By John P. Mello Jr.
Identity and access issues topped the list of concerns of IT pros in the Cloud Security Alliance’s annual Top Threats to Cloud Computing: The Pandemic 11 report released earlier this month. “Data breaches and data loss were the top concerns last year,” says CSA Global Vice President of Research John Yeoh. “This year, they weren’t even in the top 11.”
“What that tells me is the cloud customer is getting a lot smarter,” Yeoh continues. “They’re getting away from worrying about end results—a data breach or loss is an end result—and looking at the causes of those results (data access, misconfigurations, insecure applications) and taking control of them.”
That trend is indicative of cloud service providers (CSPs) doing a better job of upholding their end of the shared responsibility model, where the CSP is responsible for protecting its infrastructure while the cloud user is on the hook for protecting the data, applications, and access in their cloud environments, says Corey O’Connor, director of products at DoControl, a provider of automated SaaS security. “This puts more pressure on the organization consuming the service, as attackers naturally place a much bigger focus on them,” he says. “This finding supports the narrative of organizations consuming cloud services needing to do everything they can to mitigate the risk of security events and data breaches. They need to do more to uphold their end of the model.”
CSA’s top cloud security threats
Here are the Pandemic 11 in order of importance.
- Insufficient identity, credential, access, and key management
Concerns about identity and access are foremost in the minds of cybersecurity pros, according to the CSA report. “Access is at the top of the list this year because protecting your data starts and ends with access,” says Yeoh.
Forrester Vice President and Principal Analyst Andras Cser agreed. “Identity and access in a CSP’s platforms are everything,” he says. “If you have the keys to the kingdom, you can’t just enter it but reconfigure it—a major threat to operational stability and security of any organization.”
“Attackers no longer try to brute-force their way into enterprise infrastructure,” adds Hank Schless, a senior manager for security solutions at Lookout, a provider of mobile phishing solutions. “With so many ways to compromise and steal corporate credentials, the preferred tactic is to pose as a legitimate user in order to avoid detection.”
As more organizations migrate their applications to the cloud, identity management continues to be a hot button issue, asserts Tushar Tambay, vice president of product development for data protection solutions at Entrust, a digital security and credential issuance company. “With many companies still working remotely as well, IT teams have to verify the identities of employees working from anywhere at any time on any device,” he says. “Additionally, businesses are engaging with customers and partners in the cloud.”
Tambay adds that key management needs to be prioritized, too. “Strong key management can keep data secure and help ensure that trusted parties only have access to data that is absolutely necessary,” he says. “Unfortunately, securing data through encryption can often cause a bit of a key management headache due to the growing number of keys.”
Identity management is almost entirely on the user to manage properly, says Daniel Kennedy, research director for information security and networking at 451 Research. “The cloud providers provide help, but the flexibility of cloud platforms come with a requirement to effectively manage user and system access and privileges,” he says. “It’s one of the primary responsibilities of the enterprise leveraging cloud in a shared responsibility model, and thus figures prominently in their assessment of risk.”
Key takeaways about access and identity management identified in the report include:
- Hardened defenses at the core of enterprise architectures have shifted hacking to endpoint user identity as low-hanging fruit.
- Discrete user and application-based isolation is required to achieve a robust zero trust-layer beyond simple authentication.
- Advanced tools are only part of the story, such as cloud infrastructure entitlement management (CIEM). Operational policies and structured risk models are also vital.
- Trust is more than giving keys and codes. It’s earned. User objects must be given risk scores that dynamically adjust as the business requires.
- Insecure interfaces and APIs
APIs and similar interfaces potentially include vulnerabilities due to misconfiguration, coding vulnerabilities, or a lack of authentication and authorization among other things, the report stated. These oversights can potentially leave them vulnerable to malicious activity.
It added that organizations face a challenging task in managing and securing APIs. For example, the velocity of cloud development is greatly accelerated. Processes that took days or weeks using traditional methods can be completed in seconds or minutes in the cloud. Using multiple cloud providers also adds complexity, it continues, as each provider has unique capabilities that are enhanced and expanded almost daily. This dynamic environment requires an agile and proactive approach to change control and remediation that many companies have not mastered.
Key takeaways about APIs include:
- The attack surface provided by APIs should be tracked, configured, and secured.
- Traditional controls and change management policies and approaches need to be updated to keep pace with cloud-based API growth and change.
- Companies should embrace automation and employ technologies that monitor continuously for anomalous API traffic and remediate problems in near real time.
- Misconfiguration and inadequate change control
Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave them vulnerable to unintended damage or external and internal malicious activity, the report explained. Lack of system knowledge or understanding of security settings and nefarious intentions can result in misconfigurations.
