
First of all, my question is related to Web Application security.

Often when I want to suggest that customers move to the cloud for certain applications, I am told that our customers are reluctant to do so due to security considerations, even though it would not be necessary to store data in the cloud. By that I mean, data is stored only in their back end systems. These back end systems are hosted on their own servers within their network. The back end systems offer web services which can be SSL encrypted. The back end systems will not be exposed directly to the Internet; the traffic will be routed over additional network components like reverse proxies, firewalls and such. Additionally, the data is routed over a third party cloud platform on which the web application is hosted. The cloud platform is provided by the same company (SAP.com) which provides the software for the back end systems. And that scenario is regarded as not secure.

However, for these customers we have remote access to their productive back end systems via the customer's VPN (e.g. IPSec VPNs, Citrix).

After reading https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf I came to the conclusion that both VPN "encrypted" data and TLS encrypted data can be decrypted if the encryption is weak and attackers have a sufficient budget to break the encryption. My understanding is that these 2 scenarios (VPN vs. TLS-encrypted data over several network components) basically offer the same security standards if properly done; "What is the difference in security between a VPN- and a SSL-connection?" helped me in that context. Is my understanding correct or am I missing some aspects?

gunnar247

1 Answer


First, SSL stopped at version 3.0, which is massively flawed. TLS is currently at 1.2 (plus a lot of activity in the TLS 1.3 working group). This is generally a matter of acronym - hopefully when you say SSL encrypted, you actually mean TLS, and you specifically mean TLS 1.2 with AEAD ciphers.

Second, for TLS of any type, both protocol version and cipher suite selection are critical. Please see my answer to "Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?", which in this case boils down to: Use TLS 1.2 ONLY (no downgrade) with DHE or ECDHE, an AEAD (AES-GCM, ChaCha20) cipher and SHA-2.

Third, VPN can offer some protections like OpenVPN's --tls-auth, which is a pre-shared key that prevents clients lacking this key from even trying to connect. See the Hardening article on OpenVPN. TLS can try using client certificates for authentication, as well.

Fourth, you're missing several points regarding clients who have security concerns about applications in the cloud:

  • The "cloud" is nothing more than "servers I don't own"

  • Therefore, they're allowing servers they don't own access to their back end

  • You're trying to cover the communication channels, but that implicitly means you trust both the client's servers and the cloud servers owned by someone else. The clients clearly aren't trusting those cloud servers the same way.

  • Trusting a software provider is different from trusting a cloud provider. The software provider isn't able to suck all the data out of the client's systems without further access, nor can it put other data in, and that further access can be carefully managed and of limited scope and duration.

  • A cloud provider can do whatever the link to the back end allows - and that link is open almost all the time.

  • Every piece of data sent to that cloud provider is a piece that can leak, either in transit, or after arrival, or days, months, or years later after that cloud provider sells off some old hard drives carelessly, after their cloud service was running on an OS that happened to swap some RAM containing the client's proprietary, financial, and/or health care data to disk due to memory pressure, and then never overwrote those disk sectors.

    • Wiping data is, of course, more expensive than not wiping it.

    • And the company getting rid of the disks may not be the current cloud provider - that business may have been sold off, the company may have collapsed like Enron or Lehman Brothers, etc.

  • And then there's the last case, where one or both sides purchased well known, highly regarded VPN appliances only to find a massive backdoor in them, like the recent Juniper case. No amount of correct setup can help with that.

Anti-weakpasswords
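The answer's second point (TLS 1.2 only, (EC)DHE key exchange, AEAD cipher, SHA-2) is easy to state and easy to get subtly wrong in a cipher string. The following is an added example, not code from the question, the answer or SAP: it builds a server `ssl.SSLContext` with that policy, then audits every suite the context would actually negotiate (as reported by the OpenSSL build Python is linked against) and flags the ones that break the policy. The `LEGACY_CIPHERS` string is a constructed counter-example; the `HARDENED_CIPHERS` string is my rendering of the answer's recommendation, and the `!aNULL` in it is needed because `DHE+AESGCM` on its own also matches the anonymous ADH-AES-GCM suites.

```python
"""Audit a server TLS context against the policy from the answer above:
TLS 1.2 or newer only, ephemeral (EC)DHE key exchange, AEAD ciphers,
no legacy (MD5/SHA-1) MACs.

Added example, not part of the original post. Standard library only
(Python 3.7+); the suite list comes from the linked OpenSSL, so the
output describes that library's view of the configuration.
"""
import ssl

# The answer's policy as an OpenSSL cipher string: ephemeral (EC)DH plus an
# AEAD bulk cipher. '!aNULL' is required because 'DHE+AESGCM' alone also
# matches the anonymous ADH-AES*-GCM suites, which authenticate nobody.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL"

# Constructed counter-example: one good suite next to static-RSA key
# exchange with AES-CBC and a SHA-1 MAC. '@SECLEVEL=0' stops OpenSSL from
# silently pruning the weak suite, so the audit actually gets to see it.
LEGACY_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:@SECLEVEL=0"

# Key-exchange identifiers as reported by SSLContext.get_ciphers()["kea"].
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe")


def make_context(ciphers, minimum=ssl.TLSVersion.TLSv1_2):
    """Server context with an explicit protocol floor and cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(ciphers)
    return ctx


def suite_problems(cipher):
    """Policy violations for one entry of SSLContext.get_ciphers()."""
    if cipher["protocol"] == "TLSv1.3":
        # TLS 1.3 suites are ephemeral-DH + AEAD by construction and are not
        # governed by the cipher string, so there is nothing to check.
        return []
    problems = []
    if cipher["kea"] not in FORWARD_SECRET_KX:
        problems.append("no forward secrecy (%s)" % cipher["kea"])
    if cipher["auth"] == "auth-null":
        problems.append("anonymous key exchange, server not authenticated")
    if not cipher["aead"]:
        problems.append("not AEAD (%s)" % cipher["symmetric"])
    # AEAD suites have no separate MAC (digest is None) and their TLS 1.2
    # PRF is SHA-256/384 by specification; a CBC suite reports its MAC here.
    if cipher["digest"] in ("md5", "sha1"):
        problems.append("legacy MAC (%s)" % cipher["digest"])
    return problems


def audit(ctx):
    """Map offending suite name -> list of problems; {} means compliant."""
    findings = {}
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings["<protocol floor>"] = ["permits TLS below 1.2 (downgrade)"]
    for cipher in ctx.get_ciphers():
        problems = suite_problems(cipher)
        if problems:
            findings[cipher["name"]] = problems
    return findings


def demo():
    """Audit the hardened and the legacy context; returns both reports."""
    hardened = audit(make_context(HARDENED_CIPHERS))
    legacy = audit(make_context(LEGACY_CIPHERS,
                                ssl.TLSVersion.MINIMUM_SUPPORTED))
    return hardened, legacy


if __name__ == "__main__":
    for label, report in zip(("hardened", "legacy"), demo()):
        print("%s: %s" % (label, "compliant" if not report else "violations"))
        for name, problems in report.items():
            print("  %-32s %s" % (name, "; ".join(problems)))
```

Run it with no arguments: the hardened context should come back clean, while the legacy context is flagged both for its protocol floor and for `AES128-SHA` (static RSA key exchange, CBC, SHA-1 MAC). Auditing `get_ciphers()` rather than the cipher string itself is the point: it shows what the library will really offer after aliases, security level and version floor have been applied, which is where downgrade and anonymous-suite surprises hide.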