So, you’ve decided to move to the cloud. It’s an exciting time for IT departments and businesses who stand to gain many advantages from a cloud solution. However, you don’t want to stumble blindly into it without understanding some of the cloud web security risks, and preparing for them with the appropriate technologies and techniques.
Companies can take various routes to cloud computing. They can use infrastructure as a service (IaaS), which gives them command line access to virtual machines in the cloud that they can then configure themselves. Many companies will use IaaS on their own premises, combining virtualization with workload management technology to produce in effect a private cloud. Some jump straight to a third-party, hosted IaaS provider.
Others will want to avoid the IT administration and simply use a cloud-based software-as-a-service (SaaS) model, which delivers applications in a users’ browser. The model you use will affect the kind of security measures you take, and who is responsible for them.
The most common threats in the cloud
What security threats are most prominent in the cloud? The Cloud Security Alliance, a non-profit industry group, published a report on the top threats in February 2016. At the very top of its list was data breaches.
Losing data to online thieves is a big worry for companies shifting their applications to a public cloud service. What can they do to help avoid it?
Encryption is one answer. By encrypting data in the cloud, companies can render it useless to any intruder organized enough to steal it from a third-party cloud service provider.
Some SaaS applications tailored specifically for businesses come with encryption capabilities, but there are caveats. The encryption keys may be held by the same cloud service provider holding the data. This can, in some cases, render it vulnerable to rogue employees, highly motivated intruders, or perhaps even government agencies.
A cloud access security broker (CASB) can help solve the encryption problem. This service sits between the cloud user and service provider, enforcing security policies on any data passing between them. These policies can include not only encryption, but also user authentication and device profiling.
The CASB will encrypt data en route to the cloud application where it is stored, and then decrypt the information on the way back to the user’s machine when it is accessed.
Companies dealing with sensitive data may feel uncomfortable trusting it to a SaaS application at all, even in encrypted form, or may be forbidden to by regulators. Tokenization may be the answer here. The tokenization system stores a digital token representing the information in the cloud that serves as a pointer to the real data, which is stored on the user’s own on-premises systems. When the SaaS application displays a token, a software agent on a local computer uses it to reference data stored locally. This requires the user to maintain their own infrastructure though.
Protecting user accounts in the cloud
The second gravest danger facing enterprise cloud users is weak credential and access management. This, combined with another threat, account hijacking, can turn a convenient cloud computing service into an attack vector and render a company vulnerable.
A good example of this was Code Spaces, a company that provided digital storage and project management services for developers. An attacker gained access to its Amazon Web Services™ dashboard and almost all its data—which was then deleted, effectively leaving the company without an operating business, and causing it to shut down.
Code Spaces died for two reasons. Firstly, someone managed to access the master account for the company on its Amazon® cloud service.
Protecting accounts on a cloud service is key. Passwords are simply not adequate today, and companies should complement them with a second layer of protection.
Two factor authentication (2FA) can help protect your employees’ cloud accounts. It is based on using something you have (typically your smart phone, but also sometimes a hardware token), in addition to the password that you know.
Smartphones using an app such as Google® Authenticator are sent a code that must be typed in to the cloud-based service. That way, even if an attacker steals an employee’s password, they still won’t be able to access the service. Some cloud services send a code in a text message.
Secondly, Code Spaces hadn’t made any backups. Companies putting sensitive data in the cloud should always maintain a backup of that data. Business-grade SaaS accounts may offer this. Any company using IaaS in the cloud can manage this on their own by using the appropriate tools.
Evaluating your cloud provider
Understanding whether your cloud service provider backs up data properly is just one part of a far broader evaluation process. When moving your data to a third-party provider, companies should quiz that provider on these key issues:
Data jurisdiction is a legal minefield at present thanks to shifting laws on both sides of the Atlantic. It is important to understand where your data will be stored, and to get a guarantee that it won’t be moved to a region that will make you vulnerable to privacy protection laws.
Will your application and data be stored on a single-tenant or a multi-tenant solution? A multi-tenant account means that a single instance of a SaaS application serves multiple customers. Conversely, a single-tenant option provides a single instance of the software and its supporting infrastructure for your company alone.
Single-tenant systems can be easier to backup and restore, and are often more reliable. They can be more secure, because your data is truly segmented from others rather than simply being tagged as yours and stored on the same system as everyone else.
If someone decides to hit another of your cloud service provider’s customers with a distributed denial of service (DDoS) attack, it could bring down not only their service but yours too. Ask your cloud service provider what it is doing to help prepare for these increasingly common attacks. There are services that can be paid for at the hosting level. You may also have to invest in your own DDoS protection service for extra resilience.
Managing insider threats
Let’s not assume that all threats will come from outside your organization. Insider threats are plaguing more companies, as employees, contractors, or business partners damage the company either maliciously or by accident.
Some insiders compromise the company by mistake—either uploading sensitive data to unauthorized cloud services or inadvertently giving up account information, typically thanks to a phishing email or malware. Others deliberately use their cloud services accounts to steal data or otherwise damage the company. You can help stop the use of unauthorized cloud services (typically known as ‘shadow IT’), by employing a combination of end-user training and security systems that limit access to certain URLs based on usage policies.
Cloud-based email protection is also an important part of a multi-layered defense strategy. We discuss antivirus protection elsewhere, but let’s not forget anti-spam and anti-phishing protection in the cloud. By filtering out emails that try to dupe employees into giving away their information, companies can reduce the risk of compromise.
Setting roles and responsibilities
Dealing with malicious insiders is a more complex problem. Companies need to watch for anomalous behavior (such as someone logging in at strange times from home and downloading large amounts of data), which requires some logging and auditing capability in the cloud-based service. Identity and Access Management is an important tool here, and this implementation will depend on a company’s existing directory systems.
Cloud-based web security is a two-way street
Responsibility for cloud-based web security rests with both the service provider and the customer. At the very least, the customer must conduct due diligence when choosing the service provider, and understand which data is appropriate to store in the cloud. The closer that the customer gets to the raw infrastructure via IaaS, the more options and responsibilities they have in managing security for themselves.
While the security considerations associated with a cloud migration might seem daunting, they are also necessary from a data protection and governance perspective. Skipping them could result in headaches further down the line.
The potential benefits of a cloud-based solution in terms of cost savings and system flexibility often make the upfront planning overhead well worth it. Will it be worth it for you? Understanding your goals for a cloud migration and setting some quantifiable targets will help you find out, as will a pilot project to assess the benefits.
Danny Bradbury has been a technology journalist since 1989. He writes for titles including the Guardian newspaper, and Canada’s National Post. Danny specialises in areas including cybersecurity, and also cryptocurrency. He authors the About Bitcoin website, and also writes a regular blog on technology for children called Kids Tech News. You can follow Danny on Twitter® at @DannyBradbury
To find out more about how MSP Web Protection, which uses 2FA, can help your business, click here.