The collapse of source-code hosting provider Code Spaces in the wake of an attack on its Amazon Web Services control panel has sparked industry debate around what the organization should have been doing to protect itself. While the Code Spaces incident was a security failure on several fronts, experts say the biggest lesson from the attack is that multifactor authentication is a must when dealing with the cloud.
On June 17, a distributed denial-of-service (DDoS) attack struck Code Spaces -- a frequent occurrence according to a statement on the company's website -- but an attacker had also apparently gained access to an employee's login credentials for Code Spaces' Amazon Elastic Compute Cloud (EC2) control panel. The as-yet-unidentified attacker reportedly left a message in the control panel demanding a ransom in exchange for ceasing the DDoS attack.
After determining that the attacker could not access its machines, Code Spaces attempted to take back its control panel by changing the login credentials. The attacker noticed the attempt and subsequently deleted all of the company's Elastic Block Store (EBS) snapshots, S3 buckets and Amazon Machine Images (AMIs) -- a devastating blow for a firm based entirely in one cloud provider's environment.
"Code Spaces will not be able to operate beyond this point; the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of on-going credibility," said the statement on Code Spaces' website. "As such, at this point in time, we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us."
Jeff Schilling, chief security officer for Dallas-based cloud hosting provider FireHost Inc., said the malicious actor that targeted Code Spaces likely gained access to the company's network via a typical phishing email, and once inside, was able to glean the necessary credentials to access the Amazon Web Services (AWS) control panel.
Perhaps the most worrying element of the attack, Schilling said, is that Code Spaces was likely not a specific target from the outset, but rather a target of opportunity.
"[Code Spaces] probably had a false sense of security, and thought [since] there are thousands of customers on AWS, no one will find them, but some attacker was fishing with dynamite," Schilling said. "What Code Spaces really brings home is that everyone is a target."
Why multifactor authentication wasn't implemented
Rachel Dines, senior product marketing manager for San Francisco-based Riverbed Technology, said the Code Spaces incident provided a number of cloud security lessons that many organizations have yet to learn, including that no one user should have an overwhelming amount of control over the cloud environment, that a business continuity plan should be in place well before an attack ever occurs, and that relying on a single-cloud provider strategy is a bad idea.
Perhaps most important, experts told SearchSecurity, is that Code Spaces' collapse may never have occurred if the provider had implemented multifactor authentication (MFA) for its AWS control panel -- a mistake described as all too common when deciding how to provision access to cloud services.
Schilling said his firm, a cloud hosting provider with a security focus, strongly advocates multifactor authentication to its customers, though not all of them agree to implement it because they view it as an extra headache. He added that the industry as a whole, including cloud providers, doesn't press the need for multifactor authentication often enough.
For one, cloud hosting providers such as AWS and Microsoft are ultimately trying to sell their wares, and if a security measure is perceived as adding cost or complexity, it tends to get cut in favor of making the sale.
"I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost," Schilling said.
Conversely, Schilling said many smaller organizations like Code Spaces tend not to have even a single dedicated security professional, meaning they often don't fully consider how important multifactor authentication is, or even ask their own providers whether it's an option.
Multifactor authentication: Easier than it looks
While multifactor authentication may be difficult to implement at the infrastructure level, Schilling said it's a simple process for the customers of major cloud hosting providers. As a security control, he said it provides a barrier that discourages all but the most sophisticated attackers, making the lack of information provided on the subject by providers all the more frustrating.
"It's fairly easy for the customer" to implement MFA through cloud hosting providers, Schilling said, "but they don't have anyone to explain that to them.
"Security is an opt-in model at most hosting providers. At the end of the day, it's the customer's decision about what they do opt in for," Schilling continued, "but I think there has to be someone at the hosting provider to sell the value of security."
Mark Stanislav, security evangelist for Ann Arbor, Michigan-based MFA vendor Duo Security and a former consultant with experience administering AWS environments, agreed with Schilling's assessment that implementing multifactor authentication is a relatively painless and cheap way of adding a security layer to a cloud environment -- regardless of whether customers choose to use a physical hardware token or the time-based one-time password (TOTP) algorithm.
Specifically in the case of Code Spaces, Stanislav said AWS provides perhaps the best set of MFA options among major cloud providers. Among AWS competitors, Microsoft acquired multifactor authentication vendor PhoneFactor in 2012 and has since rolled out the product to its Azure cloud customers, Stanislav noted, while Rackspace relies on the proprietary Symantec VIP multifactor product. AWS, on the other hand, gives its customers the option of using the TOTP standard for free with smartphones and tablets.
As for why multifactor authentication hasn't become more pervasive, Stanislav said many veteran tech professionals who have spent large chunks of their careers in enterprises or government agencies may only associate multifactor authentication with SecurID, the RSA security product that was the go-to option for implementing MFA for many years. A rollout of SecurID's token-based authentication system could be a costly and painful process, with thousands of dollars spent on distributing tokens, deploying the hardware to manage them, and product licensing.
Stanislav too felt that cloud hosting providers and other organizations don't do nearly enough to educate customers on the necessity of deploying multifactor authentication, or indeed to market MFA options so companies know they exist.
While MFA has undoubtedly become a more mainstream option for financial firms and other consumer-facing businesses -- in fact, half of the more than 1,800 respondents to a recent Ponemon Institute survey said their organizations planned to adopt some form of multifactor authentication in 2014, while another 40% were considering it -- Stanislav said that more effort is needed from cloud providers to raise the adoption rate among enterprise customers.
"Unless you are a security-centric person or are really ingrained in this space, you probably wouldn't know to look for two-factor authentication," Stanislav said. "Would it really hurt AWS if, when you logged in the first time, they put a little splash banner at the top [reminding you to add two-factor authentication]? I think that would be an easy thing to do and would up the adoption rate pretty quickly.
"This idea of having one Web console that runs an entire architecture is still a relatively new concept," Stanislav added, "and I think some people just haven't made that mental leap to" understanding the need to protect these consoles.