Cloud in the Crosshairs
As security practitioners continued to do their jobs during the COVID-19 pandemic, they looked for ways to leverage the ability to connect to their systems and data from anywhere. This meant they were increasingly moving to the cloud.
End-user spending on cloud services grew 23.1 percent in 2021 to more than $332.3 billion, said Gartner in a press release published in April 2021. Gartner later estimated in August 2021 that end-user spending on public cloud services will reach $396 billion by the end of the year and grow 21.7 percent to reach $482 billion in 2022.
“Today, the cloud underpins most new technological disruptions, including composable business, and has proven itself during times of uncertainty with its resiliency, scalability, flexibility, and speed,” Gartner said. “Hybrid, multicloud, and edge environments are growing and setting the stage for new distributed cloud models.
“In addition, new wireless communications advances, such as 5G R16 and R17, will push cloud adoption to a new level of broader, deeper, and ubiquitous usage. Use cases such as enhanced mobile banking experiences and healthcare transformation will also emerge.”
These use cases will boost public cloud spending to become more than 45 percent of all enterprise IT spending, an increase from just 17 percent in 2021, according to Gartner.
The events of last year allowed CIOs to overcome any reluctance of moving mission critical workloads from on-premises to the cloud.
“The events of last year allowed CIOs to overcome any reluctance of moving mission critical workloads from on-premises to the cloud,” said Sid Nag, research vice president at Gartner in a statement. “Even absent the pandemic there would still be a loss of appetite for data centers. Emerging technologies such as containerization, virtualization, and edge computing are becoming more mainstream and driving additional cloud spending. Simply put, the pandemic served as a multiplier for CIOs’ interest in the cloud.”
And it didn’t just influence CIOs; security practitioners were looking for options to manage systems at multiple sites—such as video management of multiple campus locations. They were also looking to adopt cloud-based solutions to monitor the health of their technology systems, says Dan Cremins, global leader of product management for March Networks.
“It’s grown substantially,” Cremins says of practitioners wanting to leverage cloud-based solutions. “We’ve seen two trends. We have a whole mix of customers and see small customers that don’t have an IT staff at all—think of a franchise owner that has (individual) stores—and they need some level of enterprise management, so smaller applications they’ll outsource and go to a cloud solution.
“The other ones are large—super large—installations with thousands of locations, have a full IT staff, servers, but the system has gotten so big even their trained staff need help,” he adds. “So, they’ll say, ‘We need help for managing our large enterprise system.’”
This makes sense from an operational perspective, and it allows organizations to scale solutions to meet their needs as they grow. But moving systems to the cloud isn’t without risk. New research from IBM’s X-Force team found that vulnerabilities in cloud-deployed applications are growing—reaching more than 2,500 vulnerabilities in 2021, a 150 percent increase in the last five years.
IBM’s data shows that “the severity of cloud-targeting vulnerabilities has grown significantly in recent years, likely due to threat actors’ realization that organizations are increasing their use of storing their critical data in multi-cloud environments,” according to the 2021 IBM X-Force Cloud Security Landscape Report. “Cloud environments are heavily traveled data highways and are appetizing to threat actors due to the target-rich attack surface.”
And that appeal is likely to continue with more organizations utilizing the cloud, meaning that gaining access to the cloud gives threat actors increased opportunities to gather confidential data, conduct fraud, use systems for cryptomining, and carry out ransomware attacks.
Threat actors “want a return on investment, and to get that return they’re evolving their malware and going to target cloud environments,” says Charles DeBeck, X-Force cyber threat intelligence expert and an author of the report.
For instance, in January 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory after it discovered several recent cyberattacks against organizations’ cloud services.
“CISA observed cyber threat actors using phishing emails with malicious links to harvest credentials for users’ cloud service accounts,” according to the advisory. “The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account.”
IBM also found that two-thirds of the breaches to cloud environments that it examined would likely have been prevented if systems were hardened, including implementing security policies and patching systems.
During its analysis, the X-Force team discovered that all of its penetration tests into cloud environments identified issues with password or policy violations.
