Cloud Asset Management and Protection: Storage Assets

Welcome to Part 2 of our 3-part series on Cloud Asset Management and Protection.

In the previous article, we unpacked various ways to manage cloud compute assets. Here, we tackle another important cloud asset – storage.

In the cloud, you can store data in different formats. Here, access management is important since it helps drive an effective asset-oriented approach to risk assessment. It also helps strengthen cybersecurity controls, and optimize cloud inventory and costs.

Persistent Storage in Cloud Storage Assets

Cloud storage assets are a type of “persistent storage”. This is storage that permanently retains data even if power to that device is shut off. Data stored in persistent assets can be difficult or time-consuming to move around. This is why it’s often described as “sticky”.

Persistent storage is important in the cloud because your data must remain available even if containers, worker nodes or clusters are removed, especially for:

• Core data that drives or influences business-critical decisions
• Stateful apps  that save user data between sessions
• Data for auditing and compliance
• Data to meet legal requirements
• Data shared across multiple app instances

Types of Persistent Cloud Storage Assets

1- Block Storage

Block storage provides fixed-sized storage capacity. Each data block is like an independent hard disk drive that becomes available to a server like a spinning disk controller.

Examples include:

• AWS Elastic Block Storage (EBS)
• Azure Premium Storage
• Google Persistent Disks
• Rackspace Cloud Block Storage
• IBM Cloud Block Storage

Bad actors with direct access to block storage can bypass operating system-level controls on the server. That’s why access management is critical. Securely manage data by analyzing what data is stored and encrypted, and deleting stored personal data. Use Secure Block Storage to protect files, databases and applications from component failure, and for backup storage. Some CSPs like IBM provision block storage with Endurance and Performance options to store and encrypt data without impacting performance.

2- File Storage

Cloud file storage organizes data into logical directories and hierarchical, shared files accessible to servers and applications. It provides scalability, interoperability, and cost control, and is best for workloads that rely on shared file systems, like development environments,  content repositories, and media stores.

Examples include:

• Amazon Elastic File System (EFS)
• Azure Files
• Google Cloud Storage
• FUSE
• IBM Cloud File Storage

Although the system provides access control lists (ACLs) to control file access and permissions, these are enforced by the operating system. As a result, malicious actors with access to the file storage can read, manipulate or compromise the files stored there. This is why access management is so important with file storage.

3- Object Storage

Elastic, scalable and flexible, cloud object storage is ideal for storing unstructured data, large datasets, log files, database dumps, and backup/archived files. Objects – which cannot be changed after creation – are thrown into a “bucket” without further organization. Data and custom metadata can be accessed directly via APIs, HTTP or HTTPS.

Examples include:

• Amazon S3
• Google Cloud Storage
• Azure Blob Storage
• Rackspace Cloud Files
• IBM Cloud Object Storage

Since object storage is highly distributed, data is more resilient to hardware failures. It also offers different layers of access control, e.g. individual ACLs for objects, and high-level policies for buckets. But when the latter are set for open access, they may lead to data breaches, so it’s critical to keep track of each of these assets so it’s important with a centralized policy framework.

4- Images

In a cloud environment, images are chunks of code that can be copied to create an “instance”, and run VMs, containers and aPaaS deployments.

When many people can access images and create new instances, it’s important to ensure that images don’t contain sensitive information. If they do, access should be strictly controlled. Images should be configured so when an instance is started, it gets secrets from a secure, highly-controlled location only. They should also be tracked so you can apply security patches for the operating system, custom application software, etc.

5- Cloud Databases

Cloud databases are either relational or non-relational. A relational database is a collection of data items with pre-defined relationships, and organized as a set of tables. These tables hold all the information about the objects represented in the database. Conversely, a non-relational database does not use a tabular schema to display object information, but just dumps the data in a single location in a semi-structured format. In general, it uses a storage model that’s optimized for the specific requirements of the data being stored. Your choice of database can impact the security of your overall application.

To secure your cloud databases, check if the cloud provider offers access control at the database layer, or better – fine-grained data control in the database.

6- Message Queues

Cloud message queues enable components to conveniently send and receive small amounts of data. But if these small chunks contain sensitive information like PII, attackers with write access may manipulate the queue to take undesirable actions.

To prevent this, protect access to message queues, and make sure that secrets are not sent across them.

7- Configuration Storage and Secrets Configuration Storage

Cloud configuration storage solutions like AWS Systems Manager Parameter Store separate configuration information from the cloud. This allows seamless code-sharing between different application instances.

Secrets configuration storage solutions like AWS Secrets Manager are designed to hold secret data. By separating access to secrets from other configuration data, it ensures that only authorized users can view the secrets.

To strengthen access management for configuration storage, identify and control access to assets that store configuration information or secrets. To ensure that attackers cannot modify source code or other artifacts during the deployment path, track these assets diligently. Also maintain an updated inventory of source code repositories, and regularly check them for open, exploitable vulnerabilities.

8- Encryption Key and Certificate Storage

It’s useful to use separate storage to store secrets that encrypt and decrypt data, and X.509 private keys. Encryption key storage like dedicated hardware security modules and multitenant key management systems allow operation wrap and unwrap without exposing the master key. Certificate storage systems raise alerts when certificates are due to expire.

Identify the assets that store encryption keys and private keys, and control access to them. Also control access to the encrypted data.

How Magalix Can Help?

Magalix policy enforcement engine is a fast, scalable and reliable way to implement “security-as-code” across your entire infrastructure. Get access to hundreds of built-in templates and policies so you can quickly apply all the security and compliance standards you need in a snap. Built for DevOps, Magalix enables you to shift left, and programmatically enforce security standards at any stage of the software pipeline with a single click.

Start protecting your cloud storage assets with codified security policies that effectively cover all your security, compliance, and operational needs.