Data is accessible at the snap of a finger thanks to cloud technology advancements. But there’s a dark downside lurking below the surface. The more datasets there are publicly available, the more likely it is that personal or identifiable data will be mishandled, Nathaniel Quist, manager of cloud threat intelligence with Palo Alto Network's Prisma Cloud, wrote in a blog.
In its most recent Cloud Threat report, Palo Alto’s Unit 42 cybersecurity researchers analyzed over 200,000 cloud accounts to compile a list of the top pitfalls company leaders should look out for as they navigate the cloud security landscape. Here are the top risks they came up with:
- Failure to properly manage identity and access management (IAM) policies
- Lack of operationalization of cloud audit and log data
- Extended response times to cloud alerting
- Failure to assess the cloud threat landscape
- Unaware of cloud threat actor group operations
- Failure to detect and properly handle cloud-targeting malware
- Redundant security tool operations
- Multiple cloud platform owners
- Not implementing zero trust principles
- Failure to establish cloud-focused IR planning or operations
Authentication stays on top
In addition to the list above, Quist argued strong authentication should be top of mind for organizations, since attackers are increasingly using stolen credentials to enter and compromise cloud environments.
The report found that 76% of organizations don’t enforce multi-factor authentication (MFA) for console users and 58% of organizations don’t enforce MFA for root or admin users.
Plus, 83% of organizations surveyed have hard-coded Identity and Access Management (IAM) credentials within their source control management systems — which poses significant security risks because adversaries can use them to bypass most of the defense mechanisms.
“When approaching the security of cloud environments, a key question organizations can start with is ‘who has access to what?’” Quist told Silverlinings via email. “Defining a least privileged access approach with continuous trust verification ensures the right people have the right access for the right amount of time.”
Organizations shouldn’t place Cloud Native Application Protection Platform (CNAPPs) on the back burner either. “They provide a holistic view of cloud environments and can identify and prevent threats at every stage of the application lifecycle,” Quist said. “In evaluating a CNAPP, it’s important that the solution provides both visibility and prevention capabilities as several CNAPP providers only provide visibility, leaving the prevention component as an end user responsibility.”
The report also noted that 5% of a customer’s enabled cloud policies will generate more than 80% of all their alerting events. Essentially, another nod to prioritize permissions.
“This signifies that customers can solve 80% of their alerts by taking action on only a small handful of alerts,” noted Quist. “Our research indicates that the majority of these alerts can be remediated by limiting Identity and Access Management (IAM) permissions to users, roles or policies, or by implementing a shift-left approach to scanning cloud code prior to production deployment.”
The more (preventative measures) the merrier
Cloud workload protection (CWP) and runtime monitoring are also key detection solutions organizations should implement if operating in the cloud, according to Quist. Plus, cloud code scanning should be performed if any organization “builds, designs or writes any Infrastructure as Code (IaC) templates, or custom containers deployed within their cloud environments."
“Due to the dynamic nature of the cloud, a misconfiguration or vulnerability contained within a single cloud code template can have a sizable ripple effect on that organization's security risk posture,” he explained. “Scanning all cloud code templates and infrastructure data for misconfigurations and vulnerabilities can assist the organization in maintaining a secure risk posture.”
Implementing cloud storage audit logging policies is another step organizations can take to enhance security and threat detection. By tracking user activities and access to data, organizations can establish a clear chain of responsibility, identify individuals responsible for specific actions and promote a culture of responsible data handling, according to Quist.
There is no ‘I’ in team
At the end of the day, cloud security responsibility doesn’t trickle down to one sole user, and organizations should know there is a value in educating security professionals. “What is needed is a directive from executive tiers to make this education a priority,” Quist wrote when asked if there is a need to upskill or bridge talent gaps in security and operations teams to properly handle cloud-targeting malware.
“I believe more attention should be given to cloud-targeting malware and a greater emphasis should be placed on the proper handling of cloud resources that are compromised by this type of malware,” he concluded. “Properly educating security professionals and cloud DevOps personnel on how to quarantine an infected container or host, as well as performing forensic investigations on compromised containers would greatly assist in the fight against cloud-targeting malware.”