Thinking that you have left no stone unturned when it comes to cloud security is clearly a mistake. Not only has the cloud always been a theatre for never-ending threats, but also it has become a popular business model for cybercriminals, who use it as a vector and a tool for their attacks. This leaves legitimate cloud clients no option of keeping close tabs on their information assets in the cloud, both organisationally and technically.
The cloud: a sharing of risks to be weighed carefully
Whatever the technical option chosen, the cloud, often preferred because it represents a substantial savings, amounts to the analogy of going to “somebody else’s place” to deposit a little or a lot of one’s digital assets, and having more or less autonomy on “that somebody’s computer.”
If a client company outsources a service using applications enabling, for example, collaborative work (Office 365 or a different application) or customer relationship management (CRM), in what is called SaaS mode, then it is responsible for less maintenance, since the supplier is responsible for maintaining infrastructure and associated resources (e.g. software updates). If the client even outsources its hardware infrastructure such as servers, processing capacity, data storage capacity, network components and middleware, in what is known as IaaS mode, then it is responsible for controlling operating systems, databases and applications. Finally, PaaS mode, which is firmly dedicated to application development, enables companies to develop their own applications. The company does not control infrastructure but is responsible for configuring and securing application hosting.
Each of these models carries risks as cybercriminals have a voracious appetite for the huge volumes of data uploaded to the cloud. The fact that companies still consider security to be an obstacle to cloud adoption is not a passing fad; rather, it is a healthy reaction. Another obstacle lies in levels of shared responsibilities between suppliers and clients. It is appropriate for companies to practice good management and sound budgeting so as not to risk a torrent of unexpected expenses and place their reputation at a potentially significant risk.
Choosing the cloud means managing not only traditional threats but also threats that are unique to cloud business models and techniques.
A cloud environment is subject to the same types of attack as traditional systems, with an added effect of scale linked to the architecture used.
A distributed denial of service (DDoS) attack that targets just one hosted application may saturate the host’s Internet connection and impact all other non-targeted hosted services, if the attack is severe enough. In the case of a cloud in Iaas mode, companies must be particularly careful about compartmentalisation of networks and methods of data storage — all the more so if they are sensitive, as the very architecture of the cloud may be synonymous with vulnerabilities and new attack techniques.
On a cloud, each virtual machine may be likened to a hotel guest. While hotel guests may share hotel resources such as the restaurant, pool or gym, each must have a private room. No unauthorised person may enter that room.
All virtual machines are managed by a software program called a hypervisor. This acts as the hotel manager, who allocates rooms to guests depending on their needs. Imagine what would happen if a criminal had a unique key enabling access to all rooms. This is what happens on a cloud when an attacker makes use of the vulnerabilities of an OS running on one of the virtual machines in order to escape the boundaries of the virtual machine and enter neighbouring machines via the hypervisor. This is called virtual machine escaping, or guest escaping.
The cloud is essentially a shared space where the staff of the client company are added to the staff and partners of the cloud supplier.
This accounts for the explosive need for a serious, rigorously applied security policy. The trend is likely to continue to grow in proportion to digital transformation projects, including those launched by SMEs, which are following suit in ever-increasing numbers.
Cybercriminals are also growing in cloud mode
Cybercrime must be believed to be an activity like any other. It, too, is choosing the cloud.
Certain cybercriminals are hijacking public cloud servers and turning them into command-and-control or malware distribution infrastructure. This, much like a drug trafficking mule, gives an air of legitimacy to malicious traffic when it comes from a well-established cloud supplier.
By virtue of its economic model, the cloud also attracts attackers who see it as a means of distributing their attacks. Attackers who base their efforts on the huge volumes of data on the cloud enjoy a formidable “cost–risk–effectiveness” ratio. Attackers who put forth “as-a-service” offers — ransomware-as-a-service, exploit kits-as-a-service and malware-as-a-service — enable less expert hackers to access and use turnkey malicious services. Viral and scalable attacks are guaranteed.
According to Ruggero Contu, Research Director at Gartner, “Email, web and identity management security remain organisations’ top three priorities when it comes to the cloud.” One can only hope that the cloud certifications currently being developed at the French National Information Systems Security Agency (ANSSI), which will offer guarantees and options in this regard, will reassure companies and enjoin them to engage in more risk analysis for their cloud. This certification must not be used as a pretext to hold suppliers alone accountable.