If anything, keys and certificates may be more important to cloud security than they are to on-premises security. With a shared infrastructure, protecting access to digital assets is critical. This was illustrated by a recent bug in Azure that was discovered by software engineer Ian Duffy. He unveiled a massive vulnerability in Microsoft update that left virtual machines on Azure running Red Hat Enterprise Linux open to attack.
SC Magazine UK reports that “Azure used an unusual installation script in its pre-configured RPM Package Manager that comprises build host information enabling hackers to find all Red Hat Update Appliances which expose REST APIs over HTTPS.” This allowed users such as Duffy to access archives containing configuration files and SSL certificates. Hackers could misuse this information to attain full administrative access to VMs.
In a blog post, Duffy outlines the vulnerability: "It was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it, all billing association seemed to be lost but repository access was still available."
Venafi Chief Security Strategist Kevin Bocek told SC Magazine UK that “as the update services use SSL/TLS encrypted tunnels, communicating and exploiting the service would almost certainly be a blind spot for Microsoft and Azure customers.” Security blind spots are dangerous and can leave you unwittingly open to attack. You need full visibility into where your SSL certificates live and how they are being used.
“Network security systems need to be fed SSL/TLS keys to have full visibility – something that is extremely difficult since most data centers have thousands of SSL/TLS keys and certificates, most completely unknown or out of reach of security administrators. Only automated SSL/TLS key and certificate discovery and orchestrated distribution to security systems can make full visibility possible,” continued Bocek.
Can you see all your SSL certificates that are being used in the cloud?
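As an added illustration of the certificate discovery Bocek describes (this is example code written for this page, not Venafi's, Microsoft's or Duffy's code), the script below scans a list of TLS endpoints, records each server's leaf certificate fingerprint, and then reports two things an inventory should surface: the same certificate served from more than one endpoint (the situation Duffy describes, where a copied certificate still authenticates) and certificates that expire soon. The hostnames are placeholders, and the inventory records used in the self-check are constructed; it relies only on the Python standard library.

```python
"""Minimal TLS certificate inventory scanner (added example, not from the article).

Verification is attempted first so that subject and expiry are available; if the
chain does not validate, the scan falls back to an unverified connection and still
records the fingerprint, because an inventory must see self-signed and
misconfigured certificates too rather than silently skipping them.
"""
import hashlib
import socket
import ssl
import sys
import time
from collections import defaultdict


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_cert_time(value: str) -> float:
    """Convert a getpeercert() 'notAfter' string (e.g. 'Jun 30 00:00:00 2025 GMT') to POSIX seconds."""
    return float(ssl.cert_time_to_seconds(value))


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with TLS and return a record describing the server's leaf certificate."""
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True)
                    # The decoded dict is only populated when the chain was verified.
                    info = tls.getpeercert() if verify else {}
                    return {
                        "endpoint": f"{host}:{port}",
                        "fingerprint": fingerprint(der),
                        "verified": verify,
                        "subject": dict(rdn[0] for rdn in info.get("subject", ())),
                        "not_after": info.get("notAfter"),
                        "tls_version": tls.version(),
                    }
        except ssl.SSLError:
            if not verify:
                raise
            # Verification failed: retry once without it and record the cert anyway.
    raise RuntimeError(f"{host}:{port}: could not complete a TLS handshake")


def shared_certificates(inventory: list) -> dict:
    """Map fingerprint -> sorted endpoints for every certificate seen on more than one endpoint."""
    seen = defaultdict(list)
    for rec in inventory:
        seen[rec["fingerprint"]].append(rec["endpoint"])
    return {fp: sorted(eps) for fp, eps in seen.items() if len(eps) > 1}


def expiring_soon(inventory: list, within_days: int = 30, now_ts: float = None) -> list:
    """Endpoints whose recorded certificate expires within `within_days` of `now_ts` (POSIX seconds)."""
    now_ts = time.time() if now_ts is None else now_ts
    cutoff = now_ts + within_days * 86400
    result = []
    for rec in inventory:
        not_after = rec.get("not_after")
        if not_after and parse_cert_time(not_after) <= cutoff:
            result.append(rec["endpoint"])
    return result


if __name__ == "__main__":
    # Placeholder hostnames; pass real host[:port] arguments on the command line.
    targets = sys.argv[1:] or ["vm-a.example.test:443", "vm-b.example.test:443"]
    inventory = []
    for target in targets:
        host, _, port = target.partition(":")
        try:
            inventory.append(fetch_certificate(host, int(port or 443)))
        except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
            print(f"{target}: scan failed ({exc})")
    for fp, endpoints in shared_certificates(inventory).items():
        print(f"certificate {fp} is served by {len(endpoints)} endpoints: {', '.join(endpoints)}")
    for endpoint in expiring_soon(inventory):
        print(f"{endpoint}: certificate expires within 30 days")
```

Run it with a list of host:port arguments; in practice the target list would come from the cloud provider's instance inventory rather than from memory, which is exactly the gap Bocek points at. The `verified` flag in each record is worth keeping: an unverified certificate that is nonetheless shared by several instances is the kind of blind spot the article describes.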