While adopting cloud computing can improve your overall security posture, it is also important to note that the cloud itself is weaponized to gain access to resources, and this happens in many situations and across many different types of attack.
The diagram shows an attacker gaining access to VMs hosted at a cloud provider; it could be any cloud provider. By leveraging the compute resources of the VMs hosted there, the attacker can attack on-premises resources. The advantage of that attack is that the power of cloud computing is turned against the limited capacity you have on premises. This is one typical scenario. Another one is DDoS: many distributed denial-of-service attacks leverage cloud resources.
Another attack that happens is one that takes advantage of configuration failures. There was a flaw in the configuration, a failure in the DevOps process: public keys were not stored securely in the cloud. This event took place in 2015, when bots were scanning GitHub to steal Amazon EC2 keys. The problem was that those keys were stored with a public cloud provider, were not encrypted, and were wide open. It was definitely a configuration failure.
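The mitigation for the 2015 incident described above is to catch credentials before they reach a public repository. The following is an added example, not code from the original article: a minimal pre-commit style scanner that flags AWS access key IDs by their format and candidate secret keys by a name heuristic plus a Shannon entropy threshold. The regular expression for the secret key and the entropy threshold are assumptions of this example; the sample values are the placeholders from AWS's own documentation plus a constructed low-entropy dummy.

```python
import math
import re
from collections import Counter

# AWS long-term access key IDs are 20 characters starting with "AKIA".
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Heuristic (assumed, not an official format spec): a 40-character
# base64-style token that follows an "aws ... secret"-style variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?[\"'=:\s]([A-Za-z0-9/+=]{40})\b"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; random 40-char secrets sit above this

# Constructed sample file: AWS documentation placeholders plus a dummy value.
SAMPLE_CONFIG = """\
# constructed sample credentials file
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; filters out obvious dummies like 'AAAA...'."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Never echo a whole secret into a scanner report or log."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str):
    """Return (line_number, finding_type, redacted_value) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            # The low-entropy dummy on line 6 matches the regex but is dropped here.
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings
```

Running `scan_text` over a diff in a pre-commit hook and rejecting the commit on any finding is the point; the redaction keeps the scanner itself from leaking the value into CI logs.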
Nowadays, attackers are shifting their efforts to evading the detection controls provided by Cloud Workload Protection Platforms (CWPP). Most of these platforms rely on an agent installed on the VMs, and one way to evade detection is to kill the agents: attackers compromise the agent so that the sensor is no longer running. The first occurrence of this type of attack took place in January 2019 and was reported by Palo Alto Networks. It was malware called Rocke, which was uninstalling the agents from the CWPP.
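An agent that has been uninstalled cannot report its own removal, so the detection has to run outside the guest: correlate the cloud control plane's inventory of running VMs with the last check-in each agent sent. The following is an added example, not code from the original article or from any CWPP vendor; the inventory fields, VM names, timestamps and the ten-minute silence threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# How long an agent may go without reporting before we treat it as tampered.
HEARTBEAT_MAX_AGE = timedelta(minutes=10)

# Constructed sample: what the cloud control plane says about each VM
# (field names are hypothetical, not a specific provider's API).
INVENTORY = [
    {"vm": "web-01", "state": "running"},
    {"vm": "web-02", "state": "running"},
    {"vm": "db-03", "state": "running"},
    {"vm": "batch-07", "state": "stopped"},
]

# Constructed sample: last check-in the protection platform received per VM.
# db-03 never enrolled; batch-07 is stopped, so silence there is expected.
HEARTBEATS = {
    "web-01": datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc),
    "web-02": datetime(2019, 1, 15, 10, 30, tzinfo=timezone.utc),
    "batch-07": datetime(2019, 1, 14, 18, 0, tzinfo=timezone.utc),
}

NOW = datetime(2019, 1, 15, 12, 5, tzinfo=timezone.utc)


def find_silent_agents(inventory, heartbeats, now):
    """Return (vm, reason) for every running VM whose agent is not reporting.

    The check runs outside the guest, so an uninstall performed on the VM
    cannot suppress it; it only makes the VM go quiet, which is the signal.
    """
    alerts = []
    for vm in inventory:
        if vm["state"] != "running":
            continue  # no agent expected from a stopped VM
        last = heartbeats.get(vm["vm"])
        if last is None:
            alerts.append((vm["vm"], "never reported"))
        elif now - last > HEARTBEAT_MAX_AGE:
            alerts.append((vm["vm"], f"silent for {now - last}"))
    return alerts
```

web-01 reported five minutes ago and passes; web-02 has been quiet for over an hour on a VM the provider still reports as running, which is exactly the footprint an agent-killing malware leaves behind.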
It is imperative that, before adopting any cloud computing solution, organizations understand the general security considerations that come with the cloud computing model. You should have Cloud Workload Protection in place as part of your design, and it should be among your design considerations not only for cloud workloads but for hybrid scenarios as well. Sometimes customers are not fully aware that a hybrid scenario means you have some computing power running in the cloud and there is interaction between your public cloud provider and your on-premises infrastructure. When thinking about cloud security considerations, you should think of the following items:
- Risk management
- Identity and access management
- Operational security
- Endpoint protection
- Data protection
When the subject is compliance, you should think of the migration process. Organizations retain their own compliance obligations, and they need to dictate how the resources being migrated to the cloud will remain compliant. Some workloads might need to be PCI compliant; others might need to be NIST or HIPAA compliant. You need to evaluate this from different angles during the cloud workload migration process. Different cloud workloads might require different compliance mechanisms, and you need to take those into consideration. Usually, most cloud solution providers will give you more details about their compliance platform.
The second consideration is risk management. Customers must be able to trust their cloud solution providers; the cloud runs on trust, basically. That is something Microsoft says a lot: Microsoft runs on trust. Cloud solution providers, in general, should have policies and programs in place to manage online security risks. These policies and programs may vary depending on how dynamic the environment is, and customers should work very closely with their cloud solution providers to demand full transparency and understand the risk decisions.
Regarding identity and access management, this is a very important subject because identity management is a pivotal point in today's security. It lets you manage not only access to the cloud provider's portal but your entire identity perspective for accessing resources in the cloud. So make sure that your cloud provider offers different options, and also use multi-factor authentication, which is very important nowadays.
Operational security: when you are migrating to the cloud, you should adjust your internal processes to the cloud. Do not bring old processes from the on-premises scenario and try to just fit them into your cloud deployment. Make sure that your security monitoring, your auditing, incident response, your forensics, everything is adapted to the cloud environment. And when I say adapted to the cloud environment, many times it means re-engineering some of these aspects. For example, forensics in the cloud is different from forensics on premises.
Endpoint protection. Endpoint protection is about how you are going to access those cloud resources because, in the shared responsibility model, which is what the cloud providers will always tell you about, the endpoint, the machine that is accessing the cloud resource, might be compromised. Securing it is not up to the cloud provider; it is your responsibility. So you must continue to monitor your endpoints so that they do not compromise your cloud resources. You must ensure that you have that in place, and you need to ensure that you have some sort of EDR (endpoint detection and response) in place.
And last but not least, data protection, which is very important. Most attacks, most threat actors, are going after the data itself. So you need to ensure that you have protection for data at rest on the user device, which is very common in BYOD scenarios where the user is accessing cloud data from their mobile device. You need to make sure the data is secure at rest; in other words, that you have encryption at rest on the user's device. You have to be sure that the data is encrypted in transit between the user device and the cloud provider, and that the data is encrypted at rest in the cloud provider's data center itself. So you need to be fully aware of how this process works. You must think about the data entry points between the cloud and your on-premises computers. All of these points have to be encrypted.
*This article is based on Microsoft Press media, Pearson Education materials and Yuri Diogenes' lectures.