Focus on these three risky behaviours to boost cloud security

Users of cloud computing resources have a tendency to make the same mistakes repeatedly, with the vast majority – approximately 80% – of alerts seen by security teams triggered by a scant 5% of security rules, according to findings set out in a report compiled by Palo Alto Networks’ Unit 42 research unit.

In Cloud threat report, navigating the expanding attack surface – the seventh in an ongoing series – Unit 42 analysed workloads drawn from 210,000 cloud accounts across 1,200 different organisations and examined multiple real-world security incidents that arose through cloud environments.

They repeatedly found that almost every organisation had a small set of risky behaviours that could be frequently observed in their cloud workloads. Out of these, the most regularly seen were unrestricted firewall policies, exposed databases, and unenforced multifactor authentication (MFA) policies – 76% of organisations don’t enforce MFA for console users, the report said.

“All of [these] likely originate from an isolated number of engineers and IaC [infrastructure-as-code] templates,” wrote lead researcher Jay Chen and his team. “These issues vary from organisation to organisation, but the takeaway is the same for all of them – a small number of repeatable issues drive the largest percentage of problems.”

The team also found that it takes 145 hours – around six days – for a security alert to be responded to on average, and that 60% of organisations take longer than four days to resolve a security alert. By prioritising remediation of these three issues, security teams can not only help their organisations maximise the return on their security investments, but potentially also eliminate many of their day-to-day headaches at a stroke.

“After two decades of rapid cloud adoption by organisations, 2023 could be considered a turning point for cloud security. The rate of cloud migration shows no sign of slowing down – from $370bn [£297.6bn] in 2021, with predictions to reach $830bn [£667.6bn] in 2025 – with many cloud-native applications and architectures already having had time to mature,” said Ankur Shah, senior vice-president of Prisma Cloud at Palo Alto Networks.

“The dynamic nature of cloud technology – with feature updates in public cloud services, new attack methods, and the widespread use of open-source code – is now driving awareness of the risks inherent to modern, cloud-native development. The more organisations that adopt cloud-native technologies, the higher the number of cloud-native applications becomes. The popularity and complexity of the technology then expands the attack surface with vulnerabilities and misconfigurations for cyber criminals to exploit,” he said.

Although user-generated issues, including insecure configurations, remain the primary concern when it comes to cloud security, the Unit 42 team also highlighted issues that stem from ready-to-use templates and default configurations offered by cloud service providers (CSPs).

They said that while these default options might seem to be quite convenient, they do not, to put it mildly, “position users in the most secure initial state”.

The latest edition of the Cloud threat report also highlights the use of open source software and components as one of the driving forces behind the cloud revolution, and notes how this trend has increased risk by introducing more complexity: deprecated or abandoned software, malicious content and slower patching cycles all become more likely, adding to the pressure on organisational security.

Growing attack surface

As the report’s title would suggest, Unit 42 said that organisations should expect the attack surface of cloud-native applications to continue to expand going forward, and for threat actors to find “increasingly creative” ways to target them.

As such, the report also includes a number of practical tips, such as putting in place enforced MFA policies and enabling features such as automated alert triage and remediation, control plane audit logs, automated backups and data-at-rest encryption.

Security teams should also consider budgeting for software composition analysis (SCA) tools during the development process and for data loss prevention (DLP) solutions, and, of course, take care never to expose databases or services such as remote desktop protocol (RDP) or SSH to the public internet.
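The three risky behaviours the report singles out (unrestricted firewall rules, exposed databases and console users without MFA) and its advice never to expose RDP, SSH or databases to the internet can be turned into a routine check that a security team runs against exported account data. The script below is an added example, not code from the report or from Palo Alto Networks. It mirrors the field names of the AWS EC2 security-group, RDS instance and IAM credential-report outputs, but every record in it is constructed for illustration, and the port lists and the literal any-address CIDRs it looks for are assumptions of this example.

```python
"""Flag the three risky cloud behaviours discussed above:
unrestricted ingress rules, publicly exposed databases, and console users
without MFA. Input shapes follow the AWS EC2/RDS/IAM APIs, but all sample
data here is constructed (assumption), so the script runs offline."""
import csv
import io

# Ports whose exposure to the whole internet is almost never intended (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
WORLD = ("0.0.0.0/0", "::/0")  # only the literal any-address CIDRs are matched
ALL_PORTS = object()           # sentinel: a rule with IpProtocol "-1" opens everything


def world_open_ports(sg):
    """TCP ports a security group opens to 0.0.0.0/0 or ::/0, or ALL_PORTS."""
    ports = set()
    for rule in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        if not any(c in WORLD for c in cidrs):
            continue
        if rule.get("IpProtocol") == "-1":
            return ALL_PORTS
        if rule.get("IpProtocol") != "tcp":
            continue
        ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return ports


def exposes(open_ports, port):
    return open_ports is ALL_PORTS or port in open_ports


def find_unrestricted_ingress(security_groups):
    """(group id, description) for every admin or database port open to the world."""
    findings = []
    for sg in security_groups:
        open_ports = world_open_ports(sg)
        if open_ports is ALL_PORTS:
            findings.append((sg["GroupId"], "all traffic open to the internet"))
            continue
        for port, name in sorted({**ADMIN_PORTS, **DB_PORTS}.items()):
            if port in open_ports:
                findings.append((sg["GroupId"], f"{name} tcp/{port} open to the internet"))
    return findings


def find_public_databases(db_instances, security_groups):
    """RDS instances with a public endpoint whose group opens their port to the world."""
    groups = {sg["GroupId"]: world_open_ports(sg) for sg in security_groups}
    exposed = []
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue  # no public endpoint: reachable only from inside the VPC
        port = db["Endpoint"]["Port"]
        for g in db.get("VpcSecurityGroups", []):
            if exposes(groups.get(g["VpcSecurityGroupId"], set()), port):
                exposed.append(db["DBInstanceIdentifier"])
                break
    return exposed


def find_console_users_without_mfa(credential_report_csv):
    """Users with a console password (password_enabled == true) but mfa_active == false.
    Column names follow the IAM credential report; the rows are constructed."""
    return [row["user"] for row in csv.DictReader(io.StringIO(credential_report_csv))
            if row["password_enabled"] == "true" and row["mfa_active"] == "false"]


def audit(security_groups, db_instances, credential_report_csv):
    return {
        "unrestricted_ingress": find_unrestricted_ingress(security_groups),
        "public_databases": find_public_databases(db_instances, security_groups),
        "console_users_without_mfa": find_console_users_without_mfa(credential_report_csv),
    }


# Constructed sample data (not from any real account).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ccc"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ccc"}]},
    {"DBInstanceIdentifier": "staging-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}]},
]
SAMPLE_CREDENTIAL_REPORT = """user,password_enabled,mfa_active
<root_account>,not_supported,true
alice,true,true
bob,true,false
deploy-bot,false,false
"""

if __name__ == "__main__":
    for category, items in audit(SAMPLE_SECURITY_GROUPS, SAMPLE_DB_INSTANCES,
                                 SAMPLE_CREDENTIAL_REPORT).items():
        print(f"{category}: {items}")
```

On the constructed data the check reports the SSH rule in sg-0aaa and the all-traffic rule in sg-0ccc, flags only orders-db (public endpoint plus an open group; staging-db is public but its group only admits 10.0.0.0/8), and names bob as the one console user without MFA. The same three functions can be pointed at real exports from the cloud provider's CLI to produce the small, repeatable findings list the report describes.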

“The bottom line to our findings is simple: your organisation may not be as secure as you think. You’re going to need to be vigilant, proactive and innovative to stay ahead of adversaries,” wrote Chen and his team.
