Companies face security risks, threats, and challenges every day. Some think these terms all mean the same thing. But they’re more nuanced. Understanding the subtle differences between them will help you better protect your cloud assets.
What are the differences between risk, a threat, and a challenge?
- A risk is a potential for loss of data or a weak spot.
- A threat is a type of attack or adversary.
- A challenge is an organization’s hurdles in implementing practical cloud security.
Let’s consider an example. An API endpoint hosted in the cloud and exposed to the public Internet is a risk.
The attacker who tries to access sensitive data using that API is the threat (along with any specific techniques they could try).
Your organization’s challenge is effectively protecting public APIs while keeping them available for legitimate users or customers who need them.
A complete cloud security strategy addresses all three aspects, so no cracks exist within the foundation. You can think of each as a different lens or angle with which to view cloud security. A solid strategy must mitigate risk (security controls), defend against threats (secure coding and deployment), and overcome challenges (implement cultural and technical solutions) for your business to use the cloud to grow securely.
3 Cloud Security Risks
You cannot completely eliminate risk; you can only manage it. Knowing common risks ahead of time will prepare you to deal with them within your environment. Let’s look at three.
1. Unmanaged Attack Surface
An attack surface is your environment’s total exposure. The adoption of microservices can lead to an explosion of publicly available workload. Every workloads adds to the attack surface. Without close management, you could expose your infrastructure in ways you don’t know until an attack occurs.
No one wants that late-night call.
Attack surface can also include subtle information leaks that lead to an attack. For example, CrowdStrike’s team of threat hunters found an attacker using sampled DNS request data gathered over public WiFi to work out the names of S3 buckets. CrowStrike stopped the attack before the attackers did any damage, but it’s a great illustration of risk’s ubiquitous nature. Even strong controls on the S3 buckets weren’t enough to completely hide their existence. As long as you use the public Internet or cloud, you’re automatically exposing an attack surface to the world.
Your business may need it to operate, but keep an eye on it.
2. Human Error
According to Gartner, through 2025, 99% of all cloud security failures will be due to some level of human error. Human error is a constant risk when building business applications. However, hosting resources on the public cloud magnifies the risk.
The cloud’s ease of use means that users could be using APIs you’re not aware of without proper controls and opening up holes in your perimeter. Manage human error by building strong controls to help people make the right decisions.
One final rule — don’t blame people for errors. Blame the process. Build processes and guardrails to help people do the right thing. Pointing fingers doesn’t help your business become more secure.
Cloud settings keep growing as providers add more services over time. Many companies are using more than one provider.
Providers have different default configurations, with each service having its distinct implementations and nuances. Until organizations become proficient at securing their various cloud services, adversaries will continue to exploit misconfigurations.
How To Manage Cloud Security Risks
Use this three-step process to manage risk in the cloud.
- Perform regular risk assessments to find new risks.
- Prioritize and implement security controls to mitigate the risks you’ve identified (CrowdStrike can help).
- Document and revisit any risks you choose to accept.
3 Cloud Security Threats
Top 4 Cloud Threats
Download this eBook to discover the top four threats to your cloud journey, and how to safely embrace the cloud and realize its benefits.Download Now
A threat is an attack against your cloud assets that tries to exploit a risk. Let’s consider three examples.
1. Zero-day Exploits
Cloud is “someone else’s computer.” But as long as you’re using computers and software, even those run in another organization’s data center, you’ll encounter the threat of zero-day exploits.
Zero-day exploits target vulnerabilities in popular software and operating systems that the vendor hasn’t patched. They’re dangerous because even if your cloud configuration is top-notch, an attacker can exploit zero-day vulnerabilities to gain a foothold within the environment.
2. Advanced Persistent Threats
An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged time.
APTs aren’t a quick “drive-by” attack. The attacker stays within the environment, moving from workload to workload, searching for sensitive information to steal and sell to the highest bidder. These attacks are dangerous because they may start using a zero-day exploit and then go undetected for months.
