Most organizations struggle to manage multiple cloud security solutions, yet multi-cloud adoption keeps growing, with 79% of businesses using more than one cloud provider. Last year's MOVEit file transfer zero-day, exploited by the Clop ransomware group, was one of the first attacks to demonstrate a shift toward targeting cloud storage providers on such a massive scale.
With so much room for error when organizations rely heavily on cloud providers' security controls, IT leaders need a way to reduce the likelihood of a cloud-based breach impacting their business.
There's no better time for leaders to re-evaluate their cloud security strategies, in light of increased security mandates and the shockwaves caused by major vulnerabilities across the industry. To stimulate these conversations and get leaders' minds out of the cloud and back to reality, here are four tips to better manage the risk of cloud-based attacks.
1. Constantly ask the question, “How do we evaluate our cloud security posture?”
Hopefully the obvious answer is to ensure that the right processes and tools are in place to automate the review of cloud security controls. Demand for cloud computing infrastructure keeps increasing, which means the attack surface is constantly changing and expanding as resources are added. A cloud security posture management (CSPM) tool can help shrink that attack surface by making it easy to identify and remediate misconfigurations and protect data and critical infrastructure.
However, many companies using CSPM tools still lack basic security hygiene and fail to conduct regular security assessments and audits. By conducting configuration reviews on an ongoing basis and working with a third party to conduct cloud penetration testing, organizations can stay one step ahead of threat actors and be proactive in assessing the strengths and weaknesses of their overall cloud security posture.
2. Follow the principle of least privilege to ensure that all cloud services are restricted to authenticated internal access if public access is not required
The National Institute of Standards and Technology (NIST) defines the principle of least privilege as the idea that “the security architecture should be designed such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” Even where this is nominally standard practice, it is best to avoid the overly permissive “basic” or “general” roles that providers offer for convenience (Owner- or Editor-style roles that span an entire project or account). This principle is especially important when working in the cloud, where there are multiple layers of access controls that must be taken into account.
When an organization limits identity and access management (IAM) permissions to those who really need them, and regularly assesses who has access to what, it limits the blast radius if a breach occurs. Restricting privileges also denies an attacker a range of disruptive options once inside the environment: accessing data, moving laterally, or escalating privileges. Wherever possible, organizations should enforce additional controls, such as multi-factor authentication and time-limited, just-in-time elevation, for the occasions when an identity genuinely needs privileged access.
3. Use a layered security approach that uses both individual service configuration settings and organization-level policies as an additional guardrail
The multi-layered security approach emphasizes complete protection of an organization's valuable assets. An additional guardrail, put in place before a breach or vulnerability is identified or exploited, ensures that all cloud services are limited to authenticated internal access, since unintended public or anonymous access can expose sensitive data. Without such layering, a resource that is misconfigured at the service level has nothing behind it and ends up in a vulnerable state. Organizations can also add security products and policies that automatically correct misconfigurations and configuration drift. Together, these layers help organizations identify cloud-based threats earlier by closing security gaps before they cause serious damage.
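As an added example (not code from the original article), the following Python script models the layered guardrail described above: a per-bucket resource policy is evaluated on its own, and then combined with bucket-level and account-level "restrict public buckets" settings, where the most restrictive layer wins. The semantics are a simplified version of AWS S3 Block Public Access; the bucket names, the role ARN, the account ID and both sample policies are constructed for illustration.

```python
"""Layered guardrail check: bucket policy vs. account-level public-access block.

Added example, not from the original article. It models, in simplified form,
how an account-level "restrict public buckets" setting neutralises a bucket
policy that grants anonymous access, so a service-level mistake is caught by
the organization-level layer. All sample data below is constructed.
"""
import json

# Constructed sample: a bucket policy that grants anonymous read to everyone.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

# Constructed sample: access restricted to an authenticated internal role.
INTERNAL_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """'*' or {'AWS': '*'} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_grants_public_access(policy_json):
    """Service-level check: does the bucket policy itself allow anonymous access?

    Conservative by design: a Condition on the statement is ignored, so any
    Allow with a wildcard principal is reported as public for manual review.
    """
    policy = json.loads(policy_json)
    return any(
        stmt.get("Effect") == "Allow"
        and _is_anonymous_principal(stmt.get("Principal"))
        for stmt in _as_list(policy.get("Statement", []))
    )


def effective_public_access(policy_json, bucket_restricts_public,
                            account_restricts_public):
    """Combine the bucket policy with bucket- and account-level guardrails.

    The most restrictive setting wins: if either the bucket or the account
    has "restrict public buckets" enabled, a public policy is neutralised
    even when someone attaches it by mistake.
    """
    if not policy_grants_public_access(policy_json):
        return False
    return not (bucket_restricts_public or account_restricts_public)


def posture_findings(buckets, account_restricts_public):
    """Evaluate a fleet {name: (policy_json, bucket_restricts_public)}.

    Returns the names of buckets that are effectively reachable anonymously.
    """
    return [
        name for name, (policy_json, bucket_restricts) in buckets.items()
        if effective_public_access(policy_json, bucket_restricts,
                                   account_restricts_public)
    ]


if __name__ == "__main__":
    fleet = {
        "example-reports": (PUBLIC_READ_POLICY, False),
        "example-internal": (INTERNAL_ONLY_POLICY, False),
    }
    # Without the account-level guardrail the misconfigured bucket is exposed.
    print("no guardrail:", posture_findings(fleet, account_restricts_public=False))
    # With it, the same bucket policy is rendered harmless.
    print("with guardrail:", posture_findings(fleet, account_restricts_public=True))
```

The point of the two-layer evaluation is that the service-level finding still surfaces (the bucket policy is wrong and should be fixed), while the organization-level setting keeps the mistake from becoming an exposure in the meantime.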
4. Review the cloud provider's shared responsibility model to determine what the customer is responsible for in terms of security
It is important never to assume that a cloud provider's security practices are as comprehensive as they need to be to keep up with today's evolving threat landscape. Although many cloud providers perform proactive security testing of their services, they do not receive the same level of scrutiny or regulatory oversight you would expect to see applied to a financial institution or credit card processor.
Last August, the Cyber Safety Review Board, operating under the Department of Homeland Security, began looking into this issue in hopes of setting clear expectations for cloud providers regarding security auditing and accountability. DHS's intervention should push cloud providers to create more efficient remediation processes and shorten their time to fix, as there have been instances where reported gaps did not receive the immediate attention they needed. Pushing fixes to global products is complex, but cloud providers must evaluate their services and their ability to act quickly when issues require fixes. Hopefully this is the push cloud providers need to hunt down these issues and address them before someone else finds them.
While security leaders wait to see the ramifications of these investigations, they must acknowledge that additional steps are needed to secure the resources they run with cloud providers. A best practice for all teams is to review each cloud provider's shared responsibility model to determine which responsibilities fall to the provider and which to the organization itself. Additionally, organizations must maintain regular patch management to keep their software up to date and upgrade all vulnerable and unsupported versions to supported versions that receive regular security updates.
Cloud providers need to step up their overall security practices. But so do organizations, if they hope to avoid falling victim to cloud-based attacks. With 45% of breaches classified as cloud-based and recent data indicating that 80% of organizations have experienced a cloud-based incident in the past year, now is the time to take these tips seriously and implement a proactive approach to security.