New take on an old joke: If a cloud service is hacked and no one is around, does it make a sound?
We’re living in a golden age of disruptive technologies, least of which is the rise of the “cloud”. Cloud computing is one of those terms that varies based on your perspective, so for the sake of our discussion today, we’re going to break it down to the basics: There is no cloud, only other people’s computers. Cloud is a nifty way to sell tiny slices of those computers resources, like storage and computing. That’s really all it is. But make no mistake, it’s someone else’s computer running with your data.
There are tremendous advantages to be gained from leveraging these services, without a doubt. The flexibility to pay for what you use, to scale up or down as necessary, to avoid capital expenses related to hardware and software, the redundancy and DR capabilities, the ubiquitous Internet access, all awesome things. We’re just going to take a look at how you can leverage these technologies safely.
Virtually every public cloud service provides you, the subscriber, with access to an administrative portal, usually a web application, where all of the administrative functions happen. Which makes sense, because your are using someone else’s computers after all, so they need to give you control over just your stuff.
How do you prevent unauthorized actions within this portal?
Well, usually the group of people designated as “admins” are given access to the portal, usually secured with a username and password. So technically they are the only people with access. Unless their password is easily guessable. Or they are victims of a phishing attack and disclose it. Or if it’s the password they use everywhere, and one of their other accounts is compromised. Oh, or if an attacker installs a key-logger on their system. Or if they log in from an unprotected wireless network.
Maybe your cloud provider has a two factor authentication solution you can utilize. That would help. Some private cloud service providers (including EI’s Cloud+) don’t even expose the admin console to the Internet to provide additional security.
Of course, if this system were hosted in our own data center, we would find a way to monitor that kind of login activity, both to log for patterns of brute forcing attempts, or to catch login attempts from unusual locations (someplace in Asia, let’s say). Unfortunately, most cloud providers do not provide the ability to log this type of data, and certainly not in anything like the real-time type nature we have grown accustomed to.
What this basically means is that the detective parts of your controls go out the window, and you are left with hoping that the authentication controls are sufficient.
Consider the case of Code Spaces, a service providing hosting for teams to collaborate on software projects. Their entire business was built using cloud services (in this case, Amazon’s Infrastructure as a service offering). Late on a Tuesday, the Code Spaces team realized they were the target of a massive distributed Denial of Service (DDoS) attack. The Code Spaces team was able to reach out to the attacker, who demanded a ransom to stop the attack. How did the Code Spaces team know how to contact the attacker? Because the attacker left their contact details inside of the admin dashboard of their Amazon account!
Realizing that the attacker had access to their control panel, they began to attempt to regain control over all of their accounts, but the attacker had created a few additional accounts, and started deleting everything inside of the Code Spaces account. Everything. All of the virtual machines, all of the virtual machine snapshots, all of the storage, and all of the backups.
Code Spaces had touted their ability to protect customer data from catastrophic events as one of their main selling points. To be fair, they probably were pretty well set up to recover from specific hardware or site failures, but no one had taken into account recovering from an instance where all of their data was deleted from the admin console.
As a result, Code Spaces is closing their doors. The cost of recovering their customer’s data plus the damage to their reputation was too much to overcome.
We don’t have many details on the exact nature of the attack at this point, but what little we know seems to indicate that a phishing attack targeted key individuals at Code Space, and was successful enough for the attacker to gain access to the Amazon dashboard.
So, how can you secure the admin console for your cloud services?
First, securing the admin portal should be as important to the cloud provider as it is to you. In most cases, the admin portal should be restricted, not just to authorized users, but from the Internet in general. While remote access is great, very rarely will you need access from absolutely anywhere on the Internet. Incorporating a VPN (with different credentials) to access administrative functions can provide an additional buffer. Most managed private clouds will work with you to only provide access to admin consoles through very restricted access. Obviously you can’t request physical access to most cloud service providers, which would enable physical access controls as well as logical ones.
Second, there should be some logging and alerting built in. Basic things like looking for series of incorrect passwords or connections from unusual locations is a good start.
Redundancy Outside of the cloud
Backups are such a critical component of DR/BC plans because you can always restore the app, but once you’ve lost the data, well that’s it. The Code Spaces team had designed their solution to handle lots of adverse conditions, just not one in which an attacker had access to their admin console. Had they leveraged a backup solution that kept their data outside the Amazon cloud (and away from the control of the attacker) they would have suffered an outage, but would have been able to restore to full functionality.
Cloud Security – Lots more!
The proliferation of various cloud services provides lots of additional attack surface that needs to be secured. We’ll be discussing additional cloud security concerns in upcoming blog posts.
Thanks for reading!
More details on the Code Spaces story can be found here: