Cloud Security Alliance (CSA) recently published its 2022 Top Threats to Cloud Computing report, the sixth installment of an industry-wide survey that aims to raise awareness of threats, vulnerabilities, and risks in cloud computing.
This year's edition identified eleven threats, ranked below in their order of importance per the survey's results. CSA calls this list the Top Threats to Cloud Computing – Pandemic Eleven!
- Insufficient Identity, Credentials, Access, and Key Management
- Insecure Interfaces and APIs
- Misconfiguration and Inadequate Change Control
- Lack of Cloud Security Architecture and Strategy
- Insecure Software Development
- Unsecured Third-Party Resources
- System Vulnerabilities
- Accidental Cloud Data Disclosure
- Misconfiguration and Exploitation of Serverless and Container Workloads
- Organized Crime/Hackers/APT
- Cloud Storage Data Exfiltration
Rather than reproduce the report's contents verbatim, I wanted to create a handy, referenceable, and actionable summary of the top cloud computing security threats for data and security practitioner folks. To that end, I've narrowed down the report's original scope to focus on the threats' essential aspects.
The remainder of this post is organized into discrete per-threat sections, with each section highlighting the following threat-specific information:
- Threat overview
- Business impact
- Mitigation measures
- Recent incidents
- Threat summary including a
STRIDE threat model analysis
So, sit tight for a tour of the top cloud computing security threats!
Security Threat 1: Insufficient Identity and Access Management, Privileged Accounts
Identity and Access Management (IAM) encapsulates tools, policies, and processes to provision, authorize, and deprovision access to sensitive business data stored in files and databases, infrastructure resources such as physical machines and cloud virtual instances, and premises such as server rooms and data centers.
Credentials, keys, tokens, and certificates are how users and applications are granted access to a business' data, infrastructure, and premises.
Privileged accounts selectively grant elevated access rights to certain users and applications, which allows them to read, modify, delete, and destroy sensitive data, and infrastructure resources.
Insufficient management of credentials, keys, tokens, and certificates, coupled with weak authorization policies and loosely controlled privileged accounts, constitutes a threat to business in the form of malicious insiders, account takeovers, and supply chain attacks.
Business impact
- Data exfiltration or corruption by unauthorized or malicious users
- Loss of brand trust and market revenue
- Financial costs for incident response, forensics, and audits
Mitigation measures
- Zero trust implementation for authenticating users and applications
- Continuous monitoring of privileged account activity to identify suspicious user behavior
- Strong processes for account provisioning / de-provisioning, and need to know / least privilege-based policies for access authorization
Recent incidents
- July 2019: CapitalOne had a breach involving an outside individual who gained unauthorized access to the sensitive personal information of CapitalOne's customers. An EC2 instance, likely with excessive IAM role privileges, was used to gain access to CapitalOne's environment, followed by a lateral movement to the S3 bucket that contained the sensitive information.
- October 2021: Misconfigurations in SEGA Europe's cloud inadvertently stored sensitive files in a publicly accessible S3 bucket. In addition to the bucket being configured to be publicly accessible, multiple sets of AWS keys to access SEGA Europe's cloud services were found in the affected bucket.
Threat summary
Security Threat 2: Insecure Interfaces and APIs
As part of stack modernization, both new and rearchitected legacy apps alike are being built using microservices-based architectures. This has led to a growth surge in API usage across organizations as this paraphrased quote from a 2021 Akamai report shows:
In the previous year, Akamai delivered more than 300 trillion API requests, a 53% year-over-year increase!
At the same time, this surge in API usage has introduced new threats for organizations. Misconfigurations, weak authentication and authorization, and poor coding practices can leave APIs vulnerable to malicious insiders and outside attackers. Common issues include the following:
- Unauthenticated or weakly authenticated endpoints
- Over-privileged accounts
- Unmonitored APIs
- Unpatched vulnerabilities
Business impact
- Sensitive data exposure due to unsecured APIs
Mitigation measures
- Audits of the authentication and authorization models, and threat analysis of the attack surface for compromised APIs
- Automation and monitoring of API access patterns to detect anomalous behavior
Recent incidents
- May 2021: Broken API authentication and authorization exposed Peloton customers’ PII including user IDs, location, weight, gender, age, and more.
