Despite all of the hand wringing over cloud security, major cloud security breaches haven't been grabbing headlines. The past year has seen major breaches, such as the ones that hit Sony and Epsilon, but we haven't heard much of an emphasis about the cloud being a weakness.
Part of this, of course, could be a simple matter of semantics. Some have emphasized Epsilon's role as a provider of email marketing services -- in other words, it's a SaaS company -- but the breach was a traditional spear-phishing attack used to gain access to email servers, not, say, an assault on hypervisor vulnerabilities.
Cloud providers, such as Dropbox and Google, have had their issues, but the major cloud-related problems have involved outages, not data being breached.
As more enterprise resources move to the cloud, it's inevitable that we will start hearing more about cloud incidents. Minor breaches have already hit GoGrid and the Microsoft Business Productivity Online Suite, but we've yet to see anything on the scale of TJX, the VA, RSA or any number of other on-premise breaches.
That doesn't mean that cloud-invested businesses can breathe easily. "Attacks that work now work so well that you don't have to come up with a new, complex attack methodology," says Chris Eng, vice president of research for Veracode, a provider of cloud-based application security testing services. "Cyber-criminals aren't going to spend a lot of time to come up with a new zero-day attack if they can just use the same old SQL injection attacks that have worked for years."
Hackers Set Sights on Cloud, But Not as a Target
One troubling trend uncovered in the Sony breach is that hackers view the cloud not necessarily as a target, but as a resource. Hackers used stolen credit cards to rent Amazon EC2 servers and launch the crippling attack on Sony.
"Everything the cloud offers to legitimate businesses it offers to criminals as well," says Scott Roberts, senior intelligence specialist at Vigilant, a security monitoring company. "It's becoming common for cyber-criminals to rent cloud infrastructure to set up spambots or to build out a malware command and control infrastructure. At $50 or $60 a month, attackers can take advantage of resources that a few years ago would be too difficult and too expensive to build on their own."
Add cheap infrastructure to low-cost, automated malware kits, botnets that can be rented for a single attack and the ability to outsource such things as the decoding of CAPTCHAS for spammers, and you have a toxic arsenal that can make even simpleton hackers highly dangerous.
Yet, even if hackers aren't specifically targeting the cloud right now, most experts believe that they will start to soon, if for no other reason than the fact that more and more resources are being moved to the cloud. "The cloud is already a tempting target," Eng said. "Data is centralized and you can target one provider to attack multiple companies."
When asked why he robbed banks, Willie Sutton once supposedly said (although he later disavowed this quote), "Because that's where the money is." Today, the most important corporate assets still reside behind the firewall. Tomorrow? The "money" may well be in the cloud.
Why the Cloud Is Vulnerable
One advantage of the cloud is that for the major providers it is in their interest to secure their environments. If Amazon or Google is responsible for the next Heartland-scale data breach, their business will suffer.
Major providers know this and are taking steps to prevent it.
"Networks long ago ceased to be isolated physical islands. As companies found the need to connect to other companies, and then the Internet, their networks became connected with public infrastructure," says Amazon Web Services spokeswoman Rena Lunak.
To mitigate the risks, many organizations took steps to isolate their traffic, such as using Multi-Protocol Label Switching (MPLS) links and encryption. "Amazon's approach to networking in its cloud is the same: We maintain packet-level isolation of network traffic and support industry-standard encryption," she says. "Because Amazon Web Services' Virtual Private Cloud allows a customer to establish their own IP address space, customers can use the same tools and software infrastructure they're already familiar with to monitor and control their cloud networks."
That's all well and good, but common mistakes, such as weak authentication methods or an open management port can undo all of the work providers did to secure those infrastructures.
"One problem with moving to the cloud is that you have to manage your resources remotely," said Carson Sweet, CEO of CloudPassage, a cloud security provider. "Many, many companies leave management ports open to the world. Fraudsters are waking up to this."
How the Cloud Could Infect Your Internal Network?
The big worry Sweet discussed was that poor security practices in the cloud could lead to infections back in the on-premise network. Many companies, wary of cloud threats, simply will not move the most sensitive data into the cloud.
While 82 percent of companies surveyed by CompTIA believe in cloud providers' capability to deliver a secure environment, 58 percent will not put confidential corporate financial information in the cloud. 56 percent keep credit card data out of the cloud, and nearly half refuse to put sensitive intellectual property, trade secrets or HR records in the cloud.
The logic is clear: keep sensitive data behind the corporate firewall where it is more secure.
Unfortunately, that logic has a fatal flaw.
Sweet discussed a client CloudPassage worked with (who prefers to remain anonymous) who had development servers in the cloud. A hacker placed a rootkit onto one of the virtual servers. When the developers noticed something was off with their servers, they brought them back behind the corporate firewall to re-image them. Unfortunately, they brought the rootkit in with them, infecting their entire network.
"Virtual machines can server as Trojan horses if you're not careful," Sweet said.
Be Sure to Secure Those API Keys
The most common cloud worry I heard from security professionals, one repeated over and over again, was about API keys. Most organizations use API keys to access their cloud services, and they represent the keys to the kingdom.
"API keys are a huge issue," Sweet said. "If I know where to look on the server for your API keys, and I manage to get them, I own your cloud deployment."
API keys must be protected. It's not uncommon for IT administrators to do such risky things as email them to one another or store them in a configuration file that's not terribly difficult to uncover.
API keys must be protected, kept in a secure, encrypted location, inventoried regularly and must only be given out to those who have a valid reason to access them. Alternatively, Cloud Brokers can handle API keys for you, but just be aware that you are outsourcing a critical piece of your cloud security to a third-party.
10 Things to Ask Cloud Providers
When it's time to evaluate cloud service providers, be sure to ask these ten security questions:
1. Were your services developed using a secure development lifecycle?
2. Can you prove it and provide, say, penetration testing overviews?
3. What data protection policies do you have in place?
4. What are your data privacy policies?
5. How do you enforce those various policies?
6. Is security covered in your SLAs? If not, why not?
7. How do you back up and recover data?
8. How do you encrypt data, both in motion and at rest?
9. How do you segregate my data from others?
10. What kind of visibility will I have into your logs?
Jeff Vance is a Los Angeles-based freelance writer who focuses on next-generation technology trends. Follow him on Twitter @ JWVance.