A lesson in Causality (cause and effect)

10 08 2011

These riots are a lesson in causality (cause and effect). We are a nation that wants great things for our country but isn’t selfless enough to make them happen.

As people we want everything for the least effort possible; this is what the unions fought for, and this is what the unions got. For 30 years our country has moved British livelihoods to China, Malaysia, Taiwan and India because we wanted our pound to go further on our high streets; this is just as much a fact as greedy fat cats wanting bigger profits by outsourcing jobs.

Now these countries are loaning back the very same money WE GAVE THEM! So, if you want someone to blame for the downward spiral of our society, which you think is the cause of these riots, don’t blame Thatcher, the unions, Tony Blair, Gordon Brown, David ‘Dave’ Cameron, don’t even blame these “youth scum”… We must blame ourselves… and Jeremy Kyle.





Pitfalls of Corporate Cloud Storage

5 08 2011

With cloud storage services gaining momentum, it’s becoming clear that cloud storage is fast becoming an integral subsystem of our IT infrastructure, whether as online/offsite file storage or as part of web services.

But there is a fundamental pitfall in securing cloud-based services: they primarily focus on making data accessible via the internet with user-level authentication, and do little validation of where authentication requests are coming from.

As any security consultant will tell you, security is primarily about reducing the risk of security violations and identifying them when they happen. The more security measures you put in place, the lower the risk of your security and data being compromised. You will never be 100% guaranteed secure, but if you make your infrastructure and systems secure enough, attempting to defeat the security measures becomes too costly and time-consuming to bother with, which reduces the risk.

Cloud-based services like iCloud, Amazon S3 and Dropbox employ user-level authentication to gain access to data, and device-level authentication to authenticate requests to distribute it. That is adequate for non-commercial cloud storage in home and mobile computing, but corporate computing requires an additional layer of security that limits where and from what all of these authentication methods can be used, with overall control given to corporate IT departments. By this I mean IP-address and geographical restrictions on authentication, as well as integration with existing corporate authentication methods.

Corporations often have security policies in place for securing their corporate data and network, and adding additional third-party authentication methods to existing policies may not be practical or possible. Corporations also invest heavily in location-based authentication to secure their data, particularly over Wide Area Networks (WANs) and Virtual Private Networks (VPNs), where access to data is restricted and authenticated at both user and device level (often with certificates) but, more importantly, only from within their own network.

It’s clear corporations want to make their data more easily accessible within their organisation, but CTOs and CSOs are reluctant to use cloud-based services given that user and device authentication could be compromised from anywhere in the world. Services like Dropbox only employ device authentication on mobile devices, not on their web portal, so all an attacker needs in order to access corporate data is an authorised username and password, and they are granted full access to read, write or delete anything stored on that service. For Dropbox this in effect means their device-level authentication is pointless: all an attacker needs to do is obtain credentials captured by a keylogger and, hey presto, they have full access via a web browser to your corporate data.

Coming back to risk: generally speaking, your corporate data is most likely to be compromised by a disgruntled employee or by someone from the outside entirely, usually not even in the same country.

It seems prudent to me that corporate users of cloud services should have the ability, firstly, to separate the management portal from the data it manages and allow only enrolled devices to read, write or delete corporate data, and secondly, to integrate their internal/external network directly into their provisioned cloud service. For example, a corporation could delegate a DNS zone to the cloud service and define its own access policy there, restricting authentication at the TCP/IP level so that user/device authentication isn’t even possible unless the request matches an IP address access list, an approved IP geolocation or an approved set of IP providers (selected ISPs). (Amazon S3 bucket policies can already be conditioned on the request’s source IP address, which is the shape of control I have in mind.)

It would also be feasible for user credentials for cloud services to be authenticated against corporate infrastructure, perhaps with the cloud service negotiating authentication over LDAP with a corporation’s Active Directory and then generating a cacheable token which it uses to authenticate subsequent requests until the token expires. It’s probably not good practice to rely on user authentication built by the cloud provider for large-scale corporate infrastructures using cloud services, particularly with many users, as logistically it may not be practical for IT management; for example, when staff are dismissed, a person’s corporate credentials may be disabled on the network but not on the cloud service. The cached token should therefore be short-lived, and the service should re-check the directory before honouring it, otherwise the token outlives the account.
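As an added example (not code from this post, and not any provider’s API), the following Python sketch implements the two controls argued for in the previous two paragraphs in one place: a network access policy that is evaluated before any credential is looked at, and authentication delegated to the corporate directory, producing a short-lived, source-address-bound token that is re-checked against the directory on every use so that disabling an account in the directory also ends cloud access. The in-memory directory, the address ranges, the secret and the token format are all constructed for the example.

```python
"""Added example: a corporation-controlled access layer in front of a cloud storage API.

  1. a network policy (CIDR allowlist) evaluated before any credential is examined, and
  2. authentication delegated to the corporate directory, returning a short-lived HMAC-signed
     token bound to the caller's source address and re-checked against the directory on every
     use, so disabling the account in the directory also ends cloud access.

DIRECTORY, the address ranges, SERVER_SECRET and the token format are constructed for this
example; nothing here is a real provider or directory API.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed stand-in for the corporate directory (e.g. Active Directory reached over LDAP).
# A real directory would perform the password check itself; the bare SHA-256 is only here so
# that the example runs stand-alone.
DIRECTORY = {
    "alice": {"pw_sha256": hashlib.sha256(b"correct horse").hexdigest(), "enabled": True},
    "bob":   {"pw_sha256": hashlib.sha256(b"staple battery").hexdigest(), "enabled": False},
}

# Corporate access policy: only these source networks may even attempt authentication.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

SERVER_SECRET = b"constructed-example-secret"  # would live in an HSM/KMS, never in source
TOKEN_TTL = 900  # seconds; kept short so a disabled account is not honoured for long


def network_permitted(src_ip):
    """Stage 1: TCP/IP-level gate, evaluated before any credential is looked at."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(user, password, src_ip, now=None):
    """Stage 2: authenticate against the directory; return a signed token or None."""
    now = int(time.time() if now is None else now)
    if not network_permitted(src_ip):
        return None  # requests from outside the policy never reach the directory
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"]:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(digest, entry["pw_sha256"]):
        return None
    claims = {"sub": user, "exp": now + TOKEN_TTL, "ip": src_ip}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_token(token, src_ip, now=None):
    """Check network policy, signature, expiry and address binding, then re-check the
    directory so a token cannot outlive a disabled account. Returns the username or None."""
    now = int(time.time() if now is None else now)
    if not network_permitted(src_ip):
        return None
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None  # malformed token
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # tampered or forged
    claims = json.loads(payload)
    if claims["exp"] <= now or claims["ip"] != src_ip:
        return None  # expired, or replayed from a different source address
    entry = DIRECTORY.get(claims["sub"])
    if entry is None or not entry["enabled"]:
        return None  # account disabled in the directory since the token was issued
    return claims["sub"]


def disable_account(user):
    """What IT does on dismissal: one change in the directory, not one per cloud service."""
    DIRECTORY[user]["enabled"] = False


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse", "203.0.113.10")
    print("inside policy, valid token:", verify_token(tok, "203.0.113.10"))
    print("same token from another address:", verify_token(tok, "198.51.100.5"))
    print("login attempt from outside policy:", issue_token("alice", "correct horse", "8.8.8.8"))
```

The point of the design is the ordering: the source address is checked before the directory is ever consulted, so credential stuffing from outside the permitted ranges never produces a bind against Active Directory, and the directory remains the single place an account is switched off.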

Now this additional layer of security is by no means perfect. You could say that spoofing an IP address could potentially be used to bypass this additional layer of authentication (in practice, because the service runs over TCP, an attacker cannot complete the handshake from a spoofed source address, so the realistic bypass is a compromised machine inside the permitted range or an attacker sharing the corporation’s ISP or NAT gateway). But surely it should be down to the corporation what level of exposure it accepts on its services, and narrowing the scope of vulnerability with an additional security layer is certainly better than having no layer that the corporation controls. The more restrictive this security layer, the more effort an attacker has to put in to gain access, which in my book reduces the chances and risk of your data being compromised.

From a liability point of view, it could also help cloud service providers limit their SLA liability where a breach results from a corporate security policy that was not configured to reduce risk beyond what the service provides by default.
