nobeastsofierce - Fotolia
The risk involved with enterprise cloud deployments is expanding, with several recent reports indicating a rise in cloud security incidents and threats.
The 2019 SANS State of Cloud Security survey reported "a significant increase in unauthorized access by outsiders into cloud environments or to cloud assets." Nineteen percent of the surveyed organizations reported experiencing such incidents, compared to 12% in 2017.
Meanwhile, Skybox Security's midyear update on threat trends found that vulnerabilities in container software increased 46% in the first half of 2019 when compared to the same period in 2018. They also calculated a 240% increase in container vulnerabilities over the past two years.
The consequences of a cloud security incident can be significant. A case in point is the theft of 100 million-plus records from Capital One that was reportedly pulled off by a former Amazon employee who exploited a well-known cloud computing vulnerability.
Cybersecurity experts said neither the statistics nor the fallout from breaches is surprising, as cloud brings both business benefits and new risks in equal measure.
"With all of the positive aspects that come with the digital economy, it can also be a double-edged sword bringing about significant security threats to CIOs, CISOs and enterprises if they are not adequately armed to protect their data," said Satish Thiagarajan, vice president and global head of cybersecurity at Tata Consultancy Services Ltd.
Modern cloud security threats
The 2019 SANS report looked at what issues were most commonly involved in successful attacks. These include the following:
- credential hijacking, with 49% of survey respondents experiencing this type of attack;
- misconfiguration of cloud services or resources, with 42% reporting this as an issue;
- privileged user abuse (38%);
- unauthorized (rogue) application components or compute instances (31%);
- insecure API or interface compromise (29%);
- shadow IT (29%);
- denial-of-service attacks (29%); and
- several other issues, including cloud provider vulnerabilities, each cited by less than 25% of respondents.
The "2019 Cloud Security Report," supported by Netskope and produced by Cybersecurity Insiders, a 400,000-member information security community, identified similar trends. It listed the following as top cloud security vulnerabilities:
- insecure interfaces and APIs (cited as the most severe cloud security vulnerability by 57%);
- misconfiguration of the cloud platform (48%);
- unauthorized access through misuse of employee credentials and improper access controls (46%);
- external sharing of data (34%);
- hijacking of accounts, services or traffic (32%);
- malicious insiders (31%); and
- denial-of-service attacks (28%).
The root causes of cloud risk
Cybersecurity experts pointed to several factors that contribute to the modern threat landscape during enterprise cloud deployments.
Satish Thiagarajan Vice president and global head of cybersecurity, Tata Consultancy Services
The lack of governance and oversight is one of the biggest contributors, according to Dave Shackleford, founder of Voodoo Security and a SANS analyst who authored the 2019 cloud report.
"People go to the cloud without a plan. They lack governance or even conversations within the organizations," he said.
He noted that business units can -- and often do -- deploy SaaS options without consulting IT or security, potentially exposing the organization to risk as a result.
But the business side isn't the only group unwittingly exposing the organization to risk, he said. IT, with its focus on agility and speed, also inadvertently introduces vulnerabilities in its use of cloud by exposing encryption keys, passwords or other sensitive data.
Tony Buffomante, cybersecurity global co-leader for KPMG, offered a similar take.
"Some of the core tech spend has moved out of IT and into business units, so that means business leaders are making decisions about the technology sourcing and cloud solutions," Buffomante said. "There's a risk of confusion over who is responsible [for which security pieces] if the IT organization isn't aware of some of these cloud usages or isn't involved in negotiating contracts with the cloud providers."
Buffomante also pointed to the increasing complexity of cloud environments. Most companies use a mix of on-premises, public cloud and private cloud (including SaaS offerings). This further increases cloud security threats that organizations face.
"The multi-cloud environment increases the complexity of monitoring and managing security," he added, noting that each platform provider has its own security configurations and monitoring tools that enterprise security teams must track and learn to use.
Although cloud has created new security challenges for organizations, cybersecurity leaders said CISOs should rely on the conventional mix of people, processes and technologies to build adequate defenses. They also suggested layering in new elements such as cloud access security brokers and updated governance policies to appropriately address the new realities of cloud security.
"The security team can't just use one process, one tool or one technology to lock down the critical data and to manage and monitor that going forward," Buffomante added. "That makes it harder to see individual security gaps and more difficult to see vulnerabilities."