When you’re structuring that contract with pen testing, make sure that in particular API will be tested.
“These two elements trickled down to the most frequently observed initial infection vectors for organizations: improperly configured assets, password spraying, and pivoting from on-premises infrastructure,” according to the report. “In addition, API configuration and security issues, remote exploitation, and accessing confidential data were common ways for threat actors to take advantage of lax security in cloud environments.”
Two main challenges when it comes to API configuration revolved around access, DeBeck says.
“One account may have an access issue—letting people have access to it that they shouldn’t. And then having access to data that it shouldn’t have access to,” he explains. “Either can lead to a compromising situation for the organization.”
Threat actors are also gaining access to cloud environments by taking advantage of shadow IT. DeBeck says the team analyzed several incidents where an employee used a service or tool that wasn’t issued by the organization to finish a project. By the time the project was done, however, a threat actor had identified the shadow IT service and used that to gain access to the organization’s network and cloud systems.
“It was an inadvertent insider, where they’re not doing it intentionally—they’re just not following proper protocols,” DeBeck adds.
These threats are made more challenging because organizations are still learning how to monitor for and detect threats in the cloud. Additionally, many security policies do not address the cloud and organizations lack the incident response skills to apply them to cloud environments, according to the report.
“Organizations do not have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premises environments,” the report said.
The Cloud Security Alliance’s annual report, The State of Cloud Security Risk, Compliance, and Misconfigurations, echoed some of the IBM X-Force’s findings. The alliance surveyed 1,090 IT and security professionals between May 2021 and June 2021. It identified misconfigurations as a top concern for organizations that use the public cloud, which can lead to data breaches, data deletion or modification, and more.
The alliance further found that the lack of knowledge and expertise is a primary barrier to cloud security, the primary cause of misconfigurations, a barrier to proactively preventing or fixing them, and the primary barrier to implementing auto-remediation.
This can be especially problematic for video surveillance technology that is storing footage in the cloud, Cremins says.
“Video is a much more bandwidth-intensive data,” he explains. “I think it’s very easy, unless this is fully coordinated with IT—assuming you have an IT department—you run into trouble.”
For instance, if the proper precautions are not taken or conversations happening between the IT team, the security team, and the cloud service provider, Cremins says it’s easy to misconfigure a video system to send too much to the cloud—especially at a higher frame rate and higher resolution than intended.
“These findings highlight the trickle-down effect that lack of knowledge can have on security teams,” the alliance’s report said. “It starts as a general barrier to implementing effective cloud security measures. This leads to misconfigurations, the primary cause of data breaches.”
One positive, though, is that there are concrete steps organizations and security practitioners can take to improve cloud security and their overall risk posture. The X-Force report suggested organizations implement zero trust philosophies to segment networks and restrict the ability of unauthorized users from moving laterally through their systems. Organizations should also implement cloud monitoring and detection capabilities.
“Determine and enable audit logging requirements in cloud environments and leverage cloud-native tools and technologies to monitor for malicious activity and evidence of compromise,” the report explained.
DeBeck recommends first looking at your organization’s infrastructure complexity and simplifying it where possible.
“This will help reduce the likelihood of threat actors slipping through the cracks,” he says. Complexity has a “strong correlation with long breach response times and cost in general.”
When it comes to API misconfigurations, DeBeck says organizations should make sure their cloud providers are using penetration testing services and investigating their API.
“When you’re structuring that contract with pen testing, make sure that in particular API will be tested and searched for misconfigurations so you can patch them accordingly,” he adds.
Organizations that are able to also need to have incident response plans and teams in place that can address cloud incidents—especially for a ransomware response that includes plans for on-premises, cloud, and both being compromised—and test those plans.
“A lot of organizations might not have the ability to have an incident response team,” DeBeck explains. “Make sure you know who you’re going to call so you can expand your team as needed. You don’t want to be scrambling to find the Yellow Pages when an incident happens.”
Megan Gates is senior editor at Security Management. Connect with her at [email protected]. Follow her on Twitter: @mgngates.