Identity and access issues topped the list of concerns of IT pros in the Cloud Security Alliance’s annual Top Threats to Cloud Computing: The Pandemic 11 report released earlier this month. “Data breaches and data loss were the top concerns last year,” says CSA Global Vice President of Research John Yeoh. “This year, they weren’t even in the top 11.”
“What that tells me is the cloud customer is getting a lot smarter,” Yeoh continues. “They’re getting away from worrying about end results—a data breach or loss is an end result—and looking at the causes of those results (data access, misconfigurations, insecure applications) and taking control of them.”
That trend is indicative of cloud service providers (CSPs) doing a better job of upholding their end of the shared responsibility model, where the CSP is responsible for protecting its infrastructure while the cloud user is on the hook for protecting the data, applications, and access in their cloud environments, says Corey O’Connor, director of products at DoControl, a provider of automated SaaS security. “This puts more pressure on the organization consuming the service, as attackers naturally place a much bigger focus on them,” he says. “This finding supports the narrative of organizations consuming cloud services needing to do everything they can to mitigate the risk of security events and data breaches. They need to do more to uphold their end of the model.”
Here are the Pandemic 11 in order of importance.
Concerns about identity and access are foremost in the minds of cybersecurity pros, according to the CSA report. “Access is at the top of the list this year because protecting your data starts and ends with access,” says Yeoh.
Forrester Vice President and Principal Analyst Andras Cser agrees. “Identity and access in a CSP’s platforms are everything,” he says. “If you have the keys to the kingdom, you can’t just enter it but reconfigure it—a major threat to operational stability and security of any organization.”
“Attackers no longer try to brute-force their way into enterprise infrastructure,” adds Hank Schless, a senior manager for security solutions at Lookout, a provider of mobile phishing solutions. “With so many ways to compromise and steal corporate credentials, the preferred tactic is to pose as a legitimate user in order to avoid detection.”
As more organizations migrate their applications to the cloud, identity management continues to be a hot button issue, asserts Tushar Tambay, vice president of product development for data protection solutions at Entrust, a digital security and credential issuance company. “With many companies still working remotely as well, IT teams have to verify the identities of employees working from anywhere at any time on any device,” he says. “Additionally, businesses are engaging with customers and partners in the cloud.”
Tambay adds that key management needs to be prioritized, too. “Strong key management can keep data secure and help ensure that trusted parties only have access to data that is absolutely necessary,” he says. “Unfortunately, securing data through encryption can often cause a bit of a key management headache due to the growing number of keys.”
Identity management is almost entirely on the user to manage properly, says Daniel Kennedy, research director for information security and networking at 451 Research. “The cloud providers provide help, but the flexibility of cloud platforms come with a requirement to effectively manage user and system access and privileges,” he says. “It’s one of the primary responsibilities of the enterprise leveraging cloud in a shared responsibility model, and thus figures prominently in their assessment of risk.”
Key takeaways about access and identity management identified in the report include:
APIs and similar interfaces can contain vulnerabilities stemming from misconfiguration, coding errors, or missing authentication and authorization, among other things, the report stated. These oversights can leave them exposed to malicious activity.
It added that organizations face a challenging task in managing and securing APIs. For example, the velocity of cloud development is greatly accelerated. Processes that took days or weeks using traditional methods can be completed in seconds or minutes in the cloud. Using multiple cloud providers also adds complexity, it continues, as each provider has unique capabilities that are enhanced and expanded almost daily. This dynamic environment requires an agile and proactive approach to change control and remediation that many companies have not mastered.
Key takeaways about APIs include:
Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave them vulnerable to unintended damage or to external and internal malicious activity, the report explained. They can result from a lack of system knowledge, a poor understanding of security settings, or deliberate malicious intent.
A serious problem with misconfiguration errors is they can be magnified by the cloud. “One of the biggest advantages of the cloud is its scalability and the way it enables us to create interconnected services for smoother workflows,” Schless says. “However, this also means that one misconfiguration can have magnified ramifications across multiple systems.”
Due to an automated continuous integration/continuous delivery (CI/CD) pipeline, misconfigurations and vulnerabilities not identified during build time are automatically deployed to production, says Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes and the cloud. “Misconfigurations and vulnerabilities in images are passed on to all containers created from those images.”
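As an added example that is not part of the CSA report and not Tigera's or any other vendor's code, the following Python gate shows what catching these defects at build time rather than in production can look like: it runs over Kubernetes workload manifests held as dicts (the JSON form of the YAML) and fails the pipeline on the container misconfigurations named above. The set of checks, the finding texts and the sample manifests are this example's own assumptions.

```python
"""Build-time misconfiguration gate for Kubernetes workload manifests.

Added example, not from the CSA report or from any vendor quoted in the
article. Manifests are plain dicts (the JSON form of YAML), so no third-party
YAML library is needed. The checks and sample manifests are constructed.
"""
from typing import Dict, List


def _pod_spec(manifest: Dict) -> Dict:
    """Return the pod spec of a Pod or of any controller that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def _image_is_pinned(image: str) -> bool:
    """Accept a digest reference (name@sha256:...) or a version tag; reject ':latest' or no tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]           # drop registry/repository path
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def check_manifest(manifest: Dict) -> List[str]:
    """Return misconfiguration findings; an empty list means the manifest passes."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})

    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork shares the node's network namespace")
    if spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(f"{name}: hostPID/hostIPC expose node processes to the pod")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')} mounts hostPath "
                            f"{vol['hostPath'].get('path')} from the node")

    containers = list(spec.get("initContainers", [])) + list(spec.get("containers", []))
    for c in containers:
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        sc = c.get("securityContext", {})
        if not _image_is_pinned(image):
            findings.append(f"{name}/{cname}: image '{image}' is mutable; every pod built "
                            "from it changes when the tag is re-pushed")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container has full node access")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is not set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        # The container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}/{cname}: runAsNonRoot is not enforced")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}/{cname}: no resource limits, one pod can starve the node")
    return findings


def gate(manifests: List[Dict]) -> bool:
    """Pipeline entry point: True when every manifest passes, False otherwise."""
    return all(not check_manifest(m) for m in manifests)


# Constructed sample manifests: one that must fail the gate and one that passes.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api-bad"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "api", "image": "registry.example.com/api:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api-good"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "api", "image": "registry.example.com/api@sha256:" + "0" * 64,
                        "securityContext": {"allowPrivilegeEscalation": False, "privileged": False},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    }}},
}

if __name__ == "__main__":
    for m in (BAD_DEPLOYMENT, GOOD_DEPLOYMENT):
        print(m["metadata"]["name"], "->", check_manifest(m) or "OK")
    print("gate passes:", gate([BAD_DEPLOYMENT, GOOD_DEPLOYMENT]))
```

The same checks can be enforced a second time at admission in the cluster, but running them in the pipeline is what stops the "automatically deployed to production" path: a failing manifest never reaches the apply step.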
Key takeaways about misconfiguration and inadequate change control include:
The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and to apply conscious design, the report notes. However, it added, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe.
Those problems can be compounded when multiple cloud providers are involved. “Leveraging cloud providers is certainly no longer novel, but the security product space continues to emerge and evolve around the cloud,” Kennedy says. “As examples, early on we saw cloud workload security emerge as an approach to provide common third-party security functions.”
“Most security folks looking after cloud security must consider what mix of default controls from the cloud provider, premium controls from the same, and what third-party security product offerings address their specific risk profile, and sometimes that profile is different at the application level. It introduces a lot of complexity in the face of emerging threats,” Kennedy adds.
Key takeaways about the lack of cloud security architecture and strategy include:
While the cloud can be a powerful environment for developers, organizations need to make sure developers understand how the shared responsibility model affects the security of their software. For example, a vulnerability in a managed Kubernetes control plane could be the responsibility of a CSP, while an error in a web application built on cloud-native technologies would be the developer's to fix.
Key takeaways to keep in mind about insecure software development include:
According to the CSA report, third-party risks exist in every product and service we consume. It noted that because a product or service is a sum of all the other products and services it’s using, an exploit can start at any point in the supply chain for the product and proliferate from there. Threat actors know they only need to compromise the weakest link in a supply chain to spread their malicious software, oftentimes using the same vehicles developers use to scale their software.
Key takeaways about unsecure third-party resources include:
These are flaws in a CSP's systems that can be used to compromise the confidentiality, integrity and availability of data and to disrupt service operations. Typical vulnerabilities include zero days, missing patches, vulnerable misconfigurations or default settings, and weak or default credentials that attackers can easily obtain or crack.
Key takeaways about system vulnerabilities include:
Data exposure remains a widespread problem among cloud users, the report noted, with 55% of companies having at least one database that’s exposed to the public internet. Many of those databases have weak passwords or don’t require any authentication at all, making them easy targets for threat actors.
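As an added example that is not from the CSA report, the Python script below shows how the first half of that finding (a database port open to the internet) can be detected offline from firewall rules in the shape used by cloud security groups: group, protocol, port range, source CIDR. The database port table, the private-range definition and the sample rules are this example's own assumptions. The second half, whether the exposed database requires a password at all, still has to be checked against the database itself.

```python
"""Find database ports reachable from outside private address space.

Added example, not from the CSA report. Rules are dicts in the shape of cloud
security-group ingress rules; the port table, the private-range list and the
sample rules are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

# Default ports of common database engines (this example's own table).
DATABASE_PORTS = {
    1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgresql",
    6379: "redis", 9042: "cassandra", 9200: "elasticsearch", 27017: "mongodb",
}

# Address space a VPC/VNet normally uses; any other source is treated as external.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

Finding = Tuple[str, int, str, str, str]   # group, port, engine, source cidr, exposure


def classify_source(cidr: str) -> str:
    """'internet' for an any-address source, 'private' for RFC1918/ULA space, else 'public'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        return "internet"
    for priv in PRIVATE_NETWORKS:
        if net.version == priv.version and net.subnet_of(priv):
            return "private"
    return "public"


def find_exposed_databases(rules: List[Dict]) -> List[Finding]:
    """Return one finding per (rule, database port) that an external source can reach."""
    findings: List[Finding] = []
    for r in rules:
        if r["protocol"] not in ("tcp", "-1"):  # "-1" is the all-protocols rule
            continue
        lo, hi = (0, 65535) if r["protocol"] == "-1" else (r["from_port"], r["to_port"])
        exposure = classify_source(r["cidr"])
        if exposure == "private":
            continue
        for port, engine in sorted(DATABASE_PORTS.items()):
            if lo <= port <= hi:
                findings.append((r["group"], port, engine, r["cidr"], exposure))
    return findings


# Constructed sample rules. 198.51.100.0/24 is a documentation range standing in
# for an office network; it is outside the private list, so it counts as public.
SAMPLE_RULES = [
    {"group": "sg-db-prod", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "0.0.0.0/0"},
    {"group": "sg-db-prod", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"},
    {"group": "sg-cache", "protocol": "tcp", "from_port": 6379, "to_port": 6379, "cidr": "::/0"},
    {"group": "sg-bastion", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-legacy", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"group": "sg-db-reporting", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "198.51.100.0/24"},
]

if __name__ == "__main__":
    for group, port, engine, cidr, exposure in find_exposed_databases(SAMPLE_RULES):
        print(f"{exposure:8} {group}: {engine} ({port}/tcp) open to {cidr}")
```

The all-protocols rule on sg-legacy is the case that gets missed by a check that only looks at explicit port numbers; it is why the scan expands "-1" to the whole port range instead of skipping it.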
Key takeaways about accidental cloud data disclosure include:
Managing and scaling the infrastructure to run applications can still be challenging to developers, the report pointed out. They must take on more responsibility for the network and security controls protecting their applications.
While some of that responsibility can be offloaded to a CSP through the use of serverless and containerized workloads, for most organizations, lack of control of cloud infrastructure limits mitigation options for application security issues and the visibility of traditional security tooling. That’s why the report recommended building strong organizational practices around cloud hygiene, application security, observability, access control, and secrets management to reduce the blast radius of an attack.
Key takeaways about misconfiguration and exploitation of serverless and container workloads include:
Advanced persistent threat (APT) groups typically focus on data acquisition. Those groups are closely studied by threat intelligence outfits, which publish detailed reports on the groups’ methods and tactics. The CSA report recommended organizations use those reports to stage “red team” exercises to better protect themselves from APT attacks, as well as perform threat-hunting exercises to identify the presence of any APTs on their networks.
Key takeaways from the report in the APT area include:
Cloud storage data exfiltration occurs when sensitive, protected or confidential information is released, viewed, stolen or used by an individual outside of the organization’s operating environment. The report noted that data exfiltration often occurs without the knowledge of the data’s owner. In some cases, the owner may not be aware of the theft until notified by the thief or until the data appears for sale on the internet.
While the cloud can be a convenient place to store data, the report continued, it also offers multiple ways to exfiltrate it. To protect against exfiltration, organizations have begun turning to a zero-trust model where identity-based security controls are used to provide least privileged access to data.
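The least-privilege point made here, and the "keys to the kingdom" concern raised in the identity section earlier, both come down to what a single credential is allowed to do. As an added example that is not from the CSA report or any vendor quoted in the article, the Python linter below reads the JSON policy grammar shared by AWS IAM identity policies and S3 bucket policies and flags the grants that most often make a stolen credential catastrophic: wildcard actions, sensitive actions on every resource, and public principals, each without a Condition. The sensitive-action table and the sample policies are this example's own assumptions.

```python
"""Least-privilege linter for IAM-style JSON policy documents.

Added example, not from the CSA report or any vendor quoted in the article.
The sensitive-action table and the sample policies are constructed.
"""
import json
from typing import Dict, List, Union

# Services and action prefixes whose misuse on '*' resources amounts to full control
# or bulk data access (this example's own table; extend to taste).
SENSITIVE_SERVICES = {"iam", "sts", "kms", "s3", "ec2", "lambda"}
SENSITIVE_PREFIXES = ("iam:", "sts:AssumeRole", "kms:", "s3:GetObject",
                      "s3:PutObject", "s3:Delete", "ec2:", "lambda:")


def _as_list(value) -> List:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _is_sensitive(action: str) -> bool:
    if action == "*":
        return True
    service, _, verb = action.partition(":")
    if verb == "*":
        return service in SENSITIVE_SERVICES
    return action.startswith(SENSITIVE_PREFIXES)


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms that make a resource policy public."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy: Union[str, Dict]) -> List[str]:
    """Return findings for Allow statements; an empty list means no broad grant was seen."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        conditioned = bool(stmt.get("Condition"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction grants everything except the listed actions")
        for a in actions:
            if a == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif a.endswith(":*"):
                findings.append(f"{sid}: Action '{a}' grants every call in the service")
        if "*" in resources and not conditioned and any(_is_sensitive(a) for a in actions):
            findings.append(f"{sid}: sensitive actions on Resource '*' with no Condition")
        if _is_public_principal(stmt.get("Principal")) and not conditioned:
            findings.append(f"{sid}: Principal '*' makes this resource public with no Condition")
    return findings


# Constructed sample policies: an admin-style identity policy, a public bucket
# policy, and a scoped policy that should produce no findings.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllBuckets", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for label, pol in (("broad", BROAD_POLICY), ("public", PUBLIC_BUCKET_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, "->", lint_policy(pol) or "OK")
```

A Condition is treated as mitigating because it is how a broad grant is normally fenced in practice (source VPC, MFA, TLS-only); the linter does not evaluate the condition itself, so a permissive one still passes and should be reviewed by hand.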
Key takeaways about cloud storage exfiltration in the report include:
The CSA report noted that its 2022 edition continued a nascent trend found in its previous version: a shift away from the traditional focus on information security issues such as vulnerabilities and malware. Regardless, these security issues are a call to action for developing and enhancing cloud security awareness, configuration, and identity management. The cloud itself is less of a concern, so the focus is now on how the cloud technology is implemented.