Citrix TIPs: Top 5 cloud security risks

Cloud services give businesses the ability to quickly scale and deliver a multitude of services via the Internet. As cloud utilization increases, so does the amount of data stored in the cloud. Consumers of cloud services, regardless of the cloud model they use (IaaS, PaaS, or SaaS), must always remember that data security is their responsibility, not the cloud service provider’s.

In addition to the potential for data compromise, other risks are associated with cloud services and should not be ignored. This blog covers the top five risks that any enterprise should consider when adopting cloud technologies.

1. Data Governance Failure

Managing data in a cloud environment is similar to managing data on premises. In both cases, the goal is to prevent access by unauthorized users. Cloud service providers usually develop perimeter firewalls, access controls, encryption, and monitoring tools to safeguard data stored in their systems; however, it is the customer’s responsibility to understand and implement these security protections.

Additionally, where the data reside in relation to geographic boundaries can play a vital role in cloud storage strategy and governance. For example, the General Data Protection Regulation (GDPR), Europe’s new data privacy and security law, requires data controllers to apply sufficient due care when handling data within the European Union’s geographic boundary. Non-compliance can result in a substantial fine. The cloud service provider must ensure the data resides within the EU geographic boundary. If data has to be stored outside the boundary, this arrangement must be made transparent and be agreed to by the data owner.

Another, often overlooked, aspect of data management is the retention lifecycle within the cloud environment. Data storage components owned by cloud-service providers are supplied to customers as part of the service. Data is typically spread across multiple storage units by the service provider for redundancy purposes. In this distributed scenario, the customer cannot validate if the data has been securely deleted by the service provider or if there are remnants based on the DoD 5220.22-M standard. Most cloud service providers strive to provide a secure method of deletion; however, the ultimate responsibility lies with the data owner. Cloud consumers must perform due diligence in identifying or requesting the data deletion and lifecycle methodology used by their cloud service provider.

2. Increased Complexity and Lack of Training

Cloud service providers handle the complexity of deploying cloud-based services to promote ease of use and quick turnarounds for customers. However, migrating from an on-premises environment to the cloud introduces complexity into an organization’s IT operations. The existing IT staff may lack hands-on experience in managing and supporting cloud services, requiring the team to learn a new model. In particular, teams need to learn about data security in the cloud.

Cloud service providers provide a data encryption solution to customer IT teams. These solutions typically vary. For example, Microsoft Azure provides Azure Storage Service Encryption, and Amazon Web Services provides EBS Volume Encryption. All this complexity and the cloud learning curve can lead to security gaps in cloud and hybrid-cloud implementations.

The solution lies in providing sufficient training to the IT team and engaging the cloud service provider to deploy their solution based on leading practices. Additionally, the enterprise IT team should develop a robust operational policy before moving to the cloud-based model.

3. Misconfigurations

Misconfiguring a system is a common security risk. To stand out from competitors and provide a set of features, cloud service providers enable one-click deployment models where configuration complexities are hidden. Because configuration by the customer must be done post-deployment, a lack of technical understanding may cause errors or omissions. Here are the top five security misconfigurations, neutral to service providers, that Citrix Consulting Services has discovered to date:

Unrestricted outbound access
Unused security groups
Unencrypted storage
No multi-factor authentication
Misconfigured security groups

Misconfiguration risk can be managed strategically by planning security before deployment, not as an afterthought. Enterprise customers should obtain the service provider’s assistance in the design and deployment phases to ensure cloud services are configured according to leading practices. Continuous auditing and testing should be performed as part of the enterprise strategy to help in discovering any security gaps and ensuring the overall health of the cloud services.

4. Multi-Tenant Separation and Availability Failure

Cloud service providers offer a variety of cloud-based architectures like private clouds, hybrid multi-clouds, and public clouds. This varied offering is typically intended to host multiple clients within a single physical cloud architecture or data centers spanning across geographic boundaries. Regardless of the type of cloud architecture, the service provider strives to restrict each tenant within their enclave and ensure that usage of shared resources does not negatively influence the other tenants.

