Security on the public cloud is one of the most important concerns for CIOs. Microsoft Azure cloud CTO Mark Russinovich identified ten key security risks of public cloud services, including malicious insiders, shared technology, data breaches, artificial intelligence and data loss.
He also outlined strategies and best practices for users and service providers to beat these risks.
“We are in the third era of computing – the cloud and mobile era – but security considerations on cloud are still not widely understood. It is important to address the public cloud security concerns to facilitate its adoption,” Russinovich told delegates at the annual IP Expo 2014 in London.
“This is important because there is no cloud without trust.”
Drawing from Cloud Security Alliance’s top nine cloud computing threats, Russinovich listed ten security concerns – listed below – that are typical to public cloud services and explained the measures taken by public cloud service providers, such as Microsoft Azure and AWS, to address those security risks.
1. Shared technology vulnerabilities: The cloud risk
A vulnerability in publicly accessible software enables an attacker to puncture the cloud and expose data of other customers using the same service.
Shared technology vulnerability can affect the security of enterprise datacentres too, but the cloud services are at higher risk of exploitation because data from many customers makes it a rich target and the cloud APIs are easier to access than enterprise APIs, said Russinovich.
But cloud providers are responding to these threats by automating software deployment and rolling out patches quickly and at scale.
2. Insufficient due-diligence and shadow IT
“Many companies are side-stepping IT processes and storing data on the cloud (Shadow IT), Russinovich said.
“This is happening even as IT is designing management, auditing, forensics and access control systems for on-premises servers and applications."
More on cloud security
He said enterprises must take responsibility for the risks shadow IT exposes them to on the public cloud platform.
“IT must determine how to enable business units while enforcing corporate governance and it must promote responsible adoption,” Russinovich advised delegates at IP Expo.
3. Abuse of cloud services
Some of the flagship features of cloud computing, such as agility, scalability and flexibility, are useful to attackers too, Russinovich explained. Attackers are using infrastructure as a service (IaaS) as malware platform or, for doing tasks such as mining digital currencies, and are using cloud storage to store illegal content.
“Cloud abuse is possible because of stolen credit cards, hijacked accounts and free cloud trials. Every month Azure shuts down about 70,000 virtual machines for security reasons.”
4. Malicious insiders
Showing a picture of NSA surveillance whistleblower Edward Snowden, Russinovich said cloud service provider employees who have access to cloud can be a security threat.
Malicious insiders also include developers writing cloud codes that can be exploited by outsiders, operators that deploy code less securely and those who have access to cloud datacentres.
Cloud use may result in unmanaged credentials and publicly accessible applications or services may allow for brute forcing
Some of the mitigation steps the Azure CTO outlined for enterprises included: employee background checks, and limited or monitored access to servers.
5. Denial of service (DOS)
“Cloud outages are a form of DOS, and it is a significant threat to public cloud computing,” Russinovich said.
Cloud providers such as Azure are investing heavily in DDOS prevention, he said, by isolating non-public applications from the internet and providing local resiliency against cloud outages.
6. Insecure interfaces and APIs
Cloud is new and rapidly evolving, so lots of new, insecure APIs surface, according to him. This includes weak TLS crypto or incomplete verification of encrypted content. The responsibility to address this threat lies with both cloud providers and users, Russinovich said.
“Cloud providers must follow SDL. And uustomers should validate API behavior,” he said.
7. Unauthorised access to an enterprise user’s cloud account
Explaining this threat, Russinovich blamed weak passwords, stolen passwords and password reuse as the key reason for cloud account hijacks.
Cloud providers must establish physical controls on datacentre premises
“Cloud use may result in unmanaged credentials and publicly accessible applications or services may allow for brute forcing,” he said. Russinovich advised enterprises to mitigate this risk by taking steps such as turning off unneeded endpoints, encouraging the use of strong passwords, creating two-factor authentication and detecting breach at the onset.
8. Data loss
There are multiple ways to lose cloud data, according to Russinovich: “Customer or cloud provider accidentally deletes or modifies it, or attacker deletes or modifies it, or when a natural disaster destroys the cloud datacentre."
To mitigate cloud data loss, customers must take steps such as point-in-time backups and geo-redundant storage while cloud providers must have services such as deleted resource tombstoning.
9. Data breach
This represents a collection of threats such as insider threat, vulnerability in shared technology, etc.
“Ultimately, a company’s main asset is its data,” he said. “How does a company ensure its data is protected even in the face of successful breach?”
Physical threats that result in data breach include attackers gaining access to storage devices removed from datacentre, he explained.
“Cloud providers must establish physical controls on datacentre premises and deploy audit and monitoring tools while users can encrypt data at rest and have third-party certifications," Russinovich said.
CIOs need to get past the hype and check-box mentality and have a strategy to mitigate cloud security risks
But data breaches can occur even during data transfer, he warned. To beat this risk, cloud providers must encrypts inter-datacentre links and customers must encrypt outside of cloud.
10. Self-awareness or artificial intelligence
A self-aware cloud topped Russinovich's list of public cloud security risks.
“As with any new technology, there are new risks. It is our responsibility to educate our businesses and customers and we can also develop tools and processes to mitigate risk. But it is also a shared responsibility of cloud users,” he said.
“CIOs need to get past the hype and check-box mentality and have a strategy to mitigate cloud security risks.”
“They need to come into the cloud in a responsible way.”