Coronavirus 2019 (COVID-19) has had an effect on organizations’ cloud adoption plans. In its 2020 State of the Cloud Report, for instance, Flexera found that the pandemic had altered the strategies of a subset of survey respondents’ employers. More than half of that group said that their cloud usage would be higher than initially planned because of the growing demands posed by remote work. Other respondents said that their organizations might accelerate their migration plans given difficulties in accessing traditional data centers and delays in their supply chains.
That’s a worry, as most organizations that have migrated to the cloud are already struggling with security concerns. In Cybersecurity Insiders’ 2020 Cloud Security Report, 75 percent of respondents said that they were either “very concerned” or “extremely concerned” about public cloud security. Continuity Central reported that security in the cloud is even more challenging seeing how 68% of respondents said that their employers used two or more different public cloud providers. This means that security teams need to use multiple native tools to try to enforce security across their employers’ cloud infrastructure.
These results beg some important questions. For instance, why are organizations having such a difficult time securing their cloud environments? And what challenges stand in their way?
This blog post highlights three challenges that organizations commonly face when it comes to securing their cloud environments: misconfiguration, limited visibility and unprotected cloud runtime environments. After a brief discussion of each, we provide recommendations on how organizations can address these challenges and enhance their cloud security.
1. Cloud & Container Misconfiguration
A cloud misconfiguration is when an administrator inadvertently deploys settings for a cloud system that don’t align with the organization’s security policies. The risk here is that a misconfiguration could jeopardize the security of the organization’s cloud-based data depending on which asset or system is affected. Dark Reading explains that a malicious actor could leverage compromised credentials or a software vulnerability in their environment to ultimately spread to other areas of a victim’s environment:
… [T]hey leverage privileges within the compromised node to access other nodes remotely, probe for improperly secured apps and databases, or simply abuse weak network controls. They can then exfiltrate your data while remaining under the radar by copying data to an anonymous node on the Web or creating a storage gateway to access data from a remote location.
Misconfiguration can be difficult to spot. Even more significantly, threat actors use automation to probe organizations’ cloud defenses even as the majority of enterprises are stuck with manual methods of managing their cloud configurations.
This threat isn’t theoretical, either. In its 2020 Cloud Misconfigurations Report, DivvyCloud found that 196 publicly reported data breaches caused primarily by cloud misconfigurations had occurred between 2018 and 2019. Those incidents exposed a combined total of more than 33 billion records and collectively cost victim organizations $5 trillion.
2. Limited Network Visibility
Visibility of a network implies that an organization knows what is going on in that network. That includes what hardware and software is connected to the network and what network events are transpiring. In the absence of network visibility, however, an organization is blind to potential digital threats such as attackers using a misconfiguration incident to infiltrate the network, installing malware and/or moving laterally to sensitive data.
Achieving comprehensive visibility in the cloud isn’t always easy, however. As noted by Help Net Security, administrators cannot access their environment’s net flows as easily as they could in a data center via a switch or firewall. That’s because they don’t have direct access to the cloud infrastructure provided by their CSP. Instead, they need to go through their CSP’s list of offerings. Those tools may or may not contain tools that provide valuable (or complete) insight into which devices are connecting to one another.
That’s not the only visibility difference between the cloud and traditional data centers. Help Net Security notes that compute resources are segmented by default. This means that administrators sometimes need more data points than just an IP address to keep track of their cloud-based entities. It also requires that administrators use roles and policies to enable particular connections to happen instead of relying on firewalls to disallow certain connection attempts.
3. Unprotected Cloud Runtime Environments
Besides misconfiguration and poor visibility, there’s the issue of the runtime environment. Left unprotected, cloud runtime environments grant malicious actors plenty of opportunities through which they can prey upon an organization. For instance, they can exploit vulnerabilities within the organization’s own code or within the software packages used by an application that is executed in the runtime environment to infiltrate the network.
The first issue with securing cloud runtime environments is that organizations sometimes either do not know what their responsibilities are in the cloud or have difficulty managing them. Organizations with assets in the public cloud hold shared responsibility for cloud security with the CSP. The former is responsible for security “in” the cloud, while the latter is charged with ensuring security “of” the cloud. Sometimes organizations do not understand what this shared responsibility model entails or else they struggle with executing those responsibilities, meaning they could fail to harden their cloud security and/or not implement measures available from the CSP.
There is also the problem with understanding what types of security tools work for the cloud. The tools, methods, and skills which secure on-prem IT often fall flat in the cloud, where visibility is challenged, the perimeter ethereal, and the speed of innovation far beyond manual methods. On top of this, the rush from on-prem to cloud has spawned a large number of point-specific solutions, often with overlapping functions, which have unnecessarily complicated the job of security cloud instances. In some case, organizations may think they can apply their legacy AV solutions to cover their cloud systems and data, but these solutions fail to address threats that commonly target cloud workloads.
How to Address These Threats
While the future is uncertain, the playbook for securing cloud workloads is relatively straightforward. In order to help address misconfiguration, organizations can follow Gartner’s Market Guide for Cloud Workload Protection Platforms and use secure configuration management to establish a baseline for assets connected to the network, monitor those assets for deviations from that baseline and return their assets to an approved baseline in the event a deviation occurs. Moreover, organizations require automated defense measures in order to protect their systems against automated attacks that could abuse a misconfiguration or other security vulnerability.
As for network visibility, it is essential to be aware of not only what is on your network but also which assets remain unprotected. This can be achieved through asset discovery tools used by TN Team. These can provide device discovery and rogue device isolation across the network by leveraging protected endpoints as sensors without adding resource overhead or requiring extra hardware.
Finally, organizations can safeguard the cloud runtime environment by proactively resolving digital threats in real time with runtime protection and EDR for containerized workloads. This can include tools that lock down a container and protect it against unauthorized installation and abuse of attacker tools, regardless of whether those are legitimate LOLBins or custom-built malware.