Cloud security, or cloud computing security, is a branch of cybersecurity that focuses on protecting cloud-based data, applications, and infrastructure from cyber threats. This includes keeping the data private and safe across cloud-based platforms. Securing such systems requires the efforts of both the cloud provider and the clients that use them.
At its heart, cloud security is a bundle of technology, protocols, and best practices that aim to protect the cloud environments, applications running in the cloud, and data held in the cloud. The very first step of understanding cloud security is to understand what exactly is protected. The following figure illustrates what resides in a typical cloud environment.
These components need to be protected, and the ownership of protection can vary. Some of these components need to be protected by the provider while the security of others needs to be managed by the client. This practice is called the shared responsibility model and it outlines the responsibilities and their owners. As it is a non-standardized model, enterprises and customers using cloud services must understand which security responsibilities are theirs, and which ones belong to the providers.
The responsibility of cloud security is shared between the provider and the customer. The most popular cloud providers are Amazon Web Services (AWS), Azure Cloud, and Google Cloud Platform (GCP), all of which follow the shared responsibility model. There are responsibilities that are always carried by the providers or customers, and some responsibilities depend on the service model. The model basically describes that while the providers are responsible for the security of the cloud, the customer is responsible for the security in the cloud.
Ensuring the safety of the infrastructure, as well as configuring and patching the physical network that runs the compute instances, is always the provider’s responsibility. The customers are in control of what security they choose to implement on their own systems, just like in an on-site data center. Security of cloud accounts, encryption of data, identity and access management, and compliance are always the customer’s responsibility. For example, AWS has full responsibility to keep its data centers secure. Likewise, the customer is responsible for the security of their AWS EC2 instances.
To sum up, it can be concluded that providers are responsible for services that the customer cannot directly access, and the customer is responsible for the security of every other service that they use and have access to.
Cloud computing security differs based on the category of cloud service (public, private, or hybrid) and on who operates it:
- Public cloud services operated by a public cloud provider: These include software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS).
- Private cloud services operated by a public cloud provider: These offer a computing environment dedicated to one customer. Only that customer can use the environment but it is operated by a third party.
- Private cloud services operated by internal staff: This type is the evolution of the traditional data center. The internal staff operates a virtual environment they control.
- Hybrid cloud services: In this type, the private and public cloud computing configurations are combined. It involves the internal staff, and optionally a public cloud provider.
When a public cloud provider is involved, they can act on the services they provide, but not on how the customers use them, what data they keep on them, or who has access to the resources. The practices of the customer can weaken the security. The responsibilities of the parties differ in each cloud service type:
- In Software-as-a-service (SaaS), customers are responsible for securing their data and user access.
- In Platform-as-a-service (PaaS), customers are responsible for securing their data, user access, and applications.
- In Infrastructure-as-a-service (IaaS), customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic.
In all types, the customer is responsible for their own data and who can access it.
To fully benefit from what cloud computing offers, adopting appropriate security practices is crucial. All users must ensure that they have complete confidence in their cloud security, they protect their data, and they control who can access the resources. All cloud environments are susceptible to threats, and therefore as risky as traditional IT environments. They also offer all functionality of traditional IT security.
There are many benefits of implementing sufficient cloud security:
- Centralized Security: Cloud security centralizes protection. Traffic analysis, web filtering, and monitoring of network events are easier when done centrally, and centralization results in fewer software and policy updates. Disaster recovery plans can also be implemented more easily.
- Reduced Costs: Cloud security eliminates the need to invest in dedicated hardware. It reduces capital expenditure and administrative overheads. Proactive security features with little or no human intervention are offered.
- Reduced Administration: All security administration happens in one place. Once configured, the security controls are fully managed on your behalf.
- Reliability: With the right security measures implemented, availability is ensured. Users can safely access data within the cloud wherever they are and whatever device they are using.
As cloud adoption grows, business-critical applications and data migrate to trusted cloud service providers. Most of them offer standard cybersecurity tools, but there may be differences and cybersecurity gaps between what is offered by the tools and what the enterprise requires. This increases the risk of data theft and loss. No organization or provider can eliminate all security threats. Implementing the right cloud security mechanisms and policies is critical to prevent breaches and data loss.
Cloud security is important from the customer side. To understand why, we can look at Tesla’s case. Tesla was subject to an attack on their cloud computing resources in 2018, which the attackers used to carry out cryptojacking activities. Attackers gained access to Tesla’s Kubernetes admin console, which exposed Tesla’s AWS credentials. With those credentials, they could access non-public resources of Tesla’s cloud environment.
Kubernetes consoles were known for several vulnerabilities. Before this attack, both researchers monitoring the cloud and Tesla found out that hundreds of consoles had leaked credentials to other applications. The researchers published findings of how some of Tesla's AWS cloud infrastructure was running mining malware. When the infection was disclosed to Tesla, the company quickly moved to act against the intruders. The initial investigation indicated that data exposure was minimal, but the incident shows how serious this kind of threat is.
Microsoft’s Azure Cosmos DB is a NoSQL database service that was found to be vulnerable to a misconfiguration in the architecture of the database service that allows attackers to download or edit data in the database. This flaw could grant a malicious party access keys to steal, edit or delete sensitive data. Cybersecurity company Wiz reported the issue recently. They believe the vulnerability existed for at least several months before Microsoft responded to it. According to Wiz, Microsoft disabled the vulnerable feature within 48 hours of their report.
The company issued a report with some details on the vulnerability in Cosmos DB’s data visualization feature, Jupyter Notebook, which is automatically turned on for Cosmos DB users. The report states that the notebook container allowed privilege escalation into other customers’ notebooks, resulting in attackers gaining access to primary keys and other sensitive information and obtaining full administrative access to the data stored in the affected accounts. The attacker could control the customer’s Cosmos DB directly from the internet, with full read/write/delete permissions.
Microsoft Security Response Center said that their investigation indicates that no customer data was accessed through this vulnerability by third parties or security researchers. They sent notifications to customers that could potentially be affected, advising them to regenerate their primary read-write key. Thousands of users were notified to manually rotate their keys.
ScoutSuite is an open-source multi-cloud security-auditing tool that uses the APIs exposed by cloud providers. The tool supports AWS, Azure, and GCP. It gathers configuration data for manual inspection, highlights risk areas, and presents a clear view of the attack surface. To use it, the tool just needs to be installed and run from the CLI with credentials for a cloud account that is currently reachable. After inspection, it produces an HTML report that contains all findings on all services. Once generated, the report can be viewed offline. An example report overview is shown below:
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. It can scan all the policies in an AWS account or a single policy file. It helps prioritize the remediation process by flagging IAM policies that present the following risks: data exfiltration, infrastructure modification, resource exposure (the ability to modify resource-based policies), and privilege escalation.
Privilege escalation means that the policy allows IAM actions that let the user escalate their privileges, such as creating another access key or modifying what they can do on the account. Resource exposure means that the user can modify resource-based policies, such as those managed through AWS Resource Access Manager. Data exfiltration covers policies that can access certain read-only resources without constraints, such as Secrets Manager and S3. Credential exposure means that users with these policies can perform actions like updating access keys.
Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services, as they can present greater risk than user-defined roles, especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers or attackers under various scenarios. An example summary of the report is shown below:
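To make the four risk categories concrete, here is an added example (not Cloudsplaining’s own code) that triages an IAM identity policy into privilege escalation, resource exposure, data exfiltration and credential exposure, and lists which AWS compute service principals a role’s trust policy lets assume it. The action sets are a small hand-picked subset chosen for illustration, and both sample policies are constructed (the account ID is the AWS documentation example 111122223333).

```python
"""Simplified IAM policy risk triage using Cloudsplaining's four categories.

Added example; this is not Cloudsplaining's own code. The action sets are a small
hand-picked subset chosen for illustration (the real tool uses a full catalogue
of IAM actions), and the sample policies are constructed.
"""
import fnmatch

# Actions that let a principal grant itself more permissions (illustrative subset).
PRIV_ESC_ACTIONS = {
    "iam:CreateAccessKey", "iam:PutUserPolicy", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
    "iam:PassRole", "sts:AssumeRole",
}
# Actions that modify resource-based policies (resource exposure).
RESOURCE_EXPOSURE_ACTIONS = {
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "kms:PutKeyPolicy",
    "lambda:AddPermission", "sns:AddPermission", "ram:CreateResourceShare",
}
# Read actions on data stores; risky only when the Resource element is unconstrained.
DATA_EXFIL_ACTIONS = {
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "ssm:GetParametersByPath", "dynamodb:Scan",
}
# Actions that mint or change credentials.
CREDENTIAL_EXPOSURE_ACTIONS = {
    "iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "sts:GetFederationToken",
}
KNOWN_ACTIONS = PRIV_ESC_ACTIONS | RESOURCE_EXPOSURE_ACTIONS | DATA_EXFIL_ACTIONS | CREDENTIAL_EXPOSURE_ACTIONS
# Service principals of AWS compute services whose roles deserve extra scrutiny.
COMPUTE_SERVICES = {"ec2.amazonaws.com", "lambda.amazonaws.com",
                    "ecs-tasks.amazonaws.com", "eks.amazonaws.com"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(patterns, known_actions=KNOWN_ACTIONS):
    """Expand wildcard actions such as 's3:*' or '*' against the known catalogue."""
    found = set()
    for pattern in _as_list(patterns):
        found.update(a for a in known_actions if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return found


def assess_policy(policy):
    """Return {category: sorted actions} for every Allow statement in an identity policy."""
    findings = {"PrivilegeEscalation": set(), "ResourceExposure": set(),
                "DataExfiltration": set(), "CredentialExposure": set()}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = expand_actions(stmt["Action"])
        unconstrained = "*" in _as_list(stmt.get("Resource", "*"))
        findings["PrivilegeEscalation"] |= actions & PRIV_ESC_ACTIONS
        findings["ResourceExposure"] |= actions & RESOURCE_EXPOSURE_ACTIONS
        findings["CredentialExposure"] |= actions & CREDENTIAL_EXPOSURE_ACTIONS
        if unconstrained:  # reads scoped to specific ARNs are not flagged
            findings["DataExfiltration"] |= actions & DATA_EXFIL_ACTIONS
    return {k: sorted(v) for k, v in findings.items() if v}


def compute_assumable_by(trust_policy):
    """List the AWS compute service principals allowed to assume a role."""
    services = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return sorted(services & COMPUTE_SERVICES)


# Constructed sample: an over-broad developer policy (example account ID 111122223333).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:GetSecretValue"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::111122223333:user/${aws:username}"},
        {"Effect": "Allow", "Action": "ssm:GetParameter",
         "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/*"},
    ],
}
# Constructed sample: trust policy of a role attached to EC2 instances.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for category, actions in assess_policy(SAMPLE_POLICY).items():
        print(f"{category}: {', '.join(actions)}")
    print("Assumable by compute services:", compute_assumable_by(SAMPLE_TRUST))
```

Note the asymmetry that Cloudsplaining’s categories encode: `ssm:GetParameter` scoped to one parameter path is not reported as data exfiltration, while the same read actions combined with `"Resource": "*"` are; privilege escalation and resource exposure actions are reported regardless of the resource scope, because the resource they act on is itself a policy.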
Cloudmapper helps us analyze AWS environments. The tool was originally used to generate network diagrams. Now, it can also be used for security auditing. It offers several commands that can be used to:
- Check for potential misconfigurations,
- Collect metadata about an account,
- Look at IAM policies to identify admin users and roles, or principals with specific privileges,
- Look for unused resources in the account,
- Prepare network visualizations,
- Find public hosts and port ranges,
- Get IP locations,
- Show counts of resources for accounts,
- Generate an HTML report,
- Generate an HTML report for the IAM information of the account.
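As an added example of the kind of analysis behind Cloudmapper’s “find public hosts and port ranges” and misconfiguration checks (this is not Cloudmapper’s own code), the script below takes data in the shape returned by `aws ec2 describe-security-groups` and `describe-instances`, lists every ingress rule whose source is not a private range, and maps each instance with a public IP to the port ranges reachable from the internet. The security groups and instances are constructed for the example, using the documentation address range 203.0.113.0/24 for the public IP.

```python
"""Find internet-exposed hosts and port ranges from AWS API-shaped data.

Added example in the spirit of Cloudmapper's public-host and misconfiguration
checks; it is not Cloudmapper's own code. Input shapes follow the output of
`aws ec2 describe-security-groups` and `describe-instances`, but the data
below is constructed for the example.
"""
import ipaddress

# Private ranges: RFC 1918 for IPv4, unique local addresses for IPv6.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Remote-administration ports; exposure of these is rated higher.
ADMIN_PORTS = {22, 3389, 5985, 5986}


def is_internet_cidr(cidr):
    """True unless the CIDR lies entirely inside a private range (0.0.0.0/0 and ::/0 are public)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)


def port_range(perm):
    """Return (from, to) for an IpPermission; protocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def internet_open_rules(security_groups):
    """List every ingress rule whose source is not a private range."""
    rules = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_internet_cidr(cidr):
                    continue
                lo, hi = port_range(perm)
                rules.append({
                    "GroupId": sg["GroupId"],
                    "Protocol": perm.get("IpProtocol"),
                    "Ports": (lo, hi),
                    "Source": cidr,
                    "Severity": "high" if any(lo <= p <= hi for p in ADMIN_PORTS) else "medium",
                })
    return rules


def public_hosts(instances, security_groups):
    """Map each instance with a public IP to its internet-open port ranges."""
    open_by_group = {}
    for rule in internet_open_rules(security_groups):
        open_by_group.setdefault(rule["GroupId"], []).append(rule)
    hosts = []
    for inst in instances:
        ip = inst.get("PublicIpAddress")
        if not ip:  # no public address: not reachable from the internet directly
            continue
        exposed = []
        for sg in inst.get("SecurityGroups", []):
            exposed.extend(open_by_group.get(sg["GroupId"], []))
        hosts.append({"InstanceId": inst["InstanceId"], "PublicIp": ip,
                      "Exposed": sorted(exposed, key=lambda r: r["Ports"])})
    return hosts


# Constructed sample data (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]
INSTANCES = [
    {"InstanceId": "i-web1", "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-db1", "PrivateIpAddress": "10.0.1.5", "SecurityGroups": [{"GroupId": "sg-db"}]},
]

if __name__ == "__main__":
    for host in public_hosts(INSTANCES, SECURITY_GROUPS):
        for rule in host["Exposed"]:
            lo, hi = rule["Ports"]
            print(f"{host['InstanceId']} {host['PublicIp']} {rule['Protocol']} {lo}-{hi} "
                  f"from {rule['Source']} [{rule['Severity']}]")
```

The private-range test is written explicitly rather than relying on `ipaddress`’s `is_private`, because that property is evaluated on the network’s first and last address and gives inconsistent answers for 0.0.0.0/0 across Python versions. Running the script on the sample reports only `i-web1`: HTTPS open to the world on IPv4 and IPv6, and SSH open to the world, which is the rule a reviewer would tighten first.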
Prowler is a CLI tool that helps with AWS security assessment. It follows the CIS AWS Foundations Benchmark, has checks covering AWS best practices, and has many additional regulation checks. Some examples are IAM, CIS levels 1 and 2, networking, monitoring, GDPR, HIPAA, PCI-DSS, etc. Prowler can:
- Produce reports of different color schemes,
- Produce reports in different file formats,
- Send findings directly to AWS Security Hub,
- Check multiple AWS accounts sequentially or in parallel.
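To show what a benchmark-style scanner of this kind does internally, here is an added example (not Prowler’s own code, and it calls no AWS API): a handful of checks on the themes of the CIS AWS Foundations Benchmark (root MFA, root access keys, password-policy length, multi-region CloudTrail) run across several account snapshots, either sequentially or in parallel, with findings rendered as JSON or CSV. The account snapshots are constructed; in a real run the same fields would come from the IAM and CloudTrail APIs.

```python
"""Minimal CIS-style account checks with multi-account, multi-format output.

Added example illustrating the kind of checks Prowler runs; it is not Prowler's
own code and uses no AWS API. Each 'account' is a constructed snapshot holding
the data the checks need (root user state, password policy, CloudTrail trails).
"""
import csv
import io
import json
from concurrent.futures import ThreadPoolExecutor


def check_root_mfa(acct):
    return acct["root"]["mfa_enabled"]


def check_root_no_access_keys(acct):
    return not acct["root"]["access_keys"]


def check_password_min_length(acct):
    return acct["password_policy"].get("MinimumPasswordLength", 0) >= 14


def check_cloudtrail_all_regions(acct):
    # A multi-region trail that is actually logging covers every region.
    return any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in acct["trails"])


# (check id, description, severity, function); descriptions paraphrase CIS AWS Foundations themes.
CHECKS = [
    ("iam_root_mfa", "MFA is enabled for the root user", "critical", check_root_mfa),
    ("iam_root_no_keys", "No access keys exist for the root user", "critical", check_root_no_access_keys),
    ("iam_password_length", "Password policy requires at least 14 characters", "medium", check_password_min_length),
    ("cloudtrail_multiregion", "A logging multi-region CloudTrail trail exists", "high", check_cloudtrail_all_regions),
]


def assess_account(acct):
    """Run every check against one account snapshot and return finding rows."""
    return [{"account": acct["id"], "check": cid, "description": desc, "severity": sev,
             "status": "PASS" if fn(acct) else "FAIL"}
            for cid, desc, sev, fn in CHECKS]


def assess_accounts(accounts, parallel=True):
    """Scan several accounts sequentially or in parallel; order of results is preserved."""
    if parallel:
        with ThreadPoolExecutor(max_workers=4) as pool:
            per_account = list(pool.map(assess_account, accounts))
    else:
        per_account = [assess_account(a) for a in accounts]
    return [row for rows in per_account for row in rows]


def render(findings, fmt="json"):
    """Serialise findings as JSON or CSV, the two formats most tooling ingests."""
    if fmt == "json":
        return json.dumps(findings, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(findings[0]))
        writer.writeheader()
        writer.writerows(findings)
        return buf.getvalue()
    raise ValueError(f"unsupported format: {fmt}")


def failed(findings):
    return [f for f in findings if f["status"] == "FAIL"]


# Constructed account snapshots: 'prod' is compliant, 'dev' has three gaps.
ACCOUNTS = [
    {"id": "prod", "root": {"mfa_enabled": True, "access_keys": []},
     "password_policy": {"MinimumPasswordLength": 14},
     "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True}]},
    {"id": "dev", "root": {"mfa_enabled": True, "access_keys": ["AKIA-EXAMPLE-PLACEHOLDER"]},
     "password_policy": {"MinimumPasswordLength": 8},
     "trails": [{"Name": "local-trail", "IsMultiRegionTrail": False, "IsLogging": True}]},
]

if __name__ == "__main__":
    results = assess_accounts(ACCOUNTS, parallel=True)
    print(render(results, "csv"))
    print(f"{len(failed(results))} failing checks")
```

The `(id, description, severity, function)` table is the part worth copying: adding a control is one more row, the report columns never change, and the same rows can be pushed to Security Hub or any other sink by swapping `render`.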
In this blog post, we’ve summarized what cloud security is, what the shared responsibility model consists of, and why we need cloud security. We also shared two different examples of cloud security cases and four useful cloud security audit and risk assessment tools with you. We hope you enjoyed it!
Check out our Cloud Security services to stay safe in the cloud!