Common Threats to Cloud Security

Let’s start with the elephant in the (Zoom) room: Work from home. It has pushed more organizations to the cloud and is increasing usage by those already there. That widespread adoption makes cloud more of a target for attackers, and the rapid pace of the transition to remote work has left some security gaps in their wake.

So what are the security risks around cloud computing? To answer that question, let’s go through some of the biggest cloud threats, learn about common attack types, and overview potential solutions.

Common Cloud Security Threats

Cloud Identity and Access Management Issues

At the risk of sounding obtuse, cloud resources are complicated. You might have a complex array of microservices communicating with various databases, APIs, and so forth. So controlling who is allowed to talk to whom is both really important and really difficult. The most secure cloud is one where every door is closed and locked by default, and those doors will only open for the right user with a legitimate reason to go through.

For Example, SSRF Attacks

SSRF attacks are designed to prey on trust and privilege within a network—cloud or otherwise. They use a malicious client to send a request to a server. Hidden within that request is a trigger which causes the server to take some action within the network. Because the server can communicate with any resource, including internal sources inside the network, information that would ordinarily be protected inside the perimeter may be leaked. Alternatively, the internal server can be forced to communicate with an external resource, which it may assume is within its trust boundary.

It’s a powerful combination of leaking internal information and subverting the boundary of trust. What makes SSRF attacks particularly insidious is that they are usually combined with other vulnerabilities, allowing attackers to establish a foothold on the server which can then be exploited for remote code execution. This was true in the case of the widespread Exchange server vulnerability exploitation which came to light in 2021. Unfortunately, this type of attack is possible regardless of which public cloud provider you use.

Cloud metadata services are frequently targeted for SSRF attacks, since they have broad privileges in the cloud. They allow for easy management of cloud instances, often accessible via HTTP, making them a tempting target. SSRF attacks can trick an instance into connecting with its metadata service, providing a potential avenue of access to it—or convince it to expose valuable information like account credentials.

Unsecured Credentials

For something so central to security, there are an alarming number of ways to go wrong with credential management. From human error to insecure, decades-old authentication protocols, there are plenty of ways to go astray.

Common Credential Issues

  • Using weak passwords
  • Hard coding credentials without realizing that the code could end up in a publicly-accessible repository—as will those credentials
  • Unencrypted passwords sent across the network (or easily crackable hashes)
  • Static passwords and certificates—these should change regularly
  • Missing multifactor authentication

Further, initial access brokers have started to acquire and sell cloud credentials—these cybercrime specialists focus on gaining access and sell it to the highest bidder.

Misconfiguration

The multitude of configuration settings in the cloud environment and it’s ephemeral nature can make it an uphill challenge to ensure tight security rules. As far as human error goes, cloud misconfiguration is the most common cause of data breaches according to the Identity Theft Resource Center. If you dig into all those headlines about big breaches, you’ll notice it comes up a lot.

Misconfigured storage buckets are top of the list, as weary headlines like this one confirm. Other common ones are:

  • No encryption of data storage
  • Inappropriate ports open to the internet
  • Poor credential practices like leaving them in their default state
  • Overly permissive firewall rules
  • Turning off security tools—on purpose, by accident, or maliciously

Insecure APIs

APIs are intended to streamline cloud computing processes but, when left unsecured, can open lines of communication which can be exploited by bad actors. This one makes it into the headlines a lot too.

One reason cybercriminals are drawn to cloud APIs is that they have become the norm in IT infrastructures. As dependency on APIs increases, attackers have found two common ways to leverage them for malicious purposes.

Exploiting Inadequate Authentication

In some cases, developers create APIs without authentication. As a result, these interfaces are completely open to the internet, and anyone can use them to access enterprise systems and data. Think of it as walking around a neighborhood trying doors until you find one left unlocked.

Exploiting Open Source Software

A component-based approach to software development has become commonplace in the IT world. To save time, many developers incorporate open-source software into their code. This can leave many applications open to supply chain vulnerabilities. There was recently just a small incident involving open source software that you may have heard of: Log4j.

 

Cloud Software Supply Chain Vulnerabilities

While commonly discussed in the context of APIs (as mentioned above), supply chain vulnerabilities can be introduced through a variety of cloud components. Software, whether destined for the cloud or not, is often composed of reused blocks of code pulled from open source libraries. If there’s a vulnerability in the open-source software you used, it’s now in your software.

For example, near the end of 2021, a vulnerability was discovered in the open source Apache utility Log4j. This software was used so widely—from Minecraft to iCloud—that the Log4Shell exploit almost broke the internet.

It’s a daunting challenge to secure the cloud from supply chain vulnerabilities. Vulnerable software may have been in existence for years or decades and can make its way into countless other applications and systems. Many organizations may not even realize that they have a vulnerability in their environment.

