As more government agencies move to cloud-first digital service delivery, security concerns have scaled new heights in line with a new and intensifying threat landscape, presenting special challenges for agencies looking to exploit the benefits of cloud infrastructure and applications.
Cloud computing is a service which is in high demand due to the advantages of computing power, agility, cheaper service costs, high performance, scalability, as well as availability and ubiquitous access.
Because cloud services live entirely on the web, agencies face a paradox: protecting their applications from attack with traditional security approaches can severely degrade performance for citizens and stakeholders. The remedy is sometimes as bad as the infection agencies are seeking to protect themselves from.
The fact that these services are accessible by anyone with the correct credentials means identity management and the management of permissions become critical. For this reason, insider threats from rogue employees and contractors — current or former — are far more problematic and, in the worst case, catastrophic.
In recent years, a spate of hacking attempts on the systems of the Reserve Bank of Australia, the Australian Bureau of Statistics and the Bureau of Meteorology leaves no doubt that any type of government agency can be a primary target. The potential damage from theft of personal information (health, tax), national secrets and intellectual property can be disastrous.
Computer networks have always been vulnerable to attack. But it is the sheer scale of data stored on cloud servers today, coupled with the shared, on-demand nature of cloud computing that adds to security concern and complexity.
The Cloud Security Alliance warns that while cloud service providers deploy security controls to protect their environments, ultimately individual agencies and organisations are responsible for protecting their own data. As noted in the recent CSA “Treacherous 12” cloud computing threat report:
“Cloud services by nature enable users to bypass organization-wide security policies and set up their own accounts in the service of shadow IT projects. New controls must be put in place.”
Also among the top 12 security concerns are compromised credentials, APT (advanced persistent threat) parasites, denial of service (or DoS) attacks and malicious insiders.
Surveys consistently reveal Australian public sector agencies and private sector companies are generally underprepared to deal with attacks and their consequences. Many government agencies are stuck trying to update their old security practices in order to keep up with the online, cloud and mobile era.
The old ways of protecting against attack — firewalls, signatures, tightening rules and broadening inspections, for instance — work to some degree, but they also decrease performance.
The ‘DDoS paradox’
“It’s the DDoS paradox,” said James Tin, principal enterprise security architect of Asia Pacific and Japan for Akamai, a global content delivery network and security specialist. “The very act of shoring up defences in order to prevent DDoS and other attacks with on-premise or virtual equipment actually results in the same effects — sluggish performance or a knocked-down firewall — as the DoS attack itself.”
A Distributed Denial of Service (DDoS), one of the most common forms of attack, is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Attackers build networks of infected computers, known as “botnets”, by spreading malicious software through emails, websites and social media.
Once infected, these machines can be controlled remotely, without their owners’ knowledge, and used like an army to launch an attack against any target. Some botnets are millions of machines strong and specialised online and underground marketplaces exist to buy and sell access to botnets for as little as $150.
DDoS attacks have become an increasing problem in Australia, which over the last year has been named both the world’s second-largest victim of DDoS attacks and, briefly, one of the world’s 10 worst DDoS sources.
According to Akamai’s latest State of the Internet report, released quarterly, there was a 40% increase in DDoS attacks and a 28% increase in web application attacks compared with Q3, setting new records for the number of attacks in the quarter. Australia ranked in the top 10 again as a target of web application attacks.
Repeat DDoS attacks were the norm, with an average of 24 attacks per targeted customer in Q4. Three targets were subject to more than 100 attacks each; one customer suffered 188 attacks — more than two per day for the quarter — and 56% of all DDoS attacks mitigated in Q4 2015 were multi-vectored, according to the Akamai report.
“We continue to see a dramatic shift in web attack volume, vectors and variety,” said Tin. “In order not to sacrifice performance, we need to think about security in a fundamentally different way.”
Notably, the challenges agencies face include a shortage of skilled security resources and a lack of staff training and security awareness within their organisations.
“Bringing the in-house talent and culture in line with a cloud-based environment is critical,” said Tin. “Agency leaders are recognising it’s not just the domain of the CIOs. It’s a top-down rethink of risk mitigation requiring education of executives whose expertise lies outside ICT. Agencies and businesses who approach cyber security in a cloud environment as an IT risk rather than a business risk will struggle to appropriately manage that risk.”
Akamai operates the world’s largest web content distribution network, spanning more than 210,000 servers in 120 countries. The company has a number of large Australian government customers and has close partnerships with the likes of Microsoft, Telstra and Optus.
Akamai delivers up to 30% of global internet traffic and up to 70% of the world’s web transactions. This is a massive amount of data, which is analysed for threat patterns and used to battle-harden rules and systems. Because its Kona Site Defender security technology is installed and always on in each one of those servers, attacks can be identified and stopped at the perimeter, and tightening or broadening rules does not have a measurable negative impact on throughput and performance.
Akamai’s cloud and network security defences and performance are further boosted by the recent launch of its scrubbing centre in Sydney, the seventh around the world. Scrubbing centres identify and “commandeer” DDoS attack traffic and strip it from the incoming traffic streams heading to Akamai’s telecommunications, cloud services and other customers. Without the Sydney centre, attack traffic had to be routed through Akamai sites in Hong Kong, Tokyo or Los Angeles.
“We attract all the attack traffic from Australia, scrub it and only allow the good traffic to pass on to our customers,” Tin explained. He and Mike Smith, Akamai CTO for security in Asia Pacific, are in Australia this week presenting at the annual AusCERT security conference on the Gold Coast.