By Stefan Jakoubi, Philipp Reisinger, SBA Research
Since its inception in 2006, we have to ask continuously if cloud computing is actually secure. It is a controversial topic which causes vivid debates and led to a divide between proponents and critics, whereby both sides bring valid arguments and points to the table. Discover CEE asked Stefan Jakoubi and Philipp Reisinger from SBA Research to explain the benefits and risks, the shared responsibility model and their top three takeaways.
Shared responsibility model
A useful first step to approach cloud security is to have a look at the shared responsibility models which were created by various cloud providers like AWS or Microsoft, delegating the security responsibilities to both cloud providers and -customers. Such models take on common misconceptions – like “As the cloud customer I don’t have to think about security because my cloud provider takes care of it.” – and highlight the range of security responsibilities (which depend on the different cloud service models, from IaaS to PaaS and SaaS) that can’t be covered by the cloud provider alone.
For organizations leveraging the cloud it is crucial to understand the difference between Security of the cloud and security in the cloud as well as that the responsibility and accountability ultimately always lies with the cloud customer. Security of the cloud covers typical issues of datacenter hosting from power- and internet supply to cooling to physical and infrastructure security. Security in the cloud addresses diverse topics ranging from the secure configuration (whereby leaks due to misconfigurations in cloud services are ever increasing) and usage of the acquired cloud services to “high level aspects” like data governance, i.a. comprising the following aspects:
- what kind of data is authorized for usage and processing in the cloud;
- which security measures do I want to implement;
- which compliance and privacy requirements do I have to adhere to;
- how can we avoid Shadow-IT.
Cloud security – benefits and risks
Beside the benefits of cloud computing discussed by David Zeller in a prior post, it has to be noted that from a technological and security perspective large public cloud providers are benefitting from the economies of scale. This allows them to specialize and hire experts for niche topics, thereby achieving high maturity levels in operations, engineering and security in a very cost-efficient way. By using cloud services, we can benefit from the providers’ knowledge and capabilities which are far beyond what most SMEs and small financial institutions could achieve using in-house IT.
When looking at the challenges and risks, there are obviously far more issues than we can discuss in this blog post; thus, we want to highlight some of the most interesting aspects.
A noteworthy challenge is the power asymmetry between the cloud provider and the customer, including the usually very limited negotiation power. If hosting applications on your own in-house infrastructure and with your own teams, there is much more direct control, flexibility and the possibility to implement “special” demands and wishes. Power asymmetry is furthermore tightly related to the topic of vendor lock-in, a risk which always exists in cloud environments and has the potential to make switching the provider or exiting the cloud prohibitively expensive or outright impossible.
In this context, we have to point out that exit strategies are oftentimes overlooked resp. ignored in willful blindness. There are multiple scenarios involving cloud provider outages, failures (see for example Lloyd’s Emerging Risk Report 2018 – Cloud Down Impacts on the US economy – Appendix A. Historical cloud events) or insolvencies in which such a strategy proves to be very valuable. Another critical scenario which is rarely considered despite incidents in the past are ongoing attacks due to which a cloud customer could become a liability for the cloud provider, causing them to discontinue their service. On a similar note, compliance issues – for instance in the case of economic sanctions against specific countries – may also cause disruptions in cloud services.
There has always been debate whether centralization or decentralization is the better approach to tackle security challenges. While centralization enables easier system management and oversight, it does create a “single point of failure/attack”. Decentralization is much “messier” and harder to handle from a cooperation- and communication perspective, but since the term resilience is now being used almost ubiquitously, we might recall that the Internet was founded on the ideas of the decentralization of power and avoidance of monopolies.
Contrary to this, most of today’s cloud market is composed of just a few very big players; from a societal point of view, their power and market dominance is cause for great concern. In the supply chains of financial institutions and enterprises in all verticals, there is a big and continuously increasing dependence on these quasi-monopolists. In acknowledging the importance of this topic, the Financial Stability Board issued a report investigating the potential financial stability risks caused by third-party dependencies in cloud services. In addition, Zurich Insurance took a look at the systemic risks and potential for cascading failures caused by this concentration and interconnectedness back in 2014.
Discussions regarding the cloud providers’ capabilities to isolate customers from each other when hosting them on the same infrastructure are taking place since the beginning of cloud computing. However, they gained considerable momentum with the discovery of microprocessor level vulnerabilities like Meltdown and Spectre in 2017, urgently highlighting the impact of isolation failures in multi-tenant environments.
