Cloud Security: Keeping Those Keys Safe

Cloud security: Keeping those keys safe

Jack Murgia, from Cloud Controllers, sent me an interesting query last week: “How does LabSlice ensure that the Amazon Web Services (AWS) Access Keys remain secure within the application?”

This is a great question, as the AWS Access Keys are the keys to the house for any business using the Amazon Web Services cloud. It’s true that our application stores more keys than most (we provide an AWS management service that utilizes our customers’ keys), but you will more than likely find keys used within your application, whether to upload files to cloud storage (S3) or within scripts that are launched by your application.

In fact, any cloud service provided by any vendor will ultimately involve some sort of key, certificate or credential authentication to give the application access to various cloud resources. So extend these ideas to the cloud of your choice…

We secure our cloud platform by:

  • Leveraging the inbuilt security controls of our development platform: In our case we use the ASP.NET Membership Services to manage application authentication and password storage, declarative security to limit access to sensitive parts of the application (eg. those that utilize AWS keys) and page security definitions to ensure that only particular users have access to particular pages. None of these controls are specific to the cloud, but security at home starts by making sure you have locked your doors and closed your windows.
  • Storing sensitive attributes in encrypted format on disk: Storing the AWS keys in encrypted format protects them from systems administrators and other management folk that may need to get console access to our application. It also ensures that the keys remain secure when nightly backups are taken and shipped to S3.
  • Running all key transactions over HTTPS, not just the login page: This seems to be a new trend in security (likely due to FireSheep) and we decided to adopt it as well. It’s a useful additional control to protect those AWS transactions that are run under the context of our customers’ AWS Access Keys.

But this is about cloud security…

Notice that the security controls we use have little to do with cloud computing. So is there anything cloud-related that we do to improve security? Turns out there is. I have come across three useful controls that are very cloud specific and that both us and our customers are implementing:

1.             Termination protection: This is a feature of the Amazon cloud that blocks APIs from terminating a machine. It’s somewhat of an operations control, to stop your administrator from mindlessly terminating a production machine. But it’s also a useful security control in case your Access Keys somehow leak out, or maybe to protect yourself against a malicious employee days before their own termination.

2.             Access Key permissions: By default most keys used in the cloud give global access to everything. As cloud vendors mature, so do the restrictions on these keys. If you’re using keys for limited activities (say, to upload files to S3) then it’s a good idea to restrict permissions solely to those activities. Our customers also limit the AWS Access Key permissions of the keys they use on our system. For example, Cloud Controller’s policy (see below) specifically forbids the ability to take snapshots, which is a good way to reduce their attack surface whilst using our system.

3.             Network access: Again, a specific control to Amazon, which can be mapped to your favorite provider. If you’re using Amazon then you would naturally want to use their Security Groups (firewall) to block public access to your RDP and SSH interfaces.

Notice the difference?

Whilst cloud does has its security controls, the vast majority of our efforts go into implementing and maintaining security using familiar techniques that have nothing to do with cloud computing. If you’re using the cloud then forget about cloud security. Go back to basics and learn about CIA and follow the OWASP Top 10 guide. Whilst cloud has valid security concerns, the vast majority of security compromises in the cloud will still end up due to a failure with the basics: Poor access control, vulnerability to command injection (eg. SQL) and inadequate logging and monitoring.

 

By Simon Ellis

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Cloud-Enabled Managed Hosting: 5 Things A Cloud Provider Should Offer

Cloud-Enabled Managed Hosting: 5 Things A Cloud Provider Should Offer

Cloud-Enabled Managed Hosting The IT industry moves at light speed fueled by constant change and advancement. No area of IT has been affected more by this change than the hosting and managed service space. Advancement in the cloud and its delivery models of IaaS and SaaS have caused a monumental shift in the way IT…

Hoarders And Data Collectors:  On The Brink Of Unmanageability

Hoarders And Data Collectors: On The Brink Of Unmanageability

Hoarders and Data Collectors In our physical world, hoarders are deemed “out of control” when they collect too much.  Surely the same analogy applies in our online world.  When providers collect realms of data from us, it seems they lose control of that too?  In the last months it’s not just the frequency of data…

Global Cloud Development An Open Question

Global Cloud Development An Open Question

Global Cloud Development Statistics and projections from Cisco’s Global Cloud Index show that the world’s data centers are already processing 4.7 zettabytes (4.7 million petabytes) per year. Cisco research says this amount will continue to grow by 23% annually for the next few years. (Inforgraphic Source: https://visual.ly/how-much-petabyte) If we project these numbers over the next 25…

The Cloud Showdown: How To Determine The Best Cloud Solution For Your Business

The Cloud Showdown: How To Determine The Best Cloud Solution For Your Business

The Cloud Showdown For small and medium businesses (SMB) seeking to grow in 2016, options for increasing efficiency abound. The Cloud offers many benefits for businesses, including slashing IT expenses, providing a more efficient and reliable way to store and back up data, and facilitating collaboration among employees. In fact, 39 percent of SMBs claim…

The Concept Of Securing IoT To Secure Your Building

The Concept Of Securing IoT To Secure Your Building

Securing IoT Ah, security. It is the dulcet tone of a symphony that we play over and over in the IT world. IoT (Internet of Things) and the myriad of connected devices allow us some intriguing security options. For example, in a mesh array of sensors, you could effectively force users to correctly identify themselves…

Carve Outs And The Cloud: A Synergistic Coupling

Carve Outs And The Cloud: A Synergistic Coupling

Carve Outs and the Cloud The mergers and acquisitions market is a complex and challenging industry and the last two years has seen a rise in the number of transactions. Working with companies in this space over the last 10 years, we at RKON have seen and hopefully helped change the mindset of private equity…

Cloud Email Marketing Services vs. Transactional Email Services

Cloud Email Marketing Services vs. Transactional Email Services

Cloud Based Email Marketing Services Every business can benefit from successful implementation of email marketing strategies, but the variety of SaaS on the market can be a little overwhelming at times. Whether you’re interested in learning more about email marketing or hoping to clear up any confusion surrounding transactional email, a little research into these…

CloudTweaks is recognized as one of the leading influencers in cloud computing, infosec, big data and the internet of things (IoT) information. Our goal is to continue to build our growing information portal by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

Advertising