In 2022, security practitioners struggled to address the growing attack surface created by their rapid push to remote work and cloud-based operations during the previous two years. Cyber criminals exploited new vulnerabilities — including those introduced by the growing use of third-party software — to launch ransomware and other attacks.
But with tools like zero trust, XDR and more automated threat intelligence tech to bolster vulnerability management, cloud, email and endpoint security, organizations fought back — and established plans to invest more to secure networks and data in the next two years.
The following is the second of a seven-part series about where security practitioners struggled and, in many cases, made headway throughout 2022. Here, we focus on their cloud security challenges.
Security an afterthought amid rapid shift to cloud
Security executives recognize that most business technology systems will be maintained in a cloud environment moving forward. But in 2022, the way forward was littered with hazards.
An October 2022 article in SC Media captured the risk, noting that the average company possessed 157,000 sensitive records exposed to everyone on the internet by SaaS apps' sharing features, representing $28 million in data-breach risk. Also in October, security vendor Proofpoint reported that 2021 data from its customer base showed troubling trends: more than 90% of monitored cloud tenants were targeted every month, with some 24% successfully attacked.
Indeed, the last year demonstrated the dramatic and costly ramifications that typically result when organizations fail to address security as part of larger, IT-driven evolutions in how they operate.
When companies rushed into the cloud at the start of the pandemic, the focus was to simply keep business afloat and provide employees with the ability to work from home. In the emergency, security often wasn’t top of mind. Throughout 2022, security practitioners acknowledged the security risks.
In October, Cloud Security Alliance (CSA) researchers reported that only 39% of organizations surveyed said they had high levels of confidence in their ability to secure cloud data, while only 4% reported sufficient security for 100% of their data in the cloud. The survey also found that third parties, contractors, and suppliers are the most commonly targeted groups (58%) in cyberattacks. And some 92% of those that have already experienced a data breach believe they will experience another breach of cloud data in the next 12 months.
The CSA findings were similar to during its 2022 survey of more than 300 IT and cybersecurity decision-makers and influencers in the United States. Respondents warned that to manage the risk. The study also revealed that even as some organizations learned and adopted “cloud-first” frameworks and procedures, others simply lifted and shifted their current applications to the cloud with little to no customization, creating the potential for significant long-term risks to their security posture.
As a result, 37% of respondents reported their organization experienced a cloud-based attack or breach in the last two years. On average, this amounted to four attacks per victim since 2020. As cloud-based assets/workloads increased, 50% of respondents were very concerned about their ability to secure their cloud systems, with 72% “extremely” or “very” concerned.
Understandably, increased reliance on cloud environments brought heightened concern. According to the survey, 55% of respondents said they were running up to 50 assets/workloads in the public cloud and 56% on hosted clouds; on average, respondents maintained 66 assets in either public or hosted clouds. Specifically, in the eyes of security practitioners, the surge translated to increased risk of misconfiguration, depleted detection and response capabilities, and oversight challenges.
More vulnerabilities = more data breaches
In 2022, headlines about data breaches enabled by cloud vulnerabilities appeared almost daily. As recently as October, in fact, SOCRadar reported that their cloud security monitoring platform identified an exposed Microsoft Azure Blob server bucket that contained sensitive, non-public data for more than 65,000 Microsoft customers across 111 countries. The company said the leak, which they called BlueBleed, included proofs of concept and statements of work, personally identifiable information, intellectual property, product orders, project details and other user information.
Furthermore, 2022 demonstrated how companies can be held responsible for such breaches if they are deemed to be the result of a failure to effectively secure cloud environments. Consider the grocery chain Wegmans, which in late June was hit with a $400,000 fine imposed by the New York State Attorney General for allegedly exposing the personal information of some 3 million shoppers. The AG said the company kept information such as addresses and driver’s license numbers in cloud storage containers that were misconfigured for over three years, during which time a bad actor could have easily cracked the login and made off with the data.
As stated in the ruling, there is “no excuse” in the 21st century for companies to have subpar cybersecurity systems.
The lesson: Much like email-based phishing and malware delivery, attempted cloud account compromise has developed into a substantial and permanent feature of the threat landscape, and companies that fail to address risks can face significant consequences.
The path to cloud security
The news wasn’t all doom and gloom, however. Challenges aside, some respondents to the CRA Business Intelligence survey expressed hope for real progress in their cloud security initiatives in 2022 and beyond. Ninety percent reported plans to spend 3% to 10% more on cloud defenses than they had in 2021, an encouraging sign of recognition not only by security leaders but also by the boards and executive teams that typically influence the purse strings.
They also found that investments in new tools were helping to bolster cloud security. Sixty-nine percent were spending more on vulnerability management, for example, while 56% were adopting a cloud workforce protection platform and 45% were investing in container security.
While some respondents described the impact of the rapid adoption of cloud in terms of being “so much harder to protect information,” and “vulnerable due to the amount of data being moved and integrated,” others were more optimistic and believed “early-stage hiccups would settle after some time and the cloud would become the best option.”