Top 6 Cloud Vulnerabilities

Gui Alvarenga - June 28, 2022

As companies increase their use of cloud hosting for storage and computing, so increases the risk of attack on their cloud services. Companies must acknowledge this risk and defend their organization against potential cloud vulnerabilities. A 2021 study by IBM suggests that data breaches caused by cloud security vulnerabilities cost companies an average of $4.8 million USD to recover. This massive expense associated with data breaches includes the cost of investigating and repairing the breach, as well as any fines or penalties imposed by regulators.

But poor security can not only impact your organization financially. It can also cause reputational damage if customer data is compromised, leading to loss of business. The total cost of ineffective cloud security can therefore be significant, and companies must take steps to properly protect their data from any cloud vulnerability.

This article will cover the six most important potential cloud vulnerabilities your organization might face and suggest tips to mitigate them. Because in cybersecurity, proactive prevention is always preferred over required remediation.

How to Find and Eliminate Blind Spots in the Cloud

This guide covers some of the logging and visibility options that Amazon Web Services (AWS) and Google Cloud Platform (GCP) offer, and highlights their blind spots and how to eliminate them.

Download Now

# 1 Cloud Misconfiguration

Cloud misconfiguration is probably the most common vulnerability organizations face, as reported in a recent NSA study. Misconfigurations can take many forms and shapes, a few of which we cover below. They are often caused by a lack of knowledge of good practices or lack of peer review from your DevOps/infra team.

Identity and Access Management

Having unsecure identity and access management (IAM) is a common vulnerability in cloud systems. In a nutshell, it occurs when a user or service of your infrastructure has access to resources they should not be able to access and/or do not need.

To minimize this threat:

  • Enforce the principle of least privilege for all of your cloud resources and users; always avoid granting complete access to a resource if a service only needs read access or access to a subpart of the resource.
  • Use third-party tools to scan and detect misconfiguration of IAM policies; a cloud-native application protection platform (CNAPP) can help increase the visibility of a misconfiguration.
  • Frequently review access and privileges, as access requirements change over time.

Public Data Storage

This vulnerability occurs when a given data blob, like an S3 bucket or, less frequently, an SQL database, is partly or completely opened to the public, which then has access via either read-only or both read and write. A common cause of this issue is the misconfiguration of a resource.

Your DevOps team, sysadmins, and managers should follow some basic principles to minimize the risk of public data storage misconfiguration.

To minimize this threat:

  • Use third-party tools to scan your infrastructure and quickly detect this type of vulnerability.
  • Always have your data storage set to private by default for your cloud resource.
  • When using Terraform or other IaC framework, make sure to have the infrastructure-as-code files reviewed by another member of your team.

Other Misconfigurations

Many other vulnerabilities exist in this category; here is a quick rundown of good practices to reduce misconfiguration:

  • Always use HTTPS instead of HTTP (the same goes for any other protocol, e.g., FTP instead of SFTP); you should also use the latest version of SSL/TLS.
  • Restrict all inbound and outbound ports if not needed for a given machine fronted on the internet.
  • Keep secrets like API keys, passwords, etc. in one and only one place using a secure secret management solution (e.g., AWS Secrets Manager).

2022 Cloud Threat Report

Download this new report to find out which top cloud security threats to watch for in 2022, and learn how best to address them.

Download Now

#2 Insecure APIs

APIs are proliferating in modern software development, being used in microservices, application and website backends. They must handle requests received from mobile devices, applications, webpages and third parties, as well as bots, spammers and hackers. This is why having a secure API is critical to ensuring cyber threat mitigation and to protect against unwanted traffic.

These malicious requests can take a wide array of forms. Some of the most common are:

  • Code and query injection (SQL injection, command injection)
  • Taking advantage of a bad access control
  • Targeting a vulnerability due to an outdated component (software libraries, database engine, runtime environments, etc.)

Many cloud providers offer in-house solutions. Otherwise, there are a few easy steps you can take on your own to ensure API security.

To minimize this threat:

  • Have a web application firewall (WAF) to filter requests by IP address or HTTP header info, and to detect code injection attacks; WAFs also let you set response quotas per user or other metrics.
  • Implement DDoS protection (see more information below).

# 3 Lack of Visibility

As the use of cloud services increases, so does the scale of your infrastructure. When companies are using thousands of instances of cloud services, it can be easy to get lost in them or forget about some of those running instances. Visibility into the state of your entire infrastructure must be easy and convenient to access.

Lack of visibility of cloud infrastructure is a major issue that can delay action on a threat and result in a data breach. Managers, sysadmins and DevOps teams must therefore take a proactive security approach.

To minimize this threat:

  • Monitor for and detect threats.
  • Ensure visibility into your cloud infra.
  • Implement tools such as a CNAPP; this can minimize risk and shorten the response time in case of a breach.

# 4 Lack of Multi-factor Authentication

Multi-factor authentication (MFA) is an authentication method in which a user must present at least two forms of identification validation to access an account or data. For instance, a typical MFA is when a user has to enter a username and password. The user is then prompted to enter a second validation, such as a one-time password/code received via SMS, email or push notification on their cell phone.

Passwords and users are vulnerable to theft, making a lack of MFA a potentially critical vulnerability.

To minimize this threat: 

  • Implement MFA across your organization to benefit from an additional layer of authentication required to access systems (e.g., via a physical phone or email address).
  • Always enforce MFA for any employees granted cloud access to their accounts and data.

# 5 Malicious Insiders

Unauthorized access occurs when a user obtains access to some or all of your company’s cloud resources.

There are a few ways that these malicious insiders can gain access to your cloud accounts. As mentioned in the cloud misconfiguration section, this can result from too loose of rules or a former employee still having valid credentials to the accounts.

Malicious insiders can also access your cloud resources via account hijacking due to a successful phishing attack and/or weak credential security (e.g., too simple of a password or a password shared between accounts). This kind of vulnerability can be particularly dangerous, as not only data is at risk of being stolen or changed, but also intellectual property.

To minimize this threat:

  • Make sure MFA is activated.
  • Filter out phishing emails using an automated tool.
  • Educate employees about phishing attacks.
  • Make sure safe password practices are being followed.

# 6 Distributed Denial-of-Service Attacks

Distributed denial-of-service (DDoS) attacks are malicious efforts to take down a web service such as a website. It works by flooding the server with requests from different sources (hence distributed) and overcharging it. The goal is to make the server unresponsive to requests from legitimate users.

To minimize this threat:

  • Choose a cloud provider that protects against DDoS attacks; most do, e.g., AWS Shield comes with easy integration and no additional cost.
  • Make sure DDoS protection on your cloud service is always turned on.

Cloud computing vulnerabilities are increasingly common, and your organization must act to ensure mitigation. We discussed the most common cloud security threats, but there are many other vulnerabilities to be addressed.  CrowdStrike delivers advanced, unified and automated security to protect, prevent and address vulnerabilities. Learn more about CrowdStrike cloud security solutions.

The top Threats to your Cloud Journey

To safely embrace the cloud and realize its benefits, organizations need visibility into a larger and more complex landscape than ever before.

Download Now

GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga, is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.