Identity and access issues topped the list of concerns of IT pros in the Cloud Security Alliance’s annual Top Threats to Cloud Computing: The Pandemic 11 report released earlier this month. “Data breaches and data loss were the top concerns last year,” says CSA Global Vice President of Research John Yeoh. “This year, they weren’t even in the top 11.”
“What that tells me is the cloud customer is getting a lot smarter,” Yeoh continues. “They’re getting away from worrying about end results—a data breach or loss is an end result—and looking at the causes of those results (data access, misconfigurations, insecure applications) and taking control of them.”
That trend is indicative of cloud service providers (CSPs) doing a better job of upholding their end of the shared responsibility model, where the CSP is responsible for protecting its infrastructure while the cloud user is on the hook for protecting the data, applications, and access in their cloud environments, says Corey O’Connor, director of products at DoControl, a provider of automated SaaS security. “This puts more pressure on the organization consuming the service, as attackers naturally place a much bigger focus on them,” he says. “This finding supports the narrative of organizations consuming cloud services needing to do everything they can to mitigate the risk of security events and data breaches. They need to do more to uphold their end of the model.”
CSA’s top cloud security threats
Here are the Pandemic 11 in order of importance.
1. Insufficient identity, credential, access and key management
Concerns about identity and access are foremost in the minds of cybersecurity pros, according to the CSA report. “Access is at the top of the list this year because protecting your data starts and ends with access,” says Yeoh.
Forrester Vice President and Principal Analyst Andras Cser agrees. “Identity and access in a CSP’s platforms are everything,” he says. “If you have the keys to the kingdom, you can’t just enter it but reconfigure it—a major threat to operational stability and security of any organization.”
“Attackers no longer try to brute-force their way into enterprise infrastructure,” adds Hank Schless, a senior manager for security solutions at Lookout, a provider of mobile phishing solutions. “With so many ways to compromise and steal corporate credentials, the preferred tactic is to pose as a legitimate user in order to avoid detection.”
As more organizations migrate their applications to the cloud, identity management continues to be a hot button issue, asserts Tushar Tambay, vice president of product development for data protection solutions at Entrust, a digital security and credential issuance company. “With many companies still working remotely as well, IT teams have to verify the identities of employees working from anywhere at any time on any device,” he says. “Additionally, businesses are engaging with customers and partners in the cloud.”
Tambay adds that key management needs to be prioritized, too. “Strong key management can keep data secure and help ensure that trusted parties only have access to data that is absolutely necessary,” he says. “Unfortunately, securing data through encryption can often cause a bit of a key management headache due to the growing number of keys.”
Identity management is almost entirely on the user to manage properly, says Daniel Kennedy, research director for information security and networking at 451 Research. “The cloud providers provide help, but the flexibility of cloud platforms comes with a requirement to effectively manage user and system access and privileges,” he says. “It’s one of the primary responsibilities of the enterprise leveraging cloud in a shared responsibility model, and thus figures prominently in their assessment of risk.”
Key takeaways about access and identity management identified in the report include:
- Hardened defenses at the core of enterprise architectures have shifted hacking to endpoint user identity as low-hanging fruit.
- Discrete user and application-based isolation is required to achieve a robust zero trust-layer beyond simple authentication.
- Advanced tools, such as cloud infrastructure entitlement management (CIEM), are only part of the story. Operational policies and structured risk models are also vital.
- Trust is more than giving keys and codes. It’s earned. User objects must be given risk scores that dynamically adjust as the business requires.
2. Insecure interfaces and APIs
APIs and similar interfaces can contain vulnerabilities arising from misconfiguration, coding errors, or a lack of authentication and authorization, among other things, the report stated. Such oversights can leave them exposed to malicious activity.
It added that organizations face a challenging task in managing and securing APIs. For example, the velocity of cloud development is greatly accelerated. Processes that took days or weeks using traditional methods can be completed in seconds or minutes in the cloud. Using multiple cloud providers also adds complexity, it continues, as each provider has unique capabilities that are enhanced and expanded almost daily. This dynamic environment requires an agile and proactive approach to change control and remediation that many companies have not mastered.
Key takeaways about APIs include:
- The attack surface provided by APIs should be tracked, configured, and secured.
- Traditional controls and change management policies and approaches need to be updated to keep pace with cloud-based API growth and change.
- Companies should embrace automation and employ technologies that monitor continuously for anomalous API traffic and remediate problems in near real time.
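The third takeaway above calls for continuous monitoring of API traffic for anomalies. The following is an added example (not code from the CSA report, the article, or any vendor quoted in it) of what such monitoring logic looks like when run over access-log lines. The log format, the client keys, the per-key method baseline and the thresholds are all assumptions; the sample log lines are constructed.

```python
"""Detect anomalous API traffic in a simple access log.

Added example. Assumed log format (one request per line):
    <ISO-8601 UTC timestamp> <api-key-id> <HTTP method> <path> <status>
Three detection rules are applied per API key over a sliding window:
  1. auth_failure_burst  - too many 401/403 responses in the window
  2. rate_exceeded       - more requests in the window than the ceiling
  3. unexpected_method   - a method the key has no baseline for
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

WINDOW_SECONDS = 60      # assumed sliding-window length
MAX_AUTH_FAILURES = 3    # assumed: >3 auth failures per window per key is suspicious
MAX_REQUESTS = 50        # assumed: per-key request ceiling per window

# Assumed baseline of which HTTP methods each key normally uses.
# Keys absent from this table are not checked by rule 3.
EXPECTED_METHODS = {
    "key-alpha": {"GET"},
    "key-bravo": {"GET"},
    "key-charlie": {"GET", "POST"},
    "key-delta": {"GET"},
}

# Constructed sample log (not real traffic).
SAMPLE_LINES = [
    "2022-06-01T10:00:00Z key-alpha GET /v1/accounts/17 200",
    "2022-06-01T10:00:05Z key-alpha GET /v1/accounts/17 200",
    "2022-06-01T10:00:01Z key-bravo GET /v1/accounts/1 403",
    "2022-06-01T10:00:02Z key-bravo GET /v1/accounts/2 403",
    "2022-06-01T10:00:03Z key-bravo GET /v1/accounts/3 403",
    "2022-06-01T10:00:04Z key-bravo GET /v1/accounts/4 403",
    "2022-06-01T10:00:05Z key-bravo GET /v1/accounts/5 200",
    "2022-06-01T10:00:06Z key-charlie DELETE /v1/accounts/9 200",
    "2022-06-01T10:00:07Z key-charlie GET /v1/accounts/9 200",
    "2022-06-01T10:00:08Z key-delta GET /v1/accounts/3 401",
    "2022-06-01T10:00:09Z key-delta GET /v1/accounts/3 401",
    "this line is malformed and must be skipped",
] + [
    # key-echo: 60 requests inside one 60-second window -> rate_exceeded
    f"2022-06-01T10:01:{s:02d}Z key-echo GET /v1/items/{s} 200" for s in range(60)
]


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def detect(lines, expected_methods=EXPECTED_METHODS):
    """Return a sorted list of (client, rule) findings over the given log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = set()
    for client, evs in by_client.items():
        allowed = expected_methods.get(client)
        start, failures = 0, 0
        for end, ev in enumerate(evs):
            if allowed is not None and ev["method"] not in allowed:
                findings.add((client, "unexpected_method"))
            if ev["status"] in (401, 403):
                failures += 1
            # Slide the window's left edge forward until it spans <= WINDOW_SECONDS.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                if evs[start]["status"] in (401, 403):
                    failures -= 1
                start += 1
            if failures > MAX_AUTH_FAILURES:
                findings.add((client, "auth_failure_burst"))
            if end - start + 1 > MAX_REQUESTS:
                findings.add((client, "rate_exceeded"))
    return sorted(findings)


if __name__ == "__main__":
    for client, rule in detect(SAMPLE_LINES):
        print(f"{client}: {rule}")
```

The rules are deliberately stateless beyond a per-key window so the detector can run as a streaming job beside an API gateway; in practice the baseline table would be derived from the entitlements each key was issued with, and findings would feed an alerting pipeline rather than stdout.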
3. Misconfiguration and inadequate change control
Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave them vulnerable to unintended damage or to external and internal malicious activity, the report explained. Lack of system knowledge, misunderstanding of security settings, or malicious intent can all result in misconfigurations.
A serious problem with misconfiguration errors is they can be magnified by the cloud. “One of the biggest advantages of the cloud is its scalability and the way it enables us to create interconnected services for smoother workflows,” Schless says. “However, this also means that one misconfiguration can have magnified ramifications across multiple systems.”
Due to an automated continuous integration/continuous delivery (CI/CD) pipeline, misconfigurations and vulnerabilities not identified during build time are automatically deployed to production, says Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes and the cloud. “Misconfigurations and vulnerabilities in images are passed on to all containers created from those images.”
Key takeaways about misconfiguration and inadequate change control include:
- Companies need to embrace available technologies that scan continuously for misconfigured resources to allow remediation of vulnerabilities in real-time.
- Change management approaches must reflect the unceasing and dynamic nature of continuous business transformations and security challenges to ensure approved changes are made properly using real-time automated verification.
4. Lack of cloud security architecture and strategy
The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and conscious design, the report notes. However, it added, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe.
Those problems can be compounded when multiple cloud providers are involved. “Leveraging cloud providers is certainly no longer novel, but the security product space continues to emerge and evolve around the cloud,” Kennedy says. “As examples, early on we saw cloud workload security emerge as an approach to provide common third-party security functions.”
“Most security folks looking after cloud security must consider what mix of default controls from the cloud provider, premium controls from the same, and what third-party security product offerings address their specific risk profile, and sometimes that profile is different at the application level. It introduces a lot of complexity in the face of emerging threats,” Kennedy adds.
Key takeaways about the lack of cloud security architecture and strategy include:
- Companies should consider business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
- Given the rapid pace of change and limited centralized control in cloud deployments, it’s more important, not less, to develop and adhere to an infrastructure strategy and design principles.
- Adopters are advised to consider due diligence and vendor security assessment foundational practices. They should be complemented with secure design and integration to avoid the kinds of systemic failures that occurred in the SolarWinds, Kaseya and Bonobos breaches.
5. Insecure software development
While the cloud can be a powerful environment for developers, organizations need to make sure developers understand how the shared responsibility model affects the security of their software. For example, a vulnerability in Kubernetes could be the responsibility of a CSP, while an error in a web application using cloud-native technologies could be the responsibility of the developer to fix.
Key takeaways to keep in mind about insecure software development include:
- Using cloud technologies prevents reinventing existing solutions, allowing developers to focus on issues unique to the business.
- By leveraging shared responsibility, items like patching can be owned by a CSP rather than the business.
- CSPs place an importance on security and will provide guidance on how to implement services in a secure fashion.
6. Unsecure third-party resources
According to the CSA report, third-party risks exist in every product and service we consume. It noted that because a product or service is a sum of all the other products and services it’s using, an exploit can start at any point in the supply chain for the product and proliferate from there. Threat actors know they only need to compromise the weakest link in a supply chain to spread their malicious software, oftentimes using the same vehicles developers use to scale their software.
Key takeaways about unsecure third-party resources include:
- You can’t prevent vulnerabilities in code or products you didn’t create, but you can make a good decision about which product to use. Look for the products that are officially supported. Also, consider those with compliance certifications, that openly speak about their security efforts, that have a bug bounty program, and that treat their users responsibly by reporting security issues and delivering fixes quickly.
- Identify and track the third parties you are using. You don’t want to find out you’ve been using a vulnerable product only when the list of victims is published. This includes open source, SaaS products, cloud providers, managed services, and other integrations you may have added to your application.
- Perform a periodic review of the third-party resources. If you find products you don’t need, remove them and revoke any access or permissions you may have granted them into your code repository, infrastructure or application.
- Don’t be the weakest link. Penetration-test your application, teach your developers about secure coding, and use static application security testing (SAST) and dynamic application security testing (DAST) solutions.
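Two of the takeaways above, identifying and tracking the third parties you use and periodically reviewing them to remove what you no longer need, are easiest to act on when the inventory is machine-readable. The following is an added example (not code from the CSA report or the article) that builds such an inventory from a pinned dependency list, matches it against an advisory feed, and flags dependencies no code imports. The package names, versions, advisory identifiers and import list are all constructed placeholders; a real review would pull the advisory data from a vulnerability database and the import list from a scan of the code base.

```python
"""Inventory and review third-party dependencies.

Added example. Input is an assumed requirements-style pin list
("name==major.minor.patch" per line). Advisories are assumed to carry the
package name and the first fixed version. Findings:
  vulnerable - pinned version is below the advisory's fixed version
  unused     - package is pinned but nothing in the code base imports it
"""
import re

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")

# Constructed sample pin list; package names and versions are made up.
REQUIREMENTS = """\
# constructed lockfile for the example
acme-http==2.3.1
leftpadlib==0.9.0
fastjsonish==1.4.2
"""

# Constructed advisory feed; the ID is a placeholder, not a real CVE.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "fastjsonish", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "acme-http", "fixed_in": "2.0.0"},
]

# Constructed result of scanning the code base for top-level imports.
IMPORTED_PACKAGES = {"acme-http", "fastjsonish"}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {package: version_tuple} from a pinned requirements list.

    Comments, blank lines and unpinned entries are ignored rather than
    treated as inventory, so the caller sees only what is actually pinned.
    """
    inventory = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            inventory[m.group(1).lower()] = parse_version(m.group(2))
    return inventory


def review(inventory, advisories, imported):
    """Return sorted (package, finding, detail) tuples for the inventory."""
    findings = []
    for advisory in advisories:
        name = advisory["package"].lower()
        if name in inventory and inventory[name] < parse_version(advisory["fixed_in"]):
            findings.append((name, "vulnerable", advisory["id"]))
    for name in inventory:
        if name not in {p.lower() for p in imported}:
            findings.append((name, "unused", "no import found; remove and revoke its access"))
    return sorted(findings)


def review_requirements(text=REQUIREMENTS, advisories=ADVISORIES, imported=IMPORTED_PACKAGES):
    return review(parse_requirements(text), advisories, imported)


if __name__ == "__main__":
    for package, finding, detail in review_requirements():
        print(f"{package}: {finding} ({detail})")
```

Version comparison here is a plain numeric tuple, which is enough for the example but not for real package ecosystems with pre-release or build tags; a production review would use the ecosystem's own version parser and would treat the "unused" finding as a prompt for the access revocation the takeaway describes, not just deletion of the pin.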
7. System vulnerabilities
These are flaws in a CSP that can be used to compromise confidentiality, integrity and availability of data, and disrupt service operations. Typical vulnerabilities include zero days, missing patches, vulnerable misconfiguration or default settings, and weak or default credentials that attackers can easily obtain or crack.
Key takeaways about system vulnerabilities include:
- System vulnerabilities are flaws within system components often introduced through human error, making it easier for hackers to attack your company’s cloud services.
- Post-incident response is a costly proposition. Losing company data can negatively impact your business’s bottom line in revenue and reputation.
- Security risks due to system vulnerabilities can be greatly minimized through routine vulnerability detection and patch deployment combined with rigorous IAM practices.
8. Accidental cloud data disclosure
Data exposure remains a widespread problem among cloud users, the report noted, with 55% of companies having at least one database that’s exposed to the public internet. Many of those databases have weak passwords or don’t require any authentication at all, making them easy targets for threat actors.
Key takeaways about accidental cloud data disclosure include: