Cloud In-Security
Part 1
We often hear security professionals profess “The cloud is not secure - it is just someone else’s computers you do not control”.
This statement is true but vague: it gives no specifics about the risks that are often prevalent in large cloud providers. Based on years of security assessments on large cloud providers, there are some specific risks that are fairly common.
Let’s look at the evolution of a real “Cloud” provider environment. This environment was a SaaS (Software as a Service) and IaaS (Infrastructure as a Service) platform that included over 7,000 servers (bare metal and virtual).
Multi-Tenant
There were policies and procedures for a secure offering in place but…
Whenever a network or server problem occurred that was severe enough for the customer to complain about it, members of leadership and sales “pulled out all the stops” and demanded immediate action to remediate the issue. These actions often compromised the integrity of the security framework.
This included opening permissions up to Read/Write/Execute for everyone in case permission restrictions might have been part of the problem.
This was done as a “temporary” fix, to be corrected “later”, but “later” never came.
The result became a “Swiss Cheese” network and server environment where almost all security measures had been circumvented or negated by “quick fixes”.
The nature of the “cloud” is that many IaaS and SaaS environments are multi-tenant, so the removal of security controls in one customer environment often results in exposing all customers.
Stay tuned. I will post several other real examples in the coming days.
Always great stuff, Eddie. Looking forward to seeing more!
Thanks for this. I look forward to more.
Same thing happens with POC all the time. Your test environment becomes your live environment with a “just make it work” philosophy. Then, no one bothers to lock it down.