What self-inflicted damage can arise from cloud security threats? Recently, Dan Pitman, Senior Solutions Architect at Alert Logic, presented at the Cloud Security Summit in London on this very topic. He explored the biggest cloud security threats and shared the best practices for reducing the negative impact of IT sprawl, security sprawl and the ever-evolving (and expanding) attack surface.
The Alert Logic 2017 Cloud Security Report details various cyber threats that organizations might be subjected to. Some of the key findings from that report illustrate and reinforce the focus of Pitman’s presentation, “The Biggest Cloud Security Threats are Self-Inflicted.” When respondents were asked what they perceive to be the biggest threat to cloud security, the top responses were:
- 62% - Misconfiguration of the cloud platform or inappropriate setup
- 55% - Unauthorized access
- 50% - Insecure interfaces or APIs
- 47% - Hijacking of account services or traffic
In his presentation, Dan also described the current attack surface of cloud environments. 70% of the vulnerabilities observed in Alert Logic customer environments in 2014 and 2015 still remain active today. Shockingly, 4% of the incidents were traceable to vulnerabilities and exploits as far back as 1999. In addition to these old vulnerabilities—some of which are now old enough to hold a driver’s license, or vote—new ones continue to expose cloud environments to cyber attacks at every layer.
Understand the concept of the shared responsibility model
One of the main problems in cloud security is establishing who is responsible for what. The volume and sophistication of cyber attacks have grown, and so has the confusion about whose responsibility it is to secure the applications and workloads in the cloud. The thing is, it’s a shared responsibility. Customers, partners, and cloud security providers all play a role in IT security to some extent, but ascertaining the specific nature of each role can be difficult.
The cloud provider is generally responsible for managing and protecting the backend infrastructure that it is offering as a service. However, the customer is responsible for securing everything they add to or run in that cloud environment—and for properly setting up and configuring what is provided by the cloud platform. You can look at the growing list of data leaks resulting from the poor configuration of AWS S3 cloud storage—Dow Jones, the WWE, the US Department of Defense, etc.—as evidence that many organizations do not understand the shared responsibility model.
The IT security basics
The biggest piece of advice still centers around the basics. This starts with providing continuous visibility, allowing you to identify vulnerabilities and configuration issues, and prioritize remediation. Secondly, you need to ensure effective compliance and monitoring—providing alerting and remediation for network threats, suspicious activity, and web application vulnerabilities.
While the principles of cybersecurity remain the same across a variety of environments, the approach to security can—and should—change. Traditional approaches to securing workloads and web applications are being challenged when moving to the cloud. Understanding who is responsible for what, inside and outside of an organization, is also paramount for cybersecurity success. Address avoidable, self-inflicted cloud security threats so you can focus on more serious priorities—cybercriminals and external cyber attacks.
If you were not able to attend the Cloud Security Summit, you can view all of the sessions at our Virtual Cloud Security Summit.