Do Meltdown and Spectre invalidate the cloud? Do modern security issues invalidate the cloud? Does lack of provable security invalidate the cloud? But isn’t it provable? These are pretty strong statements, but the latest Spectre patch microcode recall for certain CPUs is starting to make some companies rethink their use of the cloud. What type of data will they place into the cloud? How does one mitigate snooping by others? Does the cloud “model” need to change? Clouds and data centers differ by quite a bit. Defense-in-depth tactics need to change as well.
That is the crux of the matter: private data centers and public clouds are different entities. They have different security considerations. Those are, simply:
- In a private cloud, all data is private to the cloud and the organization, but not the line of business.
- In a public cloud, no data is necessarily private between organizations.
The second is a strong statement, but there are three potential vectors to consider when assessing risk:
- Cloud administrators can potentially see, tamper with, and otherwise affect all data.
- Attacks like Spectre can lead to inadvertent leakage of data.
- Use of API keys inside code, within code repositories, allows potential unknown access to the cloud and other instances of lack of access controls.
However, for each of these vectors, you can set up defense in depth and compensating controls. In other words, the sky is not falling—the cloud is not melting. Developing these compensating defense-in-depth controls is why going to and using the cloud requires more planning than the average private data center. In the cloud, your control mechanisms may be limited. Here are some mitigations and compensating controls for each of these concerns. All are predicated upon knowing the data you have within the cloud: knowing where it is, how it is accessed, etc. Data management is crucial within the cloud.
- Cloud administrator access: Encrypt your data—and not just at rest, but in flight, including in flight within the storage system. For some workloads, you may even consider trusted execution environments so you can do just-in-time decryption of data. Verify that all actions by cloud administrators are tracked.
- Attacks like spectre: This is where data management really becomes an issue. There are two possible mitigations:
- Only place into public clouds data that is public: i.e., data known by all or seen by all, not data that is confidential or has any other nonpublic classification level.
- For nonpublic data, ensure that you have purchased, rented, or leased a nonshared environment from the cloud vendor, such as VMware Cloud Foundation, which runs on dedicated, elastic, bare-metal cloud infrastructure. (VMware Cloud on AWS, Amazon Bare Metal systems, Azure on bare metal, etc.) The best approach would be to use one set of systems per type of data in use: DMZ data, virtual desktop data for one group, virtual desktop data for another group, etc.
- Use of API keys and other access issues: This also has multiple mitigations:
- Use multifactor authentication for access to cloud, application, and system administration and access using just-in-time authentication techniques. In other words, no shared user data should be on the target system to leak.
- Use Key Vaults for API keys and tools to read code to ensure that API keys are not leaked (vaults can come from HashiCorp, Vormetric, and others). Ensure that API keys are properly rotated by the vault as well.
These mitigations are great for nonshared server systems. These approaches also apply to serverless setups. These same rules apply for DMZ systems and even desktop systems.
The key to the success of your defense in depth will ultimately be about the data within the target systems. We as IT practitioners, security personnel, and business owners need to understand the data in use. We need to understand the risk to the business if that data leaks out. We also need to understand the impact of that data’s leaking (not just to the business, but to society). Data management is key to the future of IT. Spectre is demonstrating that we need to better understand and handle our data.
However, a typical system has multiple forms of confidential and critical information in memory, such as encryption keys, password hashes, unencrypted data, and other data used by attackers to further infiltrate your environment. Will these mitigations stop these styles of attacks? In many ways, yes. Will you need to grow your footprint within the cloud? Potentially. Can you apply these same mitigations to your private data center? Of course.
Would moving from IaaS to SaaS systems offer mitigation? That depends on the SaaS system. Specifically, does the SaaS system run arbitrary code? If it does, then you may want to consider other alternatives. Do your own threat modelling of your applications.
What other mitigation and defense-in depth-configurations will be required? Is there anything I missed? Do your own threat assessment, and share your results here. These are just three potential vectors of attack; there are others. Let me know your other vectors.