To better guard against potential DNS attacks within the public cloud and secure sensitive business information, organisations should consider the deployment of a private DNS security solution in addition to the public cloud provider’s existing security infrastructure.
to occur. The reason most public cloud providers implement only ‘standard’ DNS security infrastructure is to allow ease of access and speed of access. Failing to adequately secure the DNS on public cloud platforms has potentially serious ramifications. A rudimentary DNS security infrastructure allows for a wide range of possible data leaks. For example: External: Malicious backend access of applications through the DNS performed via unsecured APIs, heap overflow and other methods can allow a hacker full visibility of a public cloud’s data. Internal: Persons inside the organisation who have access to a host can modify/install/develop an application that uses DNS to perform malicious operations against an
organisation (such as push data or get malware content). External: A malicious code inserted in a widely used library on the public cloud can potentially impact all users of the library. Internal: Persons inside an organisation could insert a specific code that uses the DNS to extract data, events and other account information.
Even a temporary storing of sensitive business information on networks hosted in a public cloud can expose a business to aforementioned entry tactics. Visma, a Norwegian cloudbased service provider, was hacked by a hacker group backed by the Chinese government called APT10 using an external entry method. Fortunately, the hackers were only able to exfiltrate Visma’s data and none of its clients’ before the attack was detected. To better guard against potential DNS attacks within the public cloud and secure sensitive business information, organisations should consider the deployment of a private DNS security solution in addition to the public cloud provider’s existing security infrastructure. Think of a private DNS security solution as the lock to a door of an apartment within a larger apartment building. While the apartment building has secure entry and exist methods, one would never think not to install door locks to one’s own apartment. The same approach should be applied to hosting an organisation’s sensitive data within the public cloud. We do not advocate that public cloud providers restrict their DNS access. We understand public cloud providers need to be able to provide easy and timely access to their customer’s data. However, we do believe private networks within the cloud should be deployed without DNS access. Instead, private networks should always be deployed with a private DNS security solution in place. sst
InsideLook 7.indd 62
Security Solutions Today • May / June 2019
3/5/19 10:13 AM
Security Solutions Today: May-Jun 2019