UNFORTUNATELY, an organisation’s ability to meet compliance requirements and protect sensitive data by thwarting the likes of Advanced Persistent Threats (APTs), malicious insiders and other attacks becomes inevitably more complex in the cloud. These deployments represent multi-tenant environments with characteristics that create efficiency and flexibility, but also result in additional risk in the form of centralised administrative roles, shared memory, shared storage, shared network and compute resources. At the same time, most cloud environments are run by third-party organisations that may — or may not — have the proper data security safeguards in place. Enterprises need the ability to maintain the same, if not better, control over sensitive data in the cloud as they do in traditional on-premise environments. Essentially, they need to be able to establish trust in an untrusted environment.
What level of access do users actually need?
Privileged users typically have complete blanket access to all data. In cloud environments, this could mean that an administrator has unfettered access to all cloud-hosted data and systems as part of maintaining and supporting those using the environment. Unsurprisingly, this model presents an attractive target for cybercriminals looking to gain access to a company network, and with that the privileged user brings a whole new element of risk to enterprise customers beyond the risks posed by their traditional privileged users, and outside of the enterprise’s control.
Traditional privileged users - system, network and domain administrators - can pose a significant threat to mission-critical systems or ones holding highly sensitive data. In fact, the consequences of a disruption in service or stolen confidential information can be severe enough to ruin a business. Revocation of certifications, loss of critical intellectual property, and exposure to
the consequences of a data breach disclosure are some considerations to bear in mind.
To prevent falling foul of such penalties, organisations have already put in place controls that manage the risk associated with these types of threats in their on-premise environments but, as new cloud solutions are embraced, enterprises open themselves up to significant new risks and attack vectors.
Once a system is up and running, privileged users often have complete access to everything; this is a fundamental risk for every single cloud service provider. In cloud environments, another element of risk is created – privileged cloud administrators. Cloud admins need access to cloud-hosted data and systems as part of maintaining and supporting users of the cloud services, and present a data breach risk if they are successfully targeted by cybercriminals, make administrative mistakes, or simply perform actions that they should not.
To mitigate the risks of these privileged users, enterprises must enforce a separation of duties policy and deploy technologies that restrict privileged users from being able to actually read data. This is the only way that organisations can provide users and applications with the ability to see sensitive data based on policy, while at the same time shielding that information from the administrators managing their infrastructure and systems.
Controlling access permissions across your environment
As an example, let’s take a spreadsheet with sensitive financial numbers that is hosted in the cloud. The CFO should have access to the data, but a system administrator with root access to the system holding this spreadsheet should not. The system admin should be able to copy or backup the spreadsheet, but should never be able to see the financial data itself.
If a rogue administrator, or an APT malware component that has obtained root access (one of the most common actions for an APT), is in a cloud environment, the best way to protect the sensitive financial data in that spreadsheet is to reduce the attack surface by putting in place encryption, fine-grained access controls and detailed auditing and reporting of access attempts to that spreadsheet.
By doing this, the rogue administrator or APT might be able to perform system management operations and even alter permission on the local operating system, but would never have access to any sensitive data. To privileged users, sensitive data like this spreadsheet is only visible as a “data block” of nonsense information, as access control prevents decryption of the data for their usage.
Now, taking a data-centric security approach to locking down data doesn’t completely stop the bad guys; one attack vector that would work in this instance is to compromise the CFO’s account. But, with detailed reporting of access attempts to protected information, and pattern recognition based on typical access profiles, abnormal use by that CFO could also be highlighted, and the CFO would be alerted that their account may have been compromised.
The combination of access controls, encrypted data and information on data access attempts – a data firewall – dramatically reduces the attack surface available to hackers and insider threats. This approach also provides the ability for data to move freely across multiple untrusted environments. Administrators and other privileged users can safely copy and move the files and database tables, but not decrypt them. In fact, since data can only be viewed when an authorised user has properly authenticated, the payload can move through a cloud environment — and even over to other cloud environments — while remaining secure (even without network SSL overhead).
To maintain protection of data no matter where it lives, it is important to tie controls back to a set of individuals within an organisation. This also leads to certain implications around data destruction in that if all enterprise users are revoked access (by modifying policy and deleting keys) to certain data, regardless of where copies of that data may live, it is rendered completely inaccessible and useless.
Cloud working brings added security requirements
In multi-tenant environments, both cloud service providers and enterprises have the absolute requirement that co-mingled data should only be accessible by the organisation that owns that data. By taking a data-centric approach to security in the cloud organisations benefit from protection against the risk of rogue applications crossing the security boundaries as defined by cloud providers and the underlying hypervisor technologies. Even if a rogue application is able to cross boundaries, by allowing only specific authorised users to access sensitive data, the attack surface can be reduced.
An additional common attack vector in the cloud is through a privileged user attempting to view memory and information for another virtual machine running in the same cloud environment. While it may not be possible to completely prevent such occurrences, it is possible to significantly reduce the likelihood of data being compromised by reducing the attack surface and limiting which applications and users can see the data.
Gathering security intelligence is also crucial for any organisation embracing cloud technologies as it is important to understand which users and applications are accessing sensitive data. Attempted access by unauthorised users, access location, time of day, and even the rate at which data is being retrieved can prove critical to understanding whether an enterprise is under attack or has already been breached.
If audit information from a series of events points to the presence of an APT, or unusual activity suggests the risk of a breach, the organisation in question may want to temporarily tighten the controls around its sensitive data. Examples of tightened controls include restricting access to the data in question to a much smaller subset of users and increasing the amount of auditing being performed.
While taking such measures could have an impact on business operations, eliminating the risk that privileged root users may steal sensitive data and locking out previously authorised users who may have been compromised can dramatically mitigate an enterprise’s exposure and reduce any attacker’s chance of success.
In summary, there are five key benefits to taking a data-centric approach to securing sensitive information in the cloud:
£ Keep/prevent privileged users, including
root users and cloud administrators, from
viewing sensitive data
£ Enable the data to move safely across
multiple on-premise and cloud
environments while still maintaining its
protection profile
£ Be able to easily destroy data, even if
protected copies live in the cloud
£ Ensure that data is protected from
malicious users and APTs attempting
to steal information by crossing
security boundaries in multi-tenant cloud
environments
£ Identify when an APT may be present so
you can quickly take the necessary steps
to tighten security
Cloud security continues to be a growing issue as more enterprises look to the cloud for cost savings and the ability to create entirely new business models. Given that cloud service providers are a prime target for cyber attacks, enterprises wanting to embrace the cloud but also protect what matters must take a data-centric security approach, protecting their sensitive data from the inside-out.