Threatening clouds: how can enterprises protect their public cloud data?

by Janice Allen


There is no end to the evidence that as more and more critical business data and business apps are hosted in the public cloud, cybercriminals are scrambling to exploit them.

While organizations average six different tools or features to secure their public cloud environments, 96% of decision makers still report that their organizations have experienced security incidents in the past 12 months. According to the Thales Cloud Security Study 2022, 45% of companies experienced a cloud-based data breach or failed audit in the past year. Ransomware data breaches increased 82% between 2020 and 2021, and interactive intrusion campaigns increased by 45%.

Hackers are increasingly aggressive in going after all the vulnerabilities they can find, and in stealing all the credentials and other valuable information they can.

“Cloud services are an essential part of the digital fabric of the modern enterprise,” notes a report from cybersecurity technology company CrowdStrike.


While the adoption of the cloud has brought greater agility, scalability and cost savings, it has also prompted a shift among adversaries. “Just as organizations have achieved efficiencies through the cloud, so have attackers,” the report’s authors write. “Threat actors use the same services as their prey, and for the same reason: to improve and optimize their operations.”

Cloudy view

According to Gartner VP analyst Patrick Hevesi, there are no inherent security risks in public clouds. In fact, hyperscale cloud providers typically have more layers of security, people, and processes than most organizations can afford in their own data centers.

However, the biggest red flag for organizations when selecting a public cloud provider is a lack of understanding of the provider's security measures, he said.

Some of the biggest problems in recent memory have been cloud storage bucket misconfigurations, Hevesi said, which have left files open to data exfiltration. Some cloud providers have also experienced outages due to misconfigurations of identity platforms. These prevented their cloud services from starting up properly, which in turn affected tenants.

Smaller cloud providers, meanwhile, have been taken offline due to distributed denial-of-service (DDoS) attacks. This is when perpetrators make a machine or network resource unavailable to the intended users by interrupting the services – short or long term – of a host connected to a network.

Forrester vice president and chief analyst Andras Cser identified the biggest problem as the software-based configuration of public cloud platforms — AWS, Google Cloud Platform, Microsoft Azure — that lack proper identity and access management.

“These configuration artifacts are easy to tweak and stay under the radar,” Cser says.

Insecure configuration of storage instances – for example, world-writable or unencrypted – also provides a threat surface for attackers. Cser said he also sees threats around container network traffic.

Multiple Attack Areas

The CrowdStrike report also identified these common cloud attack vectors:

  • Cloud Vulnerability Exploitation (Arbitrary Code Execution, Accellion File Transfer Appliance, VMware).
  • Credential theft (Microsoft Office 365, Okta, cloud hosted email or file hosting services).
  • Abuse of cloud service providers (especially with MSPs or managed service providers).
  • Using cloud services for malware hosting and C2.
  • Exploitation of misconfigured image containers (Docker containers, Kubernetes clusters).

According to the report, CrowdStrike also continues to see hostile activity when it comes to:

  • Neglected cloud infrastructure that is slated for retirement but still contains sensitive data. This creates vulnerabilities because organizations no longer invest in security controls for it – monitoring, detailed logging, security architecture, and remediation.
  • A lack of outbound restrictions and workload protection against data exfiltration. This is especially a problem when certain cloud infrastructures are neglected, yet contain critical business data and systems.
  • Adversaries exploiting loopholes in identity and multifactor authentication (MFA) strategies. This happens when organizations fail to fully implement MFA, to disable legacy authentication protocols that don’t support MFA, and to track and manage privileges and credentials for both users and cloud service principals.

How can organizations protect themselves from public cloud attacks?

Ultimately, it comes down to being strategic and diligent in selecting and continuously assessing public cloud service providers.

The most valuable tools according to Forrester’s Cser:

  • Cloud workload protection (CWP) or Cloud workload security (CWS): This process secures workloads that move across different cloud environments. Forrester’s Q1 2022 Forrester Wave report identified top providers in this area as Aqua Security, Bitdefender, Broadcom, Check Point, CrowdStrike, Kaspersky, McAfee, Palo Alto Networks, Radware, Rapid7, Sysdig and Trend Micro.
  • Cloud security posture management (CSPM): This tool identifies misconfigurations and compliance risks in the cloud. It continuously monitors the cloud infrastructure to identify security policy enforcement gaps.
  • Cloud-native application protection platform (CNAPP), which combines CWP and CSPM: This emerging process enables organizations to secure cloud-native applications throughout the entire application lifecycle. It integrates and centralizes otherwise siloed security functions into a single interface.
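
As an added illustration (not from the article, the cited reports or any vendor's product), the sketch below shows the kind of rule evaluation a CSPM tool performs, using the misconfigurations named on this page: world-writable or unencrypted storage, retired infrastructure that still holds sensitive data, unrestricted outbound traffic, missing MFA and legacy authentication. The inventory and its field names are constructed for the example and do not follow any provider's API schema.

```python
"""Minimal CSPM-style audit over a constructed inventory (hypothetical schema)."""

# Constructed sample inventory; field names are illustrative, not a provider API.
INVENTORY = [
    {"id": "bucket-reports", "type": "storage", "world_writable": True,
     "encrypted": False},
    {"id": "bucket-old-crm", "type": "storage", "world_writable": False,
     "encrypted": True, "retired": True, "sensitive_data": True},
    {"id": "bucket-logs", "type": "storage", "world_writable": False,
     "encrypted": True},
    {"id": "vm-batch", "type": "workload", "egress_allow": ["0.0.0.0/0"]},
    {"id": "vm-api", "type": "workload", "egress_allow": ["10.0.0.0/8"]},
    {"id": "alice", "type": "user", "mfa": True, "legacy_auth": True},
    {"id": "bob", "type": "user", "mfa": False, "legacy_auth": False},
]

# (rule id, resource type, predicate that is True when the resource is misconfigured).
# Protective settings (encryption, MFA) count as failed when the attribute is
# absent, so incomplete inventory data is reported instead of silently passing.
RULES = [
    ("STORAGE_WORLD_WRITABLE", "storage", lambda r: r.get("world_writable", False)),
    ("STORAGE_UNENCRYPTED", "storage", lambda r: not r.get("encrypted", False)),
    ("RETIRED_WITH_SENSITIVE_DATA", "storage",
     lambda r: r.get("retired", False) and r.get("sensitive_data", False)),
    ("EGRESS_UNRESTRICTED", "workload",
     lambda r: any(c in ("0.0.0.0/0", "::/0") for c in r.get("egress_allow", []))),
    ("MFA_NOT_ENFORCED", "user", lambda r: not r.get("mfa", False)),
    ("LEGACY_AUTH_ENABLED", "user", lambda r: r.get("legacy_auth", False)),
]


def audit(inventory):
    """Return sorted (resource id, rule id) pairs for every failed check."""
    findings = []
    for res in inventory:
        for rule_id, rtype, is_bad in RULES:
            if res.get("type") == rtype and is_bad(res):
                findings.append((res["id"], rule_id))
    return sorted(findings)


if __name__ == "__main__":
    for res_id, rule_id in audit(INVENTORY):
        print(f"{res_id}: {rule_id}")
```

Running such checks continuously against a live inventory export, rather than once, is what lets a posture tool catch configuration drift.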

Cloud security ‘holy grail’

Gartner establishes a complex, multi-layered, multi-component cloud security architecture:

The above solutions can protect IaaS, PaaS and SaaS public cloud environments, Hevesi said, and the above illustrates how they fit into the architecture technically. They are especially effective if the organization has multiple IaaS, SaaS, and PaaS cloud providers, as the cloud access security broker (CASB) can give security teams “a single glass” across all their platforms.

He suggests that organizations also consider the following:

  • What certifications does a public cloud provider have for its infrastructure?
  • What tools and processes do they have to maintain security and respond to incidents?
  • What physical security do they have?
  • How do they conduct background checks for their employees?
  • How do they secure tenants and protect user access to tenants and employees?

Threats arise when such examples are not identified and tracked by cloud providers, Hevesi said. Cloud misconfiguration is still the biggest problem regardless of IaaS, PaaS or SaaS.

“If a user with administrative access accidentally misconfigures a setting, it can have a huge impact on the infrastructure of the entire cloud provider, which in turn affects customers,” said Hevesi.

Silver lining

Experts point to the encouraging increased use of encryption and key management – used by 59% and 52% of Thales survey respondents respectively. Zero-trust models are also on the rise – according to Thales, 29% are already implementing a zero-trust strategy, 27% say they are evaluating and planning one, and 23% are considering it.

According to CrowdStrike, organizations should increasingly adopt cloud identity governance (CIG) and cloud infrastructure entitlement management (CIEM) solutions, and conduct AI-driven monitoring and investigations. It’s also critical to enable runtime protections and gain real-time visibility.

Defending the cloud will only become more complex as adversaries evolve and make more attempts to target cloud infrastructure in addition to apps and data, the report concludes. “With a comprehensive approach rooted in visibility, threat intelligence and threat detection, organizations can give themselves the best chance of leveraging the cloud without sacrificing security.”
