Biden administration sees dangers in cloud, but users must protect perimeters

President Joe Biden’s administration, as part of its recently released National Cybersecurity Strategy, said critical sectors such as telecommunications, energy and healthcare rely on the cybersecurity and stability of cloud service providers.

Yet recent reports suggest the administration is concerned that major cloud service providers constitute a massive threat surface, one where an attacker could disrupt public and private infrastructure and services.

That concern is hard to argue with given the monolithic nature of the sector. Research firm Gartner, in its latest look at global cloud infrastructure-as-a-service market share, placed Amazon at the top with revenue of $35.4 billion in 2021. The market share breakdown is as follows:

  • Amazon: 38.9%
  • Microsoft: 21.1%
  • Alibaba: 9.5%
  • Google: 7.1%
  • Huawei: 4.6%

The Synergy Group reported that, together, Amazon, Microsoft and Google accounted for two-thirds of cloud infrastructure revenues in the three months ending Sept. 30, 2022, with the eight largest providers controlling more than 80% of the market, translating into three quarters of web revenue.

A focus on cloud service providers?

The administration’s report noted that threat actors use the cloud, domain registrars, hosting and email providers, as well as other services, to carry out exploits, coordinate operations and spy. Additionally, it promoted regulations to encourage the adoption of secure-by-design principles and said the regulations would specify “minimum expected cybersecurity practices or outcomes.”

Also, it will “identify gaps in authorities to encourage better cybersecurity practices in the cloud computing industry and for other important third-party services and will work with industry, Congress and regulators to close these,” according to the administration’s report.

If the administration is addressing the CSPs that control traffic through vast parts of the World Wide Web with the aim of regulating their security practices, the effort may be questionable, because the CSPs have strong security protocols, said Chris Winckless, senior director analyst at Gartner.

“Cloud providers appear from all the evidence to be very secure in what they do, but the lack of transparency in how they do it is a concern,” Winckless said.

However, Winckless also said there are limits to stability, and the buck ultimately stops at the customer’s desk.

“The use of the cloud is not secure, either from individual tenants, who do not configure properly or do not design for resilience, or from criminal/nation-state actors, who can take advantage of the dynamic and pay for the flexibility model,” he added.

Cloud providers already offer enough

Chris Doman, chief technology officer of cloud incident response firm Cado Security, says major cloud service providers are the best at managing and securing cloud infrastructure.

“To question their abilities and imply that the US government ‘knows better’ in terms of regulation and security guidance is misleading,” Doman said.

Imposing “know-your-customer” requirements on cloud providers may be well-intentioned, but it risks pushing attackers to use services further beyond the reach of law enforcement, he said.

The biggest threat to cloud infrastructure is physical disaster, not technology failures, Doman said.

“The financial services industry is a good example of how the sector is diversifying activity across multiple cloud providers to avoid any single points of failure,” Doman said. “Critical infrastructure entities modernizing to the cloud need to think about disaster recovery plans. Most critical infrastructure entities are not in a position to be fully multicloud, which limits points of exposure.”

Cloud customers need to enforce security

While the Biden administration said it would work with cloud and internet infrastructure providers to identify “malicious use of US infrastructure, share reports of malicious use with the government” and “make it easier for victims to report abuse of these systems and … make it harder for malicious actors to gain access to these resources in the first place,” doing so can pose challenges.

Mike Beckley, founder and chief technology officer of process automation company Appian, said the government was rightly reminded of the vulnerability of government systems.

“But, it has a bigger problem, and that is that most of its software is not from us or Microsoft or Salesforce or Palantir, for that matter,” Beckley said. “It was written by a low-cost bidder on custom contracts and, therefore, falls within most of the rules and constraints that we operate under as commercial providers.

“Whatever the government thinks it’s buying changes every day, based on less experienced or less qualified, or even the most malicious contractors with rights and permissions to upload new libraries and code. Each of those custom-code pipelines has to be built for each project and is therefore only as good as the team that builds it.”

It is up to customers to defend against major cloud-based threats

Finding malefactors is a big ask for CSPs like Amazon, Google and Microsoft, said Mike Britton, chief information security officer at Abnormal Security.

“At the end of the day, cloud is just a fancy word for servers out there, and digital space is now a commodity — I can store petabytes for pennies on the dollar,” Britton said. “We now live in a world where everything is based on APIs and the internet, so there are no barriers like in the old days.

“There’s a shared responsibility matrix, where the cloud provider handles issues like hardware operating system patches, but it’s the customer’s responsibility to know what the public is dealing with and opt in or out. I think it would be nice if there was a ‘no’ failsafe equivalent that asked something like ‘Did you mean to do that?’ when it comes to actions like making storage buckets public.

“Taking your 50 terabytes into an S3 storage bucket and accidentally making it publicly available is potentially shooting yourself in the foot. So, cloud security posture management solutions are useful. And buyers of cloud services need to have a smooth process.”

Key threats to your cloud operations

Check Point Security’s 2022 Cloud Security report lists the top cloud security threats.

Misconfigurations

Misconfigurations are a leading cause of cloud data breaches, and organizations’ cloud security posture management approaches are not sufficient for protecting their cloud-based infrastructure from them.

Unauthorized access

Cloud-based deployments outside the network perimeter and accessible directly from the public internet facilitate unauthorized access.

Insecure interfaces and APIs

CSPs often provide application programming interfaces and other interfaces for their customers, according to Check Point, but security depends on whether a customer has secured the interfaces for their cloud-based infrastructure.

Hijacked accounts

Not surprisingly, password security is a weak link and often involves bad practices like password reuse and using weak passwords. This problem exacerbates the impact of phishing attacks and data breaches because it allows a stolen password to be used on many different accounts.

Lack of visibility

An organization’s cloud resources are located outside the corporate network and run on infrastructure not owned by the company.

“As a result, many traditional tools for achieving network visibility are ineffective for cloud environments,” Check Point said. “And some organizations are lacking cloud-focused security tools. This can limit an organization’s ability to monitor their cloud-based resources and protect them against attack.”

External data sharing

The cloud makes it easy to share data, whether through an email invitation to a collaborator, or through a shared link. The ease of sharing data poses a security risk.

Malicious insiders

Ironically, because insiders are inside the perimeter, someone with malicious intent may have authorized access to an organization’s network and some of the sensitive resources it contains.

“In the cloud, detecting a malicious insider is much more difficult,” the Check Point report said. “With cloud deployments, companies have no control over their underlying infrastructure, making many traditional security solutions less effective.”

Cyberattacks as big business

Cybercriminals often choose their targets based on profitability. Cloud-based infrastructure that is publicly accessible from the internet can be improperly secured and can contain sensitive and valuable data.

Denial of service attacks

The cloud is critical to many organizations’ ability to do business. They use the cloud to store business-critical data and to run important internal and customer-facing applications.

Ethical hacking can secure operations in the cloud and on premises

It is important for organizations to secure their own perimeters and conduct internal and external vulnerability tests at a regular cadence.
