Most organizations struggle to manage multiple cloud security solutions, yet multi-cloud adoption is surging, with 79% of businesses using more than one cloud provider. Last year’s zero-day vulnerability in the MOVEit Transfer file transfer product, exploited by the Clop ransomware group, was one of the first times an attack demonstrated a shift toward targeting hosted file transfer and cloud storage services on such a massive scale.
With so much room for error when organizations rely heavily on their cloud providers’ security controls, IT leaders need a way to decrease the likelihood of a cloud-based breach impacting their business.
There is no better time for leaders to reassess their cloud security strategies, given increased security mandates and the shock signals that major vulnerabilities have caused across the industry. To jumpstart these conversations and get leaders’ heads out of the cloud and back to reality, here are four tips for better managing the risk of cloud-based attacks.
1. Continually ask the question, “How are we evaluating our cloud security posture?”
Hopefully, the obvious answer is that proper processes and tooling are in place to automate the review of cloud security controls. Demand for cloud infrastructure keeps growing, which means the attack surface changes and expands every time a resource is added. A Cloud Security Posture Management (CSPM) tool can help shrink that attack surface by continuously checking resource configurations against a baseline, so that organizations can identify and remediate risks and protect their data and critical infrastructure.
However, many firms with CSPM tools still lack basic security hygiene and fail to conduct regular security assessments and audits. By consistently running configuration reviews and engaging a third party to perform cloud penetration testing, organizations can stay a step ahead of threat actors and proactively assess the strengths and weaknesses of their overall cloud security posture.
2. Follow the principle of least privilege to ensure that all cloud services are restricted to internal, authenticated access if public access is not required
The National Institute of Standards and Technology (NIST) defines the principle of least privilege as the idea “that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” Even where it is common practice, avoid overly permissive provider-defined “basic” or “general” roles (for example, a project-wide Owner or Editor role, or an account-wide administrator policy) in favor of narrowly scoped roles. This principle is particularly important in the cloud, where several layers of access control (identity policies, resource policies, organization-level policies and network controls) have to be considered together.
When an organization restricts identity and access management (IAM) permissions to the identities that truly need them, and regularly reviews who has access to what, it limits the blast radius of a breach. Once an attacker is inside an environment, tight privilege restriction also narrows their options: it blocks the data access, lateral movement and privilege escalation that an over-permissioned identity would otherwise allow. Whenever possible, organizations should enforce additional controls, such as approval, time limits and logging, for the just-in-time occasions when an identity needs elevated privileged access.
3. Employ a layered security approach that uses both individual service configuration settings and organization-wide policies as an additional guardrail
A layered security approach helps ensure the protection of an organization’s valuable assets. The extra guardrail, put in place before a breach or vulnerability is identified or exploited, ensures all cloud services are restricted to internal, authenticated access, since inadvertent public or anonymous access can expose sensitive data. A per-service setting on its own can be changed by anyone with write access to that service; an organization-wide policy (for example, an account- or organization-level block on public storage access) catches the misconfiguration even when the service-level setting is wrong. Without such layers, resources can end up in a misconfigured and vulnerable state. Organizations can also add guardrail products and policies that automatically correct misconfigurations and configuration drift. Together, these layers help organizations identify cloud-based threats earlier by minimizing security gaps across their environment before they cause massive damage.
4. Review the cloud provider's shared responsibility model to determine what is within the customer’s responsibility for security
It’s important never to assume a cloud provider's security practices are as comprehensive as they need to be to keep up with today’s evolving threat landscape. While many cloud providers conduct proactive security testing of their services, they have not received the same level of scrutiny or auditing you would expect of a financial institution or payment card processor.
Last August, the DHS-led Cyber Safety Review Board started to dig into this issue in the hope of setting clear expectations for cloud providers on security audit requirements and accountability. DHS stepping in should push cloud providers to build more efficient remediation processes and shorten their fix times, as there have been instances where reported gaps did not receive the immediate attention needed to close them. Pushing fixes to global products is complicated, but cloud providers should be evaluating their services and how quickly they can be changed when an issue requires a fix. Hopefully, this will be the push providers need to proactively chase down and remediate such issues before someone else finds them.
While security leaders wait to see the outcome of these investigations, they must acknowledge that additional steps are needed to secure the resources they run on cloud providers. A best practice for every team is to review the cloud provider’s shared responsibility model to determine which responsibilities fall to the provider and which remain with the organization: broadly, the provider secures the underlying infrastructure, while the customer remains responsible for its identities, its data and the configuration of the services it consumes. Organizations should also run regular patch management to keep their software current and upgrade vulnerable or unsupported versions to supported versions that still receive security updates.
Cloud providers need to step up their general security practices, but organizations need to as well if they hope to withstand the rise of cloud-based attacks. With 45% of breaches categorized as cloud-based and recent data indicating that 80% of organizations have experienced a cloud-based incident in the last year, now is the time to take these tips seriously and implement a proactive approach to security.