Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/12/2019
10:30 AM
Ronan David
Ronan David
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Cloudy with a Chance of Security Breach

Businesses must be aware of the security weaknesses of the public cloud and not assume that every angle is covered.

The forecast calls for clouds, and they show no signs of clearing up. Cloud platforms are everywhere. In fact, IDG's 2018 Cloud Computing Study showed 73% of all businesses have placed at least one application or part of their infrastructure in the cloud. The public cloud space is particularly hot at the moment as Google moves to aggressively compete with Microsoft and Amazon.

Digital transformation has been the primary catalyst for this explosion. Typically, cloud adoption starts when some workloads are moved to public providers — usually, development and test environments that are less critical. After a while, noncritical applications might migrate over, followed by storage — files and databases — and then, bigger deployments.

The public cloud is attractive because underlying parts of the infrastructure and orchestration procedures hosting the application components are fully managed and mostly hidden — such as network functions, Internet access, security, storage, servers, and computing virtualization. Everything is easily configurable through a simple user interface or an API. Security is enforced by using private networks isolated from Internet… or is it?

Information on private networks hosted in a public cloud is not safe. This is because private networks, even without access to the Internet, are still able to communicate with it via DNS. Most of the time, no specific configuration is required to get full DNS access from the workloads pushed onto public cloud infrastructures. As a result, DNS tunneling, DNS file systems, and data exfiltration are possible on most public cloud providers by default. It is not a security flaw; it's a feature that's built-in on purpose, mainly to help workloads that need to access cloud serverless services to ease the digital transformation. This opens up any business to a wide range of possible data leaks.

Four of the most likely scenarios are as follows:

1. Malicious code is inserted into the back end to perform DNS resolution to extract data. Typically, access is gained through standard methods (such as SQL injection, heap overflow, known vulnerability, and unsecured API) from outside the organization.

2. Malicious code is inserted into a widely used library so that it affects all users (such as a supply chain attack) regardless of the language (such as Java, Python, and Node.js).

3. People inside an enterprise who have access to a host can modify/install/develop an application that uses DNS to perform a malicious operation (contact command and control, push data, or get malware content).

4. A developer inserts specific code that doesn't require a change in the infrastructure and that uses DNS to extract production data, events, or account information. The code will pass the quality gates of the continuous integration and testing part and be automatically deployed to production.  

So, what can an organization do — especially when it is deploying multitiered applications on multiple cloud services?

First, a private DNS service should be deployed for any business information stored on a private network hosted in public cloud, even if it's temporary. A private DNS service will allow you to filter what is accessible and what should not be. It will allow you to also regularly audit cloud architecture which is now mandatory in any public cloud environment. This requires specific identifying cloud patterns that are new to most systems and network architects. Most workloads don't require full access to the Internet. But sometimes, it's necessary — for example, when a DevOps team needs to update the infrastructure, installation packages, or dependencies because it simplifies the deployment phase. Businesses can approach this by designing an "immutable infrastructure" with prebuilt images, private networks, and controlled communication inbound and outbound. They should also perform testing phases, especially since options of cloud providers may change without being integrated.

Second, cloud providers propose private networking solutions to deploy internal resources and back-end services (e.g., databases, file storage, specific computation, back-office management). This addresses security and regulatory concerns like data protection (e.g., GDPR), data ciphering, or simply to stop parts of an application from being exposed directly to the Internet. All good practice. However, a better practice is to deploy computational back-end resources on subnets or networks not connected to the Internet, and that can only be reached by known sources. Then, filtering rules can be enforced to restrict access and comply with security policies.  

Finally, ensure there is a flexible DDI (DNS-DHCP-IPAM) solution integrated into the cloud orchestrator to make the configuration easier. DDI will automatically push appropriate records in the configuration once the service is enabled. This will not only bring considerable time savings to your organization, but it will also enforce policies to help secure public cloud deployments.

Moving applications to either a public or private cloud is inevitable. And as businesses continue to transform themselves, cloud usage will tag along on the journey. But businesses need to be aware that the public cloud isn't infallible when it comes to security, and must not assume that every angle is covered. Otherwise, the convenience of the cloud will turn into an inconvenience for your data.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

 

Ronan David is Chief Marketing Officer and Vice President of Business Development for EfficientIP. He is responsible for the global marketing activities and strategic alliances for a leading provider of network security and automation solutions ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.