The crucial role of identity in cloud security

As more and more businesses turn to cloud computing, it is increasingly important to understand the role of identity in cloud security. In this blog, we will explore why identity is crucial in cloud security and what measures businesses can take to strengthen their identity and access management practices.

The importance of identity in cloud security cannot be overstated. With cloud computing, businesses store and access their data and applications from remote servers. This means that the traditional perimeter-based security model of protecting a physical network perimeter is no longer adequate. Instead, identity and access management (IAM) have become central to securing cloud-based systems.

Identity and access management are essential because they ensure that only authorised users can access data and applications. By creating unique identities for each user and implementing policies that dictate access levels based on those identities, businesses can prevent unauthorised access and limit the damage if a breach does occur.

There are several reasons why identity is so important in cloud security:

Protects against data breaches

One of the biggest concerns for businesses when it comes to cloud security is data breaches. Hackers target cloud services because of the vast amount of data stored there. IAM helps prevent breaches by controlling access to data and applications, ensuring that only authorised users can view sensitive information.

Maintains compliance

Businesses operating in certain industries or regions may be subject to regulatory requirements governing how data is stored and accessed. IAM helps businesses maintain compliance with these requirements by tracking who has access to what data and monitoring user behavior.

Provides centralised control

In a cloud environment, access control is no longer confined to a physical network perimeter. Instead, businesses need to control access to resources across multiple environments and platforms. IAM provides centralised control, allowing businesses to manage user identities and access rights across multiple clouds and platforms from a single interface.

Enables segregation of duties

Segregation of duties is an important aspect of security, especially for businesses handling financial transactions. IAM allows businesses to create roles that have access to only the data and applications necessary for their specific job function. This limits the potential for unauthorised access to sensitive data and prevents employees from abusing their privileges.

To ensure effective IAM in a cloud environment, businesses must implement the following measures:

  1. Establish access controls
    Access controls determine who can access data and applications and what level of access they have. This should be based on a user’s identity, role, and need-to-know. Businesses should establish policies and procedures for granting, revoking, and reviewing access rights.
  2. Authenticate users
    To prevent unauthorised access, businesses must verify a user’s identity before granting access. This can be done through multi-factor authentication, which requires users to present at least two of: something they know (a password), something they have (a security token) and something they are (a biometric).
  3. Monitor user behaviour
    Monitoring user behaviour can help detect suspicious activity, such as unauthorised access attempts or unusual patterns of data access. Businesses should use tools to monitor user behaviour and investigate any suspicious activity immediately.
  4. Enforce policies
    IAM policies should be regularly reviewed and updated to ensure they align with business needs and industry regulations. Policies should be enforced consistently across all platforms and cloud environments.

In conclusion, identity is critical in cloud security. IAM is the key to controlling access to data and applications in a cloud environment. Businesses should take steps to implement effective IAM policies and procedures to ensure that their data and applications are secure. By doing so, businesses can reduce the risk of data breaches, maintain compliance, and improve overall security posture.

Cloud in Crisis – Part 2

We consider the four main cloud security archetypes available today and highlight why a practical approach to multi-cloud security needs to unify the strategies of these archetypes while addressing the security pain points.


In July, a blog by Ian Tinney explored where the responsibility for cloud security rests and highlighted some of the most common cloud security fails. In the second of this two-part blog series, Ian takes a closer look at the four main cloud security archetypes available today and explains why a practical approach to multi-cloud security needs to unify the strategy outlined by these four archetypes while addressing the security pain points.

The need to improve cloud confidence and create a cohesive approach to cloud security has seen several new archetypes emerge. Four cloud security pillars – CSPM, CIEM, CWPP and CNAPP – were identified by Gartner and are now used as the basis for classifying third-party security solutions.

Let’s look briefly at these in turn.

  • CSPM (Cloud Security Posture Management) provides cross-platform control of the cloud infrastructure. CSPM security management automation tools address misconfiguration issues by analysing configurations and comparing these with other inputs to identify risks. Today, a good CSPM tool should facilitate security enforcement and operations, compliance assurance, investigation and incident response. According to Gartner, through 2024, organisations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.
  • CIEM (Cloud Infrastructure Entitlements Management). Recognising the importance of access and entitlements, analyst firms Gartner and Forrester have highlighted the need to focus on identity governance in the cloud by reiterating the importance of Cloud Identity Governance (CIG) and Cloud Infrastructure Entitlements Management (CIEM). CIEM is newer than CSPM and fills the Identity and Access Management (IAM) gap. CIEM solutions leverage analytics and machine learning to detect anomalies around identities and entitlements. CIEM technologies discover all identities, users and their entitlements, and enforce identity and access governance controls to reduce excessive entitlements and right-size privileged access across the multi-cloud.
  • CNAPP (Cloud-Native Application Protection Platform) is the latest addition to the Gartner cloud security fold and is a convergence of multiple disciplines such as CWPP, CSPM and some CIEM functionality that delivers a full stack multi-cloud overview. CNAPP has come about in response to the demand for ‘cloud native’ security that seeks to protect the apps rather than just the infrastructure. The reliance on Infrastructure as Code (IaC) meant that CNAPP became necessary in order to protect the code used to build this infrastructure from malicious intent. CNAPP sees security workload and configuration scanning performed during development so that technologies are then protected during run time. Misconfigurations are not just identified but are used to identify security risks in associated or connected cloud resources.
  • CWPP (Cloud Workload Protection Platforms) is focused on the protection of workloads – irrespective of type or location – and scans for vulnerabilities and configuration issues, among other things, within the workload. CWPPs are designed to detect and prevent app attacks without needing to know the input source. They profile the application function and its behaviour, look for deviations from these and enforce a zero-trust policy. A comprehensive CWPP should give you the ability to discover and manage any unmanaged workloads it finds. CWPP capabilities typically include system hardening, vulnerability management, host-based segmentation and system integrity monitoring. CNAPPs use CWPP to give them more visibility.

Although the four cloud security archetypes provide a much-needed cloud-centric approach to security, each focuses on one particular area: no one strategy provides a complete security solution. Over time, some of the archetypes have attempted to fill the gaps in security provisioning, which is why we see CIEM provide the IAM that CSPM lacks and CNAPP borrow from CWPP to gain more depth into application workloads. But they still largely operate independently. To draw upon the security benefits of all four strategies, we need to simplify them and focus on what security teams need in order to quickly detect, investigate, triage and resolve high-risk, high-impact vulnerabilities.

A practical approach to multi-cloud security needs to unify the strategy outlined by the four archetypes while addressing the following security pain points:

  • A multi-cloud security baseline
  • Context-driven security
  • Risk scoring based upon a standardised threat matrix
  • Real-time cross-platform threat detection
  • Enforcement of least privilege and use of JIT privileges
  • Infrastructure as Code (IaC) security to shift left

This can be achieved by using cloud-native technology such as Ermetic’s identity-first CNAPP solution. The platform provides comprehensive cloud security that dramatically reduces your cloud attack surface. By automating complex cloud infrastructure security operations, it unifies full asset discovery, deep risk analysis, runtime threat detection and compliance reporting, combined with granular visualisation and step-by-step guidance.

CNAPP (CSPM + CWPP) leaves a vast gap around identities and privileges that Gartner has identified as a leading cause of cloud security issues. However, through our partnership with Ermetic, we are able to deliver identity-first CNAPP by combining the very best of the different cloud security archetypes into a unified, multi-cloud security product which gives you better visibility, awareness and control over your data, across platforms. This enables you to monitor the security and assess and respond to alerts based on the risk level. It also allows you to set policies and assess compliance with industry standards and regulations in real time. And it can be used to automate incident response and remediation.

Talk to us today about securing your cloud – identity first. Call us on +44 330 128 9180 or email info@4datasolutions.com.

You can also find out more in our ‘Cloud in Crisis: solving the multi-cloud security problem’ white paper here. Developed in partnership with our vendor, Ermetic, the white paper takes a closer look at:

  • The state of the cloud
  • Top cloud threats
  • The data security disconnect
  • Cloud security fails
  • An overview of today’s security solutions
  • Unified multi-cloud, identity-first security management

Cloud in Crisis – Part 1

With more and more businesses adopting a ‘cloud first’ strategy, and migration to multi-cloud already established as a key trend in 2023, security teams are struggling to get complete visibility of the cloud infrastructure.

In the first of a two-part blog, Ian Tinney explains where the responsibility for cloud security rests, and highlights some of the most common cloud security fails. 


Multi-cloud – the use of more than one public cloud service provider, typically a combination of AWS, Microsoft Azure and Google Cloud – continues to grow. According to Forrester [1], 60% of organisations are using multi-cloud, with this number predicted to rise to 81% over the next 12 months.

Multi-cloud promises to allow organisations to use the best of what’s on offer without the fear of having to lock in to any one vendor. Forrester’s research also found that 90% of businesses find that multi-cloud is helping them achieve business goals.

However, there is a downside to the rapid adoption of cloud services. Security teams are struggling to get full visibility of the cloud infrastructure, and gaps and blind spots in the security posture are making it more susceptible to attacks. Although businesses recognise the benefits the cloud can bring, confidence in security is clearly a significant area of concern for businesses.

62% of organisations are not confident in their security posture and 58% are aware of fewer than 75% of the assets on their network. In addition, 83% of organisations do not have a unified view into cloud and on-premises assets [2].

At the same time, cloud-based cyberattacks are increasing exponentially – there was a 48% year-on-year increase in 2022 [3]. The Cloud Security Alliance identified data breaches as the top cloud threat in 2022 [4].

Lack of clarity around cloud security responsibilities

Many businesses mistakenly believe that the cloud is secure by default and that cloud-native security tools will protect them against security breaches, but this results in a disconnect which leaves data exposed.

At the same time, there is widespread confusion around who is responsible for security within the cloud. In simple terms, cloud service providers are only responsible for the security ‘of’ the cloud, while security ‘in’ the cloud is the responsibility of the business. As such, businesses operating in the cloud must accept shared responsibility for security.

Let’s take a closer look at what each party is responsible for. The cloud provider has responsibility for:

  • Protecting the cloud provider’s physical premises, software, network and hardware
  • Service-level security, i.e. protection against attacks that would affect the entire cloud service
  • Ensuring their systems are always updated and have the necessary patches in place
  • Providing business continuity services and contingencies in case of an accident or system failure

The cloud customer has responsibility for:

  • Ensuring systems are properly configured
  • Security of traffic coming in and out of the server
  • Maintenance and protection of all platforms and applications running on the cloud
  • Patching their OS and applications
  • Configuring their OS, databases, and applications
  • Managing and handling all matters related to login, authentication and access permissions
  • Protection of the data that enters and exits the cloud service
  • Controlling what data is loaded to the cloud and ensuring an appropriate level of encryption
  • Enforcing security best practices for the cloud

While all cloud service providers have their own native security capabilities that can be easily configured and deployed, these capabilities only work well for businesses with minimal security aspirations. Native security capabilities are features rather than tools, and they don’t have the depth of coverage that a third-party cloud security platform can offer. This is why the business needs to have its own cloud security solutions.

Cloud security fails

According to analyst firm Gartner, through 2025, 99% of cloud security failures will be the customer’s fault. Today, an estimated 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020 [5].

Understanding where the repeat failings lie can help to guide cloud security policy and investment.

Let’s take a closer look at some of the most common reasons for cloud security failures.

  • Misconfiguration: The cloud has tens of thousands of configurations, and if one or a combination of these is misconfigured, it can raise the risk to a cloud resource. Cases of misconfiguration will rise as businesses become more agile and take advantage of cloud services. Today, most solutions only look at misconfigurations that affect a resource and do not report on risks from associated or connected cloud resources.
  • Quantify risk posture: The business needs to be able to baseline its cloud environment by assessing its infrastructure, identifying threats and correcting any risks and violations of compliance or best practice to understand its risk posture. It also needs to perform this discovery and inventory on a regular basis to control its cloud security and compliance.
  • Privilege creep: Failing to implement least privilege, whereby restrictions are put in place to assign the least access needed to perform certain tasks, is the number one cause of security breaches. During audits, we found almost 90% of cloud accounts had too many users assigned administrator privileges that were not needed. Privilege creep is where your least privilege policy is slowly eroded and undermined as more identities are added. A typical cloud environment has multiple human and non-human identities with tens of thousands of associated entitlements. It quickly becomes impossible to manage and govern these identities and their entitlements manually, so access can become granted by default. Once compromised, the attacker can then leverage entitlements attached to the identity to laterally move within the infrastructure and access services or exfiltrate data.
  • False positives: Approximately 75% of security teams spend the same amount of time or more investigating false positives as they do investigating genuine threats, and the sheer volume of alerts can be overwhelming. About 45% of all cybersecurity alerts are false positives. False positives cause the same amount of downtime as real cyberattacks [6]. As new cloud providers are brought on board under multi-cloud, the business ends up with incompatible software, which is then run simply in log/monitor mode or is disabled, with 91% of businesses hobbling their software in some way to cope with alert volumes [7].
  • Threat management: In an ideal world, security teams would be able to detect and apply importance to alerts so that the most critical vulnerabilities could be dealt with and resolved first. But in reality, they can’t. There is a huge disconnect between the security alerts being generated and the ability to grade and manage them effectively. Key to threat management is being able to prioritise alerts. Without this, security management becomes a game of whack-a-mole as you cannot determine which incidents are the most pressing and require attention first. Without a good grip on threats, risk and remediation, it becomes impossible to move towards a mature cloud operating model where auto-remediation can be considered.
  • Lack of oversight and cloud sprawl: As businesses have built out their cloud presence, moving to either hybrid or multi-cloud models, complexity has increased, making it harder to maintain visibility of, for instance, all the identities across the cloud infrastructure. As more security systems are brought online, more alerts are generated, particularly if these third-party solutions aren’t integrated adequately. Unless the business has cross-cloud visibility, it cannot create an accurate inventory across Compute, Network, Storage and IAM components; or gain contextual insights into the security posture, all resources, alerts, and the compliance status; or gain real-time security and operational intelligence and check the configuration of resources.
  • Compliance challenges: Businesses and their cloud providers now share responsibility for security, and this, together with a lack of visibility, the ephemeral nature of resources, and a multi-cloud environment, makes compliance in the cloud challenging, particularly for those in regulated industries and with contractual requirements. Cloud infrastructure should be continuously monitored for the risks of non-compliance with security requirements, standards, and regulations such as ISO 27001, CIS, NIST, GDPR, POPIA, FedRAMP, HIPAA, HITRUST etc.
  • High MTTD and MTTR: The Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to a potential security threat are the most important metrics for the security team when it comes to resolution. Both are now on the rise due to increasing threat volumes and the working-from-home trend. According to IBM, the average breach lifecycle takes 287 days, with organisations taking 212 days to initially detect a breach and 75 days to contain it [8]. Other reports suggest dwell time (the time between the start of a cyber intrusion and it being identified) stands at 30 days for those self-detecting, although 12% of internal investigations have a dwell time in excess of 700 days [9]. To reduce MTTD and MTTR, the business must adopt a more holistic, proactive approach that sees technologies combined to provide a single view, enabling quicker decision-making.

Look out for the second part of this blog where I’ll dig deeper into the security solutions available today and review the four cloud security pillars identified by Gartner that are now used as the basis to classify third-party security solutions – CSPM, CIEM, CWPP and CNAPP.

  1. Forrester Consulting Thought Leadership Paper (commissioned by HashiCorp, January 2022)
  2. Balbix, 2022 State of Security Posture Report
  3. Check Point Research (CPR)
  4. Cloud Security Alliance (CSA), 2022 Top Threats research
  5. Gartner, ‘Is the Cloud Secure?’ blog
  6. Fastly, Unified web app and API security, anywhere
  7. Fastly and the Enterprise Strategy Group, Reaching the tipping point of Web Application and API security blog
  8. Blumira and IBM, 2022 report
  9. FireEye Mandiant, M-Trends 2020 Report

Navigating cloud security

In this blog we take a closer look at why segregation in cloud environments is important for security, and share some best practice tips for implementing segregation in different environments.


With more and more organisations moving their applications and data to the cloud, security is becoming an increasingly important concern. Knowing how to segregate their cloud environment is one of the key challenges that organisations face, particularly when it comes to development, testing and production. However, as we’ll see, it’s well worth overcoming the challenge as segregation offers many security benefits. 

Segregating cloud environments is important for several key reasons. Firstly, it helps prevent unauthorised access to sensitive data and applications. A developer should not, for example, have access to production data or systems as such access could lead to accidental or intentional data breaches. Secondly, segregation helps to minimise the blast radius and potential impact should a data breach occur. For example, an attacker gaining access to a development environment should not be able to use those access rights to compromise production systems; you’ll want guardrails that prevent this. Also, applying segregation can streamline compliance efforts. Different environments may have different compliance requirements; by separating them, you can make it easier for teams to manage and demonstrate compliance.

And while segregating your cloud environments, consider making the lower environments, such as testing and staging, identical to the production environment. This approach gives you an excellent way to test that security controls, such as service control policies (SCPs) in AWS, do not break functionality in pre-production environments. Being able to ensure smooth sailing in lower environments gives greater security confidence when deploying to the production environment.

Six tips for segregating and otherwise securing your dev, testing and production environments

Following these six tips will help make your different cloud environments more secure. 

1. Segregate cloud environments

It’s crucial to segregate your different cloud environments to avoid unwanted changes or interference between them. This means that each environment should have its own resources, such as computing, storage and network. Doing so minimises the risk of a malicious actor moving from low-level accounts to critical high-level production accounts.

2. Cloud Access Control

One of the most important aspects of securing a cloud environment is access control. As a cardinal rule, you should be giving users access to only the environments and resources needed to do their jobs. For example, developers should only have access to development environments, and only authorised personnel should have access to production systems. It is also highly recommended that you utilise fine-grained permission control, which enables you to grant or revoke access to critical systems and data according to multiple conditions.

3. Encrypt your sensitive data

Encryption can help protect data in transit and at rest. You should encrypt all sensitive data, using strong encryption algorithms – and take care to manage your encryption keys carefully. 

4. Network Segmentation

Network segmentation involves dividing a network into smaller subnetworks to isolate different groups of users and resources. This segmentation can help prevent lateral movement by attackers and minimise the impact of any security incidents.

5. Monitoring and logging for incident detection

Monitoring and logging can help teams detect and respond to security incidents quickly. Try to automate monitoring of all environments for suspicious activity and retain logs for a sufficient period of time (at least six months, depending on the type of log) to allow for forensic analysis.

6. Patch Management

Let’s face it: no matter how tight your cloud security ship is, vulnerabilities are going to slip through. Keeping systems and applications up to date with the latest security patches is essential for preventing known vulnerabilities from being exploited.

A few final thoughts

As we have seen, segregating cloud environments is critical for ensuring the security of sensitive data and applications. By following the security best practices of access control, encryption, network segmentation, monitoring and logging and patch management, organisations can help minimise the risk of security incidents in their cloud environments and demonstrate compliance with regulatory requirements. 

By segregating your cloud environments and implementing relevant security processes and automation, you can prevent unauthorised access, minimise the impact of security incidents, such as by reducing the blast radius, and streamline compliance. 

With careful planning and implementation of these best practices, as well as collaboration among all involved, you can handily navigate the rough seas to continuously secure your cloud environments from development to production.

Find out more about how 4Data and Ermetic can help you with your cloud security challenges here or get in touch by email ian.tinney@4datasolutions.com

Credentials, OPSEC and you

With CyberSecurity Awareness Month in full swing and every vendor in the market pitching their particular solutions, I thought it might be fun to buck the trend and get back to some good old-fashioned vendor-agnostic ways of improving your cybersecurity posture.


Operational Security, or “OPSEC”, has been a concept in military circles for as long as military circles have existed. The thought that an adversary could collect and weaponise your own information against you has kept many defenders up at night, and the exploitation of poor OPSEC has led to many a defeat. 

In the context of modern business, OPSEC can be thought of as any practices, habits, rules and rituals performed on a day-to-day basis with the intent to make an attacker’s life more difficult. These could range from high-level policies around corporate vulnerability management to a policy forbidding staff from putting passwords on POST-IT notes under keyboards (we’ve all seen it). 

For the purposes of this article, I’d like to take a medium-depth dive into the concept of OPSEC as it pertains to credentials. We’ll explore how credentials are created, stored, stolen and abused and, more importantly, the little things that you, the user, can do to frustrate attackers in their efforts to abuse them.

Before going any further, we should establish who is responsible for good OPSEC. No surprises here; the answer is “you”. 

One of the hallmarks of organisations with poor OPSEC is the assumption that somebody else is taking care of things. This type of organisation tends to push responsibility (and culpability) up the food chain until it reaches a plateau where, unable to move any higher, it starts moving laterally, usually between department heads. Don’t be this type of organisation. 

Bringing it back to credentials, here is a more concrete example of why putting your faith in systems administrators to manage your credentials securely is probably a bad idea: take a second to head over to Troy Hunt’s excellent-if-terrifying website, haveibeenpwned.com. Enter your personal email address. Go on, I’ll wait.

Sufficiently horrified? Thought so. Some of your credentials are almost certainly already in the public domain; worse, if you’ve reused these credentials on other sites or services, it’s probably safe to say that they’ll eventually be compromised too.

Those websites, databases and services were run by professional systems administrators, often with dedicated cybersecurity staff at hand. If your list of breaches is anything like mine, we can deduce a few common themes about how credentials are stored in the real world. 

Firstly, despite most modern databases having decent implementations of hashing functions and encryption algorithms, systems administrators often either don’t use them, or misuse them in such a way as to make it trivial for an attacker to extract unencrypted passwords.

Secondly, simple misconfigurations (or permissions given out of frustration) regularly expose these poorly encrypted databases of credentials to the internet at large. 

Thirdly, many systems administrators interpret the request to delete an account as a request to disable or suspend an account. These are not the same thing.

These three points highlight just how easy it is for your credentials to fall into the wrong hands through no fault of your own, but understanding and acknowledging them also hints at a few things that you, the user, can do to make things somewhat more difficult for potential attackers. 
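To make the first of those three points concrete, here is an added example (not code from the original post) contrasting the kind of hashing misuse it describes, an unsalted fast hash that a leaked table reverses with a single lookup, against a salted, deliberately slow hash. The user records and wordlist are constructed for the demo, and the PBKDF2 iteration count is a placeholder to be tuned upward.

```python
"""Unsalted fast hashing (the 'misuse' of hashing the post refers to) next to
salted, deliberately slow key derivation.  Added example for this post; the
user records and wordlist below are constructed, not real breach data."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample: three users, two of whom chose the same password.
USERS = {"alice": "Winter2023", "bob": "password1", "carol": "Winter2023"}
# Constructed stand-in for a real cracking wordlist.
WORDLIST = ["123456", "password1", "qwerty", "Winter2023", "letmein"]

# ---- the misuse: an unsalted, fast hash -----------------------------------
def weak_hash(password: str) -> str:
    """Unsalted MD5: same password -> same digest, for every user on every site."""
    return hashlib.md5(password.encode()).hexdigest()

def reverse_weak_table(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What a leaked table looks like to whoever holds it: one precomputed
    lookup recovers every user whose password is in the wordlist.  No
    brute force, no per-user work."""
    lookup = {weak_hash(p): p for p in wordlist}
    return {user: lookup[d] for user, d in leaked.items() if d in lookup}

# ---- the fix: per-user random salt + slow key derivation -------------------
ITERATIONS = 100_000  # demo value; tune upward so one verify costs ~100 ms

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], stored)

def audit() -> dict:
    """Store USERS both ways and report what a leak of each table gives away."""
    weak_table = {u: weak_hash(p) for u, p in USERS.items()}
    recovered = reverse_weak_table(weak_table, WORDLIST)
    strong_table = {u: strong_hash(p) for u, p in USERS.items()}
    # With salts, alice and carol no longer share a digest, so a leak does not
    # even reveal that they reused the same password, let alone what it is.
    distinct_strong = len({digest for _, digest in strong_table.values()})
    return {
        "weak_recovered": sorted(recovered),
        "weak_shared_digest": weak_table["alice"] == weak_table["carol"],
        "strong_distinct_digests": distinct_strong,
        "strong_login_ok": verify("Winter2023", *strong_table["alice"]),
        "strong_wrong_rejected": verify("winter2023", *strong_table["alice"]),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```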

Credentials and Crime

Before we get into making yourself a difficult mark for cybercriminals, we’ll need to look at how they go about their business. Dispelling a few commonly held myths should help frame the conversation. 

Myth number one: “It’s just teenagers in hoodies.”

Cybercrime today is a multi-billion dollar industry. Criminal organisations have offices, helpdesks, holiday schedules and even the dreaded “middle management”. While the stereotype of the “hacker in a hoodie” does still exist, they primarily serve to feed credentials upstream to more traditional criminal organisations. These organisations bring resources, infrastructure and an increased risk appetite. A teenager with your bank details would be taking a significant personal risk by emptying your account. A global syndicate with a network of intermediate bank accounts in poorly regulated jurisdictions, less so. Criminal gangs pay good money for credentials; a complete set of bank details, including debit cards, could sell for as high as $250. Amazon accounts retail for around $30, eBay for approximately $20 and passports are $18 a piece. Given these prices, the breach of a relatively modest online store with only a few thousand users could mean a massive payday for the seller.

Myth number two: “No real criminal would be interested in me personally.”

In a sense, this is true, but unfortunately, not in a good way. Gone are the days when a cybercriminal would spend hours or even days trying to get into somebody’s accounts. Today accounts are found, stolen, sold, traded and compromised at industrial levels. While it’s true that a modern attacker may never see your name on their screen, rest assured that your details are somewhere on a very long list. Eventually, the automated tools criminals employ to validate stolen credentials will get to your name. 

Myth number three: “Having my credentials stolen is just an inconvenience.”

At first blush, having your Facebook account compromised might not seem like a life-changing event, but in many cases, it could be. Suppose you’ve used the same credentials for both Facebook and Gmail. In this case, it’s a matter of time before an attacker confirms this reuse of passwords through a technique called “Credential Stuffing”, in which known credentials for one website are automatically tested against hundreds or thousands of other websites. With your email credentials in hand, it’s a quick search of your inbox to see who you do your banking with, and if you’ve set up your bank account to use email as your multi-factor authentication, you can see where this is going. It’s also worth considering the treasure trove of personal details that social media accounts contain and how they might be used by an attacker to impersonate you to loved ones, online retailers and credit card companies. Account takeover attacks (ATOs) have become “bread and butter” in the cryptocurrency scammer world, ranging from the takeover of verified celebrity “blue check” Twitter accounts to simply impersonating friends and family to promote crypto fraud.

Myth number four: “Website administrators will secure my credentials.”

Modern websites are complicated machines with many technologies, frameworks and programming languages. The opportunity for mistakes or misconfiguration is endless, even for seasoned developers and administrators. When this complexity is combined with tight deadlines, a “Just make it work!” business culture and the fact that for most developers, security is a relatively small part of their job, it’s easy to see how mistakes could happen. These mistakes can, unfortunately, have serious consequences; a quick search on shodan.io lists 4,682,924 MySQL databases currently exposed to the internet. In a number that large, the chance that some of them will have weak, default or easy-to-guess administrative passwords is pretty high – and the malicious scripts that continuously probe them know this. The only question remaining is: how long before a database containing your details gets “popped” and sold on the Darknet?

Myth number five: “My password is difficult to guess.”

I hate to be the bearer of bad news, but your password is probably not as complex as it should be. According to research by Hive Systems, a password of 7 random characters or fewer is essentially useless.

Part of the problem with the password complexity arms race is that we’re pitting 1970s methods of manufacturing password complexity against 2020s technologies. Passwords of 8 or 9 random characters require a bit of effort, but are still entirely crackable by an enthusiast on current-generation off-the-shelf hardware. A middling modern laptop can test hundreds of thousands of passwords per second, and a decent-sized cloud instance, millions (while being far more cost-effective).

Things skew even more to the attacker’s side when you factor in the potential of “Rainbow Tables”. Rainbow tables are pre-computed cryptographic hashes of trillions of random character combinations available for download on your local hacker forums. If a website you frequent uses MD5 hashing to obfuscate user passwords, you can reasonably assume that your credentials were cracked long before you even signed up.
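The precomputation problem described above, as an added example that is not part of the original post: a tiny lookup table stands in for a rainbow table (the wordlist is constructed for the demo), and unsalted MD5 is contrasted with a per-user salt plus a slow key derivation function, which is what makes the precomputed table worthless.

```python
import hashlib
import secrets

# Constructed wordlist standing in for the trillions of candidates a real
# precomputed table covers; kept tiny so the example runs instantly.
WORDLIST = ["password", "letmein", "qwerty123", "Summer2020", "hunter2"]


def build_lookup_table(words):
    """Precompute digest -> plaintext once. Because unsalted MD5 of a given
    password is identical on every site, this one-off table is reusable
    against any breach that stored bare MD5 digests."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def store_unsalted_md5(password):
    """The weak scheme the post warns about: a bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_crack(stored_digest, table):
    """'Crack' an unsalted digest with a dictionary lookup, no hashing at all.
    Returns the plaintext or None when the table has no entry."""
    return table.get(stored_digest)


def store_salted(password, salt=None, iterations=600_000):
    """Defensive scheme: 16 random salt bytes per user plus PBKDF2-HMAC-SHA256
    with a deliberately high iteration count. The salt is stored in the clear
    next to the digest; it does not need to be secret, only unique."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return secrets.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 of hunter2 reversed to:", lookup_crack(store_unsalted_md5("hunter2"), table))
    rec = store_salted("hunter2")
    print("salted record reversed to:", lookup_crack(rec["digest"], table))  # None
    print("two users, same password, different salted digests:",
          rec["digest"] != store_salted("hunter2")["digest"])
```

Two users with the same password get the same unsalted digest, so a single table hit exposes both; with per-user salts the attacker must redo the slow computation for every user separately.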

Making it difficult for them

Now for the good news. Despite it looking like the odds are stacked against you, there are some straightforward and cost-effective ways of subverting the tools and processes of the credential theft industry. 

Use a password manager. Password managers make some of the more challenging elements of credentials OPSEC easy. Firstly, they make it possible to have a unique password for every site you frequent through the magic of auto-fill. I can proudly say that I have no idea what my Netflix password is; I only know that it’s over 32 characters long and isn’t used for anything else (limiting the “blast radius” if Netflix gets hacked). That’s not to say that password managers are perfect; they make juicy targets for hackers and have been compromised before. That said, the safety of having ludicrously complex, unique passwords for everything is probably worth it. Just be sure to secure your password manager with a complex password and multi-factor authentication. 

Use multi-factor authentication. Once a novelty, multi-factor authentication is slowly becoming the standard, particularly for sites and services that require credit card details. MFA means that even when your credentials are compromised, the criminals attempting to use them won’t be able to do too much damage in your name. Adding “something temporarily displayed on something you are physically close to” into the usual mix of username and password significantly increases the chances of an attacker moving on down the list of names in the hope of finding an easier target. One caveat on using SMS as your second authentication factor – it’s better than nothing, but not the best. Criminals have been known to manipulate telephone company support staff into shipping them duplicate SIM cards (or simply stealing them from post boxes), allowing them to effectively hijack users’ second authentication factors. Where possible, instead, use a mobile application such as Google Authenticator.
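How the “something temporarily displayed” factor is actually derived, as an added example that is not part of the original post: authenticator apps of the kind recommended above implement TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter taken from the clock. The shared secret below is the RFC 6238 Appendix B reference secret, used only so the output can be checked against the published test vector; the drift window and base32 enrolment helper are assumptions about how a service would typically verify codes.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes and reduces them to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): the counter is the number of 30-second steps since
    the Unix epoch, so the phone and the server agree without a network."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Server-side check. Accepts +/- `window` steps of clock drift and uses
    a constant-time comparison so timing does not leak the valid code.
    A real service should additionally refuse to accept the same code twice."""
    counter = int(unix_time) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), submitted):
            return True
    return False


def secret_from_base32(encoded):
    """Apps enrol the secret as a base32 string (the QR code's otpauth URI);
    re-pad it because many issuers strip the trailing '=' characters."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 Appendix B reference secret: ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
    print("code right now:", totp(RFC_SECRET, time.time()))
```

Note the secret never leaves the device once enrolled, which is why a duplicated SIM card gives the attacker nothing here, unlike SMS codes.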

Include commas in your passwords. Okay, admittedly this is more of a trolling exercise than actual OPSEC, but it is fun. Quite often, credential dumps are traded in the form of comma-separated value text files (CSVs). A well-placed comma in your credentials might just break CSV formatting, ensuring a little extra work and frustration for your would-be attacker. No point making it easy for ‘em, right?

Good Operational Security isn’t any single practice, process or technology. It’s the stacking of multiple small, everyday things that result in something far greater than the sum of their parts. Hopefully this post has provided a bit of insight into how attackers go about their business, and how, just like any legitimate workflow, they can be subject to disruption.

Have a great Cybersecurity awareness month all!

Peering into the cloud: a round-up of the latest industry research

The cloud offers businesses accessibility and scalability but those very benefits make security a prime concern.

Securing data in the cloud is very different to on-prem, as many of those who have migrated their data and sought to do the same with their security solutions have found out. According to the Cloud Security Report 2022 from ISC(2), 78 percent of respondents said traditional security solutions don’t work or have limited functionality in the cloud.  

The same report determined that 76 percent of organisations are now using two or more Cloud Service Providers (CSPs) and 72 percent have a hybrid or multi-cloud strategy. There’s also been a proliferation in the number of platforms being used, with 90 percent using three or more while 17 percent are using eight or more, leading to ‘cloud sprawl’. Many are now confident enough to entrust the cloud with business-critical functions, with 66 percent of those surveyed in Splunk’s The State of Security 2022 report saying their business-critical apps are now cloud-hosted, up by a whopping 25 percent from a year ago.

Yet security is still a secondary consideration during this rapid expansion. As Splunk’s Ryan Kovar puts it: “Three years ago, I was hearing ‘Wait, I have to monitor the cloud?’ Now it’s ‘Of course, I have to monitor the cloud. But how?’” He suggests security teams are only now “figuring out the scope of their security challenges” as deployments mature. Unfortunately, in the interim, the number of organisations that are falling victim to attacks or who are found to be non-compliant with industry regulations is on the rise.

Breach statistics

The Thales Global Cloud Security Report 2022 found over a third of organisations (35 percent) have experienced a data breach or failed an audit involving data and applications in the cloud over the course of the past year. Nearly a third (32 percent) had to issue a breach notification to a government agency, customer, partner or employee, revealing that even those in highly regulated industries are being caught out. Respondents said that cyber-attacks are up, with web, cloud-delivered and cloud-hosted applications as well as cloud-based storage among the top targets.

Worryingly, Splunk’s findings were even more stark as it found almost half (49 percent) of businesses had suffered a data breach over the course of the past two years, up 10 percent from its previous survey, and that 40 percent had violated regulations. Consequently, security teams are coming under even more pressure. The report found that 59 percent of teams had to devote more time and resources to remediation, an increase of 17 percent over the year, while 44 percent reported disruption to the business and 44 percent saw the loss of sensitive data.

On the plus side, there’s now evidence of the market maturing. The Cloud Security Alliance (CSA) draws attention to the fact that there’s been a move away from the more generic security threats, risks and vulnerabilities. But that’s where the good news ends as these have been replaced in its latest Top Threats to Cloud Computing: The Pandemic 11 report by control plane weaknesses, metastructure and applistructure issues, as well as a lack of cloud visibility.

Topping the list are insufficient identity, credential, access and key management at #1 (up from #4 in the last report), revealing the need for cloud-tailored Identity and Access Management (IAM). Insecure interfaces and APIs came in at #2 (up from #7), indicating our growing dependency on APIs rather than web applications and the need to monitor and secure these. In third place were misconfiguration and inadequate change control (bumped down from #2 previously), which shows that organisations are still failing to properly deal with configuration and change management.

Where it’s going wrong

To counter this, organisations should look to improve cloud visibility through Cloud Security Posture Management (CSPM) and be more assertive over data security. The ‘shared responsibility model’ delineates responsibility to the CSP for infrastructure and to the business for the security of accounts and data, but the consensus is that many organisations are failing to keep up their end of the bargain by protecting their applications and data. It’s worth noting that CSP system vulnerabilities have now fallen off the CSA list, suggesting CSPs are honouring their part of the deal.

Interestingly, the Splunk report found it’s not the types of attack or their sophistication that are proving to be the problem but the scale and complexity involved. Just over a quarter (28 percent) said they were too busy fighting attacks to refine their security tools and processes to better address these threats, and 27 percent said they were overwhelmed by alerts. This suggests teams are so busy firefighting they’re unable to step back and reassess whether their tools are meeting their needs.

Breaking the cycle

So how can we make these statistics go down? Security teams know they need to do better. In The State of Cloud-Native Security 2022 by Palo Alto Networks, the 55 percent who regarded their organisation as having a weak security posture knew they needed to improve their multi-cloud visibility, governance across accounts and streamlining of incident response. DevSecOps integration and cloud security automation were also flagged as key to achieving a stronger security posture.

But organisations must fundamentally reassess their cyberstack and their approach to security in the cloud. They need to look at the preventative measures they can put in place to guard against misconfiguration, how they can protect the apps and services and every piece of data under their control, and improve visibility in the cloud through the use of observability.

To do that, they need to move away from traditional security solutions and embrace cloud-native tools that offer CSPM for cross-platform control, Cloud Infrastructure Entitlements Management (CIEM) for access control, Cloud Native Application Protection Platforms (CNAPP) for the applistructure, and Cloud Workload Protection Platforms (CWPP) for the protection of workloads within the cloud.

To find out more about these technologies, check out our ‘Cloud in Crisis’ whitepaper here or to speak with us about how you can improve your cloud security posture, contact us today.