As more people and businesses use Web-based applications, the list of vulnerabilities grows, and with it the problem of trusting cloud security. In 2008, IBM’s Annual X-Force Report showed Web application vulnerabilities on a steep ascent, climbing by approximately 3,000 over the previous year. The same report showed data manipulation and file manipulation as the only two of eight vulnerability categories on the increase, with data manipulation climbing steeply and file manipulation on a gradual upward trend.
Attacks are shifting from the network layer to the application layer, because the applications themselves are largely run through Web browsers. The other troubling issue for cloud security trust is how slowly application providers respond to vulnerabilities: IBM’s report also showed that of all the Web application vulnerabilities disclosed in 2008, 74 percent had no patch available by the end of the year.
A classic example of data manipulation is the SQL injection attack. According to Georg Hess, CEO and cofounder of Art of Defence, a company that provides application security technology for every scale, such an attack can harvest your database contents simply by entering a valid SQL command into the login field.
“Typical attack vectors are not targeting the network layer but they are trying to manipulate the software itself,” Hess says. “Think of a log-in field where you supply your name. When you put in your name there will be a cloud application that takes your name and checks it with a database. If the name is in the database you get access to your CAD data in the cloud. But if that cloud application does not validate the input then anyone could input a small phrase written in the database language that causes the database to reveal all the data files of all the valid users of that application.”
In the annually updated Open Web Application Security Project (OWASP) Top Ten list, which catalogs the typical attacks aimed solely at the application layer, SQL injection is one of the most prominent entries.
According to OWASP, injection attacks (not limited to SQL databases) let attackers spoof identity, tamper with existing data, alter transactional data, reveal all the data on the system, destroy data, or take control of the database as an administrator. The organization recommends having a strong data security policy and combining complementary defenses to mitigate SQL injection:
- Parameterized queries that keep the query and the data separate by using placeholders called “bound” parameters
- Parameterized stored procedures
- Minimum-privilege database accounts, never sa, dba or admin
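The login scenario Hess describes, with the string-built query beside its parameterized form, as an added example that is not from the article, Art of Defence, or OWASP; it assumes only Python’s built-in sqlite3 module and a constructed three-row users table:

```python
import sqlite3

# Constructed sample data standing in for the cloud application's user database.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "passw0rd")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name):
    """Builds the query by concatenation, so the login field becomes SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name):
    """Uses a bound parameter: the driver keeps query text and data separate."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input of the kind Hess describes: a short phrase in the database
# language entered into the login field instead of a name.
INJECTED_NAME = "x' OR '1'='1"


def demo():
    """Run both login paths with a valid name and with the injected phrase."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice"),
        "valid_parameterized": login_parameterized(conn, "alice"),
        # The concatenated query becomes WHERE name = 'x' OR '1'='1' and
        # matches every row; the bound version looks for a user literally
        # named x' OR '1'='1 and matches none.
        "injected_vulnerable": login_vulnerable(conn, INJECTED_NAME),
        "injected_parameterized": login_parameterized(conn, INJECTED_NAME),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable path returns every valid user for the injected input, which is exactly the disclosure Hess warns about; the parameterized path returns no rows for the same input.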
Hess recommends asking your SaaS cloud provider to describe the security controls it applies at every layer that is subject to vulnerabilities. The answer should go beyond network security and address application security as well. Ask the same questions of any managed security services you use or intend to use. Identity management is another key area to inquire about.
When you move applications to an infrastructure as a service (IaaS) provider, the provider may not be able to cover the full range of security controls across all of the layers. In that case, Hess says, use the services of one of the provider’s partners that offers those kinds of security packages. For example, he says, Art of Defence offers a small plugin that works with Amazon’s offerings.
The keys to cloud security focus on knowledge. You have to know what your vulnerabilities are and how to mitigate the risks. Your cloud provider must be part of that equation.