In outsourced cloud computing services, public cloud Platform as a Service (PaaS) providers only ensure security on the outside of the cloud—not inside. For security inside the cloud, PaaS users have to take matters into their own hands. While that should concern all public cloud denizens, for managed service providers (MSPs) the issue gets magnified by the number of customers on their Software as a Service (SaaS) solutions.
“It’s the most important practice for security practitioners to do everything to minimize risk of SaaS infrastructure security gaps within their own organizations first,” says Chris Carter, CEO, Approyo, a global SAP solution provider. “Some of the most important steps can help security managers tighten cloud security and keep their organizations safe by leveraging Cloud Access Security Brokers—CASB. These tools help executives find unauthorized applications and manage risk across all their clouds.”
And with many MSPs responsible for a large and growing number of customer public cloud instances, manually maintaining security on all of them has become impossible. Continually monitoring for security and configuration vulnerabilities nonetheless remains a mission-critical item on the MSP checklist, and how to accomplish it has no settled answer. Talkin’ Cloud reached out to industry thought leaders to ask what they think. What follows is anecdotal and does not purport to cover all aspects of the subject. If something significant got left out, leave a comment. Let’s discuss it.
The ‘In’ Crowd Source
With large public cloud PaaS providers like Amazon Web Services (AWS) and Microsoft Azure busy battling for control of the internet business of governments and Fortune 500 companies, they may have overlooked prospects in the MSP market—and its ecosystem of startups. While outside-only security (security of the cloud, not in it) may be fine for those large customers, whose own legacy IT departments look after internal security, it does not come close for MSPs, with the Internet of Things (IoT) and billions of device events headed their way.
“Even the most secure cloud providers only offer security of the cloud,” says Matthew Fuller, co-founder, CloudSploit, provider of automated AWS security and configuration monitoring. “The user is responsible for security in the cloud. As groups, roles and devices change, oversights and misconfigurations open vulnerabilities that can lead to outright hacks or financial DDoS.”
To help close this gap, continual monitoring of AWS instances can prove effective. CloudSploit customers, for example, can run the tests they choose, or create their own, as frequently as desired, according to Fuller. When a test finds an issue, CloudSploit alerts the designated people and keeps a record of the finding, a detailed description of the issue and its likely resolution.
“Security experts from around the world contribute to CloudSploit,” Fuller says. “It is an open source project with the goal of increasing compliance with best practices to protect MSP infrastructure and customer information.”
Benchmarks, Shared Responsibility and Control Planes
With MSPs overwhelmed by information technology (IT) application duties, and customers in many cases novices at cloud security, exactly how it should get done remains unclear. Agreement on the course of action, and on who has the onus for completing it, must come before establishing SaaS defenses—and before a cloud exploit occurs.
“The cloud provider shared responsibility model places a security burden on enterprises consuming services,” says Dave Ginsburg, vice president, marketing, Cavirin, provider of security and compliance across physical, public and hybrid clouds. “But, in some cases, IT will not have the processes or expertise to properly mitigate risk. The result may be a breach that could have been prevented or reluctance to move critical applications to the cloud, creating competitive disadvantage.”
What MSPs and cloud customers need are consensus benchmarks for properly sharing responsibility for their respective pieces of the security pie. That cloud workloads now exist in constant flux—exacerbated by virtualization and containers—makes this even more critical, according to Ginsburg. But how do you gauge how well each party is handling its share of the divided responsibility?
“Therefore, enterprises require continuous visibility into their security postures and one set of tools designed to test against benchmarks that include NIST, CIS, PCI, HIPAA and FISMA,” Ginsburg says. “Tools deployed by the enterprise should support these and have full visibility into different AWS services via APIs. The same applies for Microsoft Azure, Google Cloud Platform and others.”
Fortunately, many public PaaS providers, including AWS, have issued security best practices for hardening cloud instances that align with CIS, and MSPs can employ third-party compliance solutions to help implement them. In addition, both AWS and Azure provide sophisticated tools to secure access to their control planes.
“A control plane compromise is generally worse than a server compromise, as control planes provide access to servers as well as direct access to the account,” says Jarret Raim, head of strategy and operations, Rackspace Managed Security. “Rackspace tools like CloudTrail from AWS will surface the changes made to the control planes and should be monitored for abuse.”
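To make the monitoring Raim describes concrete, here is an added example (not code from Rackspace or AWS) that reviews a handful of constructed CloudTrail-style records and flags control-plane changes made without MFA or with root credentials. The sample records and the set of event names treated as sensitive are assumptions chosen for illustration.

```python
import json

# Constructed CloudTrail-style records for illustration only; not from a real AWS account.
SAMPLE_TRAIL = json.loads("""[
 {"eventTime": "2017-06-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "ops-bob",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventTime": "2017-06-01T10:05:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "IAMUser", "userName": "ops-alice",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventTime": "2017-06-01T11:15:02Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "Root"}}
]""")

# Control-plane actions that grant access or blind the audit trail (an assumed starter set).
SENSITIVE_EVENTS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress"},
}

def mfa_authenticated(event):
    """True only when the session that issued the call was MFA-authenticated."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def review_event(event):
    """Return the reasons this event deserves a human look (empty for routine calls)."""
    reasons = []
    if event["eventName"] in SENSITIVE_EVENTS.get(event["eventSource"], ()):
        reasons.append("sensitive control-plane change: " + event["eventName"])
        if not mfa_authenticated(event):
            reasons.append("performed without MFA")
    if event.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root credentials used")
    return reasons

def scan_trail(events):
    """Run review_event over a batch of records and collect the findings in order."""
    findings = []
    for event in events:
        reasons = review_event(event)
        if reasons:
            identity = event.get("userIdentity", {})
            findings.append({"time": event["eventTime"], "actor": identity.get("userName", identity.get("type")),
                             "source_ip": event["sourceIPAddress"], "reasons": reasons})
    return findings
```

In practice the records would come from the trail's S3 bucket or CloudWatch Logs rather than an inline list, and each finding would feed the MSP's alerting pipeline.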
Points of Demarcation
Hand in hand with the cooperation that must exist between MSPs and customers on security, a boundary must delineate where each has total responsibility for cloud defense. It cannot come as an afterthought: security between MSPs and customers needs careful planning from the beginning, with proper liaising of resources a must, according to cyber infrastructure experts.
“Security management is a key prerequisite for driving a cloud strategy,” says Steve Hanney, chief cloud officer, Presidio, an IT solutions provider focused on digital infrastructure, cloud and security solutions. “And with vendor management from the outset paramount, there must be a demarcation of responsibility defined between MSP and customer.”
After creating the customer security rules of engagement, MSPs can craft secure and compliant environments that protect services and data seamlessly, end to end, throughout the relationship lifecycle, according to Hanney. This secure network access control—a secure infrastructure—establishes appropriate predefined traffic rules using firewalls, network policy engines and secure tunnels between the customer's on-premises data center and the off-premises MSP, paraphrasing Hanney, with a reference link provided by Cloudscene.
Blacklisting vs. Whitelisting
As the off-premises cloud solutions concept takes hold, the trust model for internet connections must change, in the view of some IT experts. Until now, many security experts have favored a presumed-innocent-until-proven-guilty mindset that tried to fingerprint black hats up front; the explosion of connections in cloud computing has led more cautious practitioners to dissent and opt for a trust-but-verify stance that identifies the white hats in advance.
“The cloud is becoming a set of computing utilities and will be as essential as the electricity grid,” says Amir Sharif, co-founder, Aporeto, provider of comprehensive cloud-native security for deploying and operating cloud-native applications. “Like any critical service, security needs to be part of cloud infrastructure and automatic. Protecting individual data assets in the cloud requires a whitelist security model, only allowing intended connections, instead of the existing blacklist model, where all links are implicitly allowed unless explicitly prohibited.”
Implementing this security model requires a robust policy regime in which application and personal intent can be captured, where possible, and described easily, according to Sharif.
Password Reuse and Brute Force Attacks
As many know, the internet has become increasingly hostile, with cyber criminals targeting poorly secured hosted services. At MSPs and other hosted services, for example, applications come under old-fashioned hacking attempts such as password reuse and brute-force attacks. This poses particular problems for MSPs that use remote monitoring and management (RMM) solutions to administer customer accounts, according to MSP security experts.
“The most likely RMM compromise is a password reuse attack,” says Ian Trump, global security lead, SolarWinds MSP. “This scenario led to account compromise in hosted services like GitHub and others. Also, this attack is the easiest to mitigate. By simply enabling Two Factor Authentication (2FA) protection of your RMM dashboard, it easily prevents account compromise in the event your password falls into the hands of the bad guys from a previous data breach.”
Brute-force guessing of weak RMM account passwords is the next most likely MSP exploit, according to Trump, and SolarWinds always offers customers 2FA options to mitigate successful guesses by hackers.
And MSPs can prevent further hacking by banning the IP addresses from which brute-force attacks emanate, according to Trump.
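As an added example (not SolarWinds' code), the following detection runs over constructed RMM dashboard login log lines in an assumed format, separates single-account brute forcing from the many-accounts-one-try pattern a password reuse attack produces, and emits the source IPs to ban that Trump mentions. The log format, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed RMM dashboard login log; the line format is an assumption, not a real product's.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z auth FAIL user=admin src=203.0.113.9
2017-06-01T10:00:03Z auth FAIL user=admin src=203.0.113.9
2017-06-01T10:00:05Z auth FAIL user=admin src=203.0.113.9
2017-06-01T10:00:07Z auth FAIL user=admin src=203.0.113.9
2017-06-01T10:00:09Z auth FAIL user=admin src=203.0.113.9
2017-06-01T10:01:00Z auth FAIL user=jsmith src=198.51.100.5
2017-06-01T10:01:02Z auth FAIL user=kwong src=198.51.100.5
2017-06-01T10:01:04Z auth FAIL user=ops-alice src=198.51.100.5
2017-06-01T10:01:06Z auth FAIL user=tech1 src=198.51.100.5
2017-06-01T10:01:08Z auth FAIL user=billing src=198.51.100.5
2017-06-01T10:02:00Z auth FAIL user=ops-bob src=192.0.2.44
2017-06-01T10:02:20Z auth OK user=ops-bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$")

def parse_log(text):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts.timestamp(), m["result"], m["user"], m["ip"]

def find_attackers(text, threshold=5, window=60):
    """Flag source IPs with >= threshold failed logins inside any window-second span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> distinct usernames tried from that ip
    flagged = {}
    for ts, result, user, ip in parse_log(text):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:   # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            kind = "brute-force" if len(users[ip]) == 1 else "password-reuse"  # one account vs. many
            flagged[ip] = {"failures": len(q), "users": sorted(users[ip]), "kind": kind}
    return flagged

def ban_list(text, **kw):
    return sorted(find_attackers(text, **kw))
```

The legitimate user who mistypes once and then logs in is never flagged, while the ban list carries both attacking sources; with 2FA enabled on the dashboard, even the successful guess the second pattern aims for would not yield a session.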