2.2


New Strategies to Enhance Cyber Security in the Cloud

Robert Deng

Robert Deng is AXA Chair and Professor of Cyber Security, Director of the Secure Mobile Centre, and Deputy Dean for Faculty & Research at the School of Computing and Information Systems of Singapore Management University. He is a Fellow of IEEE and Fellow of Academy of Engineering Singapore.

In about 2 decades, cloud computing has seduced virtually all organizations of all sizes on Earth as it brings many benefits such as rapid deployment, low up-front costs and scalability. Indeed, instead of owning their infrastructures for their software, hardware and data storage and having to maintain them, organizations have by and large turned to cloud-based operations, where they share infrastructures and sometimes services with other users.

This change towards shared infrastructures means new security challenges, including massive data breaches and hacks into computing resources to mine cryptocurrencies. Why is that?

Indeed, security challenges arise as cloud computing is less secure than on-premise computing. In traditional on-premise information systems, the physical infrastructure, the hardware and the software are all located within the organization. The organization can control everything and has good visibility of what is happening in its own information systems.

Because of the virtualization of machines, servers, etc. in the cloud, you have different components at different locations, provided by different service providers. This means that the environment is very heterogeneous. Neither the data owner, nor the consumers, nor the service providers have full control over the whole environment. They even have little visibility over the system, which means that a breach may occur without anyone noticing.

In addition, in the cloud, what we call the ‘attack surface’ is much larger than in on-premise information systems: the system has more vulnerabilities and more exposure to cyber-attacks. Vulnerabilities can be in the machines themselves, on the service provider side, and also on the user side, for example, in a phishing attack, where users disclose their credentials.

In security, the biggest enemy is complexity.

What is the ‘Zero Trust’ strategy that now leads cloud security efforts worldwide?

So far, we have always assumed that we could trust our servers and operating systems to keep our data confidential, to authenticate the user correctly, to enforce access control. This worked well for traditional on-premise computing. Today, in the cloud, it is a much riskier assumption, but unfortunately still made by many.

The Zero Trust strategy is to not automatically trust infrastructures, devices and service providers. Rather, we think trust needs to be established based on different principles. An example is to create secure spaces separated by gatekeepers. For example, you might want to set up a firewall between an application server and a database server that contains confidential data.

Another principle is multi-level security control. If one layer of protection breaks down, a second layer is still up and running, protecting our information assets. For example, if the login access into your hard drive is breached because an attacker found your password, data encryption acts as a second layer of protection. Two-factor authentication relies on this principle.

A third principle is to follow the best security practices, for example following the ‘least privilege’ principle, which would be the numerical equivalent of granting access on a ‘need-to-know’ basis.

In the cloud, controlling access at every entry point soon becomes overwhelming. What are the strategies to tackle the scalability challenges related to distributed environments?

Models for access control that were designed for centralized information systems can work well for many distributed information systems.

The first option is ‘discretionary access control’: the data owner decides which user can read their data, or edit it, or own it. Even with a very distributed system, discretionary access control works well. Another option is ‘mandatory access control’, which is used in governments and the military for classified information. The data is labelled, depending on its required security levels. Each user is given a security clearance. If the label and the clearance match, access is granted. Finally, a variation is to have ‘role-based clearances’. This is useful when you have a rapid workforce turnover for example. Instead of giving access privileges to the user directly, you give privileges to a role, and whoever is holding that role will get the relevant clearance for their positions.
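The three models described above, sketched as an added Python example that is not part of the interview. The user names, the resource, the label ordering and the reading of "match" as "clearance at least as high as the label" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed label ordering for the mandatory model (assumption).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"                    # mandatory: security label
    acl: dict = field(default_factory=dict)  # discretionary: user -> rights

class Policy:
    def __init__(self):
        self.clearance = {}    # mandatory: user -> clearance level
        self.role_perms = {}   # role-based: role -> {(resource, right)}
        self.role_holder = {}  # role-based: role -> user holding it now

    def grant(self, actor, res, user, right):
        # Discretionary: only the data owner decides who gets a right.
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl.setdefault(user, set()).add(right)

    def dac_allows(self, user, res, right):
        return user == res.owner or right in res.acl.get(user, set())

    def mac_allows(self, user, res):
        # Mandatory: the clearance must reach the label, whatever the owner granted.
        level = self.clearance.get(user, "public")
        return LEVELS[level] >= LEVELS[res.label]

    def rbac_allows(self, user, res, right):
        # Role-based: privileges belong to the role, not to the person.
        return any(self.role_holder.get(role) == user and (res.name, right) in perms
                   for role, perms in self.role_perms.items())

def demo():
    p = Policy()
    report = Resource("q3-report", owner="alice", label="confidential")
    p.clearance.update({"alice": "secret", "bob": "public"})
    p.grant("alice", report, "bob", "read")            # owner's discretion
    p.role_perms["auditor"] = {("q3-report", "read")}
    p.role_holder["auditor"] = "carol"
    carol_before = p.rbac_allows("carol", report, "read")
    p.role_holder["auditor"] = "dave"                  # workforce turnover
    return {"dac_bob": p.dac_allows("bob", report, "read"),
            "mac_bob": p.mac_allows("bob", report),
            "carol_before": carol_before,
            "carol_after": p.rbac_allows("carol", report, "read"),
            "dave": p.rbac_allows("dave", report, "read")}
```

Bob's case shows why the models are often combined: the owner's discretionary grant succeeds, yet the mandatory check still refuses him because his clearance is below the label.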

The Internet-of-Things (IoT) is an extreme example of a distributed environment. Are IoT security challenges different from cloud security challenges?

In cloud computing, the data center is managing the data and providing services; there is still some centralized management. The Internet-of-Things is a huge, complex and open environment, with a variety of users and devices, including physical objects with little computing capability and little battery life: door locks, lights, etc. They cannot afford to be encrypted with strong security measures or solutions, and a common example of attack is the ‘Distributed Denial-of-Service’, in which an attacker sends so many requests that devices are overwhelmed and hang. In other words, the system complexity of the Internet-of-Things can grow beyond anyone’s ability to manage it.

Finding a good technical solution for access control in the Internet-of-Things is an open research question today. I believe that IoT security requires a different approach: more security regulations and more public security awareness education to the common users. This could be done for example using certification: products such as CCTV cameras could be certified for specified security levels, to encourage users’ awareness and manufacturers to produce more secure devices.