The use of cloud services to support business needs has exponentially increased over the past years. Most companies have now moved from traditional IT environments to private or public cloud deployments to support IT, security and business needs.
The increase in cloud services usage comes with a great responsibility for cloud providers and cloud customers. Conducting proactive and regular security audits is necessary to secure these services.
To help illustrate this, let’s have a look at the most recent high-profile cybersecurity attack. On 2 July, Kaseya Virtual System Administrator (Kaseya VSA) was compromised by an attack attributed to REvil, also known as Sodinokibi, an active criminal organization taking advantage of insecure platforms to launch ransomware as a service (RaaS) attacks. Here is the Incident Overview and Technical Details posted by Kaseya.
Kaseya VSA is an IT monitoring service available on-prem or through a Software as a Service (SaaS) deployment. The vulnerabilities leading to this attack could have impacted thousands of companies relying on Kaseya’s cloud products.
Researches such as TrueSec have identified various potential zero-day vulnerabilities (no patch available) that led to this attack. The following vulnerabilities were part of the exploit chain confirmed by TrueSec:
- Authentication Bypass
- Arbitrary File Upload
- Request Forgery Token Bypass
- Local File Code Injection
View Large Graphic. Source: TrueSec Blog
We can observe how the attackers gained access by taking advantage of known application security risks. While the attack on its own has a sophisticated flow, these types of vulnerabilities can be identified and remediated by conducting proactive security audits.
Although Kaseya’s incident is related to the application security itself (cloud provider), many other cybersecurity attacks involve insecure cloud services configuration (cloud customer).
Now, let’s explore cloud security audits. There are various elements to consider when thinking about auditing the security in cloud services, and there are two major perspectives to consider:
Auditing from a cloud provider perspective
This is likely the most critical piece for cloud security audits. We need to keep in mind that a cloud service is, in essence, an application deployed in such a way that allows broad network access, on-demand self-service, resource pooling, rapid elasticity and measured service.
The security aspects of a cloud service from a cloud provider standpoint can be broken down by various domains, including: application security, encryption, change control, and others. Introducing security audits at all stages of the product lifecycle becomes critical to ensure the service is secure and reliable.
The Cloud Control Matrix (CCM) v4 from the Cloud Security Alliance contains 17 security domains with 197 controls divided as follows:
The control specifications in this matrix are mapped to various security standards, including ISO27001, ISO27017, HITRUST, PCI, COBIT, NIST, ENISA Cloud Computing Risk Assessment, etc.
Certainly, the CCMv4 provides great insight into aspects that cloud providers must include in their audit and assessment programs. While some of these concepts are not new to security professionals, others are specific to secure cloud environments. Encryption and Key Management are not new concepts – however, both are much more complicated in cloud products. Enabling strong encryption at rest and in transit, and providing flexible key management solutions to cloud customers, are critical for protecting data stored in such products. Interoperability and Portability are cloud-specific concepts. Cloud providers must ensure they enable the portability of data to avoid a vendor lock-in problem.
Concerning application security, cloud providers must also incorporate auditing of known security risks such as the OWASP Top Ten Web Application Security Risks. Incorporating a proactive audit of these risks could prevent successful exploits leading to large cybersecurity attacks, particularly injection, broken authentication, broken access control, and the use of components with known vulnerabilities. It is paramount to incorporate extensive audits of these risks before product launches.
ISO/IEC 27017:2015 is another comprehensive set of guidelines or security practices for cloud services based on ISO/IEC 27002. It contains various similarities with the CCMv4 and other standards.
The Security, Trust, Assurance, and Risk (STAR) Program from the Cloud Security Alliance is an excellent vehicle for security assurance in cloud environments. This program is based on the Cloud Control Matrix and the Consensus Assessment Initiative Questionnaire (CAIQ). The CAIQ provides industry-standard practices for documenting security controls in IaaS, PaaS and SaaS services.
The STAR Program allows cloud providers to evaluate the security of their products through two different levels of assurance: Level 1: Self-Assessment and Level 2: Third-Party Assessment. The certifications or attestations obtained through the Level 2 of this program can support SOC 2 engagements, ISO27001 certifications and other compliance needs.
Auditing from a cloud customer perspective
Cloud providers are not responsible for all security aspects of cloud environments. An essential part of security audits in the cloud falls under cloud customers. Here is where visibility becomes a challenge. Clearly, cloud providers are reluctant to disclose sensitive information about their products, location of data centers, and any information concerning their infrastructure and products in general.
In most cases, cloud providers rely on independent third-party attestations such as an SOC 2 report or certifications like ISO27001 to provide a certain level of assurance to their customers. However, having an SOC 2 report or an ISO certificate won’t warranty that the security in the cloud product is flawless. This is a risk that cloud customers must consider when migrating to cloud environments.
The level of security audits that a cloud customer can perform is directly related to the cloud service model:
- In IaaS, the cloud customer will retain most control over the environment; therefore, their audits can be extensive;
- In SaaS, the cloud customer will only control the data and some security settings; therefore, their audits will be limited.
These are factors that cloud customers must consider when planning their security audit programs. While SaaS audits can be complicated due to the limitations, here are some critical aspects to include in an audit plan:
- Encryption and Key Management: Is the data in the cloud service encrypted? And does the cloud customer have sufficient control over the encryption keys?
- Identify and Access Management: Are there controls to ensure data and services can only be accessed by the right people at the right time?
- Device Level Security: Can you prevent/control access to the cloud service and data from unauthorized devices?
- Security Logging: Are there sufficient logging capabilities to identify and prevent malicious user behavior?
- Contractual Agreements: Are there adequate contracts with the cloud services? And have they provided independent security audit results?
Cloud security continues evolving. ISACA and the Cloud Security Alliance recently formalized the Certificate of Cloud Auditing Knowledge (CCAK) as a perfect complement of CISA and CCSP, enhancing the tools available for security professionals supporting cloud security.
Cloud providers and cloud customers must ensure they incorporate cloud security in their audit and assessment programs, taking advantage of key industry resources. A proactive approach to auditing cloud computing can prevent the next cybersecurity incident.
About the author: Gary Carrera is a Privacy Program Manager at Facebook. He has 14 years of experience supporting large tech companies in Information Security and Privacy programs, most recently at Facebook and Apple. He holds an MS in Business Administration and Project Management and CDPSE, CISM, CISA, CCSP, HITRUST CCSFP, ISO27001, among other certifications. The postings on this site are the author's own and don't necessarily reflect his employer’s positions or opinions on the subject.