In their eighth annual State of the Cloud Survey of the latest cloud computing trends, RightScale found 91% of survey respondents have workloads in the public cloud. What’s more, addressing the public cloud is a top priority for 31% of enterprises that were surveyed. Such numbers reflect a growing confidence in cloud computing.
Traditionally, general cybersecurity concerns, as well as data loss and leakage issues, have acted as barriers to adopting cloud-hosted solutions. More workloads moving to the cloud indicates that enterprises are overcoming their fear of cloud security threats—enough, at least, to allow some of their data and applications to reside in the cloud.
Nevertheless, security threats and other risks of cloud computing still exist, and companies should take steps to avoid (or at least mitigate) them. In this blog post, we’ll review some of today’s most common cloud security threats and what enterprises can do to avoid them.
Who’s Responsible for Cloud Security?
To understand the risk that cloud security threats pose, it’s important to delineate responsibilities for securing different aspects of cloud computing. The split of responsibilities between the public cloud provider and the customer organization varies greatly depending on the computing model: SaaS, PaaS, or IaaS. To that end, let’s briefly explore the differences in cloud computing models…
Infrastructure-as-a-Service (IaaS) Cloud Computing
In the Infrastructure-as-a-Service (IaaS) model, the cloud service provider agrees to manage and secure the facilities, datacenters, network interfaces, processing, and hypervisors. The customer must manage and secure the virtual network, virtual machines, operating systems, middleware, applications, interfaces, and data.
Platform-as-a-Service (PaaS) Cloud Computing
That split of responsibilities changes a bit for the Platform-as-a-Service (PaaS) model. The cloud provider has the same duties as the IaaS provider, but also adds responsibility for the virtual network, virtual machines, operating systems, and middleware. The customer organization is left with responsibility for securing and managing applications, interfaces, and data.
Software-as-a-Service (SaaS) Cloud Computing
With Software-as-a-Service (SaaS) the cloud provider is responsible for the security of everything from the infrastructure to the application. The customer organization must ensure the security of its data as well as access to the application.
At the end of the day, however, the cloud provider and the enterprise customer must work under a shared responsibility model with the ultimate goal of keeping the enterprise’s data safe and secure. That said, let’s look at some of the top cloud security threats enterprises face today and what can be done to mitigate the risk of these cloud threats.
Misconfigurations of Cloud Hardware and/or Cloud Software
Configuration management can be difficult when deploying services and infrastructure to the cloud, and the misconfiguration of a critical component or feature can introduce serious cloud security vulnerabilities. The head of global security programs for Amazon Web Services once said that his biggest cause for concern is customers’ applications not being properly configured for security.
Under the AWS shared responsibility model, customers must secure the guest operating systems they run on AWS, up through the applications they are running. That leaves a lot of room for cloud configuration errors.
McAfee’s 2019 Cloud Adoption and Risk Report confirms that this is a big problem. According to the report, “Enterprise organizations have an average of 14 misconfigured IaaS/PaaS instances running at one time, resulting in an average of 2,269 individual misconfiguration incidents per month.”
As an example, McAfee reports that 5.5% of AWS S3 (storage) buckets have “world read permissions,” making them open to the public. Security firm Symantec says that it, too, has observed incorrectly configured access permissions that allowed anyone to access sensitive information stored in the cloud.
McAfee’s Cloud Adoption and Risk report cites a number of common misconfiguration mistakes, including:
- S3 bucket encryption is not turned on
- There’s unrestricted outbound access
- VPC Flow logs are disabled
- Multi-factor authentication is not enabled for IAM users
- EBS data encryption is not turned on
- Access to resources is not provisioned using IAM roles
- EC2 security group port is misconfigured
- EC2 security group inbound access is misconfigured
- Unencrypted AMI discovered
- Unused security groups discovered
Avoiding these and other cloud configuration mistakes often comes down to taking care of the basics:
- Be familiar with available security controls and default configurations and behaviors of each system component.
- Ensure that data encryption is turned on where available.
- Enforce multi-factor authentication to conduct major actions.
- Use least privilege access on all systems.
- Change default credentials and configuration settings to match your needs.
- Institute change control policies and practices.
- Perform security audits and configuration reviews to ensure that your environment is not suffering from any misconfiguration issues that can introduce security risks.
- Make sure that logs are turned on and capturing information that can be analyzed for security threats.
- Embrace automation and use technologies that continuously scan for misconfigured resources and remediate problems in real time.
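As an added illustration of the automated scanning recommended above (example code, not taken from McAfee's report or from any vendor tool), the following Python sketch checks four of the listed misconfigurations against configuration data. The sample records are constructed and use the field names of the EC2 DescribeSecurityGroups, DescribeNetworkInterfaces and DescribeVolumes responses; the set of admin ports and the definition of "unused" (not attached to any network interface) are assumptions of this example.

```python
import ipaddress

# Constructed sample data using the field names of the EC2 DescribeSecurityGroups,
# DescribeNetworkInterfaces and DescribeVolumes responses. All IDs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
NETWORK_INTERFACES = [{"Groups": [{"GroupId": "sg-0aaa"}]}]
VOLUMES = [{"VolumeId": "vol-0111", "Encrypted": False}, {"VolumeId": "vol-0222", "Encrypted": True}]
ADMIN_PORTS = {22, 3389}  # assumption: ports this example treats as sensitive


def open_to_world(rule):
    """True if any IPv4 or IPv6 range on the rule covers every address."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def exposes_admin_port(rule):
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return (rule["IpProtocol"] in ("tcp", "udp") and
            any(rule["FromPort"] <= p <= rule["ToPort"] for p in ADMIN_PORTS))


def audit_network_and_storage(groups, interfaces, volumes):
    findings = []
    # A group counts as in use when at least one network interface references it.
    in_use = {g["GroupId"] for ni in interfaces for g in ni["Groups"]}
    for sg in groups:
        for rule in sg["IpPermissions"]:
            if open_to_world(rule) and exposes_admin_port(rule):
                findings.append((sg["GroupId"], "admin port open to the internet"))
        for rule in sg["IpPermissionsEgress"]:
            if open_to_world(rule) and rule["IpProtocol"] == "-1":
                findings.append((sg["GroupId"], "unrestricted outbound access"))
        if sg["GroupId"] not in in_use:
            findings.append((sg["GroupId"], "unused security group"))
    findings += [(v["VolumeId"], "EBS volume not encrypted")
                 for v in volumes if not v["Encrypted"]]
    return findings
```

Run on a schedule against live inventory, the same checks turn the periodic configuration review into a continuous one.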
Identity and Access Management (IAM)
In the cloud, issues with identity and access management pose a very high risk and may include unauthorized access, stolen credentials, insider misuse of credentials, and more.
According to McAfee’s Cloud Adoption and Risk report, “On average, organizations experience 12.2 incidents each month in which an unauthorized third-party exploits stolen account credentials to gain access to corporate data stored in a cloud service. These incidents affect 80.3% of organizations at least once a month. Additionally, 92% of companies have cloud credentials for sale on the Dark Web.”
Symantec sums up the seriousness of compromised cloud access credentials: “Attackers can sell stolen cloud access credentials on underground forums for US$7-8 each. In most cases, the attackers misuse the stolen accounts to host their own command-and-control (C&C) servers or malicious sites in the cloud, in the hope that they can take advantage of the trust that users may have in the domain. Some attackers misuse the stolen resources to mine cryptocurrencies or launch distributed denial-of-service (DDoS) attacks. Of course, leaked or stolen credentials can also be used to access the client’s infrastructure and extract data.” This last outcome is what enterprises fear the most.
Malicious actors masquerading as legitimate users can read, modify, and delete data. Hackers also can issue control plane and management functions, snoop on data in transit, and release malware that appears to come from a legitimate source. The most common ways to steal cloud access credentials are through phishing emails, brute-forcing easy-to-guess passwords, or information-stealing malware.
There are a number of best practices to help prevent cloud credential and access abuse, including:
- Automate the rotation of cryptographic keys and passwords
- Use a scalable identity and credential management system
- Use multi-factor authentication
- Use strong passwords
- Limit the use of root accounts and admin accounts
- Segregate and segment accounts, virtual private clouds (VPCs) and identity groups based on business needs and the principle of least privilege
- Remove unused credentials and privileges
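Several of these practices can be checked mechanically. The Python sketch below is an added example, not part of the reports quoted above: it parses a CSV in the column layout of the AWS IAM credential report and flags an active root access key, console passwords without MFA, keys overdue for rotation, and credentials that have gone unused. The sample rows are constructed, only the first access key's columns are examined, and the 90-day threshold and fixed reference date are assumptions of this example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using a subset of the IAM credential report's columns;
# the users and dates are made up.
REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,not_supported,2024-05-30T08:00:00+00:00,true,true,2023-01-10T00:00:00+00:00,2024-05-29T00:00:00+00:00
alice,true,2024-05-28T09:00:00+00:00,false,false,N/A,N/A
build-bot,false,N/A,false,true,2023-02-01T00:00:00+00:00,2024-05-31T00:00:00+00:00
carol,true,2023-11-01T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible
MAX_AGE_DAYS = 90  # assumption: rotation and inactivity threshold for this example


def age_days(stamp):
    """Days since an ISO 8601 timestamp; None for N/A, no_information, etc."""
    try:
        return (NOW - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None


def stale(stamp):
    age = age_days(stamp)
    return age is None or age > MAX_AGE_DAYS


def audit_credential_report(report_csv):
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, key_on = row["user"], row["access_key_1_active"] == "true"
        if user == "<root_account>" and key_on:
            findings.append((user, "root access key is active"))
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            if stale(row["password_last_used"]):
                findings.append((user, "password unused"))
        if key_on:
            if stale(row["access_key_1_last_rotated"]):
                findings.append((user, "access key overdue for rotation"))
            if stale(row["access_key_1_last_used_date"]):
                findings.append((user, "access key unused"))
    return findings
```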
Inability to Effectively Protect, Inspect, and Respond to Cloud Threats
As McAfee’s report points out, security incidents are no longer isolated to PCs and applications on the network, owing primarily to the scale of corporate data stored in the cloud today as well as the sheer number of events taking place in the cloud. However, many organizations have not yet adapted their security programs to address cyber threats in the cloud.
Traditional endpoint security tools like endpoint detection and response (EDR) platforms and next-generation anti-virus (NGAV) software aren’t optimized for detection and response in the cloud. Many of these types of solutions require an agent to collect data, and this may not be possible with cloud deployments. Nonetheless, it’s critical that security teams and incident responders can discover, inventory, inspect, detect, and respond to security incidents on AWS workloads without installing agents, deploying containers, or navigating the AWS Console.
The shared responsibility model comes into play here. Your cloud service provider is responsible for monitoring the infrastructure and services provided to your enterprise, but is not responsible for monitoring the systems and applications your enterprise creates using the provided services, or the data you place in the cloud. The cloud provider may give your organization monitoring information related to your use of the cloud’s services. This information should be used to augment data from your own monitoring tools.
For your cloud assets, applications, and infrastructures you need a tool that can proactively expose, investigate, and help you eliminate threats and vulnerabilities resident within your cloud environment. And, if you have a hybrid cloud deployment, choose a tool that can detect and respond across both your on-premises and cloud environments.
If you’ve had your cloud applications for a while and don’t feel confident about your cloud security posture, contact us about scheduling an agentless cloud security assessment to expose unknown threats, vulnerabilities, and other risks resident in your cloud environments. Knowing what is — or isn’t — hiding within your cloud is the first step to eliminating risk.