Cloud Security

RSA 2015: Security in the cloud undermined by poor credential management, says Charney

Despite the rush to the cloud, certificate authentication is still the Achilles' heel of the industry, according to Scott Charney, corporate vice president, Trustworthy Computing at Microsoft.

In a keynote address to RSA 2015 on Tuesday, he said there is a growing awareness in the non-security world that cyber attacks can have devastating consequences, which is driving a fresh interest in cybersecurity.

“It's not just all the breaches that continue unabated, it's that the attacks have become more destructive,” Charney said, citing examples of the hackers who destroyed oil pipelines in Saudi Arabia and caused significant harm at Sony.

“The fact is that destructive attacks will stop you doing your daily business, and it's the nature of those attacks that has changed the conversation outside of the security community and in the executive suites and the boardrooms,” he said.

Moving to a cloud service provider can help companies manage their cyber-security, but taking the data out of the organisation and into the cloud raises issues of control and transparency.

“It changes the relationship between the vendors, who used to provide the technology to the customers, to customers saying, all right, I'm putting my stuff in your cloud, how should I think about trust models in that environment” he asked.

Trust cuts both ways. As a cloud provider, Microsoft wants to trust all of its customers but realistically some of them are going to be criminals. So you build the cloud to protect it from the VMs, he said, but the customers can turn that on its head and ask how the cloud service provider is going to protect the VMs from the cloud?

“How do we protect our systems from your administrators? It's not that we don't trust you because if we didn't trust you we wouldn't do business with you, but there's a lot of concern,” he said. “We want technically enforced trust boundaries and transparency.”

Security in the cloud is about mitigating risk, not eliminating it, so the question that cybersecurity professionals need to be asking themselves is how to do a better job of policing this new environment. And how can companies like Microsoft and other cloud service providers start to think about control and transparency?

Charney believes that username and password credentials are the biggest risk.

“It's not just that they get stolen and phished but also that people use the same ones everywhere so if you lose them in one place, you have lost them in a lot of places," he said. "We all know we need to move to a different system.”

He says Windows 10 will help solve this problem with a more robust and secure authentication system based on biometrics.

"It's about more personal computing, that is, your computer will recognise you and you will have a relationship with your machine,” he said.

As computers become more interactive, it should be possible to make security more user-friendly and do away with one-time passwords and other clunky security workarounds.

He said that Trusted Platform Modules (TPM) can be used to sign credentials so that even if someone steals your username and password and tries to use them on a different machine, the reliant party will recognise that they are coming from the wrong machine and reject them.

“That kind of technology, if it's embedded in a way that people can use easily, will deal with a lot of the phishing things – because your credentials will get phished but can't be played from another place,” he told the audience.

TPMs can also be used for trusted boots so you can know what your operating system should boot to and you can attest that the boot process worked the way it should, giving you control over trusted applications.

“To be clear, none of this is a panacea,” he said. “The terrain is dangerous, but what you want to do is narrow the attack surface so you can worry about less and be more intelligent about what you look for.”

The first generation of TPM came with one flavour of crypto-algorithm – SHA-1 – but with TPM 2.0 (currently working towards ISO standardisation), users will have a choice, giving them what Charney described as “crypto-agility."

With crypto-agility, users will be able to specify to their TPM chip vendors their choice of algorithm, yet another step toward giving the user more control.

User control means, for instance, that in Office 365, users can if they need to revoke the key that enables their cloud provider to have access to their email. “One of the principles of privacy is the destruction of data when it's no longer needed and this gives you that ability,” he said.

Charney said that the issue of system administration privileges needs to be addressed urgently. Microsoft's JitJea powershell tool ensures that the administrators do not have persistent admin privileges, giving them what they need when they need it.

“Now you can put the customer in control,” he said. “You can say to a cloud customer, you want us to access a file because you think it's corrupted. We are going to need system administration access but instead of granting it to ourselves, let's put you in the approval chain.”

Complementing this is the access log, which gives customers details of who has accessed what data so they can compare it to the list of authorisations they think they have granted.

Destructive attacks are causing boards and CEOs to wake up to the threats of the cyber-terrain in which they operate. By moving to the cloud, businesses that don't have the resources to have an IT security team can more effectively mitigate their risks, a decision that is made easier for these companies by the tools that have been developed to give them control and transparency comparable to what they would enjoy with an in-house IT service.  

This article originally appeared on SC Magazine UK.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.