Challenges of Cloud Security (5 Traps to Avoid)
Originally published by Vulcan Cyber here.
Written by Gal Gonen, Vulcan Cyber.
It’s no surprise that one of the biggest concerns for companies using the cloud - whether they were born in the cloud or migrated to one - is the attached challenges of cloud security, specifically when “operating in the dark”.
There are many reasons for cloud security blind spots: poor infrastructure visibility, dark data, misconfigurations, or organizational and management problems. In this blog post, we will cover the potential cloud security traps you might face before, when and after choosing a cloud vendor, or while trying to own your cloud security program.
1. Lack of awareness about security responsibility
The cloud service provider might offer some security controls, but they are not responsible for all security processes. All too often, organizations have blind faith in their CSPs and fail to recognize their own considerable security responsibilities. Understanding their CSP’s security responsibilities as laid out in their SLA is critical.
2. Lack of visibility in the environment
In larger organizations, collaboration among teams does not always happen as flawlessly as it should for many reasons, whether it be due to poorly defined processes, lack of documentation, or other issues. This often leads to access management and identity issues.
Lack of visibility within the organization’s culture thus leads to a blind spot in the cloud environment. And this failure to protect the data in your environment could pose serious risks.
3. Complexities in multi-cloud setups and cross-functional teams
While multi-cloud integration allows organizations the flexibility to choose the services that suit them, the business value of this model is countered by the added complexity. Teams may struggle with cross-team collaboration - vulnerabilities might be detected by one team, but need to be fixed by another. And, with no proper mechanism to track the progress of the teams, it’s easy for security issues to fall through the cracks.
As companies scale, the multi-cloud environment grows more and more common, running the risk of unmanaged resources and dark data. This can result in unidentified risks to the organization, far more alarming than any known risks.
4. Dark data
In any organization, the data it holds is one of its most valuable assets. As organizations scale, there may be resources existing in the environment that are not accounted for and identified. This may include projects that were created in the initial stages, testing VMs, or an insecure connection to another environment.
An identified risk is always better so the company is aware of the consequences. Unmanaged dark data, on the other hand, poses a serious risk, as the organization will not have any visibility or be able to evaluate what could go wrong. With no monitoring or alerting set up for the resources where the data resides, in the case of an attack, it could last for weeks.
5. Access management
The principle of least privilege (PoLP) is a general security concept relevant to the cloud as well. Within an organization, employees should only have the necessary access within the framework of their roles and responsibilities. In cases where a person has more access than required, they could perform actions that could cause irreversible damage or that could simply lead to misconfigurations due to a lack of skills. Higher access should be given only to those who require it or who have the necessary skillset. . In all other cases, access should require approval—most critical operations have built-in approval processes to avoid any mistakes.
How to avoid cloud security blind spots
Cloud adoption continues to grow at an impressive pace, but along with technological improvements, the cloud also brings complexities. Cloud security mistakes can happen at both the technical and organizational level. Among organizations working in the cloud, common mistakes include a lack of knowledge, uninformed decisions, misconfigurations, and neglecting cloud security responsibilities. Here is how to overcome - or avoid altogether - some of the challenges of cloud security.
1. Asset management
Because risks are calculated based on assets, proper asset visibility is essential. However, in most large and multi-cloud environments, asset visibility is often minimal in absence of a central platform to manage and monitor this. Architectural complexities may also result in hidden assets, creating an even larger attack surface due to its unmanaged nature.
2. Code-level security checks
As data flows through the cloud environment, code-level security checks are a powerful measure in identifying application-related security issues before they are released to production. Infrastructure as code (IaC) can also help organizations implement best practices within infrastructure along with the use of DevOps tools to avoid network and privilege issues. But IaC should be thoroughly checked to avoid any resulting insecure configurations.
3. Preventing data leaks
To prevent data leaks, IT teams should make sure that systems are hardened according to best practices and provide least privileges. Even with the network- and system-level segregation and continuous monitoring, attacks can still happen due to human error. This, however, can be minimized with the use of automation tools.
There have been many scenarios where data has been leaked from cloud components such as S3 buckets or databases. And root cause analysis clearly shows that the responsibility does not fall under the CSP’s territory. One example to help understand the depth of the problem is the case of Veeam, which in 2018 exposed 445M customer records due to a misconfiguration in MongoDB.
Each of the three main cloud vendors offers vendor-specific security hardening that can be used for system hardening and continuous monitoring. Yet while the use of the native cloud tools offered by AWS, Azure, and GCP can certainly minimize blind spots to an extent, they only protect part of the system. Moreover, they don’t guarantee the security of multi-cloud architectures.
Minimizing cloud security blind spots
Security maturity requires the combined efforts of all parties involved. But even following all the above recommendations cannot help you fully overcome the challenges of cloud security. Identifying and prioritizing assets critical to your business, ensuring personnel is properly trained and working in a collaborative environment, and tracking the progress of the various teams, are all vital parts of an effective cyber security workflow.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.