The Biden administration sees risks in the cloud, but users must secure perimeters


President Joe Biden’s administration, as part of its recently released National Cybersecurity Strategy, said critical sectors such as telecommunications, energy and healthcare rely on the cybersecurity and resiliency of cloud service providers.

However, recent reports suggest that the administration has concerns that large cloud service providers present a huge threat surface—a surface through which an attacker could disrupt public and private infrastructure and services.

This concern is hard to dispute, given the monolithic nature of the field. Research firm Gartner, in its latest look at the global cloud infrastructure-as-a-service market, put Amazon at the top with revenue of $35.4 billion in 2021, and broke down market share as follows:

  • Amazon: 38.9%
  • Microsoft: 21.1%
  • Alibaba: 9.5%
  • Google: 7.1%
  • Huawei: 4.6%

Synergy Group reported that together, Amazon, Microsoft and Google accounted for two-thirds of cloud infrastructure revenue in the three months ended September 30, 2022, with the eight largest providers controlling more than 80% of the market, translating to three-quarters of internet revenue.

Focus on cloud service providers?

The administration’s report noted that threat actors use the cloud, domain registrars, hosting and email providers, and other services to conduct exploits, coordinate operations, and spy. In addition, it advocated for regulations that would lead to the adoption of secure-by-design principles and would define “minimum expected cybersecurity practices or outcomes.”

It will also “identify gaps in policies to promote better cybersecurity practices in the cloud computing industry and for other key third-party services and work with industry, Congress and regulators to close them,” according to the administration’s report.

Whether the administration is talking to CSPs that control traffic across vast parts of the world wide web with the goal of regulating their security practices may be moot, since CSPs already have strong security protocols in place, noted Chris Winckless, senior analyst director at Gartner.

“Cloud providers appear by all accounts to be extremely secure in what they do, but the lack of transparency about how they do it is a concern,” said Winckless.

But Winckless also said there are limits to durability, and the buck ultimately lands on the client’s desk.

“The use of the cloud is not secure, either by individual tenants, who do not configure well or design for resiliency, or by criminals/national actors, who can take advantage of the dynamism and pay for the flexibility model,” he added.

Cloud providers already offer enough

Chris Doman, chief technology officer at cloud incident response company Cado Security, said the big cloud service providers are already the best at managing and securing cloud infrastructure.

“To question their abilities and conclude that the U.S. government would ‘know better’ when it comes to safety regulations and guidelines would be misleading,” Doman said.

Imposing know-your-customer requirements on cloud providers may be well-intentioned, but risks pushing attackers to use services far removed from law enforcement, he said.

The biggest threat to cloud infrastructure is natural disaster, not technology failures, Doman said.

“The financial services industry is a great example of how a sector diversifies activity across multiple cloud providers to avoid single points of failure,” said Doman. “Critical infrastructure entities that are modernizing to the cloud need to think about disaster recovery plans. Most critical infrastructure entities are unable to fully transition to multi-cloud, limiting exposure points.”

Cloud customers must implement security

While the Biden administration said it would work with cloud and internet infrastructure providers to detect “malicious use of US infrastructure, share reports of malicious use with the government” and “make it easier for victims to report abuse of these systems and… more difficult for malicious actors to gain access to these resources in the first place,” this could pose challenges.

Mike Beckley, founder and chief technology officer of process automation company Appian, said the government is right to sound the alarm about the vulnerability of government systems.

“But it has a bigger problem, and that’s that most of its software isn’t from us or Microsoft or Salesforce or Palantir, for that matter,” Beckley said. “It is written by a low-cost bidder on custom contracts and therefore violates most of the rules and restrictions we operate as commercial providers.

“What the government thinks it’s buying changes every day, based on the least experienced or least qualified, or even the most nefarious contractor who has the rights and permissions to upload new libraries and code. Each of these custom code pipelines has to be built for each project and is therefore only as good as the team that makes it.”

It is up to customers to defend themselves against major cloud-based threats

Bad search is a big ask for CSPs like Amazon, Google and Microsoft, said Mike Britton, head of information security at Abnormal Security.

“Ultimately, the cloud is just another fancy word for external servers, and that digital space is now a commodity — I can store petabytes for pennies on the dollar,” Britton said. “Now we live in a world where everything is based on APIs and the Internet, so there are no barriers like there used to be.

“There is a shared responsibility matrix where the cloud provider handles issues such as hardware OS patches, but it is the customer’s responsibility to know what they are dealing with publicly and opt in or out. I think it would be nice if there was the equivalent of a ‘no’ failsafe that asked something like ‘Did you want to do this?’ when it comes to actions like making storage bins public.

“Taking your 50 terabytes in an S3 storage bucket and accidentally making it publicly available is likely to shoot yourself in the foot. So cloud security posture management solutions come in handy. And consumers of cloud services need to have good processes in place to ensure that.”

Major threats to your cloud operations

Check Point Security’s Cloud Security 2022 report listed the top cloud security threats.

Incorrect configurations

Misconfigurations are a leading cause of cloud data breaches, and organizations’ cloud security posture management strategies are inadequate to protect cloud-based infrastructure against them.

Unauthorized access

Cloud-based deployments outside the network perimeter and directly accessible from the public Internet facilitate unauthorized access.

Insecure interfaces and APIs

CSPs often provide a number of APIs and interfaces for their customers, according to Check Point, but security depends on whether a customer has secured the interfaces for their cloud-based infrastructure.

Account theft

Not surprisingly, password security is a weak link and often involves bad practices such as password reuse and using bad passwords. This issue exacerbates the impact of phishing attacks and data breaches by allowing a stolen password to be used across multiple different accounts.

Lack of visibility

An organization’s cloud resources reside outside the corporate network and operate on infrastructure that the company does not own.

“As a result, many traditional tools for achieving network visibility are not effective for cloud environments,” Check Point noted. “And some organizations lack cloud-focused security tools. This can limit an organization’s ability to monitor its cloud-based resources and protect them from attacks.”

External data sharing

The cloud makes it easy to share data, either through an email invitation to a partner or through a shared link. This ease of data sharing poses a security risk.

Malicious insiders

Although paradoxical given that insiders are on the perimeter, someone with malicious intent may have authorized access to an organization’s network and some of the sensitive resources it contains.

“In the cloud, detecting a malicious user is even more difficult,” Check Point’s report said. “With cloud deployment, companies lose control of their underlying infrastructure, making many traditional security solutions less effective.”

Cyberattacks as big business

The goals of cybercrime are primarily driven by profitability. Cloud-based infrastructure that is publicly accessible from the internet may be inadequately secure and may contain sensitive and valuable data.

Denial of service attacks

The cloud is essential to many organizations’ ability to do business. They use the cloud to store business-critical data and run important internal and customer-facing applications.

Ethical hacking can secure cloud and on-premises operations

It is important for organizations to secure their own perimeters and to conduct internal and external vulnerability testing at a regular pace.
