Cloud Security: The Secret Sauce

You’ve been hearing it for years: “The Cloud is insecure”. Well, I am here to tell you the secret to Cloud security. Companies have paid hundreds, even millions, of dollars to try to ascertain the information in this blog, and I am offering it to you for free. You will be surprised at how secure you can make the Cloud, using the secrets and tips I will share with you. Many other security folks will tell you that it is not possible; I am here to tell you it is! Using my award-winning, tried and tested formula for success, you can have a secure cloud as well. If you enjoy this, let me know and you’ll receive immediate access to my “Secure your enterprise in 10 easy steps”, for the low price of $11.93.

With that groundwork laid, I now present to you “Phil’s 10 secrets to guaranteed Cloud Security”. Please do not share this proprietary information with others; it has taken me years of research to identify these “secrets” and I only want my friends to benefit from my research.

Secret #1: Random selection via dart throwing doesn’t work

My research has shown that in order for you to be successful, you actually have to plan something, and monitor to see if it worked. Yes, believe it or not, pure random security solution dart throwing does not produce success. I know this will be a shock to many, but taking the time to identify security controls and metrics that matter to the company is key to achieving actual security.

Secret #2: Self-healing is a myth

The second item that I have uncovered is that systems will become vulnerable over time, thus patching is important. I know many of you have been under the impression that systems are self-healing, and that patching is something that is left to the neophytes, but I am here to tell you that patching is important. Those self-healing tapes you have your systems listening to are not helping. Digging further into this phenomenon, I identified that you must patch both systems and applications. Imagine my surprise when I found out that applications have vulnerabilities too, and that patching them was as important as patching the systems.

Secret #3: Developers are human

Third among my “secrets to Cloud security success” is the often hidden fact that your developers are not perfect, and will write vulnerable code. Much to my amazement, I was shocked to find out that developers make mistakes, and in some rare cases actually have no idea about the security requirements of the applications they are writing. To thwart this nefarious exposure, testing of application code for vulnerabilities is a must, and one of the closest held secrets in the “Cloud security” community. Those of us in that community do not like to let that little secret out much. You have just been granted access to the inner circle with that tidbit.

Secret #4: Attackers have dictionaries

Those darn hackers have dictionaries too. We should not have to use things that are complicated, but that is part of the “secret sauce”, strong authentication. While I know that using your cat’s name or street name makes things much easier, it does so for the attackers as well. My #4 secret is to use some type of strong authentication or complex (in terms of length) password. It is good if you have a lockout policy as well.

Secret #5: People can see your traffic

During my early years in InfoSec, I was part of a team that would get alerts from major backbone providers if there was certain “traffic” that matched a communication pattern. This was visible because anything that passes over the Internet is potentially subject to “sniffing” by any device on the path the packet traverses, so we need to encrypt what we put on the wire (or air for that matter). If you want something to be secret, you need to make sure it is not exposed. For our purposes, the “secret” here is to encrypt the transport on things you want to keep private.

Secret #6: Your data needs protection too

Attackers will try many vectors to get at their target, and if you forget to patch a system or application and data gets compromised, having data encrypted at rest may buy you some time. There have been multiple occasions where a system is compromised and used to gain access to a database. If the data had been encrypted at the application layer before being placed into the database, the exposure would have been significantly reduced. Further, anytime you move the data off-line, if it is encrypted, you reduce your exposure. Secret #6 says encrypt your data at rest and manage keys properly.

Secret #7: Things you don’t plan for happen

I have seen many occasions where supposedly “disabled” accounts were used to gain access to systems and data that they should no longer have access to. Further, there have been times where users with excessive access have fallen into the “curiosity kills the cat” metaphor, and ventured into things they should not have. Performing reviews of who has access to what, and what access they have, is another “secret to success” in the Cloud security world.

Secret #8: Logs don’t review themselves

One of the most often overlooked “secrets” is watching for things that you don’t expect. You will need to implement a mechanism to actually review logs and security-related events. It doesn’t need to be sexy or expensive, but it does need to meet your specific circumstance. The one thing about attackers is that they will get sloppy, and you can identify them, but if you never look, you won’t (kind of like a Yogi Berra statement).
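A cheap review mechanism that ties Secrets #7 and #8 together, as an added example that is not part of the original post: cross-check authentication events against the list of accounts that are supposed to be disabled. The roster and log formats, field names and sample data below are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample data: account roster export (hypothetical format).
ROSTER_CSV = """user,status,disabled_on
alice,active,
bob,disabled,2024-03-01
carol,disabled,2024-04-15
"""

# Constructed sample auth log (hypothetical format: timestamp user result source).
AUTH_LOG = """2024-02-27T09:12:00 bob success 10.0.0.5
2024-03-02T23:41:10 bob success 203.0.113.7
2024-03-03T08:00:00 alice success 10.0.0.8
2024-04-20T02:13:55 carol failure 198.51.100.9
2024-04-20T02:14:30 carol failure 198.51.100.9
malformed line here
"""

def load_disabled(roster_text):
    """Return {user: disabled_date} for accounts marked disabled."""
    disabled = {}
    for row in csv.DictReader(io.StringIO(roster_text)):
        if row["status"] == "disabled" and row["disabled_on"]:
            disabled[row["user"]] = datetime.fromisoformat(row["disabled_on"])
    return disabled

def review(log_text, disabled):
    """Flag any auth activity by a disabled account after its disable date."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            user, result, source = parts[1:4]
        except (ValueError, IndexError):
            skipped += 1  # count unparsed lines instead of silently dropping them
            continue
        cutoff = disabled.get(user)
        if cutoff and ts >= cutoff:
            # A success means the "disabled" account still works somewhere.
            severity = "HIGH" if result == "success" else "WATCH"
            findings.append((severity, user, ts.isoformat(), source))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = review(AUTH_LOG, load_disabled(ROSTER_CSV))
    for finding in findings:
        print(*finding)
    print(f"unparsed lines: {skipped}")
```

The count of unparsed lines is reported on purpose: a review that quietly ignores lines it cannot read is not looking at everything.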

Secret #9: What you don’t know can hurt you

Back to the things people don’t think much about: knowing the ins and outs of the development framework you choose for your application is important. Leveraging the security features can be a big win, and trying to do something the framework is not designed to do has the opposite result. So “secret” #9 is: train your developers in the security features of the development frameworks you use.

Secret #10: The dark side is not always bad

The final “secret” to success is to look at your organization like an attacker would. Risk assessments are a key part, but only if done in the reality of the environment. If you are too theoretical, you will get bogged down in noise. Too optimistic, and you’ll get hacked because you left things unprotected. My final word of advice is to “Think like a bad guy when doing risk assessments”.

Summary

If you follow my tips and apply these “secrets” in your organization’s use of Cloud computing, you will have a secure cloud. If you don’t, the chances of you being successful are minimal, as my system has a proven track record of success. My competitors have no such claims!

Phil “SnakeOilSecurity” Cox

Epilogue

By the way, if you have not figured out that the whole “secret sauce” and “easy steps” stuff is just a parody of the whole infomercial thing, please read again: there is no such thing as “secret sauce” and nothing is “easy”. The things I list above are just part of an overall good security program. The reality is that you need to have good security hygiene, in the Cloud or not; that is what keeps you secure (or minimizes your risk). Not tools or promises from others.

Phil “Just another security guy trying to do his best” Cox

1 Comment

  1. FUCK YOU AND YOUR SITE!!!!!!!!!!!!!!!!!!!!!!
