3 overlooked cloud security attack vectors

A 2022 Thales Cloud Security study revealed that 88% of enterprises store a significant amount (at least 21%) of their sensitive data in the cloud. No surprise there. Indeed, I thought the percentage would be much higher. The same report showed that 45% of organizations have experienced a data breach or failed an audit involving cloud-based data and applications. This news is less surprising and less encouraging.

As I covered previously, humans create most cloud computing security problems. They make easily preventable mistakes that cost enterprises millions in lost revenue and bad PR. In their defense, most don’t get the training they need to identify and deal with ever-changing threats, attack vectors, or attack methods. Enterprises can’t skip this education and still maintain control of their cloud security.

Let’s talk about three little-known cloud computing attack vectors that you should share with your peers:

Side-channel attacks

In the context of cloud computing, side-channel attacks can extract sensitive data from virtual machines that share the same physical server as other VMs and processes. A side-channel attack uses information obtained from the physical environment, such as power consumption, electromagnetic radiation, or sound to infer sensitive information about a system. For instance, an attacker could use power consumption data to figure out the cryptographic keys used to encrypt data in a neighboring virtual machine. Yes, it’s complex and difficult to pull off, but it’s already been done several times.

Mitigating side-channel attacks can be challenging, as they often require careful attention to physical security and may involve complex trade-offs between performance, security, and usability. Common defenses include techniques such as masking, which adds noise to the system, making it more difficult for attackers to infer sensitive information. Also, hardware-based countermeasures (shields or filters) reduce the amount of information that can leak through side channels.

These protections will be the responsibility of your cloud provider. You can’t show up at their data center, even if you know where it’s located, and start installing countermeasures to side-channel attacks. Ask your cloud provider how they mediate these risks. Change providers if they don’t have a good answer.

Container breakouts

Container breakouts are a type of attack where an attacker gains access to the underlying host operating system from within a container. This can occur if a human has misconfigured the container or if the attacker can exploit a vulnerability in the container runtime, of which there are many. Once an attacker has gained access to the host operating system, they can potentially access data from other containers or compromise the security of the entire cloud infrastructure.

Defending against container breakout attacks includes some basic processes, including securing the host system, implementing container isolation, applying least-privilege principles, and monitoring container activity. These defenses must occur wherever the container runs: on public clouds or on more traditional systems and devices. These are just some of the emerging best practices; they are cheap and can be implemented by container developers and security specialists.

Cloud service provider vulnerabilities

Along the same lines as a side-channel attack, cloud service providers themselves can be vulnerable, which can have significant consequences for their customers. An attacker could exploit a cloud provider’s infrastructure vulnerability to access customer data or launch a denial-of-service attack. Additionally, nation-state actors can target cloud providers, seeking access to sensitive data or disrupting critical infrastructure, which is the most significant risk right now.

Again, this requires trust in your cloud provider. Physical audits of their infrastructure are rarely an option and would likely prove unhelpful. You need a cloud provider that can quickly and easily answer questions about how they deal with their vulnerabilities:

  • Do they have playbooks to respond to issues they will likely see in the next few years?
  • How will they detect problems?
  • What are they doing to remove vulnerabilities?
  • What monetary guarantees can they provide?

If they balk at any of these core questions, find another provider with the right answers.

Copyright © 2023 IDG Communications, Inc.

Source

Originally posted on April 11, 2023 @ 6:10 pm