The Elephant in the Cloud
Published 03/29/2024
Originally published by Pentera.
Written by Aviv Cohen.
As much as we love the cloud, we fear it as well.
We love it because cloud computing services of Amazon, Azure, and Google have transformed operational efficiency and costs, saving us money, time, and alleviating much of the IT burden. We also fear it because as companies moved to the cloud, they found that their existing tools were not equipped to handle the new security challenges of the cloud environment.
In a perfect world, cloud security would have been the responsibility of the cloud providers. However, that is not the case. The responsibility for cloud security, as well as the responsibility for testing our security’s effectiveness against today’s cyber threats, remains with us.
It’s the “elephant in the cloud” or if you will – the “mammoth in the cloud.”
Meeting the Cloud Security elephant
Cloud environments are becoming more and more of a target for cyberattackers. It’s enough to glance at IBM’s 2023 Cost of a Data Breach Report to see that 82% of breaches involved data stored in the cloud—public, private or hybrid environments. Also stated in the report was that 39% of breaches spanned multiple environments, causing higher-than-average costs of USD 4.75 million per breach.
A classic example of the risks involved can be found in the Capital One data breach, where a firewall misconfiguration was exploited using a technique called Server-Side Request Forgery (SSRF) to gain access to Capital One’s cloud data storage buckets. With an estimated 100 million records jeopardized, the breach highlights the vulnerabilities of cloud environments and the importance of proper configuration and access controls. It serves as a wake-up call for all organizations to prioritize cloud security and data protection.
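As an added illustration of the configuration-and-access-control point above (example code, not from the original article or from Pentera), here is the kind of outbound-URL check a service should apply before fetching a user-supplied URL, so that an SSRF cannot be pointed at link-local, loopback or private addresses. The function name `validate_outbound_url` and the injectable `resolver` parameter are assumptions made for this example.

```python
# Added example: SSRF hardening for a server-side URL fetcher.
# Rejects non-http(s) schemes, userinfo tricks (http://trusted@internal/),
# and any host that is, or resolves to, a non-public address such as the
# link-local cloud metadata range (169.254.0.0/16), loopback or RFC1918 space.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` is injectable (assumption) so the
    check can be unit-tested offline; it must follow getaddrinfo's shape."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "userinfo in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literal: check it directly, no DNS involved.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False, "unresolvable host"
        addrs = {info[4][0] for info in infos}
    # Every address the name maps to must be public, otherwise a mixed
    # answer could be used to reach internal services.
    for addr in sorted(addrs):
        if not is_public_ip(addr):
            return False, f"non-public address {addr}"
    return True, "ok"
```

Because DNS answers can change between check and use (rebinding), the fetch itself should connect to the address that was validated rather than re-resolving the hostname.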
Traditional pentesting falls short when it comes to the cloud. We’re tempted to say “same old, same old, let’s just run our annual pentest in the Cloud environment and be done with it.”
Given the nature of the cloud, yesterday’s pentest is as meaningless as yesterday’s newspaper. The cloud-native computing lifecycle is fast, constantly introducing new environments and applications. This pace makes it hard for security to keep up and results in a higher risk of misconfiguration or permission errors.
The human and machine identities and roles of cloud computing add another layer of complexity to its microservices-based distributed environment. Cloud-specific security validation solutions are needed to address these challenges.
Hello, cloud-native penetration testing
The need to define cloud-native penetration testing led to three guiding principles – Automated, Continuous, and Encompassing (ACE). All three are interconnected:
- Automated – The only way to effectively cover millions of possible attacks on assets, protocols, payloads, and identities is through software-based automation. Manual pentesting would require hundreds of red teams to cover all this, if it is possible at all, and who can afford that?
- Continuous – And even if you are the lucky one who can put tens of pentesters to work, will they be able to cover the entire network time and again, keeping pace with the speed of change in your environments? Realistically, the only way of doing it is programmatically. Essentially, we should be looking to make it part of our DevSecOps or CloudOps processes so that all VNETs and VPCs are tested before they go live and then regularly thereafter.
- Encompassing – Traditional penetration tests are by definition sampling exercises that look for anomalies, for the one fluke out of the ordinary. However, in a cloud environment the concept of ‘test the golden image and you’ll be fine’ doesn’t hold water.
Don’t Assume. Validate.
Cloud Security without Pentesting means playing a game of assumption. You assume that your security controls are effective. You assume that the architecture you devised is hacker-proof. You assume your CIEM measures are sufficient for authentication and authorization. You assume a great deal.
Embrace change and confront the elephant in the cloud. Proactive measures, including the adoption of automated penetration testing technologies, are essential to stay one step ahead of cyber attackers. In this ever-evolving digital landscape, complacency is a luxury no organization can afford.