One crucial fact: it is impossible to draw a clear line between business and technical aspects because they often tend to support each other. Failure of one can cause a domino effect. Multi-tenancy does have its advantages, for example, fewer IT resources to be patched by the cloud service provider, reduced overall total cost of ownership, and faster incident response time. However, in the event of a security breach, either a single tenant or multiple tenants sharing the underlying physical resources can be impacted. Malicious users who gain access to the underlying physical support system hosting multiple tenants can compromise one or more tenants if the provided logical or physical separation control fails. Besides the above, hardware failures can impact all the hosted tenants, causing availability issues.

The cloud service provider supplies all the necessary logical and physical security controls, a secure enclave for each of the tenants, and multiple failure domains to mitigate the above risks. Cloud services users should perform due diligence to understand the potential impacts of a multi-tenant environment and the risk mitigation strategies supplied by the service provider.

5. Cloud Cryptojacking

The recent upward yet volatile trend of cryptocurrency has introduced a new threat known as cryptojacking. Cryptocurrency such as Bitcoin requires high computing power, which has led malicious users to target cloud service providers for the wealth of computing resources that can be exploited to mine, or process transactions, using the digital currency. This new attack vector operates by executing undetected in the background to tap computing resources illicitly to enrich malicious users. Though it may seem harmless because no data or records are erased or compromised, this threat exploits the cloud-security boundary to insert the cryptojacking code. This exploit opens the door for malicious data wranglers to use similar methods to gain entry.

Cryptojacking exploits have increased by 141 percent since 2017, with the most notable being Tesla’s Amazon Web Services cloud account illegally accessed to mine digital currency and the web miner script embedded in the AOL advertising platform.

Misconfigurations and social engineering are the two methods employed by malicious users to transfer the cryptojacking exploit code onto the target. As more organizations move to the cloud, service providers are growing at an exponential rate to cope with the demand. This expansion has introduced a large attack surface and a series of security challenges. Customers and cloud service providers should work together to ensure cloud security micro services are configured based on leading practices, proper governance is in place, and end-user training on the intricacies of using cloud services is delivered. This strategy can potentially reduce both the customer’s and CSP’s financial losses incurred due to unauthorized use of computing resources to power cryptocurrency.

The Citrix Consulting Security Practice team can help with your securing your cloud design and hardening needs. Learn more about our security practice and reach out here.

— Sameer Sharma, Senior Consultant

Topics

Products

You might be interested in

Cybersecurity for financial services

Stay Informed.
Subscribe Today.

Citrix 2024 roadmap: Protecting business-critical apps and data

Mitigating Credential Risks with Citrix Technology: A Comprehensive Approach

Cybersecurity for financial services

Citrix 2024 roadmap: Protecting business-critical apps and data

Mitigating Credential Risks with Citrix Technology: A Comprehensive Approach

Introducing Seamless Profile Sync with Remote Browser Isolation

Deliver standardized UX for healthcare with 10ZiG Citrix-ready endpoints & management

Evolution of Cybersecurity in Healthcare: Insights from a CIO

Embracing Cloud Technology in Healthcare: Insights from a CIO

Surfing Through 2023: Navigating the features from the Citrix Enterprise Browser’s second birthday release!

Announcing the General Availability of new enhancements for Citrix Secure Private Access on-premises

Unveiling the power of Citrix Enterprise Browser’s integration with Citrix Analytics Service for Security

Citrix Connect Kicks Off in New York City!

Announcing the Incoming 2024 Citrix Technology Professional (CTP) Class

What’s new with Citrix: Join our April webinar for licensing and LTSR updates

Connect your Mac desktops with HDX & DaaS! Citrix VDA for macOS is Public Tech Preview!

Feature matrix comparison among Linux VDA LTSR releases

What’s new with HDX in the 2402 LTSR

Now Available: Citrix Virtual Apps and Desktops 2402 Long Term Service Release

Take your Citrix journey to the next level with the Citrix Administrator Academy

Citrix Public Sector April 2024 Update!

Unlocking New Possibilities with Intel GPUs in Citrix Environments