Posted on by Cloud Computingin
by Timothy Morrow Security Solutions Engineer CERT Division
This blog post is coauthored by Donald Faatz.
Organizations continue to develop new applications in or migrate existing applications to cloud-based services. The federal government recently made cloud-adoption a central tenet of its IT modernization strategy. An organization that adopts cloud technologies and/or chooses cloud service providers (CSP)s and services or applications without becoming fully informed of the risks involved exposes itself to a myriad of commercial, financial, technical, legal, and compliance risks. In this blog post, we outline 12 risks, threats, and vulnerabilities that organizations face when moving application or data to the cloud. In our follow-up post, Best Practices for Cloud Security, we explore a series of best practices aimed at helping organizations securely move data and applications to the cloud.
We would like to note that the threats and vulnerabilities involved in migrating to the cloud are ever-evolving, and the ones listed here are by no means exhaustive. It is important to consider other challenges and risks associated with cloud adoption specific to their missions, systems, and data.
The National Institute of Standards and Technology (NIST) cloud model provides a definition of cloud computing and how it can be used and deployed.
NIST identifies the following characteristics and models for cloud computing:
Cloud Computing Threats, Risks, and Vulnerabilities
Cloud environments experience--at a high level--the same threats as traditional data center environments; the threat picture is the same. That is, cloud computing runs software, software has vulnerabilities, and adversaries try to exploit those vulnerabilities. However, unlike information technology systems in a traditional data center, in cloud computing, responsibility for mitigating the risks that result from these software vulnerabilities is shared between the CSP and the cloud consumer. As a result, consumers must understand the division of responsibilities and trust that the CSP meets their responsibilities. Based on our literature searches and analysis efforts, the following list of cloud-unique and shared cloud/on-premise vulnerabilities and threats were identified. The figure below also details the threat picture for cloud computing platforms.
Cloud-Unique Threats and Risks
The following vulnerabilities are a result of a CSP's implementation of the five cloud computing characteristics. These vulnerabilities do not exist in classic IT data centers.
#1 Consumers Have Reduced Visibility and Control. When transitioning assets/operations to the cloud, organizations lose some visibility and control over those assets/operations. When using external cloud services, the responsibility for some of the policies and infrastructure moves to the CSP.
The actual shift of responsibility depends on the cloud service model(s) used, leading to a paradigm shift for agencies in relation to security monitoring and logging. Organizations need to perform monitoring and analysis of information about applications, services, data, and users, without using network-based monitoring and logging, which is available for on-premises IT.
#2 On-Demand Self Service Simplifies Unauthorized Use. CSPs make it very easy to provision new services. The on-demand self-service provisioning features of the cloud enable an organization's personnel to provision additional services from the agency's CSP without IT consent. The practice of using software in an organization that is not supported by the organization's IT department is commonly referred to as shadow IT.
Due to the lower costs and ease of implementing PaaS and SaaS products, the probability of unauthorized use of cloud services increases. However, services provisioned or used without IT's knowledge present risks to an organization. The use of unauthorized cloud services could result in an increase in malware infections or data exfiltration since the organization is unable to protect resources it does not know about. The use of unauthorized cloud services also decreases an organization's visibility and control of its network and data.
#3 Internet-Accessible Management APIs can be Compromised. CSPs expose a set of application programming interfaces (APIs) that customers use to manage and interact with cloud services (also known as the management plane). Organizations use these APIs to provision, manage, orchestrate, and monitor their assets and users. These APIs can contain the same software vulnerabilities as an API for an operating system, library, etc. Unlike management APIs for on-premises computing, CSP APIs are accessible via the Internet exposing them more broadly to potential exploitation.
Threat actors look for vulnerabilities in management APIs. If discovered, these vulnerabilities can be turned into successful attacks, and organization cloud assets can be compromised. From there, attackers can use organization assets to perpetrate further attacks against other CSP customers.
#4 Separation Among Multiple Tenants Fails. Exploitation of system and software vulnerabilities within a CSP's infrastructure, platforms, or applications that support multi-tenancy can lead to a failure to maintain separation among tenants. This failure can be used by an attacker to gain access from one organization's resource to another user's or organization's assets or data. Multi-tenancy increases the attack surface, leading to an increased chance of data leakage if the separation controls fail.
This attack can be accomplished by exploiting vulnerabilities in the CSP's applications, hypervisor, or hardware, subverting logical isolation controls or attacks on the CSP's management API. To date, there has not been a documented security failure of a CSP's SaaS platform that resulted in an external attacker gaining access to tenants' data.
No reports of an attack based on logical separation failure were identified; however, proof-of-concept exploits have been demonstrated.
#5 Data Deletion is Incomplete. Threats associated with data deletion exist because the consumer has reduced visibility into where their data is physically stored in the cloud and a reduced ability to verify the secure deletion of their data. This risk is concerning because the data is spread over a number of different storage devices within the CSP's infrastructure in a multi-tenancy environment. In addition, deletion procedures may differ from provider to provider. Organizations may not be able to verify that their data was securely deleted and that remnants of the data are not available to attackers. This threat increases as an agency uses more CSP services.
