{"id":5998,"date":"2017-03-16T00:00:00","date_gmt":"2017-03-16T00:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2017\/03\/16\/iaas-security-threats-and-protection-methodologies\/"},"modified":"2022-08-17T20:06:21","modified_gmt":"2022-08-17T20:06:21","slug":"iaas-security-threats-and-protection-methodologies","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/iaas-security-threats-and-protection-methodologies\/","title":{"rendered":"IaaS Security: Threats and Protection Methodologies"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
\n

 <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

By Maxim Sovetkin, Itransition<\/em><\/p>\n

Cloud services are becoming the main part of the infrastructure for many companies. Enterprises should pay maximum attention to security issues, moving away from typical approaches used in physical infrastructures, which are often insufficient in an atmosphere of constantly changing business requirements. Although cloud providers do all they can to guarantee infrastructure reliability, some of them limit their services to standard security measures, which can and should be significantly expanded.<\/p>\n

Typical Cloud Information Security Threats<\/h2>\n

According to the Cloud Security Alliance<\/a> the list of the main cloud security threats includes the following:<\/p>\n

Data Leaks<\/h3>\n

Data in the cloud is exposed to the same threats as traditional infrastructures. Due to the large amount of data, platforms of cloud providers become an attractive target for attackers. Data leaks can lead to a chain of unfortunate events for IT companies and infrastructure as a service (IaaS) providers.<\/p>\n

Compromising Accounts and Authentication Bypass<\/h3>\n

Data leaks often result from insufficient attention to authentication verification. More often than not, weak passwords in conjunction with poor management of encryption keys and certificates are to blame. In addition, IT organizations are faced with problems of managing rights and permissions when users are assigned with much greater powers than they actually need. The problem can also occur when a user takes another position or leaves the company: no one is in a rush to update permissions under the new user roles. As a result, the account has rights to more features than necessary.<\/p>\n

Moreover, cloud environments are often prone to use of all kinds of phishing, scams, exploits and various attempts to manipulate data.<\/p>\n

The threat may also come from current or former employees, system administrators, contractors or business partners. Insiders may have different motives, ranging from data theft to simple revenge. In the case of IaaS, the consequences of such actions can even take the form of full or partial infrastructure destruction, data access or even data destruction.<\/p>\n

Interface and API Hacking<\/h3>\n

Today, it is impossible to imagine cloud services and applications without friendly user interfaces (UIs) and application program interfaces (APIs). The security and availability of cloud services depends on reliable mechanisms of data access control and encryption. Weak interfaces become bottlenecks in matters of availability, confidentiality, integrity and security of systems and data.<\/p>\n

Cyberattacks<\/h3>\n

Targeted cyberattacks are common in our times. An experienced attacker, who has secured his presence in a target infrastructure, is not so easy to detect. Remote network attacks may have significant impact on the availability of infrastructure in general.<\/p>\n

Despite the fact that denial-of-service (DoS) attacks have a long history, the development of cloud computing has made them more common. DoS attacks can cause business critical services to slow down or even stop. DoS attacks consume a large amount of computing power that comes with a hefty bill. Despite the fact that the principles of DoS attacks are simple at first glance, you need to understand their characteristics at the application level: the focus on the vulnerability of web servers, databases and applications.<\/p>\n

Permanent Data Loss<\/h3>\n

Data loss due to malicious acts or accidents at the provider\u2019s end is no less critical than a leak. Daily backups and their storage on external protected alternative platforms are particularly important for cloud environments.<\/p>\n

In addition, if you are using encryption before moving data to the cloud, it is necessary to take care of secure storage for encryption keys. As soon as keys fall into the wrong hands, data itself becomes available to attackers, the loss of which can wreak havoc on any organization.<\/p>\n

Vulnerabilities<\/h3>\n

A common mistake when using cloud-based solutions in the IaaS model is paying too little attention to the security of applications, which are placed in the secure infrastructure of the cloud provider. And the vulnerability of applications becomes a bottleneck in enterprise infrastructure security.<\/p>\n

Lack of Awareness<\/h3>\n

Organizations moving to the cloud without understanding the capabilities the cloud has to offer are faced with many problems. If a team of specialists is not very familiar with the features of cloud technologies and principles of deploying cloud-based applications, operational and architectural issues arise that can lead not only to downtime but also to much more serious problems.<\/p>\n

Abuse of Cloud Services<\/h3>\n

The cloud can be used by legal and illegal businesses. The purpose of the latter is to use cloud resources for criminal activity: launching DoS attacks, sending spam, distributing malicious content, etc. It is extremely important for suppliers and service users to be able to detect such activities. To do this, detailed traffic inspections and cloud monitoring tools are recommended.<\/p>\n

Protection Methodology<\/h2>\n

In order to reduce risks associated with information security, it is necessary to determine and identify the levels of infrastructure that require attention and protection. For example, the computing level (hypervisors), the data storage level, the network level, the UI and API level, and so on.<\/p>\n

Next you need to define protection methods at each level, distinguish the perimeter and cloud infrastructure security zones, and select monitoring and audit tools.<\/p>\n

Enterprises should develop an information security strategy that includes the following, at the very least:<\/p>\n