A serious problem with misconfiguration errors is they can be magnified by the cloud. “One of the biggest advantages of the cloud is its scalability and the way it enables us to create interconnected services for smoother workflows,” Schless says. “However, this also means that one misconfiguration can have magnified ramifications across multiple systems.”
Due to an automated continuous integration/continuous deliver (CI/CD) pipeline, misconfigurations and vulnerabilities not identified during build time are automatically deployed to production, says Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes and the cloud. “Misconfigurations and vulnerabilities in images are passed on to all containers created from those images.”
Key takeaways about misconfiguration and inadequate change control include:
- Companies need to embrace available technologies that scan continuously for misconfigured resources to allow remediation of vulnerabilities in real-time.
- Change management approaches must reflect the unceasing and dynamic nature of continuous business transformations and security challenges to ensure approved changes are made properly using real-time automated verification.
- Lack of cloud security architecture and strategy
The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and conscious design the report notes. However, it added, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe.
Those problems can be compounded when multiple cloud providers are involved. “Leveraging cloud providers is certainly no longer novel, but the security product space continues to emerge and evolve around the cloud,” Kennedy says. “As examples, early on we saw cloud workload security emerge as an approach to provide common third-party security functions.”
“Most security folks looking after cloud security must consider what mix of default controls from the cloud provider, premium controls from the same, and what third-party security product offerings address their specific risk profile, and sometimes that profile is different at the application level. It introduces a lot of complexity in the face of emerging threats,” Kennedy adds.
Key takeaways about the lack of cloud security architecture and strategy include:
- Companies should consider business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
- Given the rapid pace of change and limited centralized control in cloud deployments, it’s more important, not less, to develop and adhere to an infrastructure strategy and design principles.
- Adopters are advised to consider due diligence and vendor security assessment foundational practices. They should be complemented with secure design and integration to avoid the kinds of systemic failures that occurred in the, SolarWinds, Kaseya and Bonobos breaches.
- Insecure software development
While the cloud can be a powerful environment for developers, organizations need to make sure developers understand how the shared responsibility model affects the security of their software. For example, a vulnerability in Kubernetes could be the responsibility of a CSP, while an error in a web application using cloud-native technologies could be the responsibility of the developer to fix.
Key takeaways to keep in mind about insecure software development include:
- Using cloud technologies prevents reinventing existing solutions, allowing developers to focus on issues unique to the business.
- By leveraging shared responsibility, items like patching can be owned by a CSP rather than the business.
- CSPs place an importance on security and will provide guidance on how to implement services in a secure fashion.
- Unsecure third-party resources
According to the CSA report, third-party risks exist in every product and service we consume. It noted that because a product or service is a sum of all the other products and services it’s using, an exploit can start at any point in the supply chain for the product and proliferate from there. Threat actors know they only need to compromise the weakest link in a supply chain to spread their malicious software, oftentimes using the same vehicles developers use to scale their software.
Key takeaways about unsecure third-party resources include:
- You can’t prevent vulnerabilities in code or products you didn’t create, but you can make a good decision about which product to use. Look for the products that are officially supported. Also, consider those with compliance certifications, that openly speak about their security efforts, that have a bug bounty program, and that treat their users responsibly by reporting security issues and delivering fixes quickly.
- Identify and track the third parties you are using. You don’t want to find out you’ve been using a vulnerable product only when the list of victims is published. This includes open source, SaaS products, cloud providers, and managed services, and other integrations you may have added to your application.
- Perform a periodic review of the third-party resources. If you find products you don’t need, remove them and revoke any access or permissions you may have granted them into your code repository, infrastructure or application.
- Don’t be the weakest link. Penetration-test your application, teach your developers about secure coding, and use static application security testing (SAST) and dynamic application security testing (DAST) solutions.
- System vulnerabilities
These are flaws in a CSP that can be used to compromise confidentiality, integrity and availability of data, and disrupt service operations. Typical vulnerabilities include zero days, missing patches, vulnerable misconfiguration, or default settings, and weak or default credentials that attackers can easily obtain or crack.
Key takeaways about system vulnerabilities include:
- System vulnerabilities are flaws within system components often introduced through human error, making it easier for hackers to attack your company’s cloud services.
- Post-incident response is a costly proposition. Losing company data can negatively impact your business’s bottom line in revenue and reputation.
- Security risks due to system vulnerabilities can be greatly minimized through routine vulnerability detection and patch deployment combined with rigorous IAM practices.
