Cloud In-Security (part 4)
We often hear security professionals profess "The cloud is not secure; it is just someone else's computers that you do not control."
This statement is true, but it is vague and gives no specifics about the risks that are often prevalent at large cloud providers. Based on years of security assessments of large cloud providers, there are some specific risks that are fairly common.
Let's look at the evolution of a real "Cloud" provider environment. This environment was a SaaS (Software as a Service) and IaaS (Infrastructure as a Service) platform that included over 7,000 servers (bare metal and virtual).
Virtually Insecure
This cloud provider allowed access to the data center via a large-scale VDI environment, both for its offshore support staff and for a few customers who used it for support and administration.
The offshore support teams accessed the production environment through a VDI framework (over ICA or RDP). These VMs were ostensibly kept at current patch levels and hardened, so that the remote desktops used for support functions would be secure.
In reality, these remote desktop images were rarely updated or maintained because the support staff was "busy", which resulted in unpatched desktop VMs.
Many of these were left up and running for years and became infected with malware and malicious code over time, resulting in compromised desktops that held elevated privileges and access into customer production environments.
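The failure described above is easy to detect if anyone bothers to look: a desktop image whose patch baseline is months old, that has not been rebooted in years, and that still holds a path into customer production. The following is an added example, not code from the original post or from the provider it describes. It runs a simple stale-image audit over a constructed inventory; the field names, the thresholds (30 days since the last patch, 90 days of uptime) and the sample VMs are all assumptions made for illustration.

```python
"""Stale VDI image audit (added example, not from the original post).

Assumptions: each remote-desktop VM is described by a name, the date of
its last patch baseline, its uptime in days, and whether it can reach
customer production. The thresholds are illustrative, not values
taken from the post.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: a support desktop must be re-patched within 30 days and
# must not run for more than 90 days without a rebuild or reboot.
MAX_PATCH_AGE_DAYS = 30
MAX_UPTIME_DAYS = 90


@dataclass(frozen=True)
class VdiImage:
    name: str
    last_patched: date   # date of the last applied patch baseline
    uptime_days: int     # days since the VM was last rebooted
    prod_access: bool    # True if the desktop can reach customer production


def findings(img: VdiImage, today: date) -> list[str]:
    """Return the list of policy violations for one image (empty if clean)."""
    found = []
    patch_age = (today - img.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        found.append(f"patch baseline is {patch_age} days old")
    if img.uptime_days > MAX_UPTIME_DAYS:
        found.append(f"running for {img.uptime_days} days without rebuild")
    return found


def audit(inventory: list[VdiImage], today: date) -> dict[str, tuple[str, list[str]]]:
    """Map each non-compliant image name to (severity, findings).

    A stale desktop that can reach customer production is rated HIGH,
    because a compromise of it is a compromise of the customer environment;
    an isolated stale desktop is rated MEDIUM.
    """
    report = {}
    for img in inventory:
        problems = findings(img, today)
        if problems:
            severity = "HIGH" if img.prod_access else "MEDIUM"
            report[img.name] = (severity, problems)
    return report


# Constructed sample inventory; these are not real hosts from the post.
SAMPLE_INVENTORY = [
    VdiImage("vdi-support-01", date(2017, 3, 10), uptime_days=1100, prod_access=True),
    VdiImage("vdi-support-02", date(2020, 5, 20), uptime_days=12, prod_access=True),
    VdiImage("vdi-cust-01", date(2019, 12, 1), uptime_days=40, prod_access=False),
]


if __name__ == "__main__":
    for name, (severity, problems) in audit(SAMPLE_INVENTORY, date(2020, 6, 1)).items():
        print(f"{severity}: {name}")
        for p in problems:
            print(f"    - {p}")
```

Run it and the 2017-era support desktop with a path into production is reported as HIGH with both findings, the recently patched desktop is silent, and the isolated customer desktop is reported as MEDIUM for its patch age alone. In a real environment the inventory would come from the VDI broker or hypervisor API rather than a hard-coded list, but the policy check is the same.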
Into the Breach
Customers were never notified of breaches. Far more effort went into covering up breaches and risk than into preventing them. Security controls were loudly touted to visiting customers as part of the marketing campaign, but most of these controls were nothing more than a smoke screen to appear secure and did little to protect customer data or environments.
Fooling the Auditors
A customer of the provider brought in an ISO 27002 auditor for an assessment. A shell game then ensued: the provider hid the issues from the auditor, carefully steering them away from problem areas.
The auditor was never shown the issues, and answers to the auditor's security questions were vague and sometimes misleading. The auditor was often told "We are busy, but we will get back to you later with answers", but they never did.
More to follow in the next post.
Thanks for sharing. I have read all of the articles so far. I'm surprised no one has sued them.
Wow, what a shady, unethical company! 😯😤
Great to hear from you Ed! Ping me here on DM anytime!
Eddie. It's been so many years since we worked together at Relera for a brief time. Always appreciated your knowledge and insight. Just a good opportunity to say hello.