While technical details of the actual attack are lacking, the incident overall is an unfortunate example of the challenges companies face when it comes to securing their cloud-based environments and assets.
"When you don't control the infrastructure, your options to regain trust in the environment are limited," said Tim Erlin, director of security and risk, at Tripwire. "A business that relies on cloud-based infrastructure and tools can't avoid the same kinds of threat modeling and controls required for any organization."
Some businesses act on the misconception that when they put data into the cloud they somehow transfer responsibility and liability to the cloud provider and this is simply not true, said Amichai Shulman, CTO of Imperva.
"The cloud is a tool," Shulman said. "The responsibility is with the owner of the data. Businesses have the responsibility to define what is the correct data security and monitoring policy for them."
The challenge with doing that in the cloud is the lack of visibility into who is accessing the applications, according to Schulman. Fortunately, there are an increasing number of security products that address this problem, for example, by forcing log-ins to cloud accounts through a proxy server that can detect unauthorized locations or unusual activity patterns and enforce restrictions.
"Cloud services such as EC2 rely heavily on access keys for authentication," said Craig Young, security researcher at Tripwire. "One of the big challenges faced by users of these services is how to manage this authentication material securely. We have seen thousands of EC2 accounts abused after storing EC2 keys in public code repositories or inadvertent sharing. When a business relies on a third-party infrastructure it is crucial to solidify backup and disaster recovery plans even more so than with on-premise systems."
Security incidents like the one involving Code Spaces are avoidable if companies take effective steps to apply strict automated controls to privileged access and to whitelist applications, said Calum MacLeod, vice president of EMEA at Lieberman Software.
Code Spaces should have been using certificate-based authentication in combination with normal user IDs and passwords, MacLeod said. "Additionally credentials for such a critical application should have been on a schedule of being changed every few hours, combined with continuous discovery of the systems and applications to check if there were any changes to account settings, such as happened here with the creation of new privileged accounts that would allow sustainment of the attacker. In fact, this reads like a cyberattack 101 scenario, where ultimately the victim was breached because of their failure to properly manage privileged credentials."