Cloud Insider Threats

The phrase is used to refer to both negligent and malicious actions by employees that compromise an organization’s security. Unintentional threats can arise through anything from weak passwords to misconfigurations. While well-intentioned human error is likely the more common source of insider threats, there are still examples of employees making some shady choices.

Shoring up defenses against all the cloud threats we’ve already discussed will help defend against insider threats—limiting access and permissions, checking for misconfigurations, and, additionally, monitoring for suspicious activity.

Common Attacks on Cloud Environments

Distributed Denial of Service Attacks (DOS)

A denial-of-service (DoS) attack is a tactic for overloading a targeted system to make it unavailable. DoS attacks overwhelm the target by sending more traffic than it can handle, causing it to fail—making it unable to provide service to its normal users. A distributed denial-of-service (DDoS) is a type of DoS attack where the traffic used to overwhelm the target is coming from many distributed sources. This method means the attack can’t be stopped just by blocking the source of traffic.

While cloud systems tend to have more resources (making them harder to take down) they also may have vastly more users. If a cloud system is disrupted it can have widespread impacts.

Cryptomining

Cryptomining malware co-opts the target’s computing resources in order to mine cryptocurrencies like bitcoin. The process is sometimes referred to as cryptojacking. Over the last few years, it has become one of the most common attacks on cloud infrastructure. Services like container management platforms are a common target for attackers, who often use poorly secured APIs to gain access.

Targeting cloud infrastructures for cryptomining attacks appears to be trending upward. In late 2021, Google shared that a number of Google Cloud accounts had been compromised, 86% of which were then used for cryptomining. Some of them were also used to scan for other vulnerable systems in an attempt to spread the infection further. These accounts were compromised by taking advantage of some of the security gaps we’ve discussed—predominantly weak (or absent) passwords and supply chain vulnerabilities in installed software.

The Shared Responsibility Model

One unique complication of defending cloud environments is that squiggly line dividing what the cloud service provider (CSP) is responsible for and what the individual organization must secure for themselves, as defined by the shared responsibility model.

In (extremely) simplified terms, the cloud shared responsibility model means that CSPs are responsible for the security of the cloud and customers are responsible for securing the data they put in the cloud. Depending on the type of deployment—IaaS, PaaS, or SaaS—customer responsibilities will be determined.

 

This can also present challenges in terms of detection and visibility, as attacker behavior may move between cloud layers maintained by the organization (where you can see and detect it) and layers that belong to the CSP. It’s a bit like trying to keep an eye on a seal that occasionally dives out of view. You’re never quite sure where it might pop back up or what it did while out of view.

Cloud Security Solutions

Now that we’ve gone over the biggest cloud security threats, let’s look at solutions. Here are the primary cloud security solutions and what they each do.

Cloud Workload Protection Platforms (CWPP)

CWPPs check for vulnerabilities in static code, perform system hardening, and identify workload misconfiguration, all of which can help to reduce security risk. Use cases can include system file integrity monitoring, application whitelisting, host-based firewalling, patching and configuration management, anti-malware scanning, and endpoint threat detection and response.

Typically, CWPPs are agent-based tools that use a combination of tactics, including network segmentation, system integrity protection, host-based intrusion prevention and detection, and anti-malware capabilities. Although they provide security at a workload level, CWPPs do not offer coverage at the data or application layer. When defending containers, CWPP tools exclude runtime security, a crucial component of advanced threat detection and response.

Network Detection and Response (NDR)

Network detection and response (NDR) tools take a network-based approach to cloud threat defense, including securing containers. It enables defense-in-depth strategies given its ability to detect post-compromise behaviors inside the perimeter. Every workload uses the network to communicate, making network data useful for security analysts, incident responders, and forensic investigators.

Although network-based tools have been used for on-premises security for years, in the past it was often difficult to gather network data in cloud environments. With the introduction of network taps from major cloud service providers (CSPs) as well as third-party packet brokers, much of the friction and complexity previously associated with NDR in the cloud has been removed.

Cloud Access Security Brokers (CASB)

CASB tools can be on-premises or cloud-hosted solutions that monitor cloud users and enforce policies like SSO, authentication, credential mapping, and encryption.They sit between the CSP and user. They can extend existing security policies into the cloud and create custom controls specific to cloud environments. They’re often used for visibility into SaaS applications.

Static Application Security Testing (SAST)

SAST tools scan application code to identify potential vulnerabilities. They’re a scalable way to detect common vulnerabilities, but may struggle to identify the broader range of potential vulnerabilities. They’re also commonly used in software development.

Cloud Security Posture Management (CSPM)

CSPM is an automated way to identify cloud misconfigurations. It evolved from cloud infrastructure security posture assessment (CISPA) tools.

Cloud Infrastructure Entitlement Management (CIEM)

CIEM (not to be confused with SIEM) is a solution that manages and enforces access rights in the cloud. A tool of many names and forms, they can also be referred to as cloud entitlements management solutions or cloud permissions management solutions.

This post is also available in: Danish