Egregious 11 Meta-Analysis Part 2: Virtualizing Visibility
By Victor Chin, Research Analyst, CSA
This is the second blog post in the series where we analyze the security issues in the new iteration of the Top Threats to Cloud Computing report. Each blog post features a security issue that is being perceived as less relevant and one that is being perceived as more relevant.
In this report, we found that traditional cloud security issues stemming from concerns about having a third-party provider are being perceived as less relevant. While more nuanced issues specific to cloud environments are being perceived as more problematic. With this in mind, we will be examining Shared Technology Vulnerabilities and Limited Cloud Usage Visibility further.
**Please note that the Top Threats to Cloud Computing reports are not meant to be the definitive list of security issues in the cloud. Rather, the studies measures what industry experts perceive the key security issues to be.
Shared Technology Vulnerabilities
Shared Technology Vulnerabilities generally refers to vulnerabilities in the virtual infrastructure where resources are shared amongst tenants. Over the years, there have been several vulnerabilities of that nature with the most prominent being the VENOM (CVE-2015-3456) vulnerability that was disclosed in 2015. Shared Technology Vulnerabilities used to be high up on the list of problematic issues. For example, in the first two iterations of the report, Shared Technology Vulnerabilities were rated at 9th and 12th. In the latest iteration of the report, it has dropped off entirely and is no longer perceived by as relevant. It had a score of 6.27 (our cutoff was 7 and above) and ranked 16 out of the 20 security issues surveyed.
Virtualization itself is not a new cloud technology, and its benefits are well known. Organizations have been using virtualization technology for many years as it helps to increase organizational IT agility, flexibility, and scalability while generating cost savings. For example, organizations would only have to procure and maintain one physical asset. That physical IT asset is then virtualized so that its resources are shared across the organization. As the organization owns and manages the entire IT stack, it also has visibility and control over the virtualization technology.
In cloud environments, the situation is markedly different. Virtualization technology (like hypervisors) is generally considered underlying technology that is owned and managed by the cloud service provider. Consequently, the cloud customer has limited access or visibility into the virtualization layer.
For example, the figure on the right is an architectural representation of the three cloud service models. Underlying technology in an Infrastructure-as-a-Service (IaaS) service model refers to APIs (blue) and anything else below it. Those components are under the control and management of the CSP. At the same time, anything above the APIs (blue) is under the control and management of the cloud customer. For Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), underlying technology refers to anything underneath Integration & Middleware and Presentation Modality and Presentation Platform, respectively.
Naturally, in the early days of cloud computing, such vulnerabilities were a significant concern for customers. Not only did they have limited access and visibility into the virtualization layer, but the cloud services were also all multi-tenant systems which contained the data and services of other customers of the CSPs.
Over time, it seems like the industry has grown to trust the cloud service providers when it comes to Shared Technology Vulnerabilities. Cloud adoption is at its highest with many organizations adopting a ‘Cloud First’ policy. However, there is still no industry standard or existing framework that formalizes vulnerability notifications for CSPs, even when a vulnerability is found in the underlying cloud infrastructure. For example, when there is a vulnerability disclosure for a particular hypervisor, (e.g. XEN) an affected CSP does not have to provide any information to its customers. For more information on this issue, please read my other blogpost on cloud vulnerabilities.
That said, it is of note that many recent cloud breaches are the result of misconfigurations by cloud customers. For example, in 2017, Accenture left at least four Amazon S3 buckets set to public and exposed mission-critical infrastructure data. As cloud services developed, the major CSPs have, for the most part, provided sufficient security controls to enable cloud customers to properly configure their environments.
Nevertheless, virtualization technology is a critical component to any cloud service, and vulnerabilities in the virtualization layer can have severe consequences. Cloud customers must remain vigilant when it comes to Shared Technology Vulnerabilities.
Limited Cloud Usage Visibility
In the latest Top Threats to Cloud Computing report, Limited Cloud Usage Visibility made its debut in the 10th position.
Limited Cloud Usage Visibility refers to when organizations experience a significant reduction in visibility over their information technology stack. This is due to two main factors. Firstly, unlike in traditional IT environments, the enterprise does not own or manage the underlying cloud IT infrastructure. Consequently, they are not able to fully implement security controls or monitoring tools with as much depth and autonomy as they did with a traditional IT stack. Instead, cloud customers often have to rely on logs provided to them by the cloud providers. Sometimes, these logs are not as detailed as the customer would like it to be.
Secondly, cloud services are highly accessible. They can generally be accessed from the public internet and do not have to go through a company VPN or gateway. Hence, the effectiveness of some traditional enterprise security tools is reduced. For instance, network traffic monitoring and perimeter firewalls are not as effective as they cannot capture network traffic to cloud services that originate outside the organization. For many organizations, such monitoring capabilities are becoming more critical as they begin to host business-critical data and services in the cloud.
To alleviate the issue, enterprises can start using more cloud-aware technology or services to provide more visibility and control of the cloud environment. However, most of the time, the level of control and granularity cannot match that of a traditional IT environment. This lack of visibility and control is something that enterprises moving to the cloud have to get used to. There will be some level of risk associated to it, and it is a risk that they have to accept or work around. Organizations that are not prepared for this lack of visibility in the cloud might end up not applying the proper mitigations. That or they will find themselves unable to fully realize the cost savings of a cloud migration.
Continue reading the series…
Read our next blog post in this series analyzing the overarching trend of cloud security issues highlighted in the Top Threats to Cloud Computing: Egregious 11 report. We will take a look at Weak Control Plane and Denial of Service.