- Accidental cloud data disclosure
Data exposure remains a widespread problem among cloud users, the report noted, with 55% of companies having at least one database that’s exposed to the public internet. Many of those databases have weak passwords or don’t require any authentication at all, making them easy targets for threat actors.
Key takeaways about accidental cloud data disclosure include:
- Which databases are in the clouds? Review your platform-as-a-service (PaaS) databases, storage and compute workloads hosting databases, including virtual machines (VMs), containers, and the database software installed on them.
- What is effectively exposed from the cloud environment? Choose exposure engines that have full visibility of your cloud environment to identify any routing or network services that allow traffic to be exposed externally. This includes load balancers, application load balancers, content delivery networks (CDNs), network peering, and cloud firewalls.
- Assess external exposure from a Kubernetes cluster. The exposure engine must factor in many Kubernetes networking components, including cluster IPs, Kubernetes services, and ingress rules.
- Reduce access exposure by ensuring that the database is configured to the least-privileged IAM policy, and that assignments of this policy are controlled and monitored.
- Misconfiguration and exploitation of serverless and container workloads
Managing and scaling the infrastructure to run applications can still be challenging to developers, the report pointed out. They must take on more responsibility network and security controls for their applications.
While some of that responsibility can be offloaded to a CSP through the use of serverless and containerized workloads, for most organizations, lack of control of cloud infrastructure limits mitigation options for application security issues and the visibility of traditional security tooling. That’s why the report recommended building strong organizational practices around cloud hygiene, application security, observability, access control, and secrets management to reduce the blast radius of an attack.
Key takeaways about misconfiguration and exploitation of serverless and container workloads include:
- Companies should implement cloud security posture management (CSPM), CIEM, and cloud workload protection platforms to increase security visibility, enforce compliance, and achieve the least privilege in serverless and containerized workloads.
- Investments should be made into cloud security training, governance processes, and reusable secure cloud architecture patterns to reduce the risk and frequency of insecure cloud configurations.
- Development teams should put extra rigor around strong application security and engineering best practices before migrating to serverless technologies that remove traditional security controls.
- Organized crime, hackers and APT groups
Advanced persistent threat (APT) groups typically focus their thieving ways at data acquisition. Those groups are closely studied by threat intelligence outfits, who publish detailed reports on the groups’ methods and tactics. The CSA report recommended organizations use those reports to stage “red team” exercises to better protect themselves from APT attacks, as well as perform threat-hunting exercises to identify the presence of any APTs on their networks.
Key takeaways from the report in the APT area include:
- Conduct a business impact analysis on your organization to understand your information assets.
- Participate in cybersecurity information sharing groups.
- Understand any relevant APT groups and their tactics, techniques and procedures (TTPs).
- Conduct offensive security exercises to simulate the TTPs of these APT groups.
- Ensure security monitoring tools are tuned to detect TTPs of any relevant APT groups.
- Cloud Storage Data Exfiltration
Cloud storage data exfiltration occurs when sensitive, protected or confidential information is released, viewed, stolen or used by an individual outside of the organization’s operating environment. The report noted that many times data exfiltration may occur without the knowledge of the data’s owner. In some cases, the owner may not be unaware of the data’s theft until notified by the thief or until it appears for sale on the internet.
While the cloud can be a convenient place to store data, the report continued, it also offers multiple ways to exfiltrate it. To protect against exfiltration, organizations have begun turning to a zero-trust model where identity-based security controls are used to provide least privileged access to data.
Key takeaways about cloud storage exfiltration in the report include:
- Cloud storage requires a well-configured environment (SaaS security posture management [SSPM], CSPM), remediation of vulnerabilities in infrastructure as a service (IaaS), which is still a major threat vector, and strong identity and access control of both people and non-human personas.
- To detect and prevent attacks and data exfiltration, apply the CSP’s best practices guides, monitoring and detection capabilities.
- Employee awareness training on cloud storage usage is required, as data is scattered in various locations and controlled by various personas.
- Evaluate a cloud providers’ security resilience and, at minimum, security standards adherence, legal agreement, and service level agreement (SLA).
- If not limited by business, client-side encryption can provide protection from external attackers or CSP malicious insiders. Overall, encryption is not always feasible, due to implementation considerations.
- Classifying data can help in setting different controls, and if exfiltration happens, assessing the impact and recovery actions required.
Shifting focus of cloud security
The CSA report noted that its 2022 edition continued a nascent trend found in its previous version: a shift away from the traditional focus on information security, such as vulnerabilities and malware. Regardless, these security issues are a call to action for developing and enhancing cloud security awareness and configuration, and identity management. The cloud itself is less of a concern, so now the focus is more on the implementation of the cloud technology.