Is SSL enough for Cloud Security?
Web sites are highly functional applications, which rely on a two-way flow of information, between server and browser. For example: from login, registration, financial transactions, personal information storage, browsing habits of users, to the insight of user’s social life, etc. All these are done to present users tailored specific contents. This is done by web applications dynamically in real time.
National Institute of Standards and Technology defines Cloud Computing as
“A model for enabling on-demand and convenient network access to a shared pool of configurable computing resources (e.g., networks, servers, storage applications, and services) that may be speedily provisioned and free with token management effort or service supplier interaction”.
Availability of information within the cloud with access to 24/7 for 365 days becomes very crucial for applications to work in and with business. However, it has equal risks of exposing data to applications which contains loophole of there can be a possibility of one due to use of obsolete technology in them that makes them vulnerable with the attack of “components with known vulnerability” which was A9 in 2013 OWASP Top 10 Attacks published by OWASP. Similarly, use of virtualization for cloud computing can bring the risk of misleading user with their information once a guest OS is run over a hypervisor while not knowing the dependencies of the guest OS which if is obsolete or is running with un-patched security components that can make a system vulnerable. From giving backdoor access to run remote procedure calls.
In all of these most of the information processed is private and sensitive, hence privacy becomes a major concern. Being a part of the internet, Web Applications are equally part of the intranet to support business functions which involve working with user-specific data. For Example business details of employees, clients, Enterprise resources, Interdependencies with other enterprise resources like servers, work stations, virtual machines, etc.
Resources considered to be internal to an enterprise are now increasingly being hosted to cloud as cloud solutions in business are proven to be more reliable and efficient. As cloud works on service-oriented approach apart from PaaS, and IaaS, with its ability to scale to meet up with user requirements, multi-tenancy, etc.
Cloud uses a location transparency model which hides the location of their services and data. Hence supplier is able to host their services from anyplace within the cloud. In this case, the organization might lose their control over information and probably are not acquainted with the proper security mechanism in place at the remote place where their information gets stored. All this can make data, and used technology in architecture transparent to a wider range of potential attacks as the integrity of security defenses go off organizations hands.
Although equal regulations are put on the organization for data collection and transit, and organization is mostly asked to store data related to citizens of a country within its geographical rage as it can be regulated under a country’s compliance which is must be followed by an organization to carry their “business of data”.
And so the most serious attacks against web applications are those that exploit sensitive data or give unrestricted access to the back end of an application.
Most applications state that they are secured because they use SSL.
"This site is designed to use 128-bit Secure Socket Layer (SSL) technology."
Users are often urged to trust site on the basis of its certificate, and cryptographic protocols in use, to transmit their personal information. Increasingly, organizations also cite their compliance with the Payment Card Industry (PCI) standards to reassure users that they are secure.
"This site is scanned daily to ensure that we remain PCI compliant and safe from hackers."
But, most of the internet applications are insecure, despite the widespread usage of SSL/TLS technology and the adoption of regular PCI scanning and hence are checked for vulnerability assessment and penetration testing is done by them self on their network to know their own loopholes.
ISO/IEC 27001:2013 asks the organization to carry at least 2 checks every year by a certified auditor to give confidence to the end user client of the business and the service provider also.
OWASP publishes Top 10 vulnerabilities every three years on the basis of the survey which studies attacks that do most damage globally. Clouds with their advantage bring their risk of usage also. The majority of attacks against internet applications involve injecting input to the server that’s crafted to cause some event that wasn’t expected or desired by the application’s designer. Ex. malicious code injection of server side, whether SQL Injection or XSS.
For this application must assume that all input is potentially malicious, and it must take steps to ensure that attackers cannot use crafted input to compromise the application by interfering with logic and behavior, that gives unauthorized access to data and credentials over functionality. Examples of submitting crafted input to attain these objectives are:
- To change the price of a product transmitted in a hidden HTML form field
- Altering some input that will be processed by a back-end database to inject a malicious database query and access sensitive data
- Modifying a session token transmitted in an HTTP cookie to hijack the session of a legitimate user
- To remove the certain parameters which normally submitted to exploit a logic flaw in the application’s processing
SSL does not prevent from submitting crafted input to the server. If the application uses SSL/ TLS, this simply means that other users on the network cannot view or modify the attacker’s data in transit. Because the attacker can send anything through his side of the SSL tunnel.
If any of the attacks which can exploit any loophole that’s un-patched works on the server side can bring a great level of damage to the entire business. Example of such attack is “Wanna-cry virus” attack which targeted health care system of entire Europe as they were running Windows XP with an unpatched security flaw that was exploited. Wanna-Cry got created at first place due to loss of a software source code from the CIA which CIA kept with itself as spyware, which was then crafted into the virus by some group of hackers. In recent times ASUS supply chain faced similar attack, but this time attack was on just 27(Not Sure!!)specific MAC id based devices.