Enterprises across every vertical in every geography have moved to the cloud en masse. The cloud has revolutioned the way IT infrastructure gets managed – removing the need to purchase, install, and configure hardware – shifting the focus to building applications.

Cloud-first enterprises are reaping the benefits of greater flexibility, improved business continuity, and cost reduction. Not surprisingly, Gartner anticipates that 70% of all enterprise workloads will get deployed in cloud infrastructure platform services by 2023, up from 40% in 2020. Further, Gartner predicts worldwide spending on public cloud services will reach $600 billion in 2023.

Cloud-first doesn’t always mean security-first

Despite realizing many of the promises of the cloud, enterprises have also quickly realized the many security challenges that follow. Unanticipated pressures driven by the pandemic to provide remote work capabilities and access to business critical systems from anywhere anytime greatly accelerated a trend that was not really supposed to be completed in just two years. In great haste, many overwhelmed enterprises relied on security from the public cloud platform providers, or opted to rely on solutions that applied  legacy on-premises security technologies to the cloud.

What seemed like an easy security fix at first has started betraying enterprises. Even though cloud platform providers are responsible for securing the infrastructure, the security of the applications and services running in the cloud falls on the enterprise. With cloud adoption showing no signs of slowing, enterprises are realizing their security comes up short, as they deploy more and more cloud-native applications, while security teams struggle to keep up.   

To add more fuel to the fire, enterprises across the globe are at serious risk of being attacked by cyber criminals every day. In the past year, critical and ubiquitous vulnerabilities like Log4Shell, and to a lesser extent Spring4Shell, had security teams working around the clock. In addition to all this, teams are dealing with tremendous global unrest, heightening the chance of cyberattacks on enterprises. According to IDC, in 2021, 98% of companies experienced a cloud data breach in the last 18 months, up from 79% in 2020.

Lessons learned to set the path forward

For companies to move forward securely, it’s important that they understand where they’re falling short, what the gaps are, and what actions organizations need to  take to strengthen cyber security postures. With 2023 on the horizon, there’s no better time to reflect and reframe cloud security mistakes as an opportunity to learn and develop.

Our recent research analyzing data from billions of cloud assets across AWS, Azure and Google Cloud scanned by our platform sheds light on the current state of public cloud security and the critical gaps that are leaving enterprises vulnerable to damaging attacks. Many, if not all, of the key findings from the report can serve as a guide for security teams looking to fix the most glaring gaps in public cloud security in the new year. Let’s break down some of those findings and what actions security teams can take to ensure a stronger cloud security posture in 2023. Here’s a checklist to follow:

  • Prioritize patching. 

Whenever possible, security teams should patch systems with known vulnerabilities. The research found that an alarming 78% of identified attack paths use known vulnerabilities (CVEs) - including Log4j - as an initial access attack vector.

However, given the sheer number of vulnerabilities discovered every day, coupled with the fact that patching complex, mission critical systems requires rigorous testing rather than a simple update, means it's impossible to keep up with each newly discovered vulnerability.

Here’s where we need strategic remediation. It’s impossible to patch all vulnerabilities, so it’s important to understand which vulnerabilities enable dangerous attack paths and prioritize those risks first. To do this successfully, organizations will require deep and wide insight into cloud workload, configuration, and identity risks and how attackers can leverage a combination of these risks to reach their end target.

  • Get back to basics. 

The research also found that even the most basic security measures are not being followed. For example, 42% granted administrative permissions to more than 50% of the organization’s users and 71% use the default service account in Google Cloud.

Reviewing the fundamental security building blocks like Multi-Factor Authentication, good password management, adhering to the principle of least privilege, encrypting critical assets and strong port security are key actions security teams can take immediately to fix glaring security gaps in the cloud.

  • Embrace cloud-native services. 

Although easy to spin up, cloud-native services can quickly create risks, misconfigurations, and headaches for security teams. The research found that

69% of cloud-native services have at least one serverless function exposing secrets in the environment variable; another 70% have a Kubernetes API server that’s publicly accessible, and 16% of containers are in a neglected state (unsupported operating system or unpatched for 180+ days).

Other experts and analysts have also pointed to relaxed configuration and management of cloud-native services as an issue in the past. In its 2021 Hype Cycle for Cloud Security, Gartner predicts that through 2025, more than 99% of cloud breaches will originate from preventable misconfigurations or mistakes by end users.

Security teams can decrease the existence of these gaps by having access to a full and comprehensive cloud asset inventory, utilizing checklists when creating and configuring cloud assets and resources, as well as onboarding and offboarding users, and performing regular configuration audits.

Moving forward, cloud remains high on the enterprise agenda and shows no signs of slowing. As cloud grows, so do the security concerns, making it more important for enterprises to reflect and reevaluate 2023 cloud security approaches. Anyone that has worked in cybersecurity for any tenure knows that there’s a high probability of at least one global, critical vulnerability next year. By looking back and analyzing the cloud security mistakes made in 2022, enterprises can better prepare themselves for future events, big or small.

Avi Shua, chief executive officer, Orca Security