Nothing sends a chill down a CISO’s spine like news of a data breach that originated from public cloud vulnerabilities.
Attacks on public cloud infrastructure can do irreparable harm to organizations. Some of the more insidious consequences include exposure or theft of sensitive data, operational sabotage, disruption of critical services, steep financial penalties, as well as erosion of public trust and loss of customers.
Recent findings indicate cloud security is a constant struggle for many SOC teams.
- The average company storing data in the cloud is estimated to have about 157,000 sensitive records exposed to anyone on the internet due to insecure SaaS apps, which amounts to roughly $28 million in data-breach risk.
- An investigation by IBM Security X-Force revealed a sixfold increase in new cloud vulnerabilities over the past six years, with 26% of cloud compromises the result of attackers exploiting unpatched vulnerabilities.
- Even though 2 out of every 3 organizations are known to host sensitive data or workloads in the public cloud, just under a third of respondents (31%) were either not confident or only slightly confident about their ability to protect sensitive data in a cloud.
- Thirty-seven percent of respondents surveyed by CyberRisk Alliance said their organization experienced a cloud-based attack or breach in the last two years alone — amounting to an average of four attacks per victim since 2020.
Security not guaranteed
In spite of these concerns, companies opting for a public cloud infrastructure have by and large seen major gains to service resiliency, worker productivity and digital transformation. Why, then, is public cloud security not guaranteed out of the box?
Part of it boils down to a major shift in security thinking. For decades, organizations relied primarily on strong firewalls and perimeter-based defenses to keep threats out. The notion of a perimeter-only defense is now practically extinct, however, as millions of endpoints have flooded the market and created new doors through which attackers can penetrate corporate networks. Additionally, a significant portion of workers have permanently left the office for home-based work arrangements. This ‘new normal’ has forced companies to find alternative methods for securing the ‘work-from-anywhere’ lifestyle without intruding on employees’ privacy or personal lives.
The bottom line is that companies can’t rest on their laurels when it comes to securing the public cloud. Below, we’ve identified some of the most common stumbling blocks that organizations face when scaling up operations in the cloud. By understanding these challenges and the ways they can manifest, organizations can begin taking the first steps to eliminating security gaps where they exist.
Common challenges to public cloud security
#1: Poor visibility
Asset visibility is one of the first elements to take a hit when business units move workloads to the public cloud.
According to NIST’s most recent survey on the subject, 47% of respondents were concerned by a lack of visibility into what data was being processed in the public cloud and where that data could be located. Whether it is cloud storage being segmented and siloed, a proliferation of microservices, or simply different teams making use of distributed cloud properties, managing and monitoring the flux of changing cloud assets can become overwhelming, especially when organizations employ multiple public clouds from multiple providers.
Traditionally, companies have resorted to logging to visualize their cloud environment, but that invites its own challenges when the data in question is no longer constrained to the corporate enterprise network. Many times, this data does not have adequate access control — and worse yet, the security team doesn’t even know it exists.
#2: Understanding and prioritizing risk
Properly ranking risks, and understanding what generates risk in each area of the organization, is key to addressing the broad spectrum of cloud threats. Configuring and implementing cloud services correctly can be a challenge – investigating and scanning for areas of risk should be a normal part of every organization’s cloud maintenance practices. Whether you are a provider or a customer, risk management is necessary.
A well-run team has its tasks clearly delegated, and those tasks should be assigned in order of risk priority.
#3: Insecure APIs
Insecure application programming interfaces (or APIs) present another sore spot for cloud security teams, especially in the domain of public cloud infrastructure.
As reported by CRA Business Intelligence, most organizations experienced at least one API-related attack within the past year. For about three in four organizations (74%), “rogue” (or non-authorized) APIs were estimated to comprise up to 50% of their actual API environment.
Insecure APIs can be benign in origin. A developer might believe they’ve created an API that exposes tax statements exclusively to internal calls made from the home dashboard of a bank account, when, in fact, it’s set up in such a way that anyone can call the API without appropriate authentication. Hypothetically, an attacker could then exploit that API and gain access to sensitive financial data.
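The tax-statement scenario above, as an added example that is not code from the original article: a toy handler with the flaw described (it assumes only the logged-in dashboard will ever call it) beside a hardened version that authenticates the caller and checks that the requested account belongs to that caller. The account ids, session tokens and statement names are constructed for the demo, and the request objects are plain dicts standing in for whatever framework would normally supply them.

```python
"""Added example (not from the article): an unauthenticated 'tax statement'
endpoint beside a hardened one. All data below is constructed for the demo."""
import hmac

# Constructed demo data. A real service would keep these in a database or a
# session store; the shapes are what matters here.
ACCOUNT_OWNER = {"acct-1001": "alice", "acct-2002": "bob"}
TAX_STATEMENTS = {"acct-1001": "alice-2023-statement.pdf",
                  "acct-2002": "bob-2023-statement.pdf"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # valid bearer tokens


def vulnerable_get_statement(request):
    """Flawed handler: it trusts that only the account dashboard calls it, so
    any caller that supplies an account id receives that account's statement.
    There is no authentication and no ownership check at all."""
    account = request["params"]["account"]
    if account not in TAX_STATEMENTS:
        return 404, "no such account"
    return 200, TAX_STATEMENTS[account]


def _authenticate(request):
    """Resolve a 'Authorization: Bearer <token>' header to a user name.
    Returns None when the header is missing or the token is unknown.
    Tokens are compared in constant time to avoid timing side channels."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        return None
    presented = header[len("Bearer "):].encode()
    for token, user in SESSIONS.items():
        if hmac.compare_digest(token.encode(), presented):
            return user
    return None


def hardened_get_statement(request):
    """Hardened handler: authenticate first, then authorize. The statement is
    returned only to the user who owns the requested account."""
    user = _authenticate(request)
    if user is None:
        return 401, "authentication required"
    account = request["params"]["account"]
    # A 404 (rather than 403) for accounts the caller does not own avoids
    # confirming which account ids exist to an authenticated but unrelated user.
    if ACCOUNT_OWNER.get(account) != user:
        return 404, "no such account"
    return 200, TAX_STATEMENTS[account]


def demo():
    """Run the three cases that matter: an anonymous caller, the owner, and a
    different authenticated user asking for someone else's account."""
    anonymous = {"headers": {}, "params": {"account": "acct-2002"}}
    bob_own = {"headers": {"Authorization": "Bearer tok-bob"},
               "params": {"account": "acct-2002"}}
    alice_other = {"headers": {"Authorization": "Bearer tok-alice"},
                   "params": {"account": "acct-2002"}}
    return {
        "vulnerable_anonymous": vulnerable_get_statement(anonymous),
        "hardened_anonymous": hardened_get_statement(anonymous),
        "hardened_owner": hardened_get_statement(bob_own),
        "hardened_other_user": hardened_get_statement(alice_other),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The vulnerable handler hands Bob's statement to an anonymous caller; the hardened one answers 401 to that caller, 200 to Bob, and 404 to Alice. The same pattern (authenticate, then check the resource belongs to the authenticated principal) applies whatever framework actually serves the endpoint.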
#4: Misconfigured settings
Scan the security headlines of the last year and there’s a high likelihood that at least half of the data breaches stemmed from misconfiguration of cloud controls, such as unsecured AWS S3 buckets, excessive permissions, default credentials or unrestricted inbound and outbound ports. Log4j, Spring4Shell and the more recent PAN-OS firewall CVE are just a few examples.
According to a survey by Cloud Security Alliance, 51% of respondents felt that cloud misconfiguration and improper security settings were one of their top concerns when it came to cloud security. In a separate study conducted in 2020, it was revealed that misconfigured storage services in 93% of cloud deployments had contributed to more than 200 breaches since 2018.
There are several reasons why misconfigurations crop up so frequently, but it essentially boils down to a mix of inexperience and lack of automated tooling. Organizations aren’t providing IT with sufficient on-the-job training in cloud security configuration, and they’re neglecting automated tools that could help pinpoint and remediate misconfigurations as soon as they emerge.
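The article names four kinds of misconfiguration (public S3 buckets, excessive permissions, default credentials and unrestricted ports) and argues for automated tooling to catch them. As an added example that is not part of the original article, here is an offline checker for three of those, run over resource descriptions laid out in the same shapes the AWS APIs return (bucket policy documents, the four PublicAccessBlock flags, security group ingress rules and IAM policy statements). The resources below are constructed for the demo; in practice the dicts would come from boto3 calls, and the port list and finding wording are this example's own choices.

```python
"""Added example (not from the article): a small, offline misconfiguration
checker for S3 bucket policies, S3 public access block settings, security
group ingress rules and IAM policies. All resources below are constructed."""
import json

# Ports whose exposure to 0.0.0.0/0 is worth flagging. This list is the
# example's own choice; extend it for your environment.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 27017: "mongodb"}


def _as_list(value):
    """IAM/S3 policy fields may be a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _is_public_principal(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*")


def check_bucket_policy(name, policy_json):
    """Flag Allow statements granting access to every principal with no
    Condition. Conditioned statements (e.g. aws:SourceIp) are left for review."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")) or stmt.get("Condition"):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        findings.append(f"{name}: bucket policy allows {actions} to any principal")
    return findings


def check_public_access_block(name, config):
    """All four flags should be on for any bucket not intended to be public."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    off = [k for k in keys if not config.get(k, False)]
    if off:
        return [f"{name}: public access block incomplete ({', '.join(off)} off)"]
    return []


def check_security_group(name, ingress_rules):
    """Flag ingress rules open to the whole internet on a sensitive port."""
    findings = []
    for rule in ingress_rules:
        open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
        if not (open_v4 or open_v6):
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if rule.get("IpProtocol") == "-1" or lo is None or hi is None:
            findings.append(f"{name}: all ports open to the internet")
            continue
        for port, svc in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{name}: {svc} ({port}) open to the internet")
    return findings


def check_iam_policy(name, policy_json):
    """Flag the classic excessive-permission statement: Action * on Resource *."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{name}: IAM policy grants every action on every resource")
    return findings


# Constructed demo resources (not real accounts or buckets).
DEMO_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
DEMO_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
DEMO_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]
DEMO_IAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})


def audit():
    """Run every check over the demo resources and return the findings."""
    return (check_bucket_policy("example-bucket", DEMO_BUCKET_POLICY)
            + check_public_access_block("example-bucket", DEMO_PAB)
            + check_security_group("sg-demo", DEMO_SG_RULES)
            + check_iam_policy("demo-role", DEMO_IAM_POLICY))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Against the demo resources the audit reports four findings: the anonymous GetObject grant, the two public access block flags that are off, SSH open to the internet, and the wildcard IAM statement. HTTPS on 443 to the world and PostgreSQL restricted to a private range are not flagged, and the IP-conditioned ListBucket statement is deliberately left for human review rather than reported as public.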
#5: Resourcing and expertise
Perhaps the most difficult challenge for organizations to overcome regarding public cloud security is the staggering shortage of expertise and resources available to IT and security departments.
According to a 2021 survey, 1 in 3 IT and security professionals believed their organization was insufficiently staffed to manage cloud environments. Another 79% of respondents reported staffing-related difficulties in managing cloud deployments for a remote workforce. With cybersecurity experts in such short supply, many organizations have failed to cultivate and incentivize the personnel they do have to perform at a high level. The result is that security teams feel overworked, under-appreciated, and pushed to their breaking point. The human toll is therefore a major stumbling block that can jeopardize organizations’ efforts to secure the public cloud.
What can be done
These challenges aren’t insurmountable, but it’s vital for companies to understand and plan for them. In Part 2 of this three-part series, we’ll explore the steps that organizations can take to secure their public cloud activities.