- April 2021: John Deere, a manufacturer of agricultural machinery, heavy equipment, and lawn care equipment allowed querying of usernames of Fortune 1000 customers without either authentication or rate-limiting.
Threat summary
Security Threat 3: Misconfiguration and Inadequate Change Control
Misconfigurations result from insecure setups of data or infrastructure resources that leave them vulnerable to unintended exposure or damage by malicious insiders and external attackers.
Following are examples of security misconfigurations common in the cloud:
- Unsecured virtual compute instances, containers, storage, and databases
- Over-privileged accounts, disabled security controls, and unrestricted network access
- Usage of default vendor-created credentials
- Unmonitored resource accesses
Inadequate change control refers to the fact that it's much harder to monitor, review, and approve configuration changes on the cloud compared to on-premises data centers. Most, if not all, cloud configuration is abstracted out as "code", supported by APIs. This makes it easy to spin up new resources, and modify existing resource settings, thus short-circuiting what used to take days, if not weeks, in static data center environments. Mistakes are easily made and get compounded further when multiple cloud providers are involved.
Business impact
- Sensitive data exposure, exfiltration, and tampering
- Degraded performance, and system outages
- Ransomware attacks, loss of revenue, and reputational impact
Mitigation measures
- Adoption of infrastructure-as-code, configuration-as-code, and security-as-code policies and frameworks
- Continuous monitoring and automated change management to track, review, and approve resource configurations
Recent incidents
- March 2022: Nearly 70% of ServiceNow instances had ACL (Access Control List) misconfiguration issues that led to over-provisioned privileges for guest users.
- January 2021: Microsoft misconfigured its Azure Blob Storage buckets, and ended up disclosing sensitive partner IP and source code stored in them.
Threat summary
Security Threat 4: Lack of Cloud Security Architecture and Strategy
Cloud security architecture and security strategy encompass various aspects of a runtime cloud environment. Considerations must be given to cloud service providers, cloud service models, cloud deployment models, region and availability zone determination, and failover and HA models. The decentralized, API-driven self-service model of the cloud often comes in the way of formulating a deliberate and concrete architecture and security strategy.
The absence of an architecture and security strategy leads to applications and services falling prey to vulnerabilities and cyber attacks.
Business impact
- Limited enterprise effectiveness in preventing and responding to cyber attacks
- Financial expenses for incident response, forensics, and audits
- Costly refactoring and migration exercises
Mitigation measures
- Consideration of business objectives, risk, security threats, and legal compliance in evaluating cloud providers, services, and infrastructure and application resiliency models
- Threat modeling, secure design principles, and 3rd party vendor security assessments of cloud infrastructure and services
Recent incidents
- January 2021: A threat actor known as ShinyHunters exfiltrated 7 million customer records of US clothing store Bonobos by compromising its backup data stored in an external backup service.
- July 2021: Attackers exploited a SaaS-based change management model to deploy ransomware on the endpoint devices of Kaseya's customers.
Threat summary
Security Threat 5: Insecure Software Development
Insecure software development could mean many things – poor handling of credentials, keys, and tokens, not sanitizing input values (exploited by SQL injection attacks), or zero-day vulnerabilities in 3rd party libraries and services. Cloud environments contribute additional complexity and exacerbate security problems.
Cloud service providers also simplify the problem in a way. This is due to the prevalent shared responsibility model, where the cloud provider is responsible for the security issues and vulnerabilities in the infrastructure/platform, while the application owner is responsible for the same within their application including any 3rd party libraries or services they might be using.
Business impact
- Loss of customer confidence in the product
- Loss of brand trust due to a data breach
- Financial expenses due to lawsuits
Mitigation measures
- Product design based on secure design patterns such as AWS' Well-Architected Framework
- Delegation of solving common problems to existing cloud technologies and external services to focus on core business problems
Recent incidents
- December 2021: A parsing bug in the log4j library allowed attackers to execute RCE (Remote Command Execution) on compromised services.
- January 2021: Several vulnerabilities in Microsoft Exchange provided opportunities for RCE and credentials theft.
