Cyber Interview: the challenges of cloud security
Hello Julien, Cloud security is one of the key cybersecurity trends in 2017. How has this happened?
The use of the Cloud is pretty widespread. I do not think we can say it’s new, just like technology. On the other hand, security for technologies using or built in the Cloud was not considered in their design.
This means that people have created online machines – it was very simple, but they forgot a very important factor since the machines were open, of course, but to everyone! With increasing use, attacks became more intense. Both professionals and the general public are aware that, like any computer infrastructure, machines in the Cloud are not immune to attacks. It is therefore necessary to improve security in this respect: applications must be protected, whether in terms of access or in terms of the security of the application itself.
But like any new technology or concept, one thinks first of all of the uses – practicality, rapidity, etc. and security always comes last! This is something that has been systematically observed!
For example, I’ve recently been reading about connected cars that are equipped with more and more electronics, and it’s amazing! Security by design does not exist! It’s the same for the Cloud. We deploy machines thinking that if we create or install a security group (a group of users with the same privileges on a specific domain) on Amazon or Azure, for example, the application or the machine will be secure. That’s a mistake. But, what matters to us at this point is not security; it’s that the machine is deployed right away, that you can access it quickly with a small password and that everything is easy to use.
I have the impression that this phenomenon can also be linked to the fact that we do not really know what is hiding behind this concept of the Cloud.
Specifically, what are we talking about when we talk about the Cloud?
The Cloud is a paradigm that makes it possible to use applications on demand, from everywhere, to have a scalable infrastructure, and so on. The adoption of the Cloud is important today, but the question for companies is rather to know which one of the 3 models of the Cloud is best suited to their new uses: SaaS (Software as a Service), PaaS (Platform as a Service), or IaaS (Infrastructure as a Service).
Then, we have Cloud providers and operators. Cloud providers like Microsoft, Amazon, Google, etc. provide Cloud platforms. After that, there are Cloud operators, that is to say people who lease infrastructure to these cloud providers to offer services that are directly hosted in the Cloud. For example, Dropbox uses SaaS, Software as a Service, that is to say it offers its customers a subscription to a service that is hosted on an Amazon infrastructure.
So, we can see that there are several levels of security that must be respected when talking about Cloud, since it is necessary not only to ensure that the infrastructures managed by Cloud providers are secure, but also to be sure that the Cloud service operator secures its virtual hosting environment at the provider level.
If we concentrate on businesses, is Cloud security an additional cybersecurity issue?
I would not necessarily say that it is an additional issue. Rather, I think it is a matter of trying to extend a good number of best security practices acquired for conventional infrastructures to Cloud environments. There are things that can be applied right away. I’m thinking about passwords – whether they’re stored in the Cloud, on a machine, or on a desktop, it’s the same thing. Password management is crucial regardless of the environment or where the machine or server is located.
Despite this, these best practices are not enough when it comes to Cloud security because new methods of administration are being added with new uses. In that case, we can actually talk about additional security issues because we will have to rethink the way we access it, the resources we use, or the way people use it. Since these are virtual machines in the Cloud, many people will be forced to use them, which means – theoretically – greater access, thus more control and rigour in access accreditations.
More precisely, how do you control all such access to the Cloud?
Today, the main Cloud vendors such as Amazon and Microsoft provide what is known as a kind of IAM (Identity and Access Management), which allows delegation of rights in a rather granular way, which will enable control and access (through authorization workflows) to key resources and servers. On the other hand, we will not know what has been done in terms of administration. In this respect, I should distinguish the use of machines that will be target machines dedicated to trades (for example, with compilation, R&D people who will work on it because it is their tool, etc.) from those dedicated to administration. Administration today is related to people who will administer the Cloud infrastructure of a company. These are people who have the keys to the realm and who will be able to do the same thing as they would do on a machine hosted in a data center or on a desktop. Looking at these scenarios, we realize that the management of IAM and the management of roles offered by Cloud providers are essential, but insufficient because they will not allow us to know what has happened, to act post mortem, to manage passwords finely, to basically do everything that one can do on internal infrastructures with a solution like the Bastion from WALLIX.
More specifically, how does the Bastion work at this level?
If we take the example of service providers who host their virtual machines with Cloud Azure providers, etc., they will necessarily pass through a Bastion that allows them at any time to request administration traces, or to implement a policy of changing passwords on their own virtual machines. The added value is that the customer can know what is happening or what has happened at any time, and can manage the security of his virtual machines himself through a single access point which is the Bastion. So, the Bastion acts as a more or less strong barrier between the service provider and the administered machines. It then reduces the internal threat, as we discussed in another interview, which for me is the most threatening issue for a company. In the context of Cloud security, the problem particularly impacts privileged users; it is linked to outsourcing, which implies that companies may be even less trusting of the people who arbitrate their machines! To reduce threats from the Cloud, we recommend cutting access to the machines and connecting only to the Bastion for access to reduce the risk of incidents. The Bastion acts in this case as a barrier since direct access to the machines will theoretically be no longer possible. We recommend this approach so that passwords are known only by the Bastion, while supporting users with this change of security habits in order to facilitate its adoption.