Everyone and his IT guy has been feverish over the cloud over the last several years. It’s been great for remote work, easy file access, secure backups, and many other applications. You can share files easily with your coworkers, and all of your company data can be stored in the same place. Even Microsoft Office applications are largely cloud-based. However, in all the excitement, have you been keeping an eye on your cloud data protection?
Supply Chain Vulnerabilities and the Cloud
Cloud infrastructure is great for keeping an off-site backup, for example. However, do you know how secure your cloud provider’s servers are? If their security fails during an attack, do you know what will happen to your data? When you use a cloud service as part of your company’s infrastructure, you are depending on that Cloud Service Provider (CSP) to prioritize their security and keep their infrastructure protected. Under the usual shared responsibility model the provider secures the platform and you secure what you build on it, but anything you build inherits whatever weaknesses the platform has.
You might feel a bit less confident in your CSP when you realize that most cloud platforms are themselves built from third-party components, a large share of them open source. Open-source code is not inherently less secure than proprietary code, but every dependency the provider pulls in is code the provider did not write and may not review or patch promptly. A vulnerability in one of those components becomes a vulnerability in the provider’s own control plane, and therefore in every service built on it.
Add users’ security hygiene (which, realistically, is often quite bad) and you’ve got a host of issues. Weak passwords, reused credentials and phishing create additional attack vectors, and with a widely cited figure attributing roughly 95% of security incidents to human error, things are not looking up in the security department.
Obviously, this isn’t going to work long-term. All of these factors contribute to supply chain risk, in which malicious code inserted into a component used by your CSP is distributed to every client of the CSP, including you. Here’s a recent near miss.
Inside the IBM Cloud Vulnerability
In late 2022, researchers at Wiz disclosed a vulnerability chain in IBM Cloud Databases for PostgreSQL that they nicknamed “Hell’s Keychain”. Starting from an ordinary customer account on their own managed database instance, they were able to escalate to PostgreSQL superuser. In this context “superuser” is the database engine’s own all-powerful role, not an IBM corporate administrator account, but it is still enough to run commands on the underlying host rather than merely querying the database.
From the host, the researchers found plaintext secrets belonging to IBM’s own infrastructure: a Kubernetes service account token, a password for IBM’s private container registry, and credentials for internal CI/CD systems. Those secrets, the “keychain”, let them move through IBM’s internal environment and reach source code and further credentials. The registry password was the critical link: it granted write access to the container images IBM deploys for customers’ database instances, so an attacker who overwrote one of those images could have had their code run inside every customer environment that pulled it.
As The Hacker News reported, exploitation could therefore have allowed a bad actor to remotely execute code in customers’ environments. Fortunately, this remained a vulnerability rather than an actual supply chain attack: IBM fixed the issues after the report and said it found no evidence that they had been exploited, so its cloud customers were not affected.
You don’t really want to depend on being that lucky, though. Here are some ways you can protect your company from supply-chain attacks coming from your CSP.
Keeping Data Safe in the Cloud
It’s imperative for companies to use best practices for security, especially when their infrastructure and any essential services depend on the CSP. Fortunately, there are several things you can do to reduce your exposure to supply-chain attacks and limit the damage if one succeeds.
- Enforce authentication and authorization on every path to your data. Require strong authentication (multi-factor, not just a password) from anyone trying to access your data, and limit access to an explicit list of user and service identities. No one should be able to reach your data without authenticated company credentials, and every access, successful or not, should be logged with who did what and when.
- Minimize access. If an employee doesn’t need access to a certain database, restrict that access. Fewer people being able to use their credentials to access data equals fewer potential attack vectors, and it helps to mitigate the damage caused by that poor security hygiene we were talking about earlier. Apply the same rule to service accounts and API keys: a credential that only needs to read should not be able to write. Hell’s Keychain was dangerous precisely because a registry credential lying around on a database host could push images, not just pull them.
- Automate reporting processes. Feed your access logs into a program that compiles who accessed your data and what they did with it, and have it flag the unusual: principals you don’t recognize, access to resources outside a user’s role, activity at odd hours, and bulk exports. You want to be alerted to this promptly, not discover it during an audit months later.
- Inventory your licenses, accounts and credentials. Have an old license, account or API key that you don’t use? Eliminate it. A forgotten credential with standing access is exactly the kind of thing an attacker finds first. Only keep software and identities active if you are actively using them in your business operations.
- Stage updates rather than applying them blindly. Let your IT department review an update, verify the vendor’s signature or published checksum, and test it in a staging environment before rolling it out company-wide, and pin deployments to known versions or image digests so that a silently replaced artifact cannot slip in. A short hold of a few days also gives time for reports of a compromised release to surface. Do not let this turn into indefinite delay of security patches, though: a known, unpatched vulnerability is far more likely to be exploited than a backdoored update.
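To make the access-control, reporting and inventory points above concrete, here is an added example (written for this page, not code from the article or from IBM) that runs those checks over a constructed audit log. The log format, the entitlement table, the credential inventory and all names in it are invented for illustration and match no real provider’s schema; to use it for real you would replace `parse_log` with a parser for whatever your CSP actually emits (CloudTrail, Cloud Audit Logs, Activity Log and so on).

```python
"""
Added example (not from the article): apply three of the controls above to
cloud audit-log data. Everything here is constructed: the log format, the
entitlement table and the credential inventory are invented for illustration
and do not match any real provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timezone
import json

# Who is allowed to touch which dataset (least privilege, expressed as data).
# Principals not listed here are unknown and should never appear in the log.
ENTITLEMENTS = {
    "alice": {"sales-db", "hr-db"},
    "bob": {"sales-db"},
    "svc-backup": {"sales-db", "hr-db", "finance-db"},
}

# Constructed audit log, one JSON object per line. Timestamps are UTC.
AUDIT_LOG = """\
{"ts": "2023-03-06T09:12:00Z", "principal": "alice", "resource": "sales-db", "action": "read"}
{"ts": "2023-03-06T09:15:00Z", "principal": "bob", "resource": "hr-db", "action": "read"}
{"ts": "2023-03-06T02:40:00Z", "principal": "alice", "resource": "hr-db", "action": "export"}
{"ts": "2023-03-06T10:01:00Z", "principal": "mallory", "resource": "finance-db", "action": "read"}
{"ts": "2023-03-06T11:30:00Z", "principal": "svc-backup", "resource": "finance-db", "action": "read"}
"""

# Constructed credential inventory: (credential name, owner, last-used timestamp or None).
NOW = datetime(2023, 3, 6, 12, 0, tzinfo=timezone.utc)
CREDENTIALS = [
    ("alice-cli-key", "alice", "2023-03-05T17:55:00Z"),
    ("legacy-etl-key", "svc-etl", "2022-10-01T03:00:00Z"),
    ("bob-cli-key", "bob", None),  # issued but never used
    ("svc-backup-key", "svc-backup", "2023-03-06T11:30:00Z"),
]


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' format into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the newline-delimited JSON log into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def find_violations(events, entitlements, business_hours=(8, 18)):
    """Return (principal, resource, reason) findings that deserve a human's attention.

    reasons: unknown-principal  (not in the entitlement table at all)
             not-entitled       (known principal, resource outside their role)
             off-hours          (outside business_hours in UTC; reported in
                                 addition to the others so a 02:40 export stands out)
    """
    start, end = business_hours
    findings = []
    for e in events:
        p, r = e["principal"], e["resource"]
        if p not in entitlements:
            findings.append((p, r, "unknown-principal"))
        elif r not in entitlements[p]:
            findings.append((p, r, "not-entitled"))
        if not (start <= e["ts"].hour < end):
            findings.append((p, r, "off-hours"))
    return findings


def access_report(events):
    """Per-principal count of actions on each resource: the 'who touched what' report."""
    report = defaultdict(lambda: defaultdict(int))
    for e in events:
        report[e["principal"]][e["resource"]] += 1
    return {p: dict(resources) for p, resources in report.items()}


def stale_credentials(credentials, now, max_age_days=90):
    """Names of credentials never used, or unused for longer than max_age_days, sorted."""
    stale = []
    for name, _owner, last_used in credentials:
        if last_used is None or (now - parse_ts(last_used)).days > max_age_days:
            stale.append(name)
    return sorted(stale)


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for finding in find_violations(events, ENTITLEMENTS):
        print("FINDING:", *finding)
    print("stale credentials:", stale_credentials(CREDENTIALS, NOW))
    for principal, resources in access_report(events).items():
        print(principal, resources)
```

On the constructed data this reports bob reading a database outside his role, alice exporting at 02:40, an unrecognized principal touching finance data, and two credentials (one never used, one idle since October) that should be revoked. Keeping the entitlement table in version control alongside the script turns “minimize access” from a policy statement into something the report can actually check against.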
Following best practices won’t guarantee your security, but it can go a long way towards preventing attacks on your infrastructure. There are myriad benefits to using the cloud as part of your business operations, but it’s important to stay alert to security risks, especially supply chain attacks. Had an attacker found the IBM vulnerability before the researchers reported it, every customer of the affected service could have been at risk.
Be honest about what those practices can and cannot do, though. If your provider ships you a compromised image, it runs with whatever privileges the provider’s service already has in your environment, and no amount of user-level access control will stop it executing. What the practices above buy you is a smaller blast radius (scoped credentials and segmented networks limit what that code can reach) and faster detection (access logging and automated reporting show you when it starts behaving oddly). Being aware of the risk is the first step toward attack prevention; limiting the damage when prevention fails is the second.