Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Top Guns: Defending Corporate Clouds from Malicious Mavericks

While applications and cloud infrastructure present different risk profiles and require different security assessments, they must not be viewed separately with regards to enterprise defense.

Defending Corporate Clouds

Securing the slow but inevitable transition from traditional network and application infrastructures to the Cloud has long been a point of emphasis. Save for the follies of misconfigurations and mediocre administration, the plethora of defensive technologies has seemingly served their purpose. However, the COVID fueled acceleration of Cloud-first infrastructures, combined with tectonic shifts in the Cloud threat model and a substantial lack of cloud security specific talent, has us fighting next generation attackers, with last generation thinking.

Past the point of no return, research from Fortinet shows 39% of companies have more than half of their workloads in the cloud, and 58% plan to within the next 12-18 months. Gartner also proclaimed more than 85% of organizations will be embracing a cloud-first strategy by 2025.

Unsurprisingly, the “bad guys” have taken notice with cloud exploitation cases nearly doubling (up 95%) between 2021 and 2022 (PDF), while incidents of adversaries targeting cloud environments shot up by a staggering 288%, according to the CrowdStrike 2023 Cloud Risk Report (PDF).

Flying blind

As if the situation weren’t “cloudy” enough, security teams are having the most challenging time seeing the path forward. While on premise infrastructure is well understood and monitored, in the cloud they’ve lost sight – literally and figuratively – of the vast differences between the assets they know, and those for which they have now ceded oversight to others.  

Changes happen outside of enterprise purview by multiple entities, from business units to the cloud providers themselves. Each time a cloud asset is added, removed, or changed – the organizational security posture is put at risk. Most companies don’t have clear insight into all the applications, systems, and data they are running in the cloud, and for more than 75% of companies, across multiple clouds. The morass of configuration and security settings across multiple cloud environments is massive, and that’s not even accounting for cloud assets deployed under “Shadow IT.” – which data from Gartner sizes at 75% of employees acquiring, modifying, or creating technology outside of IT’s visibility by 2027.

This lack of clarity extends to vulnerabilities. While open buckets and misconfigurations get the most attention, they are only a fraction of the risks that security teams must account for, including sensitive data movement, access misuse/abuse, insecure interfaces/APIs, external sharing, hijacking, and malicious insiders. 

It paints a distressing picture. The range of understanding about how best to assess security of cloud infrastructure and assets are as varied as the issues themselves. Some put trust in the cloud provider controls, some apply on premise methodologies and concepts in a range of new (or cloud-adapted) tools and services. But in keeping with the theme of flying “blind” these approaches provide visibility comparable to the parable of the blind men and the elephant. Depending on what tool, what asset and even in what timeframe they choose to try and understand what’s in front of them, their comprehension of the situation changes.

Advertisement. Scroll to continue reading.

The most forward-looking organizations are going beyond cloud asset and activity enumeration, to understanding how cloud assets can be compromised, and the paths to and between assets that represent real business risk.

A Fragmented Defense is the worst Offense

Unfortunately, the only real test of organizational cloud vulnerability is how it withstands an attack.  Fortunately, much like applications and code, a corporate cloud can be subjected to a penetration test. This involves simulating an attack on a cloud environment via a compromised asset and/or conducting manual penetration tests based on specific objectives, not simply assets. For example, determining answers to questions such as: “Can you get to our most sensitive data?” or “Can you get admin access to all our cloud environments?”  

As referenced previously, many organizations fall back to what is comfortable and familiar in traditional, independent – mostly defensive – methods to assess infrastructures/controls, assets/configurations and applications. While important and a good way of determining the strength of individual asset compliance with security best practices, this approach fails to provide an accurate representation of how the controls will perform against real-world attacks or even account for all the risks facing cloud resources. Some examples of these individual solution categories include:

  • Infrastructure Testing – Cloud Security Reviews provide strong inventories of assets, controls and configurations that may be sub-optimal and at risk of compromise.  
  • Posture Review – examines optimal composition and coordination of overall cloud protections and best practices for securing cloud environments. In most cases, separate reviews are also conducted for multi-infrastructure (SaaS, PaaS, IaaS) and multi-cloud environments.
  • Applications – solutions focused on workload protection range from examining the susceptibility of data in use to be potentially compromised, to monitoring for abnormal behavior around data assets.

These methods are lacking in two ways. They independently assess strength with respect to industry trends and threat intelligence, not understanding interconnections and interdependencies that could be exploited, and more critically, they lack validation of actual exposure. Assessments of potential for abuse or compromise could produce an overwhelming amount of best practice recommendations. In contrast, Cloud penetration testing is about identifying exploitable findings and focusing on vulnerabilities that matter, to provide actionable recommendations and affect quantifiable improvement. It’s about chaining together multiple vulnerabilities to hit a bullseye, offering a more authentic representation of potential attacks – not just a theoretical playbook of enhancements. Regardless of the approach, as stated earlier, change is inevitable, and relentless.  So to put an even finer point on the differences in assessment, not only should it be comprehensive, but also continuous.

What’s on the Radar

The relentless pursuit of agility and efficiency in technology advances in spite of compounding risk.  We’re seeing concerning shift where the security of cloud-based applications is falling to the responsibility of development teams, not traditional IT and security teams.

Gartner estimates that by 2025 more than 95% of new digital workloads will be deployed on cloud- native platforms, a significant increase from 30% in 2021.

This further expands the potential attack surface and abstracts an enterprise ability to ensure security, compliance, and observability. However, while applications and cloud infrastructure present different risk profiles and require different security assessments, they must not be viewed separately with regards to enterprise defense. This continued expansion of business assets and operations in the Cloud highlight the need for a comprehensive view and approach, that acknowledges the singular focus and coordinated approach attackers will take to achieve their goal.    

Written By

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.