More data and applications are moving to the cloud, and this creates several unique information security challenges. Here are the top security threats companies face when using cloud services.
Identity and access issues top the list of concerns for IT professionals. At least, that is what the annual report Top Threats to Cloud Computing: The Pandemic 11, published by the Cloud Security Alliance (CSA) in 2022, says. CSA Global Research President John Yeoh: “This year, they weren’t even in the top 11.”
“What that tells me is that the cloud client is getting much smarter,” says Yeoh. “They are moving away from worrying about the results – a breach or loss of data is a result – and looking at the causes of those results (data access, incorrect configurations, insecure applications) and taking control of them.”
Has the quality of service improved?
This trend indicates that cloud service providers (CSPs) are doing a better job, at least in defending their end of the shared responsibility model, where the CSP is responsible for securing its infrastructure while the cloud user is on the hook to secure the data, applications, and access in their cloud environments.
However, this puts more pressure on the organization consuming the service, as attackers naturally place a much greater focus on them.
This finding supports the narrative that organizations that consume cloud services need to do everything they can to mitigate the risk of security events and data breaches. That is, they need to do more to maintain their side of the model.
Top Cloud Security Threats According to CSA
Insufficient identity, credentials, access, and key management
According to the CSA report, concerns about identity and access are at the forefront of cybersecurity professionals’ minds.
“Access is at the top of the list this year because protecting your data starts and ends with access,” says Yeoh.
Forrester vice president and principal analyst Andras Cser agreed.
“Identity and access across a CSP’s platforms are everything,” he says. “If you have the keys to the realm, not only can you enter it, but you can also reset it.
And this is one of the biggest cloud security threats that create severe problems for any organization’s operational stability and overall security.”
“Attackers no longer try to force access to the corporate infrastructure,” adds Hank Schless, senior manager of security solutions at a provider of mobile phishing solutions.
“With so many ways to compromise and steal corporate credentials, the preferred tactic is to impersonate a legitimate user to avoid detection.”
So as more organizations move their applications to the cloud, identity management remains a hot topic, says Tushar Tambay, vice president of product development for data protection solutions at Entrust, a digital security and credential issuance company.
“With many companies still working remotely, IT teams need to verify the identities of employees working from anywhere, anytime, and on any device,” he says. “Additionally, companies are engaging with customers and partners in the cloud.”
Special attention to key management
However, Tambay adds that key management also needs to be prioritized. “Strong key management can keep data secure and help ensure that relying parties only have access to the data they absolutely need,” he says. “Unfortunately, securing data through encryption can often cause a bit of a headache in key management due to the increasing number of keys.”
Identity management relies almost entirely on the user to manage correctly, says Daniel Kennedy, research director for information and network security at 451 Research.
“Cloud providers provide help; however, the flexibility of cloud platforms comes with the need to efficiently manage user and system access and privileges,” he says.
“Therefore, it is one of the company’s main responsibilities to leverage the cloud in a shared responsibility model and therefore figures prominently in their risk assessment.”
Critical findings on access and identity management identified in the report and how they generate cloud security threats include:
- Hardened defenses at the core of enterprise architectures have pushed attackers toward endpoint user identity as the low-hanging fruit.
- Discrete user and application-based isolation are required to achieve a robust zero-trust layer beyond simple authentication.
- Advanced tools, like cloud infrastructure entitlement management (CIEM), are only part of the story; operational policies and structured risk models are also vital.
- Trust is more than handing out keys and codes: user objects and devices must be given risk scores that adjust dynamically as the business requires.
Insecure interfaces and APIs
APIs and similar interfaces potentially include vulnerabilities due to misconfigurations, coding vulnerabilities, or lack of authentication and authorization, among other things, the report stated.
These oversights can potentially leave them vulnerable to malicious activity. No wonder it was considered one of the biggest threats to cloud security.
However, the report adds that organizations face difficulty managing and securing APIs, partly because the pace of cloud development is so much faster. Processes that took days or weeks using traditional methods can be completed in seconds or minutes in the cloud.
Using multiple cloud providers also adds to the complexity, as each provider has unique features that are improved and expanded almost daily.
This dynamic environment requires an agile and proactive approach to change control and remediation that many companies do not master.
Key takeaways about APIs include:
- The attack surface provided by the APIs must be tracked, configured, and secured.
- Traditional controls and change management policies and approaches must be updated to keep up with the growth and changes of cloud-based APIs.
- Enterprises must embrace automation and employ technologies that continuously monitor anomalous API traffic and correct issues in near real-time.
Incorrect configuration and inadequate change control
The report explained that misconfigurations are the inaccurate or suboptimal configuration of computing assets that can leave them vulnerable to unintentional damage or malicious external and internal activity.
A lack of system knowledge or understanding of security settings, as well as nefarious intentions, can result in incorrect configurations.
A particularly severe problem with misconfigurations is that the cloud can amplify them.
“One of the biggest advantages of the cloud is its scalability and the way it allows us to build interconnected services for smoother workflows. However, it also means that a misconfiguration can have wide ramifications across multiple systems.”
With an automated continuous integration/continuous delivery (CI/CD) pipeline, misconfigurations and vulnerabilities that are not caught at build time are deployed to production automatically.
Key takeaways about misconfiguration and poor change control include:
- Companies need to adopt available technologies that continually scan misconfigured resources to enable real-time vulnerability remediation.
- Change management approaches must reflect the relentless and dynamic nature of ongoing business transformations and security challenges to ensure that approved changes are made correctly using automated real-time verification.
Lack of cloud security architecture and strategy
The report notes that the rapid pace of change and the decentralized, self-service approach to cloud infrastructure administration hamper the ability to weigh technical and business considerations and to design deliberately.
As a result, security threats in the cloud increase. The report adds that security considerations and risks must be addressed if cloud efforts are to be successful and secure.
These issues can be compounded when multiple cloud providers are involved. “Leveraging cloud providers is certainly not new anymore.
However, the security product space continues to emerge and evolve around the cloud,” says Kennedy. “As examples, we saw cloud workload security emerge early on as an approach to providing common third-party security functions.”
Find the right combination to prevent cloud security threats:
“So, most security professionals looking at cloud security should consider what combination of standard cloud provider controls, premium cloud provider controls, and what third-party security product offerings address their specific risk profile. Sometimes, this profile is different at the application level.
After all, it can be very complex in the face of emerging threats,” adds Kennedy.
Key takeaways about the lack of cloud security architecture and strategy include:
- Companies must consider business objectives, risks, security threats, and legal compliance in cloud services and infrastructure design and decisions.
- Given the rapid pace of change and the limited centralized control in cloud deployments, it is all the more important to develop and adhere to an infrastructure strategy and design principles.
- Adopters are advised to consider fundamental supplier security assessment and due diligence practices. These must be complemented with secure design and integration to avoid the kind of systemic failures seen in the SolarWinds, Kaseya, and Bonobos breaches.
Insecure software development
While the cloud can be a robust environment for developers, organizations need to ensure that developers understand how the shared responsibility model affects the security of their software.
For example, a vulnerability in Kubernetes could be the responsibility of a CSP. However, a bug in a web application using cloud-native technologies may be the developer’s responsibility to correct.
Key takeaways about insecure software development include:
- Using cloud technologies avoids reinventing existing solutions, allowing developers to focus on unique business problems.
- By leveraging shared responsibility, items such as patches can be owned by a CSP, not the company.
- CSPs place importance on security and will guide how to implement services securely.
Unsecured third-party resources
According to the CSA report, there are third-party cloud security threats in every product and service we consume.
It noted that because a product or service is the sum of all the other products and services it uses, an attack can start at any point in the product’s supply chain and spread from there.
Watch out for the weakest link.
Threat actors know they only have to compromise the weakest link in a supply chain to spread their malicious software, and they often use the same vehicles developers use to scale their software.
Key findings about unsafe third-party resources include:
- You can’t avoid vulnerabilities in code or products you didn’t create; however, you can decide which product to use. So, look for products that are officially supported. Also, consider those with compliance certifications, who speak openly about their security efforts, who have a bug bounty program, and who treat their users responsibly by reporting security issues and providing fixes quickly.
- Identify and track the third parties you are using. After all, you don’t want to discover that you’re using a vulnerable product just when the list of victims is published. This includes open source, SaaS products, cloud providers and managed services, and other integrations you may have added to your app.
- Perform a periodic review of third-party resources. So if you find products you don’t need, remove them and revoke any access or permissions you may have granted them in your code repository, infrastructure, or application.
- Don’t be the weakest link. Penetration testing your application teaches your developers about secure coding; also use static application security testing (SAST) and dynamic application security testing (DAST) solutions.
System vulnerabilities
These are flaws in a CSP that can be used to compromise data confidentiality, integrity, and availability and disrupt service operations.
Typical vulnerabilities include zero days, missing patches, misconfiguration, vulnerable default settings, and weak or default credentials that attackers can quickly obtain or break.
Key findings about system vulnerabilities include:
- System vulnerabilities are flaws in system components usually introduced by human error, making it easy for hackers to attack your company’s cloud services.
- The post-incident response is an expensive proposition. After all, the loss of company data can negatively impact your company’s bottom line in revenue and reputation.
- Security risks due to system vulnerabilities can be greatly minimized through routine vulnerability detection and patch deployment combined with rigorous IAM practices.
Accidental disclosure of data in the cloud
The report noted that data exposure remains one of the biggest security threats in the cloud and a widespread problem among cloud users.
It found that 55% of companies have at least one database exposed to the public internet. Furthermore, many of these databases have weak passwords or do not require any authentication, making them easy targets for threat actors.
Key findings about accidental disclosure of data in the cloud include:
- What databases are in the cloud? Review your platform-as-a-service (PaaS) databases, storage, and compute workloads that host databases, including virtual machines (VMs), containers, and the database software installed on them.
- What is effectively exposed from the cloud environment? Use exposure-analysis tooling with complete visibility into your cloud environment to identify any routing or network services that allow traffic to be exposed externally. This includes load balancers, application load balancers, content delivery networks (CDNs), network peering, and cloud firewalls.
- Assess the external exposure of a Kubernetes cluster. The exposure mechanism must consider many Kubernetes networking components, including cluster IPs, Kubernetes services, and ingress rules.
- Reduce access exposure by ensuring the database is configured for the least privileged IAM policy and that policy assignments are controlled and monitored.
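As an added illustration (not from the CSA report or this article), the following Python script runs the exposure checklist above over a constructed inventory: it flags databases reachable from the internet, databases that require no authentication, and IAM policies that are not least-privilege. Run over a planned configuration instead of a live inventory, the same check is the build-time gate the misconfiguration section calls for. The inventory schema and the `db:` action names are assumptions, not any CSP's API.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inventory (hypothetical schema, not any CSP's API): one
# database per hosting type from the report's checklist (PaaS, VM, container).
INVENTORY: List[Dict] = [
    {"name": "orders-pg", "host": "paas", "public_ip": True, "port": 5432,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 5432}], "auth_required": False,
     "iam": {"actions": ["db:Describe*"], "resources": ["example:orders-pg"]}},
    {"name": "analytics-mysql", "host": "vm", "public_ip": True, "port": 3306,
     "ingress": [{"cidr": "203.0.113.0/24", "port": 3306}, {"cidr": "::/0", "port": 3306}],
     "auth_required": True, "iam": {"actions": ["db:Connect"], "resources": ["example:analytics"]}},
    {"name": "hr-mongo", "host": "container", "public_ip": False, "port": 27017,
     "ingress": [{"cidr": "10.0.0.0/8", "port": 27017}], "auth_required": True,
     "iam": {"actions": ["*"], "resources": ["*"]}},
    {"name": "billing-pg", "host": "paas", "public_ip": False, "port": 5432,
     "ingress": [{"cidr": "10.1.0.0/16", "port": 5432}], "auth_required": True,
     "iam": {"actions": ["db:Connect"], "resources": ["example:billing-pg"]}},
]

def admits_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: an ingress rule that lets the whole internet in."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def internet_exposed(db: Dict) -> bool:
    """Exposed only if the database has a public address AND a rule on its
    listening port admits any source; a public IP behind rules scoped to
    private or partner ranges is not reachable from the internet."""
    if not db["public_ip"]:
        return False
    return any(r["port"] == db["port"] and admits_any_source(r["cidr"])
               for r in db["ingress"])

def iam_overbroad(policy: Dict) -> bool:
    """Wildcard actions ('*' or 'service:*') or a wildcard resource break the
    least-privilege policy the report asks for on database access."""
    wild_action = any(a == "*" or a.endswith(":*") for a in policy["actions"])
    return wild_action or "*" in policy["resources"]

def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each database name to its findings; clean databases are omitted.
    Run over a planned configuration, the same check can gate a CI/CD deploy."""
    findings: Dict[str, List[str]] = {}
    for db in inventory:
        issues = []
        exposed = internet_exposed(db)
        if exposed and not db["auth_required"]:
            issues.append("CRITICAL: internet-reachable with no authentication")
        elif exposed:
            issues.append("HIGH: internet-reachable; authentication is the only barrier")
        elif not db["auth_required"]:
            issues.append("MEDIUM: no authentication required on a private network")
        if iam_overbroad(db["iam"]):
            issues.append("HIGH: IAM policy grants wildcard actions or resources")
        if issues:
            findings[db["name"]] = issues
    return findings
```

Only three of the four constructed databases produce findings; billing-pg is private, authenticated and scoped to a single resource, so it is omitted from the result.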
Misconfiguration and exploitation of serverless and containerized workloads
The report noted that managing and scaling the infrastructure to run applications can still be a challenge for developers.
They must take more responsibility for network and security controls for their applications, and this is one of the most challenging cloud security threats.
While some of this responsibility can be shifted to a CSP using serverless and containerized workloads, for most organizations, the lack of control over cloud infrastructure limits options for mitigating application security issues and the visibility of traditional security tools.
The report recommended building strong organizational practices around cloud hygiene, application security, observability, access control, and remote management to reduce an attack’s blast radius.
Key takeaways from misconfiguration and exploitation of serverless and containerized workloads include:
- Enterprises should implement cloud security posture management (CSPM), CIEM, and cloud workload protection platforms to increase security visibility, enforce compliance, and apply least privilege across serverless and containerized workloads.
- Investments should be made in cloud security training, governance processes, and secure, reusable cloud architecture standards to reduce the risk and frequency of insecure cloud configurations.
- Development teams must apply extra rigor to application security and engineering best practices before migrating to serverless technologies that remove traditional security controls.
Organized crime, hackers, and APT groups
Advanced Persistent Threat (APT) groups often focus their campaigns on data acquisition. As a result, these groups are closely studied by threat intelligence teams, who publish detailed reports on the groups’ methods and tactics.
Therefore, the CSA report recommended that organizations use these reports to conduct “red team” exercises to better protect themselves from APT attacks and conduct threat-hunting exercises to identify the presence of any APTs on their networks.
The report’s key findings in the APT area include the following:
- Conduct a business impact analysis on your organization to understand your information assets.
- Join cybersecurity information-sharing groups.
- Understand relevant APT groups and their tactics, techniques, and procedures (TTPs).
- Conduct offensive security drills to simulate the TTPs of these APT groups.
- Ensure security monitoring tools are tuned to detect the TTPs of relevant APT groups.
Cloud Storage Data Exfiltration
Exfiltration of data from cloud storage occurs when sensitive, protected, or confidential information is released, viewed, stolen, or used by an individual outside the organization’s operating environment. The report noted that data exfiltration could often occur without the data owner’s knowledge.
In some cases, the owner may only be aware of the data theft once notified by the thief or when it appears for sale on the internet. So, among the threats to cloud security, this one is the scariest for businesses.
Do identity-based controls help?
While the cloud can be a convenient place to store data, the report continued, it also offers multiple ways to exfiltrate it.
So, to guard against exfiltration, organizations have started to adopt a zero-trust model in which identity-based security controls provide least-privilege access to data.
Key findings on cloud storage exfiltration in the report include:
- Cloud storage requires a well-configured environment (SaaS security posture management [SSPM], CSPM), patching of vulnerabilities in infrastructure as a service (IaaS), which is still a significant threat vector, and strong identity and access control for both human and non-human identities.
- To detect and prevent attacks and data exfiltration, apply CSP best practices guides, monitoring, and detection capabilities.
- Employee awareness training on cloud storage is required as data is spread across multiple locations and controlled by various people.
- Assess a cloud provider’s security resilience and, at a minimum, its adherence to security standards, legal agreements, and service level agreements (SLAs).
- Client-side encryption can protect data from outside attackers and malicious CSP insiders, where the business is able to use it; overall, encryption is not always feasible because of implementation considerations.
- Data classification can help define different controls and, if exfiltration occurs, assess the impact and necessary recovery actions.
Changing the focus of cloud security
The CSA report noted that its 2022 edition continued a nascent trend found in its previous version: a shift away from the traditional focus on information security, such as vulnerabilities and malware.
Instead, these security issues are a call to action to improve awareness of cloud security threats, along with configuration and identity management. The cloud itself is less of a concern; the focus is now on how cloud technology is implemented.
You can also count on the support of an IT company specializing in security to protect you.