Take a data-centric approach to securing information in the cloud to protect against the risks of privileged users
- 20 June, 2013 16:40
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Privileged users such as system, network and domain administrators can pose a significant threat to mission-critical systems or ones holding highly sensitive data. The consequences of a service disruption or stolen confidential information can be severe enough to ruin a business: revocation of certifications, loss of critical intellectual property, and the fallout from a mandatory data breach disclosure.
To prevent such consequences, organizations have put in place controls to manage the risk associated with these types of threats in their on-premises environments, but as they embrace new cloud solutions, these same enterprises open themselves up to significant new risks and attack vectors.
An organization's ability to meet compliance requirements and protect sensitive data by thwarting advanced persistent threats, malicious insiders and other attacks becomes more complex in the cloud because it's a multi-tenant environment run by a third-party organization that may -- or may not -- have the proper data security safeguards in place. Enterprises need the ability to maintain the same, if not better, control over sensitive data in the cloud as they do in traditional on-premises environments. Essentially, they need to be able to establish trust in an untrusted environment.
Once a system is up and running, privileged users typically have complete access to everything on it; this is a fundamental risk with every cloud service provider, just as it is on-premises. Cloud environments add a further class of privileged user: the provider's own cloud administrators, who have access to hosted data and systems in order to maintain and support the environment, and who therefore represent a new source of risk to enterprise customers.
To mitigate the risks of these privileged users, enterprises must embrace separation of duties and deploy controls that restrict privileged users' access to data. That is how an organization lets users and applications see sensitive data according to policy while shielding that information from the administrators who manage the infrastructure and systems.
By way of example, take a spreadsheet with sensitive financial numbers that now lives in the cloud. The CFO should clearly have access to the data, but a system administrator with root access to the system holding the spreadsheet should not. The sys admin should be able to copy or back up the spreadsheet, but should never be able to see the financial data in the clear.
If a rogue administrator, or an APT malware component that has obtained root access (one of the most common steps in an APT intrusion), is present in the cloud environment, the best way to protect the financial data in that spreadsheet is to reduce the attack surface: encrypt the file, enforce fine-grained access controls on it, and audit and report every attempt to access it.
The rogue administrator or APT might then still perform system management operations and even alter permissions on the local operating system, but would never gain access to the sensitive data. To privileged users, the spreadsheet is visible only as an opaque block of ciphertext, because the access policy never releases the decryption key to them. This holds only as long as the keys themselves are held and released by a component outside the administrator's control rather than stored on the host being administered.
Now, taking a data-centric security approach to locking down data doesn't completely stop the bad guys; one attack vector that would work in this instance is to compromise the CFO's account. But, with detailed reporting of access attempts to protected information, and pattern recognition based on typical access profiles, abnormal use by that CFO could also be highlighted, and the CFO could be alerted that his/her account might have been compromised.
The combination of access controls, encrypted data and a record of every data access attempt, in effect a data firewall, dramatically reduces the attack surface available to hackers, insiders and thieves.
Firewalling data in this data-centric way not only reduces the attack surface, it also lets the data move freely across multiple untrusted environments. Structured and unstructured data (databases and files) that is protected on-premises can move to the cloud without depending on transport security such as SSL for its confidentiality, since the payload carries its own protection profile with it; transport encryption remains worthwhile for metadata and the control channel, but the data no longer relies on it.
Administrators can copy and move the data files, but not decrypt them. Since the data can be viewed only after an authorized user has authenticated, the payload can continue to move through a cloud environment, and even across to other cloud environments, and remain secured. To keep data protected wherever it lives, the controls must be tied back to a defined set of individuals within the organization. This has a useful implication for data destruction: if access is revoked from all enterprise users by changing policy and deleting the keys, every copy of that data, wherever it lives, is rendered inaccessible and useless (often called crypto-shredding). That guarantee is only as good as the key deletion, so no copy of the key may survive in key-manager backups or escrow.
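The spreadsheet scenario above, the compromised-CFO detection, and the key destruction just described, as one runnable illustration (an added example, not code from the original article and not Vormetric's product): a hypothetical `DataGuard` policy enforcement point holds the per-file keys and the access policy; `root` on the storage host can copy the encrypted file byte for byte but is refused decryption, a one-bit change to the ciphertext is caught by the integrity tag, a burst of reads from the CFO's account is flagged from the audit trail, and deleting the key renders the backup copy useless. The file name, the user ids and the spreadsheet contents are constructed; the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-library stand-in chosen so the example runs without extra packages, where a production system would use AES-GCM or similar.

```python
import hashlib
import hmac
import os

SPREADSHEET = b"Q3 revenue,41.2M\nQ3 net income,3.7M\n"   # constructed sample, not real figures


def _subkey(key, label):
    # Derive separate encryption and MAC keys from one per-file data key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib-only stand-in for AES-GCM.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag   # what root sees on disk: nonce || ciphertext || tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class DataGuard:
    """Hypothetical policy enforcement point holding the data keys (in practice a key
    manager outside the cloud host), so root on the storage host cannot decrypt."""

    def __init__(self):
        self._keys = {}     # data_id -> key, or None once shredded
        self._policy = {}   # data_id -> set of user ids allowed to decrypt
        self.audit = []     # every access attempt, allowed or denied

    def protect(self, data_id, plaintext, authorized_users):
        self._keys[data_id] = os.urandom(32)
        self._policy[data_id] = set(authorized_users)
        return encrypt(self._keys[data_id], plaintext)

    def read(self, user, data_id, blob, ts):
        allowed = user in self._policy.get(data_id, ()) and self._keys.get(data_id) is not None
        self.audit.append({"ts": ts, "user": user, "data_id": data_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not decrypt {data_id}")
        return decrypt(self._keys[data_id], blob)

    def shred(self, data_id):
        # Crypto-shredding: with the key gone, every copy of the blob anywhere is useless.
        self._keys[data_id] = None

    def accesses_over_rate(self, user, window_seconds, threshold):
        # True if the user's successful reads in any sliding window exceed the threshold.
        times = sorted(e["ts"] for e in self.audit if e["user"] == user and e["allowed"])
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                return True
        return False


def run_demo():
    guard = DataGuard()
    blob = guard.protect("finance/q3.xlsx", SPREADSHEET, authorized_users={"cfo"})
    r = {"cfo_plaintext": guard.read("cfo", "finance/q3.xlsx", blob, ts=0)}
    backup = bytes(blob)   # root's byte-for-byte backup copy: still a valid ciphertext
    r["backup_identical"] = backup == blob and b"revenue" not in backup
    try:
        guard.read("root", "finance/q3.xlsx", backup, ts=1)
        r["root_denied"] = False
    except PermissionError:
        r["root_denied"] = True
    tampered = backup[:20] + bytes([backup[20] ^ 1]) + backup[21:]   # root flips one bit
    try:
        guard.read("cfo", "finance/q3.xlsx", tampered, ts=2)
        r["tamper_detected"] = False
    except ValueError:
        r["tamper_detected"] = True
    for i in range(30):   # a hijacked CFO account pulling the file in bulk
        guard.read("cfo", "finance/q3.xlsx", blob, ts=100 + i)
    r["cfo_flagged"] = guard.accesses_over_rate("cfo", window_seconds=60, threshold=10)
    guard.shred("finance/q3.xlsx")   # revoke everyone by destroying the key
    try:
        guard.read("cfo", "finance/q3.xlsx", backup, ts=200)
        r["shredded"] = False
    except PermissionError:
        r["shredded"] = True
    return r
```

Call `run_demo()`; every flag in the returned dictionary should be true and `cfo_plaintext` should equal the original bytes. The design point is where the key lives: the guard is not on the host that stores the file, so root on that host gains nothing from its privileges, and every attempt, including the refused ones, lands in `guard.audit` for the kind of rate and pattern analysis the article goes on to describe.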
In multi-tenant environments, both cloud service providers and enterprises have the absolute requirement that commingled data only be accessible by the organization that owns that data. Given this, another significant benefit of data-centric security in the cloud is the protection it provides against risks of rogue applications crossing the security boundaries defined by cloud providers and the underlying hypervisor technologies. Even if a rogue application is able to cross boundaries, by allowing only specific authorized users to access sensitive data the attack surface can be reduced.
Another common attack vector in the cloud is through a privileged user attempting to view memory and information for another virtual machine running in the same cloud environment. While it may not be possible to completely prevent such occurrences, it is possible to significantly reduce the likelihood of data being compromised by reducing the attack surface and limiting which applications and users can see the data.
Gathering security intelligence is also crucial for any organization embracing cloud technologies because it is important to understand which users and applications are accessing sensitive data. Attempted access by unauthorized users, access location, time of day, and even the rate at which data is being retrieved can prove critical to understanding whether an enterprise is under attack or has already been breached.
If audit information from a series of events points to the presence of an APT or unusual activity suggests the risk of a breach, the organization in question may want to temporarily tighten the controls around its sensitive data. Examples of tightened controls include restricting access to the data in question to a much smaller subset of users and increasing the amount of auditing being performed.
While taking such measures could have an impact on business operations, preventing privileged root users from stealing sensitive data and locking out previously authorized users who may have been compromised can dramatically reduce an enterprise's attack surface and an attacker's chance of success. As with every business decision, a cost-benefit analysis makes sense, but it is important to have the option to lock down data by tightly controlling access.
In summary, there are five key benefits to taking a data-centric approach to securing sensitive information in the cloud:
- Prevent privileged users such as root from viewing sensitive data
- Enable the data to move safely across multiple on-premises and cloud environments while still maintaining its protection profile
- Be able to easily destroy data, even if protected copies live in the cloud
- Ensure that data is protected from malicious users and APTs attempting to steal information by crossing security boundaries in multi-tenant cloud environments
- Identify when an APT may be present so you can quickly take the necessary steps to tighten security
Cloud security continues to be a growing issue as more enterprises look to the cloud for cost savings and the ability to create entirely new business models. Given that cloud service providers are a prime target for cyberattacks, enterprises wanting to embrace the cloud but also protect what matters must take a data-centric security approach, protecting their sensitive data from the inside out.
Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps enterprise customers and government agencies protect what matters -- their sensitive data -- from both internal and external threats. In a world of Advanced Persistent Threats (APTs), Vormetric's market-leading privileged user access controls and security intelligence are invaluable. For more information, visit www.vormetric.com.