After all the news about PRISM and data collection of internet traffic in the US and abroad, it got me thinking about how security is even more relevant now that so much of our work is done on the Internet. While running basic security techniques won’t really stop entities with special back-door access, being vigilant about security while using services on the cloud is always a best practice.
The cloud is often divided into three main categories. Infrastructure-as-as-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The majority of users are most familiar with SaaS, either interacting with one at work (most likely Salesforce, among others) or even internet mail (Gmail, Yahoo Email, etc.).
Security with SaaS is often very similar to one you would consider when using a website. You will almost always want to:
- Create a unique password that is difficult to guess
- Enable HTTPS whenever possible
- Enable two-factor authentication
- Guard against socially engineered attacks
As a user, you are reliant on the SaaS provider to ensure that the systems that they are running on are secure, that they employ best practices, and are PCI-compliant (if they are taking your credit card information). The basic items listed above are some of the steps you can take to improve security.
The first item is well-known for anyone who has used email before so I will go into more depth about the other options. Enabling HTTPS means that the traffic from your browser to the server is encrypted. So anything sent through the internet will be difficult to read if it is ever intercepted. Clearly this is important when sending your login information since that complex password is meaningless if anyone sniffing your traffic can grab it. The details of this encryption can be fairly complex but essentially you want providers who use at least 1024 bit key but the standard is quickly moving to 2048 (the longer the length, the harder it is to crack). However, this only encrypts traffic in transit and NOT at rest. So once your data is in the server, it may or may not be encrypted.
Two-factor authentication is all the rage since passwords are guessed, stolen or simply given away in socially engineered attacks. The idea behind this security is that to get in, you need to have something you know (your password) and something you have (your token) and its unlikely that a remote hacker will have both. The token can take the form of a physical key – like an RSA token that generates a random number every 60 seconds, an app that does the same thing on your smart phone (like Google Authenticator) or a random number sent as a text message to your phone. While there are ways to defeat two-factor (like man-in-the-middle attacks) it is generally safer than single authentication.
Social engineering is the electronic version of the con game – using psychological manipulation to gain information for the purposes of theft, fraud or other nefarious activities. The danger in these types of threats is that as a user, you are dependent on people you don’t even know, who have access to your personal information, being vigilant about not giving away your information. While there is little that you can do about this other than ensuring that your SaaS vendor has known security policies and procedures to prevent this from happening. You can also protect yourself somewhat by not linking your Internet life together. Use different passwords and try not to link too many services together – doing so may lead to a vulnerability in one imploding the rest. Mat Honan wrote an excellent article about his unfortunate experience of getting hacked and what steps he could have taken to prevent it.
I’m going to skip PaaS since it is rapidly beginning to blend into IaaS (and vice versa). When you are using an IaaS provider, you are operating at the infrastructure layer, meaning the individual components that are used to host your application. You are no longer interfacing with a website but rather dealing at the compute, network and storage layer. You are most likely using this type of provider because you are hosting your own SaaS service and want it to reside in the cloud or are hosting some sort of online service, like a website or mobile app. Because you are now dealing with infrastructure, you are faced with a whole different set of security requirements than SaaS users. You will want to look into:
- The physical security of the data center where your infrastructure is located
- The security settings of the server
- The security services offered by the provider
- Any certifications that you need to meet for your particular use case
- Specific security you need to provide for your customers
- Data backup and disaster recovery
- Your own security policies and procedures
At the IaaS layer, you are often a business serving your own customers so you have more security considerations to think about. You are also responsible for configuring your own security above the server layer as this is often not the responsibility of the IaaS provider.
One of the things to look for is if the data centers of the provider have strong security and controls – this is often reflected in attaining a SSAE 16 Type II and / or ISO 27001 certified data center designation. This is an internationally recognized auditing standard that contains a detailed audit report of the providers controls and security and in the case of Type II, the auditor’s opinion on whether the controls were operating effectively. Note that SSAE16 Type II replaces SAS 70 Type II (they are one and the same). Determine if the provider has the right compliance (PCI, HIPAA, FISMA, etc.) for your particular requirements. Data retention (what happens when your cancel your account) and data distribution policies (is your data automatically replicated or backed-up to other data centers?) should also be investigated.
The security settings of the server have to determined. There are a lot of factors to consider here that could probably consume a full-time training course. Suffice to say, you will need to do your research on what you need to tweak on your operating system of choice in order to meet the security requirements of your use case. One option to consider is to install CloudPassage on your server – in addition to providing firewall management for Linux and Windows, it also makes security recommendations. Note that some of these changes are uncommon and may not be compatible for all applications.
Research what security services are offered by your cloud provider. There is often a firewall option (software or hardware), a virtual private cloud option (which is a way to create network isolation), VPN services and even more advanced options like a Web App Firewall (WAF) or Intrusion Detection Systems (IDS / IPS). Firehost is one company that focused specifically on security and provides a variety of options.
An important consideration in any situation is how you can backup your data in the case of failure. Does the vendor provide a mechanism for backing up your data or will you need to provide that yourself? In some cases the vendor has built-in high-availability (for example, Amazon offers 99.999999999% durability for S3). However, standard data backup (defining a secondary location to store your data) is a good practice since durability guarantees do nothing if your sys admin deletes your files by accident.
You are responsible for you own security
Ultimately, you have to do the legwork to ensure that where ever you run your application or website, it will have the right level of security that you need. I don’t think that the cloud is inherently less safe than on-premise. After all, maintaining the integrity and security of their service is in the best interests of the vendor. In the case of IaaS, their core competency is on maintaining infrastructure – something your company is probably not focused on. Your company’s expertise is most likely geared towards your particular industry. However, you will need to be aware of the security options that are available to you and to make sure to take advantage of the ones offered by the vendor.