IaaS, the initials by which Infrastructure as a Service is known, is the traditional cloud model provided by suppliers such as VMware, Microsoft Azure or Amazon AWS, among others. Under this approach, virtual machines or serverless computing services are offered.
One of the advantages of IaaS is that there are very few limitations on what applications can be run on the infrastructure or what tools can be used to run the applications. In addition, many service providers also offer databases or storage in the cloud, as a complement to the infrastructure.
However, security services are a necessary addition to the IaaS equation, since on this type of platform several problems may arise that require a good solution. Aviatrix offers a wealth of information on this and similar topics.
Security in Cloud Services
The security of any service that runs in the cloud depends on the level of protection that the cloud infrastructure can guarantee, as well as on the customer organization's foresight in avoiding threats by making sound choices. In general, the risks of this type that affect the infrastructure represent an important security concern, one that goes beyond the risks affecting traditional servers. Among the most notable are the following.
Internal threats - employees of the cloud service provider have direct access to hardware and networks, and many have access to hypervisors, provisioning systems and authentication infrastructure. Their privileges therefore make them a potential threat. The way to prevent this type of situation is to focus on choosing reliable IaaS providers.
Escape from virtual machines, containers or sandboxes - once in the hypervisor, the attacker would be able to modify code, steal secrets and install malware in any instance on the same hardware. The risk of such escapes can be reduced by minimizing the number of virtualization drivers and other features the hypervisor exposes, and by deploying intrusion detection tools.
Illegitimate acquisition of credentials - access to the accounts used to provision virtual machines and other cloud services allows the attacker to simply use the cloud service's API or user interface to destroy services or grant additional access at will. Credentials for the cloud service can be obtained, for example, by installing a keylogger on an administrator's desktop as part of a wider breach of the internal network.
Weaknesses in encryption - one way to gain access to the cloud is to break the encryption. Most cloud services and APIs are protected by the TLS protocol, which in turn depends on a PKI for authentication. The typical way to break the cipher is to break the PKI. A PKI generally provides a good level of security against casual attackers; however, it can be compromised by obtaining a certificate from any one of the certification authorities. The way to avoid this threat to the integrity of the IaaS is to ensure that the cloud service provider keeps its infrastructure properly patched and properly configured.