Threatening clouds: How can enterprises protect their public cloud data?

There’s no end to the evidence that as more and more critical business data and enterprise apps are hosted in the public cloud cybercriminals are doing whatever they can to exploit it. 

While organizations run an average of six different tools or features to secure their public cloud environments, 96% of decision-makers still report that their organizations faced security incidents in the last 12 months. According to the 2022 Thales Cloud Security Study, 45% of businesses have experienced a cloud-based data breach or failed audit over the past year. Between 2020 and 2021, ransomware-related data leaks increased 82% and interactive intrusion campaigns increased 45%.

Hackers are ever more aggressively going after any weaknesses and vulnerabilities — and stealing any credentials and other precious information — that they can find. 

“Cloud services are an essential part of the digital fabric of the modern enterprise,” notes a report by cybersecurity technology company CrowdStrike. 

Still, while cloud adoption brings increased agility, scalability and cost saving, it has also brought about an adversarial shift. “Just as organizations have realized efficiencies through the cloud, so too have attackers,” write the report’s authors. “Threat actors are using the same services as their prey, and for the same reason: to enhance and optimize their operations.”

Cloudy visibility

Public clouds don’t inherently impose security threats, said Gartner VP analyst Patrick Hevesi — in fact, hyperscale cloud providers usually have more security layers, people and processes in place than most organizations can afford in their own data centers.

However, the biggest red flag for organizations when selecting a public cloud provider is the lack of visibility into their security measures, he said. 

Some of the biggest issues in recent memory: Misconfigurations of cloud storage buckets, said Hevesi. This has opened files up for data exfiltration. Some cloud providers have also had outages due to misconfigurations of identity platforms. This has affected their cloud services from starting up properly, which in turn affected tenants. 

Smaller cloud providers, meanwhile, have been taken offline due to distributed denial-of-service (DDoS) attacks. This is when perpetrators make a machine or network resource unavailable to intended users by disrupting services — either short-term or long-term — of a host connected to a network.

Forrester vice president and principal analyst Andras Cser identified the biggest issue as software-based configuration of public cloud platforms — AWS, Google Cloud Platform, Microsoft Azure — that don’t have proper identity and access management in place. 

“These configuration artifacts are easy to modify and stay under the radar,” said Cser. 

Insecure configuration of storage instances — world writable, unencrypted, for instance — also provides a threat surface to attackers. He is seeing threats around container network traffic, as well, he said. 

Multiple areas of attack

The CrowdStrike report also identified these common cloud attack vectors: 

• Cloud vulnerability exploitation (arbitrary code execution, Accellion File Transfer Appliance, VMware). 
• Credential theft (Microsoft Office 365, Okta, cloud-hosted email or file-hosting services). 
• Cloud service provider abuse (particularly with MSPs, or managed service providers). 
• Use of cloud services for malware hosting and C2. 
• Exploitation of misconfigured image containers (Docker containers, Kubernetes clusters). 

According to the report, CrowdStrike also continues to see adversary activity when it comes to: 

• Neglected cloud infrastructure slated for retirement but still containing sensitive data. These create vulnerabilities because organizations are no longer making investments in security controls — monitoring, detailed logging, security architecture and planning posture remediation. 
• A lack of outbound restrictions and workload protection against exfiltrating data. This is particularly an issue when certain cloud infrastructures are neglected, yet still contain critical business data and systems. 
• Adversaries leveraging loopholes in identity and multifactor authentication (MFA) protection strategies. This occurs when organizations fail: to fully deploy MFA, to disable legacy authentication protocols that do not support MFA, and to track and control privileges and credentials for both users and cloud service principals. 

How can organizations protect themselves from public cloud attacks?

Ultimately, it comes down to being strategic and diligent in selecting — and continuously assessing — public cloud providers. 

The most valuable tools, according to Forrester’s Cser: 

• Cloud workload protection (CWP) or Cloud workload security (CWS): This process secures workloads moving across different cloud environments. Forrester’s Q1 2022 Forrester Wave report identified top providers in this area as Aqua Security, Bitdefender, Broadcom, Check Point, CrowdStrike, Kaspersky, McAfee, Palo Alto Networks, Radware, Rapid7, Sysdig and Trend Micro. 
• Cloud security posture management (CSPM): This programming tool identifies misconfiguration issues and compliance risks in the cloud. It continuously monitors cloud infrastructure to identify gaps in security policy enforcement. 
• Cloud native application protection program (CNAPP), which combines CWP and CSPM: This emerging process allows organizations to secure cloud-native applications across the full application lifecycle. It integrates and centralizes security functions that are otherwise siloed into a single interface. 

Cloud security ‘holy grail’

Gartner lays out a complex, multitiered, multicomponent cloud security structure: 

The above solutions can protect IaaS, PaaS and SaaS public cloud environments, said Hevesi, and the above illustrates how they technically fit into architecture. They are effective especially if the organization has multiple IaaS, SaaS and PaaS cloud providers, as the cloud-access security broker (CASB) can give security teams “a single pane of glass” for all their platforms. 

He suggests that organizations also consider the following: 

• What certifications does a public cloud provider have for their infrastructure? 
• What tools and processes do they have in place to maintain security and respond to incidents?
• What physical security do they have in place?
• How do they perform background checks for their employees?
• How do they safeguard tenants and protect user access to tenants and employees?

Threats occur when such examples are not established and followed by cloud providers, said Hevesi. Cloud misconfiguration is still the biggest issue, regardless of IaaS, PaaS or SaaS. 

“If a user with admin access accidentally misconfigures a setting, it could have a massive impact on the entire cloud provider’s infrastructure — which then affects the clients,” said Hevesi.

Silver lining

Experts point to the encouraging increased use of encryption and key management — used by 59% and 52%, respectively, of respondents to the Thales survey, for instance. Zero-trust models are also on the rise — according to Thales, 29% are already executing a zero-trust strategy, 27% say they are evaluating and planning one, and 23% are considering it. 

Organizations should increasingly adopt cloud identity governance (CIG) and cloud infrastructure entitlements management (CIEM) solutions, and perform AI-powered monitoring and investigations, according to CrowdStrike. It is also critical to enable runtime protections and obtain real-time visibility. 

Defending the cloud will only become more complex as adversaries evolve and increase attempts to target cloud infrastructure in addition to apps and data, the report concludes. “However, with a comprehensive approach rooted in visibility, threat intelligence and threat detection, organizations can give themselves the best opportunity to leverage the cloud without sacrificing security.”