Cybersecurity with Cloud Computing — Notes

Amani Benaoun
9 min read · Sep 12, 2021

Today’s article is a collection of the notes I took while attending the LinkedIn course entitled “Cybersecurity with Cloud Computing”. It is the 6th of 12 courses in the “Become an IT Security Specialist” learning path. The course is divided into 6 sections:

  • Cloud Foundations.
  • Looking at the Clouds.
  • Cloud Flaws, Incidents and Failures.
  • Hands-on With Cloud Flaws.
  • Cloud Security Management.
  • Cloud Security Capabilities.

Cloud Foundations

Well known and trusted organizations related to Cloud Security are:

  • The Cloud Security Alliance CSA — offering the CCSK certificate in cloud security.
  • The European Network and Information Security Agency ENISA.
  • National Institute of Standards and Technology NIST.

Cloud is a set of pooled resources delivered over the internet. It allows you to deliver services globally to your customers at the lowest cost, and to serve a variable workload by scaling the underlying resources up and down to meet the needs of the moment, paying only for the resources consumed. The essential characteristics of cloud computing are: on-demand self-service, broad network access, rapid elasticity, resource pooling, measured service and the pay-as-you-go model.

Cloud benefits are:

  • Saves capital expenditure.
  • Reduces the need for IT staff.
  • Reduces software maintenance.
  • Scalability.

Cloud Architecture

The Cloud has 3 main service layers:

  • Infrastructure as a Service IaaS: the customer is provided with virtual hardware to manage (install the OS, applications, …).
  • Platform as a Service PaaS: the customer is provided with system administrators to manage the OS and the applications.
  • Software as a Service SaaS: the customer needs only to manage the application itself.

The cloud then evolved to include:

  • Network as a Service NaaS.
  • Storage as a Service STaaS → Backup as a Service BaaS.
  • Security as a Service SecaaS.
  • Mobile Backend as a Service MBaaS.
  • Function as a Service FaaS → closely related to serverless computing.

Infrastructure as a Service (IaaS) is a business model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. IaaS consists of facilities (data centers), hardware, abstraction (virtualization and operating systems), connectivity (internet access, …) and APIs (interfaces into the service capabilities). The characteristics of IaaS are:

  • Ubiquitous access utility style.
  • Pay as you go billing model.
  • Offloading technology administration.
  • Rapid provisioning.
  • Dynamic scaling.
  • Virtualization and multi-tenancy.

Platform as a Service (PaaS) builds upon IaaS by adding OS, integration services and middleware. PaaS main characteristics are:

  • Removes administrative complexity.
  • Rapid deployments of applications.
  • Integrated development environment.
  • Full lifecycle of a project in one environment.

Software as a Service (SaaS) serves an application from the cloud. Applications are served via the internet and content delivery networks, with no need for the customer to maintain the underlying infrastructure. Software as a Service includes the applications and their associated APIs, data and content. The key benefits of SaaS are:

  • Avoid capital expenditure.
  • Customers are not responsible for managing hardware and software.

There are three deployment models for the cloud:

  • Public: owned and managed by a third party entity. It’s located with the third party and consumed by untrusted users as it’s open to everyone.
  • Private / community: managed and owned by a third party or the business. Located on-premises or off premises. Consumed by trusted users.
  • Hybrid: owned and managed by a third party and the business. Located on and off-premises. Consumed by trusted and untrusted users.

Virtualization is at the heart of cloud computing, but it has its own issues, such as:

  • Hypervisor-specific threats.
  • Inter-virtual machine attacks.
  • Virtual machine sprawl.
  • Instant-on gaps.
  • Commingling.
  • Residual data destruction.

The evolution of virtualization revolves around software known as the hypervisor. There are two forms of hypervisor:

  • Type 1: Bare metal. Runs at a hardware level and is used for production instances.
  • Type 2: hosted. Runs at a software level and is used for development and test environments.

NIST identifies five business functions and three sources of threats. The business functions are:

  1. VM isolation.
  2. Device mediation.
  3. Direct commands.
  4. VM lifecycle management.
  5. Platform management.

and the 3 threats are:

  1. Threats emerging from enterprise network.
  2. Rogue or compromised VMs.
  3. Threats coming from web portals.

Looking at the Clouds

When the cloud emerged there were concerns about how to secure it. Now security itself is delivered as a service through:

  • Identity as a Service (IDaaS)
  • Cloud delivered security (access management, web and email filtering, intrusion detection,…)

There are huge benefits of SecaaS, such as:

  • The usual cloud benefits (elasticity, pay as you go,…)
  • The cloud providers have skilled security teams.
  • Threat intelligence from many customers.
  • Easily adjusted as the business evolves.
  • Cloud boundary protection.

Rapid7 is a security company which focuses on visibility and analysis of threats and on automation of threat detection and response. Rapid7 offers a cloud-based solution for cybersecurity defense, the Insight cloud. The core components of the Insight cloud are:

  1. Insight Vulnerability Management (InsightVM).
  2. InsightAppSec.
  3. Insight Incident Detection and Response (InsightIDR).
  4. InsightConnect.
  5. InsightOps.

Cloud Flaws, Incidents and Failures

Although the cloud provides multiple benefits, it has flaws and things can go wrong. The four significant incident types are: data exposure, malware infection, account compromise and exploitation of vulnerabilities. Other incidents include service disruption, data loss, government seizure of data, business failure, …

An example of service failure mentioned in the course is when Google faced a configuration error that made Google services unavailable for almost 4 hours. Routing was impacted, which de-scheduled clusters in multiple locations and left users unable to use the services.

An example of business failure is when Code Spaces came under a DDoS attack. The intruders had obtained the login credentials to the company’s Amazon EC2 management console. The way the company handled the attack resulted in the attackers deleting all of the company’s records and backups. Code Spaces then decided that all attempts at recovery were hopeless, and the company ceased trading.

Incident response is one of the most critical areas of information security. NIST has published a standard incident response framework, SP 800–61. The nature of the cloud means that it can be difficult to respond to incidents: resource pooling and elasticity may substantially complicate the technical activities of incident response and forensics. The NIST incident response model has four stages: preparation; detection and analysis; containment; and eradication and recovery.

Microsoft recommends a six-step process for establishing an Azure centric incident response approach:

  1. Create an incident response guide.
  2. Create an incident scoring and prioritization process.
  3. Test security response procedures.
  4. Provide security incident contact details and configure alert notification for security incidents.
  5. Incorporate security alerts into the security response system.
  6. Automate the response to security alerts.

Hands-on With Cloud Flaws

Scott Piper of Summit Route Consultants has developed a testing site for getting hands-on with the common mistakes made in cloud deployments. The website is http://www.flaws.cloud

Cloud Security Management

Corporate governance is the set of processes, technologies, culture, and external mandates. There are many models of governance but all adhere to five basic principles:

  1. Auditing supply chain.
  2. Board and management.
  3. Corporate responsibility.
  4. Financial transparency.
  5. Ownership structure and control.

The focus of enterprise risk management is to protect the value of the enterprise for its stakeholders. Enterprise risk management means identifying the risks and the opportunities, managing the risks, and taking advantage of the opportunities within the risk appetite of the shareholders. There are four key risk strategies: avoidance, mitigation, transfer and acceptance.

Both public and private organizations are subject to legislation, regulations, contracts and other mandates, which contain security obligations. Courts rely heavily on documents, and legal adversaries may have the right to demand all documents that pertain to a case. Careful planning is required to ensure cloud-based electronic documents are discoverable. Further, data may need to be forensically authenticated to ensure that it’s legitimate when it appears as evidence. Compliance and audit are standard enterprise governance processes. They exist to ensure adherence by the organization to regulatory, social and contractual obligations, and provide guidance in prioritizing corrective action.

The latest CSA guidance has renamed domain five as information governance. This is defined as ensuring that the use of data and information complies with organizational policies, standards and strategy, and covers regulatory, contractual and business requirements for data stored in whatever form in the cloud. There are some key concerns to address when exercising governance over cloud data:

  • Multi-tenancy.
  • Protection of data is a shared responsibility.
  • Data storage location.
  • Regulatory compliance and privacy.
  • Data destruction.

One of the resilience technologies used in the cloud is data dispersion. An Information Dispersion Algorithm (IDA) is used to split data into fragments or slices and store them on separate cloud services. A single fragment by itself is meaningless. A legitimate user, however, can access the fragments, reintegrate them and obtain a coherent data source. An IDA may also encrypt the data for additional security.
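To make the dispersion idea concrete, here is an added example (my own code, not from the course or from any IDA product) of a minimal Rabin-style IDA over GF(2^8): the data is cut into n fragments such that any m of them rebuild the original and fewer than m cannot. The parameters m = 3 and n = 5, and the sample record, are constructed for the demo.

```python
# Added example (not from the course or the article): a minimal Rabin-style
# Information Dispersion Algorithm over GF(2^8). Data is cut into n fragments
# so that any m of them rebuild the original and fewer than m cannot; the
# parameters m=3, n=5 and the sample record below are constructed for the demo.
from typing import List, Tuple

# --- GF(2^8) arithmetic: reducing polynomial x^8+x^4+x^3+x^2+1 (0x11d), generator 2
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_inv(a: int) -> int:
    return EXP[255 - LOG[a]]          # caller guarantees a != 0


def _row(i: int, m: int) -> List[int]:
    """Vandermonde row for fragment index i (1-based): [1, i, i^2, ..., i^(m-1)]."""
    row = [1]
    for _ in range(1, m):
        row.append(gf_mul(row[-1], i))
    return row


def disperse(data: bytes, m: int, n: int) -> List[Tuple[int, bytes]]:
    """Split data into n fragments of len(data)/m bytes each; any m rebuild it."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= m <= n <= 255")
    pad = m - len(data) % m                    # PKCS#7-style padding, 1..m bytes
    padded = data + bytes([pad]) * pad
    fragments = []
    for i in range(1, n + 1):
        row = _row(i, m)
        out = bytearray()
        for off in range(0, len(padded), m):   # one output byte per m-byte block
            acc = 0
            for coef, byte in zip(row, padded[off:off + m]):
                acc ^= gf_mul(coef, byte)
            out.append(acc)
        fragments.append((i, bytes(out)))
    return fragments


def _invert(mat: List[List[int]]) -> List[List[int]]:
    """Gauss-Jordan inversion over GF(2^8); raises if the rows are dependent."""
    m = len(mat)
    aug = [row[:] + [int(r == c) for c in range(m)] for r, row in enumerate(mat)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("fragment set is not independent (duplicate index?)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = gf_inv(aug[col][col])
        aug[col] = [gf_mul(inv, v) for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [a ^ gf_mul(f, b) for a, b in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]


def reassemble(fragments: List[Tuple[int, bytes]], m: int) -> bytes:
    """Rebuild the original from any m fragments given as (index, bytes)."""
    if len(fragments) < m:
        raise ValueError(f"need at least {m} fragments, got {len(fragments)}")
    chosen = fragments[:m]
    inv = _invert([_row(i, m) for i, _ in chosen])
    out = bytearray()
    for k in range(len(chosen[0][1])):
        column = [frag[k] for _, frag in chosen]   # the k-th byte of each fragment
        for r in range(m):
            acc = 0
            for a, v in zip(inv[r], column):
                acc ^= gf_mul(a, v)
            out.append(acc)
    return bytes(out[:-out[-1]])                   # strip the padding


if __name__ == "__main__":
    record = b"constructed sample: customer=42 balance=1337"   # constructed input
    frags = disperse(record, m=3, n=5)
    print(len(frags), "fragments of", len(frags[0][1]), "bytes each")
    assert reassemble([frags[0], frags[2], frags[4]], m=3) == record
```

Each fragment is 1/m of the (padded) data, so storing n fragments costs n/m times the original size while tolerating the loss of any n − m providers. Note what the scheme does and does not give you: it provides availability, and a lone fragment is unreadable, but anyone who can collect m fragments reconstructs everything, and fragment 1 is simply the XOR of each block’s bytes. That is why the note above says an IDA may also encrypt: for confidentiality, encrypt before dispersing and keep the key out of the storage providers’ reach.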

Controls are used to restrict the list of all possible actions down to those allowed for each user and each type of data:

  • Information classification.
  • Information management policies.
  • Location and jurisdictional policies.
  • Authorizations.
  • Ownership.
  • Custodianship.

When using the cloud it’s important that we control what data is transferred out of the enterprise into cloud environments, to make sure that the appropriate controls are in place:

  • Detecting and preventing data migrating to the cloud.
  • Protecting data moving to and within the cloud.
  • Protecting data in the cloud.
  • Data loss prevention (DLP).
  • Privacy preserving storage.
  • Digital rights management.

Benefits of the cloud for applications include:

  • Higher baseline security.
  • APIs and automation deliver flexibility and unified interface.
  • Use of cloud-based hyper-segregation networks for isolation.
  • Low microservice attack surface.
  • Elasticity allows the application to grow, with cost in line with use.
  • DevOps provides automated hardening.

The main challenges that applications face on the cloud are:

  • Limited visibility.
  • Management plane threats.
  • Shared responsibilities.
  • Reduced transparency.

Cloud Design and Development

To improve security you can:

  • Create immutable infrastructure.
  • Disable remote logins.
  • Add file integrity monitoring.
  • Integrate immutable techniques into incident recovery plans.
  • Use the concept of least privilege.
  • Use segregation of duties.
  • Keep designs simple.
  • Enforce access controls.

Cloud Security Capabilities

Although encryption is heavily used when it comes to cloud security, there are other ways to ensure data confidentiality, such as replacing sensitive data with a token, or fully anonymizing the information by stripping out the confidential elements. Encryption algorithms can be either recognized public-domain algorithms or vendor proprietary. There are 2 types of encryption systems:

  • Content-aware: produces an unstructured blob of ciphertext, which the decryption system can recover because it is also content-aware.
  • Format preserving: the encryption algorithm is arranged so that the ciphertext reflects the structure of the original plaintext.
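The tokenization alternative mentioned above is easy to show in code. The following is an added example (my own, not from the course or from any tokenization product) of a vault that swaps a payment card number for a random token of the same length and character class, keeping the last four digits so the token still fits fields and reports built for the real value. Unlike format-preserving encryption proper (NIST SP 800-38G’s FF1, for instance), there is no key and no algorithm to invert: the only way back is the lookup table inside the vault, which is exactly what keeps the tokens meaningless outside it. The card number used in the demo is a constructed test value.

```python
# Added example (not from the course or the article): a tokenization vault.
# A sensitive value (here a card number) is replaced by a random token of the
# same length and character class; the mapping exists only inside the vault.
import secrets
import string
from typing import Dict


class TokenVault:
    def __init__(self) -> None:
        self._by_value: Dict[str, str] = {}   # real value  -> token
        self._by_token: Dict[str, str] = {}   # token       -> real value

    def tokenize(self, pan: str) -> str:
        """Return a format-matching token for a 12-19 digit card number."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("expected a 12-19 digit card number")
        if pan in self._by_value:             # same input always maps to the same token
            return self._by_value[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]           # keep the last four digits for display
            if token != pan and token not in self._by_token:
                break                         # avoid collisions with existing tokens
        self._by_value[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the real value; only the vault can do this."""
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")   # constructed test card number
    print("token:", tok, "-> resolves to last four", vault.detokenize(tok)[-4:])
```

In a real deployment the two dictionaries are the crown jewels: the vault has to sit inside the enterprise boundary (or in a dedicated, tightly controlled service), with `detokenize` reachable only by the few components that genuinely need the original value, while everything else, including anything uploaded to the cloud, works with tokens.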

The multi-tenant model of public cloud solutions means that any individual virtual machine which uses keys internally is potentially subject to exposure of those keys through inter-VM attacks. To protect the keys there are multiple approaches to follow like:

  • The keys reside in the enterprise and never go to the cloud.
  • Have a cryptographic engine in which each key is generated when required and used once.
  • Create the symmetric key when required and provide it to the sender in real time.

A key consideration when running cloud deployments is how to make sure that inappropriate or sensitive information doesn’t get accidentally uploaded. To achieve that goal:

  • Data filtering controls can be used in conjunction with information labeling, to monitor the sensitivity of traffic being uploaded.
  • Use the cloud provider data migration mechanisms.
  • Use access controls: management console, data sharing, application access,…
  • De-perimeterization: setting boundaries for the extent to which data can travel across the internet.
  • Encryption offered by the cloud provider.
  • Key management.
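The first item on that list, data filtering combined with information labeling, is the one that can be shown as detection logic. Below is an added example (my own code, not from the course or from any DLP product) of an upload filter that reads the classification label carried in a document, inspects the content for card numbers (with a Luhn check to cut false positives), and decides against a per-destination policy. The label vocabulary, the destinations and the sample documents are all constructed for the demonstration.

```python
# Added example (not from the course or the article): an upload filter that
# combines an information label carried in the document with content
# inspection, then checks the result against a per-destination policy. The
# label vocabulary, destinations and sample documents are constructed.
import re
from typing import Dict, List

LABELS = ["Public", "Internal", "Confidential", "Restricted"]        # lowest to highest
LABEL_RE = re.compile(r"^\s*Classification:\s*(\w+)\s*$", re.IGNORECASE | re.MULTILINE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")                     # 13-16 digits, separators allowed

# Which labels may be uploaded to which destination (constructed policy):
ALLOWED: Dict[str, set] = {
    "public-bucket": {"Public"},
    "partner-share": {"Public", "Internal"},
    "corp-tenant": {"Public", "Internal", "Confidential"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects order numbers and the like that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return masked card numbers (last four digits kept) found in the text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def check_upload(document: str, destination: str) -> Dict[str, object]:
    """Decide whether a document may leave for the destination, and record why."""
    m = LABEL_RE.search(document)
    label = m.group(1).capitalize() if m else "Unlabeled"
    if label not in LABELS:
        label = "Unlabeled"                      # unknown label words are not trusted
    cards = find_card_numbers(document)
    # Content inspection can only raise the label, never lower it.
    effective = "Restricted" if cards else label
    reasons = []
    if label == "Unlabeled":
        reasons.append("document carries no recognised classification label")
    if cards:
        reasons.append(f"{len(cards)} card number(s) detected; treated as Restricted")
    allowed = effective in ALLOWED.get(destination, set())
    if not allowed:
        reasons.append(f"label {effective} is not permitted for destination {destination}")
    return {"label": label, "effective": effective, "cards": cards,
            "allowed": allowed, "reasons": reasons}


if __name__ == "__main__":
    sample = ("Classification: Internal\nSupport ticket 4411\n"
              "card 4111 1111 1111 1111\norder 1234 5678 9012 3456\n")   # constructed
    print(check_upload(sample, "partner-share"))
```

The point of combining the two signals is that a label is only as good as the person who applied it: a document marked Internal that actually carries card data should not reach a partner share, and the filter reports which rule fired so the event can be routed to the right reviewer rather than silently dropped.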

It’s generally considered best practice to externalize the identity into an identity management system such as Active Directory, enabling enterprise-wide use of the identity. A system user has privileges or entitlements which specify what functions they can perform on objects in the system. Applications introduce a new set of identity challenges with application-level roles, identities and entitlements, which may or may not be associated with a system-level identity. Application identities fall into 4 classes:

  1. Fully integrated into central identity and entitlement services.
  2. Integrated into central identity services but with local entitlement management.
  3. Stand alone with local identity and entitlement management.
  4. Fully application managed.

Cloud deployments need the ability to control access by users to infrastructure platforms, and software applications, and to the resources used in the applications. There are a number of authorization models such as mandatory access control, role based access control, discretionary access control, and rule-based access control.

Security, logging and monitoring are the major services used in operational cloud defenses. Much of this is done by the cloud provider, but to protect their cloud, not customer systems. It’s important for cloud customers to understand their share of operational security responsibilities. Logs can be:

  • Downloaded to the on-premises SIEM.
  • Uploaded to the cloud SIEM services.
