Cloud data storage facilitates the efficient and fast transfer of data throughout the globe. The dominant companies offering third-party cloud storage, such as Microsoft and Amazon, have supported the growth and maturation of millions of businesses. The infrastructure at the heart of these services has the potential to cause untold damage, however. With cloud data security becoming ever more important to both industries and customers, it’s vital to take a proactive approach to your cloud storage security.
Efficient Storage – With a Budget Twist
The budget-friendliness of today’s cloud storage solutions make them particularly attractive to scaling businesses. By offering swathes of computing power on an as-you-need basis, the financial and administrative demands of the cloud are kept to a lean minimum. In essence, cloud providers offer pools of resources for their customers. The physical servers they operate may offer vast computing possibilities, but slicing this up in a flexible way demands clever architecture. A hypervisor is what divides these physical servers into millions of smaller virtual servers, abstracting the computing power into more efficient, smaller chunks.
From a software perspective, this is described as multi-tenancy architecture. The tenancy here is an analogy for externally-owned computing resources that can be switched and transferred at will. The benefits of this multi-tenant layout are numerous: sophisticated applications and large databases are able to be run immediately, enabling plug-and-play SaaS solutions, and allowing customers to save on storage, hardware, and CPU costs.
Fundamentally, multi-tenancy architecture is the beating heart of Database and Software as a Service. As the cloud has exploded in popularity, the cramming of multiple customers onto each virtual server has drawn slight concern from the more security-minded, however.
AppSync’s Deputy Issue
AppSync is a vital tool for drawing data from multiple connected AWS databases. It provides a robust interface for API production, supporting efficient data caching and easy endpoint creation. Thanks to AppSync’s ability to publish and query the data within a connected AWS database, it holds a fairly tenuous position within the security of an account. This sets the stage for a confused deputy problem – that is, when a less-privileged entity (an attacker kept out via authentication protocols) confuses a more-privileged entity (AppSync) into performing actions for the attacker’s benefit. To prevent this, AppSync was built with a failsafe: when creating a source for the API to pull from, the account name is checked against the database’s own account info.
However, researchers at Datadog Security Labs recently found and published a major flaw within this security protocol. Despite the check put in place, the researchers found that this check was vulnerable to malicious inputs. By manually feeding this function the Amazon Resource Name (ARN) of a different AWS account, AppSync could be tricked into assuming the access privileges of that unrelated account. This lends the attacker access to all resources under that account.
Allowing attackers access to once-protected databases is cause for major concern. Thankfully, AWS reacted with incredible swiftness when the researchers bought up the new exploit. Notifying the company on the 1st September, a patch was pushed to the AppSync service only five days later. Analyzing the impact of the newly-discovered vulnerability, Amazon analyzed all relevant logs, stretching back the service’s launch. AWS conclusively determined that the no customer accounts had become victim to this attack vector, and that the only accounts involved in this attack were those owned by the researchers.
Guaranteeing Cloud Security in 3 Phases
One of the benefits of the cloud is how simple and speedy its services are. Accelerated design and deployment have become a mainstay of DevOps; fantastic for innovation, but often considerably lacking in security. Sometimes, the need for speed can accelerate the creation of dire consequences. Instead of sacrificing speed and ease of use, purpose-built cloud-native security solutions offer security at pace.
Firstly, you can’t protect what you don’t know. Data governance is a rising issue, as cloud environments scatter databases hither and thither – meaning it’s also a key component of comprehensive, cloud-based security. The drift that naturally occurs as databases are created, deleted and cloned means that tracking every bit – no matter where it is, what data it consists of, and who is accessing it – has never been more difficult. Delivered as SaaS, modern data posture management can keep up with rapid deployment.
With data discovery handled, it’s now possible to start classifying said data. This automated process tags data according to its sensitivity, type, and value to the organization if altered or destroyed. This can occur through content, context or user info of each piece of data. By automatically assessing the ins and outs of each piece of data, it becomes possible to rank the risk following your organization’s own structure. The first benefit to this process is its ability to give organizations the most comprehensive overview of their risk level possible. Ultimately, however, this sets the foundation for the final phase of cloud security.
Once you’ve clarified what the data is, and which users can begin using said data, it becomes a lot easier to sniff out any instances of policy violation. This lends itself to top-notch authorization policies, with best practice and historical info helping establish who should have access to each level of sensitive data. Policy violation responses can be automated: for instance, if someone is suddenly attempting to transfer sensitive data outside the organization; or an account seeing suspicious behavior; the suspicious activity is terminated before a breach occurs.
With a security solution handling the three pillars of cloud security, your customers and industry partners are kept safe from profiteering cybercriminals and malicious actors.
