Enterprises need to make adopting a “cloud first” strategy a top priority more than they ever have before, despite the cloud security challenges. As the term “public cloud” suggests, each new instance of this type of cloud computing has the potential to create a security crisis. It is quite improbable that the default settings for a new cloud instance will meet even the most fundamental security requirements for any type of company operation.
Although the cloud presents the new potential to upgrade services and restructure operations, fewer businesses realize the full value anticipated from their investments in the cloud.
The most significant obstacle to cloud adoption is still the risk associated with security and compliance. These limitations, the difficulty of identifying the complexity of secure configuration, coupled with a skills gap, may pose substantial obstacles on the path to cloud-first computing.
In the cloud-first path, security is frequently viewed as the most significant barrier; yet, in truth, it can be the most significant enabler. Let’s break down the cloud security challenges into the following topics.
What are the Top 11 Cloud Security Challenges?
The Cloud Security Alliance (CSA) disclosed in its report “Top Threats to Cloud Computing: According to the Pandemic 11”, the security concerns of cloud security providers (CSP) have shifted substantially. New, more elements, such as configuration and authentication, suggest that consumers’ awareness of cloud computing has evolved and that they are actively contemplating cloud migration.
In other phrases, the focus of cloud security has shifted from information security to setup and authentication, according to a study.
The report prioritized the following security challenges in order of importance and offers control recommendations and real-world reference samples to help regulatory, risk, and technology teams.
- Insufficient identity, credentials, access, and key management
- Insecure interfaces and APIs
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insecure software development
- Unsecure third-party resources
- System vulnerabilities
- Accidental cloud data disclosure/disclosure
- Misconfiguration and exploitation of serverless and container workloads
- Organized crime/hackers/APT
- Cloud storage data exfiltration
1. Insufficient Identity, Credential, Access, and Key Mgt, Privileged Accounts
Identity, credential, and access management systems comprise tools and rules that enable enterprises to control, monitor, and safeguard access to valuable resources. Examples include digital files, computer systems, and physical assets such as server rooms and structures.
In order to prevent personnel access following offboarding or a role change, privileged accounts have to be de-provisioned immediately and precisely. That decreases the probability of data exfiltration or exposure. In addition to de-provisioning privileged accounts, it is essential that responsibilities and roles correspond to the “need to know” scale. Multiple people with excessive privileges increase the probability of data mishandling or account takeover.
How does it Affect The Business?
The following are examples of potentially unfavorable outcomes that can result from inadequate identity, credentials, access and key management, and privileged account management:
• Poor business performance and decreased production result from retaliatory and excessively restrictive lockdowns.
• Testing burnout among employees, which leads to a reduction in compliance and apathy about security concerns.
• Exfiltration of data by unauthorized or malevolent users as opposed to data loss, corruption, or replacement.
• A drop in consumer confidence and sales volume in the market.
• The costs of responding to incidents and conducting investigations, which caused financial burdens.
• Ransomware, as well as disruptions to supply chains.
Examples of This Security Challenge
The following are some examples of more recent cloud security incidents:
- A deeper look at SEGA Europe’s cloud reveals two significant cloud misconfigurations that are important for configuration management – The permissions for accessing the AWS S3 bucket were changed to allow public access. In the cloud, credentials were stored in a hard-coded format. If sandbox submissions had been implemented, it would have given systems additional time to validate changes and risk-score the access context, which would have prevented the need for content replacement in AWS and CDN networks. (2021)
- The CapitalOne AWS insider breach relied heavily on the unauthorized use of dynamic IAM roles borrowed from other accounts. S3 buckets were not open to the Internet, as was the case with many other breaches; however, it is possible that an EC2 instance with an excessive IAM role was the source of the breach. (1/2019 – 7/2019)
How to Deal?
Results of proper IAM, credential and key management could include the following:
- Because of strengthened defenses at the core of enterprise architectures, hackers are now forced to focus on the endpoint user identity as the easiest target.
- A simple authentication process for separate users and application-based isolation is not enough to make a robust zero-trust layer.
- Operational policies and structured risk models are also essential components of sophisticated tools such as CIEM.
