Managing the top security threats to public cloud

Migrating to public cloud? Here’s how you should approach the task.

According to the 2022 Thales Cloud Security Report, 45% of businesses have experienced a cloud-based data breach or failed an audit involving data and applications in the cloud, up from 40% the previous year. This raises further concerns about migrating to public cloud and keeping sensitive data out of the hands of cybercriminals.

Public cloud adoption, however, has been more rapid than ever. Gartner forecasts worldwide end-user spending on public cloud services to grow 20.4% in 2022 due to reduced infrastructure costs, reduced time to market for applications, and new technologies like data lakes, machine learning and AI. But is it OK to relax security measures as a result of these advantages?

Before deciding which cloud model to use, consider a simple analogy between a guard and a security practitioner. A guard must know their responsibilities, the landscape they protect, the threats to it and the countermeasures available to them. Likewise, when an organization migrates to a public cloud, its security practitioners must know the shared responsibility matrix between the cloud service provider and the customer: which controls the provider operates and which remain the customer's to implement.

The risk of a cloud breach varies with the environment and the methods used to attack it. According to the CSA Cloud and Web Security Challenges 2022 report, IaaS environments (45%) and third-party applications (40%) had the highest breach rates, while SaaS and web applications (32%) had the lowest. Hence, depending on the cloud environments you deploy, you will have to manage different risks, not only to your data but also to your overall infrastructure.

In this blog we will discuss what threats each cloud model faces. To do so, we will outline the landscape or attack surface, threats and possible countermeasures.

Cloud type #1:

SaaS – Software as a Service

Context
The 2022 Verizon Data Breach Investigations Report identified web applications as one of the top attack vectors. While it is the SaaS provider's responsibility to remediate vulnerabilities and update the application, the SaaS customer is responsible for securing the application's configuration, its user identities and the data it holds.

Main threats
Even though SaaS seems like the easiest model to choose and the least burdensome for customers, threats against SaaS applications cannot be easily eliminated. Because SaaS puts applications, data, user identities and endpoints into play, it faces threats such as application vulnerabilities, misconfigurations, insecure permissions and data loss.

In fact, 47% of organizations are concerned about sensitive data loss or exfiltration from cloud and web attacks, according to the 2022 CSA Cloud and Web Security Challenges report. The challenge comes in two forms:

  • Shadow IT[1] services are a governance and compliance nightmare for CISOs and IT administrators. Companies risk losing control over their data when employees upload sensitive data to a shared public drive that has not been approved, or to a personal cloud storage service. Without visibility, there is no way to control the leaks.
  • Even when SaaS applications like Office 365 are approved by the IT department, misconfigurations that lead to data breaches are likely to happen. Cloud misconfigurations often come down to excessive permissions: by granting users more rights than their role needs, you widen the attack surface that external attackers and malicious insiders can exploit through those wide-ranging permissions.

Countermeasures
User identity protection can be strengthened by enforcing multifactor authentication (MFA) and role-based access control. Bring your own device (BYOD) and the hybrid work model have increased the emphasis on endpoint and mobile device management, because unmanaged devices can upload malicious content into, and leak data out of, SaaS applications. Hence data encryption at rest and in transit, together with endpoint and threat protection (EDR, MDR, XDR), are also important for countering malware that reaches the cloud through endpoints.

[1] IT systems implemented without the IT department's knowledge and therefore outside its support and control.

Cloud type #2:

PaaS – Platform as a Service

Context
PaaS lets developers and organizations build, run and manage applications without operating the underlying infrastructure (servers, operating systems and runtimes), which the provider manages and patches. The application code and the libraries it depends on, however, remain the customer's responsibility.

Main threats
Application-level risk is the main focus for PaaS. Zero-day vulnerabilities in applications and in the libraries they depend on are a serious concern. The most prominent example of the decade is Log4Shell (CVE-2021-44228), a remote code execution flaw in the widely embedded Log4j logging library.

Responding to a zero-day can take a long time, especially when it means identifying every application and build that includes the vulnerable component. Patching can also be complex and time-consuming, which is why organizations need a more proactive approach, such as keeping an inventory of dependencies (a software bill of materials) so that affected systems can be found quickly.

Countermeasures
Static application security testing (SAST) and dynamic application security testing (DAST) can identify such vulnerabilities before deployment, and software composition analysis (SCA) of third-party dependencies covers the gap Log4Shell exposed, since the flaw was in a library rather than in the application's own code. Adopting DevSecOps practices early in the CI/CD pipeline ensures continuous testing and verification of the code from the first stage of development. Web application firewall (WAF) rules can blunt exploitation of a zero-day while a patch is prepared (virtual patching), but they are a stop-gap: attackers quickly found obfuscated forms of the Log4Shell payload that bypassed the first signatures. Monitoring application and security logs for unauthorized or anomalous API calls is mandatory.

Cloud type #3:

IaaS – Infrastructure as a Service

Context
IaaS may be the easiest model to migrate to from on-premises, but the cost burden, the administration overhead and, most importantly, the security landscape largely stay the same. Managing the compute, storage, network, platform, identity, endpoints, applications and data leaves the organization with a plethora of responsibilities.

LastPass, one of the world's leading password managers, reported a security incident in its development environment in August 2022. An attacker compromised a developer's account and gained access to portions of the source code and some proprietary technical information, but no customer data was taken at that point. (LastPass later disclosed that the same attacker used information obtained in this incident to reach customer vault backups.) The incident is an excellent example of how a vast attack surface becomes a playground for an attacker.

Main threats
Beyond the threats already mentioned for SaaS and PaaS, the major threat to IaaS lies in how it is controlled. Unlike traditional IT, IaaS is driven by code and APIs, and both can be compromised or exposed. Poor coding immediately puts API security at risk: in an injection attack, an attacker places commands or script in an API request, and a server that lacks proper authentication and input validation concatenates that input into a shell command, a query or a script and executes it. Such an attack can result in data exfiltration and damage to the application.
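To make the injection case concrete, the following is an added example for this article, not code from the original post. It models a small "ping this host" API endpoint: the injectable version interpolates the request's `host` field straight into a shell line, while the hardened version validates the field and builds an argument list so no shell is involved. The request bodies are constructed, and neither version actually runs the command; they return what would be executed so the difference is visible.

```python
"""A 'ping this host' API handler, first as the injectable version this
section warns about, then hardened with input validation and no shell.

Added example for this article, not code from the original post. The request
bodies are constructed and nothing here is executed against a real host.
"""
import ipaddress
import json
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters in total at most.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(body: str) -> str:
    """The shell line the injectable handler would hand to subprocess.run(..., shell=True).

    The host is interpolated unchecked, so ';', '|', '&&' and '$(...)' all
    reach the shell as control characters."""
    host = json.loads(body)["host"]
    return f"ping -c 1 {host}"


def is_valid_target(host: str) -> bool:
    """Accept an IP address or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    # The leading-hyphen rule also blocks argument injection such as "-f".
    return bool(HOSTNAME.match(host))


def hardened_command(body: str) -> list:
    """Validate the input, then return an argv list for subprocess.run(argv) (no shell)."""
    try:
        host = json.loads(body)["host"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed request body")
    if not isinstance(host, str) or not is_valid_target(host):
        raise ValueError("host must be an IP address or a hostname")
    return ["ping", "-c", "1", host]


def handle(body: str) -> tuple:
    """API entry point: (status, payload) as a JSON handler would return them."""
    try:
        argv = hardened_command(body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    # Real code would run subprocess.run(argv, capture_output=True, timeout=5) here.
    return 200, {"command": argv}


if __name__ == "__main__":
    attack = '{"host": "10.0.0.1; cat /etc/passwd"}'
    print("vulnerable:", vulnerable_command(attack))
    print("hardened:  ", handle(attack))
    print("hardened:  ", handle('{"host": "example.com"}'))
```

Two details matter in the hardened version: the allow-list regex rejects the metacharacters before any command is built, and the argv list means that even an input which slipped through validation would be passed to `ping` as a single argument rather than parsed by a shell.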

Countermeasures
Infrastructure as code (IaC) solves the problems of inconsistent configuration, scalability and availability, but the templates and images it deploys become part of the attack surface. Store configuration templates and images in a trusted registry, scan them for misconfigurations and known vulnerabilities often, and never embed credentials in them: secrets belong in a key management or secrets management service that the template references at deploy time.
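The three rules above can be checked mechanically before a template is ever applied. The following is an added example for this article, not code from the original post or any scanner product: it runs three checks over a constructed CloudFormation-style JSON template, flagging credential-like properties that hold a literal value instead of a Secrets Manager or SSM dynamic reference, security group ingress rules open to the world on ports other than 80 and 443, and container images that are not pulled from the trusted registry or that are not pinned to a tag. The registry prefix, the allowed public ports and the credential-like property names are assumptions to tune for your own environment.

```python
"""Three IaC template checks: hard-coded secrets, world-open ingress, untrusted images.

Added example for this article, not code from the original post. The template
is a constructed CloudFormation-style document; TRUSTED_REGISTRY,
ALLOWED_PUBLIC_PORTS and CREDENTIAL_KEY are assumptions to tune per environment.
"""
import json
import re

TRUSTED_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com/"   # assumed
ALLOWED_PUBLIC_PORTS = {(80, 80), (443, 443)}                        # assumed
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
CREDENTIAL_KEY = re.compile(r"password|secret|token|api_?key|private_?key", re.I)
# CloudFormation dynamic references resolve from Secrets Manager or SSM at deploy
# time, so the secret itself never sits in the template.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")

TEMPLATE = json.loads(r"""
{"Resources": {
  "LegacyDb": {"Type": "AWS::RDS::DBInstance",
    "Properties": {"MasterUsername": "admin", "MasterUserPassword": "Sup3rS3cret!"}},
  "Db": {"Type": "AWS::RDS::DBInstance",
    "Properties": {"MasterUsername": "admin",
      "MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"}},
  "AdminSg": {"Type": "AWS::EC2::SecurityGroup",
    "Properties": {"SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "WebSg": {"Type": "AWS::EC2::SecurityGroup",
    "Properties": {"SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
  "ApiTask": {"Type": "AWS::ECS::TaskDefinition",
    "Properties": {"ContainerDefinitions": [
      {"Name": "api", "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:1.4.2"},
      {"Name": "sidecar", "Image": "docker.io/library/busybox:latest"}]}}
}}
""")


def _entries(node):
    """Yield every (key, value) pair in a nested JSON structure, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _entries(value)
    elif isinstance(node, list):
        for item in node:
            yield from _entries(item)


def find_hardcoded_secrets(resources: dict) -> list:
    """Credential-like property names whose value is a literal string."""
    out = []
    for rid, res in resources.items():
        for key, value in _entries(res.get("Properties", {})):
            if CREDENTIAL_KEY.search(key) and isinstance(value, str) and not DYNAMIC_REF.match(value):
                out.append(f"{rid}: {key} is a literal in the template; reference a secrets manager instead")
    return out


def find_open_ingress(resources: dict) -> list:
    """Security group rules reachable from anywhere on non-web ports."""
    out = []
    for rid, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            ports = (rule.get("FromPort"), rule.get("ToPort"))
            if cidr in WORLD_CIDRS and ports not in ALLOWED_PUBLIC_PORTS:
                out.append(f"{rid}: {rule.get('IpProtocol')} {ports[0]}-{ports[1]} open to {cidr}")
    return out


def find_untrusted_images(resources: dict) -> list:
    """Container images outside the trusted registry, or without a pinned tag."""
    out = []
    for rid, res in resources.items():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        for c in res.get("Properties", {}).get("ContainerDefinitions", []):
            image, name = c.get("Image", ""), c.get("Name", "?")
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if not image.startswith(TRUSTED_REGISTRY):
                out.append(f"{rid}/{name}: image {image} is not from the trusted registry")
            elif tag in ("", "latest"):
                out.append(f"{rid}/{name}: image {image} is not pinned to a release tag")
    return out


def scan_template(template: dict) -> list:
    resources = template.get("Resources", {})
    return find_hardcoded_secrets(resources) + find_open_ingress(resources) + find_untrusted_images(resources)


if __name__ == "__main__":
    for finding in scan_template(TEMPLATE):
        print(finding)
```

Run against the constructed template, the scan reports `LegacyDb` (literal password), `AdminSg` (SSH open to the world) and `ApiTask/sidecar` (public image, floating tag), and stays quiet on the resources that follow the rules. A check like this belongs in the CI/CD pipeline in front of the deploy step, so a template that fails it never reaches the cloud account.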

Cloud Vendor Vulnerability

Most attackers target the customer side of the shared responsibility model, but vulnerabilities in the services managed by the cloud provider are often overlooked. AutoWarp, a vulnerability in the Azure Automation service disclosed in 2022, allowed one tenant to obtain managed identity authentication tokens belonging to other customers. Cases like this make tenant isolation one of the major checkpoints when choosing a service from a cloud vendor: understand the architecture of the service, which parts of it are shared between tenants and how tenants are isolated from one another.

Conclusion

With a multi-cloud strategy, a Cloud Access Security Broker (CASB), Cloud Security Posture Management (CSPM) and a Cloud Workload Protection Platform (CWPP), organizations can tackle the problems of visibility, threat protection, compliance and data security.

Remember: as a cloud customer, data security is your responsibility and yours alone. Your security practitioners must know where your data resides in the cloud, who consumes the data, how it’s accessed and how to isolate and secure the data using effective countermeasures.

In the cloud, new threats can appear with the same speed that makes the cloud so attractive in the first place. Hence, standing up only the applications and services you actually need, and keeping your attack surface to a minimum, will help you manage the migration to cloud safely and securely.

About the author

Panos Zarkadakis

Srinivasan Gnanapiran

Senior Manager – Cloud Threat Management (CTM)

Srinivasan is a security professional with over a decade and a half of experience working with SMBs, enterprises and service providers across multiple domains, including SOC, perimeter and cloud security.