We're excited to announce that Kivera, a cloud security, data protection and compliance company, has joined Cloudflare. This acquisition expands our SASE portfolio to include embedded cloud application controls, enabling Cloudflare One customers to control preventive security for all of their cloud services.
In today's digital landscape, cloud services and SaaS (Software as a Service) applications have become indispensable to the daily operation of organizations. At the same time, the amount of data flowing between organizations and cloud providers has exploded, increasing the chances of data leaks, compliance issues and, worse, opportunities for attackers. In addition, many companies, especially at the enterprise level, work directly with multiple cloud providers, choosing among them based on their strengths, resilience against outages or errors, and cost-effectiveness.
Security teams that rely on Cloud Security Posture Management (CSPM) or similar tools to monitor cloud configurations and permissions and to inspect Infrastructure as Code (IaC) fall short because issues are only discovered after misconfigurations have already occurred, and then through a massive volume of alerts. The combination of Kivera and Cloudflare One puts preventive controls directly into the deployment process, “building in” security and preventing errors before they happen. This provides a proactive approach essential to protecting cloud infrastructure from evolving cyber threats, keeping data secure, and accelerating compliance.
An early warning system for cloud security risks
In a major leap forward in cloud security, the combination of Kivera and Cloudflare One technology adds preemptive, built-in controls to enforce secure configurations of cloud resources. By examining cloud API traffic, these new capabilities provide organizations with enhanced visibility and fine-grained controls, allowing for a proactive approach in mitigating risks, managing cloud security posture, and adopting a streamlined DevOps process when deploying cloud infrastructure.
Kivera will add the following capabilities to Cloudflare's SASE platform:
One-click security: Customers benefit from instant prevention of the most common cloud breaches caused by misconfigurations, such as accidentally allowing public access or policy inconsistency.
Enforced cloud tenant control: Businesses can easily draw boundaries around their cloud resources and tenants to ensure sensitive data stays within their organization.
Prevent data leaks: Easily set rules to prevent data from being sent to unauthorized locations.
Reduce “shadow” cloud infrastructure: Ensure that every interaction between a customer and their cloud provider is consistent with pre-defined standards.
Simplify cloud security compliance: Customers can automatically assess and enforce compliance against the most common regulatory frameworks.
Flexible DevOps model: Enforce custom controls independent of public cloud setup and deployment tools, reducing layers of lock-in between the organization and the cloud provider.
Complement other cloud security tools: Create a first line of defense for cloud deployment errors, reducing the volume of alerts for customers who also use CSPM tools or cloud-native application protection platforms (CNAPPs).
An intelligent agent that uses a policy-based approach to enforce secure configuration of cloud resources.
Better with Cloudflare One
As a SASE platform, Cloudflare One ensures secure access and provides data controls for cloud and SaaS applications. This integration extends the scope of Cloudflare's SASE platform beyond user-facing applications to integrate increased cloud security through proactive configuration management of infrastructure services, beyond what CSPM and CASB solutions provide. With the addition of Kivera to Cloudflare One, customers now have a unified platform for all their built-in protections, including cloud control, access and threat management, and data protection. All of these features are available through single pass scanning, which is 50% faster than Secure Web Gateway (SWG) alternatives.
With the earlier acquisition of BastionZero, a Zero Trust infrastructure access company, Cloudflare One expanded the scope of its VPN alternative to cover infrastructure resources as easily as it does applications and networks. Together, Kivera and BastionZero enable centralized security management across hybrid IT environments, providing a modern, DevOps-friendly way to help organizations connect and protect their hybrid infrastructure with Zero Trust best practices.
In addition to SASE capabilities, Cloudflare One is an integral part of Cloudflare's Connectivity Cloud, enabling organizations to integrate IT security tools on a single platform. This simplifies secure access to resources, from privileged developer access to technical infrastructure and cloud expansion. As Forrester says, “Cloudflare is a good choice for organizations seeking a high-performance, low-maintenance, DevOps-oriented solution.”
The growing threat of cloud misconfigurations
The cloud has become a prime target for cyberattacks. According to its 2023 Cloud Risk Report, CrowdStrike observed a 95% increase in cloud exploitation from 2021 to 2022, with a staggering 288% jump in cases involving threat actors directly targeting the cloud.
Misconfigurations in cloud infrastructure settings, such as incorrectly set security parameters and default access controls, provide adversaries with an easy path into the cloud. According to the 2023 Thales Global Cloud Security Study, which surveyed nearly 3,000 IT and security professionals from 18 countries, 44% of respondents reported having experienced a data breach, with misconfigurations and human error identified as the primary cause, accounting for 31% of incidents.
Furthermore, according to Gartner®, “During 2027, 99% of compromised records in cloud environments will be the result of user misconfigurations and account compromise, rather than a problem with the cloud provider.” (1)
Several factors contribute to cloud misconfigurations:
Rapid adoption of cloud services: Leaders are often driven by the scalability, cost effectiveness, and ability to support remote work and real-time collaboration that cloud services provide. These factors enable rapid adoption of cloud services, which can lead to unintended misconfigurations as IT teams struggle to keep up with the pace and complexity of these services.
Complexity of cloud environments: Cloud infrastructure can be very complex with multiple services and configurations to manage. For example, AWS alone offers 373 services with 15,617 actions and more than 140,000 parameters, making it difficult for IT teams to accurately manage settings.
Decentralized management: In large organizations, cloud infrastructure resources are often managed by multiple teams or departments. Without central oversight, inconsistent security policies and configurations can arise, increasing the risk of misconfigurations.
Continuous Integration and Continuous Deployment (CI/CD): CI/CD pipelines enhance the ability to quickly deploy and frequently change and update infrastructure. With this speed, the risk of misconfigurations increases when changes are not properly managed and reviewed.
Inadequate training and awareness: Employees may lack cross-functional skills needed for cloud security, such as understanding networking, identity, and service configurations. This knowledge gap can lead to errors and increases the risk of misconfigurations that compromise security.
Common exploitation methods
Threat actors exploit cloud services through various means, including targeting misconfigurations, abusing privileges, and bypassing encryption. Misconfigurations such as exposed storage pools or improperly secured APIs allow attackers to easily access sensitive data and resources. Abuse of privilege occurs when attackers gain unauthorized access through compromised credentials or poorly managed Identity and Access Management (IAM) policies, allowing them to escalate their access and move laterally within the cloud environment. Additionally, a lack of encryption means that data an attacker intercepts in transit or reaches at rest can be read directly, further compromising the integrity and confidentiality of sensitive information.
Here are some other weaknesses that organizations need to address:
Unrestricted access to cloud tenants: Allowing unrestricted access exposes cloud platforms to data exfiltration by malicious actors. Restricting access to authorized tenants with specific IP addresses and service destinations helps prevent unauthorized access.
Exposed access keys: Exposed access keys can be exploited by unauthorized parties to steal or delete data. Requiring encryption of access keys and restricting their use can mitigate these risks.
Excessive account permissions: Granting excessive privileges to cloud accounts increases the potential impact of security breaches. Restricting permissions to essential processes helps prevent lateral movement and privilege escalation by threat actors.
Insufficient network segmentation: Poorly managed network security groups and inadequate segmentation practices can allow attackers to move freely within cloud environments. Drawing boundaries around cloud resources and tenants ensures that data stays within your organization.
Improper public access configuration: Improper exposure of critical services or storage resources to the Internet increases the possibility of unauthorized access and data compromise. Preventing public access significantly reduces the risk.
Shadow cloud infrastructure: Abandoned or neglected cloud instances are often left vulnerable to exploitation, providing attackers with opportunities to access any sensitive data that remains on them. Preventing the creation of unapproved or unmanaged cloud resources reduces the risk of exposure.
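To make the preventive model behind the capabilities listed earlier (tenant boundaries, public-access prevention, shadow infrastructure) and the weaknesses just described concrete, here is an added example of an inline policy check evaluated on each cloud API call before it reaches the provider. It is hypothetical code written for this page, not Kivera's or Cloudflare's; the request fields, accounts, regions and policy values are constructed and only loosely follow AWS-style naming.

```python
"""Added example (hypothetical, not Kivera's or Cloudflare's code): an inline
policy check that a proxy could run on each cloud control-plane call and deny
it before the provider receives it. Field names are constructed and loosely
follow AWS-style naming; they bind to no real API."""
from dataclasses import dataclass, field

# Organisation policy (constructed): approved tenants, regions and services.
POLICY = {
    "allowed_accounts": {"111111111111", "222222222222"},
    "allowed_regions": {"us-east-1", "eu-west-1"},
    "allowed_services": {"s3", "ec2", "iam"},
    "public_acls": {"public-read", "public-read-write", "authenticated-read"},
}

@dataclass
class ApiRequest:
    service: str
    action: str
    account: str   # tenant the request targets
    region: str
    params: dict = field(default_factory=dict)

def evaluate(req: ApiRequest, policy=POLICY) -> tuple[bool, str]:
    """Return (allowed, reason); a denied call never reaches the provider."""
    # Tenant boundary: resources and data stay inside approved accounts.
    if req.account not in policy["allowed_accounts"]:
        return False, f"tenant {req.account} outside organisation boundary"
    # Shadow infrastructure: unapproved services or regions are refused.
    if req.service not in policy["allowed_services"]:
        return False, f"service {req.service} not approved"
    if req.region not in policy["allowed_regions"]:
        return False, f"region {req.region} not approved"
    # Public exposure: deny ACLs that grant access to everyone.
    if req.service == "s3" and req.action in {"PutBucketAcl", "CreateBucket"}:
        if req.params.get("ACL") in policy["public_acls"]:
            return False, f"public ACL {req.params['ACL']!r} on {req.action}"
    # Public exposure: deny weakening the bucket's public-access block.
    if req.service == "s3" and req.action == "PutPublicAccessBlock":
        cfg = req.params.get("PublicAccessBlockConfiguration", {})
        if not all(cfg.get(k, False) for k in ("BlockPublicAcls", "BlockPublicPolicy")):
            return False, "public access block must stay fully enabled"
    return True, "ok"

if __name__ == "__main__":
    demo = ApiRequest("s3", "PutBucketAcl", "111111111111", "us-east-1", {"ACL": "public-read"})
    print(evaluate(demo))  # -> (False, "public ACL 'public-read' on PutBucketAcl")
```

Because the decision is made on the request rather than on a later scan of the resulting state, a denied call produces no misconfigured resource and therefore no alert for a CSPM tool to raise afterwards.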
Many organizations are turning to CSPM tools to give them more visibility into cloud misconfigurations. These tools often alert teams after an issue occurs, putting security teams in reactive mode. Remediation efforts require collaboration between security teams and developers to implement changes, which can be time-consuming and resource-intensive. This approach not only delays problem resolution, but also exposes companies to compliance and legal risks, while failing to train employees on secure cloud practices. On average, it takes 207 days to identify these breaches and an additional 70 days to contain them.
Addressing the growing threat of cloud misconfigurations requires proactive security measures and ongoing monitoring. Organizations must adopt proactive security solutions that not only detect and alert, but also prevent misconfigurations from occurring in the first place and enforce best practices. Establishing a first line of defense for cloud deployment errors reduces the volume of alerts for customers, especially those who also use CSPM tools or CNAPPs.
By implementing these proactive strategies, organizations can protect their cloud environments against the evolving cyber threat landscape, ensuring strong security and compliance while minimizing operational risk and disruption.
The Kivera product will not be an additional point solution. We're making it a core part of our Cloudflare One offering because integrating features from products like our secure web gateway gives customers an end-to-end solution that works better together.
We are excited to welcome Kivera to the Cloudflare team. Through the end of 2024 and into early 2025, the Kivera team will focus on integrating preventive cloud application controls built directly into Cloudflare One. We're looking for early access testers and teams to provide feedback on what they'd like to see. If you would like early access, please join the waiting list.
(1) Source: Outcome-Based Metrics You Can Use to Evaluate Cloud Security Controls, Gartner, Charlie Winckless, Paul Proctor, Manuel Acosta, 09/28/2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the United States and internationally, and is used here with permission. All rights reserved.