A Hybrid vs. Cloud Architecture Horror Story
Treat all web interfaces as a frenemy—you know, that person who is great to hang out with but would be on the list of suspects if you’re discovered with a knife in your back? There is a moral in this security horror story: trust no one.
Online businesses have to be careful. It’s a dangerous world, full of anonymous people and services wearing digital skins. It sounds horrific because it is. On the other side of a transaction, could be anyone. There is unavoidable risk. Particularly when it comes to the web interfaces and, especially, API endpoints that online businesses depend on for transactions.
Looking towards your cloud provider for your security is like looking backward while running. It’s no way to stay ahead of danger. By the time you get a clear view of the attack, you may have gone down.
CDN-based security services filter incoming traffic. But that isn’t enough to fully protect against the bad guys. Client-side attacks, like CSRF or XSS attacks, aren’t necessarily captured by those filters. Depending on the cloud provider is ignoring their own susceptibility.
Their breach may end up harming you or your data; you do business as normal not realizing there is a hacker inside what looks like your friendly neighborhood provider. You may end up attacked indirectly, through the cloud provider or another service, during any routine task that you perform with that party. (This is why having your own heightened vigilance is essential to survival.)
When the Wrong One Gets In
Think Invasion of the Body Snatchers, Get Out, or Stepford Wives—cloud providers are themselves susceptible to access takeover attacks (credentials being hacked) and client-side vulnerabilities resulting from any online transaction.
Hackers can exploit these sorts of vulnerabilities, extracting valuable data like customer SSL certificates. Consider API like the chatty teenager in the film, hanging out with a ton of people. You can’t isolate them. And you can’t prescreen everyone they talk to. Adequately protecting APIs through regular-expression-based solutions is exceedingly challenging, and ramps up the exposure. Step in the hacker. Hackers know that APIs are vulnerable and great payoffs.
Old school strategies for securing APIs, are like landlines. They just don’t work anymore. Legacy WAFs utterly lack the ability to live through a horror movie. They cannot properly parse complicated API formats, such as REST/JSON/SOAP/XML. That means the hackers can get in, totally unnoticed.
Hackers may be hiding in your closet right now, dressed like JSON or covered in SOAP.
Now let’s talk about scary frontend activity . The CDN/WAF interface is a single point of access for all incoming unencrypted data , and it is all centralized. That’s like all the kids who bullied the unpopular kid in the same remote cabin in the woods with a dead car engine. The security of this centralized server is the weakest link in the web application and API security of all its clients. As soon as the main entrance is redirected to the provider, it becomes a silently opening front door for attackers.
Cyberattacks that Look Like Friends
A scary example of a cloud-based service being hacked is the Imperva Incapsula breach. Now, remain friendly to Imperva. It could happen to a lot of companies. What you don’t want is to have to suffer the same fate. Don’t root for the bad guys. Imperva is still the protagonist. Hackers are the real villains.
In one foul sweep of a breach, the following data was ghastly exposed:
- hashed and salted passwords
- private email addresses
- API keys
- customer-provided SSL certificates
Most troubling are the API keys and SSL. Obtaining SSL keys can allow hackers complete access to Incapsula customers’ unencrypted data. It also enables a number of auxiliary attacks, including man-in-the-middle attacks.
Ratcheting up the worry, are API keys and API security exposure. We can look to the serious damage caused by API keys exposure in a Docker repository vulnerability. API keys can render resources exploitable to be modified, misappropriated and misdirected. In this case, hackers can use the compromised APIs to redirect traffic from the CDN, install trojans, reconfigure access and more.
The exposure of these “keys” is like if Jason were to get the keys to the sorority and invites all his masked buddies for a Halloween party—but on a cyber level. Epic carnage and devastation await unsuspecting civilians.
Not all architectures are as vulnerable to attackers as others. Unlike cloud-based CDN / WAF, hybrid architecture security solutions can protect data privacy and protect sensitive data inside customer infrastructure.
Hybrid solutions perform initial processing and detection via filtering nodes that work as part of local load balancing infrastructure. That means SSL certificates and API keys are safely housed because they don’t need to be shared outside of the client organization. They never leave. Thus, your social teenage protagonist is in the safe room. Or, in tech talk: data exposure and threat vectors are drastically limited, reducing the compliance perimeter and limiting any risk of data exposure.
So, how you protect yourself really can come down to the environment and how well you keep your own home locked down.
You never want to let strangers in. But, if you aren’t in your own home, you may leave a window open. Or worse, if you don’t know what to test for, who you trust may not really be who you think they are. Make sure your security tools and protocols are filtering for the threats that lurk in that landscape and directly testing whatever comes in, whoever it looks like on the surface.