Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Prioritizing Cloud Security Threats: What You Need to Know

Published 05/18/2022

Prioritizing Cloud Security Threats: What You Need to Know

This blog was originally published by Vulcan Cyber here.

Written by Roy Horev, Vulcan Cyber Co-founder and CTO.

As enterprises across the globe continue to leverage cloud technologies in order to improve business efficiency, cloud service providers (CSPs) looking to gain a competitive edge are expanding their offerings to meet this demand. In order to keep up with the market and ever-changing customer requirements, CSPs must accelerate their development efforts. But in many cases, the result is that cloud security threats become less prioritized, with development teams skimping on testing prior to software release.

This can lead to configuration issues and system flaws. While vulnerabilities can exist in any system—not only in the cloud—unidentified attack surfaces in the cloud mean that if vulnerabilities are not caught, this brings possible risks to multiple environments, especially in cases with complex multi-cloud set ups.

In this blog post, we discuss common cloud vulnerabilities, the importance of vulnerability prioritization and remediation, and the main sources of prioritization for cloud security risks.

Cloud Shared Responsibility Model

Regardless of the cloud model—whether IaaS, PaaS, SaaS deployed as a public cloud, hybrid, or multi-cloud—the CSP is charged with certain security responsibilities. As the cloud shared responsibility model shows, these obligations can vary depending on the cloud model, but:

  • Data and authentication are always the customer’s responsibility
  • The CSP will always be responsible for the physical infrastructure including networks, data centers, and hosts.

Organizations should be aware of the division of security responsibilities in order to understand where they must invest their efforts when it comes to system hardening as well as creating policies and procedures.

Cloud Security Traps

Cloud brings with it many challenges and security traps that companies can easily fall prey to.

When an organization’s key focus is the business as opposed to strategies to keep their infrastructure stable and secure, this often leads them to neglect important security aspects, resulting in:

  • Access management issues: In cases where there are multiple integrations in the cloud, either with third-party services, between cloud environments, or within the cloud environment, permissions configurations may not always align with the principle of least privilege. This may be due to technical issues or a misconfiguration.
  • Lack of visibility across the cloud: This issue is especially pertinent to multi-cloud setups due to their complex architectures, which can also make collaboration across teams and platforms difficult.
  • Failure to meet security compliance regulations: For businesses bound by compliance regulations, especially ISO standards (particularly relevant to the financial and healthcare industries), effective vulnerability management is a key requirement. But lack of visibility and/or inadequate knowledge of cloud responsibilities can lead companies to neglect certain systems and/or assets. And these unidentified or “invisible” systems or assets could in turn lead to missed vulnerabilities thus posing serious threats.

Whether passing a security compliance certification or to maintaining good cyber hygiene, identifying vulnerabilities and remediating the cloud security threats within a reasonable time frame is key.

The Importance of Prioritization and Remediation of Cloud Security Threats

Every organization needs to find the right program to facilitate its specific vulnerability management requirements. And the overwhelming majority of companies recognize the importance of having a formal system in place to identify vulnerabilities: According to the 2021 SANS cloud vulnerability management survey, 75% of companies reported having a formal, internally managed vulnerability management program running or had plans to establish one in the next year; 11.4% of organizations relied on a third-party formal program. The remainder either had an informal procedure or nothing at all.

Identifying vulnerabilities is key, and this is generally not difficult to implement. But what organizations need to understand is that identification alone is insufficient. The identified vulnerabilities need to be prioritized. And they need to be remediated, which can be challenging for a number of reasons:

  • Lack of budget and resources.
  • An overwhelming number of vulnerabilities to fix and lack of a streamlined process for easy tracking and reporting.
  • Not a functional requirement, so remediation efforts often go unrecognized and unrewarded.
  • Security teams are not held responsible for implementing fixes (even if they are held accountable when something goes wrong).

Vulnerabilities in the Cloud

With any asset, Identifying vulnerabilities early on is key, as this enables organizations to develop prioritization strategies to mitigate these weaknesses.

Below we cover five of the most common vulnerabilities in the cloud to watch out for.

