As enterprises race to adopt cloud technology, they also encounter a range of new threats arising from the rapid and frequently disorganized deployment of different cloud-based technologies. Particular concerns surround the adoption of so-called hybrid cloud technologies, Sean Metcalf, founder of cloud security advisory company Trimarc, told the attendees of DEF CON Safe Mode last week.
The hybrid cloud is a blend of on-premises infrastructure combined with cloud-hosted infrastructure (infrastructure-as-a-service, or IaaS) and services (software-as-a-service, or SaaS). The IaaS providers are usually giants such as Amazon’s AWS, Microsoft’s Azure or Google’s Cloud Platform. Extending on-premises data centers into the cloud means the cloud is effectively operating as a virtualization host like VMware or Microsoft Hyper-V, Metcalf said.
Because of this effective virtualization, any attacks that are associated with those cloud data center elements are similar to how you would attack VMware and Hyper-V “but with the additional overhead of ‘well, it’s hosted by Microsoft or it’s hosted by Amazon, or it’s hosted by Google,’” Metcalf tells CSO.
Each of those hosting giants has different capabilities and configurations, which makes securing them even more complicated for companies. These complexities are especially acute for larger organizations, which often have virtual machine (VM) instances installed across multiple cloud providers, Metcalf says. The use of multiple cloud providers is common for organizations because “anyone with a credit card can sign up for a cloud subscription or cloud account, which means any of the business units can set up their own subscription or their own account or tenant,” Metcalf says.
The challenges grow when factoring in the other elements of the hybrid cloud, the SaaS applications such as Salesforce, Workday or Office 365. Each of these SaaS elements has its own requirements and uses its own synchronization tools, which are configured in the on-premises environment. As a result, an extensive amount of information from the on-premises infrastructure, typically Active Directory, the directory service for Windows domain networks, often ends up in the cloud environment.