8 IaaS Cloud Security Challenges You Should Be Aware Of

It’s little wonder that Infrastructure as a Service (IaaS) is becoming increasingly popular for organizations of all sizes – it’s the fastest-growing cloud segment according to Gartner. The benefits of an IaaS model are many and very compelling for enterprise and small business alike:

  • IaaS models are elastic and scalable, letting businesses purchase extra capacity as needed without investing in hardware that must be deployed and maintained;
  • an IaaS framework requires less up-front investment and overhead, fantastic for small businesses but also quite handy for enterprises; and
  • an IaaS model enables an increasingly remote workforce, who can connect to their business from any place with an Internet connection.

This is, of course, by no means an exhaustive list, and leaves out other valuable things like faster time to market, built-in disaster recovery plans, and enabling leadership to focus on growth rather than making technology decisions.

However, the many benefits of running your business’ computing environment through cloud providers like Azure or Amazon Web Services (AWS) are not without downsides. What are some of the most critical cloud security challenges any CIO or CISO must consider before moving their business to an IaaS environment?

IaaS Cloud Security Risks to Be Aware Of

  1. Misconfiguration. In my experience, this is one of the most common cloud security missteps around: when setting up a new cloud server or even a simple storage bucket, IT staffers often don’t properly configure their authentication or security standards, leaving potentially sensitive information vulnerable to unauthorized access. This is almost always a question of user error, typically on the part of the client – so always remember to double-check all security settings with your new IaaS provider for optimal cloud data protection… and if you’re not sure if you’ve properly configured things? Ask an expert.
  2. Changes in visibility. This isn’t necessarily a risk unto itself but is rather a compounder of other risks. For an IT team, you will never have as much visibility into an IaaS environment as an on-premises one that is completely controlled by your organization. Even the most transparent IaaS providers cannot offer the full visibility of an on-premises server, which means your ability to detect and respond to threats may be impaired or delayed. I recommend protecting your organization by partnering with a cloud service provider with a proven track record of rapid response to newly-found threats and vulnerabilities.
  3. Blocking data exfiltration. Because a client is not in full control of the server environment, it may be difficult to block exfiltration to someone without legitimate credentials – or who is using legitimate credentials illicitly. Mitigate this risk by having additional control measures in place to monitor the use of privileged accounts and movement of data outside of an established baseline.
  4. Cloud email isn’t as secure. Cloud email platforms have many of the same vulnerabilities as other email products – chief among them is vulnerability to human error. These email platforms also typically offer less robust protection than secure email gateway products, which don’t typically translate well to the cloud. I can count scores of times recently where emails that clearly should never have made it to my inbox end up with me having to report them to the cloud email provider as phishing emails.
  5. Different points of vulnerability. When transitioning to a cloud environment, it’s very popular for developers to do what’s called a “lift-and-shift,” i.e., simply deploying all existing apps and solutions on the cloud as though it were the on-premises server. This is common because it is cheaper to use extant solutions rather than adopt or develop new ones. It also results in fewer interruptions to productivity as employees can continue using tools to which they’re accustomed. However, a lift-and-shift deployment neglects to account for there being different points of vulnerability in a cloud environment as opposed to an on-premises one. Specialized tools may not work as well, if at all. Consequently, any infosec team used to relying on a given set of tools may find themselves blindsided by things they didn’t expect and scrambling to respond.
  6. Physically different locations. Every single interaction from a team working in an IaaS environment goes over the Internet. An environment can become exponentially more complex if the cloud servers aren’t in the same data center. For example, suppose an enterprise expects a sudden need for extra capacity and purchases more from their platform provider, but there is no more room in their extant data center so the new applications and computers must be located in a physically different one. In theory, employees should notice little to no difference, but these additional locations mean that there must be additional firewall or routing rules to handle traffic accordingly. Complexity is the enemy of security – more points for failure, especially given point #1.
  7. Compliance and regulation differences. This is particularly true for businesses that do business internationally or with governments around the world and may be required to follow certain regulations or compliance protocols that their cloud providers might not be held to. If your IaaS provider isn’t in compliance, you might not be in compliance, and so it’s imperative to check. For example, certain nations require the use of sovereign crypto algorithms that aren’t in use elsewhere. Does your IaaS provider support them? Ask.
  8. You’re responsible for your IaaS provider’s mistakes. This isn’t so much one of our cloud security challenges as it is a closely related PR problem. In the event of a cloud provider security breach that puts your business’ data at risk – more specifically, your customers’ data at risk – the fact that it wasn’t your fault may be cold comfort. Your customers will be angry at you for exposing them to potential fraud, and regulatory bodies aren’t likely to care much whose fault it was, only that the data that you were supposed to protect has been exposed. Thus, it is critical that in each step in the process, you focus on IaaS cloud data protection as much as is feasible.
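For the control suggested in point #3, the following added example (not from the original post) builds a per-account baseline of daily outbound data and flags privileged accounts that move data well outside it. The account names, byte counts, the three-sigma threshold and the 50 MB floor are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(history):
    """history: (account, bytes_out) per day -> {account: (mean, stdev)}."""
    per_account = defaultdict(list)
    for account, bytes_out in history:
        per_account[account].append(bytes_out)
    return {acct: (mean(vals), pstdev(vals)) for acct, vals in per_account.items()}

def flag_egress(baseline, today, sigmas=3.0, floor=50_000_000):
    """Return (account, bytes_out, reason) for egress outside the account's baseline."""
    alerts = []
    for account, bytes_out in today:
        if account not in baseline:
            # No history: a new privileged account moving data is worth a look.
            alerts.append((account, bytes_out, "no baseline"))
            continue
        avg, sd = baseline[account]
        # The floor stops low-volume accounts with tiny variance from alerting
        # on every small fluctuation.
        if bytes_out > max(avg + sigmas * sd, floor):
            alerts.append((account, bytes_out, "above baseline"))
    return alerts

# Constructed sample: daily outbound bytes per privileged account.
HISTORY = [(a, b) for a, days in {
    "svc-backup": [2_000_000_000, 2_100_000_000, 1_900_000_000, 2_000_000_000, 2_000_000_000],
    "admin-jlee": [40_000_000, 60_000_000, 50_000_000, 45_000_000, 55_000_000],
}.items() for b in days]
TODAY = [("svc-backup", 2_100_000_000), ("admin-jlee", 900_000_000), ("contractor-tmp", 10_000_000)]
```

With this data the backup service's usual 2 GB transfer stays quiet, while the administrator's 900 MB day and the account with no history are both raised.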

Bolstering Your Cloud Data Protection

Obviously this blog wouldn’t have been written if I didn’t believe the many benefits of IaaS are worth moving to a cloud environment; indeed, it is possible to ameliorate many, if not all, of these risks through careful planning, not cutting corners when it comes to cloud security, and being mindful of the security risks.

There are many things that CISOs and infosec teams can do to maximize cloud security while still taking advantage of the many benefits of an IaaS framework. For instance, an organization might find it convenient to run something of a hybrid system, where most work is done in a cloud environment but sensitive data and apps – like secure email clients – are run on-premises.

Another key tool in the arsenal is AI-powered cloud security, which can help eliminate false positives caused by an unfamiliar environment. In this new environment, behavior that appears unusual may simply be just that – unusual, rather than malicious. For instance, an employee working remotely and struggling to connect to the cloud from a poor connection might trigger warnings about multiple logins from the same user.

Today’s AI-based network security tools designed to protect public cloud workloads don’t just look for signs of malware, but rather know what threat behavior looks like and what malware is designed to do. This enables them to distinguish between benign anomalies, like the one above, and malicious ones. Through the use of such powerful cloud data protection solutions, an IaaS environment can become nearly as secure as your old on-premises servers.

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.