Research released on Thursday by Valtix found that 95% of IT leaders say Log4Shell was a wake-up call for cloud security, changing it permanently. Some 87% feel less confident about their cloud security now than they did prior to the incident.
The research also found that, even three months after the incident, 77% of IT leaders are still dealing with Log4Shell patching, and 83% say that Log4Shell has impacted their ability to address business needs.
Business operations are built around software, and when an underpinning of that software becomes vulnerable, it disrupts business operations at scale, across industries, said Davis McCarthy, principal security researcher at Valtix. McCarthy said IT teams now have an embedded vulnerability that isn’t just in the software stack; it’s in the business stack.
“Years of software development will turn to years of remediation,” McCarthy said. “There’s no such thing as an invulnerable app. As IT leaders refocus their efforts to gain visibility and control, applying defensive strategies outside the app — even in the cloud — is a must.”
Matthew Warner, co-founder and CTO at Blumira, said that for organizations that don’t already have a solid understanding of their exposed attack surface, moving to a cloud environment can create critical gaps in security visibility, compounding that lack of knowledge. Warner said Log4Shell was a reminder for IT professionals that it’s important to understand your attack surface not only from a port-exposure perspective but also in terms of the actual applications in use.
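One concrete form of the application-level visibility Warner describes, added here as an example and not code from the Valtix report or from any vendor quoted on this page: a scanner that inventories log4j-core versions inside Java archives, including jars bundled inside WARs or shaded into other jars, and reports whether the JndiLookup class that Log4Shell abuses is still present. The version thresholds are those published in Apache's Log4j security advisories; the archives it scans are constructed fixtures, not real artifacts.

```python
"""Inventory log4j-core versions inside Java archives on disk (added example,
not code from the Valtix report or any vendor quoted; fixtures are constructed).
Walks a tree, opens each .jar/.war/.ear including archives nested inside
archives, reads log4j-core's pom.properties for the version and checks whether
JndiLookup.class, the Log4Shell entry point, is still present."""
import io
import os
import tempfile
import zipfile
from collections import namedtuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Fix thresholds per release branch from Apache's Log4j security advisories:
# 2.3.x is the Java 6 branch, 2.12.x the Java 7 branch, the rest is Java 8+.
LOG4SHELL_FIXED = {(2, 3): "2.3.1", (2, 12): "2.12.2"}   # CVE-2021-44228, default 2.15.0
FULLY_PATCHED = {(2, 3): "2.3.2", (2, 12): "2.12.4"}     # later 2.x CVEs, default 2.17.1
Finding = namedtuple("Finding", "path version jndi_lookup_present status")

def parse_version(v):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0) so it sorts below 2.0."""
    main, _, suffix = v.partition("-")
    parts = tuple(int(p) for p in main.split(".") if p.isdigit())
    return (parts + (0, 0, 0))[:3] + ((0,) if suffix else (1,))

def classify(version, jndi_present):
    v = parse_version(version)
    if v[0] != 2:
        return "outside the 2.x line (log4j 1.x is end-of-life; assess separately)"
    shell_fixed = parse_version(LOG4SHELL_FIXED.get(v[:2], "2.15.0"))
    patched = parse_version(FULLY_PATCHED.get(v[:2], "2.17.1"))
    if v < shell_fixed:
        return ("VULNERABLE: CVE-2021-44228 (Log4Shell), upgrade" if jndi_present
                else "mitigated: JndiLookup.class removed, but still upgrade")
    if v < patched:
        return "upgrade: Log4Shell fixed, later log4j 2 CVEs are not"
    return "ok"

def scan_archive(data, label, out):
    """Append findings for one archive; recurse into nested archives (WEB-INF/lib, shaded jars)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), None)
            if version:
                jndi = JNDI_LOOKUP in names
                out.append(Finding(label, version, jndi, classify(version, jndi)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), label + "!" + name, out)

def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            with open(path, "rb") as fh:
                scan_archive(fh.read(), path, findings)
    return sorted(findings)

def _fake_jar(version, with_jndi):
    # Constructed stand-in: only pom.properties and, optionally, a placeholder JndiLookup.class.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # not real bytecode
    return buf.getvalue()

def demo():
    """Scan a constructed tree; return {relative archive path: status}."""
    war = io.BytesIO()  # WAR bundling a 2.14.1 jar "patched" by deleting JndiLookup.class
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_jar("2.14.1", False))
    files = {"lib/log4j-core-2.14.1.jar": _fake_jar("2.14.1", True),
             "lib/log4j-core-2.12.2.jar": _fake_jar("2.12.2", True),
             "lib/log4j-core-2.17.1.jar": _fake_jar("2.17.1", True),
             "app.war": war.getvalue()}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        result = {}
        for f in scan_tree(root):
            outer, _, inner = f.path.partition("!")
            result[os.path.relpath(outer, root) + ("!" + inner if inner else "")] = f.status
    return result

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:60} {path}")
```

Point `scan_tree` at an application server's deployment directory to get the same report for real archives. Note that the class-deletion mitigation and the per-branch thresholds are both handled: a 2.14.1 jar with JndiLookup removed is reported as mitigated rather than vulnerable, and 2.12.2 on the Java 7 branch is reported as Log4Shell-fixed but still behind the final 2.12.4.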
“The introduction of cloud architecture can introduce some new risks, such as misconfigurations and insufficient identity and access controls,” Warner said. “These risks existed before remote work, but have grown quickly, such as lack of employee awareness, solution sprawl, and lack of visibility into employee actions. There are also cloud misconfigurations, leaving an unencrypted data store exposed to the public internet without requiring authentication, or failing to apply the least privilege principle. And organizations have also experienced data loss due to the ease of sharing data from cloud services with internal and external parties.”
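As an added example (not code from the Valtix report or from Blumira), a small check for the bucket-level misconfigurations Warner lists, written against the AWS IAM JSON policy syntax: it flags Allow statements that grant access to the anonymous principal with no Condition, service-wide wildcard actions, and the absence of a Deny on unencrypted (non-TLS) transport. Both policy documents are constructed samples, and the account ID and role name in them are placeholders. Encryption at rest is a bucket setting rather than a policy statement, so this check covers only transport.

```python
"""Lint an S3 bucket policy for public, over-broad and unencrypted access.

Added example, not code from the Valtix report or any vendor quoted here.
Assumes the AWS IAM JSON policy syntax; WEAK_POLICY and FIXED_POLICY are
constructed samples and the account ID / role name are placeholders."""

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _is_public(principal):
    """'*' or {"AWS": "*"} grants to everyone on the internet, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit(policy):
    """Return (rule, statement index or None, detail) findings for one policy document."""
    findings, denies_plaintext = [], False
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {})
        if st.get("Effect") == "Deny":
            # The standard way to force TLS: deny all S3 actions when aws:SecureTransport is false.
            transport = cond.get("Bool", {}).get("aws:SecureTransport")
            if str(transport).lower() == "false" and any(a in ("*", "s3:*") for a in actions):
                denies_plaintext = True
            continue
        if st.get("Effect") != "Allow":
            continue
        # A public grant with a Condition (e.g. source IP) is narrowed and still needs review,
        # but only the unconditional case is flagged here as "exposed without authentication".
        if _is_public(st.get("Principal")) and not cond:
            findings.append(("public-unauthenticated", i, f"anyone may {actions} with no Condition"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(("not-least-privilege", i, f"service-wide wildcard action {wild}"))
    if not denies_plaintext:
        findings.append(("no-secure-transport-deny", None, "no Deny for aws:SecureTransport=false"))
    return findings

BUCKET = "arn:aws:s3:::example-data"  # placeholder bucket name

# Constructed: world-readable and world-writable, any action, over plain HTTP.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"]}]}

# Constructed: one named role, one action, and TLS enforced for everyone.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},  # placeholder
     "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit(pol) or "no findings")
```

Run against an exported policy (for example the JSON returned by the bucket policy API) to get the same three-rule verdict; the weak sample trips all three rules and the corrected one trips none.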
Casey Ellis, founder and CTO at Bugcrowd, said that it’s not surprising to learn that 87% of respondents in this report feel less confident now about cloud security than they did before.
“They've just had a crash course demonstration of the fact that the cloud is built on open-source software, which is just as subject to vulnerabilities as their own code,” Ellis said. “And as defenders, there’s quite literally no such thing as 100% secure, even with all of the other security advantages afforded by using the cloud.”
Chris Olson, CEO at The Media Trust, said IT leaders are right to see Log4Shell as a wake-up call for cybersecurity in the cloud. Olson said that, as one of many software supply chain vulnerabilities to emerge in the past two years, it reminds us that cloud configurations are built on top of many third-party dependencies, from cloud service provider products to software components.
“One vulnerable partner can be the weak link in a chain leading to cryptomining, botnets, ransomware attacks, and data breaches,” Olson said. “In response, organizations need to [determine who's in their digital ecosystem] — and then take ownership to protect themselves and their customers from attacks. This caution extends to all digital surfaces, including cloud platforms, but also websites and mobile apps. From the configuration stage onwards, cybersecurity must be a top priority, with continuous monitoring to detect and remove vulnerable third-party components.”