Cloud security is complex -- but most vulnerabilities fall into three key categories
With most enterprises leveraging at least one type of cloud deployment today, the question arises: is the cloud more or less secure than on-premise solutions?
The reality is that on-prem and even private cloud environments rely largely on a barrier (perimeter) defense. Once an organization is compromised inside that barrier, attackers can often move freely, as we saw in marquee incidents such as the Target data breach, the 2014 Home Depot hack, and the recent Uber breach, which exploited an unpatched security vulnerability.
Taking a step back, we see that cloud vulnerabilities fall into three main categories: cloud misconfigurations, application exploits and security patch management.
Cloud configurations that are not aligned to security best practices commonly lead to exploits, as we saw in the case of the 2019 Capital One data breach. In this breach, the bad actor took advantage of an AWS misconfiguration to bypass authentication requirements and enter the network. According to Gartner, misconfigurations and other customer missteps will result in 99 percent of cloud security incidents by 2023.
There are exceptions in which the flaw lies on the vendor's side rather than in the customer's configuration, such as last year’s attack exposing flaws in Microsoft Azure’s Cosmos DB, which left thousands of customers exposed to malicious actors. While significant, such scenarios are rarer. Thankfully, when it comes to shared responsibility, vendors generally do a good job of holding up their end of the bargain.
The shared responsibility model also applies to patch management. We continue to see customers compromised through unpatched vulnerabilities, which often stem from not applying patches quickly enough or at all. Cloud vendors such as AWS provide transparency around their security events and maintain updated records of security bulletins, similar to Microsoft’s Patch Tuesday updates.
However, security patches are only useful if they are applied in a timely manner. This was reiterated in the latest revision from the U.S. National Institute of Standards and Technology (NIST), which recently updated its guidance for enterprise patch management to encourage enterprises to implement strategies for streamlining patch management.
There are also ways to reduce the element of human error in patch management. Patch management tools that leverage artificial intelligence (AI) to automate the patch management process can help security teams establish standardized policies for managing patches.
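The patch-lag check that such a process automates is simple to state: compare each host's installed package versions against the fixed versions in the vendor's security bulletins, and flag anything still unpatched after the organization's SLA has elapsed. The following is an added example, not code from the article or from any vendor's tooling; the bulletin ids, package versions, host names and the 14-day SLA are all constructed. One detail worth noticing is the version comparison: comparing version strings lexically would wrongly rank `5.15.90` above `5.15.110`, so the example splits versions into integer tuples first.

```python
"""Patch-lag report over a constructed host inventory and security bulletins.

Added example (not from the article). Bulletin ids, versions, hosts and the
SLA window are constructed for illustration.
"""
from datetime import date

# Constructed security bulletins: package, first fixed version, publication date.
BULLETINS = [
    {"id": "BULLETIN-0001", "package": "openssl", "fixed_version": "3.0.9",
     "published": date(2023, 6, 1)},
    {"id": "BULLETIN-0002", "package": "kernel", "fixed_version": "5.15.110",
     "published": date(2023, 6, 20)},
]

# Constructed host inventory: installed package versions per host.
INVENTORY = {
    "web-01": {"openssl": "3.0.8", "kernel": "5.15.110"},
    "web-02": {"openssl": "3.0.9", "kernel": "5.15.90"},
    "db-01":  {"openssl": "3.0.2", "kernel": "5.15.110"},
}

AS_OF = date(2023, 7, 1)   # constructed "today" so the report is reproducible
SLA_DAYS = 14              # constructed patching SLA: bulletin age after which a host is overdue


def version_tuple(v):
    """Turn '5.15.110' into (5, 15, 110) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def find_missing_patches(inventory, bulletins, today, sla_days):
    """Return (host, bulletin_id, days_past_sla) for every host whose installed
    version is below a bulletin's fixed version and whose bulletin is older than
    the SLA. Hosts still inside the SLA window are not reported."""
    findings = []
    for host, packages in inventory.items():
        for bulletin in bulletins:
            installed = packages.get(bulletin["package"])
            if installed is None:
                continue  # package not present on this host; bulletin does not apply
            if version_tuple(installed) >= version_tuple(bulletin["fixed_version"]):
                continue  # already at or above the fixed version
            age_days = (today - bulletin["published"]).days
            if age_days > sla_days:
                findings.append((host, bulletin["id"], age_days - sla_days))
    return findings


def report(today=AS_OF, sla_days=SLA_DAYS):
    """Overdue findings sorted so the most overdue host comes first."""
    findings = find_missing_patches(INVENTORY, BULLETINS, today, sla_days)
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for host, bulletin_id, overdue in report():
        print(f"{host}: {bulletin_id} is {overdue} day(s) past the {SLA_DAYS}-day SLA")
```

In this constructed data, web-02 is behind on the kernel bulletin but that bulletin is only 11 days old, so it stays inside the SLA and is not reported; web-01 and db-01 are both 16 days past the SLA on the openssl bulletin.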
While not the most recent, the 2013 Target data breach remains a hallmark cyber event warning of the dangers of application exploits. In the Target breach, hackers gained access through a third-party HVAC vendor, which enabled them to reach additional systems on the network and extend their exploits. This highlights the false sense of security some organizations derive from the tools used to protect their networks, and points to why it is equally important to apply best practices to third-party applications.
Some tools, such as intrusion detection and prevention (IDP) devices, can help identify hackers moving laterally through a compromised network to exploit applications. While some organizations view these tools as a last line of defense, they should be considered an important part of cloud security best practices.
Cloud security works when combined with best practices
Returning to the question of security in on-premises versus cloud environments, the answer lies in the following. If attackers compromise a cloud environment, the security tools available are far better at limiting the blast radius of an exploit than those in an on-premises environment. When cloud environments are architected with security best practices applied, you reduce the opportunity for bad actors to leverage access to one application in order to compromise another, higher-value application containing more sensitive or even customer data.
When environments are designed with cloud-native security capabilities such as Identity and Access Management (IAM), tools such as role-based access become available; in an AWS environment, for example, this lets enterprises assign role-based access to specific databases and servers. Once a role is established, only the designated server can talk to the corresponding database.
These security mechanisms are built into the cloud platforms, which are designed to secure the workloads that protect the crown jewels inside the castle, an aged but still apt metaphor for an enterprise’s cloud estate. In theory, when an attacker does get past the barrier, they are contained to one room in the castle rather than gaining boundless access to the entire cloud estate.
Kevin Davis, Global CTO of AWS at Cloudreach, an Atos company, knows that, like building a house, it is necessary to dedicate appropriate resources and build a solid foundation to ensure stability and reduce future risk. The same is true for storing data securely in the cloud: shortcuts can lead to unnecessary risk and potential exposure in the future.
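The "only the designated server can talk to the corresponding database" property, and the misconfiguration risk discussed earlier, both come down to how a role's policy statements are evaluated. The following is an added example, not code from the article or from AWS, that implements the documented core of IAM's single-account evaluation order (an explicit Deny wins, otherwise a matching Allow grants, otherwise access is implicitly denied) with `*` wildcards in actions and resources, and adds a small least-privilege check that flags roles allowing a bare `*`. The role names, account id, database resource ids and policies are constructed; the ARN layout follows the `rds-db:connect` form but the resource ids are placeholders.

```python
"""Simplified IAM-style policy evaluation and a least-privilege check.

Added example (not from the article and not AWS code). Implements the core
evaluation order: explicit Deny > Allow > implicit deny, with '*' wildcards.
All role names, the account id and resource ids are constructed.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account id


def db_arn(db_id, user):
    """Build a constructed rds-db ARN for a database resource id and db user."""
    return f"arn:aws:rds-db:us-east-1:{ACCOUNT}:dbuser:{db_id}/{user}"


# Constructed role policies: each app server's role may only reach its own database.
ROLE_POLICIES = {
    "orders-app-role": [
        {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [db_arn("orders-db", "app")]},
    ],
    "billing-app-role": [
        {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [db_arn("billing-db", "app")]},
        # Read-only reporting access to any database's 'readonly' user...
        {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [db_arn("*", "readonly")]},
        # ...except the customer PII database, which an explicit Deny carves out.
        {"Effect": "Deny", "Action": ["rds-db:*"], "Resource": [db_arn("customer-pii-db", "*")]},
    ],
    # A misconfigured role: wildcard action and resource, exactly what a
    # best-practice review should flag.
    "legacy-admin-role": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns both cover the request."""
    return (any(fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, pat) for pat in _as_list(statement["Resource"])))


def is_allowed(role, action, resource, policies=ROLE_POLICIES):
    """Evaluate a request: explicit Deny wins, else any matching Allow grants,
    else the request is implicitly denied (unknown roles get nothing)."""
    decision = False
    for stmt in policies.get(role, []):
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny overrides every allow
        decision = True           # keep scanning in case a later Deny applies
    return decision


def overly_permissive(policies=ROLE_POLICIES):
    """Roles with an Allow statement whose Action or Resource is a bare '*'."""
    flagged = []
    for role, statements in policies.items():
        for stmt in statements:
            if stmt["Effect"] == "Allow" and (
                    "*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"])):
                flagged.append(role)
                break
    return flagged


if __name__ == "__main__":
    print("orders -> orders-db:", is_allowed("orders-app-role", "rds-db:connect", db_arn("orders-db", "app")))
    print("orders -> billing-db:", is_allowed("orders-app-role", "rds-db:connect", db_arn("billing-db", "app")))
    print("roles to review:", overly_permissive())
```

The point of the Deny statement in the billing role is that it holds even though the wildcard `readonly` Allow would otherwise match the PII database, which is the property that keeps a compromised reporting path from becoming a path to the crown jewels.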