Software Engineering Institute

This month the SEI released a pair of technical reports on security in the cloud. Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud details 12 challenges organizations must consider when developing applications using cloud services or moving existing applications to the cloud. Cloud Security Best Practices Derived from Mission Thread Analysis presents four security best practices organizations can use to improve the cybersecurity posture of their cloud deployments.

According to Gartner, the total worldwide revenue for public cloud services in 2018 was $182.4 billion, with rapid growth expected in the coming years. As offerings from cloud service providers (CSPs) grow, so too will cloud security incidents. In a recent survey by the SANS Institute, 11 percent of responding organizations reported experiencing a breach of their cloud data, and 31 percent reported unauthorized outside access of their cloud environments or assets.

The National Institute of Standards and Technology (NIST) defines the characteristics of cloud computing that differentiate it from a classic data center environment: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. According to the Overview of Risks report, these characteristics entail five unique threats, risks, and vulnerabilities:

• Reduced visibility and control. Organizations lose some visibility and control over assets and operations moved to the cloud.
• Simplified unauthorized use due to on-demand self-service. Organization personnel can provision additional services from the CSP without consent of the organization’s IT department.
• Management application programming interface (API) compromise. CSP APIs are accessible via the Internet, exposing them more broadly to potential exploitation.
• Logical separation failure among multiple tenants. Hosting multiple tenants in a single cloud environment could expose all tenants to attack and data leakage, should the isolation of tenants fail.
• Incomplete data deletion. Organizations are less able to verify the secure deletion of their data because of varying deletion procedures among CSPs and because the data is often distributed over multiple cloud storage devices.

The Overview of Risks report includes measures to mitigate these risks and seven others common to both cloud computing and data-center or on-premise computing, such as credential theft, insider threat, and compromised supply chain.

However, the five risks unique to the cloud environment are the focus of the report Cloud Security Best Practices Derived from Mission Thread Analysis. The report aims to help consumers increase the security of their cloud deployments by following four best practices:

• Perform due diligence. Fully understand the implications of having resources with a CSP.
• Manage access. Allow users to do their jobs, but protect resources from inappropriate or unauthorized use.
• Protect data. Prevent accidental or unauthorized disclosure, ensure access during disruptions, and ensure inaccessibility of deleted data.
• Monitor and defend. Detect unauthorized access to data or use of resources.

The authors developed the practices to mitigate the five cloud-specific risks identified in the first report. To analyze these risks, the authors developed a mission thread, or end-to-end set of steps and resources needed to exploit each risk. “The mission thread helps to define the context, stakeholders, assumptions, constraints, and additional information about a system of systems,” explains Timothy Morrow, lead author of the reports and technical manager of the situational awareness group within the SEI’s CERT Division. “It’s very important to developing an understanding of the system.”

The four practices are not a complete collection of security actions. Organizations should complement these practices with those provided by CSPs, general cybersecurity practices, regulatory compliance requirements, and practices defined by cloud trade associations.

In fact, cloud consumers’ failure to use, or misuse of, the security controls provided by their CSPs is a leading cause of security incidents in cloud-based systems. Many of the unique risks of cloud computing arise from the shared responsibility for security between the CSP and the consumer.

Some real-world examples of security incidents, caused by cloud consumers, CSPs, or both, provide a backdrop to the best practices. The report also gives examples of how the practices can be implemented in three of today’s most popular CSPs: Amazon, Microsoft, and Google. “Most times people like to tell you what is a good idea, but they don’t help you implement it,” says Morrow. “By providing the context and doing more prototyping work, the SEI is better able to help organizations.”

Though the two reports are grounded in today’s cloud environment, Morrow encourages cloud users to stay nimble. “Cloud computing is a rapidly changing environment, with the CSPs constantly adding and upgrading the services they provide,” he says. “Staying up to date on the changes, as well as the specific cloud security service each CSP provides, is a big effort.”

Download the report Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud from https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=551354. For more information on this topic, listen to the authors’ podcast (https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=528530) and read the related blog post (https://insights.sei.cmu.edu/sei_blog/2018/03/12-risks-threats-vulnerabilities-in-moving-to-the-cloud.html).

Download the report Cloud Security Best Practices Derived from Mission Thread Analysis from http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=551466. For more information on this topic, listen to the authors’ podcast (https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=529967) and read the related blog post (https://insights.sei.cmu.edu/sei_blog/2018/03/best-practices-for-cloud-security.html).

Benefits and risks of cloud computing will also be the topic of the SEI’s Software and Cyber Solutions Symposium, September 10-11 in Arlington, Va. Learn more at https://www.sei.cmu.edu/news-events/events/event.cfm?customel_datapageid_5541=188758.