BrandPosts are written and edited by members of our sponsor community. BrandPosts create an opportunity for an individual sponsor to provide insight and commentary from their point-of-view directly to our audience. The editorial team does not participate in the writing or editing of BrandPosts.
Over the last two years, organizations have significantly accelerated their shift to the cloud. IT teams that hadn’t already started this process by 2020 were kickstarted by the global pandemic when they suddenly found themselves needing to support a remote workforce. This trend only increased in 2021 as more and more companies and employees realized the scale, performance, and flexibility of cloud computing.
This transformation has come with its own set of challenges, especially around security. Cloud security is its own beast: you can’t just lift and shift on-premises technologies and policies and expect that they will work — at least not well. Instead, there’s a new set of best practices that must be followed around access control, monitoring, attack surface management, encryption, and more. Unfortunately, many organizations are immature in this area, leaving them vulnerable.
The Zscaler ThreatLabz team analyzes the world’s largest security data set, built off of over 200 billion daily transactions across the Zscaler platform. Each year, ThreatLabz compiles anonymous cloud workload statistics from this data to understand the current state of cloud security and its various challenges. For example, this year’s study of several thousand cloud workloads shows that compared to 2020, the range and prevalence of cloud security issues have only increased.
71% do not use multi-factor authentication for cloud access
56% do not periodically rotate access keys
92% do not log access to cloud storage, eliminating the ability to conduct forensic analysis of an incident
90% of organizations are not aware that they have extensive read-write permissions provided to third-party vendors
Identity and Access Control
Cloud providers continue to add more services, and the average number of distinct entitlements for these services now exceeds 5,000. This volume of entitlements has become exceedingly challenging to manage using traditional identity and access management (IAM) approaches like static policy and role-based access control (RBAC) and are much better managed by a Cloud Infrastructure Entitlements Management (CIEM) solution. Access control and password management in general have long been weak points for organizational security, which remains true in cloud environments.
71% of cloud accounts did not make use of software- or hardware-based multi-factor authentication, up from 63% last year
Over 25% of the user accounts had not been logged into for more than 45 days. Old and unused accounts are potential entry points into cloud accounts
Access keys pose a much bigger risk compared to passwords as they are routinely at risk of being exposed by either hard coding into the source or being leaked through config files
56% of access keys had not been rotated in the previous 90 days, an increase of 6% over last year
22% of accounts were found to have access to instances and data that have not been accessed in over 180 days. This indicates that they might have been provided excessive privileges, or the data may no longer be required
91% of accounts had been provided permissions that had never been used. The use of an access analyzer would have helped identify these issues
A majority of granted entitlements are unnecessary or incorrectly configured. More than 95% of accounts in IaaS utilize, on average, less than 3% of the entitlements they are granted, which significantly increases the attack surface for account compromises
The move to the cloud also enables interesting paradigms in centralizing access control specifically to databases. For example, 96% of one of the public cloud providers databases did not use IAM authentication. This would have allowed for truly password-less but authenticated access to all DBs without the need to manage additional users for each database.
Logging, Monitoring and Incident Response
Comprehensive and accurate logs are the cornerstone for proper incident response. Unfortunately, Zscaler ThreatLabz observed that most accounts were ill-equipped for this purpose as they did not sufficiently log everything.
92% of accounts did not log access to the accounts beyond 90 days. This is the same as last year
Access logs for object stores like S3 and blob stores were not enabled for over 90% of the buckets. This is an increase of 20% over the previous year and points to an increase in storage requirements. Unless organizations are monitoring these logs, unauthorized accesses cannot be identified
54% of the key vaults did not maintain access logs. This leaves security teams blind to any compromise
Diagnostics data serve as an early warning against potential problems in a system. Detailed diagnostics were not enabled for 89% of databases and VMs in 2020. This number has improved to 75% this year but still requires significant improvements
EC2 Instance Metadata Service (IMDS) v1 is known to be insecure and opens up EC2 instances to SSRF vulnerabilities. Over 22% of the instances were still found to have the deprecated version enabled
Exposing management ports over the internet opens up the risk of compromise through zero-day or known vulnerabilities in the management services themselves. The incidence of this has reduced significantly compared to last year. Only 11% of the SSH ports are exposed to the internet compared to 26% last year; 4% of RDP ports are exposed this year compared to 20% last year
Storage and Encryption
Queueing and notification services often hold sensitive information before processing and applying proper security measures. The sensitivity of this is frequently overlooked. 78% of such services were found to be missing server-side encryption
It is important to make use of customer-managed keys wherever possible;. 99% of the keys used were managed by a cloud service provider (CSP). CSPs have vulnerabilities too, which could result in a loss of confidentiality and integrity of the data stored in the cloud environments. The ChaosDB vulnerability in Microsoft Azure is a recent example
99% of storage buckets did not require mandatory data encryption at rest or in transit. This risk remains the same as last year. This exposes the files stored in these buckets to inadvertent compromise due to mistakes
The “Block Public Access” setting on S3 is a similar option that reduces the risk of public exposure of the files because of mistakes by users. 71% of the buckets did not have the setting enabled this year, which is a reduction of 7% over the year
80% of block storages did not have disk encryption enabled. This is an increase of 7% over last year. Azure storage sets an example of having disk encryption enabled by default
Cloud environments are not immune from malware and ransomware attacks. Threat actors continue to evolve their malware to target cloud environments and the data stored there more effectively. The most common ways attackers infiltrate businesses are by taking advantage of a misstep or misconfiguration, such as an improperly configured asset, exploiting weak passwords, or exploiting insufficient policy controls. These are pervasive cloud security issues – thus, cloud-based services are attractive targets for hackers who wish to steal or encrypt data.
