The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices that help ensure a secure cloud computing environment. In 2016, the CSA released the ‘Treacherous 12: Top Threats to Cloud Computing + Industry Insights’ article to give readers a real-world glimpse into what is currently occurring in the security industry. InstaSafe has published a refreshed release of the 2016 article that includes new real-world anecdotes and examples of recent incidents relating to each of the 12 cloud computing threat categories identified in the original paper.
“It’s our hope that these updates will not only provide readers with a more relevant context in which to evaluate the top threats, but that the enhanced article will provide them with a real-world glimpse into what is currently occurring in the security industry.”
Data breaches and enabling of attacks can occur because of a lack of scalable identity access management systems, failure to use multi-factor authentication, weak password use, and a lack of ongoing automated rotation of cryptographic keys, passwords and certificates.
Credentials and cryptographic keys must not be embedded in source code or distributed in public-facing repositories such as GitHub, because there is a significant chance of discovery and misuse. Keys need to be appropriately secured, and a well-secured public key infrastructure (PKI) is needed to ensure key-management activities are carried out.
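A minimal pre-commit style check for the embedded-credential problem described above, added here as an example; it is not code from the article, from InstaSafe or from the CSA. It looks for two public credential formats (the AWS access key id layout and a PEM private-key header), a heuristic `password/secret/token = "…"` assignment, and otherwise applies a Shannon-entropy test to long quoted literals so that random-looking strings are reported while filler strings are not. The pattern list, the entropy threshold and the sample source lines are constructed for this example, and the key id in the sample is AWS’s documented placeholder value, not a live credential.

```python
import math
import re
from collections import Counter

# Well-known credential formats. The AWS access key id layout (AKIA + 16
# upper-case alphanumerics) and the PEM private-key header are public formats;
# the assignment pattern is a heuristic chosen for this example.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]

# A quoted literal of 20+ base64/hex-like characters is a candidate for the
# entropy test; random-looking strings score high, filler strings score low.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")

# Constructed sample source file. Line 3 uses AWS's documented example key id
# (AKIAIOSFODNN7EXAMPLE), line 5 shows the acceptable pattern of reading a
# secret from the environment, line 8 is a long but low-entropy placeholder.
SAMPLE_SOURCE = """\
import os
# constructed sample: the documented AWS example key id, not a live credential
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
api_key = os.environ["API_KEY"]
-----BEGIN RSA PRIVATE KEY-----
session_salt = "x9Q2vL7pK3mR8nT4wB6yZ1cF5hJ0dG"
placeholder = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_number, finding_kind) for every line that looks like it
    carries an embedded credential. A pattern hit takes precedence over the
    entropy heuristic, so each line is reported at most once."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
                break
        else:
            # No known format matched: fall back to the entropy test.
            for literal in QUOTED_LITERAL.findall(line):
                if shannon_entropy(literal) >= min_entropy:
                    findings.append((lineno, "high_entropy_literal"))
                    break
    return findings


def scan_sample():
    """Run the scanner over the constructed sample file."""
    return scan_text(SAMPLE_SOURCE)


if __name__ == "__main__":
    # Report line numbers and kinds only; never echo the matched value itself.
    for lineno, kind in scan_sample():
        print(f"line {lineno}: {kind}")
```

Running the block reports lines 3, 4, 6 and 7 of the sample and stays silent on the environment lookup and the low-entropy placeholder. Wiring `scan_text` into a pre-commit hook or CI step gives the control the paragraph asks for: the check runs before the code reaches a shared repository, and the report deliberately prints only the location and the kind of finding so the scanner itself does not become another place where the secret is written down.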
Identity systems must scale to handle lifecycle management for millions of users, as well as for cloud service providers (CSPs). Identity management systems must support immediate de-provisioning of access to resources when personnel changes, such as job termination or role change, occur.
Identity systems are becoming increasingly interconnected, and federating identity with a cloud provider (e.g. SAML assertions) is becoming more prevalent to ease the burden of user maintenance. Organizations planning to federate identity with a cloud provider need to understand the security around the cloud provider’s identity solution, including its processes, infrastructure, segmentation between customers (in the case of a shared identity solution), and how the solution is implemented by the cloud provider.
Multi-factor authentication systems – smart cards, OTPs, and phone authentication, for example – are required for users and operators of a cloud service. This form of authentication helps address password theft, where stolen passwords enable access to resources without user consent. Password theft can manifest in common network lateral movement attacks, such as “pass the hash.”
In cases where legacy systems require the use of passwords alone, the authentication system must support policy enforcement such as verification of strong password use as well as organization-defined rotation period policies.
Cryptographic keys, including TLS certificates, keys used to protect access to data and keys used to encrypt data at rest, must be rotated periodically. Doing so helps address attacks where keys are accessed without authorization. When cryptographic keys are stolen, a lack of a key rotation policy may dramatically increase the effective elapsed breach time and scope.
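The rotation-period policy enforcement described in the two paragraphs above, for passwords on legacy systems and for TLS certificates and encryption keys alike, is shown below as an added audit script; it is an example written for this page, not code from the article, from InstaSafe or from the CSA. The per-type maximum ages, the audit date and the credential inventory are constructed values, shaped like an export from a secrets store or PKI. A type that the policy does not cover is reported as `no_policy` rather than silently passing, which is the gap most rotation audits miss.

```python
from datetime import date, timedelta

# Maximum allowed age, in days, per credential type. Constructed policy values
# for this example, not figures from the article.
ROTATION_POLICY_DAYS = {
    "tls_certificate": 365,
    "data_encryption_key": 180,
    "api_key": 90,
    "service_password": 60,
}

# Constructed inventory, shaped like an export from a secrets store or PKI.
INVENTORY = [
    {"id": "web-tls-prod", "type": "tls_certificate", "rotated_on": date(2024, 1, 15)},
    {"id": "kms-customer-data", "type": "data_encryption_key", "rotated_on": date(2024, 11, 1)},
    {"id": "billing-api", "type": "api_key", "rotated_on": date(2023, 12, 20)},
    {"id": "svc-backup", "type": "service_password", "rotated_on": date(2024, 10, 10)},
    {"id": "bastion-host-key", "type": "ssh_host_key", "rotated_on": date(2022, 6, 1)},
]

# Constructed audit date so the example is reproducible offline.
AUDIT_DATE = date(2024, 12, 1)


def audit_rotation(inventory, policy, today, warn_within_days=14):
    """Classify each credential as ok, due_soon, overdue or no_policy.

    days_until_due is negative when the credential is past its rotation date
    and None for types the policy does not cover; those are reported rather
    than treated as compliant."""
    report = []
    for item in inventory:
        max_age = policy.get(item["type"])
        if max_age is None:
            report.append({"id": item["id"], "status": "no_policy", "days_until_due": None})
            continue
        due = item["rotated_on"] + timedelta(days=max_age)
        remaining = (due - today).days
        if remaining < 0:
            status = "overdue"
        elif remaining <= warn_within_days:
            status = "due_soon"
        else:
            status = "ok"
        report.append({"id": item["id"], "status": status, "days_until_due": remaining})
    return report


def needs_action(report):
    """Ids that require an operator decision, worst first, stable by id."""
    order = {"overdue": 0, "no_policy": 1, "due_soon": 2}
    flagged = [r for r in report if r["status"] in order]
    return [r["id"] for r in sorted(flagged, key=lambda r: (order[r["status"]], r["id"]))]


def run_audit():
    """Audit the constructed inventory against the constructed policy."""
    return audit_rotation(INVENTORY, ROTATION_POLICY_DAYS, AUDIT_DATE)


if __name__ == "__main__":
    for row in run_audit():
        print(f"{row['id']:<20} {row['status']:<9} days_until_due={row['days_until_due']}")
    print("needs action:", needs_action(run_audit()))
```

On the constructed data the audit flags `billing-api` as 257 days overdue, `bastion-host-key` as uncovered by any policy, and `svc-backup` as due within the warning window, while the TLS certificate and the data-encryption key are within policy. The same `days_until_due` figure is also the longest a stolen copy of a compliant credential would remain usable before scheduled rotation retires it, which is the breach-time argument the paragraph makes; for an overdue credential that window has no upper bound until someone rotates it.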
Any centralized storage mechanism containing data secrets (e.g. passwords, private keys, a confidential customer contact database) is an extremely high-value target for attackers. Choosing to centralize passwords and keys is a trade-off: an organization must weigh the convenience of centralized key management against the threat presented by concentrating keys in one place. As with any high-value asset, monitoring and protection of identity and key management systems should be a high priority.
2.2 Business Impacts
Malicious actors masquerading as legitimate users, operators or developers can read/exfiltrate, modify and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source. As a result, insufficient identity, credential or key management can enable unauthorized access to data and potentially catastrophic damage to organizations or end users.
2.3 Anecdotes and Examples
One of the world’s biggest accountancy firms, Deloitte, was hit by a cyber attack towards the end of 2017. The hackers may have gained details from the organization’s blue-chip clients, including usernames, passwords, personal details and even confidential emails detailing private plans and documents. The attack – which could have been going on unnoticed for months – is said to have compromised Deloitte’s global email server via an administrator’s account, granting the hackers access to restricted areas and information. It is believed that Deloitte did not have two-step verification set up, with access requiring only a single password.
1. The Treacherous 12 – Cloud Computing Top Threats in 2016
2. The most infamous data breaches