Over the past few years cloud vendors have made a range of security tools and features available to their end users. They are designed to let customers apply the same security best practices to cloud infrastructure that they would apply in an on-premise data centre. Yet many skeptics still have questions about security in the cloud, for example:

  • “Is it safe to upload my files to a cloud provider?”
  • “How secure is it?”
  • “Does the cloud provider offer infrastructure designs that comply with ISO standards?”

The above are only a handful of the questions raised. Despite the additional layers of security and monitoring added by cloud vendors, many people remain unconvinced that the controls in place are adequate for handling sensitive data. This comes down largely to the psychological discomfort of not having the infrastructure or the data in an on-premise centre: what happens, for example, when an emergency arises and the hardware is not yours to walk up to? Yet the steady stream of features, developments and upgrades that cloud vendors introduce generally surpasses what an on-premise data centre offers.

Demonstrated vulnerabilities in products procured or integrated from major vendors can sway opinion as to which cloud provider is deemed vulnerable or secure. A recent example is the SolarWinds supply-chain attack uncovered by FireEye in December 2020[1]. Although the compromise has been traced to a malicious change to SolarWinds’ source code[2] that gave the attackers their way in, further information indicates a concerted, coordinated effort. The code change may well have enabled the exploit, but the sophistication of the attack (roughly 4,000 lines of implanted code and a single illegitimately enrolled mobile device) makes it look like a targeted hit rather than a fluke, and its side effects reverberate across an unknown number of customers. Under normal conditions, several layers of defence would have to be breached before an attack of this magnitude could occur. This is largely because nearly everything cloud vendors provide to their customers falls under the umbrella of something-as-a-Service: the customer’s workload runs under a hypervisor of some sort, which shields it from the lowest-level controls (BIOS, network switch configuration and so on), and those controls are managed only by the vendor.

Those lower layers are not beyond reach, however. Hackers have exploited BIOS updates to infect around a million devices. A hackathon team[3] demonstrated breakout attacks (escaping from a guest operating system past the hypervisor and onto the host) against VMware’s hypervisor, vSphere. And despite the demonstrated benefits of multi-factor authentication (MFA) in an enterprise, the FBI reported in mid-2018 that a group of Iranian hackers had bypassed it on Microsoft’s cloud platform by authenticating over legacy single-factor protocols[4], which never prompt for a second factor.
In a world where nothing on the web is completely secure, let alone in the cloud, what matters most is how quickly and how well a cloud vendor responds to and mitigates the exploits identified.
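The legacy-protocol bypass described above leaves a clear trail in sign-in telemetry. The following is an added example, not code from the original article or from Microsoft: a small Python script that scans sign-in records for successful authentications over protocols that never prompt for a second factor, and tallies failed legacy attempts per source IP as a password-spraying indicator. The records are constructed, and the field names (`clientAppUsed`, `authenticationRequirement`, `status.errorCode`) are assumed to follow the shape of an Azure AD sign-in log export; adjust them to whatever your log source emits.

```python
import json
from collections import Counter

# Client application types that authenticate with a username and password only.
# They cannot complete an MFA challenge, so a successful sign-in through one of
# them is a sign-in that MFA never protected. The values follow the Azure AD
# sign-in log vocabulary (an assumption; adjust to your own log source).
LEGACY_CLIENT_APPS = {
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange ActiveSync",
    "Exchange Web Services",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Autodiscover",
    "Other clients",
}

# Constructed sample export in JSON Lines form. One line is deliberately
# malformed to show that a single bad record does not abort the sweep.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.10", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.7", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
this line is not JSON and should be skipped
{"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.44", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.11", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse a JSON Lines export, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # in production, log the bad line; here we simply skip it
    return records


def is_legacy_single_factor(record):
    """True when the sign-in came through a legacy client with no second factor."""
    return (
        record.get("clientAppUsed") in LEGACY_CLIENT_APPS
        and record.get("authenticationRequirement") == "singleFactorAuthentication"
    )


def find_mfa_bypass(records):
    """Return (bypassed, failed_by_ip).

    bypassed: list of (user, ip, client app) for successful legacy sign-ins,
              i.e. accounts reached without MFA ever being asked for.
    failed_by_ip: count of failed legacy attempts per source IP; one IP failing
              against many accounts is the password-spraying pattern that
              typically precedes such a bypass.
    """
    bypassed = []
    failed_by_ip = Counter()
    for rec in records:
        if not is_legacy_single_factor(rec):
            continue
        error_code = rec.get("status", {}).get("errorCode")
        if error_code == 0:
            bypassed.append(
                (rec.get("userPrincipalName"), rec.get("ipAddress"), rec.get("clientAppUsed"))
            )
        else:
            failed_by_ip[rec.get("ipAddress")] += 1
    return bypassed, dict(failed_by_ip)


if __name__ == "__main__":
    hits, sprays = find_mfa_bypass(parse_signins(SAMPLE_SIGNINS))
    for user, ip, app in hits:
        print(f"MFA bypassed: {user} from {ip} via {app}")
    for ip, n in sprays.items():
        print(f"{n} failed legacy sign-ins from {ip}")
```

The durable fix is not detection but switching legacy authentication off for the tenant so that these protocols cannot be used at all; a sweep like this tells you which accounts and mailbox clients still depend on them before you do so.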

In late 2019 two major vulnerabilities were disclosed[5]. The first was a bug in the Remote Desktop Protocol client that Windows uses to connect to remote sessions, which could be used to crash the client and gain the privileges of the user running it. The second stemmed from insufficient isolation in Azure shared services running on virtual machines and could be used to break out of the hypervisor onto the shared hardware, giving unprecedented access to other tenants’ functions, commands and potentially the files stored on the shared infrastructure. Both were uncovered and reported by Check Point, a computer security company, and Microsoft acted swiftly to patch them. There is no public indication of exactly how quickly the patches went live; what we know is that the vulnerabilities were reported in September 2019 and that Microsoft announced in its October 2019 monthly security round-up that the fixes were already live.

In mid-2019 another computer security company, Skybox Security, released a report on the vulnerabilities and threats seen over the first half of the year. The report observed that virtual machines, containers and images are lightweight and quick to deploy, and that this ease of deployment often comes with relaxed security measures in the deployment process, which makes containers and images the most affected. It also raised grave concerns about the rate of cyber-attacks on cloud infrastructure: in the first half of 2019 alone the rate was up 49% on 2018 and 240% on the figure from two years earlier. Another study found that in 2018 alone, 681 million attacks were carried out by exploiting leaks in IoT services, software vulnerabilities and web applications. To address these concerns and restore confidence, cloud providers have introduced a plethora of options for building security review processes into their infrastructure, and keep them updated with the latest security protocols and features. Some of these involve tools that assess an estate’s compliance with the cloud vendor’s expected standards in order to mitigate and avoid potential exploits.
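To make “relaxed security measures in the deployment process” concrete, here is an added example (not from the original article or from the Skybox report) that checks a Kubernetes pod manifest for the settings most often left loose: privileged containers, shared host namespaces, root execution, writable root filesystems, retained capabilities, host-path mounts and unpinned image tags. Both manifests are constructed; treating Kubernetes as the deployment target is an assumption, and the checks mirror the restricted Pod Security Standard rather than any vendor’s compliance tool.

```python
def pod_security_findings(pod):
    """Return human-readable findings for relaxed settings in a pod manifest.

    An empty list means every check passed. `pod` is the parsed manifest as a
    dict (e.g. from yaml.safe_load()); the field names are the real Kubernetes
    ones, the checks are this example's own.
    """
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces let a container observe or interfere with the node itself.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")

    # hostPath volumes expose node directories; the container runtime socket is
    # the classic route from "a container" to "the whole node".
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(
                f"pod: volume {vol.get('name')} mounts host path {vol['hostPath'].get('path')}"
            )

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")

        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # The Kubernetes default is true, so "not set" is as bad as "true".
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # A container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {sorted(caps['add'])}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop all capabilities")
        # ':latest' or an untagged image resolves to different content over time.
        if "@sha256:" in image:
            pinned = True
        else:
            tag = image.rsplit(":", 1)[-1] if ":" in image else ""
            pinned = tag not in ("", "latest") and "/" not in tag
        if not pinned:
            findings.append(f"{name}: image {image!r} is not pinned")
    return findings


# Constructed "before" manifest: the kind of spec that gets a demo running fast.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "docker-sock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed "after" manifest: same workload with the loose settings closed.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "nginx:1.25.3",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        issues = pod_security_findings(pod)
        print(f"{label}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

Run against the weak manifest this reports eight findings and against the hardened one none; wiring the same function into a CI step or an admission webhook is how the “security review process” the vendors talk about becomes enforceable rather than advisory.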

Yet despite all of this, we should not forget the Pentagon’s (one of the organisations most exacting about cyber-security) initiative for the cloud: a deal worth up to $10 billion for the Joint Enterprise Defence Infrastructure (JEDI) cloud, which forms part of a broad modernisation of the Pentagon’s information technology systems. That is a lot of money to spend if there were no trust in the upkeep of cloud security.

Though not directly advertised to consumers, cloud providers put security at the top of their list of key requirements, alongside reliability. For example, Microsoft has introduced Sentinel[6], a cloud-native security information and event management (SIEM) service whose machine-learning-backed analytics give an enterprise a bird’s-eye view of the activity across its infrastructure, along with recommendations to bolster its security.

AWS offers CloudHSM (Azure has had an equivalent dedicated HSM service for some time), a hardware security module service that lets an enterprise generate encryption keys that are available only to it. The benefit stems from several factors, one being that outsourcing the hardware does not mean outsourcing custody of the keys; thus, in principle, not even AWS can have prying eyes on whatever a business stores on the device. An HSM by itself is a physical device, attached to a network or fitted into a server, that safeguards cryptographic keys at the hardware level: the hardware generates the keys and performs the cryptographic operations with them, so the key material never has to be handed to software outside the device. The interface used to access the keys requires the key owner’s secret credentials before the hardware will unlock them. The devices themselves come from several vendors such as IBM, Gemalto and Utimaco, to name a few, all of whom are independent of AWS, Microsoft or any other cloud vendor. So (and this is for the cloud skeptics) an outsider attempting to steal HSM-protected keys faces a much larger search space, since they do not know which vendor’s device backs the service in a given data centre or estate, and even if they identified it they would need detailed knowledge of that vendor’s hardware and firmware, which is highly unlikely. It then becomes the vendor’s reputation on the line should something falter.

The question then becomes: how secure do you really want your service or hardware in the cloud to be? Several layers of security, such as bastion hosts, portals and packet filters, in front of every login will certainly make pipelines and workflows slower to access. Retrieving data from the cloud can already be expensive, slow or both because of bandwidth limitations (even over private links such as Azure ExpressRoute), and stringent security features, particularly extensive packet-filtering rules, can add further delay. A balance should be struck to find the optimal configuration without bending the best practices that serve both security and accessibility.

If you would like to know more about cyber-security and the latest measures introduced and provided by different cloud vendors, please do not hesitate to get in touch.

Fouad S. Husseini – Senior Consultant

[1] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc

[2] New Evidence Suggests SolarWinds’ Codebase Was Hacked to Inject Backdoor (