With more and more businesses adopting a ‘cloud first’ strategy, and migration to multi-cloud already established as a key trend in 2023, security teams are struggling to get complete visibility of the cloud infrastructure.
In the first of a two-part blog, Ian Tinney explains where the responsibility for cloud security rests, and highlights some of the most common cloud security fails.
Multi-cloud – the use of more than one public cloud service provider, typically a combination of AWS, Microsoft Azure and Google Cloud – continues to grow. According to Forrester [1], 60% of organisations are using multi-cloud, with this number predicted to rise to 81% over the next 12 months.
Multi-cloud promises to allow organisations to use the best of what’s on offer without the fear of having to lock in to any one vendor. Forrester’s research also found that 90% of businesses find that multi-cloud is helping them achieve business goals.
However, there is a downside to the rapid adoption of cloud services. Security teams are struggling to get full visibility of the cloud infrastructure, and gaps and blind spots in the security posture are making it more susceptible to attacks. Although businesses recognise the benefits the cloud can bring, confidence in security is clearly a significant area of concern for businesses.
62% of organisations are not confident in their security posture and 58% are aware of fewer than 75% of the assets on their network. In addition, 83% of organisations do not have a unified view into cloud and on-premises assets [2].
At the same time, cloud-based cyberattacks are increasing exponentially – there was a 48% year-on-year increase in 2022 [3]. The Cloud Security Alliance identified data breaches as the top cloud threat in 2022 [4].
Lack of clarity around cloud security responsibilities
Many businesses mistakenly believe that the cloud is secure by default and that cloud-native security tools will protect them against security breaches. This results in a disconnect between what the provider secures and what the customer assumes is secured, and it leaves data exposed.
At the same time, there is widespread confusion around who is responsible for security within the cloud. In simple terms, cloud service providers are only responsible for the security ‘of’ the cloud, while security ‘in’ the cloud is the responsibility of the business. As such, businesses operating in the cloud must accept shared responsibility for security.
Let’s take a closer look at what each party is responsible for. The cloud provider has responsibility for:
- Protecting the cloud provider’s physical premises, software, network and hardware
- Service-level security, i.e. protection against attacks that would affect the entire cloud service
- Ensuring their systems are always updated and have the necessary patches in place
- Providing business continuity services and contingencies in case of an accident or system failure
The cloud customer has responsibility for:
- Ensuring systems are properly configured
- Security of traffic coming in and out of the server
- Maintenance and protection of all platforms and applications running on the cloud
- Patching their OS and applications
- Configuring their OS, databases, and applications
- Managing and handling all matters related to login, authentication and access permissions
- Protection of the data that enters and exits the cloud service
- Controlling what data is loaded to the cloud and ensuring an appropriate level of encryption
- Enforcing security best practices for the cloud
While all cloud service providers have their own native security capabilities that can be easily configured and deployed, these capabilities only work well for businesses with minimal security aspirations. Native security capabilities are features rather than tools, and they don’t have the depth of coverage that a third-party cloud security platform can offer. This is why the business needs to have its own cloud security solutions.
Cloud security fails
According to analyst firm Gartner, through 2025, 99% of cloud security failures will be the customer’s fault. Today, an estimated 75% of security failures result from inadequate management of identities, access and privileges, up from 50% in 2020 [5].
Understanding where the repeat failings lie can help to guide cloud security policy and investment.
Let’s take a closer look at some of the most common reasons for cloud security failures.
- Misconfiguration: The cloud has tens of thousands of configuration settings, and if one, or a combination of them, is misconfigured, it can create or add to the risk carried by a cloud resource. Cases of misconfiguration will rise as businesses become more agile and take advantage of more cloud services. Today, most solutions only look at misconfigurations that affect a single resource and do not report on risks that arise from associated or connected cloud resources.
- Quantify risk posture: The business needs to be able to baseline its cloud environment by assessing its infrastructure, identifying threats and correcting any risks and violations of compliance or best practice to understand its risk posture. It also needs to perform this discovery and inventory on a regular basis to control its cloud security and compliance.
- Privilege creep: Failing to implement least privilege, whereby restrictions are put in place so that each identity is assigned only the access needed to perform its tasks, is the number one cause of security breaches. During audits, we found almost 90% of cloud accounts had too many users assigned administrator privileges that were not needed. Privilege creep is where your least privilege policy is slowly eroded and undermined as more identities are added. A typical cloud environment has multiple human and non-human identities with tens of thousands of associated entitlements. It quickly becomes impossible to manage and govern these identities and their entitlements manually, so access ends up being granted by default. Once such an identity is compromised, an attacker can use the entitlements attached to it to move laterally within the infrastructure and access services or exfiltrate data.
- False positives: Approximately 75% of security teams spend the same amount of time or more investigating false positives as they do investigating genuine threats, and the sheer volume of alerts can be overwhelming. About 45% of all cybersecurity alerts are false positives. False positives cause the same amount of downtime as real cyberattacks [6]. As new cloud providers are brought on board under multi-cloud, the business ends up with incompatible software, which is then run simply in log/monitor mode or is disabled, with 91% of businesses hobbling their software in some way in order to cope with alert volumes [7].
- Threat management: In an ideal world, security teams would be able to detect and apply importance to alerts so that the most critical vulnerabilities could be dealt with and resolved first. But in reality, they can’t. There is a huge disconnect between the security alerts being generated and the ability to grade and manage them effectively. Key to threat management is being able to prioritise alerts. Without this, security management becomes a game of whack-a-mole as you cannot determine which incidents are the most pressing and require attention first. Without a good grip on threats, risk and remediation, it becomes impossible to move towards a mature cloud operating model where auto-remediation can be considered.
- Lack of oversight and cloud sprawl: As businesses have built out their cloud presence, moving to either hybrid or multi-cloud models, complexity has increased, making it harder to maintain visibility of, for instance, all the identities across the cloud infrastructure. As more security systems are brought online, more alerts are generated, particularly if these third-party solutions aren’t integrated adequately. Unless the business has cross-cloud visibility, it cannot create an accurate inventory across Compute, Network, Storage and IAM components; gain contextual insight into the security posture, all resources, alerts and the compliance status; or gain real-time security and operational intelligence and check the configuration of resources.
- Compliance challenges: Businesses and their cloud providers now share responsibility for security, and this, together with a lack of visibility, the ephemeral nature of resources and a multi-cloud environment, makes compliance in the cloud challenging, particularly for those in regulated industries and those with contractual requirements. Cloud infrastructure should be continuously monitored for the risk of non-compliance with security requirements, standards and regulations such as ISO 27001, CIS, NIST, GDPR, POPIA, FedRAMP, HIPAA, HITRUST etc.
- High MTTD and MTTR: The Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to a potential security threat are the most important metrics for the security team when it comes to resolution. Both are now on the rise due to increasing threat volumes and the working-from-home trend. According to IBM, the average breach lifecycle takes 287 days, with organisations taking 212 days to initially detect a breach and 75 days to contain it [8]. Other reports suggest dwell time (the time between the start of a cyber intrusion and it being identified) stands at 30 days for those self-detecting, although 12% of internal investigations have a dwell time in excess of 700 days [9]. To reduce MTTD and MTTR, the business must adopt a more holistic, proactive approach that sees technologies combined to provide a single view, enabling quicker decision-making.
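The misconfiguration and risk-posture points above turn on one distinction: checking each resource in isolation versus following the links between resources. The script below is an added example (not code from the original post or from any product it mentions). It runs both kinds of check over a small constructed inventory whose resource types, attribute names and identifiers are invented for illustration rather than taken from any provider's real API schema, and it derives a simple baseline posture score from the findings.

```python
"""Context-aware misconfiguration checks over a constructed cloud inventory.

Added example, not from the original post. Resource types, attribute names,
identifiers and the scoring weights are all assumptions made for illustration.
"""

ADMIN_PORTS = {22, 3389}                                   # SSH, RDP
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 15}

# Constructed inventory: each resource has a type, attributes, and the ids of
# resources it is connected to (e.g. a VM attached to a security group).
INVENTORY = [
    {"id": "sg-web", "type": "security_group", "links": [],
     "attrs": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                           {"port": 443, "cidr": "0.0.0.0/0"}]}},
    {"id": "sg-db", "type": "security_group", "links": [],
     "attrs": {"ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]}},
    {"id": "vm-web-1", "type": "vm", "links": ["sg-web"],
     "attrs": {"public_ip": True, "role": "role-admin"}},
    {"id": "vm-db-1", "type": "vm", "links": ["sg-db"],
     "attrs": {"public_ip": False, "role": "role-readonly"}},
    {"id": "role-admin", "type": "iam_role", "links": [], "attrs": {"policies": ["*:*"]}},
    {"id": "role-readonly", "type": "iam_role", "links": [], "attrs": {"policies": ["storage:Get"]}},
    {"id": "bucket-backups", "type": "bucket", "links": [],
     "attrs": {"public": False, "encrypted": False}},
]


def world_open_ports(sg):
    """Ports a security group exposes to the whole internet."""
    return {rule["port"] for rule in sg["attrs"].get("ingress", [])
            if rule["cidr"] in ("0.0.0.0/0", "::/0")}


def resource_findings(inventory):
    """Checks that look at one resource in isolation (what most tools report)."""
    findings = []
    for r in inventory:
        a = r["attrs"]
        if r["type"] == "security_group":
            admin_open = world_open_ports(r) & ADMIN_PORTS
            if admin_open:
                findings.append({"resource": r["id"], "severity": "high",
                                 "check": "admin-port-open-to-world", "detail": sorted(admin_open)})
        elif r["type"] == "bucket":
            if a.get("public"):
                findings.append({"resource": r["id"], "severity": "high",
                                 "check": "bucket-public", "detail": None})
            if not a.get("encrypted", False):
                findings.append({"resource": r["id"], "severity": "medium",
                                 "check": "bucket-unencrypted", "detail": None})
        elif r["type"] == "iam_role" and "*:*" in a.get("policies", []):
            findings.append({"resource": r["id"], "severity": "medium",
                             "check": "role-wildcard-policy", "detail": None})
    return findings


def contextual_findings(inventory):
    """Checks that follow links: an open admin port on a security group is one
    finding; that group attached to an internet-facing VM carrying a wildcard
    role is a toxic combination that per-resource checks never surface."""
    by_id = {r["id"]: r for r in inventory}
    findings = []
    for r in inventory:
        if r["type"] != "vm" or not r["attrs"].get("public_ip"):
            continue
        open_ports = set()
        for link in r["links"]:
            sg = by_id.get(link)
            if sg and sg["type"] == "security_group":
                open_ports |= world_open_ports(sg)
        reachable_admin = open_ports & ADMIN_PORTS
        if not reachable_admin:
            continue
        role = by_id.get(r["attrs"].get("role", ""), {})
        wildcard = "*:*" in role.get("attrs", {}).get("policies", [])
        findings.append({"resource": r["id"],
                         "severity": "critical" if wildcard else "high",
                         "check": "internet-reachable-admin-port",
                         "detail": {"ports": sorted(reachable_admin),
                                    "role": role.get("id"), "wildcard_role": wildcard}})
    return findings


def posture_score(findings):
    """Baseline score: start at 100, deduct per finding by severity, floor at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHT[f["severity"]] for f in findings))


def assess(inventory):
    """Run both check families and return the findings with a posture score."""
    findings = resource_findings(inventory) + contextual_findings(inventory)
    return {"findings": findings, "score": posture_score(findings)}


if __name__ == "__main__":
    report = assess(INVENTORY)
    for f in report["findings"]:
        print(f"{f['severity']:9}{f['resource']:16}{f['check']}  {f['detail'] or ''}")
    print("posture score:", report["score"])
```

Re-running `assess` on each inventory snapshot gives the regular discovery-and-baseline cycle the text calls for; a falling score between runs is the signal that drift has been introduced. The only critical finding in the sample comes from the contextual pass, which is exactly the gap described for tools that score resources one at a time.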
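The privilege-creep point is easiest to see against an entitlement inventory: which identities hold high-privilege entitlements they never exercise, and what the trimmed-down grant would look like. The audit below is an added example (not code from the original post). The identity names, entitlement names, the "high-privilege" set, the 90-day idle threshold and the last-used figures are all invented; a real audit would pull them from the provider's IAM and access-log APIs.

```python
"""Privilege-creep audit over a constructed entitlement inventory.

Added example, not from the original post. Identities, entitlement names,
the high-privilege set and the idle threshold are assumptions for illustration.
"""
from dataclasses import dataclass, field

UNUSED_DAYS = 90                                         # assumed idle threshold
ADMIN_ENTITLEMENTS = {"admin:*", "iam:*", "storage:*"}  # assumed high-privilege set


@dataclass
class Identity:
    name: str
    kind: str                       # "human" or "service"
    # entitlement -> days since last use; None = never used in the log window
    entitlements: dict = field(default_factory=dict)


# Constructed inventory mixing human and non-human identities.
IDENTITIES = [
    Identity("alice", "human", {"admin:*": None, "storage:Get": 2}),
    Identity("bob", "human", {"storage:*": 120, "compute:Describe": 1}),
    Identity("ci-deployer", "service", {"compute:Deploy": 0, "iam:*": None}),
    Identity("dashboard", "service", {"storage:Get": 3}),
]


def stale(entitlements, threshold=UNUSED_DAYS):
    """Entitlements never used, or unused for longer than the threshold."""
    return sorted(e for e, days in entitlements.items()
                  if days is None or days > threshold)


def audit(identities, threshold=UNUSED_DAYS):
    """Per-identity report: what is granted, what is idle, and the
    least-privilege grant that would remain after trimming."""
    report = []
    for ident in identities:
        idle = stale(ident.entitlements, threshold)
        idle_admin = [e for e in idle if e in ADMIN_ENTITLEMENTS]
        keep = sorted(e for e in ident.entitlements if e not in idle)
        if idle_admin:
            action = "remove_admin"      # unused admin rights: highest priority
        elif idle:
            action = "trim"              # ordinary unused rights
        else:
            action = "ok"
        report.append({"identity": ident.name, "kind": ident.kind,
                       "granted": len(ident.entitlements), "stale": idle,
                       "stale_admin": idle_admin, "keep": keep, "action": action})
    return report


def creep_summary(report):
    """How far the estate has drifted from least privilege."""
    with_admin_creep = sum(1 for r in report if r["stale_admin"])
    total = len(report)
    return {
        "identities": total,
        "identities_with_unused_admin": with_admin_creep,
        "pct_with_unused_admin": round(100 * with_admin_creep / total) if total else 0,
        "entitlements_removable": sum(len(r["stale"]) for r in report),
    }


if __name__ == "__main__":
    rows = audit(IDENTITIES)
    for r in rows:
        print(f"{r['identity']:12}{r['kind']:8}{r['action']:13}"
              f"stale={r['stale']} keep={r['keep']}")
    print(creep_summary(rows))
```

Service identities such as `ci-deployer` are the ones most often missed by a manual review, so the report deliberately does not treat them differently from humans; an idle wildcard grant on an automation credential is the same lateral-movement risk if that credential leaks.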
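The false-positive and threat-management points both come down to the same pipeline: collapse duplicates, suppress the sources known to be benign, and rank what is left by something richer than the tool's own severity label. The triage queue below is an added example (not code from the original post or from any tool it names). The alert fields, the asset-context table, the benign-scanner address and the scoring formula are all constructed for illustration.

```python
"""Alert triage: dedupe, suppress known-benign sources, rank by context.

Added example, not from the original post. Alert schema, asset context,
the allow-listed scanner address and the scoring weights are assumptions.
"""

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alert stream from overlapping tools: a duplicate from a rescan,
# and two noisy hits caused by an internal vulnerability scanner.
ALERTS = [
    {"id": 1, "source": "cspm", "rule": "bucket-public", "asset": "bucket-backups",
     "severity": "high", "confidence": 0.9},
    {"id": 2, "source": "cwpp", "rule": "port-scan", "asset": "vm-web-1",
     "severity": "medium", "confidence": 0.4, "actor": "10.0.9.9"},
    {"id": 3, "source": "ciem", "rule": "admin-key-unused", "asset": "ci-deployer",
     "severity": "medium", "confidence": 0.8},
    {"id": 4, "source": "cspm", "rule": "bucket-public", "asset": "bucket-backups",
     "severity": "high", "confidence": 0.9},                 # repeat of alert 1
    {"id": 5, "source": "ids", "rule": "credential-stuffing", "asset": "vm-web-1",
     "severity": "critical", "confidence": 0.7},
    {"id": 6, "source": "ids", "rule": "port-scan", "asset": "vm-db-1",
     "severity": "medium", "confidence": 0.4, "actor": "10.0.9.9"},
]

# Asset context the alert itself lacks: internet exposure and business criticality (1-3).
ASSET_CONTEXT = {
    "bucket-backups": {"internet_facing": False, "criticality": 3},
    "vm-web-1": {"internet_facing": True, "criticality": 2},
    "vm-db-1": {"internet_facing": False, "criticality": 3},
    "ci-deployer": {"internet_facing": False, "criticality": 3},
}

# Constructed allow-list: the address of the organisation's own scanner.
KNOWN_BENIGN_ACTORS = {"10.0.9.9"}


def dedupe(alerts):
    """Collapse repeats of the same rule on the same asset, keeping a count.
    Returns new dicts, so the input stream is left untouched."""
    seen = {}
    for a in alerts:
        key = (a["rule"], a["asset"])
        if key in seen:
            seen[key]["occurrences"] += 1
        else:
            seen[key] = dict(a, occurrences=1)
    return list(seen.values())


def suppress(alerts, benign_actors=KNOWN_BENIGN_ACTORS):
    """Split alerts into kept and suppressed; suppressed ones are retained
    for audit rather than discarded."""
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if a.get("actor") in benign_actors else kept).append(a)
    return kept, suppressed


def score(alert, context):
    """severity x confidence x exposure x criticality; unknown assets get a
    conservative default so they are ranked rather than dropped."""
    ctx = context.get(alert["asset"], {"internet_facing": False, "criticality": 1})
    exposure = 2.0 if ctx["internet_facing"] else 1.0
    return round(SEVERITY[alert["severity"]] * alert["confidence"]
                 * exposure * ctx["criticality"], 2)


def triage(alerts, context=ASSET_CONTEXT):
    """Return (ranked queue, suppressed alerts)."""
    kept, suppressed = suppress(dedupe(alerts))
    for a in kept:
        a["score"] = score(a, context)
    kept.sort(key=lambda a: a["score"], reverse=True)
    return kept, suppressed


if __name__ == "__main__":
    queue, dropped = triage(ALERTS)
    for a in queue:
        print(f"{a['score']:6}  {a['rule']:20}{a['asset']:16}x{a['occurrences']}")
    print(f"suppressed {len(dropped)} alert(s) from known-benign actors")
```

Note that the critical credential-stuffing alert outranks the high-severity public bucket only because the web VM is internet-facing; with the context table removed, the ordering would follow the tools' labels alone, which is the whack-a-mole situation the text describes. Suppressed alerts are returned rather than deleted so the allow-list itself can be reviewed.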
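To make the MTTD/MTTR definitions concrete, the script below computes them from an incident log, where MTTD is measured from the intrusion's start (as later established by forensics) to detection, and MTTR from detection to containment. It is an added example (not code from the original post); the three incident records and their timestamps are constructed. Incidents that are still open contribute to dwell time but are excluded from MTTR rather than silently counted as zero.

```python
"""MTTD and MTTR from a constructed incident log (added example, not from the
original post; the incidents and timestamps are invented)."""
from datetime import datetime
from statistics import mean

SECONDS_PER_DAY = 86400


def ts(text):
    return datetime.fromisoformat(text)


# Constructed: intrusion start, detection, containment (None = still open).
INCIDENTS = [
    {"id": "inc-1", "started": ts("2022-01-03T08:00"),
     "detected": ts("2022-01-10T09:30"), "contained": ts("2022-01-12T17:00")},
    {"id": "inc-2", "started": ts("2022-02-14T00:00"),
     "detected": ts("2022-03-01T12:00"), "contained": ts("2022-03-02T12:00")},
    {"id": "inc-3", "started": ts("2020-03-01T00:00"),
     "detected": ts("2022-04-01T00:00"), "contained": None},
]


def days(delta):
    return delta.total_seconds() / SECONDS_PER_DAY


def dwell_days(inc):
    """Time from the start of the intrusion to its detection."""
    return days(inc["detected"] - inc["started"])


def response_days(inc):
    """Time from detection to containment; None while the incident is open."""
    if inc["contained"] is None:
        return None
    return days(inc["contained"] - inc["detected"])


def metrics(incidents, long_dwell_days=700):
    """MTTD, MTTR, breach lifecycle and the share of long-dwell intrusions."""
    dwell = [dwell_days(i) for i in incidents]
    responses = [r for r in (response_days(i) for i in incidents) if r is not None]
    mttd = mean(dwell) if dwell else None
    mttr = mean(responses) if responses else None
    return {
        "incidents": len(incidents),
        "open_incidents": [i["id"] for i in incidents if i["contained"] is None],
        "mttd_days": round(mttd, 1) if mttd is not None else None,
        "mttr_days": round(mttr, 1) if mttr is not None else None,
        # lifecycle is computed from the raw means, not the rounded ones
        "lifecycle_days": round(mttd + mttr, 1) if mttd is not None and mttr is not None else None,
        "pct_dwell_over_threshold": round(100 * sum(1 for d in dwell if d > long_dwell_days)
                                          / len(dwell)) if dwell else 0,
    }


if __name__ == "__main__":
    for key, value in metrics(INCIDENTS).items():
        print(f"{key:26}{value}")
```

The single long-dwell incident drags the mean detection time from days to months, which is why the text's 700-day tail matters: a median alongside the mean would show how unrepresentative the average can be, and tracking both per quarter is the simplest way to see whether consolidated tooling is actually moving the numbers.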
Look out for the second part of this blog where I’ll dig deeper into the security solutions available today and review the four cloud security pillars identified by Gartner that are now used as the basis to classify third-party security solutions – CSPM, CIEM, CWPP and CNAPP.
1. Forrester Consulting Thought Leadership Paper (commissioned by HashiCorp, January 2022)
2. Balbix 2022 State of Security Posture Report
3. Check Point Research (CPR)
4. CSA’s 2022 Cloud Security Alliance Top Threats research
5. Gartner ‘Is the Cloud secure?’ blog
6. Fastly – Unified web app and API security, anywhere
7. Fastly and the Enterprise Strategy Group, Reaching the tipping point of Web Application and API security blog
8. Blumira and IBM 2022 report
9. FireEye Mandiant M-Trends 2020 Report