Security is a big topic that requires more than a single post. Yet, let’s start by saying that professional clouds are very secure, more so than your own data center. In the first place, because security is the business of the service providers: if these clouds did not offer a very high level of security, they would have no customers. Then, because they have tools to analyze and prevent attacks well above the average. Their exposure is such that they are the target of permanent attacks, so they are better prepared for all contingencies.
Basic Security Concepts
To benefit from the safety of cloud services, it seems essential to know what we’re talking about. Three main concepts define information security: privacy, integrity, and availability. Non-repudiation is sometimes added.
As per ISO/IEC 27001, privacy is defined as the “right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom the information may be disclosed”. The identification of users, the rights they hold and the encryption of information play a major role in protecting access to information.
Integrity means that the information is complete and accurate. This also means that it cannot be modified by chance, unexpectedly or maliciously. Generally, the traceability of changes, the continuous backup of previous versions and checksums are there to guarantee the integrity of information.
Availability means that access to information is possible within the limits defined by its owner. In the case of the cloud, we have seen that availability is the subject of a precise classification. To this, access time may be added, which may be defined according to the type of information (archived data may, for instance, take longer to retrieve than “live” data).
Non-repudiation is a legal feature, generally a subset of integrity. It means first that the sender and receiver of information are who they claim to be. Second, that the information sent is consistent with the information received, and has thus not been altered. The mechanism of digital certificates is generally used and accepted by courts to prove non-repudiation. The owner of a certificate must be able to guarantee the security (integrity, confidentiality, and availability) of its private key. This is where mechanisms such as smart cards play a major role.
What are we protecting ourselves from? Usually, the first answer that comes to mind is data theft. For an organization, this may mean theft of intellectual property, theft of customer data or loss of reputation. For an individual, it’s access to their bank accounts, usurpation of their identity or publication of confidential information to harm them.
As Eric Schmidt, former CEO of Google, said: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Easy to say, especially when it concerns confidential information which is not intended to be broadcast. Beyond the question of where information is stored, the question is: is it safer in the cloud, on a company server or on my personal computer? We will come back to this question.
The other threat is the destruction of information. This is the case with some viruses which ‘just’ destroy everything with the intent to harm. It is in these moments that one realizes that the backups that were made are neither comprehensive nor accessible. Famous Murphy’s law!
Finally, in recent years, a growing threat is ransomware. This practice consists of stealing data or encrypting it, then asking its owners for a ransom to get it back or to obtain the encryption key. This type of attack is growing from year to year. According to Kaspersky Lab, twenty percent of victims who pay do not recover their files. So, the question is: should we pay?
What do we need to do to protect ourselves from these threats? Computer security experts and security solution vendors recommend several actions:
Protect yourselves. This seems like common sense, but it is easier said than done. While the attack surface increases, threats evolve and user awareness lags, putting the entire system in danger.
Assess the risks and the costs. Security has costs and consequences. It is not possible to protect everything unless you live in a total vacuum. You should assess the risk of data loss or theft, and take appropriate measures.
Classify information. I dig deeper into this topic in Chapter 4, Legislation. Classifying data allows you to know what is public and what isn’t, what is confidential and what is less so. This allows implementing security rules based on the data being processed.
Put in place best practices. Human beings are often the weakest link. Identity theft is more and more the entry point to information theft. To limit these risks, an identity protection policy needs to be set up through strong passwords or multi-factor authentication.
What about the data center in all this?
Now that we have defined the basic concepts and have a sense of the threats that target our information, let’s look at the security of the data center. If we want to protect our information and ensure maximum security, we must first look at the attack surface of our system.
The Attack Surface
The collection of all points of entry and points of communication with the outside world defines the attack surface of a computer system. On any accessible system, it is generally large and must be known. There are generally four types of attack surface:
The network attack surface: open ports on routers and firewalls, public IP addresses, network protocols in use and available…
The software attack surface: entry forms, operating system, services running on the servers, administration interfaces…
The human attack surface: the reaction of the user to all solicitations that require an answer, by clicking on a link, opening an attachment or clicking on a button. Phishing or social engineering requires these actions, for instance.
The physical attack surface: do not forget that a data center is a physical place. Do not overlook the physical theft of data. Is physical access to the system restricted, as well as the use of hardware like USB drives or DVDs? Note also that, according to McAfee, more than 40 percent of data theft is still done by physical means.
It is accepted that the bigger the attack surface, the bigger the risk. One of the accountabilities of your Security Department should be to reduce this surface to a minimum. It is essential to draw up a precise mapping of this attack surface to protect all points of entry.
An article from Microsoft sheds some light on the attack surface and the ways of reducing it. A point that seems important concerns what is behind an entry point. Indeed, an open port, for instance, can sometimes be useful. Behind this port, we may find services like web servers or applications like WordPress or SharePoint. Each page of these applications can be an entry point for a code injection. A detailed understanding of each of these points of entry and their potential vulnerabilities is crucial.
The concept of “defense in depth” thus becomes sensible. Indeed, why protect the physical and logical perimeter of the data center if the applications running inside are not protected? I do not intend here to address in detail the security of information systems and software, but to make you realize that security is neither an empty word nor a simple notion. It requires real skills. An outside organization should audit it to ensure its quality.
