Many organizations are rapidly moving to the cloud to host everything from their products and services to their corporate infrastructure. A cloud infrastructure offers a highly scalable virtual environment and can eliminate the need for a local server infrastructure. Multi-tenancy, a common feature of cloud deployments, requires customers to share the resources supporting databases, web applications, and other infrastructure in order to increase efficiency and lower expenses. This means that physical hardware is shared by multiple distinct organizations, and the separation between data, processes, and services is logical rather than physical. In general, this sounds beneficial, since computing resources such as disk space, memory, and CPU capacity are not wasted. However, shared tenancy in a cloud-based virtual environment can introduce new information security risks.
Small companies often do not maintain adequate resources to deal with cyber threats. Additionally, the management and maintenance of a secure and reliable cloud environment may be beyond the capabilities of a small organization. When moving to the cloud, service providers offer varying degrees of support and maintenance, but some security responsibilities will usually still fall on the organization itself. In a common Infrastructure-as-a-Service configuration, the customer is responsible for software and application security, while the service provider maintains secure hardware and operating systems.
Vulnerability Management
Hopefully, the organization has vulnerability management, access controls, incident response processes, and other information security best practices in place for the components it is responsible for. However, consider the situation where a vulnerability exists in a platform or system component over which the organization itself has no control. For example, a service provider may fail to remediate firmware vulnerabilities in a timely manner. Or, even worse, certain vulnerabilities or threats present in other tenancies could affect the security of all systems hosted on that hardware stack. This means that if one tenant is compromised, the data processed and stored in all other tenancies may be at risk.
For example, Intel recently disclosed a hardware-based flaw called the L1 Terminal Fault (L1TF), which exploits an attack vector similar to the well-known Spectre and Meltdown vulnerabilities. This vulnerability has implications for service providers who leverage virtualization technology to support multi-tenant environments. L1TF can be used to bypass traditional virtualization security mechanisms and access data and processes within other virtual machines. Cloud service providers, such as Digital Ocean, use Intel hardware to support virtual environments for client organizations. Because the flaw is in the Intel hardware that Digital Ocean maintains, who is responsible for applying the required updates, and who is responsible if an incident occurs? According to Digital Ocean, the flaw could allow an attacker to view another Droplet's data (a Droplet is a virtual machine hosted by Digital Ocean) from the attacker's own Droplet. By design, Droplets in different tenancies are supposed to be completely segregated. As noted, this vulnerability does not let attackers target Droplets themselves or Digital Ocean users.
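One thing a tenant can verify for itself is the L1TF mitigation state the Linux kernel reports in sysfs; the script below is an added example (not from the original article or from Digital Ocean) that classifies that status string, distinguishing host-only protection from a hypervisor that still shares SMT siblings or skips the L1D flush. It assumes the string formats documented by the kernel; the sample values in the comments are constructed, and inside a guest the file reflects the guest kernel's own view, not the provider's host configuration.

```shell
#!/bin/sh
# Added example: classify the kernel's L1TF status line from
# /sys/devices/system/cpu/vulnerabilities/l1tf.
# Formats follow the kernel's documented strings (sample values constructed):
#   "Not affected"
#   "Vulnerable"
#   "Mitigation: PTE Inversion"
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"
#   "Mitigation: PTE Inversion; VMX: EPT disabled"
# Prints one of: not-affected | vulnerable | host-mitigated |
#                hypervisor-partial | hypervisor-mitigated | unknown
classify_l1tf() {
    status="$1"
    case "$status" in
        "Not affected") echo "not-affected" ;;
        Vulnerable*) echo "vulnerable" ;;
        "Mitigation: PTE Inversion")
            # Page-table inversion protects this kernel's own memory; no VMX
            # section means it is not running guests (or VMX is unavailable).
            echo "host-mitigated" ;;
        "Mitigation: PTE Inversion; VMX: "*)
            vmx="${status#*VMX: }"
            case "$vmx" in
                *vulnerable*)
                    # "VMX: vulnerable" (no L1D flush on VM entry) or
                    # "SMT vulnerable" (guests may share a physical core):
                    # cross-VM leakage remains possible on this host.
                    echo "hypervisor-partial" ;;
                *) echo "hypervisor-mitigated" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

# Read the live value when the sysfs file is present (Linux only).
report_l1tf() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/l1tf}"
    if [ -r "$f" ]; then
        s=$(cat "$f")
        printf '%s -> %s\n' "$s" "$(classify_l1tf "$s")"
    else
        echo "l1tf status file not readable: $f"
    fi
}

report_l1tf
```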
Assigned Security Measures
It is critical to define and agree on security responsibilities at all levels. This includes assigning responsibility for physical security and hardware-based security, as well as firmware, operating system, and software security. Both the service provider and the client organization must understand which controls they are responsible for implementing. These responsibilities may include patching, monitoring, access management, incident response, and configuration management, and they should be codified in a contract or service agreement.
Additional measures can be taken to increase cloud security. As a way to mitigate the risk of L1TF and other vulnerabilities affecting shared tenancies, an organization may require a single-tenancy environment. As one might expect, this often requires additional investment. In this configuration, hardware is dedicated to the organization, so no other tenant's processes or data exist on the machine. Another way to protect data is to encrypt sensitive data at rest in cloud environments. Encryption makes it difficult or impossible for an attacker to decipher stolen data. Finally, due diligence is key when evaluating cloud service providers. Service Organization Control (SOC) reports are a great resource for reviewing the control environment of a cloud service provider. Consider auditing or periodically re-evaluating the performance of service providers to ensure they meet contractual obligations and implement information security best practices. Call OCD Tech today for more information on SOC 2 reports and service provider assurance.