3. Data Breaches
A data breach occurs when sensitive information leaves your possession without your knowledge or permission. Data is worth more to attackers than anything else, making it the goal of most attacks. Cloud misconfiguration and lack of runtime protection can leave it wide open for thieves to steal.
The impact of data breaches depends on the type of data stolen. Thieves sell personally identifiable information (PII) and personal health information (PHI) on the dark web to those who want to steal identities or use the information in phishing emails.
Other sensitive information, such as internal documents or emails, could be used to damage a company’s reputation or sabotage its stock price. No matter the reason for stealing the data, breaches continue to be an imposing threat to companies using the cloud.
How to Handle Cloud Security Threats
There are so many specific attacks; it’s a challenge to protect against them all. But here are three guidelines to use when protecting your cloud assets from these threats and others.
- Follow secure coding standards when building microservices
- Double and triple check your cloud configuration to plug any holes
- With a secure foundation, go on the offensive with threat hunting. (CrowdStrike can help)
3 Cloud Security Challenges
Challenges are the gap between theory and practice. It’s great to know you need a cloud security strategy. But where do you start? How do you tackle cultural change? What are the daily practical steps to make it happen?
Identity and Access Management are critical. But how do you scale it for a company with tens of thousands of employees? Skilled business leaders must navigate the path from knowing what to do to understand how to do it.
Let’s examine three challenges every company faces when embracing the cloud.
1. Lack Of Cloud Security Strategy And Skills
Traditional data center security models are not suitable for the cloud. Administrators must learn new strategies and skills specific to cloud computing.
The promise of agility is attractive for many organizations. But lack of understanding in the knowledge and skills to effectively secure cloud environments can open up vulnerabilities.
Cloud may give organizations agility, but it can also open up vulnerabilities for organizations that lack the internal knowledge and skills to understand security challenges in the cloud effectively. Poor planning can manifest itself in misunderstanding the implications of the shared responsibility model, which lays out the security duties of the cloud provider and the user. This misunderstanding could lead to the exploitation of unintentional security holes.
2. Identity and Access Management
Identity and Access Management (IAM) is essential. While this may seem obvious, the challenge lies in the details.
It’s a daunting task to create the necessary roles and permissions for an enterprise of thousands of employees. There are three steps to a holistic IAM strategy: role design, privileged access management, and implementation.
Begin with a solid role design based on the needs of those using the cloud. Design the roles outside of any specific IAM system. These roles describe the work your employees do, which won’t change between cloud providers.
Next, a strategy for privileged access management (PAM) outlines which roles require more protection due to their privileges. Tightly control who has access to privileged credentials and rotate them regularly.
Finally, it’s time to implement the designed roles within the cloud provider’s IAM service. This step will be much easier after developing these ahead of time.
3. Shadow IT
Shadow IT challenges security because it circumvents the standard IT approval and management process.
Shadow IT is the result of employees adopting cloud services to do their jobs. The ease with which cloud resources can be spun up and down makes controlling its growth difficult. For example, developers can quickly spawn workloads using their accounts. Unfortunately, assets created in this way may not be adequately secured and accessible via default passwords and misconfigurations.
The adoption of DevOps complicates matters. Cloud and DevOps teams like to run fast and without friction. However, obtaining the visibility and management levels that the security teams require is difficult without hampering DevOps activities. DevOps needs a frictionless way to deploy secure applications and directly integrate with their continuous integration/continuous delivery (CI/CD) pipeline. There needs to be a unified approach for security teams to get the information they need without slowing down DevOps. IT and security need to find solutions that will work for the cloud — at DevOps’ velocity.
How to Overcome Cloud Security Challenges
Each challenge is different and therefore requires unique solutions. Take the time to plan before making use of any cloud services. A sound strategy takes into consideration any common cloud challenges like the ones we’ve discussed here. Then you’ll have a plan of action for each anticipated challenge.