Cloud security

Securely Managing Cloud Credentials

Dejan Lukan
June 4, 2015

Introduction

Cloud services have mushroomed in the past couple of years and are becoming widely used by a large number of people and companies. A company gains many benefits when it implements an existing or new service/application in the cloud, which is why the traditional way of building applications is no longer as widely adopted. Many applications and systems can be moved from privately owned internal networks to the cloud.

The following are different cloud computing service models (summarized after [1]):

  • IaaS (Infrastructure as a Service): provides the entire infrastructure including the physical and virtual machines, firewalls, load balancers, hypervisors, and other physical systems or network devices. A company can use IaaS when it needs a complete IT environment hosted in the cloud, where all the hardware is provided by the infrastructure provider. The company no longer has to pay for every single hardware component itself, connect the wires so the devices can communicate with each other and, most importantly, manage the systems. When a hardware component dies, it is the responsibility of the infrastructure provider to replace the failed component, usually at an extra cost, but it isn't nearly as expensive as if we had to do it ourselves.
  • PaaS (Platform as a Service): provides a platform like an operating system, a database, a web server, etc. A company usually rents an entire system, which is managed by the service provider. If we order an entire operating system, we will be given a password to the online console, which is used to manage the server instance. In most cases, we will also want to have other services like SSH running on the system, so we can access the system remotely.
  • SaaS (Software as a Service): when using SaaS services, the service provider sets everything up, and we're only given credentials to access the service. Note that the service, as well as the operating system on which the service is running, is managed by the service provider itself, and the customer uses the service directly.

Secure passwords

Depending on the service model, we're given a certain amount of access to the service managed by the service provider. In any case, we usually have a number of passwords that we have to remember in order to access the cloud services. Since the services running in the cloud are most often accessible from anywhere in the world, an attacker knowing the password could log in and use our service, whatever it may be. Therefore, we must properly secure the passwords we use to prevent an attacker from getting his hands on them, which would consequently give him access to our cloud service. Once the attacker has gained access to the service, he might be able to steal sensitive information, modify the data, or possibly delete everything, depending on the service capabilities and user role.

The best possible way to protect ourselves is to follow the best password security requirements, which will make it harder (although not impossible) for the attacker to get his hands on our password. The best security practices when setting or choosing a password are the following:

  • First-time passwords: sometimes a service provider has to choose a password when setting the services up for the customer. This happens when the process of setting up everything doesn't ask the customer for a password that will be set during the installation phase. In such cases, the service provider has to set the password to a unique value for each customer, but the customer's duty is to change it after the first use. Service providers usually notify the customers about the good practice of changing the password, but don't force them to do so. If that happens with a cloud service we're using, we should remember to change the password after it has been automatically set by the installation phase, which will increase the chance of it not being stored somewhere in a history log or cache.
  • Shared passwords: when setting the password, we have to ensure we don't use the same password for other services as well. Setting the same password for two cloud services means that if one cloud service is hacked and the attacker is able to get the password, he will also be able to use the second cloud service, because he already knows the password. There are times when cloud services don't store passwords securely in the database, but store them unencrypted or as MD5 hashes, which can easily be compromised. To stay secure, we should choose a different password for every service that we're using, so even if the attacker gets our password or password hash, he won't be able to compromise any other services.
  • Password durability: the password should be changed every 90 days in order to ensure the attacker doesn't have continuous access to our service in case he manages to compromise the password. By changing the password, the attacker will eventually be locked out of a service and won't be able to access it in order to steal sensitive information.
  • Minimum password length: the password should be of appropriate length in order to make it very difficult for the attacker to brute-force it. There are different recommendations on the internet about the password length, but they all agree that we should choose a password of at least eight characters in length, while some support the idea of even longer passwords.
  • Password strength: the password should not contain only letters and numbers, but should also contain special characters as well as lowercase/uppercase letters. By using such a password, there are many more combinations the attacker has to go through when trying to obtain the password via brute-force or dictionary attacks.
  • Password history: the system should keep historic versions of passwords in order to compare them to the current password in password change functionality. This ensures the password is somewhat different from the previous passwords.
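As an added example that is not part of the original article, the following script audits a set of cloud-service credentials against the rules listed above (unchanged first-time password, shared passwords, minimum length, character classes, and reuse of a password from the history). The credential records are constructed sample data.

```python
# Added example: audit constructed credential records against the password rules above.
import string
from collections import Counter

MIN_LENGTH = 8
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def strength_issues(password):
    """Return the names of the length/character-class rules a password fails."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too-short")
    for name, chars in CLASSES.items():
        if not chars & set(password):
            issues.append("missing-" + name)
    return issues

def audit(credentials):
    """credentials: dicts with service, password, initial (provider-set first-time
    password or None) and history (earlier passwords). Returns {service: findings}."""
    # How many services share each password (shared-password rule)
    uses = Counter(c["password"] for c in credentials)
    report = {}
    for c in credentials:
        findings = strength_issues(c["password"])
        if c.get("initial") is not None and c["password"] == c["initial"]:
            findings.append("first-time-password-unchanged")
        if uses[c["password"]] > 1:
            findings.append("shared-with-other-service")
        if c["password"] in c.get("history", []):
            findings.append("reused-from-history")
        if findings:
            report[c["service"]] = findings
    return report

# Constructed sample input (not real credentials).
SAMPLE = [
    {"service": "iaas-console", "password": "Tr0ub4dor&3x!", "initial": "Welcome1!", "history": []},
    {"service": "paas-ssh", "password": "Welcome1!", "initial": "Welcome1!", "history": []},
    {"service": "saas-crm", "password": "summer2015", "initial": None, "history": ["summer2015", "winter2014"]},
    {"service": "saas-mail", "password": "summer2015", "initial": None, "history": []},
]
```

Running `audit(SAMPLE)` reports nothing for `iaas-console` and lists the rules the other three services violate.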

The password manager

In order to keep passwords secure, we should use a password manager, because otherwise we won't be able to remember the passwords of all of the cloud services while following the best practices already described. If we don't use a password manager, it probably means we're doing something wrong, like reusing the same password for different services, or keeping passwords stored in an unencrypted text file on the hard drive. A password manager is a program that stores all our passwords encrypted on disk, protected by a master password. Whenever we need a password, we have to invoke the password manager and provide the master password to decrypt the password that we're after. After the password has been decrypted, we can use it normally and copy-paste it into the service's login form to get access to the service.

There are many password managers out there, so it is a matter of choice about which we want to use. The link [2] specifies the best password managers for 2015, which are listed below among other password managers:

  • Gpass
  • Keepass
  • LastPass
  • Revelation
  • Gorilla
  • KeePassX
  • PasswordSafe
  • Dashlane
  • Sticky Password Premium
  • Intuitive Password
  • Keeper Password Manager
  • RoboForm Desktop 7
  • 1Password for Windows
  • LogMeOnce Password Manager
  • Password Genie

I have used the KeePassX password manager in the past, which is really a great password manager if you want a graphical user interface program. Lately I have been using the pass command-line alternative, which is the most useful piece of software I have come across regarding password management. The reason I'm mentioning it is because you can easily use it on a cloud system via an SSH session. Because it's a command-line program and doesn't have a graphical user interface, it is an ideal password manager to use on remote systems that don't have X sessions.

The pass password manager can be found in default Linux repositories, so we can easily install it by using apt-get, yum, emerge or any other package manager. After the pass password manager has been installed, we can create a new GPG key, which will be used to encrypt all the passwords. We can do that by running the command below:

[plain]

# gpg --gen-key

[/plain]

After that we have to initialize a new password store by specifying the init command when calling the pass password manager. This will initialize the password store, which will be kept under ~/.password-store/ in your user's home directory.

[plain]

# pass init <gpg-id>

[/plain]

To add a password to the password store, you have to run the insert command. Optionally, you can specify the -m option, which allows adding extra lines to the password entry, like the cloud service name, the accompanying username, etc. Usually we also want to group the passwords into logical categories, which we can do by specifying the category when naming the password item; this causes a new directory to be created under ~/.password-store/.

[plain]

# pass insert -m category/item

[/plain]

To edit the password, we can use the edit command:

[plain]

# pass edit category/item

[/plain]

To generate a random password of length 15 we can use the generate command:

[plain]

# pass generate category/item 15

[/plain]

To remove the password, we can use the rm command:

[plain]

# pass rm category/item

[/plain]

After storing some passwords in the password store, we can visit the cloud service and open the login functionality. When the cloud service asks us for a password, we invoke the password manager with the -c parameter, which copies the password to the clipboard. We then only have to paste the password into the input form field of the cloud service and log in.

[plain]

# pass -c category/item

[/plain]

Also note that passwords copied to the clipboard are automatically removed from the clipboard after 45 seconds, to prevent attackers from stealing the password by reading the contents of the clipboard. This is a great and important security measure provided automatically by the pass password manager, so that a copy of the password is not left sitting in the clipboard.
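pass itself does not track how old an entry is, so, as an added example that is not part of the article or of pass, the following script lists the entries in a pass store that have not been changed in the last 90 days (the durability rule above). It assumes the store's layout of one <category>/<item>.gpg file per entry and uses each file's modification time as a proxy for the last password change; the sample store it builds is constructed in a temporary directory with placeholder files instead of real GPG ciphertext.

```python
# Added example: find pass entries older than 90 days using .gpg file mtimes
# (an assumption; the store's optional git log is the authoritative record).
import os
import time
import tempfile

MAX_AGE_DAYS = 90

def stale_entries(store_dir, now=None, max_age_days=MAX_AGE_DAYS):
    """Return sorted 'category/item' names whose .gpg file is older than max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    stale = []
    for root, dirs, files in os.walk(store_dir):
        dirs[:] = [d for d in dirs if d != ".git"]   # skip pass's optional git metadata
        for name in files:
            if not name.endswith(".gpg"):
                continue
            path = os.path.join(root, name)
            if os.path.getmtime(path) < cutoff:
                rel = os.path.relpath(path, store_dir)[:-len(".gpg")]
                stale.append(rel.replace(os.sep, "/"))
    return sorted(stale)

def build_sample_store(base):
    """Constructed sample store: two fresh entries and two entries aged 120 days."""
    now = time.time()
    old = now - 120 * 86400
    for rel, mtime in [("cloud/iaas-console", old), ("cloud/paas-ssh", now),
                       ("saas/crm", old), ("saas/mail", now)]:
        path = os.path.join(base, rel + ".gpg")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"placeholder, not real ciphertext")
        os.utime(path, (mtime, mtime))
    return now

def demo(max_age_days=MAX_AGE_DAYS):
    """Build the sample store in a temporary directory and return its stale entries."""
    with tempfile.TemporaryDirectory() as tmp:
        now = build_sample_store(tmp)
        return stale_entries(tmp, now=now, max_age_days=max_age_days)

if __name__ == "__main__":
    for entry in demo():
        print("rotate:", entry)
    # Real store: stale_entries(os.path.expanduser("~/.password-store"))
```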

Conclusion

In this article, we've seen that there are many passwords that we have to use on a daily basis to get access to our cloud services. If the passwords are generated by following the best password security guidelines, we certainly won't be able to keep all of the passwords stored safely in our head; it's just too much information. This is the primary reason why we start setting repetitive passwords and disregarding the best security practices, but there is a better way. By using a password manager, you don't have to remember any of your passwords, but your own master password that is used by the password manager. That way, all of the passwords are encrypted and stored securely on the hard drive and it is only by knowing the master password that we can access them.

We've also introduced the pass password manager, which is an ideal password manager to use in the cloud, because it is a command-line program and doesn't need an X session. Additionally, it provides extra functionality like automatically generating a random password, so we don't have to use an external program to generate random passwords.

Remember that passwords, although not a perfect solution, are widely used today, which is why we have to follow the best password guidelines when setting the passwords. One of the best ways of doing that is using a password manager, which greatly simplifies and secures password management.

References

[1] Cloud computing, Wikipedia,
https://en.wikipedia.org/wiki/Cloud_computing.

[2] The Best Password Managers for 2015,
http://www.pcmag.com/article2/0,2817,2407168,00.asp.

Dejan Lukan

Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real-world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security-related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in a couple of dozen of them. His passion is also antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog available here: http://www.proteansec.com/.