Cloud In-Security (part 3)
We often hear security professionals profess “The cloud is not secure - it is just someone else’s computers you do not control”.
This statement is true but very vague, and it gives no specifics about the risks that are often present at large cloud providers. Based on years of security assessments of large cloud providers, some specific risks are fairly common.
Let's look at the evolution of a real "Cloud" provider environment. This environment was a SaaS (Software as a Service) and IaaS (Infrastructure as a Service) platform that included over 7,000 servers (bare metal and virtual).
Active Directory
In this cloud environment many multi-tenant customers were simply given an OU (in Active Directory) in a shared domain with delegated control over their own OU for access.
Many customers then demanded "Domain Admin" access, claiming they needed it to resolve an emergency or troubleshoot an issue, and it was often granted.
This gave them control over the entire AD domain, including the OUs of several other customers.
Eventually most customers had Domain Admin access, and so had "god rights" over every customer in the multi-tenant environment. The "Domain Admins" group grew to an unmanageable membership size. No auditing was performed on elevated privilege accounts.
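As an added example (not code from the original post), the following PowerShell script checks for the three failure modes described above from a defender's side: Domain Admins sprawl, tenant OUs whose delegation reaches beyond the tenant's own group, and the absence of auditing on the elevated group. It assumes the ActiveDirectory RSAT module, a baseline list of approved Domain Admins, tenant OU distinguished names, and a tenant admin group naming convention, all of which are placeholders here; the 4728 event field indices follow the documented event schema.

```powershell
# Added example, not from the post: audit Domain Admins sprawl, tenant OU
# delegation scope, and recent additions to the elevated group.
# Requires the ActiveDirectory RSAT module; read access to the domain and to the
# Security log of a domain controller.
Import-Module ActiveDirectory

# Assumed values (placeholders): the approved Domain Admins baseline and the
# tenant OUs. Replace with your own.
$ApprovedDomainAdmins = @('Administrator', 'svc-adbreakglass')
$TenantOUs = @(
    'OU=TenantA,OU=Customers,DC=cloud,DC=example',
    'OU=TenantB,OU=Customers,DC=cloud,DC=example'
)
$LookbackDays = 30

# 1. Domain Admins membership: expand nested groups so a tenant group nested
#    into Domain Admins is not hidden, then diff against the baseline.
$members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName)
$unexpected = @($members | Where-Object { $ApprovedDomainAdmins -notcontains $_ })

Write-Host ("Domain Admins (recursive): {0} members, {1} outside baseline" -f $members.Count, $unexpected.Count)
$unexpected | ForEach-Object { Write-Host "  NOT IN BASELINE: $_" }

# 2. Tenant OU delegation: a tenant should only be able to manage its own OU.
#    Flag explicit (non-inherited) Allow ACEs that grant control-equivalent
#    rights to any principal other than the tenant's own delegated group.
$ControlRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
$BuiltInHolders = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|.+\\Domain Admins|.+\\Enterprise Admins)$'
foreach ($ou in $TenantOUs) {
    $tenantName = ($ou -split ',')[0] -replace '^OU=', ''
    $expectedGroup = "*\$tenantName-Admins"       # assumed naming convention
    $acl = Get-Acl -Path "AD:\$ou"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $ControlRights) { continue }
        if ($ace.IdentityReference.Value -like $expectedGroup) { continue }
        # Built-in administrative principals legitimately hold rights here;
        # any other holder of control rights on a tenant OU is a finding.
        if ($ace.IdentityReference.Value -match $BuiltInHolders) { continue }
        Write-Host ("  OU {0}: {1} has {2}" -f $tenantName, $ace.IdentityReference, $ace.ActiveDirectoryRights)
    }
}

# 3. Auditing the elevated group: event 4728 is written to the DC Security log
#    when a member is added to a security-enabled global group. In the documented
#    schema, property 0 is the member added, 2 the group name, 6 the subject who
#    made the change. Run on a DC or add -ComputerName to Get-WinEvent.
$since = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728; StartTime = $since } -ErrorAction SilentlyContinue
$daChanges = @($events | Where-Object { $_.Properties[2].Value -eq 'Domain Admins' })
Write-Host ("Additions to Domain Admins in the last {0} days: {1}" -f $LookbackDays, $daChanges.Count)
foreach ($e in $daChanges) {
    Write-Host ("  {0}  {1} added by {2}" -f $e.TimeCreated, $e.Properties[0].Value, $e.Properties[6].Value)
}
```

Two notes on running it: Get-ADGroupMember refuses groups above the AD Web Services member limit (5,000 by default), which is exactly the state the post describes, so on such a domain read the group's Member attribute with Get-ADGroup instead; and section 3 only finds anything if the "Audit Security Group Management" subcategory is enabled on the domain controllers, which is the auditing the post says was missing.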
Offshore
This organization relied heavily on offshore support. Security controls at many of these offshore support locations were tenuous at best.
Turnover at the offshore support locations was very high. Staff at these sites, under pressure from their local leadership, often bypassed security controls completely.
Security controls were circumvented for ease of use and convenience, and to meet unrealistic time demands.
(watch for Part 4 soon)