Tag: Cloud

Are You Outsourcing Your Security With a Cloud Application?

You finally decided to use cloud services for your organization? Great! There are definitely many advantages. Was your objective also to outsource security to the provider? Sorry, not quite. The security of your information will always remain your own responsibility, shared with the cloud provider. True, you will probably manage fewer technical controls, but you will still own many administrative ones.

As with any partnership, you have the responsibility to perform due diligence on your future business partners. This is certainly true for your third-party vendors, including cloud providers. What follows is only an introduction to the questions to raise when it's time to discuss a new cloud project.

Company

It should be obvious to many people, but do you even know the organization behind the cloud solution? Is it a one-person organization managed from a basement? Is it even a legal entity? Does it carry any insurance? Can you find a few reviews online? This goes beyond the basic security scope, but it definitely helps to get the big picture. It could be the best solution, but it may carry a risk that your organization is not able to accept.

Compliance

It is important to keep in mind that a cloud provider that is compliant is not necessarily secure. However, compliance gives you reasonable assurance about its security processes and internal controls. You should mainly look for a SOC 2 Type 2 report, a PCI DSS attestation, or an ISO 27001 certificate. Be careful to validate that the report's scope includes the services you actually use from the provider. Read through all the findings and confirm that there are no major deficiencies.

For the following security domains, it is possible to validate the cloud provider's side of the responsibility against the controls tested in such a report. What about your side of the responsibility?

Physical Security

Physical security mainly concerns the data centre where your provider hosts the IT infrastructure supporting the cloud services: for example, physical access to the infrastructure and the environmental controls (HVAC, generators, UPS, network connections, etc.). Fifteen years ago, it was not rare to deal with a provider hosting its servers within its own offices, in a room that somehow resembled a server room. In the end, it was probably more of a closet, but that is a different topic. These days, all serious cloud providers use a well-known data centre to host their infrastructure (e.g. Equinix, Cologix, OVH), or are themselves hosted on a cloud provider such as AWS, Azure or Google.

A well-known external firm should audit all the physical security measures of the data centre. If you are dealing directly with a data centre, you should be able to receive a copy of this report. However, if your cloud provider is the direct client, you may not be allowed to receive a copy, and you will have to ask your cloud provider more specific questions.

Human Resources

Your cloud provider should perform background checks before and during employment for everyone with direct or indirect access to the production environment. It is important for an organization to have a clear picture of its employees' past; this is the first step to trusting them. Employees and consultants should also receive security awareness training. This could be an annual training but, even better, continuous training adapted to each job position. For example, developers should receive training on secure development practices to avoid the most common vulnerabilities. You should do the same within your own organization, including employees in non-technical positions: many attack vectors start with an unaware user and can lead to a security breach.

Access Management

So many organizations manage credentials for cloud solutions as an ad hoc process. Access management procedures should also cover all access changes to cloud applications. For example, for a cloud marketing application, someone should still be responsible for approving new access before the account is created. An access review should occur at least once a year for all accounts on the cloud application. When an employee leaves, the organization must confirm that no accounts are left on cloud applications. In many organizations, previous employees are still able to log in to the cloud application many months later.

You are also responsible for configuring the cloud application according to best practices. Many cloud providers offer the possibility to enable two-factor authentication (2FA) on the application, for all users or for specific roles (e.g. administrators). However, the organization must make that decision, since this feature is often disabled by default. Many cloud applications targeted at enterprises also offer single sign-on (SSO), often with SAML.
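The periodic access review described above, as an added example that is not part of the original post: it reconciles the cloud application's user export against the HR roster and the 2FA rule. The two CSV exports, the column names and the `review_accounts` function are assumptions for the illustration; real applications export different columns.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not from the original post): the HR roster and
# the cloud application's user list, as an administrator would export them.
HR_ROSTER = """email,status
alice@example.com,active
bob@example.com,terminated
carol@example.com,active
"""
APP_USERS = """email,role,mfa_enabled,last_login
alice@example.com,user,true,2018-05-20
bob@example.com,user,true,2018-02-01
carol@example.com,admin,false,2018-05-28
dave@example.com,admin,true,2017-11-03
"""

def review_accounts(hr_csv, app_csv, today, dormant_days=90):
    """Reconcile the application's accounts against HR and the 2FA rule.

    Returns the three lists an access review should act on: accounts with no
    active employee behind them (departures or unknown users), administrators
    without 2FA, and accounts unused for longer than dormant_days.
    `today` is an ISO date string so the check is reproducible.
    """
    today = date.fromisoformat(today)
    active = {r["email"].lower() for r in csv.DictReader(io.StringIO(hr_csv))
              if r["status"] == "active"}
    orphaned, admins_without_2fa, dormant = [], [], []
    for r in csv.DictReader(io.StringIO(app_csv)):
        email = r["email"].lower()
        if email not in active:
            orphaned.append(email)
        if r["role"] == "admin" and r["mfa_enabled"].lower() != "true":
            admins_without_2fa.append(email)
        if (today - date.fromisoformat(r["last_login"])).days > dormant_days:
            dormant.append(email)
    return {"orphaned": orphaned, "admins_without_2fa": admins_without_2fa,
            "dormant": dormant}
```

Each finding maps to an action from the text: disable orphaned accounts, enforce 2FA on the administrator role, and confirm with the owner whether dormant accounts are still needed.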

Business Continuity

All cloud providers will assert that they have the best redundancy and backup strategies in place. They probably have infrastructure distributed across many data centres. Again, you are still responsible for your own data and, unfortunately, you can't rely only on the provider. They will do everything to avoid downtime or data loss, since such a situation would hurt their business. But, in the fine print, they are often not responsible for any data or financial loss to your business. You also have to account for the situation where the provider simply shuts down its operations. In any case, you need to prepare and back up your data to a site other than your cloud provider. With most cloud applications this will probably be a manual export, but that is better than losing all your data. For more critical applications, you should negotiate, or select a provider where it is easier to perform backups.

Log Management

Cloud providers will surely implement the required logs for their infrastructure. These logs are rarely shared with customers, given the multi-tenant environment. However, you should still have access to basic logs within your administrative interface: for example, the latest logins, user changes, configuration changes, etc. With some enterprise solutions, it is possible to forward logs to your own server. Even when these logs are available, they are not always monitored, since that is your organization's responsibility.

Keeper Security and Random Deactivation

We trust cloud services to keep our data secure. But we don't always think about the impact in the event that the service has some downtime, and even less about a situation where the provider decides to disable the service. Well, I ran into the latter situation with one provider, Keeper Security.

Context

It all started in June 2017 when I subscribed to a 14-day trial period for the business edition. A sales representative reached out to me toward the end of the trial period. He extended the trial period by one year, until June 2018. It was a great offer and I did enjoy the service for 11 months. In May 2018, someone from Keeper Security called me and left a message on my voicemail. He said something about the trial period expiring soon. He was also not so sure why I got that one-year trial period to start with. He was not able to confirm, since the previous sales representative had left the company. But he also confirmed that the trial period would expire only in a few weeks, and asked me to call him back.

Up to this point, everything was fine. I was planning to subscribe to the service and, obviously, to pay for it.

What happened?

Back home, a few hours later, I was ready to purchase a subscription and logged in to my account… Then I received the error message "This account is expired"! The worst part is that it is not even possible to make a purchase or export the data when the account is not active. I had all my passwords locked in the vault, without any warning, for a few hours. It was not even possible to unlock the vault through the browser extensions, where I thought my passwords were saved on the local drive. The support team was at least able to quickly reactivate my account for a few days. But there were still a few hours where I thought I had to reset all my passwords.

Finally

As soon as I got access to my account again, I simply exported all my data. And, unfortunately, I closed my account with Keeper Security for good. Even if they have an interesting service, I can't trust them anymore. This is not a situation specific to this company. However, it did make me think twice about how I use some cloud services. It took me a very long time before trusting a cloud password manager…

I usually have a data export from my most important cloud services, but that was not the case with this one. Back to the "old school" way: I have a local password manager installed on my laptop with my data, KeePassXC, a fork of KeePassX, from the well-known KeePass family.

Cloud Security with Object Storage

Many cloud providers are often criticized for the security of their object storage services, even more so after the disclosures of private information in 2017 involving these services. These security breaches also affected well-known organizations such as Verizon, Accenture, Booz Allen Hamilton, Viacom, the National Security Agency, the National Credit Federation, the Australian Broadcasting Corporation, the Department of Defense, the Republican National Committee, etc. New organizations are regularly added to this list, but these are the main ones from the last few months. These organizations were mainly using the S3 object storage service from AWS.

Object Storage

This is not a technology provided only by AWS with the S3 service. Many other well-recognized cloud providers offer services to store files in the cloud, such as Azure, Google Cloud, DigitalOcean, IBM, etc. However, AWS S3 is definitely the object storage service most used by organizations. The service was also first released in 2006, before the competing services. The statistics are a little bit old, but as of April 2013, AWS mentioned that S3 stored more than 2 trillion objects and served 1.1 million requests per second. In 2018, it is safe to assume these numbers are even higher.

Amazon S3 is often wrongly targeted by the media. It is simply the most popular service, used by organizations of all sizes. We have to keep in mind that object storage is only a way to store files, often with a cloud provider, but it could also be on private infrastructure.

IT Administrators

I often read IT professionals, and even information security professionals, expressing doubts about these services, mainly about the security measures available to protect the stored information. It is important to understand that security breaches related to object storage are often not related to the underlying technology. Cloud providers such as AWS, Google and Azure are able to provide a secure environment for your files. The configuration of such spaces, or buckets in S3 terms, is secure and private by default. How is it then possible to have public files on the Internet?

Simply ask your IT administrators. It is more a question of misconfiguration. To authorize public access to the stored files, someone actually needs to perform a manual action to change the default behaviour. The approach differs for each service, but the principle is the same. On S3, access is managed with rules, while other services can be simpler, with an option set to "Private" or "Public". This is often a configuration available for the space and/or per file.

Maybe it is time to review the access settings implemented for your files stored in the cloud? Not only on object storage services like S3, but also on services like Office 365, Dropbox, Google Drive, etc. It is so easy to forget about a file that should not be available to everyone on the Internet.
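The review of S3 access rules suggested above, as an added example that is not part of the original post: it evaluates the two documents that can open a bucket to the world, the bucket policy (a Principal of `*`) and the bucket ACL (grants to the AllUsers or AuthenticatedUsers groups). The sample policies and ACLs are constructed for the illustration, and the function names are assumptions.

```python
import json

# Constructed sample documents (not from the original post): a bucket policy
# that grants anonymous read, a policy scoped to one IAM role, and two ACLs.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    """True when the Principal element means 'everyone', including anonymous users."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_policy_statements(policy_json):
    """Return (Sid, actions) for Allow statements open to everyone and not limited by a Condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # conditioned grants (e.g. by source IP) need a manual look
            continue
        findings.append((stmt.get("Sid"), _as_list(stmt.get("Action"))))
    return findings

def public_acl_grants(acl):
    """Return (group URI, permission) for ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def bucket_is_public(policy_json, acl):
    """Combined verdict: any anonymous policy statement or public ACL grant makes the bucket public."""
    return bool(public_policy_statements(policy_json) or public_acl_grants(acl))
```

In practice the two inputs come from the S3 API (`get_bucket_policy` and `get_bucket_acl`), and a bucket without a policy simply has no statements to check. Object-level ACLs can also open individual files, so a per-bucket verdict is a starting point, not the whole review.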

Third-Party Vendors

Are you aware of the third-party vendors who could use object storage with your information? For example, with Verizon and the Republican National Committee, third-party vendors were involved in both cases, i.e. Nice Systems and Deep Root Analytics. Organizations increasingly trust third-party vendors and share confidential information with them. This data can be about the organization's operations, but is often about clients. It is therefore important to evaluate the information sent to external vendors and to understand how they use the data.