BCP/DR planning is critical to recovering from these kinds of attacks. While preventive measures can be taken, this acts as insurance in an attack. Cloud services make it extremely easy to back up and recover assets and data
Most newer ransomware encrypts the data and threatens to exfiltrate and release the data. This can be made void by choosing to encrypt all data at rest. This makes the exfiltrated data useless to the adversary
Patching. Besides taking advantage of misconfigurations, most malware is able to take hold because of unpatched vulnerabilities. Choosing cloud services where the shared responsibility of patching rests with the CSP eliminates this threat vector in cloud services
During a malware attack, speed of response is of primary importance. This means the ability to collect logs from all sources, monitor them, and automatically respond to critical events before they’ve had the chance to inflict damage
Supplier Chain Attacks in Cloud
Cloud environments are at increased risk of a supply chain attack and can even lead to compliance risks. Data shows that only 4% of organizations don’t have any third-party apps in their environment. This means that the risk of excessive exposure is a concern for almost all cloud-run organizations. Security teams need to focus on minimizing the risk of third parties in a cloud environment because it provides room for a supply chain attack. Reducing the permissions provided to third parties should be a top priority and a shared responsibility between customers and vendors alike.
15% of vendors receive extensive write-permissions that allow them to modify active cloud resources. In most cases, the access could have been restricted
Over 90% of organizations were unaware that they have extensive read-write permissions provided to third-party vendors
Use zero trust network access (ZTNA) to secure user access to cloud applications. The transformation from an office-based work environment to a secure work-from-anywhere environment cannot happen by adapting the same trust relationships. Companies have to adapt to ZTNA, where access to applications is allowed only for authorized users. Zscaler Private Access (ZPA) can help you get zero-trust right by eliminating external attack surfaces and risks of lateral propagation. ZPA hides applications behind a cloud-native proxy and brokers 1:1 connections between users and applications to not expose the network
Use zero trust for cloud workloads. The transformation to the cloud from legacy data centers to globally distributed cloud environments faces similar challenges. Companies should expand zero trust to the cloud as they do with people. This trust can be as broad as the communication between VPCs and as granular as communication between applications. Zscaler products such as Zscaler Cloud Connector and Zscaler Workload Segmentations can help solve these problems
Log and monitor access and traffic. Besides maintaining visibility as part of a zero trust deployment, incident response activities require comprehensive logging across all assets and services
Take responsibility for configuring and maintaining your environment. While cloud environments are covered under a shared responsibility for security with the service provider, the proper configuration of these environments is the responsibility of the consumers of cloud services. A cloud security posture management service can help identify misconfigurations, and coupled with Cloud Infrastructure Entitlement Management, it can be used to identify permission issues and act as a logical progression from long-established identity and access management (IAM) and privilege access management (PAM) solutions built on least privilege approaches
The use of public clouds is growing, and so are the attacks targeting them. But that doesn’t mean public clouds are risky, and organizations should stay away from them. ThreatLabz has found that the biggest factor in most successful cyberattacks on public cloud instances is security misconfigurations rather than underlying vulnerabilities in these infrastructures.
The pandemic has accelerated the shift to a distributed workforce and distributed applications. While the risks from these are expanding and the attacks exploiting them are increasing, companies should provide additional focus and scrutiny to their public cloud and focus on adapting their mindset towards securing a distributed workload.