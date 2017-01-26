What You Need to Know About Hybrid Cloud Security

Thanks to its many business benefits, cloud computing is becoming commonplace within organizations of all sizes. Historically, companies have struggled to determine which model - public or private - best met their needs. But of late, IT professionals are increasingly starting to realize that both public and private clouds can exist harmoniously within the same organization, and that, in many instances, a hybrid cloud model can actually be the most effective approach.

RightScale's "2016 State of the Cloud Survey" found that hybrid cloud adoption increased from 58 percent to 71 percent year-over-year. The uptick in hybrid cloud computing has not been overlooked by cybercriminals, who have been busy adapting traditional attack methods and devising new ways to target the attack surfaces and vulnerabilities that cloud deployments expose.

In order to manage cloud security with the same effectiveness as on-premises environments, it's important to consider how the threat landscape changes as assets move from a data center to the cloud. It's also crucial to determine which security resources are offered by cloud service providers (CSPs) and understand how these can augment your own security tools and measures to deliver complete hybrid cloud security.

To help address the aforementioned points, we're kicking off a three-part series focused specifically on managing hybrid cloud security. In this first post, we'll explain the basics of the shared security model and explore how security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments. Read on.

Understanding the Shared Responsibility Model

Any discussion of hybrid cloud security requires a fundamental understanding of the shared responsibility model and how it applies to cloud infrastructure as a service (IaaS) security concerns. Under the shared responsibility model, a CSP is generally responsible for the physical security of its data centers and for the infrastructure layer - from managing building access, to securing network and server hardware, to operating the hypervisors that host customer virtual machines. Users of cloud services, on the other hand, are responsible for everything they run on top of that: the operating systems, applications, data, identities and network configuration within their own cloud accounts.

While you are responsible for securing anything that you deploy in the cloud, CSPs also have a shared interest in making sure your data is secure. For example, they will typically provide services to help you implement best practices for controlling access and limiting network exposures. Many also supply tools to help you better defend your virtual environments. The services and tools provided by CSPs are designed to work in conjunction with your own cloud-based security management tools.

Traditional security solutions, such as firewalls, file integrity monitoring and centralized logging, remain effective as you expand your perimeter and move data into the cloud. Adding additional security measures that are purpose-built for the cloud, however, can help you to better secure and monitor your full environment.

Common Attack Strategies in the Cloud

Many of the common attack strategies cybercriminals use to target on-premises infrastructure are also used to hit cloud environments, and they can be dealt with using traditional tools, such as firewalls and proxy servers. However, it's important to note that attack strategies manifest in the cloud somewhat differently than they do on-premises. Here's a look at how four well-known types of attacks are affected by cloud environments.

1. Distributed Denial of Service (DDoS) Attacks

DDoS attacks work on a simple premise: flood a service or website with so much network traffic that the service or site effectively stops responding. DDoS attackers command a horde of botnet hosts, which send repeated requests to a target at the same time. Because these hosts number in the thousands or even millions of internet-connected machines - and can include IoT devices, as the recent Mirai botnet attacks demonstrated - traditional defenses, such as blocking a particular domain or IP range, are not effective on their own.

The strategy behind this type of attack remains the same whether the service is hosted on-premises or in the cloud. DDoS is a numbers game between an attacker's resources and a victim's computing and networking capabilities. In the cloud, your resources are elastic, so you can dynamically add capacity to absorb a sudden spike in traffic. While this provides some built-in DDoS resilience, it comes at a price: the additional cloud resources will quickly drive up your monthly bill, and an attacker who cannot take you offline can still run up your costs. Cap your autoscaling groups and set billing alarms so that an attack is noticed before the invoice arrives.

Another consideration in cloud environments is that because some resources are shared, a DDoS attack against another user's system could drain resources from your own workloads and cause your services to become slow or unavailable. However, in the shared model, CSPs are responsible for mitigating and protecting against DDoS attacks on shared infrastructure. They also protect against low-level network attacks on the cloud infrastructure as part of the shared responsibility model.

2. Exploiting Vulnerabilities

Malware infections typically start when attackers find vulnerabilities in an organization's operating systems or applications, and then exploit them to download malware and gain control of corporate networks.

A strong vulnerability management program is an essential part of minimizing the attack surface of your network environment. By proactively identifying and fixing your vulnerabilities, you can reduce the likelihood of attackers exploiting them for malicious purposes. The same is true in cloud environments.

CSPs usually provide some vulnerability management support. For example, they typically supply libraries of up-to-date, patched operating system (OS) images that users can deploy into their environments. This is a good starting point, but in the shared responsibility model, automated patching generally stops at the point of deployment: an instance launched from a patched image six months ago is six months behind unless you have been updating it. Ultimately, it is the cloud service user who is responsible for identifying and managing vulnerabilities and for patching everything above the hypervisor layer.
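As an added example (not part of the original post), here is the kind of check that the "patching stops at deployment" point calls for: compare the package versions actually installed on an instance against the lowest fixed version from an advisory feed, using Debian-style version ordering (epoch, upstream, revision; "~" sorts before everything, letters before punctuation). The package list and the advisory versions below are constructed for the example and do not correspond to real advisories; the only input format assumed is the output of dpkg-query as shown in the comment.

```python
import re

# Constructed sample: the output of
#   dpkg-query -W -f='${Package} ${Version}\n'
# on a hypothetical instance launched from a patched image and never updated.
# The versions are illustrative, not taken from real advisories.
INSTALLED = """\
openssl 1.1.0e-1
bash 4.4-2
libc6 2.24-11
"""

# Constructed sample advisory feed: package -> lowest fixed version.
FIXED_VERSIONS = {
    "openssl": "1.1.0f-3",
    "bash": "4.4-2",
    "libc6": "1:2.24-11",   # hypothetical epoch bump: looks equal, is newer
}


def _alpha_key(s):
    """Sort key for the non-digit chunks of a version, following dpkg rules:
    '~' sorts before anything (even end of string), end of string sorts
    before letters, and letters sort before other characters."""
    return [(-1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256))
            for c in s] + [0]


def _cmp_component(x, y):
    """Compare an upstream or revision string the way dpkg does: alternate
    non-digit and digit chunks, starting with a (possibly empty) non-digit chunk."""
    px = re.findall(r"(\D*)(\d*)", x)
    py = re.findall(r"(\D*)(\d*)", y)
    n = max(len(px), len(py))
    px += [("", "")] * (n - len(px))
    py += [("", "")] * (n - len(py))
    for (ax, dx), (ay, dy) in zip(px, py):
        ka, kb = _alpha_key(ax), _alpha_key(ay)
        if ka != kb:
            return (ka > kb) - (ka < kb)
        na, nb = int(dx or 0), int(dy or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian-style version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_component(ua, ub) or _cmp_component(ra, rb)


def outdated_packages(installed_text, fixed_versions):
    """Return {package: (installed, fixed)} for every installed package that is
    older than the version the advisory feed says is fixed."""
    result = {}
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        fixed = fixed_versions.get(name)
        if fixed is not None and compare_versions(version, fixed) < 0:
            result[name] = (version, fixed)
    return result


if __name__ == "__main__":
    for name, (have, want) in outdated_packages(INSTALLED, FIXED_VERSIONS).items():
        print(f"{name}: installed {have}, fixed in {want}")
```

The epoch case is the one worth noticing: a naive string comparison would treat 2.24-11 and 1:2.24-11 as the same build, while the package manager (and an attacker reading the advisory) knows the second one is newer. Run the same comparison against every instance in the account, not just the image the instances were launched from.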

3. Brute Force Attacks (Password Cracking)

The idea behind brute force attacks is to try candidate passwords until the attacker finds the one that works. These attacks persist, in part, because there are many automated tools available, along with leaked-password wordlists and precomputed hash tables, that help attackers crack accounts. In addition, users continue to be a weak link, because they often choose simple, easy-to-guess passwords.

One can argue that readily available services like Amazon Web Services Identity and Access Management (IAM) and Azure Active Directory (free tier) provide decent password security and enable extra security measures like multi-factor authentication (MFA). However, these controls only help if you actually turn them on. The real defense against password compromise is consistent credential hygiene: enforce password policies, require MFA, rotate access keys and retire unused accounts. Good hygiene in the cloud is just as important as it is on-premises, with the difference that a cloud sign-in page is reachable from anywhere on the internet.

One element that is unique to cloud computing is that the root account credentials of a cloud account - the root password and, if you create them, root access keys - can be used from anywhere on the internet, and a leaked key (for example, one committed to a public code repository) needs no further access to your network. A compromise of this credential gives attackers "the key to the kingdom," granting them control over your cloud environment and the ability to spin up cloud resources indefinitely - leaving you stuck paying the bill. There's no parallel for this type of compromise in your on-premises environment, since the resources in your data center are likely owned, static and finite. The standard advice follows directly: enable MFA on the root account, do not create root access keys at all, and do day-to-day work with individual IAM users and roles.
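The two preceding paragraphs describe the conditions worth checking for: root credentials in day-to-day use, console users without MFA, and access keys that never get rotated. The following audit is an added example written for this post, not code from the original article or from any cloud provider. It reads a CSV in the shape of an AWS IAM credential report (a subset of the real report's columns; the account ID, users and timestamps are constructed) and assumes a 90-day key rotation policy and a fixed "now" so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of an AWS IAM credential report, reduced to
# the columns used here. Account id, users and timestamps are made up.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2016-03-01T10:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-12-15T08:30:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2015-11-20T12:00:00+00:00
"""

# Fixed reference time so the example is deterministic (the post's date).
NOW = datetime(2017, 1, 26, tzinfo=timezone.utc)

# Rotation policy assumed for this example.
MAX_KEY_AGE_DAYS = 90


def audit_credential_report(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a sorted list of (user, finding) tuples.

    Findings: root account with an active access key, anyone who can sign in
    to the console without MFA (root always can, so it is checked too), and
    active access keys older than the rotation policy allows."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # password_enabled is "not_supported" for root, but root always has a password
        has_password = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        key_active = row["access_key_1_active"] == "true"

        if is_root and key_active:
            findings.append((user, "root account has an active access key"))
        if has_password and not mfa:
            findings.append((user, "console sign-in without MFA"))
        if key_active and row["access_key_1_last_rotated"] != "N/A":
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key not rotated for {age} days"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
```

The service account (deploy-bot) has no console password, so the missing MFA is not reported for it; its stale access key is. Note that every finding against `<root_account>` is one the post's "key to the kingdom" paragraph warns about, and that the fix for the first one is to delete the root key rather than rotate it.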

4. Web Application Attacks

Securing applications from attacks is clearly the responsibility of cloud users in the shared responsibility model. Web application attacks are best prevented by better coding practices - parameterized queries, output encoding, input validation - and supplemented with security technologies, such as web application firewalls (WAF) and proxy servers, which catch known attack patterns but cannot fix the underlying flaw. Today, most security vendors offer licensed products for the cloud that are similar to the products they provide for on-premises environments. Some cloud vendors have also added free tools to their offerings that defend against common attacks, such as cross-site scripting and code injection.
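To make the "better coding practices" point concrete, here is an added example (written for this post, not code from the original article) showing the two attack classes the paragraph names beside their fixes: a login query built by string formatting next to the parameterized version, and a greeting that echoes user input unescaped next to the encoded version. The in-memory SQLite table and the user record are constructed for the demo; real code would of course store a password hash, which is left out to keep the injection point in view.

```python
import html
import sqlite3


def make_demo_db():
    """Constructed in-memory table with one user; plaintext password for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: attacker-controlled text becomes part of the SQL statement.
    name = "alice' --" comments out the password check entirely."""
    query = (f"SELECT 1 FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, name, password):
    """Parameterized query: the driver binds the values, the input is never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def render_greeting_vulnerable(name):
    """Reflected XSS: the raw value is written into the HTML document."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_hardened(name):
    """Output encoding: <, >, &, quotes become entities and render as text."""
    return f"<p>Welcome, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "alice' --"
    print("vulnerable login bypass:", login_vulnerable(conn, payload, "wrong"))
    print("hardened login bypass:  ", login_hardened(conn, payload, "wrong"))
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_hardened(xss))
```

A WAF in front of this application would likely block the two payloads shown, which is exactly why it is a useful second layer; it would not block the next encoding trick an attacker tries, which is why the parameterized query and the output encoding are the actual fix.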

A Look Ahead

In Part 1, we looked at how a few of the most common attack strategies persist, are amplified, or are mitigated as assets move from the data center to the cloud. In the next installment of this three-part series on hybrid cloud security, we will examine new security challenges that are unique to cloud environments and look at what impact they have on traditional security measures and tools. Stay tuned.