1. Misconfiguration

Misconfigurations have played a major role in cloud data breaches in the past. These could be on the system, network, or access level, for example. In some cases, these misconfigurations can go undetected for months before being exploited.

2. Poor access management and control

Multi-factor authentication (MFA) plays a key role in access management, but not all systems support collaborative platforms. In addition, as industries become heavily reliant on automated systems, accounts are gaining root access and higher privilege access, going against the principle of least privilege (PoLP).

3. User of insecure APIs

The majority of applications today are integrated with cloud-native infrastructure,with APIs commonly used to enhance efficiency. An unprotected API could make it easy for attackers to gain access to the environment.

4. Incomplete systems/data deletions

When it comes to data and systems, best practices call for keeping the environment clean. When unmanaged data and systems exist in the environment without proper monitoring, it not only clutters the environment, but also increases the attack surface. This also poses risks to interconnected environments.

5. Lack of policies and procedures

No matter how well your infrastructure is hardened, it is important to establish clear boundaries and outline the security responsibilities of all parties involved in official documentation. When organizations fail to clearly define cloud-specific policies, this leads to gray areas and poor remediation outcomes among teams, especially during incident handling.

Top Inputs for Prioritization of Cloud Security Threats

So what are the main sources of data and information used when it comes to prioritization of cloud security risks?

  • Scoring vulnerabilities based on CVSS: This publicly available scoring system presents the severity of the vulnerabilities with a metric value. The higher the CVSS score, the more critical the vulnerability will likely be.
  • Availability of exploits: Sometimes the vulnerabilities are identified but a public exploit is unavailable. If there is an available exploit, these types of vulnerabilities require more attention.
  • Threat intelligence: Dedicated teams conduct threat intelligence research to identify new threats in systems, shedding light on unknown vulnerabilities and threats. Companies can either check these threat feeds themselves and/or use security tools already integrated with threat intelligence feeds.
  • Basis of asset prioritization: Assets can be prioritized based on their value—whether they are critical or non-critical—thus helping vulnerability teams decide which to fix first.
  • External databases: There are a number of publicly available databases—some public; some vendor-specific—that publish information about vulnerabilities. These include exploit databases, NIST, and NVD, as well as vendor-based intelligence like AWS, Redhat, Microsoft, or Google Cloud.
  • Bug bounty programs: Organizations invite security researchers to identify and expose security issues in the environment. This, however, should not be viewed as a complete security solution, as bug bounties don’t always work. The two main bug bounty platforms are those of Hackerone and BugCrowd.

Risk-Based Vulnerability Management Vs. Vulnerability Prioritization

Many risk-based vulnerability management programs are not effective and might not work for every environment, and so it is the organization’s responsibility to find the program or strategy best suited to their needs. Risk-based vulnerability management needs to capture the unique cloud security threats related to the enterprise. Since vulnerability management is not only a cyber-security practice but in some cases a mandatory requirement for compliance and regulations, understanding the vulnerability management model specific to the organization is key.

The vulnerability management maturity model calls for:

  • Preparing standards such as policies
  • Identifying vulnerabilities
  • Conducting an analysis to find the root causes and to prioritize
  • Implementing alerting as a way of communication
  • Remediating the findings

Vulnerability program maturity depends solely on the organization. Some companies may lack standard vulnerability management procedures altogether. But mature companies rely on an asset-centric automated approach offering proactive controls and streamlined remediation.

While cloud vulnerabilities can be prioritized based on the severity score provided by the scanning tool being used as well as the threat intelligence matrix, business impact and asset exposure must also be considered. Not every asset needs the same level of protection.

Conclusion

An organization may be focused on building a vulnerability management model suited to their needs, but even when policies are well documented, there can be a lack of maturity when it comes to detection, remediation, and reporting of cloud security threats. Teams may not always understand what needs to be done first, and so effective prioritization is a must. But making decisions based on common vulnerability information alone is insufficient. Rather, prioritization needs to be business specific and customized to cater to the organization’s needs.


About the Author

Roy believes if you choose a job you love you will never have to work a day in your life. Se he co-founded Vulcan Cyber and the rest is history. Before Vulcan, Roy was VP R&D at BackBox and was a systems engineer at Safeway Israel.