Threat summary
Security Threat 6: Unsecure Third-Party Resources
Modern applications increasingly depend on 3rd party resources to get things done outside their core business logic. These 3rd party resources could be one or more of the following:
- An open-source library
- A SaaS product available as a set of APIs
- A cloud provider-specific functionality for authentication, authorization, and data storage
Vulnerabilities in any of an application's 3rd party resources may result in a compromise of the application itself as they become the weakest link in the "supply chain" of the service delivered by the application to its consumers and users.
According to research from Colorado State University, two-thirds of breaches are a result of supplier or 3rd party vulnerabilities.
Business impact
- Loss of key business processes
- Unauthorized access of business data by outside users
- Application impact due to delays in patching vulnerabilities by responsible 3rd party providers
Mitigation measures
- Diligent evaluation of 3rd party libraries and SaaS endpoints before incorporating them into applications
- Continuous tracking and monitoring of vulnerabilities in all 3rd party resources used in applications
- Periodic reviews of all applications dependencies to determine necessity, permissions, and access privileges
Recent incidents
- December 2020: Solarwinds was impacted due to a supply chain attack that gave attackers access to Solarwinds customers' networks, credentials, and private data.
- August 2021: Volkswagen suffered a data breach of around 3.3 million customers' PII and financial data because a storage service was left unprotected for almost two years by one of its vendors.
Threat summary
Security Threat 7: System Vulnerabilities
System vulnerabilities are flaws in a service provider's platforms, such as SaaS, DBaaS, PaaS, or IaaS, whose knowledge may be exploited by malicious users to compromise the confidentiality, integrity, and availability (CIA) of data.
Following are examples of system vulnerabilities:
- A zero-day vulnerability (a newly discovered security issue for which a fix isn't available yet) in a managed database-as-a-service (DBaaS), which allows a malicious user to bypass database authentication
- Missing security patches for known issues that leave an application vulnerable to attacks
- Configuration vulnerabilities, such as the usage of legacy security protocols (TLS 1.1), weak encryption ciphers, or weak permissions
- Default credentials usage that allows attackers easy access to sensitive data and critical resources
IBM’s Cost of Data Breach 2021 Report shows that vulnerabilities in third-party software were responsible for 14% of the data breaches studied, while cloud misconfiguration and compromised credentials accounted for 20% and 15%, respectively.
Business impact
- Operational disruptions that prevent customers from using business services
- Challenges with customer acquisition and retention due to erosion of trust
- Financial expenses of dealing with detection, escalation, and incident response
Mitigation measures
- Periodic system monitoring to identify unpatched vulnerabilities and zero-day exploits
- Timely patch deployments, and updates to the latest software versions
Recent incidents
- August 2021: Security flaws in Azure's CosmosDB allowed data downloads and modifications without requiring credentials.
- September 2021: A cyber espionage group deployed a backdoor in Active Directory Federation that allowed the theft of configuration databases and security tokens.
Threat summary
Security Threat 8: Accidental Cloud Data Disclosure
Cloud platforms make it easy to spin up new infrastructure, containers, and databases using infrastructure-as-code tools and APIs. While this makes teams more agile, it also increases the likelihood of misconfigurations and unintended data exposure.
Inventory management, which is the problem of tracking all provisioned cloud resources, including sensitive data and compute workloads, becomes more challenging. As an example, a developer may spin up a new cloud database instance on the cloud for new feature development, and populate it with a slice of production data, resulting in an unintentional spillover of sensitive customer PII from production to dev environments.
It's not uncommon for security leaders to worry about such accidental data sprawl, which leaves their businesses vulnerable to data exfiltration and disclosure attacks.
Over 55% of companies have at least one database that is currently publicly exposed to the internet.
Business impact
- Unexpected financial expenses to deal with forensic efforts, customer support processes, and compensation to affected customers
- Challenges with customer acquisition and retention due to erosion of trust
Mitigation measures
- Periodic review of all provisioned cloud resources, including VMs, containers, databases, storage, and workloads
- Automated scanning of cloud environments to detect unexpected resources, misconfigurations, and exposed access points
- Implementation of least-privilege access policies to minimize the attack surface
Recent incidents
- January 2021: A VIP Games cloud misconfiguration exposed 23 million records of customer PII containing names, email addresses, and player data.
- September 2021: UK newspaper The Telegraph exposed a 10TB subscriber dataset.
