Cloud Security Assessments

James Bromberger Posted 21 July 2018

Security is a fundamental necessity of any technology solution, and it is a constantly evolving landscape.

Once upon a time, just knowing a secret passphrase or a secret handshake was sufficient. The phone Phreakers of the 1950s knew that just making a 2600 Hz sound into a telephone would yield extended access and possibly free telephone calls. Over time, these systems have modified, but attempts to get free rides continues.

Today, access management is still just as important — be that in Operational or Information technology environments. And while currently we use modern encryption ciphers such as AES-256 1, encryption negotiation protocols such as TLS 1.2, and X509 certificate signing algorithms such as SHA256 with RSA, it is pretty clear that we will be shifting over time to even stronger implementations. This may sound alien, but your web browser you are using right now just did all this for you; and it decided to show you a green padlock (or similar) — because in the eyes of the browser vendor (Chrome, Firefox, IE, Opera, Safari, Lynx 2, Links 3) felt this was sufficiently secure (complex) to protect you at this time.

Fingerprinting Data

To highlight this, we have recently been looking at getting a digital fingerprint on documents being passed around between integration partners. These files (such as PDFsMS Word Docs, images, etc) may be subjected to a "hash" or "digest" to give a sort of fingerprint. Over time there have been different algorithms used to implement this fingerprinting. However, one of the risks of taking a fingerprint is the chance of a "collission", where two totally different sources produce the same fingerprint.

"Hello World"

For an example of fingerprint data in action, lets take the content "Hello World." and show it with a fingerprint from some legacy algorithms:

ALGORITHM | Value of hash('Hello World.')

  • CRC-16 4 | 0x53FE
  • CRC-32 | 13c15553
  • MD4 | 8fb696324ba38d8118ae52d8a4fd88bf
  • MD5 | d7527e2509d7b3035d23dd6701f5d8d0
  • SHA 1 | 5D8AB2C1372D6BF6754423CDECEBC60B7172754B
  • SHA 256 | EF9251FC61410F9767B0C6E0CA4DC4844C5BD96FE2A56BFB15552A9BDDD4E24E
  • SHA 384 | ded020e0ea23fd2d983f7d833c44811f9e3fa96e412f84f7427250af07a5630e26366a69c44bac94fd31ec73b1b847d1
  • SHA 512 | fee4e02329c0e1c9005d0590f4773d8e519e0cda859775ac9c83641e3a960c57e7ad461354e4860722b6e3c161e493e04f5ef07d9169ff7bdab659d6a57cc316
  • Whirlpool 5 | 8bcdd478008be50f0980e1c5aad0e2685f8c8c169972af1d544ed8cfe762835d7626c862c3690b7163c727b9465b0ab51ffa6b451771f0432f6ed5c2ff8cd5f6

Sometimes the output fingerprint value is the same length, but the method of fingerprinting — the order in which data is examined which modifies the output value — may make it more secure. But what is clear is that newer digests are generally producing larger checksum values.

Today, it is commonly seen as acceptable to use a SHA-256 algorithm — indeed, we are at the tail end of a multi-year migration from using SHA-1 as the signature algorithm from web site SSL certificates. I am sure that, over the course of time, we will move to a longer and stronger (more unique) fingerprint just as we see Moore's Law continue to improve compute capacity, and bandwidth continues to increase globally.

Case in point for a hash collision: an article in February 2017 from The Register shows a collission for the SHA-1 hash, but rightly concludes that the difficult (and financial cost) to doing this is dropping over time.

Browser Improvements

So what has this got to do with Cloud security, or technology in general?

The underpinning idea is that there is a good way of doing most things today, but there are probably better ways of doing an activity in future. Cloud providers are constantly producing a better service: they employ more people than any individual company, and attract top tallent in order to produce these services. They also submit themselves to an ever growing list of compliance and certification regemes, the world over.

10 years ago (yes, a decade), EC2 Security Groups were the only protection provided by the Cloud providers for your virtual machines in the AWS EC2 environment. Other customers were on adjacent IP addresses — it was a shared (RFC1918) address space. Evolution happened and Virtual Private Cloud — your own private network — provided an extra layer of security. Then came Network Access Control Lists (NACLs), NAT Gateways and Egress-Only Internet Gateways (for IPv6 VPC networks). Multi-factor authentication for console sign on, IAM Policy and Policy ConditionsS3 Endpoints for VPC and Endpoint PoliciesDynamoDB Endpoints for VPC, etc. None of this stood still, and keeping current on the improving capabilities is itself a challenge (and for us, a passion).

We were recently asked to do a security assessment of a new AWS Cloud workload for a State Government agency that handles large volumes of financial transactions. Modis's an Enterprise-wide AWS Cloud security assessment (itself 2 pages), and a per-workload (per AWS Account) security checklist (10 pages at the time), makes a comprehensive assessment for security and operational considerations.

The purpose of this was two-fold: one to assertain what had been done already, but also to act as discussion points around the decisions and design of the workload from a security and operational perspective. However, we are not done, and in just a few months, this has grown again: there are more recommendations that we look at to further improve security and ease the operational management over time.

During this exercise, the customer's development and operations team members were engaged to think through their deployment from the lens of security and operations, while afterwards we wrote up the recommendations and findings and returned this to the customer for their consideration and implementation.

We now operate this with multiple Public Sector and commercial customers across the country — a one or two day assessment done with the security and operational teams (or just their team leads) to help reduce the risk in making changes to running environments.

Of course, we are constantly updating our checklists to keep track of current capabilities, and we know the future will be even richer in the controls and capabilities our customers may make use of.

We find that various customers have varying security and operational knowledge and experience, and it is our pleasure to bring a fresh perspective to these organisations to assist them on their cloud journey. Obviously there are many things we look at, including such embarrassing issues as leaving private data publicly accessible — such as the recent article about millitary contractors doing so with AWS S3, or preivous articles such as the CloudPets failure. These are mistakes that should be prevented by having polcies in place — and should routinely be verified to ensure they are still in place.


  1. AES: The Advanced Encryption Standard, also known as Rijndael (Wikipedia).
  2. Lynx: does not display an icon, as it is a text based browser (Wikipedia). Press "=" to see some page info.
  3. Links: Yes, another text based browser (Wikipedia), but pressing "=" will display cipher-suite and TLS protocol.
  4. CRC: Cyclic Redundancy Check (Wikipedia).
  5. Whirlpool: (Wikipedia).