Cloud Storage Services
Characteristics
Broad Network Access
Services are offered across a network, most commonly the internet, and are reachable from a variety of network-connected devices through standard clients such as a web browser.
Rapid Elasticity
Resources and capacity can be rapidly increased or decreased as the customer's needs change, giving the end user the impression of nearly unlimited capacity.
Measured Service
Storage, bandwidth, compute capacity and application activity are all metered and reported to both the provider and the consumer, and can be used for charge-back.
On-Demand Self-Service
The cloud service user can provision capabilities and capacity independently, without requiring significant human interaction with the provider.
Resource Pooling
All capabilities are delivered from a shared resource pool that serves many customers in a multi-tenant arrangement, with tenant isolation so that each customer sees only the resources allotted to them.
Cloud Service Models
Software as a Service (SaaS)
The highest degree of abstraction: the provider delivers the complete software application to the consumer over the network, and the customer simply uses a web browser or another network client programme to access it. Consider a hosted sales management system.
Platform as a Service (PaaS)
The service provider supplies the core computing platform (operating system and runtime), and consumers have full control over installing their own applications and data on it. Consider web hosting.
Infrastructure as a Service (IaaS)
The cloud provider supplies the computing infrastructure (storage, hardware and network connectivity), and customers are free to install and configure whatever operating systems, application software and data they choose on it. AWS and Rackspace are examples.
Security tools and techniques provided or supported by cloud providers:
- Principle of least privilege
- Multi-factor authentication
- SSL/TLS encryption (in transit)
- Virtual private networks
- Block storage (virtual hard drive) encryption (at rest)
- Access management platform (IAM)
Also available:
- Remote Wipe – Remote wipe is a mobile-device-management feature that lets you clear data from a lost or stolen device remotely. Dropbox Plus, Professional and Business users, for example, can remotely delete the contents of the Dropbox folder on a lost device or hard drive, keeping sensitive files under their control.
- One-time Passwords – One-time password (OTP) systems provide a way to log on to a network or service with a unique password that, as the name suggests, can be used only once. A static (reusable) password, by contrast, is the most common authentication method and the least secure.
Quick Facts
Cloud-based malware attacks – Malware classes can be developed to be delivered and propagated using the cloud. These include ‘bare metal’ malware, which persists in data centre hardware or firmware and so survives virtual machine re-imaging; malware written for specific hypervisors; and 0-day malware designed to affect a cloud provider’s particular IaaS, PaaS and SaaS operating systems and/or software bundles.
Cloud-based botnets – Cloud resources can and have been rented for the purpose of hosting DDoS botnets.
Confidentiality – Cloud platforms support encryption in transit and at rest, as long as the customer enables these capabilities. Cloud platforms also support the principle of least privilege by allowing fine-grained control over access permissions for different categories of users. Multi-factor authentication is also supported by cloud platforms.
Integrity – Cloud platforms provide automated backup and versioning, which can be utilised to restore data that has been destroyed or altered as a result of a breach. Scripting features can be used to automatically update content to the most recent version or to update content after modifications (DevOps, CI/CD).
Availability – Cloud solutions improve availability by automating load balancing, ‘horizontal’ scalability, redundancy, and DDoS protection, which is especially important with SaaS and PaaS service models.
Security monitoring – Some cloud providers will enable remote monitoring of network and account activities, which, when combined with anomaly detection, can notify CERT, CIRT, and SOC personnel of suspected breaches.
Patch Management in PaaS and SaaS – SaaS and PaaS service models include automated patch management (supplied by the cloud provider) for the layers the provider operates, which reduces the customer’s security management burden. In PaaS the customer is still responsible for patching the application code and dependencies it deploys onto the platform.
Risks
- Contract breach and loss of data assets.
- Collecting forensic evidence is difficult.
- Insider threat (customer or cloud provider).
- Outage and data loss.
- Privilege abuse or escalation.
- Defending against zero-day attacks.
- Misconfigured security settings or controls.
Notes:
Large/hyper-scale cloud providers have very sophisticated systems for managing cryptographic keys on behalf of their customers, and they operate these services in line with a variety of cybersecurity frameworks, including cloud-specific ones such as ISO/IEC 27017 and 27018.
In AWS, for example, control of certificate private keys is shared between AWS Certificate Manager (ACM) and the cloud customer organisation.
ACM can be used to create and issue X.509 SSL/TLS certificates that bind the customer organisation’s public key to its website name (or other SSL/TLS service). These are commonly deployed on AWS load balancers, API Gateway, CloudFront and other services.
ACM stores the accompanying private key in a hardware security module (HSM), and only in the region in which the certificate was created; the exception is certificates used by CloudFront (a CDN), whose key material must be distributed to the CDN edge that serves them.
Using ACM-managed X.509 SSL/TLS certificates removes much of the operational risk of certificate-based services, chiefly the risk around expiry and renewal.
ACM handles automatic renewal of certificates ahead of their expiry date, and the deployment of the renewed certificates to the services that rely on them.
ACM also handles renewal and re-association in a revocation scenario, that is, when one of the certificates in the chain, anywhere up to the root CA, is revoked.
This reduces the risk of downtime caused by expiring certificates; many clients will refuse to connect to a service presenting an expired certificate.
There are hazards here too, because anyone who can complete domain validation can obtain a certificate for the organisation’s domain. Within the account, access to the ACM service should be need-to-know and least-privilege. The Route53 hosted zones (or externally managed DNS zones) used for “DNS validation” of the certificates need the same protection: need-to-know, least privilege, and change control. The root login of the organisation’s AWS account should have 2FA/MFA enabled, and any IAM user or role with access to ACM or Route53 should also require 2FA/MFA. For “email validation” of certificates, the contact addresses in the domain’s whois record and the five special addresses admin@, administrator@, hostmaster@, webmaster@ and postmaster@ should have controlled recipients and trusted mail-exchange administrators. An ACM Private CA can also be used to maintain private root CAs and certificate hierarchies, and externally managed certificates can be imported into ACM.
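The controls above (MFA on the root login, MFA on any principal that can touch ACM or Route53, need-to-know access to the certificate service and the DNS zones used for validation) are only as good as the monitoring that catches violations, which is where the security monitoring mentioned under Quick Facts comes in. Below is an added example, not from the original page and not AWS code, of a small detector run over CloudTrail-style events. The field names it reads (eventSource, eventName, userIdentity.type, userIdentity.sessionContext.attributes.mfaAuthenticated, additionalEventData.MFAUsed, sessionContext.sessionIssuer.arn) follow CloudTrail’s record format; the allowed-principal list, the account ID and the events themselves are constructed sample data.

```python
"""Added example (not from the original page): flag CloudTrail-style events that
violate the account-hardening rules around ACM, Route53 and MFA.
The sample events below are constructed, not real logs."""
import json

# Principals permitted to change certificates or the validation DNS zone.
# Hypothetical role ARN for illustration.
ALLOWED_CERT_ADMINS = {"arn:aws:iam::123456789012:role/cert-admin"}

# (eventSource, eventName) pairs that can mint, replace or remove a certificate
# or alter the DNS records a CA checks during DNS validation.
CERT_SENSITIVE = {
    ("acm.amazonaws.com", "RequestCertificate"),
    ("acm.amazonaws.com", "ImportCertificate"),
    ("acm.amazonaws.com", "DeleteCertificate"),
    ("route53.amazonaws.com", "ChangeResourceRecordSets"),
}


def principal_arn(event: dict) -> str:
    """For role sessions CloudTrail's userIdentity.arn is the STS session ARN;
    the IAM role that was assumed lives under sessionContext.sessionIssuer."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return ident.get("arn")


def mfa_used(event: dict) -> bool:
    """MFA is recorded differently for console logins and for API calls."""
    if event.get("eventName") == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def check_event(event: dict) -> list:
    """Return the findings for one event (empty list if it is clean)."""
    findings = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName")
    if ident.get("type") == "Root":
        findings.append("root account used")
    if name == "ConsoleLogin" and not mfa_used(event):
        findings.append("console login without MFA")
    if (event.get("eventSource"), name) in CERT_SENSITIVE:
        actor = principal_arn(event)
        if actor not in ALLOWED_CERT_ADMINS:
            findings.append(f"{name} by non-approved principal {actor}")
        if not mfa_used(event):
            findings.append(f"{name} from a session without MFA")
    return findings


def scan(ndjson_text: str) -> dict:
    """Scan newline-delimited JSON events; return {eventID: [findings]}."""
    results = {}
    for line in ndjson_text.splitlines():
        if line.strip():
            event = json.loads(line)
            findings = check_event(event)
            if findings:
                results[event["eventID"]] = findings
    return results


# Constructed sample events (CloudTrail field layout, made-up identities).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "acm.amazonaws.com", "eventName": "RequestCertificate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/cert-admin/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"},
                                         "sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/cert-admin"}}}},
    {"eventID": "e3", "eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "e4", "eventSource": "acm.amazonaws.com", "eventName": "DescribeCertificate",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob"}},
])

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Two details matter in practice: read-only calls such as DescribeCertificate are deliberately not in the sensitive set, so the detector does not page on routine inventory, and role sessions are matched on the issuing role rather than the per-session STS ARN, otherwise every new session name would look like a new principal.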
If an organisation uses a third-party supplier to manage its certificates, such as a certificate reseller, there are risks around deploying newly renewed certificates into the cloud provider’s service(s), and similar risks around unplanned events such as revocation of a certificate in the chain.
An intriguing example occurred on 28 February 2018, after Google announced that Chrome would distrust Symantec certificates issued before December 2017 (when DigiCert took over Symantec’s CA business). A dispute between Trustico (a UK-based certificate reseller) and DigiCert (Trustico’s certificate supplier) ended with Trustico e-mailing DigiCert the private keys of around 23,000 customer certificates. Because those keys were now demonstrably compromised, DigiCert was obliged to revoke the certificates within 24 hours, leaving Trustico customers less than a day to replace and redeploy every affected certificate. DigiCert offered the affected customers free one-year replacement certificates, but Trustico moved its customers to Comodo certificates instead.
The organisation frequently manages private keys for usage in VPNs, private infrastructure, and internal applications/services.
Managing private keys within an organisation creates work for the sysadmin, crypto, appsec and network teams. Key custodians should be well versed in best practice, crypto standards and key-management risks. Key-management failures create risk in every C.I.A. area (confidentiality, integrity and availability), including high availability (HA) and business continuity / IT disaster recovery (BCP/ITDR).