It’s now an old cliché that anyone who doesn’t move to the cloud is left behind. As a result, cloud security has been on the list of “hot new trends” for the past few years with no sign of slowing down.
In 2020, the National Security Agency (NSA) suggested as much: cloud misconfigurations are by far the biggest threat to cloud security. CrowdStrike’s “Global Threat Report 2023” (login required) listed “continued growth in cloud exploitation” as one of the top five themes for 2024. And Palo Alto Networks recently listed “cloud security and identity access management” as one of its own top five concerns this year. Cloud migration and transformation are on every company’s agenda, even though cloud security is rarely funded sufficiently from the start. (Apparently, we are destined to learn the same lessons over and over again.)
Top 11 Cloud Security Threats
The Cloud Security Alliance (CSA) is a non-profit organization dedicated to establishing and raising awareness of best practices that help ensure a secure cloud computing environment. In 2022 and 2023 it surveyed experts to identify the key cloud challenges and threats, which it calls the Pandemic 11 (login required):
- Insecure interfaces and application programming interfaces (APIs)
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insecure software development
- Unsecured third-party resources
- Accidental disclosure of data in the cloud
- Misconfiguration and exploitation of serverless and container workloads
- Organized crime, hackers and advanced persistent threats (APTs)
- Exfiltration of cloud storage data
This is a mix of threat actors and attack vectors that forms an overlapping and non-exhaustive picture, but it is still a useful lens into the minds of the survey participants. In 2023, the CSA mapped major breaches (Okta, Dropbox, Department of Defense, Uber, Lastpass, Log4j, Codecov, Cozybear, and GeneralBytes) against the list and identified which combination of the 11 was at work in each attack.
In recent years we have seen misconfiguration-driven data leaks across all the major cloud storage options. Fortunately, as KnowBe4’s Robert Grimes points out, many of the issues we expected to be problematic several years ago have not become problems (yet), including tenant collisions, cloud-based malware, guest-to-guest and guest-to-host attacks on virtual machines, deletions, and data ownership issues. That said, there is more than enough to keep everyone busy, if not overwhelmed.
10 ways to protect yourself from the Pandemic 11
So, what can we do differently? This list is neither exhaustive nor simple, but these are some effective strategies we have seen in practice:
- Build a serious identity program. Many companies have been investing in identity security tools for years, but are not putting enough energy into building the identity environment they need and want. It is a serious commitment and requires a serious investment of resources. Gartner recommends “[selecting] the right key management as a service to mitigate data security challenges in the cloud. Stay compliant and maintain control over your cloud data regardless of where it resides.”
- Ensure teams use an API integration platform as a service (PaaS) to secure your interfaces and APIs and to provide adequate management and oversight.
- Regularly audit your configurations as part of a robust change and audit management process. Document the process and ensure teams know and follow it.
- Spend time designing the architecture and strategy of your desired future state. Establish metrics to enable accountability and update them regularly. Unfortunately, the standard practice of accumulating cloud infrastructure without a plan inevitably results in waste, unexpected expenses, and usage costs that far exceed expectations.
- Involve security early in the software development life cycle (SDLC), as everyone has been saying for the last 20 years.
- Build automated processes to verify third-party security. Third-party risk management has been around for a long time and there are many tools to manage it. The question is whether you have the will and the time to carry out the relevant processes and verify the appropriate resources. As organizations now understand, third-party source code and libraries pose a huge risk to development.
- Automate vulnerability management programs to include patching and tie them tightly to asset management. Vulnerability management is only as effective as the asset and configuration inventories and management programs behind it. The time has come to elevate IT asset management to a core pillar and constantly improve its function.
- Check, check, check. The cloud offers many efficiency benefits, but it also makes accidental data leaks much easier. Organizations need robust training programs, IT auditing initiatives, legal planning, and so on.
- Provide security control across serverless and container environments. While serverless and containers can make IT management more cost-effective, they also make it more opaque from a security standpoint. Security teams need resources dedicated to these environments.
- Continue to invest in threat hunting and learn about the government agencies that can help you if you encounter organized crime or a potential APT. Few organizations have adequate resources to combat true persistent threats, but CISA has significantly expanded its support services.
Processes can address cloud threats
My colleague Justin Whitaker recently extolled “The lost art of platform architecture design documentation.” He wrote:
“Design and architecture diagrams are table stakes for organizations with mature cyber risk management programs. A variety of common security assessments (e.g., system architecture reviews, system security plans, and threats) require design and architecture documents. The alternative to full design documentation includes lengthy security questionnaires and multiple data collection sessions with security teams to gather all the necessary information, much of which would otherwise be captured in a design document.”
This could not be more true for the cloud. Design and architecture documentation is the starting point for building the process. All 11 CSA cloud threats can be addressed with the right processes. It is past time to get started in earnest.