A False Sense of Security: 10 Controls That May Be Missing in Your Cloud Architecture
By Shawna McAlearney
Cloud services offer numerous cost benefits, business efficiencies and competitive advantages to organizations of all sizes. Despite advances, the cloud remains vulnerable to a host of security issues, most particularly data breaches and denial of service attacks. Fortunately, measures can be taken to set a foundation for a zero-trust implementation.
Predrag “Pez” Zivic, CISSP, recently discussed 10 controls to architect strong security. They are identification, authentication, authorization, vulnerability, antivirus, advanced persistent threat detection, denial of service, data protection, visibility with analytics, and security system automation.
“These are the things you need to assign to your users, applications and data,” Zivic said in an (ISC)² webcast. “If the user moves from one place to another, the security service follows. If the application moves, security services follow. If I need to move the data, security services must follow. The security services have to follow that piece of information, that application, or that service and that user.”
How do you identify your data? How do you know your data is secure? “You might put some sort of steganography in the data,” Zivic said. “That might be excessive, but for certain critical information it might be something that you need to look at when deploying the application in the cloud.”
Passwords are no longer sufficient for user authentication. Zivic recommends using CASBs, tokens, OTP, OAuth, OpenAM, FIDO, etc. To authenticate applications, he suggests using cloud built-in IAM services, certificates and Kerberos. For data, he suggests certificates, steganography and code words.
Classify data for authorization and define what applications can access what types of information that you store in the cloud. Then delineate user access to application functions and data. This will create a matrix personalized to your organization’s needs. Zivic strongly advocates mandatory access control. “People may say that’s impossible because they have to define everything,” he said, “but in the cloud you are usually deploying applications that are micro-services based.”
Authorization should apply to every session, every user, every time. Some authorization tools can be integrated fairly easily, Zivic said, including OpenAM, Shiro, OAuth 2.0 and native AWS.
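One way to encode the matrix described above as a deny-by-default, mandatory access control check that runs on every request (an added example, not code from the webcast; the classification labels, application clearances and role-to-function mappings are constructed placeholders):

```python
from dataclasses import dataclass
from enum import IntEnum


# Ordered data classifications; a higher label is more sensitive (constructed).
class Label(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical matrix: the most sensitive data each application may access.
APP_CLEARANCE = {
    "catalog-svc": Label.PUBLIC,
    "billing-svc": Label.CONFIDENTIAL,
    "hr-svc": Label.RESTRICTED,
}

# Hypothetical matrix: which user role may call which functions of which application.
ROLE_FUNCTIONS = {
    "customer": {"catalog-svc": {"read"}},
    "finance": {"billing-svc": {"read", "export"}},
    "hr-admin": {"hr-svc": {"read", "update"}},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    authenticated: bool
    app: str  # the application this session is acting through


def authorize(session: Session, function: str, data_label: Label) -> bool:
    """Mandatory access control decision, evaluated per session, per request.

    Deny by default: the session must be authenticated, the application must be
    cleared for the data's classification, and the user's role must be allowed
    to call this function of this application. Unknown apps or roles get nothing.
    """
    if not session.authenticated:
        return False
    app_clearance = APP_CLEARANCE.get(session.app)
    if app_clearance is None or data_label > app_clearance:
        return False
    allowed = ROLE_FUNCTIONS.get(session.role, {}).get(session.app, set())
    return function in allowed
```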
Focus on application vulnerabilities; make sure you implement automated scans. Block! Don’t just alert. Remember to patch. And consider data vulnerabilities and what type of information the data exposes. Does your data show the structure of your database? That’s a vulnerability. If the data shows how you treat access, that’s a vulnerability. Open source tools that may help include:
- IronBee
- Bro IDS
- Security Onion
Antivirus (and Anti-malware, Ransomware)
Zivic recommends application code inspections, checks and updates. File protection is extremely important; block files and inspect those with many layers of compression. Use a cloud sandbox service to inspect files, links and DNS requests. Monitor user behavioral analytics and use the information to set policy. He also suggests using WAF, an advanced intrusion prevention system and a next-gen firewall. The same open source tools suggested for managing vulnerabilities also help block malware.
Advanced Persistent Threat Detection (APT) and Zero-day Attacks
Use cloud-based deception and/or sandbox threat intelligence. Check files—all files—whether compressed or encrypted. Double check unknown links, scripts, unknown patterns and communications. Create automated signatures. For example, Zivic said, if you have the capability to deny service to the /bin directory, it doesn't matter if an attacker attempts to use that vulnerability because they cannot gain access when you block it.
Denial of Service
Many people don’t consider denial of service threats. Zivic noted four different types in the webcast: volumetric, vulnerability, memory and computational. For volumetric, you must implement a cloud DoS service; for memory, monitor idle application connections; and for computational, watch for users requesting multiple sessions, which can cause an avalanche in background micro-services. For vulnerability-based DoS, refer to the Vulnerability section above.
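The memory and computational checks above, as detection logic over sample session logs (an added example, not from the webcast; the log format, thresholds and user names are constructed):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, user, connection id.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SESSION_OPEN user=alice conn=1
2024-05-01T10:00:01 SESSION_OPEN user=mallory conn=2
2024-05-01T10:00:02 SESSION_OPEN user=mallory conn=3
2024-05-01T10:00:03 SESSION_OPEN user=mallory conn=4
2024-05-01T10:00:04 SESSION_OPEN user=mallory conn=5
2024-05-01T10:00:05 ACTIVITY user=alice conn=1
2024-05-01T10:00:30 ACTIVITY user=alice conn=1
"""


def parse(log: str):
    """Yield (timestamp, event, user, conn) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        yield datetime.fromisoformat(ts), event, fields["user"], int(fields["conn"])


def session_bursts(log: str, max_sessions: int = 3, window=timedelta(seconds=10)):
    """Computational DoS signal: users opening more than max_sessions new
    sessions inside a sliding time window."""
    opens = defaultdict(deque)
    flagged = set()
    for ts, event, user, _ in parse(log):
        if event != "SESSION_OPEN":
            continue
        q = opens[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop opens outside the window
            q.popleft()
        if len(q) > max_sessions:
            flagged.add(user)
    return flagged


def idle_connections(log: str, now: datetime, idle_after=timedelta(seconds=20)):
    """Memory DoS signal: connections with no activity for longer than idle_after
    as of `now`, i.e. candidates to be reaped before they exhaust server memory."""
    last_seen = {}
    for ts, _, _, conn in parse(log):
        last_seen[conn] = ts
    return sorted(c for c, ts in last_seen.items() if now - ts > idle_after)
```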
Log all actions and all events in addition to your audit logs and collect them in a centralized location for analysis and event correlation. Apply artificial intelligence (AI). Encrypt data in transit and storage.
“One important point for the cloud: A bigger key does not equal bigger security,” Zivic said. “Symmetrical key 256 and asymmetric RSA 2048 or ECXXX 256 are sufficient.” Even though key rollover is not a simple task, he says it is vital to change your keys at least every three weeks. Use native cloud encryption (e.g., AWS’s) or build your own service. He also suggested looking at open source SIEM solutions to build something that you can control. These include SIEMonster, OSSIM and Elasticsearch.
Visibility With Analytics
You can create your own artificial intelligence and implement machine learning on top of your data. It is all about building distributed capabilities on top of distributed data that you get from the logs across all of your applications within the cloud. AI tools Zivic recommends include:
- Apache PredictionIO
- Apache Mahout
- OpenNN (C++)
Security System Automation
Effort you put in upfront can help you reap unexpected benefits. By mapping your security tools with your log information, you boost your cloud security. For instance, if you’re running the same services on a private cloud and on a public cloud, you can apply AI to learn how a particular service behaves in a public cloud versus in a private cloud, and then correlate.
With so many vectors to protect, Zivic advocates for services that are automated, distributed, stateless and scalable; declarative versus imperative; nimble and easily accessed; plug-in-like and dynamic. “It’s like cherry-picking controls and applying them to a workload. It’s very important that whenever that workload moves, those services move also,” he concluded. “You will lose on security in the cloud if you don’t focus on building nimble, agile, distributed, stateless, dynamic services.”
Shawna McAlearney is a freelance writer based in Las Vegas and past contributor to Cloud Security Insights.