Practical Cloud Security

Figure 1-8.

pizza, so there are some gray areas. At the bottom of the diagram, things are concrete (often literally). The cloud provider has complete responsibility for physical infra‐

Likewise, if the provider offers virtualized environments, the virtualized infrastruc‐

ture security controls keeping your virtual environment separate from other virtual environments are the provider's responsibility. When the Spectre and Meltdown vul‐ nerabilities came to light in early 2018, one of the potential effects was that users in one virtual machine could read the memory of another virtual machine on the same physical computer. For IaaS customers, fixing that part of the vulnerability was the responsibility of the cloud provider, but fixing the vulnerabilities within the operating system was the customer's responsibility.

Network security is shown as a shared responsibility in the IaaS section of Figure 1-8.

Why? It's hard to show on a diagram, but there are several layers of networking, and the responsibility for each lies with a different party. The cloud provider has its own network that is its responsibility, but there is usually a virtual network on top (for example, some cloud providers offer a virtual private cloud), and it's the customer's responsibility to carve this into reasonable security zones and put in the proper rules for access between them. Many implementations also use overlay networks, firewalls, and transport encryption that are the customer's responsibility. This will be discussed in depth in Chapter 6.

Operating system security is usually straightforward: it's your responsibility if you're

to break it, you usually have the responsibility for securing it!)

Middleware, in this context, is a generic name for software such as databases, applica‐

tion servers, or queuing systems. They're in the middle between the operating system and the application—not used directly by end users, but used to develop solutions for end users. If you're using a PaaS, middleware security is often a shared responsibility; the provider might keep the software up to date (or make updates easily available to you), but you retain the responsibility for security-relevant settings such as encryp‐ tion.

bilities at this layer (such as cross-site scripting or SQL injection) are the provider's responsibility, but if you're reading this book you're probably not just using someone else's SaaS. Even if all of the other layers have bulletproof security, a vulnerability at the application security layer can easily expose all of your information.

incorrectly tell your cloud provider to allow access to specific data, such as granting incorrect storage permissions, middleware permissions, or SaaS permissions, there's really nothing the provider can do.

The root cause of many security incidents is an assumption that the cloud provider is

handling something, when it turns out nobody was handling it. Many real-world examples of security incidents stemming from poor understanding of the shared responsibility model come from open Amazon Web Services Simple Storage Service (AWS S3) buckets. Sure, AWS S3 storage is secure and encrypted, but none of that helps if you don't set your access controls properly. This misunderstanding has

caused the loss of:

• Auto-tracking company records

• Wireless customer records

• Over 3 million demographic survey records

you're in the top quartile. According to a Barracuda Networks survey in 2017, the shared responsibility model is still widely misunderstood among businesses. Some 77% of IT decision makers said they believed public cloud providers were responsible for securing customer data in the cloud, and 68% said they believed these providers were responsible for securing customer applications as well. If you read your agree‐

Risk Management

Risk management is a deep subject, with entire books written about it. I recommend

reading The Failure of Risk Management: Why It's Broken and How to Fix It by Doug‐ las W. Hubbard (Wiley), and NIST Special Publication 800-30 Rev 1 if you're interes‐ ted in getting serious about risk management. In a nutshell, humans are really bad at assessing risk and figuring out what to do about it. This section is intended to give you just the barest essentials for managing the risk of security incidents and data breaches.

At the risk of being too obvious, a risk is something bad that could happen. In most

risk management systems, the level of risk is based on a combination of how probable it is that the bad thing will happen (likelihood), and how bad the results will be if it does happen (impact). For example, something that's very likely to happen (such as someone guessing your password of "1234") and will be very bad if it does happen

risk. Something that's very unlikely to happen (such as an asteroid wiping out two different regional data centers at once) but that would be very bad if it does happen (going out of business) might only be a low risk, depending on the system you use for

deciding the level of risk.4

In this book, I'll talk about unknown risks (where we don't have enough information

one of four things with them:

tem—no more risk, but also none of the benefits you had from running the sys‐ tem in the first place.

2. Mitigate the risk. It's still there, but you do additional things to lower either the

likelihood that the bad thing will happen or the impact if it does happen. For example, you may choose to store less sensitive data so that if there is a breach, the impact won't be as bad.

3. Transfer the risk. You pay someone else to manage things so that the risk is their

problem. This is done a lot with the cloud, where you transfer many of the risks of managing the lower levels of the system to the cloud provider.

4. Accept the risk. After looking at the overall risk level and the benefits of continu‐

ing the activity, you decide to write down that the risk exists, get all of your stake‐ holders to agree that it's a risk, and then move on.
Any of these actions may be reasonable. However, what's not acceptable is to either

have no idea what your risks are, or to have an idea of what the risks are and accept them without weighing the consequences or getting buy-in from your stakeholders. At a minimum, you should have a list somewhere in a spreadsheet or document that details the risks you know about, the actions taken, and any approvals needed.

4 Risks can also interact, or aggregate. There may be two risks that each have relatively low likelihood and

impacts, but they may be likely to occur together and the impacts can combine to be higher. For example, the impact of either power line in a redundant pair going out may be negligible, but the impact of both going out may be really bad. This is often difficult to spot; the Atlanta airport power outage in 2017 is a good example.

Data Asset Management and Protection

Now that Chapter 1 has given you some idea of where your provider's responsibility

ends and yours begins, your first step is to figure out where your data is—or is going to be—and how you're going to protect it. There is often a lot of confusion about the term "asset management." What exactly are our assets, and what do we need to do to manage them? The obvious (and unhelpful) answer is that assets are anything valua‐ ble that you have. Let's start to home in on the details.

In this book, I've broken up asset management into two parts: data asset management

and cloud asset management. Data assets are the important information you have, such as customer names and addresses, credit card information, bank account infor‐ mation, or credentials to access such data. Cloud assets are the things you have that store and process your data—compute resources such as servers or containers, stor‐ age such as object stores or block storage, and platform instances such as databases or queues. Managing these assets is covered in the next chapter. While you can start with either data assets or cloud assets, and may need to go back and forth a bit to get a full picture, I find it easier to start with data assets.

The theory of managing data assets in the cloud is no different than on-premises, but

in practice there are some cloud technologies that can help.

Data _dent_fic_t_on and C__ss_fic_t_on

If you've created at least a "back-of-the-napkin" diagram and threat model as

described in the previous chapter, you'll have some idea of what your important data is, as well as the threat actors you have to worry about and what they might be after. Let's look at different ways the threat actors may attack your data.

ity, integrity, and availability. A threat actor trying to breach your data confidentiality wants to steal it, usually to sell it for money or embarrass you. A threat actor trying to breach your data integrity wants to change your data, such as by altering a bank bal‐ ance. (Note that this can be effective even if the attacker cannot read the bank balan‐ ces; I'd be happy to have my bank balance be a copy of Bill Gates's, even if I don't know what that value is.) A threat actor trying to breach your data availability wants

to take you offline for fun or profit, or use ransomware to encrypt your files.1

Most of us have limited resources and must prioritize our efforts.₂ A data classifica‐

tion system can assist with this, but resist the urge to make it more complicated than absolutely necessary.

Example Data C__ss_fic_t_on Levels

Every organization is different, but the following rules provide a good, simple starting

point for assessing the value of your data, and therefore the risk of having it breached:

low or negligible. Here are some examples:

• Application log data without any personal data, secrets, or value to attackers

• Software installation materials without any secrets or other items of value to

attackers