Egregious 11 Meta-Analysis Part 3: Weak Control Plane and DoS

By Victor Chin, Research Analyst, CSA

This is the third blog post in the series where we analyze the security issues in the new iteration of the Top Threats to Cloud Computing report. Each blog post features a security issue that is being perceived as less relevant and one that is being perceived as more relevant.

In this report, we found that traditional cloud security issues, like those stemming from concerns about having third-party providers, are being reported as less relevant. While more nuanced issues specific to cloud environments are being reported as more problematic. With this in mind, we will be examining Denial of Service and Weak Control Plane further.

**Please note that the Top Threats to Cloud Computing reports are not meant to be the definitive list of security issues in the cloud. Rather, the studies are a measure of industry perception of key security issues.

Weak Control Plane

Weak control plane featured at the 8th position in the latest iteration of the Top Threats to Cloud Computing report. A weak cloud control plane refers to when a cloud service does not provide adequate or sufficient security controls to meet the security requirements of the customer. One example of a weak control plane is the lack of two-factor authentication and the ability to enforce its usage. Like the other debuting security issues, a weak control plane is something that a customer might only realize after they have migrated to the cloud.

A key difference between traditional IT and Cloud

A key difference between traditional IT and cloud service applications that might help explain why weak control planes are becoming a problem in cloud services. In traditional IT environments, customer-controlled applications and their security features were designed with the customer as the main user. The application is hosted on the customer’s infrastructure and configured by the customer. The customer has full visibility and control over the application and is thus also responsible for its security. The main role of the IT provider would be to continually provide patches or updates to the application to ensure that bugs and vulnerabilities are fixed.

The situation for cloud services is different because the cloud service is never fully ‘shipped off’ to the customer. The cloud service will always be hosted by the cloud service provider. Hence, they not only have to design a suite of security controls in the cloud service that is useable by their customers. They also have to consider the security mechanism and features that protect the cloud service and the virtual infrastructure that hosts it. Furthermore, due to the nature of cloud services, customers generally cannot use their security tools or technologies to augment the cloud service (i.e. monitoring underlying virtual infrastructure). Both sets of security controls must meet the security, regulatory and compliance requirements of their various customers. With increasingly more enterprises adopting a ‘cloud-first’ policy, cloud service providers are faced with the situation of satisfying various technical security requirements of their many customers. Hence, it is not surprising that some enterprises might find the current security controls inadequate for their business needs.

Fulfilling regulatory and security requirements

To sidestep such issues, prospective customers have to do their due diligence when considering cloud migration. Customers have to ensure that the cloud services they wish to use can fulfill their regulatory and security requirements. Prospective cloud customers can use the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ)[2] to that end. The CAIQ is aligned with the Cloud Controls Matrix (CCM) and helps document what security controls exist in IaaS, PaaS and SaaS offerings, providing security control transparency. Furthermore, after cloud migration, customers should continue to monitor their regulatory and compliance landscape and communicate any changes to the cloud service providers. Having an open communication channel helps ensure that cloud service providers can make timely changes to the cloud service to align with changing customer security, compliance, and regulatory requirements.

Denial of Service

Denial of Service was rated 8th and then 11th in the last two iterations of the Top Threats report. In the latest Egregious 11 report, Denial of Service has dropped off the list. Denial of Service can take many forms. It can refer to a network attack such as a Distributed Denial of Service (DDoS) attack or system failure caused by a system administrator.

Denial of Service (like many other security issues that have dropped off the list), is a security concern stemming from the fact that cloud services are a form of third-party in nature. In the early days of cloud computing, it was natural that enterprises were concerned about service availability when considering cloud migration. These enterprises had valid concerns about the cloud service providers’ network bandwidth as well as their compute and storage capacities. However, over the years, cloud service providers have significantly invested in their infrastructure and now have almost unrivaled bandwidth and processing capabilities. At the same time, cloud service providers have built sophisticated DDoS protection for their customers. For example, Amazon Web Services (AWS) has AWS Shield[3], Microsoft Azure as Azure DDoS Protection[4] and Google Cloud Platform (GCP) has Google Cloud Armor[5].

In spite of all the infrastructure investment and the tools available to help customers mitigate DDoS attacks, other forms of denial of service can still happen. These denial of service incidents are often not malicious but rather occur due to mistakes by the cloud service provider. For example, in May 2019, Microsoft Azure and Office 365 experienced a three-hour outage due to a DNS configuration blunder[6]. Unfortunately, no amount of infrastructure investment or tools can prevent such incidents from happening. Customers have to realize that by migrating to the cloud, they are relishing full control of certain aspects of their IT. They have to trust that the cloud service provider has put in place the necessary precautions to reduce, as much as possible, the occurrence of such incidents.

______________________________________________________________________________

[1] https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven

[2] https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/

[3] https://aws.amazon.com/shield/

[4] https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview

[5] https://cloud.google.com/armor/