This White Paper describes an approach for creating a secure cloud environment that helps project teams deploy their projects easily in the cloud without compromising security. The document also takes you through the risks and factors involved in the cloud model and how to treat them. This document is cloud-provider agnostic; for examples and demos we have used the Microsoft Azure cloud service provider platform throughout.
Cloud Computing Basics
The Characteristics of a Cloud Service
On-Demand self-service: Getting things done with a click and no human intervention; for example, to get storage space the consumer just has to make a few simple clicks.
Broad Network Access: The capabilities of the cloud are available over the network (the consumer can provision those on-demand services by accessing the Internet).
Resource Pooling: Pooling the resource among different tenants.
Rapid elasticity: The cloud can expand and contract based on the consumer requirement.
Measured Service: Usage can be measured and charged based on how many resources the consumer uses, e.g. computing power, storage, bandwidth, etc.
Understanding IaaS, PaaS, SaaS
Cloud Deployment Model
Private Cloud: The organization chooses to have its own cloud, in which the resource pooling is done by the organization itself (single-organization cloud) and is not shared with other organizations. It may or may not be on premises.
Public Cloud: Different tenants pool resources on the same infrastructure.
Pros: It can be easily consumable, and the consumer can provision the resource.
Cons: Consumer will not get the same level of isolation as a Private cloud.
Community Cloud: The cloud is shared by different organizations, usually unified by the same community, sharing the underlying infrastructure (halfway between private and public); small organizations pool resources with others.
Hybrid: A mixture of both private and public, i.e. an organization might want the elasticity and cost effectiveness of the public cloud while putting certain applications in a private cloud.
NIST Cloud Computing Reference Architecture
The Promise of the Cloud
Organizational Cloud Security Considerations
Application Security Risks Remain the Same
No matter how much we harden the cloud, if the hosted application is buggy, the organization is vulnerable to all sorts of attacks.
Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.
The screenshot shows how the services vary based on the continents.
The screenshot shows the restrictions based on the countries.
As the consumer's business expands around the globe, the consumer should always consider which services should be offered in which regions and which data has to be stored there, as cloud services vary based on the laws of the country.
There have been cases when the country’s government has unlawfully leaked confidential data from the cloud.
Compliance on Cloud
It is sometimes difficult for consumers to get information from the cloud provider, due to high competition in the market and security concerns. Such information includes:
- Physical Address of the data centers.
- Certain Internal Procedures.
- Security Defenses.
Instead, cloud service providers declare themselves compliant with various international and national certifications, depending on the country.
The screenshot shows that the Azure cloud provider is compliant with various international and national security standards for the country India.
Note: Just putting your website in a PCI-compliant cloud environment will not make that website PCI compliant.
Penetration Testing on Cloud
Considerations before conducting a PenTest in a cloud environment (refer to the screenshot):
- No DoS checks.
- Raising a request to the cloud provider.
- Conducting the PenTest and reporting vulnerabilities to the cloud provider without disclosing them to the outside world.
Here is what Microsoft says about pentesting in a cloud environment.
Here is the request form to submit to the cloud provider (Azure) before starting the pentest.
Don’t forget to read the terms and conditions of the cloud provider (Azure in this case) before starting the PenTest.
Cloud Computing Commercial Considerations (IMPACT – HIGH)
Cloud Provider Acquisition – When a cloud provider is acquired by another organization, many changes come into the picture, such as changed infrastructure, pricing structure changes, etc. These changes affect the services the cloud provider delivers, which may degrade or improve. The consumer should always consider the cloud provider lock-in period for the service they are getting.
Shadow IT (IMPACT – HIGH)
Shadow IT is the information technology systems and solutions built and used inside organizations without explicit organizational approval.
Why Is the Impact High?
Organizations that have implemented cloud in their environment always suffer from shadow IT. These information technology systems and solutions may be infected with malware or viruses, or may have a zero-day through which an adversary can gain an advantage and cause a data leak, system shutdown, DDoS, etc. The following are examples of what causes shadow IT:
- Connecting physical devices, like USB sticks and external hard drives, directly to the corporate network, and using them to transfer sensitive information in a BYOD environment.
- Downloading instant messaging applications, like BBM and WhatsApp, onto corporate smartphones and tablets in a BYOD environment.
- Installing Skype and other forms of VOIP software to communicate with colleagues and clients.
- Downloading and accessing social media applications.
- Developing, using and sharing self-developed Excel spreadsheets, macros and productivity apps.
How to manage Shadow IT
Cloud Risks & Hardening
Internet Exposed Administration Consoles Compromise
Threat – If admin consoles are compromised:
- An attacker can see the app services running and can modify all the hosted applications.
- An attacker can take control of connection strings to the database.
- An attacker can cause costs to escalate out of control by increasing the resources.
Cause of Administration Facility Compromise
- Credentials reuse: the credentials are compromised through another service and the victim is still using them.
- Brute forcing.
- Session hijacking: cookies are not flagged Secure and HttpOnly, and the hosted website has an XSS vulnerability.
- Exposed API keys.
- Social Engineering.
- Implementing multistep verification for login.
- Implementing role-based access controls.
- Implementing CAPTCHA after certain wrong login attempts.
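The session hijacking cause listed above depends on session cookies lacking the Secure and HttpOnly flags. The following added example (not part of the original paper) audits Set-Cookie headers for those two flags; the cookie names and header values are constructed samples, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
# Secure keeps the cookie off plaintext HTTP; HttpOnly hides it from scripts,
# so an XSS flaw in the hosted site cannot read the session token directly.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_cookies(headers):
    """Map each cookie name to the required flags it is missing."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers, as an admin console response might carry them.
WEAK = [
    "ADMINSESSION=9f2c; Path=/",
    "prefs=dark; Path=/; Secure",
]
HARDENED = [
    "ADMINSESSION=9f2c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "prefs=dark; Path=/; secure; HTTPONLY",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cookies(headers))
```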
Economic Denial of Sustainability (EDoS)
Malicious manipulation of traffic patterns to a cloud resource that causes costs to escalate to the point of being economically unsustainable.
- Auto Scale option is enabled on the cloud – The attacker sends bulk traffic to the victim's cloud implementation, causing the environment to auto scale and hence causing economic damage.
- Attacking the bandwidth – The attacker sets up his own cloud and downloads bulk data from the victim’s cloud. For the victim this is egress data, which has a cost, while for the attacker it is ingress data, which has no cost; the overhead on the victim's cloud infrastructure increases the cost proportionally.
- Disable autoscaling which is enabled by default.
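Both EDoS patterns above show up as a jump in hourly spend, driven either by instance count or by egress volume. The following added example (not from the original paper) flags such hours against a baseline; the unit prices, the metrics, the threshold factor and the function names are all constructed assumptions.

```python
from statistics import median

# Assumed unit prices, constructed for the example (not any provider's rates).
INSTANCE_CENTS_PER_HOUR = 20
EGRESS_CENTS_PER_GB = 8

# Constructed hourly metrics: (hour, running_instances, egress_gb).
SAMPLES = [
    (0, 2, 10), (1, 2, 12), (2, 2, 11), (3, 2, 9), (4, 2, 10), (5, 2, 12),
    (6, 20, 14),   # inbound flood makes autoscale add instances
    (7, 2, 400),   # bulk download: the victim pays for the egress
    (8, 2, 11),
]


def hourly_cost_cents(instances, egress_gb):
    """Spend for one hour under the assumed prices."""
    return instances * INSTANCE_CENTS_PER_HOUR + egress_gb * EGRESS_CENTS_PER_GB


def flag_edos(samples, baseline_hours=6, factor=3):
    """Return (hour, driver) for hours costing more than factor x baseline."""
    baseline = median(
        hourly_cost_cents(inst, gb) for _, inst, gb in samples[:baseline_hours]
    )
    flagged = []
    for hour, inst, gb in samples[baseline_hours:]:
        cost = hourly_cost_cents(inst, gb)
        if cost > factor * baseline:
            compute = inst * INSTANCE_CENTS_PER_HOUR
            # Name whichever component contributes most of the hour's cost.
            driver = "scale-out" if compute > cost - compute else "egress"
            flagged.append((hour, driver))
    return flagged


def sustained_monthly_cents(instances, egress_gb, hours=720):
    """Cost if one hour's load pattern were held for a 30-day month."""
    return hourly_cost_cents(instances, egress_gb) * hours


if __name__ == "__main__":
    print(flag_edos(SAMPLES))
    print(sustained_monthly_cents(2, 400) / 100, "currency units per month")
```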
Implementing Hardware Security Module (HSM)
A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing.
Below is Azure’s key vault management system.
Here is how the whole process works
Hardening the Configuration
Following are the checks that should be taken into account during cloud implementation.
Business Continuity and Disaster Recovery
During a catastrophic disaster, how should the data be secured, stored and retrieved? This question always comes up. Here we use the Microsoft Azure platform as an example to show the settings for how the data should be replicated.
There are four options:
- Zone-redundant Storage (ZRS) – Microsoft will store the data in a different data center.
- Local-redundant storage (LRS) – Microsoft will keep three replicas of the data at the same data center.
- Geo-redundant storage (GRS) – Microsoft will store the data in a different data center at a different geo-location.
- Read-access geo-redundant storage (RA-GRS) – None of the above give read access to the replicated data; if the consumer selects this option, they will have read access to the data stored in the geo-location. (Recommended)
Implementing Security as a Service
There are various cloud security solutions which protect the cloud from different attacks and provide services such as DDoS protection, application security vulnerability protection, traffic monitoring, malware detection, etc. Cloudflare is one such solution and has a large customer base.
Many cloud providers also provide security as a service; here is an example of Microsoft Azure’s security as a service.
As we have noted throughout this document, cloud computing has the potential to be a disruptive force by affecting the deployment and use of technology. The cloud could be the next evolution in the history of computing, following in the footsteps of mainframes, minicomputers, PCs, servers, smartphones, and so on, and radically changing the way enterprises manage IT. Yes, plenty of questions are still left to be answered regarding security within the cloud and how customers and cloud service providers (CSPs) will manage issues and expectations, but it would be a severe understatement to say simply that cloud computing has generated interest in the marketplace.
The hype regarding cloud computing is unavoidable. It has caught the imagination of consumers, businesses, financial analysts, and of course, the CSPs themselves. Search for “cloud computing” on the Internet, and you will uncover thousands of articles defining it, praising it, ridiculing it, and selling it.