The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices that help ensure a secure cloud computing environment. In 2016, CSA released the ‘Treacherous 12: Top Threats to Cloud Computing + Industry Insights’ article to give readers a real-world glimpse into what is currently occurring in the security industry. InstaSafe presents a refreshed release of the 2016 article that includes new real-world anecdotes and examples of recent incidents relating to each of the 12 cloud computing threat categories identified in the original paper.
“It’s our hope that these updates will not only provide readers with a more relevant context in which to evaluate the top threats but that the enhanced article will provide them with a real-world glimpse into what is currently occurring in the security industry.”
Cloud computing providers expose a set of software user interfaces (UIs) or application programming interfaces (APIs) that customers use to manage and interact with cloud services. Provisioning, management, orchestration and monitoring are all performed with these interfaces. APIs could be used, for example, to gather logs from an application, to provide integration with databases and storage components, or to control specific cloud resources. APIs are also often the way that a mobile application can interact with a website or back-end services, and can provide the ability to authenticate users, as well as query information.
So why are APIs a security challenge in the cloud? As mentioned above, they are the public front door to your application, and by default need to be accessible externally. The security and availability of general cloud services is dependent on the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
Furthermore, organizations and third parties may build on these interfaces to offer value-added services to their customers. This introduces the complexity of a new layered API; it also increases risk, because organizations may be required to relinquish their credentials to third parties in order to enable their agency. APIs and UIs are generally the most exposed part of a system, perhaps the only asset with an IP address reachable from outside the trusted organizational boundary. These assets will be the target of heavy attack, and adequate controls protecting them from the Internet are the first line of defense and detection.
3.2 Business Impacts
While most providers strive to ensure that security is well integrated into their service models, it is critical for consumers of those services to understand the security implications associated with the use, management, orchestration and monitoring of cloud services. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
Threat modelling of applications and systems, including data flow and architecture/design, becomes an important, regular part of the development lifecycle. In addition to security-specific code reviews, rigorous penetration testing becomes a requirement. The following are some of the major areas customers should focus on:
Transport security: Most APIs are intended to be offered via a variety of channels, but any APIs that will interact with or carry sensitive data should be protected within a secure channel, such as SSL/TLS or IPSec.
Authentication and authorization: Many cloud APIs are focused on authentication and authorization, so these will be key areas of focus for many customers. Questions to ask CSPs include: Can APIs manage the encryption of usernames and passwords? Is it possible to manage two-factor authentication attributes? Can fine-grained authorization policies be created and maintained, and is there continuity between internal identity management systems and attributes, and those extended by APIs from cloud providers?
Code and development practices: Any APIs that pass JSON and XML messages or accept input from users and applications must be adequately tested for standard injection flaws and cross-site request forgery (CSRF) attacks, and should enforce schema validation and correct encoding of both input and output.
Message protection: Beyond ensuring that general coding best practices are followed, other key considerations for APIs include message structure, integrity validation, and encryption or encoding.
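The four focus areas above (transport security, authorization of the action, strict schema validation of the message, and integrity protection of its contents) can be enforced in a single request gate in front of an API handler. The following is an added illustration, not code from the CSA paper or from any cloud provider; the shared secret, header name, schema and sample request are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed example secret; a real deployment loads this from a secret store.
API_SECRET = b"example-shared-secret"

# Strict schema for one API call: field name -> expected type. Unknown fields are rejected.
SCHEMA = {"resource_id": str, "action": str}
ALLOWED_ACTIONS = {"start", "stop"}  # fine-grained allow-list of actions


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw body; the client sends this in an X-Signature header (assumed name)."""
    return hmac.new(API_SECRET, body, hashlib.sha256).hexdigest()


def validate_request(scheme: str, headers: dict, body: bytes):
    """Apply transport, integrity, schema and authorization checks; returns (ok, reason)."""
    # Transport security: refuse anything that did not arrive over TLS.
    if scheme != "https":
        return False, "plaintext transport"
    # Message protection: verify the body signature with a constant-time comparison
    # before parsing, so a tampered or forged message never reaches the parser.
    if not hmac.compare_digest(sign(body), headers.get("X-Signature", "")):
        return False, "bad signature"
    # Code practices: parse strictly and reject unknown or mistyped fields.
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed json"
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        return False, "schema mismatch"
    for field, ftype in SCHEMA.items():
        if not isinstance(data[field], ftype):
            return False, f"bad type for {field}"
    # Authorization: only explicitly allowed actions pass.
    if data["action"] not in ALLOWED_ACTIONS:
        return False, "unknown action"
    return True, "ok"


# Constructed sample request (not captured from any real service).
GOOD_BODY = b'{"resource_id": "vm-42", "action": "stop"}'
```

Each rejection reason is distinct so that a monitoring pipeline can count plaintext, forged, malformed and unauthorized calls separately.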
3.3 Anecdotes and Examples
High-profile users of the popular social media platform Instagram were alerted in late August after the company discovered that hackers had gained access to specific users’ contact information. Instagram confirmed that the hackers managed to obtain the email addresses and phone numbers of some prominent users by exploiting a bug in the app’s API. On August 31, it was reported that the hackers had collected the stolen information into a searchable database dubbed “Diagram”. Currently, they are charging US$10 per search.
A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates. The flaw allowed an unauthenticated attacker to retrieve other persons’ SSL certificates, including public and private keys, as well as to reissue or revoke those certificates.
1. The Treacherous 12 – Cloud Computing Top Threats in 2016
2. Cloud Security Threats – Insecure APIs
3. Cloud API security risks: How to assess cloud service provider APIs
4. Hackers Exploit Instagram API Flaw to Steal Information from Verified Users
5. Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates