The ongoing COVID-19 pandemic has had a significant impact on cloud security. As Flexera pointed out in its recently released State of Cloud Security 2020 report, the pandemic has changed the strategies of some cloud users: half of respondents said their cloud usage will be much greater than originally planned because of the growing demand for remote work, and other respondents indicated that, given the difficulty of accessing traditional data centers and supply chain delays, their organizations may accelerate their migration plans.

The worry is that most organizations moving to the cloud are already struggling with security, because cloud protection is riddled with gaps. In the Cloud Security Report 2020, published by Cybersecurity Insiders, 75 percent of respondents said they were “very concerned” or “extremely concerned” about public cloud security. Given that 68% of respondents said their employer uses two or more public cloud providers for security backups, security teams have to juggle multiple native tools to enforce security across their employer’s cloud infrastructure, Continuity Central reports.

Together, these concerns raise important questions. For example, why is it so hard for organizations to protect their cloud environments? What are their challenges?

To that end, this article highlights three common challenges organizations face when protecting their cloud environments: misconfiguration, limited network security monitoring capabilities, and unprotected cloud runtime environments. After a brief discussion of each issue, we will provide some suggestions on how organizations can address these challenges and enhance their cloud security.

1. Cloud and container misconfiguration

A cloud misconfiguration occurs when an administrator unintentionally deploys settings for a cloud system that are inconsistent with the organization’s security policy. The risk is that, depending on the affected asset or system, a misconfiguration may compromise the security of the organization’s cloud-based data. In technical terms, an attacker who gains a foothold through a certificate or software vulnerability in one part of the environment can eventually spread to other parts of the victim’s environment. Attackers use elevated privileges on compromised nodes to reach other nodes remotely, find insecure applications and databases, or simply abuse weak network controls. They can then steal the organization’s data unnoticed by copying it to anonymous hosts on the Internet or by creating a storage gateway that lets them reach the data from a remote location.

Misconfigurations can be hard for security staff to detect, and, more importantly, most enterprises still manage cloud configuration manually while attackers use automated methods to find weaknesses in those organizations’ cloud defenses.

It’s important to note that this threat isn’t just theoretical. DivvyCloud wrote in its 2020 Cloud Misconfigurations report that there were 196 publicly reported data breaches between 2018 and 2019 that were primarily caused by cloud misconfiguration. In all, more than 33 billion records were exposed and the victim organizations lost a total of $5 trillion.

2. Limited network security monitoring capability

Network security monitoring capability means that the organization knows what is happening on its network, including which hardware and software are connected to it and which network events are occurring. With limited monitoring capability, an organization often lacks awareness of potential or existing threats, such as attackers using misconfigurations to penetrate the network, installing malicious software, or moving laterally from compromised hosts to reach sensitive data.

However, implementing comprehensive network security monitoring in the cloud is not always easy. As Help Net Security points out, administrators cannot tap their environment’s network traffic as easily as they can through switches or firewalls in a data center, because they have no direct access to the infrastructure provided by the cloud service provider (CSP). Instead, they have to work from the CSP’s product catalog, which may or may not include tooling that gives useful (or complete) insight into traffic between their instances.

This is not the only visibility-related difference between cloud and traditional data center security. Computing resources are segmented by default, so administrators often need more data points than an IP address to track cloud-based objects. The cloud also requires administrators to use roles and policies to enable specific connections, rather than relying on firewalls to block certain connection attempts.

3. Unprotected cloud runtime environment

In addition to misconfiguration and poor network security monitoring, there are runtime environment issues. Left unprotected, the cloud runtime environment gives attackers a number of opportunities to attack the organization: for example, they can exploit vulnerabilities in the organization’s own code, or in software packages used by applications executing in the runtime environment, to penetrate the network.

The first problem with securing a cloud runtime environment is that organizations sometimes do not know what their security responsibilities in the cloud are, or lack the relevant security management skills. Organizations with assets in the public cloud share responsibility for cloud security with their CSPs: the customer is responsible for security in the cloud, while the CSP is responsible for security of the cloud. Sometimes organizations do not understand the implications of this shared responsibility model, or have difficulty meeting their side of it, which means they may fail to harden their cloud environments or to implement the measures the CSP makes available.

Understanding what types of security tools are appropriate for cloud computing is also a problem. The tools, approaches, and skills used to secure on-premises IT often don’t work in cloud computing, where the challenge for network security is that attack technology keeps running ahead of the technology used to secure IT. On top of that, the rapid evolution from on-premises to cloud computing has spawned a large number of point solutions, often with overlapping capabilities, that make securing cloud instances extremely complicated. In some cases, organizations may think they can apply their traditional anti-virus solutions to cover their cloud systems and data, but those solutions do not address the threats typically aimed at cloud workloads.

How to deal with these threats

While the future is uncertain, the playbook for securing cloud workloads is relatively simple. To help resolve configuration errors, organizations can follow Gartner’s Market Guide for Cloud Workload Protection Platforms and use secure configuration management to establish a baseline for networked assets, monitor whether they deviate from that baseline, and restore them to the approved baseline if they do. In addition, organizations need automated defenses to protect their systems from automated attacks that abuse configuration errors or other security weaknesses.
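The baseline-check-restore loop described above, and the kind of misconfiguration section 1 warns about (a storage bucket left public, an admin port open to the whole Internet), as an added example that is not code from the article or from any vendor it names. The baseline, the resource schema and the inventory snapshot are constructed for this example; in practice the inventory would be pulled from the CSP’s APIs and the baseline from a benchmark such as a CIS profile or the organization’s own policy.

```python
"""Baseline checking and restore-to-baseline planning for cloud resources.

Added example, not code from the article or from any vendor it names. The
baseline, the resource inventory and the resource schema are constructed;
a real implementation would read them from the CSP's APIs and from a policy
such as a CIS benchmark.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Finding:
    resource: str
    rule: str
    detail: str
    context: dict = field(default_factory=dict)


# Approved baseline (constructed): what the security policy requires.
BASELINE = {
    "storage": {"public_access": False, "encryption": True, "logging": True},
    "security_group": {
        "admin_ports": [22, 3389],
        "allowed_admin_sources": ["10.0.0.0/8"],  # admin ports only from the corporate range
    },
}


def check_storage(name, cfg):
    """Flag every storage setting that deviates from the baseline."""
    findings = []
    for key, expected in BASELINE["storage"].items():
        actual = cfg.get(key)
        if actual != expected:
            findings.append(Finding(name, f"storage.{key}",
                                    f"expected {expected}, found {actual}", {"key": key}))
    return findings


def check_security_group(name, cfg):
    """Flag admin ports reachable from outside the approved source ranges."""
    findings = []
    approved = [ipaddress.ip_network(c) for c in BASELINE["security_group"]["allowed_admin_sources"]]
    for rule in cfg.get("ingress", []):
        if rule["port"] not in BASELINE["security_group"]["admin_ports"]:
            continue
        src = ipaddress.ip_network(rule["cidr"])
        ok = any(net.version == src.version and src.subnet_of(net) for net in approved)
        if not ok:
            findings.append(Finding(name, "sg.admin_exposure",
                                    f"port {rule['port']} open to {src}",
                                    {"cidr": str(src), "port": rule["port"]}))
    return findings


CHECKS = {"storage": check_storage, "security_group": check_security_group}


def evaluate(inventory):
    """Run every check over the inventory and collect the deviations."""
    findings = []
    for kind, resources in inventory.items():
        for name, cfg in resources.items():
            findings.extend(CHECKS[kind](name, cfg))
    return findings


def remediation_plan(findings):
    """Translate findings into actions that restore the asset to the baseline."""
    actions = []
    for f in findings:
        if f.rule.startswith("storage."):
            key = f.context["key"]
            actions.append({"resource": f.resource, "set": {key: BASELINE["storage"][key]}})
        elif f.rule == "sg.admin_exposure":
            actions.append({"resource": f.resource, "revoke": f.context})
    return actions


# Constructed inventory snapshot: two resources drift from the baseline, two comply.
INVENTORY = {
    "storage": {
        "logs-bucket": {"public_access": True, "encryption": True, "logging": False},
        "backups-bucket": {"public_access": False, "encryption": True, "logging": True},
    },
    "security_group": {
        "web-sg": {"ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
        "bastion-sg": {"ingress": [{"cidr": "10.1.0.0/16", "port": 22}]},
    },
}

if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for f in found:
        print(f"{f.resource}: {f.rule} ({f.detail})")
    for action in remediation_plan(found):
        print("remediate:", action)
```

The point of `remediation_plan` is that every finding maps back to a concrete baseline value, so the same run that detects drift can drive the automated restore the article calls for; the HTTPS rule on `web-sg` and the bastion-only SSH rule are left alone because they match policy.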

As for network security monitoring capability, it’s important not only to know what’s on your network but also which assets are potentially vulnerable. This can be done with asset discovery tools such as SentinelOne’s Ranger technology, which provides device discovery and rogue device isolation across a network by using protected endpoints as sensors, without increasing resource consumption or requiring additional hardware.
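The monitoring points made in section 2 (cloud objects need more than an IP address to track, and connections are governed by roles and policies rather than firewall rules) and the asset-awareness point above, as an added example that is not code from the article or from any product it names. It analyzes constructed flow-log records by first resolving each address to an inventoried asset and then judging the flow by role; the inventory, the role policy, the VPC range and the log lines are all constructed, and a real CSP flow-log schema carries more fields.

```python
"""Network security monitoring over cloud flow logs, keyed by asset identity.

Added example, not code from the article or from any product it names. The
asset inventory, the connection policy, the VPC range and the flow records are
constructed. The idea: resolve IPs to tracked assets first, then judge each
flow by role and policy rather than by address.
"""
import ipaddress
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed internal range

# Constructed inventory: cloud objects are tracked by ID and role, because IPs
# are ephemeral and reused; the IP is just the asset's current attribute.
ASSETS = {
    "i-web01":   {"ip": "10.0.1.10", "role": "web"},
    "i-db01":    {"ip": "10.0.2.20", "role": "db"},
    "i-bastion": {"ip": "10.0.0.5",  "role": "bastion"},
}
IP_TO_ASSET = {a["ip"]: aid for aid, a in ASSETS.items()}

# Connection policy expressed as (source role, destination role, port), the way
# cloud roles/policies enable specific connections instead of denying by address.
ALLOWED = {("web", "db", 5432), ("bastion", "web", 22), ("bastion", "db", 22)}
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
NO_EGRESS_ROLES = {"db"}  # roles that must never talk to the Internet directly

# Constructed flow records: src_ip dst_ip dst_port action
FLOW_LOG = """\
10.0.1.10 10.0.2.20 5432 ACCEPT
10.0.0.5 10.0.1.10 22 ACCEPT
10.0.1.10 10.0.2.20 22 ACCEPT
10.0.9.99 10.0.2.20 5432 REJECT
10.0.9.99 10.0.2.20 5432 REJECT
10.0.1.10 203.0.113.7 443 ACCEPT
10.0.2.20 198.51.100.9 443 ACCEPT
"""


def parse_flow_log(text):
    """Parse the constructed whitespace-separated flow format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, action = line.split()
        records.append({"src": src, "dst": dst, "port": int(port), "action": action})
    return records


def is_internal(ip):
    return ipaddress.ip_address(ip) in VPC_CIDR


def analyze(records):
    """Return findings: role-policy violations, uninventoried internal sources,
    and egress to the Internet from roles that should never have any."""
    findings = []
    unknown = Counter()
    for r in records:
        src_id, dst_id = IP_TO_ASSET.get(r["src"]), IP_TO_ASSET.get(r["dst"])
        if src_id and dst_id:
            triple = (ASSETS[src_id]["role"], ASSETS[dst_id]["role"], r["port"])
            if r["action"] == "ACCEPT" and r["port"] in SENSITIVE_PORTS and triple not in ALLOWED:
                findings.append({"type": "policy_violation", "src": src_id, "dst": dst_id, "port": r["port"]})
        elif dst_id and is_internal(r["src"]):
            # An internal address nobody inventoried: a forgotten or rogue asset.
            unknown[(r["src"], dst_id, r["port"])] += 1
        elif src_id and not is_internal(r["dst"]) and ASSETS[src_id]["role"] in NO_EGRESS_ROLES:
            findings.append({"type": "external_egress", "src": src_id, "dst": r["dst"], "port": r["port"]})
    for (src, dst_id, port), n in unknown.items():
        findings.append({"type": "unknown_asset", "src": src, "dst": dst_id, "port": port, "attempts": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_flow_log(FLOW_LOG)):
        print(finding)
```

On the constructed log this yields three findings: an accepted web-to-db SSH session the role policy never allowed, a database host sending traffic straight to the Internet (the exfiltration pattern section 1 describes), and an address inside the VPC that is not in the inventory and keeps probing the database port. The rejected probes matter precisely because the source is not a tracked asset; a firewall-centric view keyed only on IP would show two harmless denies.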

Finally, organizations can protect the cloud runtime environment by addressing digital threats proactively and in real time, using runtime protection and EDR that extend to workloads. This can include tools such as application control engines that lock down containers and protect them from the unauthorized installation and abuse of attacker tools, whether legitimate LOLBins or custom malware.
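The application control idea above, as an added example that is not code from the article or from any product it names: a per-image allowlist is evaluated against process execution events from a container, so that anything not built into the image (a dropped binary, a LOLBin the workload never needs, a modified copy of the real binary, or a shell spawned by the application instead of by the entrypoint) is denied. The image policy, the event format and the binary digests are constructed; in a real deployment the events come from a runtime sensor and the digests from the image build.

```python
"""Allowlist-based application control for container exec events.

Added example, not code from the article or from any product it names. The
image policy, the exec-event format and the binary digests are constructed;
in practice the events come from a runtime sensor and the digests from the
image build pipeline.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    container: str
    image: str
    exe: str      # path of the binary being executed
    sha256: str   # digest of that binary as observed by the sensor
    parent: str   # exe of the parent process ("<init>" for the container entrypoint)


def digest(label):
    """Constructed stand-in for a real binary digest, derived from a label."""
    return hashlib.sha256(label.encode()).hexdigest()


# Per-image allowlist: which binaries may run, with which digest, under which parent.
POLICY = {
    "registry.example/api:1.4": {
        "/usr/local/bin/api-server": {"sha256": digest("api-server-1.4"), "parents": {"<init>"}},
        "/bin/sh": {"sha256": digest("busybox-sh"), "parents": {"<init>"}},  # entrypoint wrapper only
    },
}

# Legitimate tools this workload never needs; naming them makes the alert more specific.
LOLBINS = {"/usr/bin/curl", "/usr/bin/wget", "/usr/bin/nc", "/usr/bin/python3", "/bin/bash"}


def evaluate(event):
    """Return ("allow", "ok") or ("deny", reason) for one exec event."""
    allowed = POLICY.get(event.image)
    if allowed is None:
        return ("deny", "unknown_image")          # image never registered with a policy
    rule = allowed.get(event.exe)
    if rule is None:
        return ("deny", "lolbin" if event.exe in LOLBINS else "not_allowlisted")
    if rule["sha256"] != event.sha256:
        return ("deny", "hash_mismatch")          # binary replaced or patched at runtime
    if event.parent not in rule["parents"]:
        return ("deny", "unexpected_parent")      # e.g. a shell spawned by the application
    return ("allow", "ok")


def audit(events):
    """Evaluate a batch of events; returns (container, exe, decision, reason) per event."""
    return [(e.container, e.exe) + evaluate(e) for e in events]


IMG = "registry.example/api:1.4"

# Constructed events: one normal start-up followed by the patterns the policy should stop.
EVENTS = [
    ExecEvent("api-1", IMG, "/usr/local/bin/api-server", digest("api-server-1.4"), "<init>"),
    ExecEvent("api-1", IMG, "/bin/sh", digest("busybox-sh"), "/usr/local/bin/api-server"),
    ExecEvent("api-1", IMG, "/usr/bin/curl", digest("curl"), "/bin/sh"),
    ExecEvent("api-1", IMG, "/tmp/.x", digest("dropper"), "/bin/sh"),
    ExecEvent("api-2", IMG, "/usr/local/bin/api-server", digest("api-server-patched"), "<init>"),
    ExecEvent("job-7", "registry.example/unknown:latest", "/bin/sh", digest("busybox-sh"), "<init>"),
]

if __name__ == "__main__":
    for container, exe, decision, reason in audit(EVENTS):
        print(f"{container} {exe}: {decision} ({reason})")
```

Two design choices carry the weight here. Checking the digest, not just the path, means a binary overwritten inside the running container is caught even though its name is on the allowlist; and tying each allowed binary to its expected parent means the shell that is legitimate as the entrypoint wrapper is still denied when the application process itself spawns it.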