As more enterprises adopt multicloud architecture, hackers and other malicious actors are finding new ways to infiltrate corporate networks. Understanding the changing nature of the threat landscape for enterprise cloud and multicloud environments is crucial for thwarting malevolent actors intent on harming a company’s reputation and bottom line.
Cloud security presents a challenge to CISOs, who must identify the expanded attack surfaces that must be protected in the cloud, protect against the most common vulnerabilities, and learn how to think about security threats so cybersecurity teams can prevent them.
Understanding the expanded attack surfaces
With cloud, not to mention multicloud, security teams are dealing with vastly different attack surfaces than previously seen in the on-premises world or the branch or datacenter world.
When thinking about attack surfaces, it's helpful to start by considering the outer edges of your network and work your way in. At the edges of your cloud network, the application layer has become a massive threatscape made more complex with the advent of containerization. Every day brings new application services security leaders haven’t seen before, and we see a corresponding increase in the threat level in this area.
The next layer of the attack surface is the cloud networking layer, where organizations have all the different networking constructs, like hidden Virtual Private Clouds (VPCs)/Virtual Network (VNET) routers, hidden load balancers, etc. And now, every single VPC/VNET has an Internet Gateway (IGW) sitting next to the application, which provides direct access to and from malicious IPs and bad actors. IGW and other services widen the attack surface for applications and services deployed inside the cloud.
In the case of hybrid deployments, there may be uncontrolled areas of the network where the cloud is connected to the on-premises environment, which is yet another attack surface.
Across all these layers, CISOs need to be mindful of both external and internal threats.
In addition to protecting your network from unauthorized external access by hackers attempting to breach the company's defenses, you need to establish proper governance and audit models for secure user access by authorized personnel. In a typical enterprise, developers, contractors, partners and other individuals and groups will need access to various applications.
Internal personnel can also create potential threats. If cybersecurity leadership fails to apply appropriate identity and access management (IAM) policies and microsegmentation for internal personnel, they may inadvertently enable unauthorized access to various resources, including virtual machines or the code.
Multiple clouds = multiple attack surfaces
Up to this point, we've been discussing attack surfaces in a single cloud. But in a multicloud environment, the problem is even more significant.
In multicloud, you have multiple challenges with visibility, because constructs like VPC routers, IGWs, transit gateways and load balancers are black-box resources. They're behind the scenes, and oftentimes IT doesn't have access to them. These issues exist even in the single cloud, but they’re compounded with a multicloud deployment because each cloud operates differently.
Additionally, organizations are dealing with multiple cloud service providers (CSPs), each with unique architecture and without any unified control or data plane.
Let's assume the IT team is trained in AWS. They know how to protect AWS. They know the ins and outs of AWS networking. But what about GCP? What about Azure? What about OCI?
Each of these CSPs provide resources and security services specific to their cloud. So, with each additional cloud, you have entirely different services, which may or may not be compatible with the compliance posture your enterprise mandates. With no unification, IT teams are dealing with a completely discreet, fractured architecture. If the organization has a fractured architecture, your security will be fractured as well.
The three biggest cloud vulnerabilities
1. Human error
Perhaps unsurprisingly, human error is still the most common challenge. People make mistakes. The mistake could be as minuscule as a typo in the code, which allows a bad actor to launch SQL Injection type attacks, compromising enterprise application security.
2. Lack of familiarity with new technologies
When it comes to new technologies, deep expertise is naturally rather limited. For example, more and more cyberattacks are targeting containers, service mesh and Kubernetes. These are relatively new technologies, and many people using them may not be completely familiar with their security flaws, which makes them attractive targets for malicious actors.
The cloud itself is a new technology, and the cloud skills gap is a serious problem, especially when it comes to security. People are migrating applications into the cloud before putting the right architecture in place. They're not thinking about layered security or defense for an in-depth security model in the cloud.
3. Expecting your CSP to handle security for you
For a lot of organizations, the cloud represents an 'easy button.' However, it's a mistake to believe that a CSP provides an effective 'easy button' for cloud security. You may have heard that security is a "shared responsibility" between the CSP and the enterprise. The truth of the matter is that security is in no way, shape or form a shared responsibility — it’s your responsibility.
Say a bad actor attacks an enterprise application or workload. After an attack, it can become difficult for enterprises and CSPs to work together because in many cases, visibility is a challenge. You can’t see behind the curtain on their side, and they can’t see behind the curtain on yours. The reality is that it comes down to the enterprise architect or the CISO or the CIO to ensure a proper security posture is maintained.
Rethinking the CISO approach to cloud and multicloud security
Many architects take an add-on approach to cloud security. While it may seem expedient at the outset, this approach doesn’t scale. It’s much better to use a holistic approach to architecting layered security from the beginning. This is especially important as enterprises move to multicloud.
My advice to CISOs:
- Embrace the security services CSPs offer. They’re available for a reason; use them.
- Extend additional security where CSPs don’t provide it.
- Leverage third-party services like firewalls.
- Adopt and build networks where security is the priority.
- Use microsegmentation with policies that can be enforced at different levels.
Enacting these strategies within organizational networks can result in a holistic, layered approach to security, as well as complete topological visibility that multicloud networks require.