According to Gartner, the cloud computing services market is expected to reach $675 billion in 2024. Companies are shifting from testing the cloud computing waters to making significant investments in cloud-native IT, and attackers are shifting with them. As security teams scale up to support the transition, we're seeing three specific issues hindering cloud detection and response.
1) Cloud-native IT blurs the lines between the layers of the cloud stack – a true paradigm shift
Cloud applications, workloads, and infrastructure are increasingly interconnected and communicate with each other through trusted connections that span assets, developers, and identities. Within these trusted connections are permissions to databases, S3 buckets, and many other resources, and those permissions are typically granted openly or loosely so that workloads can interact with the underlying cloud services unhindered.
The implicit trust that cloud workloads extend to pod-to-pod and node-to-node communication may be essential for seamless operations, but it comes at a cost. Not only does it leave the organization open to compromise, but if an attacker gains access to anything, they usually gain access to everything. Locking down these permissions entirely is a non-starter. Even where security teams apply the principle of least privilege so that each asset has only the connections it needs, some connections will always remain open. This means there will always be something connected to the Internet, or something connected to something connected to the Internet – in other words, exploitable exposures.
Furthermore, since almost all public cloud users are on AWS, GCP, Azure, or Oracle, it is easier for an attacker to work out how an environment was built. Defenders, on the other hand, face long learning curves as they adapt to protecting significantly larger and more complex environments. Security teams need to adjust their mindset beyond shifting left and become adept at shifting up and down the stack, and it is the vendor community's responsibility to help them.
2) Security teams are still adapting to the reality of complex cloud environments
One of the most challenging aspects of cloud security is that cloud environments generate so much noise and are so complex that questionable actions easily go unnoticed. Attacks often go undetected because their actions look like legitimate behavior. In this sea of noise and complexity, there are countless risk vectors that make things easier for attackers; the key is knowing which ones matter most.
This year, non-human identities (NHIs) — automated identities such as access tokens, service accounts, and third-party integrations — have emerged as a major attack surface. NHIs hold high access privileges and typically rely on long-lived or non-expiring tokens or keys. Because they generally cannot be protected by multi-factor authentication (MFA), they are inherently vulnerable, which makes them an easy target for attackers. The sheer number of NHIs in cloud environments, coupled with the fact that cloud providers use different NHI authentication mechanisms and lifecycle management practices, has dramatically increased the risk they pose. To protect the huge investment being made in cloud-native IT, containing NHI risk must be a priority.
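The NHI properties described above (long-lived or non-expiring keys, no MFA) are things a team can audit directly from its own credential inventory. The following is an added example, not code from the original article: it runs a policy check over a constructed sample inventory shaped like what a cloud IAM API reports for access keys and tokens, and the 90-day rotation and 180-day lifetime limits are assumed thresholds, not values from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): one record per credential.
# Fields mirror what a cloud IAM API typically reports: the owning identity,
# whether it is a human principal, MFA status, creation time and expiry
# (None means the credential never expires, the usual NHI failure mode).
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"identity": "alice@example.com", "human": True, "mfa": True,
     "created": NOW - timedelta(days=30), "expires": NOW + timedelta(hours=8)},
    {"identity": "ci-deploy-role", "human": False, "mfa": False,
     "created": NOW - timedelta(days=400), "expires": None},
    {"identity": "backup-svc", "human": False, "mfa": False,
     "created": NOW - timedelta(days=20), "expires": NOW + timedelta(days=70)},
    {"identity": "github-integration", "human": False, "mfa": False,
     "created": NOW - timedelta(days=200), "expires": NOW + timedelta(days=365)},
]

MAX_KEY_AGE = timedelta(days=90)    # assumed rotation policy for NHI keys
MAX_LIFETIME = timedelta(days=180)  # assumed cap on any credential's validity


def audit_credentials(inventory, now=NOW):
    """Return {identity: [reasons]} for every credential that violates policy."""
    findings = {}
    for cred in inventory:
        reasons = []
        age = now - cred["created"]
        # NHIs cannot be protected by MFA, so rotation age is the main control.
        if not cred["human"] and age > MAX_KEY_AGE:
            reasons.append(f"non-human credential unrotated for {age.days} days")
        if cred["expires"] is None:
            reasons.append("credential never expires")
        elif cred["expires"] - cred["created"] > MAX_LIFETIME:
            reasons.append("credential lifetime exceeds cap")
        # Human principals are expected to have MFA enforced.
        if cred["human"] and not cred["mfa"]:
            reasons.append("human identity without MFA")
        if reasons:
            findings[cred["identity"]] = reasons
    return findings


if __name__ == "__main__":
    for identity, reasons in audit_credentials(INVENTORY).items():
        print(identity, "->", "; ".join(reasons))
```

Feeding the function real output from an IAM key-listing call, rather than the constructed inventory, turns it into a periodic hygiene check for the NHI risks the article describes.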
3) Cloud security tools are highly siloed
This is essentially a matter of technological maturity. Most SOC teams either lack the right tools or have so many cloud security point tools that managing them becomes a burden of its own. Cloud attacks unfold too quickly for SOC teams to jump from one dashboard to another to determine whether an application anomaly has infrastructure-level implications.
Given the interconnectedness of cloud environments and the accelerating pace at which cloud attacks unfold, if SOC teams can't see everything in one place, they will never connect the dots in time to respond. Most importantly, because everything in the cloud happens so quickly, we humans need to act faster, which can be nerve-wracking and increases the chance of accidentally breaking something. While the latter is a legitimate concern, if we want to stay ahead of our adversaries, we must get comfortable with the accelerating pace of the cloud.
Although there are no quick solutions to these problems, the situation is far from hopeless. Cloud security teams are becoming more nimble and experienced, and cloud security tool sets are maturing along with cloud adoption. I, like many in the security community, am optimistic that AI can help address some of these challenges.
But, as always, time will tell.