The Egregious 11: Examining the Top Cloud Computing Threats
Each year, the Cloud Security Alliance (CSA) releases its “Top Threats to Cloud Computing” study to raise awareness of key risks and vulnerabilities in the cloud and promote strong security practices.
The latest edition, The Egregious 11, ranks the top eleven cloud threats and provides recommendations for security, compliance, risk and technology practitioners. This installment reflects the widespread surge in cloud use and overall maturation in organizations’ understanding of cloud environments. However, it hints at continued over-reliance on cloud vendors to protect workloads, a troublesome trend we also observed in the CyberArk Global Advanced Threat Landscape 2019 report.
The CSA recorded a drop in rankings of traditional cloud security issues under the responsibility of cloud service providers – such as denial of service, shared technology vulnerabilities and CSP data loss – suggesting these issues are less of a concern for organizations than in years past. The biggest threats now come from issues like misconfigurations and insufficient identity access management where the customer is solely responsible for security.
As organizations utilize the cloud to enable remote work and accelerate digital transformation, there is a need to understand where potential security risks exist and address them head on. Here’s a look at five of the “Egregious 11,” along with steps organizations can take to strengthen their security posture. To explore all 11 cloud security challenges, along with CSA recommendations, check out the full study.
Data Breaches
With the average total cost of a data breach now at $3.92 million, it’s unsurprising this is ranked as the number one cloud threat. Cyber attackers are after data – particularly personal information – and data accessible via the Internet is the most vulnerable asset to misconfiguration or exploitation. As more data shifts to the cloud, effectively protecting it begins with the question, “Who has access to this?”
Misconfiguration and Inadequate Change Control
Misconfigurations – including granting excessive permissions or unchanged default credentials – occur when computing assets and access are set up incorrectly. Misconfiguration of cloud resources is a leading cause of data breaches and can result in deleted or modified resources and service interruptions. The dynamic nature of the cloud makes traditional change control approaches for proper configuration extremely difficult.
To overcome cloud misconfiguration maladies, the CSA urges organizations to embrace automation tools that can continuously discover issues like unmanaged privileged accounts and instances to prevent misuse.
Insufficient Identity, Credential, Access and Key Management
The cloud introduces a host of changes and challenges related to identity and access management (IAM) and particularly to privileged access management (PAM), since privileged credentials associated with human users as well as applications and machine identities are exceptionally powerful and highly susceptible to compromise in cloud environments.
Once an attacker obtains privileged credentials, they can gain full access to sensitive databases, or even to an organization’s entire cloud environment. Attackers know this. Many recent attacks targeting IaaS and PaaS environments have exploited unsecured credentials, resulting in cryptojacking, data breaches and destruction of intellectual property and other sensitive data.
The CSA stresses the need for strict IAM controls for cloud users and identities including following the principle of least privilege to protect privileged access to high-value data and assets. It also notes that cloud access keys (e.g., AWS access keys, Google Cloud keys and Azure keys) must be rotated and centrally managed, while unused credentials or access privileges are removed.
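The rotation and unused-credential checks described above can be automated against an AWS IAM credential report. The following is an added example, not code from the CSA study or the original post; the 90-day and 45-day thresholds are assumed policy values, and the report rows are constructed sample data using the report's access-key columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (hypothetical, not taken from the CSA study).
MAX_KEY_AGE = timedelta(days=90)   # rotate active keys older than this
MAX_IDLE = timedelta(days=45)      # treat keys idle longer than this as unused
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample rows in the column layout of an AWS IAM credential
# report; only the columns this check reads are included.
SAMPLE_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deployer,true,2023-01-10T09:00:00+00:00,2024-05-30T12:00:00+00:00,false,N/A,N/A
old-batch-job,true,2024-04-01T09:00:00+00:00,N/A,false,N/A,N/A
alice,true,2024-05-01T09:00:00+00:00,2024-05-29T08:00:00+00:00,true,2022-11-02T10:00:00+00:00,2023-02-01T10:00:00+00:00
bob,false,2021-01-01T00:00:00+00:00,2021-02-01T00:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_keys(report_csv, now):
    """Return (user, key_slot, finding) tuples for active keys that break policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row[prefix + "active"] != "true":
                continue  # inactive keys cannot authenticate; skip them
            rotated = parse_ts(row[prefix + "last_rotated"])
            last_used = parse_ts(row[prefix + "last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((row["user"], slot, "rotate"))
            # A key that was never used counts as idle since it was issued.
            idle_since = last_used or rotated
            if idle_since and now - idle_since > MAX_IDLE:
                findings.append((row["user"], slot, "remove-unused"))
    return findings

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_REPORT, SAMPLE_NOW):
        print(*finding)
```

The never-used key on old-batch-job is flagged for removal even though it is inside the rotation window, which is the case a rotation-only check misses.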
Account Hijacking
Using phishing methods, vulnerability exploitation or stolen credentials, malicious attackers look for ways to access highly privileged accounts in the cloud, like cloud service accounts or subscriptions. Account and service hijacking means full compromise: control of the account, its services and the data within. The fallout from such compromises can be severe – from significant operational and business disruptions to complete elimination of organization assets, data and capabilities.
To protect against account hijacking, the CSA recommends defense-in-depth and strong IAM and PAM controls, such as credential lifecycle and provisioning management and segregation of duties.
Insider Threat
Malicious insiders can be current or former employees, contractors or other trusted third parties who use their access to act in a way that could negatively affect the organization. Since insiders have legitimate access, pinpointing potential security issues can be extremely difficult and remediating incidents can be costly. According to the Ponemon Institute’s 2020 Cost of Insider Threats Study, the average global cost of insider threats rose by 31% in two years to $11.45 million and the frequency of incidents spiked by 47% in the same time period.
Whether it’s a privileged user abusing their level of access or inadvertently misconfiguring a cloud resource, having a PAM program in place to protect from these insider abuses is paramount.
Don’t Be An Egregious Offender. Secure Your Cloud with PAM
The cloud has fundamentally changed the notion of privilege. Now, even ordinary user credentials in the cloud and DevOps environments can hold as much power as administrator-level credentials do for other types of systems. Add in a complex and highly dynamic mix of machines and applications and the privilege-related attack surface grows dramatically.
Poor cloud security practices will inevitably lead to a breach or failed audit and force organizations to slow down – something that simply isn’t an option in the always-on, ultra-competitive digital era.
Strong privileged access controls help ensure that humans, applications and machines have only the necessary levels of access to sensitive applications and infrastructure to do their jobs and that activities occurring within the cloud environment aren’t risky (or if they are, privileged access controls enable SecOps teams to take swift action).
If you’re looking for more in-depth guidance beyond the CSA’s initial recommendations, tap into these actionable steps for protecting privileged access in cloud environments.
Original written by: Justyna Kucharczak
Over the past 12-18 months, there has been mounting interest in the next generation of IAM systems. The promises of decentralized and self-sovereign identity promote a frictionless user experience, improved privacy controls, and appeal to organizations looking to reduce both costs and risks. How do you get started? Many organizations are just starting their journey to the cloud, so the idea of a decentralized identity may seem too futuristic. In this session, experts from IBM, Pontis Research, PathMaker-Group & SecurIT discuss the value of such a transition and how clients are progressively moving towards it. Learn how use cases like passwordless authentication for law enforcement personnel and digital job credentials are becoming a reality. With the right strategy, next-generation IAM is closer than you think.
As the business world navigates the ups and downs of today’s economy, a mindset shift is required to maintain cyber resilience. Cybersecurity, often an afterthought in a strong economy, must not be neglected in responding to shifts in the business landscape.
As more companies expand their remote workforce, the number of endpoints with access to corporate resources is proliferating. Hackers are seizing the opportunities this presents: Phishing email click rates have risen from around 5 percent to over 40 percent in recent months, according to Forbes.
With a strong cybersecurity mindset and some strategic planning, your company can position itself to survive these new working conditions and build up even more cyber resilience as you adapt. Because cybersecurity professionals are facing formidable adversaries, understanding how hackers think can go a long way in mitigating the threat they pose.
An Unfair Advantage
Security expert Frank Abagnale is one of the foremost experts on the thought processes of threat actors, and he was kind enough to lend his expertise to this piece.
Since the number of successful phishing attacks has skyrocketed, I asked him if this is more a function of hackers stepping up their game, or employees not possessing the right cybersecurity mindset to pay attention.
“It’s both,” he explained. “Any crisis is a perfect backdrop to phishing attacks. At the same time, employees are in a new environment, working from home with more distractions than ever. Add to this stress, cabin fever and anxiety, and you have the perfect phishing storm.”
What makes bad actors so successful, according to experts, is that they take advantage of the human condition. And the human condition is less guarded by security layers today than it has been in quite some time.
“Any fear and anxiety gets people to do things they normally would not do,” said Abagnale.
Take It From the Top
So what can an enterprise do to swim against this foreboding tide? Abagnale insists that vigilance is the key.
“It’s the way to go in normal times and especially now,” he said. “If a link or email sounds too good to be true, it probably is. Don’t rush to fill forms and provide your information to anyone who claims to be the IRS” — or someone who can accelerate your tax return.
But employees can’t be expected to bear the full responsibility of security, or even to recognize established best practices in every scenario. If something is too confusing or complicated and employees don’t know much about it, failure can seem inevitable. Good cybersecurity must be taught in ways that are easy to understand and that include actionable takeaways.
“We must use this time to educate and keep employees alert,” Abagnale asserted. And today, the cybersecurity responsibility elevator operates with only one button and one destination: the C-suite. It therefore falls to chief information security officers (CISOs) and security practitioners to connect the dots and ensure their colleagues understand what they can do to help.
Modern Problems, Modern Solutions
As we continue working, could the altered landscape change Abagnale’s mindset around cybersecurity? Would most of his convictions hold?
“I have been talking and warning executives and companies for over four decades about what criminals do to exploit unsuspecting humans,” he explained. “I now live to see the full effect of it, in a time that is ripe for fraud and deceit. My convictions are more reinforced today than ever. I am more energized to help educate the public about cybercrime and how we move forward to a better and more secure internet.”
Abagnale firmly believes that we must elevate our systems to prepare for the future, and the first piece of advice he would give to any company and security practitioner is to stop using passwords.
“Once you take the secret away from the human user, they cannot give it to the crooks,” he said. “They will not fall prey to keyloggers. It’s time we move forward from a 1960s technology to the 21st century.” Now may just be the time to put into action what Abagnale has been suggesting for years, and the path to a passwordless world may be simpler than you think.
Of course, moving away from passwords is just one aspect of the mindset shift security experts must embrace to bolster their cyber resilience. Don’t just keep cybersecurity and cyber hygiene front of mind; take the opportunity to reevaluate the true efficacy of our fundamental assumptions about security. Drastic changes in the threat landscape will continue to develop as working norms are overhauled, and security measures devised for outdated threats likely won’t serve us in the future — or even the present.