According to Gartner, most enterprises these days are using more than one public cloud service, and in many cases organizations are increasingly invested in using container-based and cloud-native applications. The move to cloud computing brings significant benefits to the enterprise, but it also adds new risk factors that may be outside the scope of your usual cybersecurity practices. Securing virtual machines, containers, Kubernetes and serverless workloads whether in public, private or hybrid clouds means developing an effective understanding of the security issues affecting cloud workloads. In this post, we explain the challenges and solutions to effective cloud security.
What is cloud security?
Cloud security can be thought of as an element of cybersecurity that pertains specifically to maintaining the confidentiality, integrity and availability of data, applications and services located on servers controlled partially or entirely by one or more third parties.
In order to secure your data, services and business continuity when using cloud providers and/or cloud services, it is vital to understand that the nature of the risk is quite unlike managing data that is held on a traditional, on-premises server, which is typically maintained, controlled and secured by the business owner.
With cloud computing, crucially, the main difference is that whenever using any kind of cloud architecture that contains some element of a public cloud service, the data owner has neither physical control of, nor physical access to, the underlying hardware. In addition, the data owner typically needs to communicate with the cloud provider or service across the public internet, rather than having traffic protected within the perimeter of a local intranet and firewall. Finally, the containers themselves, Docker images, Kubernetes clusters and such, also present unique security challenges.
Given these architectural differences, organizations need to think about a range of issues that broadly fall into four categories: namely, security issues that affect:
- The cloud provider
- The data owner (or client/user)
- Communication and transmission of data between 1 and 2
- The container software stack
What are the challenges of cloud security?
We can start to get an idea of the challenges that cloud security presents by looking at some recent examples of what happens when things go wrong.
Let’s suppose your data is hosted on multiple servers outside of your control. Typically, public cloud providers host multiple “tenants” on the same server. Although you can expect any reputable provider to maintain good data isolation between different tenants, perhaps a vulnerability in the computing stack used by your cloud provider has been discovered that allows an attacker to compromise private clouds managed by that provider, such as CVE-2020-3056.
Supposing such a bug was exploited on a remote server belonging to your cloud provider. The question for your security team in such a scenario is this: What visibility do you currently have into what is happening on your workloads? What tools do you have in place that would alert you to unauthorized access or allow you to threat-hunt across your containers after such a vulnerability came to light?
Other considerations for cloud security are thrown up by the sustained hacking campaign dubbed Cloud Hopper. Multiple top-tier organizations including such big names as Philips and Rio Tinto lost intellectual property to Chinese-backed APT actor APT10, which penetrated at least a dozen different cloud service providers, including Hewlett-Packard and IBM. The hackers dropped “bespoke malware”, leveraged dynamic-DNS and exfiltrated large amounts of data. Deploying EPP solutions designed primarily for protecting end-user devices like laptops and desktop computers isn’t going to help here: In fact, using solutions designed for endpoints on cloud instances is said to put enterprise data and applications at even greater risk.
Cloud security issues don’t end there, either. Gartner has stated that perhaps the biggest threat to cloud security in the next few years is likely to come from “mismanagement of identities, access and privilege”, with at least half of all cloud security incidents coming from such problems by 2023. Weak access controls due to misconfiguration can be exploited by external actors or by insiders or can lead to unintentional but nevertheless damaging data leaks.
Finally, vulnerabilities or misconfiguration in the container stack itself, such as container escapes, represent a challenging technical problem for security teams whose members may have limited experience in Docker and Kubernetes technology.
Solving the cloud security problem
The kind of problems we noted in the previous section with bugs, misconfigured Docker images and attacks on MSPs—i.e., provider-side security issues—can only be managed through proper visibility and control over your containerized workloads.
Pre-runtime protections that scan both the host and ensure that it and the container image are infection-free are important, but they are not enough, as they will not protect the container against attacks once it is in use or offer any ability for your SOC team to threat hunt or do incident response.
A better solution is to use something like an Application Control Engine, which does away with the need for “Allow-Lists” (aka “Whitelists”) and protects cloud-native workloads with advanced “lockdown” capabilities that guarantee the immutable state of containerized workloads, protecting your workloads against the unauthorized installation and subsequent abuse of legitimate tools like Weave Scope.
Bugs that allow Linux container escapes are best addressed by deploying behavioral detection capabilities on the workloads themselves. To that end, Workload Protection that can provide EDR and runtime protection for your cloud servers is essential.
Such a solution needs to be lightweight so that it does not impact performance, and ideally it should offer functionality such as a secure remote shell, node firewall control, network isolation and file fetching. With a capable Workload Protection solution, you can gain both visibility and control over your containerized workloads.
In terms of securing the client—i.e., data owners—side of the equation, apart from having trusted endpoint security on communicating devices, it is essential that user access is properly managed and locked down. Allowing admins or other users excess access to critical data on cloud platforms is a data breach waiting to happen. Identity and access management (IAM) will help you to define and manage the correct roles and access privileges of individual users. Role-based access control (RBAC) should be implemented with Kubernetes clusters. Having Workload Protection with EDR will help your SOC team hunt for abuses of user privileges, be they insider threats or external attacks conducted through credential theft.
With regard to protecting communication between the cloud and the client, there are at least two considerations to bear in mind. First, ensure that all data is encrypted both at rest and in transit. That way, even if a data leakage occurs, the information should be unusable to the attackers. Second, in the event of a denial of service attack, it is vital that you have a business continuity plan in place. This might include redundant capacity to cope with extra network traffic (easier in public or hybrid cloud situations) or engaging a DDoS mitigation service, both of which your cloud provider may offer.
Cloud security requires a different approach to endpoint security, as you are faced with the added burden of protecting both the devices you control and those that you don’t. Servers outside of your control can be running a software stack with vulnerabilities that you can not see or patch, and these servers may be managed by an unknown number of people who are equally outside of your control.
Of course, you can expect any reputable cloud provider to take their own security responsibilities seriously, but the core of the issue is that your threat surface is increased once you are dealing with third-party devices and staff. Moreover, the containers that you deploy can themselves contain bugs or misconfigurations. In order to ensure the security of your cloud workloads, apprise your security team of the points noted above and deploy a capable Workload Protection solution to your container workloads.
Chris Bates, Chief Information Security Officer, SentinelOne
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/
UK +44 20 8089 9944