Cloud and On-Premise Threats and Risks
The following are risks that apply to both cloud and on-premise IT data centers that organizations need to address.
#6 Credentials are Stolen. If , the attacker can have access to the CSP's services to provision additional resources (if credentials allowed access to provisioning), as well as target the organization's assets. The attacker could leverage cloud computing resources to target the organization's administrative users, other organizations using the same CSP, or the CSP's administrators. An attacker who gains access to a CSP administrator's cloud credentials may be able to use those credentials to access the agency's systems and data.
Administrator roles vary between a CSP and an organization. The CSP administrator has access to the CSP network, systems, and applications (depending on the service) of the CSP's infrastructure, whereas the consumer's administrators have access only to the organization's cloud implementations. In essence, the CSP administrator has administration rights over more than one customer and supports multiple services.
#7 Vendor Lock-In Complicates Moving to Other CSPs. Vendor lock-in becomes an issue when an organization considers moving its assets/operations from one CSP to another. The organization discovers the cost/effort/schedule time necessary for the move is much higher than initially considered due to factors such as non-standard data formats, non-standard APIs, and reliance on one CSP's proprietary tools and unique APIs.
This issue increases in service models where the CSP takes more responsibility. As an agency uses more features, services, or APIs, the exposure to a CSP's unique implementations increases. These unique implementations require changes when a capability is moved to a different CSP. If a selected CSP goes out of business, it becomes a major problem since data can be lost or cannot be transferred to another CSP in a timely manner.
#8 Increased Complexity Strains IT Staff. Migrating to the cloud can introduce complexity into IT operations. Managing, integrating, and operating in the cloud may require that the agency's existing IT staff learn a new model. IT staff must have the capacity and skill level to manage, integrate, and maintain the migration of assets and data to the cloud in addition to their current responsibilities for on-premises IT.
Key management and encryption services become more complex in the cloud. The services, techniques, and tools available to log and monitor cloud services typically vary across CSPs, further increasing complexity. There may also be emergent threats/risks in hybrid cloud implementations due to technology, policies, and implementation methods, which add complexity. This added complexity leads to an increased potential for security gaps in an agency's cloud and on-premises implementations.
#9 Insiders Abuse Authorized Access. Insiders, such as staff and administrators for both organizations and CSPs, who abuse their authorized access to the organization's or CSP's networks, systems, and data are uniquely positioned to cause damage or exfiltrate information.
The impact is most likely worse when using IaaS due to an insider's ability to provision resources or perform nefarious activities that require forensics for detection. These forensic capabilities may not be available with cloud resources.
#10 Stored Data is Lost. Data stored in the cloud can be lost for reasons other than malicious attacks. Accidental deletion of data by the cloud service provider or a physical catastrophe, such as a fire or earthquake, can lead to the permanent loss of customer data. The burden of avoiding data loss does not fall solely on the provider's shoulders. If a customer encrypts its data before uploading it to the cloud but loses the encryption key, the data will be lost. In addition, inadequate understanding of a CSP's storage model may result in data loss. Agencies must consider data recovery and be prepared for the possibility of their CSP being acquired, changing service offerings, or going bankrupt.
This threat increases as an agency uses more CSP services. Recovering data on a CSP may be easier than recovering it at an agency because an SLA designates availability/uptime percentages. These percentages should be investigated when the agency selects a CSP.
#11 CSP Supply Chain is Compromised. If the CSP outsources parts of its infrastructure, operations, or maintenance, these third parties may not satisfy/support the requirements that the CSP is contracted to provide with an organization. An organization needs to evaluate how the CSP enforces compliance and check to see if the CSP flows its own requirements down to third parties. If the requirements are not being levied on the supply chain, then the threat to the agency increases.
This threat increases as an organization uses more CSP services and is dependent on individual CSPs and their supply chain policies.
#12 Insufficient Due Diligence Increases Cybersecurity Risk. Organizations migrating to the cloud often perform insufficient due diligence. They move data to the cloud without understanding the full scope of doing so, the security measures used by the CSP, and their own responsibility to provide security measures. They make decisions to use cloud services without fully understanding how those services must be secured.
Wrapping Up and Looking Ahead
It is important to remember that CSPs use a shared responsibility model for security. The CSP accepts responsibility for some aspects of security. Other aspects of security are shared between the CSP and the consumer. Finally, some aspects of security remain the sole responsibility of the consumer. Effective cloud security depends on knowing and meeting all consumer responsibilities. Consumers' failure to understand or meet their responsibilities is a leading cause of security incidents in cloud-based systems.
In this blog post, we have identified five cloud-unique and seven cloud and on-premises threats that organizations face as they consider migrating their data and assets to the cloud. In the next post in this series, we will explore a series of best practices aimed at helping organizations securely move data and applications to the cloud.
Read the next post in this series, Best Practices for Cloud Security.
For more information about cloud computing security, please visit the following sites:
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The Cloud Security Alliance works to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing