
Top Guns: Defending Corporate Clouds from Malicious Mavericks

While applications and cloud infrastructure present different risk profiles and require different security assessments, they must not be viewed separately with regards to enterprise defense.


Securing the slow but inevitable transition from traditional network and application infrastructures to the cloud has long been a point of emphasis. Aside from the follies of misconfiguration and mediocre administration, the plethora of defensive technologies has seemingly served its purpose. However, the COVID-fueled acceleration of cloud-first infrastructures, combined with tectonic shifts in the cloud threat model and a substantial lack of cloud-security-specific talent, has us fighting next-generation attackers with last-generation thinking.

Past the point of no return, research from Fortinet shows that 39% of companies already run more than half of their workloads in the cloud, and a further 58% plan to reach that point within the next 12-18 months. Gartner also proclaimed that more than 85% of organizations will embrace a cloud-first strategy by 2025.

Unsurprisingly, the “bad guys” have taken notice: cloud exploitation cases nearly doubled (up 95%) between 2021 and 2022, while incidents of adversaries targeting cloud environments shot up by a staggering 288%, according to the CrowdStrike 2023 Cloud Risk Report.

Flying blind

As if the situation weren’t “cloudy” enough, security teams are having a hard time seeing the path forward. While on-premises infrastructure is well understood and monitored, in the cloud they have lost sight, literally and figuratively, of the vast differences between the assets they know and those for which they have now ceded oversight to others.

Changes happen outside of enterprise purview and are made by multiple entities, from business units to the cloud providers themselves. Each time a cloud asset is added, removed, or changed, the organizational security posture is put at risk. Most companies don’t have clear insight into all the applications, systems, and data they are running in the cloud, and more than 75% of companies are running them across multiple clouds. The morass of configuration and security settings across multiple cloud environments is massive, and that’s not even accounting for cloud assets deployed as “Shadow IT,” which Gartner projects will reach 75% of employees acquiring, modifying, or creating technology outside of IT’s visibility by 2027.

This lack of clarity extends to vulnerabilities. While open buckets and misconfigurations get the most attention, they are only a fraction of the risks that security teams must account for, including sensitive data movement, access misuse/abuse, insecure interfaces/APIs, external sharing, hijacking, and malicious insiders. 

It paints a distressing picture. Understanding of how best to assess the security of cloud infrastructure and assets is as varied as the issues themselves. Some put their trust in the cloud provider’s controls; some apply on-premises methodologies and concepts through a range of new (or cloud-adapted) tools and services. But, in keeping with the theme of flying “blind,” these approaches provide visibility comparable to the parable of the blind men and the elephant. Depending on which tool, which asset, and even which timeframe they choose to try and understand what’s in front of them, their comprehension of the situation changes.


The most forward-looking organizations are going beyond cloud asset and activity enumeration, to understanding how cloud assets can be compromised, and the paths to and between assets that represent real business risk.

A Fragmented Defense is the Worst Offense

Unfortunately, the only real test of an organization’s cloud vulnerability is how it withstands an attack. Fortunately, much like applications and code, a corporate cloud can be subjected to a penetration test. This involves simulating an attack on a cloud environment via a compromised asset and/or conducting manual penetration tests based on specific objectives, not simply assets. For example, determining answers to questions such as: “Can you get to our most sensitive data?” or “Can you get admin access to all our cloud environments?”

As referenced previously, many organizations fall back to what is comfortable and familiar: traditional, independent, mostly defensive methods to assess infrastructure/controls, assets/configurations, and applications. While important, and a good way of determining how well individual assets comply with security best practices, this approach fails to provide an accurate representation of how the controls will perform against real-world attacks, or even to account for all the risks facing cloud resources. Some examples of these individual solution categories include:

  • Infrastructure Testing – Cloud Security Reviews provide strong inventories of assets, controls and configurations that may be sub-optimal and at risk of compromise.  
  • Posture Review – examines optimal composition and coordination of overall cloud protections and best practices for securing cloud environments. In most cases, separate reviews are also conducted for multi-infrastructure (SaaS, PaaS, IaaS) and multi-cloud environments.
  • Applications – solutions focused on workload protection range from examining the susceptibility of data in use to be potentially compromised, to monitoring for abnormal behavior around data assets.

These methods are lacking in two ways. They independently assess strength with respect to industry trends and threat intelligence, without understanding the interconnections and interdependencies that could be exploited; and, more critically, they lack validation of actual exposure. Assessments of the potential for abuse or compromise can produce an overwhelming number of best-practice recommendations. In contrast, cloud penetration testing is about identifying exploitable findings and focusing on the vulnerabilities that matter, to provide actionable recommendations and effect quantifiable improvement. It’s about chaining together multiple vulnerabilities to hit a bullseye, offering a more authentic representation of potential attacks, not just a theoretical playbook of enhancements. Regardless of the approach, as stated earlier, change is inevitable and relentless. So, to put an even finer point on the differences in assessment: it should be not only comprehensive, but also continuous.

What’s on the Radar

The relentless pursuit of agility and efficiency in technology advances in spite of compounding risk. We’re seeing a concerning shift where responsibility for the security of cloud-based applications is falling to development teams rather than to traditional IT and security teams.

Gartner estimates that by 2025 more than 95% of new digital workloads will be deployed on cloud-native platforms, a significant increase from 30% in 2021.

This further expands the potential attack surface and abstracts away an enterprise’s ability to ensure security, compliance, and observability. However, while applications and cloud infrastructure present different risk profiles and require different security assessments, they must not be viewed separately with regard to enterprise defense. This continued expansion of business assets and operations in the cloud highlights the need for a comprehensive view and approach, one that acknowledges the singular focus and coordinated approach attackers will take to achieve their goal.

Written By

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences.
