As part of its recently released National Cybersecurity Strategy, President Joe Biden’s administration said critical industries such as telecommunications, energy and healthcare rely on the cybersecurity and resilience of cloud service providers.
However, recent reports indicate that the administration is concerned that major cloud service providers represent a huge threat surface through which an attacker can disrupt public and private infrastructure and services.
That concern is hard to argue with given the monolithic nature of the field. Research firm Gartner, in its most recent look at global cloud infrastructure-as-a-service market share, has Amazon leading the way with $35.4 billion in 2021 revenue, with the rest of the market share broken down as follows:
- Amazon: 38.9%
- Microsoft: 21.1%
- Alibaba: 9.5%
- Google: 7.1%
- Huawei: 4.6%
Synergy Group reported that Amazon, Microsoft and Google together accounted for two-thirds of cloud infrastructure revenue in the three months ending September 30, 2022, with the top eight providers controlling more than 80%, that is, three quarters of web revenue.
Focus on cloud service providers
The administration’s report notes that threat actors are using the cloud, domain registrars, hosting and email providers, and other services to conduct exploits, coordinate operations and spy. In addition, it advocated for regulations that would promote the adoption of secure design principles and establish “minimum expected cybersecurity practices or outcomes.”
Also, it will “identify regulatory gaps to promote better cybersecurity practices for the cloud computing industry and other critical third-party services, and work with industry, Congress and regulators to close them,” the administration’s report said.
If the administration is talking to CSPs that monitor traffic across vast swaths of the global network with the goal of regulating their security practices, it may be uncontroversial because CSPs already have strong security protocols, noted Chris Winkless, Gartner senior director analyst.
“Cloud providers appear from all evidence to be highly secure in what they do, but lack transparency about how they do it,” Winkless said.
However, Winkless also said there are limits to flexibility, and the buck ultimately stops at the customer’s desk.
“Cloud use is not secure, either from individual tenants who are not well configured or designed for resilience, or from criminal/nation state actors who can take advantage of the dynamism and pay for resilience model,” he added.
Cloud providers already offer enough
Chris Dorman, chief technology officer at cloud incident response company Cado Security, says the big cloud service providers are already the best at managing and securing cloud infrastructure.
“To question the CSPs’ abilities and conclude that the US government would ‘know better’ in terms of regulatory and security guidelines would be misleading,” Dorman said.
Imposing know-your-customer requirements on cloud providers may be well-intentioned, but it risks allowing attackers to use services that are further from law enforcement, he said.
The biggest threat to cloud infrastructure is physical disaster, not technological failure, Dorman said.
“The financial services industry is a great example of how the industry is diversifying operations across multiple cloud providers to avoid any single point of failure,” Dorman said. “Critical infrastructure entities upgrading to the cloud should consider disaster recovery plans. Most critical infrastructure entities are unable to overcome fully multi-cloud, limiting exposure points.”
Cloud customers must ensure security
While the Biden administration has said it will work with cloud and internet infrastructure providers to identify “malicious use of US infrastructure, share reports of malicious use with the government” and “make it easier for victims to report abuse of these systems and … malicious actors in the first place to gain access to resources,” doing so can present challenges.
Mike Beckley, founder and chief technology officer of process automation company Appian, says the government is right to be alarmed about vulnerabilities in government systems.
“But it has a bigger problem, and that’s that most of its software isn’t from us, Microsoft, Salesforce or Palantir,” Beckley said. “It is written into the customs contracts by the low-cost buyer and is therefore declassified under most of the rules and restrictions under which we operate as commercial suppliers.
“What the government thinks it’s buying changes daily based on the least experience or least qualifications, or even the most nefarious contractor who has the right and permission to upload new libraries and code. Each of those custom code pipelines has to be built for each project and is therefore only as good as the team that makes it.”
Customers need to protect against major cloud-based threats
Looking for bad guys is a big ask for CSPs like Amazon, Google and Microsoft, says Mike Britton, chief information security officer at Abnormal Security.
“At the end of the day, cloud is just another fancy word for external servers, and that digital space is now a commodity; I can store petabytes for pennies on the dollar,” Britton said. “We now live in a world where everything is based on APIs and the Internet, so there are no barriers like there used to be.
“There is a shared responsibility matrix where the cloud provider handles things like hardware operating system patches, but it’s the customer’s responsibility to know what the public is facing and opt out or opt out. I think it would be nice if there was an equivalent of a “no” failure that asked “Did you mean to do this?” when it comes to actions like making storage buckets public.
“Taking your 50 terabytes in an S3 storage bucket and accidentally making it publicly available can shoot you in the foot. So cloud security posture management solutions are helpful. And consumers of cloud services must have good processes in order to be able to.
Top threats to your cloud operations
Check Point Security’s 2022 Cloud Security Report lists the top cloud security threats.
A major cause of cloud data breaches is that organizations’ cloud security posture management strategies are insufficient to protect their cloud-based infrastructure from misconfigurations.
Cloud-based deployments outside the network perimeter and directly accessible from the public Internet facilitate unauthorized access.
Insecure interfaces and APIs
CSPs often provide a variety of application programming interfaces and interfaces for their customers, according to Check Point, but security depends on whether the customer has provided the interfaces for their cloud-based infrastructure.
Not surprisingly, password security is a weak link and often involves bad practices such as password reuse and bad passwords. This issue exacerbates the impact of phishing attacks and data breaches, as it enables a single stolen password to be used across multiple different accounts.
Lack of visibility
An organization’s cloud resources are located outside the corporate network and run on infrastructure that the company does not own.
“As a result, many traditional tools for achieving network visibility are not effective for cloud environments,” Check Point notes. “And some organizations don’t have cloud-focused security tools. This can limit an organization’s ability to control their cloud-based resources and protect them from attacks.”
External data exchange
The cloud makes it easy to share data, whether it’s via an email invitation to a collaborator or a shared link. Ease of data sharing is a security risk.
Paradoxically though, because insiders are inside the perimeter, someone with bad intent can gain authorized access to an organization’s network and some of the sensitive resources it contains.
“Detecting a malicious insider in the cloud is even more difficult,” Check Point said in its report. “With a cloud deployment, companies have no control over their underlying infrastructure, making many traditional security solutions less effective.”
Cyber attacks as big business
Cybercrime targets are primarily driven by profitability. Cloud-based infrastructure that is publicly accessible from the Internet may be inadequately secured and may contain sensitive and valuable data.
Denial of service attacks
The cloud is essential to many organizations’ ability to do business. They use the cloud to store business-critical data and run critical internal and customer-facing applications.
Ethical hacking can secure cloud and on-premise operations
It is important for organizations to secure their own perimeters and regularly test for internal and external vulnerabilities.
If you want to brush up on your ethical hacking skills for web pen testing and more, check out this comprehensive set of ethical hacking courses from TechRepublic Academy.