Security remains a major consideration for companies intending to migrate to the cloud. Even as a popular cloud adoption choice, the Infrastructure as a Service (IaaS) model is not exempt from security risks that can come from inside and outside the organization. It is an attractive option for businesses, but making a wrong security move can have costly consequences. This article from our partners at Matrix explains these risks and how to mitigate them.

Even as a cloud technology, IaaS is still vulnerable to all the threats that exist in a traditional IT environment. IaaS operates in a way that client applications run on virtual servers owned by the provider. This means that the responsibility of securing the operating system, applications, and databases continues to lie with the customer.

IaaS Security Threats

If not properly guarded, IaaS can be a potential treasure trove for hackers to exploit in order to steal computing resources, particularly data. Misconfigured service settings, misplaced access keys, and stolen credentials are common vectors that hackers can leverage to work out their plots.

Distributed Denial of Service (DDoS). DDoS is a cyber attack that intends to make network resources unavailable. It often involves the use of several machines to target a major object within a computing system to interrupt or suspend the services it provides. This results in a slowing down or complete blockage of services.

Data loss or breach. While cloud providers continue to find ways to secure their infrastructure, it is still possible that some data can be lost or breached. Data breach attacks can be directed at the web application itself or pursued through poorly configured permissions. Loss of data or privacy can also happen due to inadequate monitoring and response to hardware failures or to any brewing abnormal activity in the system on the part of the user.

Storage enumeration attack. IaaS providers allow customers access to storage resources with individual domains, called buckets, containers, or blobs, typically marked with a simple delineation. Simply knowing the domain name is not enough to open the storage buckets, but when the administrator forgets to restrict the access permissions, attackers can easily guess common folder names to ransack such as “backup,” “logs,” “database,” “archive,” and many others.

Mitigating the Risks

Security experts cite a number of security considerations and best practices to mitigate potential IaaS risks. The security issues are slightly different in public and private cloud environments, but both models can be protected by implementing the same best practices.

Authentication and authorization. An effective Data Loss Prevention (DLP) policy needs robust authentication and authorization procedures. In addition to strong passwords, consider two-factor or multi-factor authentication wherever possible, especially for all resources that need to be restricted. Layering access policies is an added security measure that limits access to resources depending on the level of authority of the user or degree of criticality of the resources.

Key management. Customers need to know how their providers create, manage, update, and destroy keys, and find out how they maintain control and distribution of each key. Enterprises with larger applications can also consider the use of identity and access management (IAM) solutions to track different access groups. Account privileges should be kept at a minimum and leaked credentials immediately revoked.

End-to-end encryption. Companies should leverage end-to-end encryption to ensure that data on the hard drive and other storage containers as well as other data files are all encrypted to prevent both offline and online attacks. Administrators should also make sure that communications to virtual machines and host operating systems in the IaaS infrastructure are encrypted. Homomorphic encryption is a relatively new tool that is worth exploring.
Robust logging and reporting. A comprehensive logging and reporting system helps administrators keep track of information such as who is accessing data, what machines are being used, and where are they stored. Logging and reporting will become even more important in case a security breach happens for more effective incident response and forensics.