A persisting myth is that cloud platforms are inherently secure — but in reality, the next cyberattack could always be around the corner, no matter if you’re in the cloud or on prem.
Moving to the cloud certainly has its benefits — especially during this new era of remote work. Cloud services offer flexibility and scalability, due to the ability to quickly spin up new users and instances as needed. There’s also the possibility of significant cost savings, depending on your existing infrastructure and requirements.
Many cloud providers list security as a major benefit, and that’s true — cloud storage vendors implement some baseline protections that can protect you against some security threats. However, you’d be mistaken to assume that those security measures are all you need to protect your organization.
The popularity of remote work has introduced new cybersecurity threats to both cloud and on-prem environments. Malicious actors are taking advantage of the increased opportunities for attack due to the increased usage of remote work tools such as RDP (Remote Desktop Protocol) — hence the surge of critical vulnerabilities such as BlueKeep and DejaBlue.
Let’s dive into the five biggest cloud security threats to watch out for in 2021, and what you can do about it.
Misconfigured cloud services
One of the biggest cloud security threats is simply due to human negligence, so it’s completely preventable. A cloud misconfiguration happens when a user or admin fails to properly set a cloud platform’s security setting. For example, an admin could accidentally allow unrestricted outbound access, causing unprivileged applications and servers to communicate with each other. One real-life example of misconfigured cloud services is the Alteryx breach in 2017, during which the online marketing firm exposed data from millions of households by misconfiguring an AWS S3 Bucket.
Despite its preventability, misconfiguration is a major problem. From 2018 to 2019, the number of records exposed by cloud misconfigurations increased by 80%, according to a study by DivvyCloud. In addition to data exposure and breaches, misconfiguration can result in brute-force attempts and exploits.
What you should do:
- Deploy MFA (multi-factor authentication) to reduce the risk of unauthorized access due to credential compromise. When you haven’t enabled MFA or you’ve applied a bypass setting, you’ve significantly increased your organization’s risk, making it susceptible to threats like phishing, brute-force attempts and stolen passwords.
- Practice RDP security best practices. If you absolutely have to use RDP, always make sure to abide by security best practices by implementing least-privilege principles, enabling network-level authentication, and always putting RDP-enabled services behind a VPN.
- Deploy a cloud-based SIEM. A SIEM can detect risky connections from the internet, like RDP and FTP. If you already subscribe to cloud services, a cloud-based SIEM like Blumira’s can more easily integrate with your existing environment.
Cloud vendors boast collaboration and shareability as benefits, but sometimes cloud environments make it too easy for users to share data, either with internal employees or external third-parties. Plus, when companies move their data to cloud storage, they often struggle to perform regular backups, because backing up such a large amount of data can be costly and difficult.
These factors make data loss a real threat to many companies that run systems in the cloud. In a 2019 Cloud Security Report by Synopsys, 64% cybersecurity professionals cited data loss and leakage as their top cloud security concern.
Recovering lost data sucks a lot of time, energy and money resources — and sometimes, those efforts are futile. That often requires your company to recreate that data or convert it from hard-to-copy formats, which completely disrupts workflow.
Plus, without performing regular backups, you’ll expose your company to an increased risk of ransomware. Many hackers encrypt cloud storage and demand payment in exchange for returning the data.
What you should do:
- Perform regular (and thorough) backups. Cloud backups, such as Backblaze, Carbonite and Acronis, are secure options that can help maintain business continuity.
- Test backup solutions. Cloud backup shouldn’t necessarily be a ‘set it and forget’ product. It’s easy to wait until an emergency to see how it works, but you should practice reconstituting critical systems from your backup solution of choice to ensure that it works smoothly and properly.
- Use a cloud-based SIEM. On-premises SIEM platforms can allow for attackers to go back in and change log data to hide audit trails of their activity, whereas a cloud SIEM will make sure that copies of your raw data are intact, no matter what.
Cloud applications typically interact with each other via APIs (application programming interfaces), and it’s tempting to put all of your faith and trust in those APIs.
Unfortunately, companies haven’t historically been successful at securing their APIs. Take Nissan, for example — an API flaw resulted in the ability for hackers to remotely control some features of the Nissan LEAF. When developers create APIs with inadequate authentication, they can contain security vulnerabilities that allow anyone to access your corporate data.
Malicious actors can exploit insecure APIs by launching denial-of-service (DoS) attacks and code injections, both of which allow them to access company data. And the problem is only getting worse — by 2022, APIs will become the most targeted attack vector, according to Gartner.
