A lack of understanding about security risks is one of the key factors holding back cloud computing.
Report after report after report harps on security as the main speed bump slowing the pace of cloud adoption. But what tends to be overlooked, even by cloud advocates, is that overall security threats are changing as organizations move from physical environments to virtual ones and on to cloud-based ones.
Viruses, malware and phishing are still concerns, but issues like virtual-machine-launched attacks, multi-tenancy risks and hypervisor vulnerabilities will challenge even the most up-to-date security administrator. Here are 5 overlooked threats that could put your cloud computing efforts at risk.
1. DIY Security.
The days of security through obscurity are over. In the past, if you were an anonymous SMB, the threats you worried about were the typical consumer ones: viruses, phishing and, say, Nigerian 419 scams. Hackers didn’t have enough to gain to focus their energy on penetrating your network, and you didn’t have to worry about things like DDoS attacks – those were a service provider problem.
Remember the old New Yorker cartoon: “on the Internet no one knows you’re a dog”? Well, in the cloud, no one knows you’re an SMB.
“Being a small site no longer protects you,” said Marisa S. Viveros, VP of IBM Security Services. “Threats come from everywhere. Being in the U.S. doesn’t mean you’ll only be exposed to U.S.-based attacks. You – and everyone – are threatened from attackers from everywhere, China, Russia, Somalia.”
To a degree, that’s been the case for a while, but even targeted attacks are global now, and if you share an infrastructure with a higher-profile organization, you may also be seen as the beachhead that attackers can use to go after your bigger neighbors.
In other words, the next time China or Russia hacks a major cloud provider, you may end up as collateral damage. What this all adds up to is that in the cloud, DIY security no longer cuts it. Also, having an overworked general IT person coordinating your security efforts is a terrible idea.
As more and more companies move to cloud-based infrastructure, only the biggest companies with the deepest pockets will be able to handle security on their own. Everyone else will need to start thinking of security as a service, and, perhaps, eventually even a utility.
2. Private clouds that aren’t.
One way that security-wary companies get their feet wet in the cloud is by adopting private clouds. It’s not uncommon for enterprises to deploy private clouds to try to have it both ways. They get the cost and efficiency benefits of the cloud but avoid the perceived security risks of public cloud projects.
Plenty of private clouds, though, aren’t all that private. “Many ‘private’ cloud infrastructures are actually hosted by third parties, which still leaves them open to concerns of privileged insider access from the provider and a lack of transparency to security practices and risks,” said Geoff Webb, Director of Product Marketing for CREDANT Technologies, a data protection vendor.
Much of what you read about cloud security still treats it in outdated ways. At the recent RSA conference, I can’t tell you how many times people told me that the key to cloud security was to nail down solid SLAs that cover security in detail. If you delineate responsibilities and hold service providers accountable, you’re good to go.
There is some truth to that, but simply trusting a vendor to live up to SLAs is a sucker’s game. You – not the service provider – will be the one who gets blamed by your board or your customers when sensitive IP is stolen or customer records are exposed.
A service provider touting its security standards may not have paid very close attention to security. This is high-tech, after all, where security is almost always an afterthought.
3. Multi-tenancy risks in private and hybrid clouds.
Many companies, when building out their private or hybrid clouds, are hitting walls. The easy stuff has been virtualized, things like test development and file printing.
“A lot of companies have about 30 percent of their infrastructure virtualized. They’d like to get to 60-70 percent, but the low-hanging fruit has all been picked. They’re trying to hit mission-critical and compliance workloads, but that’s where security becomes a serious roadblock,” said Eric Chiu, President of virtualization and cloud security company HyTrust.
Multi-tenancy isn’t strictly a public cloud issue. Different business units – often with different security practices – may occupy the same infrastructure in private and hybrid clouds.
“The risk to systems owned by one business unit with good security practices may be undermined by the poor security practices of a sister business unit. Such things are extremely difficult to measure and account for, especially in large, multinational organizations,” Webb said.
Another issue is application tiers. In poorly designed private clouds, non-mission critical-apps often share the same resources as mission-critical ones. “How do most companies separate those?” asked Chiu.
“They air-gap it, so the biggest threat for most virtualization and private cloud environments is misconfiguration,” he said. “Eighty percent of downtime is caused by inappropriate administrative changes.”
4. Poorly secured hypervisors and overstressed IPS.
Every new technology brings with it new vulnerabilities, and a gaping cloud/virtualization vulnerability is the hypervisor.
“Many people are doing nothing at all to secure virtualized infrastructures. The hypervisor is essentially a network. You have whole network running inside these machines, yet most people have no idea what sort of traffic is in there,” Anthony said.
Buffer overflow attacks have been successful against hypervisors, and hypervisors are popping up in all sorts of devices that people wouldn’t think of as having them, including Xbox 360s.
Even when organizations believe that they have a handle on the traffic within their cloud environments, they may be fooling themselves, especially if they are relying on legacy security tools. Everyone knows that they need an IPS solution to protect their cloud deployments, but they have no idea what the actual scale of the problem is.
Moreover, many of these appliances have packet inspection settings that by default fail on. In other words, if the device is overwhelmed with, say, video traffic, the majority of traffic passes through as safe and only small samples are inspected for threats.
The IPS will typically trigger a low-level alarm or record this spike in a log, but how many IT units have time to look at logs unless they know they have a problem? Organizations are also slow to realize that they need an array of different protection in virtualized cloud environments than they had in traditional on-premise settings. Or they do realize this and are choosing to ignore it due to budget and time constraints.
The IBM security executives I talked to at RSA ticked off a number of security solutions they would recommend to better protect cloud environments, including IPS solutions with 20 GBps capabilities, DLP and application security. Much of what their advice boiled down to (see item #1 again) is that security is becoming too big of a problem to tackle for most organizations on their own.
5. Insider threats.
Are insider threats keeping you up at night now? Unfortunately, virtualization and the cloud ramp up the risk of insider threats – at least for the time being.
“A smaller number of administrators are now likely to have access to a greater amount of hosted data and systems than ever before, as the cloud systems are managed by a cloud infrastructure management team. This can leave sensitive data open to access by individuals who previously did not have access to it, eroding separation of duties and practices and raising the risk of insider attacks,” Webb said. The ability to walk off with key assets is also simply much easier to do, rights or not, in a virtualized environment than a physical one.
“When the banking restrictions came out, people were worried about someone walking into the physical data center and grabbing a rack of tapes and walking off with it,” Chiu said. Those fears spurred the much higher frequency of encrypting of data at rest.
How do you steal those same assets in a virtual environment, where data encryption is often still an oversight?
“If you have administrative credentials, you pick the virtual machine you want, right click and copy it,” Chiu said. It’s not that hard to spot someone walking out of the building with a box of tapes. A virtual machine on a USB drive isn’t going to raise a single eyebrow.