Executive Briefing: Unit 42 Cloud Threat Report

Unit 42 is Palo Alto Networks’ world-renowned threat intelligence and security consulting team.

The key headline of the latest Unit 42 Cloud Threat Report isn’t about the most sophisticated attacks. It’s that nearly all organizations we analyzed lack the proper controls to keep their cloud resources secure.

The term for this in cloud security is identity and access management (IAM), and it refers to the policies that define who has permission to do what in a cloud environment. A fundamental best practice for policies like this is to apply least privilege access – ensuring that each user or group has the minimum access required to perform necessary functions. This helps minimize the damage an attacker can do in the event of a compromise as the attacker will only gain access to the limited information and capabilities of that one compromised cloud resource.

Unfortunately, we found a different situation when we studied how organizations are managing access to their cloud environments. We analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations and found that a staggering 99% of cloud users, roles, services and resources were granted excessive permissions. This matters because the majority of known cloud incidents start with a misconfigured IAM policy or a leaked credential.

How Could Lax IAM Policies Impact You?

Throughout the pandemic, many organizations moved significant amounts of data and business operations into the cloud. We found that 69% of organizations now host more than half their workloads in the cloud, compared with just 31% in 2020.

This makes the cloud a more tempting target for adversaries looking to—for example—steal sensitive data, deliver ransomware or take advantage of computing resources that don’t belong to them. While sophisticated attacks on cloud resources are possible, attackers don’t need to go to those lengths to achieve their goals when organizations allow excessive permissions and overly permissive policies. If your organization isn’t following best practices for IAM permissions in the cloud, you could be making an attacker’s job easier.

Improving Cloud Security: Recommendations

Your security should be just as native to the cloud as the applications you run there. CISOs should look into Cloud Native Application Protection Platform (CNAPP) suite integration. This can help bring disparate security functions into a single user interface, all tailored to cloud security.

Your security team should also harden IAM permissions. Our recent Cloud Threat Report includes an eight-step best practices guide that could help you.

Finally, as is common in cybersecurity today, an overabundance of alerts is likely hampering your security team and reducing their efficiency. Look into tools and workflows you can deploy to increase security automation, allowing your team the breathing room to get your overall security posture right, rather than being stuck responding to one alert after another.

Want to learn more? Download the full report here: Unit 42 Cloud Threat Report, vol 6