunately, companies often worry about the wrong issues when it comes to cloud security. Cloud providers, on the whole, do a much better job of securing their services than the average business, so you should not be overly worried about cloud provider security or whether your cloud provider will be hacked.
The most worrisome threat to cloud infrastructure are breaches, which have a variety of causes.
Instead, you should worry about the parts of the cloud that you control. Those concerns will differ depending on which type of cloud your company deploys. Infrastructure as a Service (IaaS) gives you much more control over security but also much more responsibility for it. Software as a Service (SaaS) gives you the least amount of control over security and transfers much of that responsibility to your service provider. Platform as a Service (PaaS) is a mixture of the two.
For these reasons, the model of cloud service you adopt will determine the level of your provider’s responsibility when it comes to security. Here’s what you need to know.
The most worrisome threat to cloud infrastructure is the same as with any other infrastructure: breaches, which have a variety of causes. It is important to recognize that there are different levels of breaches; an attacker who gains access to an administrator account has far more control than one who accesses a limited user account.
For that reason, you should worry more about the administrative and privileged users, and monitor those accounts beyond what is normal for all user accounts. This security threat applies to all types of clouds, since company employees maintain some form of administrator access for SaaS, PaaS, and IaaS infrastructure.
By extension, you should give special attention to the importance of identity and access to securing cloud services. The store for identity and access data should be protected and monitored closely. However, with the average company having to deal with 1,031 cloud applications used by its employees, this cannot be accomplished without having a federated identity management or single sign-on infrastructure.
Distributed denial-of-service (DDoS) attacks have become more sophisticated and easier to launch. DDoS-for-hire services, also known as booters or stressers, are readily available to take down networks or websites. And with cloud services becoming more popular, DDoS attacks have become more impactful as well, because the attackers can disrupt critical business services to many companies with a single attack.
In October 2016, for example, a large DDoS attack powered by tens of thousands of digital video recorders, cameras, and home routers targeted DNS provider Dyn, whose customers rely on the service to direct online users to their sites. As a result, many Internet services—including Netflix, Twitter, and PayPal—were disrupted.
You’ll need to determine whether your provider is elastic enough to weather an attack. While many cloud infrastructure providers offer capabilities to increase bandwidth, they often charge for that extra bandwidth during an attack, costing your business enormously. You need to assess at what point it costs too much to keep up with the level of attack and makes more sense to hire a DDoS mitigation service to intercept bad traffic before it gets to your apps.
In 2015, a hacker used a vulnerability in antivirus firm BitDefender’s public cloud to steal an unknown number of unencrypted usernames and passwords. Vulnerabilities are no less a threat to cloud infrastructure than they are to on-premises devices and appliances.
Companies must be able to patch in an agile way, which means that operations teams need to know which infrastructure components are vulnerable and have options for managing that vulnerability. Fast patch deployment should be a priority, but virtual patching should also be available to give security teams enough time to fix problems without causing more issues.
Overall, cloud services and platforms tend to be more secure than the average company’s infrastructure owing to service-level agreements and regular updating and patching, so businesses should focus on the aspects of cloud within their control. Companies will find the cloud a much more secure option if they focus on controlling access and credentials, keeping services available, and managing vulnerabilities in the parts of the cloud infrastructure that are under their control.
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and the F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on InformationSecurityBuzz.com, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.