
Cloud services also popular with attackers – Three tips to improve security  

Cyber experts continue to encounter cases where neglected cloud infrastructures still contain critical business data and systems.

Roland Daccache, Systems Engineering Manager, META, CrowdStrike

Cloud services are an essential part of the digital infrastructure of modern enterprises. While their use has brought many companies more opportunities for collaboration, flexibility, scalability and cost savings, it has also created a new attack surface. That’s because as the services have grown in popularity, the focus of attackers has also shifted. More and more cyber actors are abusing cloud services for their machinations.  

The most common cloud attack vectors used by eCrime attackers and other intruders include: 

  • the exploitation of cloud vulnerabilities 
  • the theft of credentials 
  • the abuse of cloud service providers 
  • the use of cloud services for hosting malware and command and control (C2) 
  • the exploitation of misconfigured image containers 

Another trend, according to the Global Threat Report: Cloud Security 2022, is attacks on decommissioned or neglected cloud infrastructures to tap sensitive data. This is because these environments often no longer support security controls such as monitoring, detailed logging, security architecture and planning, and vulnerability remediation, making them an attractive target.

The pandemic has accelerated digital transformation and the adoption of cloud services at many companies. Some have decided to go all-in on the cloud, others have only gradually moved certain services and functions to different cloud platforms. And still others, who were early cloud adopters, moved from older cloud implementations to newer architectures in hopes of better scalability, maintenance and security.

Cyber experts continue to encounter cases where neglected cloud infrastructures still contain critical business data and systems. Attacks on such systems have led to sensitive and reportable data leaks in the past, resulting in costly incident response and reputational damage. And in some cases, where the systems were still providing critical services that had not yet been fully transitioned to a new infrastructure, these attacks resulted in momentous service outages. In addition, the investigation, containment and recovery from such incidents had a very negative impact on some organizations. 

When companies only had to worry about their on-premises systems, it was easier to monitor and analyse activity in some cases. Unfortunately, the traditional security and networking tools that worked in many legacy environments do not carry over to the cloud.

As a result, many organizations have opted for a mix of homegrown and legacy approaches that create silos and make management difficult. Insufficient visibility means security risks can go unnoticed and open the door to attackers. Security teams that have visibility into attackers’ tools and tactics have the best chance of detecting and stopping threats faster. 

Here are three key cloud security principles they should keep in mind. 

  1. Enable runtime protection and provide real-time visibility. Enterprises can’t protect against what they can’t see – this includes infrastructure that is about to be decommissioned. Central to securing cloud infrastructure to prevent breaches is runtime protection and the visibility that cloud workload protection provides. It remains critical to protect workloads with next-generation endpoint protection, including servers, workstations and containers, whether they are in an on-premises data centre or hosted in the cloud.
  2. Eliminate configuration errors. The most common cause of cloud intrusions continues to be human error and oversights that occur during general management activities. It is important to set up a new infrastructure with cloud-specific processes and audit measures that facilitate secure operations. One way to do this is to use a cloud account factory to easily create new sub-accounts and subscriptions. This strategy ensures that new accounts are set up in a predictable manner, eliminating common sources of human error. Also, make sure you set up roles and network security groups that prevent developers and operators from having to create their own security profiles and inadvertently creating new vulnerabilities.
  3. Leverage a CSPM solution. Enterprises should ensure that their cloud account factory enables detailed logging and cloud security posture management (CSPM) with alerts to responsible parties, including cloud operations and security operations centre (SOC) teams. Unmanaged cloud subscriptions should be actively searched for. Once they are identified, it is important to ensure that the responsible parties are either made to decommission any cloud shadow IT or have it incorporated into your CSPM and fully managed. The CSPM should be used for the entire infrastructure until the day the account or subscription is fully decommissioned to ensure that operations teams have ongoing visibility.
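As an added illustration of the second and third principles (example code written for this page, not code from the article or from CrowdStrike), the script below runs the kind of posture checks an account factory and a CSPM would automate: it flags live subscriptions that are unowned or outside logging/CSPM coverage, flags accounts built outside the factory or carrying hand-made rules that expose admin ports to the whole internet, and routes each finding to the account owner or, when nobody owns the account, to the SOC. The inventory, its field names and the choice of 22/3389 as admin ports are constructed assumptions, not any provider's API.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    account_id: str
    owner: Optional[str]        # None = nobody has claimed this subscription
    created_by_factory: bool    # provisioned through the account factory (tip 2)
    logging_enabled: bool       # detailed logging switched on (tip 3)
    cspm_enrolled: bool         # reporting into the CSPM (tip 3)
    decommissioned: bool = False
    ingress_rules: List[str] = field(default_factory=list)  # "CIDR:port" rules on its security groups

def find_shadow_accounts(inventory: List[Account]) -> List[str]:
    """Tip 3: live subscriptions that are unowned or outside CSPM/logging coverage."""
    return [a.account_id for a in inventory if not a.decommissioned
            and (a.owner is None or not a.cspm_enrolled or not a.logging_enabled)]

def find_config_drift(inventory: List[Account]) -> List[Tuple[str, str]]:
    """Tip 2: accounts built outside the factory, or rules exposing admin ports to everyone."""
    findings = []
    for a in inventory:
        if a.decommissioned:
            continue
        if not a.created_by_factory:
            findings.append((a.account_id, "not provisioned by the account factory"))
        for rule in a.ingress_rules:
            cidr, port = rule.rsplit(":", 1)
            # prefixlen 0 = the whole internet (0.0.0.0/0 or ::/0); 22/3389 = SSH/RDP admin ports
            if ip_network(cidr).prefixlen == 0 and port in {"22", "3389"}:
                findings.append((a.account_id, f"admin port {port} open to the internet"))
    return findings

def route_alerts(inventory: List[Account]) -> Dict[str, List[str]]:
    """Send each finding to the account owner, or to the SOC when nobody owns the account."""
    owners = {a.account_id: a.owner for a in inventory}
    alerts: Dict[str, List[str]] = {}
    for acct, msg in find_config_drift(inventory) + [
            (s, "unmanaged subscription") for s in find_shadow_accounts(inventory)]:
        alerts.setdefault(owners[acct] or "soc", []).append(f"{acct}: {msg}")
    return alerts

# Constructed inventory (not real accounts or a vendor API): factory-built, neglected legacy, managed HTTPS, retired
INVENTORY = [
    Account("111111111111", "platform-team", True, True, True, ingress_rules=["10.0.0.0/8:22"]),
    Account("222222222222", None, False, False, False, ingress_rules=["0.0.0.0/0:22", "0.0.0.0/0:443"]),
    Account("333333333333", "data-team", True, True, True, ingress_rules=["0.0.0.0/0:443"]),
    Account("444444444444", "retired-team", False, False, False, decommissioned=True),
]
```

Only the neglected legacy account produces findings; the retired account is skipped because it is already fully decommissioned, and a rule admitting the internet on 443 is not treated as drift.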

Defending the cloud is likely to become even more complex, as not only are cloud services constantly evolving, but attackers are also increasingly looking to attack cloud infrastructure as well as applications and data. However, with a comprehensive approach based on visibility, up-to-date threat intelligence and cloud-specific threat detection, enterprises have the best chance of leveraging the cloud without sacrificing security.