Attacking Public Clouds Through APIs
Organizations are moving to the cloud for a variety of reasons. Some want the scalability that it provides, while others are looking for cost savings derived from sharing infrastructure with other cloud customers. Regardless of the reason for cloud adoption, the cloud is a very different environment for organizations to operate and secure.
One often-overlooked attack vector in the cloud is the set of application programming interfaces (APIs) provided by a cloud service provider (CSP). These APIs are designed to let a customer configure and secure their cloud deployment, but that same power makes them a potential threat to cloud security. Failing to properly configure and secure these APIs, for example with a web application firewall (WAF) or a similar control, leaves an organization’s cloud deployment vulnerable to attack.
Challenges of Cloud Security
As organizations move to the cloud, many of them find that cloud security is very different from securing on-premises environments. The steep learning curve of cloud security, and the fact that organizations are often moving to it without a complete understanding of the associated risks, leaves these organizations open to attack.
One major challenge for organizations transitioning to the cloud is that the cloud is a very different environment from on-premises deployments. The perimeter-based security model that many organizations use, where everything inside the network boundary is trusted and everything outside is untrusted, does not work as well when the organization’s cloud resources sit outside the network perimeter, are hosted on infrastructure it does not own, and are directly reachable from the public Internet.
The use of CSP-owned infrastructure also creates problems for organizations with multi-cloud deployments, where a number of public and private cloud solutions are used to take advantage of CSPs’ optimizations for certain use cases. In these circumstances, the organization’s security team must figure out how to configure CSP-provided security controls (which differ from vendor to vendor) to meet the organization’s security policies.
This process of configuring vendor-provided security settings is complicated by the fact that many security teams have an imperfect understanding of the cloud shared responsibility model. Since the CSP controls part of an organization’s technology stack in the cloud and gives the customer control over the rest, neither party is capable of securing the entire ecosystem. Instead, CSPs specify which parts they secure, which parts are the customer’s job, and which responsibilities are shared. A failure to understand where the CSP’s duties end and the customer’s responsibilities begin leaves security gaps that attackers can exploit.
Cloud APIs Vulnerable to Attack
Uncertainty about the cloud shared responsibility model and how to operate in the new cloud-based ecosystem creates significant challenges for organizations’ internal security teams. CSPs generally document their security features and how to use them clearly, but this is both an asset and a liability for many organizations.
One way that cybercriminals can attack cloud-based deployments is through the APIs provided by CSPs for their clients to manage their cloud-based deployments. These APIs are often at or near the border where the CSP hands off security responsibility to the customer, making it challenging for some organizations to understand their responsibilities and how best to configure CSP-provided security settings.
Managing a cloud deployment’s security is very different from managing it on premises. On premises, administrators can lock down access to features like APIs behind a well-protected network perimeter and with network segmentation. In the cloud, on the other hand, the APIs, like everything else, are accessible directly over the public Internet, which makes monitoring and managing access to these systems harder.
As a result, the security of API credentials is even more important in cloud-based environments. However, these credentials can easily be compromised. Leaks of API keys on sites like GitHub are a well-known security threat. Alternatively, an attacker with access to a cloud administrator’s computer may be able to steal credentials from the local file where the CSP’s tooling stores them.
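One defensive control against the key leaks described above is to scan files before they are committed or published. The following scanner is an added example, not code from the original article: it flags credential-shaped tokens using well-known key formats (AWS access key IDs, AWS secret keys introduced by their configuration name, Google API keys), applies an entropy gate so obvious placeholders are not reported, and redacts what it finds so the scan output itself does not become another leak. The sample text is constructed; the AWS-shaped values are the publicly documented AWS example credentials, not live keys.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of text a pre-commit hook or log monitor might scan.
# The AWS-shaped values are the publicly documented AWS example credentials,
# not live keys; the 40 'A's stand in for a placeholder a developer left behind.
SAMPLE_TEXT = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
region = us-east-1
"""

# (name, compiled pattern, apply entropy gate). The gate is used for shapes that
# are otherwise too loose, e.g. "any 40 base64-ish characters".
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), False),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), True),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), False),
]
MIN_ENTROPY_BITS = 3.0  # below this per-character entropy, treat the value as a placeholder


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a string made of one repeated character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(token: str) -> str:
    """Keep enough of the token to locate it in the file, never enough to reuse it."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def find_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_token) for every credential-shaped hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, gate in PATTERNS:
            for m in pattern.finditer(line):
                token = m.group(1) if m.lastindex else m.group(0)
                if gate and shannon_entropy(token) < MIN_ENTROPY_BITS:
                    continue  # repeated or trivial value: almost certainly a placeholder
                hits.append((lineno, kind, redact(token)))
    return hits


if __name__ == "__main__":
    for lineno, kind, shown in find_credentials(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {shown}")
```

Run against the sample, the scanner reports the access key ID and the real-looking secret on lines 1 and 2 and stays silent on the placeholder and the region line.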
CSPs are working hard to educate users about their cloud environments and the security features they provide. The workings of cloud configuration settings and API details are exhaustively documented. However, this is both a liability and an asset: while cloud customers can read and use this documentation to improve their security, cybercriminals can read and make use of it as well, dramatically lowering the difficulty of exploiting cloud deployments via CSP-provided APIs.
The Importance of Securing the Cloud
Organizations are increasingly moving to the cloud to take advantage of the many benefits of leasing computational resources rather than maintaining infrastructure in-house. However, the cloud is a very different environment for the organization’s security team to secure. The traditional perimeter-based security model no longer applies, traffic to and from the cloud does not pass through the corporate network for scanning, and the customer lacks visibility into and control over part of their technology stack in cloud deployments.
These issues are exacerbated by the fact that organizations are expected to monitor and secure their cloud deployments using CSP-provided APIs. These APIs are well documented by CSPs, which is useful to attackers looking for an opening, but they are often imperfectly understood by their owners. A failure to properly configure CSP-provided security settings can leave an organization open to attack, and the CSP’s API is a prime target. Deploying a WAF and other security controls to protect these APIs is critical to ensuring that they are not exploited by an attacker.
Featured image by kreatikar