Achieving true 100% cybersecurity coverage is difficult for anyone, but especially for cloud providers. As Varun Carlay, CISSP, CCSP explains, their own experience has demonstrated that the very nature of cloud business models adds to the challenge.

Varun Carlay, CISSP, CCSPThe pace at which cloud service providers innovate to protect their customers from a cyberattack is unprecedented. Still, it's highly challenging for any cloud service provider to prevent disruptors, 24x7x365, from launching attacks. Perhaps that's why I often sense audience apprehension while presenting cloud security controls and mechanisms to prospective customers - and rightly so, as I work mainly with government departments and agencies invariably entrusted with highly sensitive and critical data.

Their primary concerns generally center around cloud multi-tenancy models and the implementation of isolation mechanisms – reasonable and fair concerns that cloud customers should be cognizant of. One of the reasons behind their apprehension might be anxiety about imminent changes to the world architecture. As the world’s major economies compete to establish supremacy, conventional war and military interventions are not the only disruptive considerations in this multipolar world. Cyberwarfare is likely to continue to be a source of digital disruption and economic unrest across economies.

The precursor to causing a disruption is, first, to identify critical and sensitive workloads – essentially, applications and data. So, where could highly motivated, state-sponsored attackers find the aggregated and majority of their target workloads? Public cloud, perhaps? Oh yes.

The Interconnected World of Public Cloud

As public cloud adoption continues to grow exponentially, shouldn't we be concerned about the core architecture model of the public cloud – specifically, multi-tenancy? However, decisions are often dictated by the financial model, especially in the case of the public cloud. The monetary benefits of 'economies of scale' serve as a key business driver for many enterprise organizations and even government agencies. Ideally, we should all strive to maintain a balance with security requirements and core business objectives.

Multi-tenancy involves consolidating numerous workloads on a shared underlying hardware infrastructure and interconnecting hundreds of thousands of servers that need to communicate with each other for smooth data flow. This includes both legitimate data and, unfortunately, in some cases, 'impermissible data'.

So, for a moment, let’s try to think from the lens of a highly skilled and well-funded cybercriminal (rather, a cybercrime group) who needs only one entry point to inject malware or other bad software to launch an advanced persistent threat (APT) in the multi-tenant, interconnected world of public cloud. It would only take just one device for a cybercriminal to embark on an exploitation journey. By gaining access to and infecting a single device, and if the underlying security controls and mechanisms are not robust enough, the cybercriminal may find a way to move laterally and exploit other connected devices as well as several other customers workloads.

Elements That Can Potentially Increase The Attack Vector In Public Cloud Environments

Now, let's corroborate the above by reflecting on concerns raised by researchers regarding the increase in attack surface area due to virtualization – technology highly prevalent in the multi-tenant, public cloud world. Here are extracts from a couple of NIST Special Publications in this regard:

NIST SP 800-144: Overview of public cloud computing and the security and privacy challenges involved:

"Attack Vectors. Multi-tenancy in virtual machine-based cloud infrastructures, together with the subtleties in the way physical resources are shared between guest virtual machines, can give rise to new sources of threat. The most serious threat is that malicious code can escape the confines of its virtual machine and interfere with the hypervisor or other guest virtual machines. Live migration, the ability to transition a virtual machine between hypervisors on different host computers without halting the guest operating system, and other features provided by virtual machine monitor environments to facilitate systems management, also increase software size and complexity and potentially add other areas to target in an attack."

NIST SP 800-125: Discuss the security concerns associated with full virtualization technologies:

"Attackers may attempt to break out of a guest OS so that they can access the hypervisor, other guest OSs, or the underlying host OS. Breaking out of a guest OS is also known as escape. If an attacker successfully escapes a guest OS and gains access to the hypervisor, the attacker might be able to compromise the hypervisor and gain control over all of its guest OSs. So, the hypervisor provides a single point of security failure for all the guest OSs; a single breach of the hypervisor places all the guest OSs at high risk."

What Does This Mean for Us?

Security establishments across the world understand the precarious nature of multi-tenant architecture coupled with potentially vulnerable commercial off-the-shelf technologies that might be exploited by those highly skilled and well-funded army of state-sponsored attackers. The interconnected world of the public cloud is one of the most coveted platforms for state-sponsored actors tasked with compromising the sovereignty of targeted nations, on which they can launch advanced persistent attack(s) for catastrophic outcomes. And then they might stay undetected for a long period of time, while continuously exfiltrating precious, sensitive, and critical data (think SolarWinds).

The rapid emergence of ransomware attacks also should be a reason for us to evaluate deeply the generally opaque security control mechanisms implemented by cloud service providers (CSPs) at an underlying cloud infrastructure layer.

Perhaps it’s time for us, the customers of public cloud, to ask even tougher questions.

Isolation Is Key in Public Cloud - Both Physical and Logical

The efficacy of any technology product that provides cloud security or other cloud services depends predominantly on two things:

  • The security control mechanisms of an underlying cloud infrastructure (primarily, compute, storage & networking solutions); and
  • The implementation of control mechanisms on hardware and its software that is being used to offer those cloud services

In the context of multi-tenant, public cloud, isolation is the key. If we think about underlying cloud infrastructure strictly from a virtualization and isolation perspective, hypervisor manages both server and network virtualization. Therefore, it’s essential to check what additional controls have been implemented to isolate network virtualization (either by decoupling of network virtualization or by using some other mechanism to control VM escape proliferation) that would stop the malware in its tracks, and NOT allow lateral movement across different physical rack(s) and connected datacenter(s). A potent zero day with the capability to come out of the confines of hypervisor should not be given a free pass to cause ruckus across connected datacenters of a cloud service provider.

Ask Challenging Questions During the CSP Evaluation Phase

Of course, the full list will be much more exhaustive, but – as someone who frequently presents cloud security controls and mechanisms to prospective customers – let me suggest a few questions from the perspective of the topic being discussed here:

  • Check for isolation control mechanisms implemented by the cloud service provider at the underlying infrastructure layer that provide cloud services based on virtualization, if any. Ensure your workloads are not impacted by potential security gaps on the side of other customer workloads
  • Seek tangible assurances from your cloud service provider that you will receive an 'immaculate' machine every time you spin up a 'new' VM or Server. Check how your CSP would guard you against firmware or hardware rootkits, as these are the most difficult ones to detect and remove. Specifically, how the technology components like secure boot (Unified Extensible Firmware Interface) and Trusted Platform Module (TPM) are being leveraged to achieve desired protection against the sophisticated firmware or hardware rootkit attacks
  • Trusted Execution Environment (TEE): check the availability of confidential computing options like Software Guard Extensions (Intel SGX) or AMD's SEV (Secure Encrypted Virtualization). Keep an eye on potential performance downside of these options and seek relevant implementation details from your cloud service provider
  • Gain visibility into how your data will be processed by the CSP by requesting a data processing agreement in advance

The journey to the cloud is a strategic and long-term decision, necessitating thorough research, analysis, and assessment before migrating to or adopting cloud services. Well-informed decision-making – including consideration of various factors such as security, industry standards & compliance (HIPAA, PCI DSS, HITRUST, ISO 27001, FedRAMP, CJIS etc.), costs, and performance – is essential for a successful transition to the world of public cloud.

Varun Carlay, CISSP, CCSP, is a management and information technology professional with more than 20 years of experience in enterprise cloud solutions, data engineering, cloud security, compliance and privacy. In his current role as a Master Principal Enterprise Cloud Architect, he works closely with several U.S. government departments and agencies running sensitive and critical workloads.