A further interesting challenge is related to the well-known fact that the cloud is attractive because it provides computing resources as a commodity. This is not only appreciated by business- and private customers but also cyber criminals and botnet operators who are leveraging cloud services and may even benefit from the trust which is put into certain IP addresses and networks. For example, in early 2020 a DDoS Service operator leaked the credentials of half a million IoT devices; when asked about it, he stated that his model relies on renting high-output servers from reputable cloud service providers.
Our responsibility: How can each individual contribute to cloud security?
By using the appropriate technologies and their expertise, our IT departments can secure data and cloud environments to a certain extent. However, technology has its limits; it is up to us to act responsibly and in a security-aware way.
Even in 2020, passwords are still a huge issue. They grant access to our digital identities and, thus, to our digital crown jewels: our (secret) data. Weak passwords (less than 10 characters, low complexity) are quite easy to crack, leading i.a. to compromised or leaked data. Also, using the same password for multiple (web) applications enables attackers to easily ‘travel’ within your systems. A password manager (such as KeePass, a freely available tool) helps to generate and use multiple strong passwords.
Furthermore, awareness regarding social engineering, e.g. Spear Phishing, is crucial. If somebody asks you for your password or to follow a link to re-enter your credentials, your alarm should go off immediately. First make a sanity check yourself (Is the e-mail content meaningful? Are the links suspicious?), and if you are still unsure, contact your support- or security team on a different channel than outlined in the suspicious e-mail.
Multi-factor-authentication (MFA) is nowadays crucial for securing your credentials. It should be as common for all logins etc. as in the case of e-banking transactions (e.g. receiving token via SMS or using an authenticator app). If your credentials have been stolen, the attacker is still missing this second factor; moreover, in some cases you might be alerted of the breach through e.g. receiving an SMS token you obviously did not request.
The sharing of data and/or links can become a boomerang in cloud environments. Sometimes, we might be feeling “patronized” by our IT department regarding if and how we are allowed to share data with third parties. Here, it might help to better understand the mindset of IT- and security professionals:
In traditional non-cloud-environments, the unintentional sharing of a link to internal data usually had no impact. In the worst-case scenario, an external party received a link to an internal resource (e. g. a Word file), but could not connect to the company’s network due to technical access restrictions. In cloud-environments, this game has changed dramatically and opened a wide range of entry points for malicious attackers. In such situations, i. e. when we feel that we cannot control an issue, we generally tend to impose limitations in order to reduce the (residual) risk. While users might feel hindered in their work, security professionals and other persons responsible are just seeking to comply with policies and regulations (e. g. EU’s GDPR). Although there are concepts like “data governance” or “cloud access security brokers” in place, we must admit that even in 2020 we are still not where we should be with respect to a balance between security (awareness) and usability.
When we feel hindered in our daily work, we understandably tend to search for alternatives to make our lives easier. In what is called “Shadow IT”, we bypass managed and/or approved IT infrastructure. In the cloud context, this means using unapproved cloud services which might lead to compliance violations when it comes to classified information. The potential impacts might be massive, e. g. EU GDPR violations when not adequately protecting personal identifiable information (PII) or transferring personal data outside of the EU. From an information security perspective, it is totally unclear whether unapproved cloud service providers fulfill all security requirements to protect the classified data.
Let us ask again: Is cloud computing secure? As it is so often the case, there are no simple answers; the real world is volatile, uncertain, complex and ambiguous. From our perspective and experience as a research center, it is essential to approach cloud computing and its opportunities in an open-minded and pragmatic way, while at the same time being aware of its unique challenges and risks. For each and every one of us, it is paramount to embrace our own security responsibilities and accountability.
Our top three takeaways:
- Be clear about (shared) responsibilities. At least you are responsible how you handle data in the cloud.
- Be aware of today’s security risks. Spear Phishing, the risk of data sharing and other scenarios should be permanently kept at the back of your mind.
- Adhere to basic security measures. Strong passwords, multi-factor-authentication (MFA) and the usage of a password manager should be normal.
Stefan Jakoubi is part of the Management Board at SBA Research. As head of Professional Services, he is responsible for all consulting related activities within SBA Research.
Philipp Reisinger is information security consultant at SBA Research and lecturer at FH St. Pölten.
SBA Research is a research center for Information Security located in Vienna and funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.