- User objects must be assigned risk scores, which must be able to adjust in accordance with the needs of the business dynamically. It is better to earn trust than to just hand over the keys and codes.
2. Insecure Interfaces and APIs
The application programming interface (API) is becoming increasingly important, and its use is becoming increasingly widespread. It is necessary to test APIs and microservices for vulnerabilities caused by improper configuration, sloppy coding practices, insufficient authentication, and inappropriate authorization. Due to these omissions, the interfaces may be left open to attacks by malicious actors. Common examples include:
- Endpoints without authentication
- Insufficient authentication
- Excessive permissions
- Deactivation of standard security measures
- Incompletely patched systems
- Issues with logical design
- Disabled monitoring or logging
How does it Affect The Business?
The risk posed by an insecure API or interface varies according to the API’s usage and the associated data, as well as the speed with which the vulnerability is found and fixed.
The unintended exposure of sensitive or private data left unsecured by the API is the business impact reported the most frequently.
Examples of This Security Challenge
An example of issues caused by insecure interfaces and APIs:
Personal identifying information (PII) belonging to Peloton customers was made publicly available via APIs after user authentication, and object-level authorization failed. This included information about the user’s ID, location, weight, gender, and age, among other things. (May 5, 2021)
How to Deal?
- APIs’ attack surface must be monitored, configured, and secured.
- Updates to traditional controls and change management policies and procedures are required in order to keep up with the expansion and transformation of cloud-based APIs.
- Businesses should embrace automation and use technologies that can continuously monitor abnormal API traffic and fix issues in a manner that is very close to real-time.
3. Misconfiguration and Inadequate Change Control
Misconfigurations are the erroneous or sub-optimal setup of computing assets, which may expose them to unintended damage or external/internal malicious activity. Misconfigurations can be caused by a lack of system knowledge or understanding of security settings and malicious intent. Some common misconfigurations are:
- Unsecured data storage elements or containers
- Excessive permissions
- Default credentials and configuration settings are left unchanged
- Standard security controls disabled
- Unpatched systems
- Logging or monitoring disabled
- Unrestricted access to ports and services
- Unsecured Secrets Management
- Poorly configured or lack of configuration validation
How does it Affect The Business?
The consequences can be severe depending on the nature of a misconfiguration/inadequate change control and the speed with which it is recognized and corrected. Classifications of impacts are:
- Disclosure of Data – Technical Impact – Confidentiality
- Loss of Data – Technical Impact – Availability
- Destruction of Data – Technical Impact – Integrity
- System Performance – Operational Impact
- System Outage – Impact on Operations
- Demands for Ransom – Financial Effect
- Non-Compliance and Penalties – Compliance and Financial Effects
- Revenue Loss – Financial Effect
- Stock Price Reduction – Financial Effect
- Business Reputation – Reputational Impact
Examples of This Security Challenge
Notable issues caused by misconfiguration and insufficient change control include:
- It was stated that over 70% of tested ServiceNow instances had security vulnerabilities due to improperly configured customer-managed ServiceNow ACL (Access Control List) setups and overprovisioning permissions to guest users. (March 9, 2022)
- Facebook’s applications Facebook, Instagram, WhatsApp, and Oculus were no longer accessible. The backbone routers managing network traffic between data centers generated issues that disrupted connectivity due to misconfigurations. The network traffic disturbance had a cascade effect on how the data centers interacted, halting services. This outage also affected several internal tools and systems required for daily operations, making diagnosing and resolving the issue more difficult.
How to Deal?
• Businesses must adopt existing solutions that continually check for misconfigured resources to enable real-time correction of risks.
• Change management approaches must reflect the ceaseless and dynamic nature of continual business transformations and security problems in order to ensure that approved changes are implemented correctly via real-time automated verification.
4. Lack of Cloud Security Architecture and Strategy
The cloud security strategy and security architecture include the analysis and selection of cloud deployment models, cloud service models, cloud service providers (CSPs), service area availability zone, particular cloud services, general principles, and predeterminations.
The rapid rate of change and the common decentralized self-service approach to cloud infrastructure administration impede the capacity to account for technical and commercial factors and deliberate design. Anecdotes from breaches in the industry indicate that the absence of such planning could result in cloud environments and applications failing to become resilient to cyberattacks or failing to do so efficiently.
How does it Affect The Business?
The lack of a cloud security strategy and architecture hinders the implementation of an effective and efficient company and infrastructure security architecture. Without these security/compliance measures, goals will not be accomplished, resulting in penalties and data breaches, or achieving these goals would be expensive due to the need to build workarounds, refactor, and migrate.
Examples of This Security Challenge
Walmart-owned US clothing retailer Bonobos suffered a huge data breach that exposed millions of consumers’ personal information. A threat actor known as ShinyHunters published the complete Bonobos database (70 GB SQL database containing 7 million user records), which included customers’ addresses, phone numbers, partial credit card details, and site orders.
This occurred because an external cloud backup service hosting the backup file was compromised. A variety of access controls, encryption, vendor security, redundancy, and other areas can be utilized to mitigate the severity or frequency of such security breaches. (January 2021)
How to Deal?
- Companies must evaluate corporate objectives, risks, security concerns, and legal compliance while designing and deciding upon cloud infrastructure and services.
- Consider cloud services, infrastructure strategy, and design concepts to be more crucial to develop and adhere to, given the quick rate of change and lack of centralized control.
- Consider due diligence and security audits of third-party vendors as core standards. Complement with threat modeling, secure design, and integration, keeping in mind the effects of vendor failure.
5. Insecure Software Development
Cloud technologies have a tendency to add to the complexity of software. This complexity results in the emergence of unwanted functionality that could facilitate the establishment of exploits and possible misconfigurations. As a result of the accessibility of the cloud, threat actors can utilize these “benefits” with greater ease than ever before.
Cloud service providers (CSPs) offer capabilities for identity and access management (IAM), providing developers with vetting tools and implementation help.
Monthly, major software companies provide updates that address vulnerabilities that potentially compromise a system’s confidentiality, integrity, and/or availability. The past has demonstrated that not all software flaws pose a security risk but that even seemingly harmless oddities can become substantial risks. Adopting cloud technologies enables businesses to hone in on what is distinctive to them while allowing the CSP to own and manage everything else that is commoditized.
How does it Affect The Business?
• Loss of customer confidence in the product or solution
• Damage to brand reputation due to a data breach
• Legal and financial impact due to lawsuits
Examples of This Security Challenge
- Due to a parser error in the log4j library, the notorious Log4Shell vulnerability made RCE straightforward. (December 9, 2021)
- Multiple remote code execution and credential theft vulnerabilities (ProxyOracle, ProxyShell) have been discovered in the ubiquitous Microsoft Exchange. (January 5, 2021)
How to Deal?
• Cloud computing prevents developers from recreating existing solutions, allowing them to concentrate on business-specific issues.
• By leveraging the shared responsibility model, items such as patching can be the responsibility of a CSP and not the business.
• CSPs prioritize security and provide guidance on how to implement services in a secure manner, such as a Well-Architected Framework or secure design patterns.
6. Unsecure Third-Party Resources
In a world where cloud computing use is accelerating, a third-party resource may refer to anything from open source code to SaaS products and API risks (Security Issue 2) to a cloud vendor’s managed service. Risks resulting from third-party resources are also called supply chain vulnerabilities, as they are inherent to delivering your goods or services.
These dangers occur in all consumable goods and services. Despite this, the growing reliance on third-party services and software-based goods over the past few years has led to increased exploits of these vulnerabilities and hackable configurations. According to a study conducted by Colorado State University, two-thirds of breaches are caused by the supplier or third-party vulnerabilities.
Due to the fact that a product or service is the sum of all the other products and services people use, the exploit can begin at any point in the chain and then spread. This suggests that in order for the malicious hacker to fulfill their objective, they need “just” to hunt for the weakest connection as an entry point. It is typical practice in the software industry to leverage SaaS and open source to scale. With the same potential for expansion, malicious hackers are able to harm more victims with the same exploit.
How does it Affect The Business?
• Loss or stoppage of key business processes.
• Business data being accessed by outside parties (Security Issue 11).
• Patching or fixing a security issue depends on the provider and how quickly they respond.
• Once they provide the fix, integration might require updating internal applications and products.
•Impact on a business can be crucial, depending on the importance of the vulnerable component to an application.
Examples of This Security Challenge
Solarwinds is an American corporation that monitors networks. In 2020, it was reported that tens of thousands of its government and private customers were affected by a supply chain attack that exploited many avenues to access their networks, credentials, and private data via Solarwinds’s network and products. The unknown is the actual outcome of this strike. Due to the exfiltration of sensitive data, a number of firms were required to rebuild their whole networks and servers. (December 13, 2020, through April 6, 2021)
How to Deal?
• You cannot prevent code vulnerabilities or products you did not develop, but you can make an informed choice about which product to use. Look for officially supported products, have compliance certifications, are upfront about their security efforts, have a bug bounty program, and treat their users responsibly by promptly disclosing security vulnerabilities and releasing patches.
• Recognize and monitor the third parties you employ. You do not want to discover that you have been using a vulnerable product when the list of victims is public. This covers open source, SaaS solutions, cloud providers, managed services, and any additional interconnections your application may have.
• Conduct periodic audits of third-party resources. If you discover unnecessary products, remove them and withdraw any access or rights you allowed them to your code repository, infrastructure, or application.
• Do not be the weakest link in the chain. Utilize static application security testing (SAST) and dynamic application security testing (DAST) technologies and conduct a penetration test on your application within a scope that is appropriate for your organization.
7. System Vulnerabilities
Cloud service platforms contain system vulnerabilities. They could be exploited to undermine the confidentiality, integrity, and availability of data, potentially disrupting service operations. All components may contain flaws that leave cloud services vulnerable to attack.
There are four primary types of vulnerabilities:
- Zero-day vulnerabilities
- Missing security patches
- Configuration-based vulnerabilities
- Weak or default credentials
How does it Affect The Business?
• Successful data breaches frequently result from assaults that exploit system vulnerabilities. According to IBM’s Cost of Data Breach 2021 Report, third-party software vulnerabilities were responsible for 14% of the examined data breaches, while cloud misconfiguration and compromised credentials were responsible for 20% and 15%, respectively.
• A data breach can interrupt a company’s operations, prohibiting customers from utilizing the company’s services. In the aftermath of a data breach, acquiring new consumers may be more difficult if the company’s brand and services are no longer trusted. Both possibilities can result in a revenue loss.
• The IBM analysis identified four cost areas for data breach incidents and their average cost per occurrence in millions of dollars. Each incident cost $4.24 million in total. In these incidents, the number of hacked documents ranged from 2,000 to 101,00. For breaches involving 50 million to 65 million records, the total average incident cost was $401 million.
Examples of This Security Challenge
- Microsoft researchers spotted a Russian government-affiliated cyberespionage outfit developing a backdoor that attacks ActiveDirectory Federation and obtains configuration databases and security tokens. Microsoft calls the malware FoggyWeb and ties it to the Russian hacking organization APT29 (aka Cozy Bear and NOBELIUM). (September 2021)
- According to the Ransomware Spotlight Year-End 2021 Report by Ivanti, the number of vulnerabilities related to ransomware attacks increased by 29%, from 233 in 2020 to 288 in 2021.
How to Deal?
- System vulnerabilities are faults inside system components that are frequently introduced by human error, making it easier for hackers to exploit the cloud services of a corporation.
- Post-Incident Response is an expensive endeavor. Losing company data can have a detrimental effect on a firm’s revenue and reputation.
- In conjunction with stringent IAM procedures, security threats resulting from system vulnerabilities can be significantly mitigated through routine vulnerability identification and patch distribution.
8. Accidental Cloud Data Disclosure/Disclosure
A lack of security governance and control is frequently caused by the complexity of the cloud and the transition to cloud-service ownership, which involves multiple teams and business divisions. Increasing amounts of configurations for cloud resources in multiple CSPs make misconfigurations increasingly likely, and the lack of transparency into cloud inventories and proper network exposure can result in unintended data breaches.
Over 55 percent of businesses have at least one database that is now accessible via the internet. Many of these databases utilize weak passwords or do not need authentication, allowing them obvious prey for attackers who regularly search the internet for exposed databases.
How does it Affect The Business?
The cloud’s ease of use and, in particular, the speed with which managed databases and storage items may be set up contribute to their immense popularity.
- These databases may hold sensitive consumer information, personnel data, product information, and more. Exposure of such data results in unanticipated costs for forensic teams, customer support procedures, and customer compensation.
- According to IBM Research, data breach costs increased from $3.86 million to $4.24 million in 2021. IBM notes additional indirect costs of data breaches in their analysis, including internal investigation and communication, current customer loss, and future customer loss owing to the impact on the company’s reputation.
Examples of This Security Challenge
- A cloud misconfiguration exposed 23M records of over 60K users containing emails, user names, social issues, network IDs, and player data on the web. (January 2021)
- Elasticsearch storing 5.6M customer records was exposed on the web. (April 2021)
How to Deal?
- Examine your PaaS Databases, storage, and compute workloads that host databases. Include virtual machines, containers, and the installed database software on them. Configuration-based solutions cannot inspect or scan workloads and have limited capabilities to provide the required visibility.
- Choose exposure engines with complete visibility of your cloud environment in order to identify any routing or network services that expose traffic to the outside world. Includes load balancers, application load balancers, content delivery networks, network peering, cloud firewalls, Kubernetes networking, and more.
- Reduce access risk by implementing a least-privileged IAM policy and controlling and monitoring its assignment to database users.
9. Misconfiguration and Exploitation of Serverless and Container Workloads
In a serverless architecture, the CSP is responsible for the management and security of the underlying infrastructure.
The environment becomes less secure if a CSP permits customers to configure serverless containers with longer lifetimes and “warm start” configurations. A temporary file system and shared memory may also leak sensitive information, posing additional risks. Access to the temporary storage could be used to host or execute malware; therefore, the application code should delete the storage.
How does it Affect The Business?
Serverless and containerized workloads can significantly boost agility, reduce costs, simplify operations, and even improve security. Major security breaches, data loss, and financial depletion can result from implementing serverless applications without the required knowledge and diligence.
Examples of This Security Challenge
- The body of research on Denial of Wallet (DoW) attacks is expanding. Functionally, a DoW attack is comparable to a Denial of Service (DoS) attack. An attacker impacts the underlying infrastructure by sending many requests to a serverless application. In contrast, the goal of a DoW attack is to cost a cloud customer money by exploiting the auto-scaling consumption model of serverless platforms. These attacks can be defended against concurrency limits, but this changes the vector of attack from Denial of Wallet to Denial of Service. (As of 2021)
- Cado Labs discovered evidence of Denonia, the first known malware to directly target AWS Lambda, being actively used in the wild. Denonia is a Monero mining Lambda function that communicates with the C2 server via DNS over HTTPS. Even though this malware does not exploit any vulnerabilities in Lambda and would require administrative privileges to deploy, it illustrates how attackers can use serverless environments for financial gain at the expense of an organization.
How to Deal?
- Organizations must deploy automated auditing using Cloud Security Posture Management, Cloud Infrastructure Entitlement Management, and Cloud Workload Protection Platforms.
- Investments should be made in cloud security training, governance processes, and secure cloud design patterns that may be reused to reduce the risk and frequency of insecure cloud settings.
- Before shifting to serverless technologies that comply with conventional security measures, development teams should apply additional rigor to the best practices of application security and engineering.
10. Organized crime/Hackers/APT
Advanced persistent threats (APTs) are an umbrella term for an attack campaign in which an intruder or group of attackers maintain an unauthorized, long-term presence on a network in order to harvest extremely sensitive data.
APTs may include organized crime, which is intended to represent the method in which a group’s level of organization manifests itself in creating planned and reasoned acts that reflect the efforts of group members.
APTs have developed complex tactics, methods, and protocols (TTPs) for infiltrating their targets.
The threat intelligence community does extensive research on APT groups. Threat intelligence reports educate organizations and nations on the behavior of APT groups.
How does it Affect The Business?
- The motivations of APT organizations are diverse and might vary from group to group. Others are organized criminal members. Multiple organizations are even nation-state actors. For instance, APT38 is believed to be a North Korean state-sponsored gang that targets worldwide financial institutions with cyber heists.
- To comprehend the commercial impact that an APT group can have on an organization, its information assets must undergo a business impact study. This enables the firm to comprehend how and why an APT group could target it and the potential business consequences of a security breach.
Examples of This Security Challenge
• Malware hunters at Broadcom’s Symantec business have discovered indications that a long-running cyberespionage campaign tied to Chinese nation-state hackers is now targeting global managed service providers (MSPs). (April 5, 2022)
• The Lazarus group (APT38) almost completely robbed the Bangladeshi central bank. (January 21, 2022)
How to Deal?
• Conduct a business impact analysis to comprehend your organization’s information assets.
• Participate in cybersecurity information-sharing groups to comprehend applicable APT groups and their TTPs.
• Conduct offensive security exercises to imitate the TTPs of these APT groups and ensure that security monitoring instruments are properly calibrated for detection.
11. Cloud Storage Data Exfiltration
Exfiltration of cloud storage data is an occurrence involving sensitive, protected, or confidential data. These data may be disclosed, accessed, stolen, or utilized by an individual outside the firm’s working environment. Exfiltration of data may be the primary purpose of a targeted attack and may result from exploited vulnerabilities or misconfigurations, application vulnerabilities, or poor security practices.
This exfiltration may result from human error or abuse, such as a PaaS service that has been improperly configured. Additionally, storage objects may expose sensitive data or files that are shared externally via personal cloud storage programs.
Other data exfiltration from cloud storage could begin with a phishing assault that manipulates an application or service.
How does it Affect The Business?
• Loss of intellectual property, as unique knowledge is lost and utilized in product development, strategic planning, and even as a precursor to a future attack.
• The loss of customers’, stakeholders’, partners’, and workers’ trust may impede business behavior, investments, and purchases and lessen the desire to work for and with the firm.
• Regulatory actions may include monetary fines or procedural and business change demands.
• Geopolitical consequences can have an effect on business practices.
• Loss of employee confidence in the organization’s ability to safeguard employee information.
Examples of This Security Challenge
• Facebook will be sued in Europe over the massive leak of user data that occurred in 2019, but just recently came to light after information on more than 533 million accounts was discovered on a hacker site for free download. (2021)
• Security experts have revealed that scores of firms are unwittingly disclosing important company and customer data because employees post easily discoverable public URLs to files in their Box enterprise storage accounts. (2019)
How to Deal?
• Cloud storage necessitates a well-configured setting (SSPM, CSPM).
• Apply the CSP best practices guidance, monitoring, and detection tools to detect and prevent attacks and data exfiltration.
• Employees must receive training on cloud storage usage, as data is dispersed across multiple locations and controlled by multiple parties.
• Implement client-side encryption where appropriate.
• Classifying data can aid in establishing diverse controls and documenting the required impact and recovery steps in an incident response plan.
Conclusion
The top spot is held by insufficient Identity, Credentials, Access, and Key Management. Replay attacks, impersonation, and over-permissioning persist in the cloud, despite the promise of greater accessibility. Using self-signed certificates, poor cryptographic management, and trusting every root CA are just a few of the risky options.
The continued adoption of microservices highlights the significance of secure interfaces and APIs. There should be more of them, and it is troubling that there are still significant challenges in securing these features, despite the cloud’s role in their development.
Misconfiguration and inadequate change control are two more examples of cloud security issues moving up the security stack. Misconfigurations with a cloud’s persistent network access and infinite capacity may have ramifications for multiple organizations within a company.
Eventually, there is the issue of Strategy and Architecture. Cloud computing is no anymore new; instead, it defines a big-picture approach and implements architectural design patterns.
In any case, the existence of these security flaws should serve as a wake-up call to develop and improve cloud security awareness, configuration, and identity management. Because the cloud in and of itself poses less of a threat in and of itself, the main focus of our attention right now is on the technologies used to implement cloud computing.