As more enterprises adopt private, public and hybrid cloud infrastructure, the need for comprehensive data security across cloud workloads and containers increases exponentially. This need has become more urgent as adversaries have quickly turned their attention to the cloud, and cloud breaches continue to rise.
The reasons behind cloud breaches run the gamut, but can be broadly classified into four cloud security challenges:
- human errors
- runtime threats
- shadow IT
- poor strategic planning
Challenge #1. Human Errors
Because of the nature of cloud environments, the majority of breaches in the cloud are caused by human error. In fact, according to Gartner, through 2025, 99% of all cloud security failures will be the customer’s fault.
In the cloud, the absence of perimeter security can make those mistakes very costly. These errors can include:
- misconfigured S3 buckets
- leaving ports open to the public
- the use of insecure accounts or APIs
Sometimes, organizations are not even aware of what APIs are being used, let alone understanding whether or not they are secure. Those errors transform cloud workloads into obvious targets that can be easily discovered with a simple web crawler. Multiple publicly reported breaches started with misconfigured S3 buckets that were used as the entry point.
Other examples of cloud misconfiguration leading to a breach involve servers in the DMZ that have ports wide open to the world. These configuration issues continue to happen, often leaving workloads and containers publicly exposed.
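The two error classes just described, world-readable storage buckets and ports left open to the internet, are both visible in configuration before any attacker finds them. The following is an added example, not CrowdStrike code, of an offline audit over a constructed bucket policy document and a constructed set of security-group ingress rules; the account ID, statement names and rules are placeholders, and the list of sensitive ports is an assumption a team would tune to its own environment.

```python
"""Offline audit for two common cloud misconfigurations (added example).

Inputs are constructed: a bucket policy in the JSON shape AWS uses, and a
list of ingress rules as {cidr, from_port, to_port}. Nothing here talks to a
live account; the point is the decision logic a CSPM-style check applies.
"""
import ipaddress
import json

# Assumption: ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   27017: "mongodb", 6379: "redis", 9200: "elasticsearch"}

# Constructed bucket policy. 111122223333 is a placeholder account ID.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcScoped", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    ],
})

# Constructed security-group ingress rules.
SAMPLE_RULES = [
    {"cidr": "0.0.0.0/0", "from_port": 80, "to_port": 80},      # web, expected
    {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},      # ssh to the world
    {"cidr": "10.0.0.0/8", "from_port": 3306, "to_port": 3306}, # internal only
    {"cidr": "::/0", "from_port": 3389, "to_port": 3389},       # rdp to the world (IPv6)
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # "*" or {"AWS": "*"} grants access to anyone, including unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy_doc):
    """Return Sids of Allow statements open to any principal with no Condition.

    Statements with a Condition (e.g. restricted to a VPC endpoint) are left for
    manual review rather than flagged as public.
    """
    policy = json.loads(policy_doc)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def world_open_sensitive_ports(rules):
    """Return (cidr, port, service) for each sensitive port reachable from /0."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 count as "the world"
            continue
        for port, name in SENSITIVE_PORTS.items():
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append((rule["cidr"], port, name))
    return findings


def audit(policy_doc=SAMPLE_POLICY, rules=SAMPLE_RULES):
    return {"public_statements": public_policy_statements(policy_doc),
            "world_open_ports": world_open_sensitive_ports(rules)}


if __name__ == "__main__":
    for kind, items in audit().items():
        print(kind, items)
```

Run as a script it reports the `PublicRead` statement and the two world-open administrative ports while leaving the account-scoped and VPC-scoped grants alone, which is the distinction a reviewer needs: not every `Principal: "*"` is a finding, but an unconditioned one always is.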
Challenge #2. Runtime Threats
In public clouds, much of the underlying infrastructure is already secured by the cloud service provider (CSP). However, everything from the operating system to applications and data is the responsibility of the user. This is what is referred to as the “shared responsibility model.”
Unfortunately, this model can be misunderstood, leading to the assumption that cloud workloads are fully protected by the service provider. This results in users unknowingly running workloads that are not fully protected, meaning adversaries can target the operating system and the applications to obtain access.
Attackers use zero-day exploits to gain a foothold, then establish persistence by planting advanced persistent threats (APT) and moving laterally within the data center. Any available attack surface will be leveraged by adversaries. Even securely configured workloads can become a security risk at runtime, as they are vulnerable to zero-day exploits and unpatched vulnerabilities.
In addition, the cloud provides more than just compute power. It has also become a storage facility for intellectual property and confidential documents, making cloud workloads and containers an increasingly attractive target for attackers. This is a trend observed by the CrowdStrike Services team across numerous breaches it investigated this year that originated in cloud workloads, which many adversaries seem to be targeting specifically.
Challenge #3. Shadow IT
Shadow IT is another major issue for enterprise cloud environments. By its very nature, shadow IT challenges security because it circumvents the normal IT approval and management process.
The reason behind shadow IT’s existence is not normally malicious. It is typically the result of employees adopting cloud services to do their jobs. The ease with which cloud resources can be spun up and down makes controlling the growth of shadow IT difficult. Developers can easily spawn workloads using their personal accounts. These unauthorized assets are a threat to the environment, as they often are not properly secured and are accessible via default passwords and misconfigurations.
Cloud and DevOps teams like to run fast and without friction. However, obtaining the visibility and management levels that the security teams require is difficult without hampering DevOps activities. As DevOps becomes more mainstream, both security and IT teams need to adapt. DevOps needs a frictionless way to ensure that they deploy secure applications and directly integrate with their continuous integration/continuous delivery (CI/CD) pipeline. There needs to be a unified approach for security teams to get the information they need without slowing down DevOps. IT and security need to find solutions that will work for the cloud — at DevOps’ velocity.
Challenge #4. Lack Of Cloud Security Strategy And Skills
As workloads move to the cloud, administrators continue to try to secure these workloads the same way they secure servers in a private or on-premises data center. Unfortunately, traditional data center security models are not suitable for the cloud.
Cloud may give organizations agility, but it can also open up vulnerabilities for organizations that lack the internal knowledge and skills to effectively understand security challenges in the cloud. Poor planning can manifest itself in misunderstanding the implications of the shared responsibility model, which lays out the security duties of the cloud provider and the user. It can also manifest in mistakes by DevOps, which may find itself playing a much larger role in security as part of a shift left approach without the necessary skills or knowledge.
Adversaries Targeting Cloud Infrastructure
One trend CrowdStrike saw in its 2020 CrowdStrike Cyber Front Lines Report involved threat actors targeting cloud infrastructure slated for retirement or simply neglected for various reasons. The report’s observations included:
- Adversaries target neglected cloud infrastructure slated for retirement that still contains sensitive data.
- Adversaries use a lack of outbound restrictions and workload protection to exfiltrate your data.
- Adversaries leverage common cloud services as a way to obfuscate malicious activity.
This cloud vulnerability likely stemmed from infrastructure no longer receiving security configuration updates and regular maintenance. Unfortunately, security controls such as monitoring, expanded logging, security architecture/planning and posture remediation no longer occurred in these environments. CrowdStrike encountered cases where neglected cloud infrastructure still contained critical business data and systems.
As such, attacks led to sensitive data leaks requiring costly investigation and reporting obligations. Additionally, some attacks on abandoned cloud environments resulted in impactful service outages, since they still provided critical services that hadn’t been fully transitioned to new infrastructure. Moreover, the triage, containment and recovery from the incident in these environments had a tremendous negative impact on some organizations as these activities disrupted the release of a key feature launch in one case and delayed mergers and acquisitions (M&A) activities in another.
Not only did the CrowdStrike team see cloud infrastructure as a target of attacks in 2020, the cloud also served as a vehicle to launch attacks. Over the past year, threat actors leveraged common cloud services, such as Microsoft Azure, and data storage syncing services, such as MEGA, to exfiltrate data and proxy network traffic. A lack of outbound restrictions coupled with a lack of workload protection enabled threat actors to interact with local services over proxies to IP addresses in the cloud. This gave attackers additional time to interrogate systems and exfiltrate data from services ranging from partner-operated, web-based APIs to databases to custom network services — all while appearing to originate from inside the victim’s network and barely leaving a trace on local file systems.
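The "lack of outbound restrictions" above is detectable from the network side: if a workload may only talk to internal ranges and an explicit set of approved external destinations, every other outbound flow is a finding, and the byte totals per destination tell you which ones look like data leaving. The following is an added example, not CrowdStrike code, of that egress check over constructed flow records; the CIDRs are documentation ranges standing in for real internal and approved networks, and the 1 GB threshold is an assumption.

```python
"""Egress allowlist check over constructed flow records (added example).

Flow records are (src, dst, dst_port, bytes) tuples in the spirit of a VPC
flow log; they are constructed here, not captured. Internal and approved
ranges use RFC 5737 documentation addresses as placeholders.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: the only external range workloads are approved to reach
# (for example a package mirror). Everything else outbound is unapproved.
APPROVED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.9", 5432, 4_000),              # internal DB traffic
    ("10.0.1.5", "203.0.113.10", 443, 20_000),          # approved destination
    ("10.0.1.5", "198.51.100.7", 443, 900_000_000),     # unapproved, large
    ("10.0.1.5", "198.51.100.7", 443, 300_000_000),     # same destination again
    ("10.0.3.2", "192.0.2.44", 8443, 1_200),            # unapproved, small
    ("192.0.2.99", "10.0.1.5", 443, 500),               # inbound, not our concern here
]


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def is_approved_destination(dst):
    """Internal ranges and the approved external list are the allowlist."""
    ip = ipaddress.ip_address(dst)
    return _in_any(ip, INTERNAL_NETS) or _in_any(ip, APPROVED_EGRESS)


def summarize_unapproved_egress(flows, threshold_bytes=1_000_000_000):
    """Aggregate outbound bytes per unapproved destination.

    Returns a list of (dst, total_bytes, over_threshold), largest first. Only
    flows whose source is one of our workloads count as egress.
    """
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if not _in_any(ipaddress.ip_address(src), INTERNAL_NETS):
            continue  # not originating from a workload we own
        if is_approved_destination(dst):
            continue
        totals[dst] += nbytes
    return sorted(((dst, total, total >= threshold_bytes) for dst, total in totals.items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for dst, total, big in summarize_unapproved_egress(SAMPLE_FLOWS):
        print(f"{dst:<16} {total:>14,d} bytes{'  ** exceeds threshold' if big else ''}")
```

The same aggregation is what you would feed into an alert: a single unapproved destination is a policy violation worth a ticket, while an unapproved destination accumulating gigabytes is the exfiltration pattern the report describes and deserves an immediate look.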
What Can I Do To Protect My Cloud Environment?
Cloud computing introduces new wrinkles to proper protection that don’t all translate exactly from a traditional on-premises data center model. Security teams should keep the following firmly in mind as they strive to remain grounded in best practices.
Enable Runtime Protection And Obtain Real-time Visibility
You can’t protect what you don’t have visibility into — even if you have plans to decommission the infrastructure. Central to securing your cloud infrastructure to prevent a data breach is runtime protection and visibility provided by solutions like CrowdStrike Falcon Cloud Workload Protection (CWP). It remains critical to protect your workloads and containers with next-generation endpoint, workload and container security, including servers, workstations and mobile devices, regardless of whether they reside in an on-premises data center or virtual cluster, or are hosted in a private or public cloud.
Eliminate Configuration Errors
The most common root cause of cloud intrusions continues to be human errors and omissions introduced during common administrative activities. It’s important to set up new infrastructure with default patterns that make secure operations easy to adopt. One way to do this is to use a cloud account factory to create new sub-accounts and subscriptions easily. This strategy ensures that new accounts are set up in a predictable manner, eliminating common sources of human error. Also, make sure to set up roles and network security groups that keep developers and operators from needing to build their own security profiles and accidentally doing it poorly.
Leverage A Cloud Security Posture Management (CSPM) Solution
Ensure your cloud account factory includes enabling detailed logging and a CSPM — such as CrowdStrike Falcon Horizon — with alerting to responsible parties including cloud operations and security operations center (SOC) teams. Actively seek out unmanaged cloud subscriptions, and when found, don’t assume it’s managed by someone else. Instead, ensure that responsible parties are identified and motivated to either decommission any shadow IT cloud environments or bring them under full management along with your CSPM. Then use your CSPM on all infrastructure up until the day the account or subscription is fully decommissioned to ensure that operations teams have continuous visibility.
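The advice above reduces to a reconciliation: every account or subscription must have a named owner, logging and CSPM enrolment until the day it is decommissioned, and anything past its retirement date or untouched for months is exactly the neglected infrastructure the earlier section described. The following is an added example, not CrowdStrike code, of that reconciliation over a constructed inventory; the account IDs, teams, dates and the 90-day staleness window are assumptions.

```python
"""Cloud account inventory reconciliation (added example).

The inventory is constructed. In practice the same fields would come from the
cloud provider's organisation API and from the CSPM's enrolment list; the
logic that classifies each account is what this example shows.
"""
from datetime import date, timedelta

# Constructed inventory; IDs are placeholders, not real accounts.
SAMPLE_ACCOUNTS = [
    {"id": "acct-prod-01", "owner": "platform-team", "cspm": True, "logging": True,
     "decommission": None, "last_config_change": date(2021, 3, 1)},
    {"id": "acct-legacy-07", "owner": "", "cspm": False, "logging": False,
     "decommission": date(2020, 12, 31), "last_config_change": date(2020, 6, 10)},
    {"id": "acct-dev-sandbox", "owner": "dev-team", "cspm": False, "logging": True,
     "decommission": None, "last_config_change": date(2021, 2, 20)},
    {"id": "acct-data-02", "owner": "analytics", "cspm": True, "logging": True,
     "decommission": date(2021, 6, 30), "last_config_change": date(2020, 9, 1)},
]


def reconcile(accounts, today, stale_after=timedelta(days=90)):
    """Classify accounts into the buckets an operations review needs.

    unmanaged:         no owner, or not enrolled in CSPM, or logging off
    past_decommission: retirement date has passed but the account still exists
    stale:             no configuration change within `stale_after`
    An account can land in more than one bucket; each is a separate action.
    """
    report = {"unmanaged": [], "past_decommission": [], "stale": []}
    for acct in accounts:
        if not acct["owner"] or not acct["cspm"] or not acct["logging"]:
            report["unmanaged"].append(acct["id"])
        if acct["decommission"] is not None and acct["decommission"] < today:
            report["past_decommission"].append(acct["id"])
        if today - acct["last_config_change"] > stale_after:
            report["stale"].append(acct["id"])
    return report


def fully_managed(accounts, today):
    """IDs of accounts that appear in no bucket at all."""
    report = reconcile(accounts, today)
    flagged = set(report["unmanaged"]) | set(report["past_decommission"]) | set(report["stale"])
    return [acct["id"] for acct in accounts if acct["id"] not in flagged]


if __name__ == "__main__":
    today = date(2021, 3, 15)  # constructed review date
    for bucket, ids in reconcile(SAMPLE_ACCOUNTS, today).items():
        print(f"{bucket:<18} {ids}")
    print(f"{'fully managed':<18} {fully_managed(SAMPLE_ACCOUNTS, today)}")
```

An account that is both past its decommission date and stale, as `acct-legacy-07` is here, is the case the report warns about: nobody is watching it, nothing is being patched, and it may still hold data. The "don’t assume it’s managed by someone else" rule is the `unmanaged` bucket with an empty owner field.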
At CrowdStrike, we know enterprises need cloud computing security and speed to go hand in hand. Security controls should not slow the speed of cloud application delivery. As cloud adoption continues among developers, the importance of a shift-left approach to security has only grown.
To meet this need, CrowdStrike Container Security was designed to integrate frictionless cybersecurity into the continuous integration/continuous delivery (CI/CD) pipeline. This integration takes multiple forms, including continuously scanning container images for known vulnerabilities and misconfigurations, detecting malware in base images before container deployment, and integrating with developer toolchains. By automating protection, organizations can empower DevSecOps to deliver secure applications without slowing the build cycle.