Cloud Security: Keeping Those Keys Safe

Advertise on CloudTweaks

Cloud security: Keeping those keys safe

Jack Murgia, from Cloud Controllers, sent me an interesting query last week: “How does LabSlice ensure that the Amazon Web Services (AWS) Access Keys remain secure within the application?”

This is a great question, as the AWS Access Keys are the keys to the house for any business using the Amazon Web Services cloud. It’s true that our application stores more keys than most (we provide an AWS management service that utilizes our customers’ keys), but you will more than likely find keys used within your application, whether to upload files to cloud storage (S3) or within scripts that are launched by your application.

In fact, any cloud service provided by any vendor will ultimately involve some sort of key, certificate or credential authentication to give the application access to various cloud resources. So extend these ideas to the cloud of your choice…

We secure our cloud platform by:

  • Leveraging the inbuilt security controls of our development platform: In our case we use the ASP.NET Membership Services to manage application authentication and password storage, declarative security to limit access to sensitive parts of the application (eg. those that utilize AWS keys) and page security definitions to ensure that only particular users have access to particular pages. None of these controls are specific to the cloud, but security at home starts by making sure you have locked your doors and closed your windows.
  • Storing sensitive attributes in encrypted format on disk: Storing the AWS keys in encrypted format protects them from systems administrators and other management folk that may need to get console access to our application. It also ensures that the keys remain secure when nightly backups are taken and shipped to S3.
  • Running all key transactions over HTTPS, not just the login page: This seems to be a new trend in security (likely due to FireSheep) and we decided to adopt it as well. It’s a useful additional control to protect those AWS transactions that are run under the context of our customers’ AWS Access Keys.

But this is about cloud security…

Notice that the security controls we use have little to do with cloud computing. So is there anything cloud-related that we do to improve security? Turns out there is. I have come across three useful controls that are very cloud specific and that both us and our customers are implementing:

1.             Termination protection: This is a feature of the Amazon cloud that blocks APIs from terminating a machine. It’s somewhat of an operations control, to stop your administrator from mindlessly terminating a production machine. But it’s also a useful security control in case your Access Keys somehow leak out, or maybe to protect yourself against a malicious employee days before their own termination.

2.             Access Key permissions: By default most keys used in the cloud give global access to everything. As cloud vendors mature, so do the restrictions on these keys. If you’re using keys for limited activities (say, to upload files to S3) then it’s a good idea to restrict permissions solely to those activities. Our customers also limit the AWS Access Key permissions of the keys they use on our system. For example, Cloud Controller’s policy (see below) specifically forbids the ability to take snapshots, which is a good way to reduce their attack surface whilst using our system.

3.             Network access: Again, a specific control to Amazon, which can be mapped to your favorite provider. If you’re using Amazon then you would naturally want to use their Security Groups (firewall) to block public access to your RDP and SSH interfaces.

Notice the difference?

Whilst cloud does has its security controls, the vast majority of our efforts go into implementing and maintaining security using familiar techniques that have nothing to do with cloud computing. If you’re using the cloud then forget about cloud security. Go back to basics and learn about CIA and follow the OWASP Top 10 guide. Whilst cloud has valid security concerns, the vast majority of security compromises in the cloud will still end up due to a failure with the basics: Poor access control, vulnerability to command injection (eg. SQL) and inadequate logging and monitoring.

 

By Simon Ellis

CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in cloud connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as technology related infographics and comics.

Contact us for more information on how to get involved in our content related services and placement programs.

CONTRIBUTORS

Beacons Flopped, But They’re About to Flourish in the Future

Beacons Flopped, But They’re About to Flourish in the Future

Cloud Beacons Flying High When Apple debuted cloud beacons in 2013, analysts predicted 250 million devices capable of serving as ...
A Ray of Digital Sunshine During a Hurricane Portends Big Changes in One of the World’s Largest Industries

A Ray of Digital Sunshine During a Hurricane Portends Big Changes in One of the World’s Largest Industries

A Ray of Digital Sunshine Here’s something that will bring a smile: As hurricane Irma was about to slam into ...
Security and the Potential of 2 Billion Device Failures

Security and the Potential of 2 Billion Device Failures

IoT Device Failures I have, over the past three years, posted a number of Internet of Things (and the broader ...
Safeguarding Data Before Disaster Strikes

Safeguarding Data Before Disaster Strikes

Safeguarding Data  Online data backup is one of the best methods for businesses of all sizes to replicate their data ...
Want To Save The Planet And Be Green? Then Go Cloud!

Want To Save The Planet And Be Green? Then Go Cloud!

Going Green Data Centers (DC’s) – they are hungry beasts. Ten years ago the EPA estimated that DC’s consumed 61 ...
2017 Brings DLP Technology and IoT's Weaknesses to Light

2017 Brings DLP Technology and IoT’s Weaknesses to Light

DLP Technology In regards to data loss prevention (DLP), in the last five years many companies rushed to implement DLP ...
Why a White Label Cloud for Emerging Economies

Why a White Label Cloud for Emerging Economies

White Label Cloud  Given our starting point, one of the inquiries we field every now and then is: ‘why did ...
The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” ...

NEWS

New IDC Spending Guide Forecasts Nearly $120 Billion in Worldwide Spending on Security Products and Services in 2021

New IDC Spending Guide Forecasts Nearly $120 Billion in Worldwide Spending on Security Products and Services in 2021

FRAMINGHAM, Mass., October 19, 2017 – Worldwide spending on security-related hardware, software, and services is forecast to reach $119.9 billion in ...
Cisco Unveils Industry's First Predictive Services Powered by AI

Cisco Unveils Industry’s First Predictive Services Powered by AI

New offerings designed to manage growing technical skills gap through unique expertise, intelligence and automation SAN JOSE, CA--(Marketwired - Oct ...
Treacherous 12: Top Threats to Cloud Computing + Industry Insights

Treacherous 12: Top Threats to Cloud Computing + Industry Insights

Top Threats to Cloud Computing SEATTLE, Oct. 20, 2017 /PRNewswire/ -- The Cloud Security Alliance (CSA), the world's leading organization dedicated to defining ...

NEWSLETTER SUBSCRIBE

CloudTweaks has been a prominent influence covering cloud technologies since 2009. We have worked and continue to work with a tremendous number of writers, contributors and partners throughout the world – all of whom provide insights into the cloud business community. This information is provided to our Newsletter subscribers on a weekly basis - free of charge.

Subscribe to receive our weekly collection of Best of Thought leadership, Technology news, Tweaks, Curated resource links, Exclusive promotions and our popular Comic series.

Something went wrong. Please check your entries and try again.