Threat summary
Security Threat 9: Misconfiguration and Exploitation of Serverless Workloads
Serverless platforms, such as AWS Lambda and GCP Cloud Functions, pose unique security challenges for workloads running on them. Lack of adequate knowledge of the shared responsibilities with the cloud provider can lead to insecure workloads that can be easily exploited to gain unauthorized access to sensitive data.
Serverless platforms are shared execution environments. Consequently, poor coding and configuration practices, such as storing IAM keys and database credentials in a temporary file system or shared memory, or configuring serverless containers to start-up "warm" (thus, forcing retention of program state from previous runs), can all lead to sensitive data exposure by malicious actors.
A Netskope analysis found that 4% of analyzed IAM policies had full administrative access, and 60% had the AWS AdministratorAccess role.
Business impact
- Breaches and data loss due to misconfigurations and insecure coding practices
- Financial expenses to deal with forensic efforts, and infrastructure and workload refactoring
Mitigation measures
- Cloud security, governance, and application design patterns training for developers and DevOps teams
- Automated checks for Cloud Security Posture Management, Cloud Infrastructure Entitlement Management, and Cloud Workload Protection Platforms
Recent incidents
- As of 2021: Denial of Wallet (DoW) attacks, similar to Denial of Service (DoS), send a large volume of requests to a serverless application to exploit the auto-scaling properties of serverless platforms, resulting in high cloud costs incurred by the cloud customer.
- February 2022: Denonia, the first known malware to target AWS Lambda, is an example of how an attacker can use serverless environments for financial gain at an organization's expense.
Threat summary
Security Threat 10: Organized Crime, Hackers & APT
Advanced persistent threats (APTs) are an attack, where an attacker, or a group of attackers, establishes a long-term presence in an organization's environment. Often, their presence goes unnoticed for months, during which time, the attackers move laterally in incremental steps to get close to where the organization's "crown jewels" are stored.
Both APTs, and Organized Crime, may include politically motivated nation-states as well as financially motivated organized criminal gangs. They may use sophisticated tactics, techniques, and protocols (known as TTP) to gain entry to a target and infiltrate its environment.
Business impact
- Depends on the nature of the business' assets, and the motivations of APT groups
- Impact analysis of the assets will determine the fallouts of a potential breach
Mitigation measures
- Cybersecurity information sharing with other practitioners to understand relevant APT groups, their motives, and their TTP
- Offensive security drills and exercises to simulate TTP used by ATP groups to ensure security monitoring tools and processes are tuned for intrusion detection and remediation
Recent incidents
- February 2016: The Lazarus group's heist of Bangladesh's national bank.
- January 2022: LAPSUS$ group's compromise of Nvidia's internal networks and confidential data.
Threat summary
Security Threat 11: Cloud Storage Data Exfiltration
Cloud storage is a class of cloud resources and includes services like blob storage (AWS S3, Azure Blob Store), file systems (AWS EFS), or even structured and semi-structured databases (AWS RDS, AWS Dynamo).
Data exfiltration involves incidents where a malicious insider, or an external attacker, gains access to sensitive data, which they can view, copy, or download. Often, due to a lack of activity logging and monitoring, exfiltration attempts go unnoticed until the attackers themselves decide to notify the victim for direct financial gain, depletion of public trust, or ransomware. Most mitigation techniques do not usually work against exfiltration for this reason.
Business impact
- Loss of IP, and sensitive data belonging to customers and business partners
- Loss of customers', partners', and employees' trust
- Regulatory actions and financial fines
Mitigation measures
- Logging, monitoring, and detection capabilities to prevent exfiltration per the cloud service provider's best practices guides
- Employee awareness training on cloud storage provisioning, usage, and privilege management
- Client-side encryption to ensure sensitive data is never stored in the clear
Recent incidents
- June 2021: More than 533 million Facebook accounts' data was exfiltrated and posted for free download on a hacker forum.
- April 2022: An AWS RDS vulnerability, though addressed now, could have exposed internal credentials.
Threat summary
Summary
Congratulations, you've made it this far!
We've examined all eleven threats from the Top Threats to Cloud Computing report. We looked into what each threat means, its business impact, potential mitigation measures against it, and some recent examples of incidents related to it. Hope you find them useful for your cloud-related projects!
Also Published Here