What you should do:
- Review logs from the APIs your company uses. For example, Blumira can fetch logs from GCP’s (Google Cloud Platform) API by using service accounts and can identify plaintext passwords.
- Implement centralized cloud monitoring. Major cloud storage providers use a plethora of unique APIs under the hood, making it difficult for even sophisticated security teams to fully understand those threats — much less continuously monitor them. A centralized cloud monitoring solution like Blumira’s can notify you about the highest priority threats and give recommendations on how to handle them.
Security teams often assume that malware isn’t an issue in the cloud — especially if they’ve already implemented endpoint security software and client-side firewalls. However, malware is a real threat in the cloud, and security teams must have multiple layers of security to detect it.
The data accessibility of cloud services is a double-edged sword, because that means that malware is also easily accessible. Data and documents constantly travel to and from the cloud, which means there are more opportunities for that data to be compromised.
Cloud malware, once it has infiltrated your system, spreads quickly and opens the door to even more serious threats. As the malware executes, it can funnel out protected data or find ways to steal access credentials via keyloggers. If left undetected, malware’s damage will only increase.
Malware in the cloud can take the form of several types of attacks, such as DoS attacks, hyperjacking, and hypervisor infections. One example of cloud malware, Cloud Snooper, infected cloud infrastructure servers hosted in the AWS cloud, using sophisticated techniques to evade detection and communicate with its servers through a firewall.
What you should do:
- Abide by a zero-trust model. A zero-trust model means that you should always assume that there’s a breach and secure all access to systems using multi-factor authentication and least privilege.
- Segment your network. If you do suffer from a malware attack, network segmentation will ensure that it will only affect a small segment of your network. It’s not a perfect method, though, because cloud hopping — the act of infiltrating user accounts via access to a cloud application — can render network segmentation useless.
- Implement a threat detection solution. A threat detection platform like Blumira’s can integrate with threat intelligence feeds and endpoint security tools to detect malicious executables, files and applications that are indicative of malware.
Insufficient identity and access management controls
Cloud storage providers encourage companies — especially small companies — to move all of their data to the cloud, promising lower costs and free service plans. Some companies move data hastily, without thinking through access and identity policies.
Having insufficient identity and access management policies can introduce a number of threats. One example is password spraying, which is a variant of a brute-force attack method in which a perpetrator attempts to gain unauthorized access by “spraying” the same password across multiple accounts. Password spraying can even circumvent common countermeasures, like a lock-out after multiple failed attempts, by using the same password across multiple accounts before trying another password. This security threat can be more common with cloud applications and services, since users can login remotely from any location.
The detrimental effects of password spraying don’t stop at one account. After gaining access to one system, threat actors move laterally to take hold of critical applications and data. Many cloud-enabled organizations use federation services, like Active Directory Federation Services, which can increase the damage of password spraying attacks since the attacker can compromise the authentication mechanism.
It’s important to be vigilant about access policies, too. Domain admin accounts in particular are high-value targets for malicious users. Once a threat actor gains domain access, they can perform irreparable damage on the entire company.
Access management becomes even trickier with hybrid environments. An intruder can access an exploited system through traditional means, and then exploit poorly designed access controls to pivot into the company’s cloud environment.
What you should do:
- Use biometric or multi-factor authentication (MFA). Duo Security and Okta both provide MFA and integrate with a variety of different cloud services.
- Implement a strong password policy. Users should be aware of password best practices — like the importance of choosing a passphrase with a mixture of numbers, upper-case and lower-case letters and special characters.
- Conduct regular access audits. As a security pro, you should always know which employees have access to certain files or systems — and whether they truly need access. If they don’t, then you should revoke access.
- Deploy a detection and response tool. A detection and response tool like Blumira’s can detect the use of password spraying and allow you to investigate.
- Limit domain access to small groups. This will limit exposure and lower your chances of a malicious actor gaining access to domain accounts.
Learn More About Cloud Security Threats
Traditionally, cloud security has been complicated and ineffective. But there are ways to simplify your approach to cloud security.
In our recent roundtable with Cybrary’s Director of Content Will Carlson, Blumira’s Director of Security Mike Behrmann and VP of Operations Patrick Garrity, you’ll learn more about the latest cloud security threats and how to easily identify and contain them.
Watch on-demand to learn from seasoned security experts and start building a cloud security strategy with Blumira’s Cloud Security Monitoring.