Most web applications are moving to cloud technology. While this enhances application functionality, it also introduces security issues. Since everything is virtual in cloud hosting, it is difficult to gain fine-grained control over "data at rest" and "data in transit".
Cloud computing offers three basic service models: Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS). Securing cloud environments is a sweeping proposition that touches on virtualization security, access control, data protection and a host of other areas.
Cloud Application Penetration Testing
To manage cloud security in today's world, you need a solution that helps you address threats to enterprise data and infrastructure, including the major trends you are up against.
1. Changing attackers and threats: Threats are no longer the purview of isolated hackers looking for personal fame. More and more, organized crime is driving well-resourced, sophisticated, targeted attacks for financial gain. In addition, cybercriminals have expanded their attack targets from just the software to the platform.
2. Consumerization of IT: As mobile devices and technologies continue to proliferate, employees want to use personally owned devices to access enterprise applications, data, and cloud services.
3. Evolving architecture technologies: With the growth of virtualization and the use of public clouds, perimeters and their controls within the data center are in flux, and data is no longer easily constrained or physically isolated and protected. Cloud technologies present new security challenges; for example, API management and governance is a critical discipline for enterprises to scale delivery of cloud services to mobile and other clients.
4. Dynamic and challenging regulatory environment: Organizations—and their IT departments—often face ongoing burdens of legal and regulatory compliance with increasingly prescriptive demands and high penalties for noncompliance or breaches. Commonly cited examples of regulations include Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) in the United States, the Data Protection Act in the United Kingdom, and the European Union (EU) Data Protection Directive.
Data loss or leakage. Protecting data can be a headache because of the number of ways it can be compromised. Some data—customer, employee, or financial data, for example—should be protected from unauthorized users. But data can also be maliciously deleted, altered, or unlinked from its larger context. Loss of data can not only disrupt your business operations, but also damage your company's brand and reputation, affect customer and employee trust, and have regulatory compliance or competitive consequences.
Account or service hijacking. Attacks using methods such as phishing and fraud continue to be an ongoing threat. With stolen credentials, hackers can access critical areas of your cloud and potentially eavesdrop on transactions, manipulate or falsify data, and redirect your clients to illegitimate sites. IT organizations can fight back with strong identity and access management, including two-factor authentication where possible, strong password requirements, and proactive monitoring for unauthorized activity.
Abuse and nefarious use of cloud services. Many infrastructure-as-a-service (IaaS) providers make it easy to take advantage of their services. It's typically easy for users to register an account and start using cloud services right away. Cybercriminals actively target cloud service providers, partly because such a relatively weak registration process lets them obscure their identities, and because many providers have limited fraud-detection capabilities. Stringent initial registration and validation processes, fraud monitoring, and subsequent authentication are ways to remediate this type of threat.
Insecure interfaces and APIs, and lack of enterprise-class security. APIs are used to consume, expose, or aggregate cloud services, including controlled spin-up of virtual machines (VMs), management of API versions and security policy, sharing and discovery of APIs with developers, orchestration and integration, and API monitoring and metering to drive revenue. These interfaces are an important application-layer control point for data loss prevention, threat protection, and defense against other content-delivered attacks. Edge API gateways for on-premises enforcement, combined with cloud-delivered API portals, are an emerging design pattern for enterprise control.
Multitenancy and shared technology issues. Clouds deliver scalable services that provide computing power for multiple tenants, whether those tenants are business groups from the same company or other companies. That means shared infrastructure—CPU caches, graphics processing units (GPUs), disk partitions, memory, and other components—that was never designed for strong compartmentalization. Even with a virtualization hypervisor to mediate access between guest operating systems and physical resources, there is concern that attackers can gain unauthorized access and control of your underlying platform with software-only isolation mechanisms. Potential compromise of the hypervisor layer can in turn lead to a potential compromise of all the shared physical resources of the server that it controls, including memory and data as well as other VMs on that server.
Amazon Web Services (AWS) provides an easy-to-manage cloud platform to store your digital assets, host servers and more. Its simple client interface in tandem with extensive documentation makes it a popular choice amongst developers to host their applications. Amazon also has many settings for security controls including firewalls to block incoming and outgoing traffic and different identity and access management (IAM) accounts with varying levels of privileges. However, misconfigurations in your web application can allow an attacker to pivot into your cloud and exfiltrate both company and consumer data.
In the past, developers used hard-coded passwords to access different services, such as MySQL or FTP, to retrieve client data. Amazon recognized this poor security practice and introduced what is called the Amazon Metadata Service. Instead of embedding secrets, when your application wants to access assets it can query the metadata service to get a set of temporary access credentials. The temporary credentials can then be used to access your S3 assets and other services. Another purpose of this metadata service is to store the user data supplied when launching your instance, which in turn configures your application as it launches.
As a developer, you stop reading here – an easily scalable infrastructure with streamlined builds, all of it driven from the command line? Done. If you're a security researcher, you continue to read the addendum: "Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods." From the attacker's perspective, this metadata service is one of the juiciest services on AWS to access. Being able to reach it from the application could yield total control if the application is running under the root IAM account, and at the very least gives an attacker a set of valid AWS credentials to interface with the API.
Developers often overlook the sensitive information they put into user startup scripts. User startup scripts can be accessed through the metadata service and allow EC2 instances to be spun up with particular configurations. This is often overlooked, and some startup scripts will contain usernames and passwords used to access various services. When assessing a web application, look for functionality that fetches page data and returns it to the end user, much as a proxy would. Since the metadata service doesn't require any particular parameters, fetching the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE will return the AccessKeyID, SecretAccessKey, and Token needed to authenticate into the account. Recently, we discovered an instance of single sign-on functionality implemented insecurely for a client. It used XML to transfer data between the web application and Google's account authentication, and we were able to leverage XML external entity injection to query the metadata service and return the credentials to our server.
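The defensive counterpart to the proxy-like fetch functionality described above, added here as an example rather than code from the original article: a URL check that refuses to fetch link-local, loopback and private addresses, so a user-supplied URL cannot be pointed at the instance metadata endpoint. The `resolve` parameter, the blocked ranges and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a server-side "fetch this URL for me" feature must never reach.
# 169.254.0.0/16 contains the instance metadata endpoint (169.254.169.254)
# discussed above; the rest cover loopback, RFC 1918 space and IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
        "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
    )
]


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is the same host as 169.254.169.254
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url: str, resolve=socket.getaddrinfo):
    """Return (allowed, reason). `resolve` is injectable so tests run offline."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address in the URL
    except ValueError:
        # Resolve names instead of string-matching them: a DNS name, or an
        # alternate encoding such as a decimal IP, is judged by what it points at.
        try:
            ips = [info[4][0] for info in resolve(host, parts.port or 80)]
        except OSError as exc:
            return False, "DNS failure: %s" % exc
    for ip in ips:
        if is_blocked_ip(ip):
            return False, "%s resolves to blocked address %s" % (host, ip)
    # The caller must connect to one of `ips` (not re-resolve) and re-run this
    # check on every HTTP redirect; otherwise DNS rebinding or an open redirect
    # on an allowed host bypasses the check.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the metadata URL quoted above.
    for u in (
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
        "https://example.com/status",
    ):
        print(u, "->", check_fetch_url(u))
```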
Another avenue of attack we have taken when exploiting AWS credentials is the restoring and mounting of EBS volumes created from snapshots. In an engagement, we found no trace of EC2 instances running or S3 buckets available under a root account. After further investigation, the company had moved to a different AWS account and operated under the new credentials; however, the old credentials we had obtained still had hundreds if not thousands of snapshots available. After restoring and mounting these snapshots following the process above, we were able to discover old source code from which the company continued to build. This old source still contained sensitive information, such as GitHub used to pull the developer repositories.
This section provides additional information regarding key features in security operations and summary information about these capabilities. The OMS Security and Audit solution provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in OMS. It provides high-level insight into the security state of your computers. It also includes the ability to view all events from the past 24 hours, 7 days, or any other custom time frame. In addition, you can configure OMS Security & Compliance to automatically carry out specific actions when a specific event is detected.
Azure Resource Manager enables you to work with the resources in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use an Azure Resource Manager template for deployment, and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment. Azure Resource Manager template-based deployments help improve the security of solutions deployed in Azure because standard security control settings can be integrated into standardized template-based deployments. This reduces the risk of security configuration errors that might take place during manual deployments.
Application Insights is an extensible Application Performance Management (APM) service for web developers. With Application Insights, you can monitor your live web applications and automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your apps.
It monitors your application all the time it's running, both during testing and after you've published or deployed it. Application Insights creates charts and tables that show you, for example, what times of day you get the most users, how responsive the app is, and how well it is served by any external services that it depends on. If there are crashes, failures or performance issues, you can search through the telemetry data in detail to diagnose the cause. The service also sends you emails if there are any changes in the availability and performance of your app. Application Insights thus becomes a valuable security tool because it supports the availability leg of the confidentiality, integrity, and availability security triad.
Azure Monitor offers visualization, query, routing, alerting, auto scale, and automation on data both from the Azure infrastructure (Activity Log) and from each individual Azure resource (Diagnostic Logs). You can use Azure Monitor to alert you on security-related events that are generated in Azure logs.
Log Analytics, part of Operations Management Suite, provides an IT management solution for both on-premises and third-party cloud-based infrastructure (such as AWS) in addition to Azure resources.
Data from Azure Monitor can be routed directly to Log Analytics so you can see metrics and logs for your entire environment in one place. Log Analytics can be a useful tool in forensic and other security analysis, as it enables you to quickly search through large amounts of security-related entries with a flexible query approach. In addition, on-premises firewall and proxy logs can be exported into Azure and made available for analysis using Log Analytics.
Azure Advisor is a personalized cloud consultant that helps you optimize your Azure deployments. It analyzes your resource configuration and usage telemetry. It then recommends solutions to help improve the performance, security, and high availability of your resources while looking for opportunities to reduce your overall Azure spend. Azure Advisor provides security recommendations, which can significantly improve your overall security posture for solutions you deploy in Azure. These recommendations are drawn from security analysis performed by Azure Security Centre.
Azure Security Centre helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions. In addition, Azure Security Centre helps with security operations by providing you a single dashboard that surfaces alerts and recommendations that can be acted upon immediately. Often, you can remediate issues with a single click within the Azure Security Centre console. Each of the components above is a potential attack point, and hence VAPT or pentesting is vital for Azure cloud-based apps.
Software as a Service (SaaS) is a software deployment model where applications are remotely hosted by the application or service provider and made available to customers on demand, over the Internet. Enterprises can take advantage of the SaaS model to reduce the IT costs associated with traditional on-premise applications like hardware, patch management, upgrades, etc. On demand licensing can help customers adopt the "pay-as-you-go/grow" model to reduce their up-front expenses for IT purchases. SaaS lets software vendors control and limit use, prohibits copies and distribution, and facilitates the control of all derivative versions of their software. SaaS centralized control often allows the vendor to establish an ongoing revenue stream with multiple businesses [tenants] and users. The tenants are provided a protected sandbox view of the application that is isolated from other tenants. Each tenant can tune the metadata of the application to provide a customized look and feel for its users. The SaaS software vendor may host the application on its own private server farm or deploy it on a cloud computing infrastructure service provided by a third party provider (e.g. Amazon, Google, etc.). The use of cloud computing coupled with the pay-as-you-go (grow) approach helps the application service provider reduce the investment in infrastructure services and enables it to concentrate on providing better services to customers.
In a traditional on-premise application deployment model, the sensitive data of each enterprise continues to reside within the enterprise boundary and is subject to its physical, logical and personnel security and access control policies. However, in the SaaS model, the enterprise data is stored outside the enterprise boundary, at the SaaS vendor end. Consequently, the SaaS vendor must adopt additional security checks to ensure data security and prevent breaches due to security vulnerabilities in the application or through malicious employees. This involves the use of strong encryption techniques for data security and fine-grained authorization to control access to data. In cloud vendors such as Amazon, the Elastic Compute Cloud [EC2] administrators do not have access to customer instances and cannot log into the Guest OS. EC2 Administrators with a business need are required to use their individual cryptographically strong Secure Shell [SSH] keys to gain access to a host. All such accesses are logged and routinely audited. While the data at rest in Simple Storage Service [S3] is not encrypted by default, users can encrypt their data before it is uploaded to Amazon S3, so that it is not accessed or tampered with by any unauthorized party.
In a SaaS deployment model, sensitive data is obtained from the enterprises, processed by the SaaS application and stored at the SaaS vendor end. All data flowing over the network needs to be secured in order to prevent leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Sockets Layer [SSL] and Transport Layer Security [TLS]. In the case of Amazon Web Services [AWS], the network layer provides significant protection against traditional network security issues, such as MITM attacks, IP spoofing, port scanning, packet sniffing, etc. For maximum security, Amazon S3 is accessible via SSL encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, ensuring that data is transferred securely both within AWS and to and from sources outside of AWS.
The SaaS deployment needs to be periodically assessed for conformance to regulatory and industry standards. The SAS 70 standard includes operating procedures for physical and perimeter security of data centers and service providers. Access, storage, and processing of sensitive data need to be carefully controlled and are governed under regulations such as ISO-27001, the Sarbanes-Oxley Act [SOX], the Gramm-Leach-Bliley Act [GLBA], the Health Insurance Portability and Accountability Act [HIPAA] and industry standards like the Payment Card Industry Data Security Standard [PCI-DSS]. Data privacy has emerged as another significant challenge. Different countries have their own distinct privacy regulations about how data needs to be secured and stored. These might lead to conflicts when the enterprise data of one country is stored in data centers located in another country.
As discussed, SaaS solutions can either be hosted by the SaaS vendor or deployed on a public cloud. In a self-hosted deployment, the SaaS vendor needs to ensure that adequate safeguards are adopted to combat network penetration and DoS attacks. Dedicated cloud providers such as Amazon and Google help facilitate building secure SaaS applications by providing infrastructure services that aid in ensuring data security, network security, data segregation, etc. SaaS applications that are deployed on these public clouds should harden their application security settings to conform to the best practices recommended by the public cloud vendor.
Application Vulnerability Assessment
The application VA helps validate application security in a SaaS deployment. This is generally independent of the SaaS deployment model used by the vendor. However, dedicated cloud providers such as Amazon help facilitate building secure SaaS applications by providing infrastructure services that aid in ensuring data security, network security, data segregation, etc.
Cloud App Security is a critical component. It's a comprehensive solution that can help your organization as you move to take full advantage of the promise of cloud applications, but keep you in control, through improved visibility into activity. It also helps increase the protection of critical data across cloud applications. With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can more safely move to the cloud while maintaining control of critical data.
Cloud App Security integrates visibility with your cloud by
• using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.
• sanctioning and unsanctioning apps in your cloud.
• using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of apps that you connect to.
• using proxy protection to get real-time visibility and control over access and activities performed within your cloud apps.
• helping you have continuous control by setting, and then continually fine-tuning, policies.
There are already many existing laws and policies in place which disallow the sending of private data onto third-party systems. A Cloud Service Provider is another example of a third-party system, and organizations must apply the same rules in this case. It's already clear that organizations are concerned at the prospect of private data going to the Cloud. The Cloud Service Providers themselves recommend that if private data is sent onto their systems, it must be encrypted, removed, or redacted. The question then arises: "How can the private data be automatically encrypted, removed, or redacted before sending it up to the Cloud Service Provider?" It is known that encryption, in particular, is a CPU-intensive process which threatens to add significant latency to the process. A detailed vulnerability assessment and penetration testing for SaaS or PaaS applications is imperative.
Valency Networks has a very agile, friendly and fun-loving atmosphere, and yet we maintain a cutting-edge, technically vibrant work environment.