IaaS cloud computing enables businesses to provide their customers with advanced PaaS and SaaS services. However, cloud servers belonging to AWS, Google Cloud, Microsoft Azure and additional providers are vulnerable to attacks and data breaches, which can directly risk your network and systems. This blog post will explain which vulnerabilities exist, why VPNs and Jump Servers cannot secure your network, and how zero trust can protect your assets. Let’s get started.
Cloud computing IaaS servers have integrated vulnerabilities. These vulnerabilities are common knowledge among the security community and hackers. If DevOps and security engineers who use these servers do not take active measures to secure the network, these server vulnerabilities can be used for malicious network penetration.
How do hackers find the vulnerable servers? Vulnerable servers that are open to the public network can be identified through automated scanners like Shodan and search queries like Google Hacking/Google Dorking. These free scanners and databases can be queried for the types of servers with known vulnerabilities, e.g: SSH server version X or RDP server version Y.. The scanners return a list of servers that have public network access.
Some companies and white hat hackers utilize this ability to identity threats and close the attack surface. Bad actors use them for identifying attack targets. Once they have the list, they can attack the servers with brute force attacks, credential stuffing, malware, etc. When they are in, they can steal personal data, wreak havoc, demand a ransom, mine bitcoin, and more.
As mentioned, DevOps and Security Engineers attempt to secure their networks despite the server vulnerabilities (and before perpetrators enter them). This is done through three main solutions:
Jump Server / Jump Box management
Zero Trust (see next section)
VPNs and Jump Servers are based on the castle-and-moat security approach. They attempt to secure the network perimeter by enabling authorized IPs access. Their assumption is that bad actors were not admitted entry.
However, this solution has multiple problems:
Overhead: Employees working remotely or connecting through mobile devices have various, changing IPs, which are difficult to track. This creates a lot of overhead and meticulous work for IT managers.
Security: Modifying security policies to all employees’ IP ranges makes the network vulnerable. When connecting remotely and from mobile, these approved IPs are also accessible to additional devices and people, who can then access the network.
Business Sluggishness: IT managers and other employees who constantly have to deal with IP management instead of work, become annoyed, cynical and demoralized. They suffer and the business suffers.
VPNs and Jump Servers were not created for securing cloud servers. Therefore, a different security solution is required.
Cloud computing infrastructure poses inherent challenges. A simple and efficient approach to ensure secure network access when using cloud servers is zero trust cloud security. Zero trust is an identity-based security access model. Meaning, even if perpetrators are able to penetrate the network through the servers, they will not gain access to internal servers, apps, systems or assets. This is because the entire network is hidden from them without authentication. They do not even know which assets (and vulnerabilities) exist in the network.
In addition, the perpetrator’s actions will be listed in the activity log, audited, and recorded for supervision. No more cat and mouse games trying to recap the bad actor’s actions inside the network. This ensures a high level of security, network visibility for CISOs and simple usage for IT managers.
DevOps engineers use cloud computing to ensure product quality, good customer experience and speedy time to market. However, these abilities can come at a security cost. By implementing zero trust, security engineers and IT managers can ensure business continuity, while improving the company’s security posture.
Dedi Yarkoni is CTO and co-founder of Cyolo. Prior to Cyolo, Dedi worked as the Cyber Lab Research Team Leader at GE Digital and the Applicational Security Technical Program Manager at AWS. He is also a certified ethical hacker and a veteran of the Israeli Navy.