The COVID-19 pandemic didn’t just spread a new coronavirus, it also infected the cloud.
Global lockdowns and the sudden switch to remote work on every continent presented a new world of opportunities for hackers to exploit. Today, cloud services are one of the most common routes for successful cybersecurity attacks.
And the number of attacks is increasing, with no reason in sight for this trend to change, says Frank Ford, Partner and Head of the Global Cybersecurity Practice at Bain & Company.
“We can expect to see many more cyber breaches with ‘cloud’ as the attack route,” says Ford. “But the cloud itself is not the problem – rather it is how people use it. Cloud can be made adequately secure; just consider the number of online banking solutions in use, many of which are cloud-based.
“In simple terms, cloud providers like AWS and Azure provide robust security ‘of the cloud’, meaning the networks, computing environments, etc; whereas companies are responsible for their security ‘in the cloud’, meaning configuring their security solutions to properly protect what they put into the cloud, their applications and data.”
It is in this second part where things all too often go wrong, according to Ford, as many companies struggle to master the discipline across ‘non-cloud’ environments; they make mistakes while setting up their cloud security solutions and leave themselves exposed.
“Cloud adoption is also growing strongly, with COVID-19 rapidly accelerating the move as companies sought to provide solutions for large populations of suddenly remote workers,” says Ford. “So when you take the combination of rapidly increasing volumes going into the cloud, intrinsically weak cybersecurity practices, and a new complex environment to secure and configure, then mistakes are made and the opportunity for successful attacks grows.”
Rapid adoption of SaaS solutions attracts attackers
Del Heppenstall, Cyber Security Partner at KPMG UK, confirms that attacks against cloud infrastructure are increasing, as is the use of compromised cloud environments as an enabler for cyber-attacks against organisations and individuals worldwide. “The pandemic – and subsequent increase in remote working – accelerated cloud adoption, introducing new attack vectors for organisations used to protecting a traditionally defined perimeter,” he says.
KPMG are seeing attackers’ increased focus on compromising configuration errors in cloud environments and a lack of securely implemented API service integrations. “This is partially due to the rapid adoption of SaaS solutions during the pandemic, but also a lack of focus on protecting this important attack vector,” says Heppenstall.
To compound this problem, a shortage of digital skills among employees remains a crucial issue in cloud security, where the demand for cloud expertise far outstrips supply. Many underestimate the differences between cloud technology and traditional alternatives when implementing technical design and associated risk assessments.
“We often see organisations moving to the cloud at short notice in response to data centre contracts ending, resulting in the migration being performed with insufficient planning and support,” says Sarah Lyons, Deputy Director for Economy and Society Resilience at the National Cyber Security Centre (NCSC).
“The services and technologies that cloud environments rely on to deliver these benefits are constantly evolving and accelerating in their complexity and potential,” she explains. “It is important that those responsible for delivering services understand the implications of any changes made to the technology they are consuming and adapt accordingly.”
Container orchestration and automation introduce new risks
Cloud security incidents may involve complex attacks, but the simplest barely qualify as “attacks” and are more likely to involve data being left freely accessible to anyone who knows where to look, explains Stuart Green, Cloud Security Architect at Check Point Software. “More complex cloud architectures often use a large number of loosely coupled components, each with its own unique set of configurations and, consequently, the possibility for misconfigurations.”
While most of the core services in the cloud are generally well understood and often deployed in very secure manners, the more complex areas like container orchestration and automation can introduce new risks, says Green. On the automation side, as more focus moves into software and DevOps, this brings additional considerations such as software supply chain risks in bringing in external, potentially unverified code to corporate environments.
Cloud platforms are vast and cover several technology domains that usually involve multiple teams. When it comes to the cloud, many organisations will have a dedicated ‘cloud team’ that is responsible for everything in their choice of public cloud platforms, explains Green.
“In making their responsibilities far broader, there will be a cost of losing the in-depth expertise of how to properly and securely configure these services,” says Green. “For example, most cloud engineers can deploy a virtual machine with a public IP without much of a challenge, but fully understanding the consequences of making it publicly available, not applying network security controls, or configuring access privileges correctly could, in the worst case, mean someone has full remote access to the raw storage data.”
As more and more services are introduced and consumed in the cloud, the problem is exacerbated and can quickly become difficult to manage. “This type of scenario tends to align with smaller businesses whose teams are more resource-constrained and under pressure to ‘just make it work’ when it comes to new deployments,” says Green.
“In contrast, there are larger enterprises who show a lot of restraint when it comes to adopting new cloud services for this exact reason and try to ensure that before any new cloud service is adopted, the scope of any new risks it introduces is fully understood.”
- Elon Musk seeks to strengthen xAI as innovation continuesAI & Machine Learning
- Lenovo and Microsoft are boosting business cyber resiliencyCloud & Cybersecurity
- AWS announces AI tool Amazon Q to reimagine future of workAI & Machine Learning
- Carlsberg Group is using IoT to make data-driven decisionsData & Data Analytics