Software security flaws
All human work has errors and flaws, and no software is free from them. A simple internet search about software security flaws brings back thousands of links. Searching for “security update” on the Microsoft, Oracle and Red Hat websites returns several hundred articles. No vendor is immune, and the same goes for Open Source, despite the often contrary position of proponents of free software. My point is not to oppose open source to proprietary software, but to draw attention to good practices in managing software security vulnerabilities.
Do you remember Heartbleed, back in 2014? This flaw in the OpenSSL library affected millions of web servers, including those of service providers like Facebook, Google or Dropbox. Any user logged in to a compromised server was unknowingly at risk because exploitation of the flaw left no trace. Once servers had been patched, users should have changed their passwords to avoid identity theft.
So is the cloud secure?
It is obvious that WikiLeaks, Russian online involvement in the American presidential campaign and many other stories do not help the impression that the cloud is secure. Now, of course, the media are not interested in the billions of transactions happening safely every day, but only in the ones that make a great cover story. Where does this feeling come from that the cloud is not secure and that, de facto, my data is safer when stored locally?
Let’s start with some statistics to support this feeling. According to a June 2016 study from IBM and the Ponemon Institute:
The average cost of data theft is four million dollars.
This cost has increased by 29% compared to 2013.
48% of data thefts are the work of attackers (37% in South Africa); the rest is due either to human error or to system error.
Let’s add more!
According to NetIQ, 70% of companies interviewed have been the victims of a cyber-attack in 2014.
According to Verizon, 80% of successful attacks involve a server or a personal computer.
Still according to Verizon, breaking into the network takes only a few minutes, while the actual data theft takes a few days.
Shall I stop? You’ll find tons and tons of other stories and statistics on the internet. So, what is the conclusion? Lock yourself up in your house, pull the curtains, disconnect from the internet and wait for the end of the world… Of course, that is impossible and not desirable! Finally, one last statistic, mine: 100% of the clients who were certain to be safe had one or more exploitable flaws. No one, I say it clearly and I repeat, no one is safe from a security breach.
In order to get rid of this urban legend almost definitively, let’s go back to the foundation of open systems interconnection, the OSI model.
OSI and TCP-IP models
The OSI model (Open Systems Interconnection) describes the functionalities required for computers to communicate. Supplanted in the eighties by the TCP/IP model, the foundation of the Internet, it still serves as a reference in discussions about communication between computers. We should also extend the word computer to any connected object. With the Internet of Things (IoT), a connected object cannot be compared to a computer, although its connection to the Internet or to a private network uses the same technological building blocks.
Why return to these basic elements? To bring to the front of the scene the concept of defense in depth, which consists in securing all components of a system. Let’s consider a few common-sense questions:
Why bother installing a firewall that filters network access if passwords are not subject to any policy?
Why bother securing physical access to the data center if data is stored in plaintext, without encryption, on hard disks?
Why bother implementing two-factor authentication if the web servers are not patched and allow SQL code to be injected into the database?
Why bother adding anti-virus and anti-malware if mobile devices that access applications from the Internet are not subject to a security policy forcing them to use the latest security patches?
I could go on, but you should understand the purpose of defense in depth. I usually summarize it in the following way: why bother installing a reinforced door, adding an alarm and putting your valuables in a safe, if you leave a window open while going on vacation? The security of a network and a data center is defined by its weakest link, just like the strength of a steel chain!
Now that we have asked these few common-sense questions and put the OSI and TCP/IP models back on the table, can you make an honest assessment of your data center at each layer of the model and compare it to that of your potential cloud service provider’s data center?
I can bet that you will not be able to match the security level of the service provider. Start by looking at the certifications the provider complies with. I propose the following seven elements to make an objective comparison:
Physical access to the data center: access control, monitoring, alarm…
Physical protection of data: resistance to disasters (water, fire…), data redundancy, response procedure in case of theft…
Logical access to the network: password policy, access control, access rights, filtering (user, application, hardware), logging…
Monitoring, protection, and detection: intrusion detection, intrusion prevention, and intrusion response systems, packet monitoring firewall, anti-virus, anti-malware update…
Independent audit and certification: annual security audit by a trusted third party, penetration testing (white-hat hacking)…
Business continuity procedures: hot and cold recovery sites, recovery or business continuity plan, software update procedures…
End-to-end encryption: encryption of communications and stored data, use of digital certificates…
You can make a two-column table for each of the previous items by listing what you have on premises and what the provider offers you as standard or as an option. These lists are generally rich in lessons and will help you decide in all honesty which of your data center or that of your provider is the most secure. The best is often the enemy of the good, as my physics teacher loved to repeat, but no one is immune to information piracy any longer. Whatever the industry in which you work, your customers will never like the information you store about them to be exposed to the public, and you will never like to expose your company’s information to the public, whatever it may be.
So is the cloud secure? The last word goes to the CEO of a bank on his way out of a visit to the Microsoft data center in Quincy, one of the world’s largest: “I now understand why the bank’s data may be safer here than the gold in our safe”.