If your security strategy for cloud services is based on defending a single perimeter, how will you handle the constantly shifting borders of a cloud-based system? Your employees may access your cloud services and your sensitive data from any number of devices – desktops, laptops, notebooks, and smartphones – over everything from your corporate internet connection to a 3G or 4G network in a café or airport. In effect, cloud services make traditional perimeter-based security controls much harder to apply.
The threat landscape continues to grow. According to SANS, 19% of organizations experienced some type of unauthorized access to their cloud environment in 2017, rising to 31% in 2019. In the same 2019 survey, 28% of respondents reported an incident – or an actual breach – involving their cloud applications or data.
The most common type of attack is account or credential hijacking, reported by 48.9% of respondents in the SANS study. Other common threats include misconfiguration of cloud services, denial-of-service (DoS) attacks, and exfiltration of sensitive data. 11.1% of respondents also reported incidents where the attacker used the organization's cloud services as a vehicle for reaching internal systems.
Malware, as always, is a significant threat, and especially so in the cloud: employees can use the same device to browse the Internet for non-work purposes and then sign in to work-related cloud services.
When one of your employees visits a malicious website, their device may be infected without the user being aware of it. When the user later accesses your cloud services from the same device, there is a risk that the attacker, unbeknownst to the user, gains access to your data, typically by stealing saved credentials or session tokens from the browser.
This type of threat is no longer limited to situations where an attacker tricks an employee into visiting an infected website with a phishing scam. Many cyber criminals operate compromised sites and botnets that infect any vulnerable device that happens to come across them, allowing them to target many organizations opportunistically at once.
While antivirus or endpoint protection software does offer protection, new malware is constantly being developed and existing malware constantly evolves. Relying on antivirus alone can leave your organization exposed to the latest variants.
Cyber criminals using ransomware target the companies most likely to pay to recover their data. Imagine what would happen inside your company if all of your cloud-hosted files, used by everyone in the company, were suddenly encrypted and completely inaccessible.
Ransomware embedded in documents and files that are uploaded to your cloud services poses a serious risk unless that content is scanned for threats. Likewise, links to websites hosting malicious code or illicit content are generally not picked up by traditional antivirus solutions. Under the shared responsibility model, the cloud service provider secures the underlying platform and relies on its customers to protect the content they put in it.
Insider threats are also a concern. A disgruntled employee with access to your content on the cloud can abuse it for their own personal benefit – such as exfiltrating it and selling it.
The cloud provider’s own personnel may have privileged user access that can bypass whatever security controls you may have in place. In fact, privileged user abuse was the third most common type of attack in a recent SANS study.
Simple errors can also open the door to a cloud-native breach: one that uses the cloud platform's own features to complete the attack without any malware. If a cloud service is incorrectly configured, an attacker can use the misconfiguration to gain an initial foothold. Once inside, the attacker can search for further weaknesses that allow them to expand their access, find your sensitive data, and exfiltrate it.
Misconfiguration can have very expensive consequences, as Capital One discovered in summer 2019. A misconfigured web application firewall (WAF) let an attacker relay requests to the instance metadata service, obtain the WAF's own cloud credentials, and use them to read storage buckets containing, among other data, about 80,000 bank account numbers and 140,000 Social Security numbers. Capital One estimated the total cost at as much as $150 million.
Protecting your cloud applications
Considering the range of threats and their increasing scale, is there anything you can do to protect your cloud environment? Of course there is.
The four most important things to consider include managing access to your sensitive data, managing the configuration of your cloud services, using cloud applications’ native security tools, and scanning the content that’s uploaded to your cloud environments.
Manage Access: The best way to protect against an insider threat is to make sure that no insider is in a position to become one. By granting an employee access rights based on, for example, their role, the type of content, or the method of access, you can create a set of policies that can be managed effectively.
If an employee can only access the content required to do their job, your exposure to an insider attack – and to an attacker who hijacks that employee's account – is greatly reduced. Using the access control tools offered by your cloud provider and restricting permissions as narrowly as possible will further improve your security posture.
Access management also includes multi-factor authentication. The harder it is for an attacker to impersonate a user with stolen credentials, the less likely a credential-hijacking attack is to succeed.
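To make the two points above concrete, here is an added example (it is not code from the original post or from any vendor product): a minimal evaluator for IAM-style policy documents, used to show how a policy scoped to one role, one storage prefix and an MFA condition enforces least privilege. The policy document, the bucket name `example-finance-reports`, the `analyst` role and the request contexts are all constructed for illustration; only the `Bool` condition operator is implemented.

```python
"""Added example, not code from the original post: a minimal evaluator for
IAM-style policy documents. It shows how a policy scoped to one role, one
prefix and an MFA condition enforces least privilege. The policy, bucket
name and request contexts below are constructed for illustration."""
import fnmatch
import json

# Constructed policy for an 'analyst' role: read-only, one prefix of one
# bucket, and only when the caller authenticated with MFA.
ANALYST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-finance-reports",
        "arn:aws:s3:::example-finance-reports/analyst/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
""")


def _matches(patterns, value):
    """IAM-style pattern match where '*' and '?' are the only wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the Condition block. Only the Bool operator is implemented,
    which is all this example needs; anything else is rejected loudly rather
    than silently treated as satisfied."""
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in clauses.items():
            actual = str(context.get(key, "false")).lower()
            if actual != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Decide a request the way IAM does: default deny, and an explicit
    Deny always wins over an Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo():
    """Run the constructed requests and return the decisions."""
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    own = "arn:aws:s3:::example-finance-reports/analyst/q1.csv"
    other = "arn:aws:s3:::example-finance-reports/payroll/salaries.csv"
    return {
        "read own prefix with MFA": is_allowed(ANALYST_POLICY, "s3:GetObject", own, mfa),
        "read own prefix without MFA": is_allowed(ANALYST_POLICY, "s3:GetObject", own, no_mfa),
        "read another team's prefix": is_allowed(ANALYST_POLICY, "s3:GetObject", other, mfa),
        "write to own prefix": is_allowed(ANALYST_POLICY, "s3:PutObject", own, mfa),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {'allow' if decision else 'deny'}")
```

Only the first request is allowed. The same session without MFA, the same user reaching for another team's prefix, and any write are all denied, which is the point: a stolen password alone does not get the attacker in, and a hijacked account cannot wander beyond the data its owner needs.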
Manage Configuration: Mistakes in configuring your cloud services can expose you to a cloud-native breach, so making sure your cloud services are configured correctly is one of the most important defenses you can put in place.
Manual configuration increases the chance of this type of error. Defining your configuration as code and using configuration management tools that detect and correct drift from the intended state reduces it. Always start from the configuration settings recommended by your cloud service provider, and audit the live environment against them regularly rather than assuming it still matches what was deployed.
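What such an audit checks for is easier to see in code. The following is an added example, not code from the original post or from any provider's tooling: it runs a handful of checks over a constructed inventory in which each weak resource is followed by its hardened twin. The resource records are simplified stand-ins for provider API output, and the check identifiers are invented for this illustration.

```python
"""Added example, not code from the original post: a small audit of a
constructed cloud inventory that flags common misconfigurations and shows
the corrected setting beside each weak one. The resource records are
simplified stand-ins for provider API output, not real API responses."""
import ipaddress

# Constructed inventory: each weak resource is followed by its hardened twin.
INVENTORY = [
    {"type": "bucket", "name": "reports-public", "acl": "public-read",
     "block_public_access": False, "default_encryption": None},
    {"type": "bucket", "name": "reports-hardened", "acl": "private",
     "block_public_access": True, "default_encryption": "aws:kms"},
    {"type": "security_group", "name": "ssh-open",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "ssh-restricted",
     "ingress": [{"port": 22, "cidr": "10.20.0.0/16"}]},
    {"type": "instance_role", "name": "waf-role-broad",
     "actions": ["s3:*"], "resources": ["*"]},
    {"type": "instance_role", "name": "waf-role-scoped",
     "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::waf-logs/*"]},
]

# Ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def _is_world_reachable(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_bucket(res):
    findings = []
    if res["acl"] != "private":
        findings.append((res["name"], "BUCKET_PUBLIC_ACL",
                         "ACL '%s' lets anonymous users read objects; set it to 'private'" % res["acl"]))
    if not res.get("block_public_access"):
        findings.append((res["name"], "BUCKET_PUBLIC_ACCESS_NOT_BLOCKED",
                         "enable the 'block public access' setting"))
    if not res.get("default_encryption"):
        findings.append((res["name"], "BUCKET_UNENCRYPTED",
                         "enable default encryption with a KMS key"))
    return findings


def audit_security_group(res):
    findings = []
    for rule in res["ingress"]:
        if rule["port"] in ADMIN_PORTS and _is_world_reachable(rule["cidr"]):
            findings.append((res["name"], "SG_ADMIN_PORT_WORLD_OPEN",
                             "port %d open to %s; restrict to the corporate or VPN range"
                             % (rule["port"], rule["cidr"])))
    return findings


def audit_instance_role(res):
    """A role attached to a workload (such as a WAF instance) should name the
    exact actions and resources it needs; wildcards turn any request-forgery
    or code-execution bug on that workload into broad data access."""
    findings = []
    if any(a == "*" or a.endswith(":*") for a in res["actions"]):
        findings.append((res["name"], "ROLE_WILDCARD_ACTION",
                         "replace wildcard actions with the specific API calls needed"))
    if "*" in res["resources"]:
        findings.append((res["name"], "ROLE_WILDCARD_RESOURCE",
                         "scope the policy to the specific resource ARNs"))
    return findings


AUDITORS = {"bucket": audit_bucket, "security_group": audit_security_group,
            "instance_role": audit_instance_role}


def audit(inventory):
    """Return (resource name, check id, remediation) for every failed check."""
    findings = []
    for res in inventory:
        findings.extend(AUDITORS[res["type"]](res))
    return findings


if __name__ == "__main__":
    for name, check, fix in audit(INVENTORY):
        print(f"{name}: {check}: {fix}")
```

Run against the inventory, the three weak resources produce six findings and the three hardened ones produce none. The instance-role check is the one that maps most directly to the kind of breach described earlier: a workload role with wildcard permissions is what turns a single bug in a front-end component into access to every bucket in the account.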
Use Native Security Tools: Cloud service providers offer logging tools that record who accessed which service and when; details such as the IP address of every API caller and the time of the call are invaluable in the event of an attack. Unfortunately, some organizations do not see the benefit of enabling these tools, reducing their own visibility and with it their ability to respond to a breach efficiently.
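Enabling the logs is only half the benefit; the other half is looking at them. The following added example (not code from the original post or from any provider) runs three detection rules over constructed audit-log records written in the general shape of AWS CloudTrail events (`eventName`, `sourceIPAddress`, `userIdentity`, `additionalEventData.MFAUsed`). The events, the user names and the "corporate" IP ranges are made up for illustration; the ranges are documentation prefixes used as stand-ins.

```python
"""Added example, not code from the original post: detection rules run over
constructed audit-log records in the general shape of AWS CloudTrail events
(eventName, sourceIPAddress, userIdentity, additionalEventData.MFAUsed).
The events, user names and IP ranges below are made up for illustration."""
import ipaddress
import json

# Constructed allowlist of 'corporate' egress ranges (documentation ranges as stand-ins).
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# API calls that weaken or disable audit logging itself.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed log lines, one JSON event per line.
SAMPLE_LOG = """
{"eventID": "e1", "eventTime": "2019-09-02T08:01:12Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventID": "e2", "eventTime": "2019-09-02T08:03:40Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventID": "e3", "eventTime": "2019-09-02T23:15:02Z", "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.44", "userIdentity": {"userName": "bob"}}
{"eventID": "e4", "eventTime": "2019-09-02T23:16:30Z", "eventName": "StopLogging", "sourceIPAddress": "192.0.2.44", "userIdentity": {"userName": "bob"}}
{"eventID": "e5", "eventTime": "2019-09-02T23:20:00Z", "eventName": "GetBucketAcl", "sourceIPAddress": "config.amazonaws.com", "userIdentity": {"invokedBy": "config.amazonaws.com"}}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _from_unknown_ip(event):
    """Flag callers outside the corporate ranges. Calls made by provider
    services carry a service hostname instead of an IP and are not flagged."""
    src = event.get("sourceIPAddress", "")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # e.g. 'config.amazonaws.com'
    return not any(addr in net for net in CORPORATE_RANGES)


def _console_login_without_mfa(event):
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def _logging_tampered(event):
    return event.get("eventName") in LOGGING_TAMPER


RULES = [
    ("console_login_without_mfa", _console_login_without_mfa),
    ("api_call_from_unknown_ip", _from_unknown_ip),
    ("audit_logging_tampering", _logging_tampered),
]


def detect(text):
    """Return (eventID, rule name, actor) for every rule that fires."""
    alerts = []
    for event in parse_events(text):
        actor = event.get("userIdentity", {}).get("userName", "<service>")
        for name, rule in RULES:
            if rule(event):
                alerts.append((event["eventID"], name, actor))
    return alerts


if __name__ == "__main__":
    for event_id, rule, actor in detect(SAMPLE_LOG):
        print(f"{event_id}: {rule} by {actor}")
```

Over the sample log the rules fire on bob's console login without MFA, on his API calls from an address outside the corporate ranges, and on the attempt to stop logging from that same address. The last rule matters most: an attacker who has obtained credentials will often try to switch off the audit trail first, so that call is itself one of the strongest signals the trail will ever carry.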
Another key defense is to encrypt your data. If data stored in the cloud is not encrypted, anyone who gets access to the storage has unfettered access to the data. If it is encrypted, a successful attacker is left with ciphertext they cannot use, provided they have not also obtained the keys. Encryption therefore only helps when the keys are managed separately from the data, for example in a key management service with its own access controls, and when the set of identities allowed to decrypt is restricted as tightly as access to the data itself; an attacker who hijacks an account that is permitted to decrypt gains nothing less than they would from unencrypted storage.
Check Content Uploaded by Users: Monitoring content uploaded to your cloud environments is extremely important. If one of your employees' accounts is compromised and used to share a malicious file that is then passed around the whole organization, the consequences can be devastating.
You need a technology that analyzes all the URLs and files uploaded to and downloaded from your cloud environment and detects anything threatening or even just suspicious. This adds a complementary layer of security on top of your endpoint security solutions. Unfortunately, this functionality is often not included in the basic tiers of most cloud software, or is not offered at all.
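The kind of checks such a scanner applies can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any vendor product: it inspects constructed in-memory uploads for executable content by magic bytes, for Office documents carrying a VBA macro container, for a file extension that does not match the content, and for links to hosts on a denylist. The sample files, the denylist (`evil.example`, `malware.example.net`) and the finding names are invented for illustration; a real deployment would add hash lookups and engine-based scanning behind the same interface.

```python
"""Added example, not code from the original post: a scanner for files
uploaded to a shared cloud workspace. It detects executable content by
magic bytes, Office documents carrying VBA macros, file-extension
mismatches and links to denylisted hosts. The sample files, the denylist
and the finding names are constructed for illustration."""
import io
import re
import zipfile

# Constructed denylist of hosts known to serve malware.
URL_DENYLIST = {"evil.example", "malware.example.net"}
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

MAGIC = [(b"MZ", "pe_executable"), (b"\x7fELF", "elf_executable"),
         (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def detect_type(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def _hosts_in(data):
    return {m.decode("ascii", "ignore").lower() for m in URL_RE.findall(data)}


def scan_upload(filename, data):
    """Return a sorted list of finding names for one uploaded file."""
    findings = set()
    kind = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hosts = _hosts_in(data)

    if kind in ("pe_executable", "elf_executable"):
        findings.add("executable_content")
    if ext == "pdf" and kind != "pdf":
        findings.add("extension_mismatch")

    if kind == "zip":  # Office formats (docx/docm/xlsx/...) are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith("vbaproject.bin"):
                        findings.add("office_macro")
                    hosts |= _hosts_in(zf.read(member))
        except zipfile.BadZipFile:
            findings.add("corrupt_archive")

    if hosts & URL_DENYLIST:
        findings.add("denylisted_url")
    return sorted(findings)


def _build_docx(with_macro, body):
    """Build a minimal Office-style zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


# Constructed uploads: file name -> bytes.
SAMPLE_UPLOADS = {
    "quarterly.docm": _build_docx(True, "<w:t>see http://evil.example/update</w:t>"),
    "agenda.docx": _build_docx(False, "<w:t>meeting notes</w:t>"),
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "notes.txt": b"mirror at https://Malware.Example.net/setup.exe",
    "clean.txt": b"nothing to see here",
}


def scan_all(uploads):
    return {name: scan_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_UPLOADS).items():
        print(f"{name}: {findings or 'clean'}")
```

The scanner looks at content rather than trusting the file name, which is why a Windows executable renamed to `invoice.pdf` is reported twice, and it descends into the zip container that Office documents really are, so the macro blob and the link in the document body are both caught. Hosts are compared case-insensitively because the denylist would otherwise be trivially bypassed by changing the case of the domain.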
To help our customers protect their cloud environments, we’ve created a solution like this for Salesforce, and are due to release our Office 365 product very soon. You can read more about our cloud protection approach here.