By Nick Bourke, Senior Security Engineer, Tenable
A multi-cloud strategy involves utilising services from different cloud providers, which can lead to a more extensive attack surface because the potential for vulnerabilities also expands. Additionally, integrating multiple cloud providers may require connecting various networks, which can create potential entry points for attackers. It is not surprising then that Indian organisations have identified the potential for security and risk management among the most pressing challenges when adopting multi-cloud environments.
In fact, 59% of organisations in India stated that cloud-based pathways are a major concern. The infamous Log4j vulnerability was regularly abused by various malware families and threat actors. For example, the Kinsing Trojan exploited the Java Log4j package vulnerability CVE-2021-44228 to disable a device’s security and cloud service agents and kill any rival malware and cryptocurrency miners on the target system before deploying its own crypto miner. The use cases keep growing. Cloud security is often riddled with misconceptions about who is responsible for security, leading to a lack of attention to the most concerning areas that require the CISO’s focus.
Misconceptions about shared responsibility
Inadequate security measures: Cloud security has relied on the shared-responsibility model, and organisations often assume that the onus of security lies with the provider alone. This assumption can result in the neglect of critical security tasks, which can leave the organisation’s data and applications vulnerable to cyber threats. Besides, cloud providers may not be able to provide the level of security required by specific compliance regulations or internal security policies. Organisations must ensure that they understand the compliance requirements and security policies that apply to their data and applications, and that they work closely with the cloud provider to ensure that these requirements are being met.
Inaccurate security assessments: As common misconceptions about who is responsible for security prevail, organisations may end up not conducting regular security assessments of their cloud environment to identify cloud misconfigurations and vulnerabilities. Without regular and continuous assessments, they will fail to identify existing security gaps and end up in a position where they cannot effectively mitigate risks in their cloud environments. This could lead to failure in monitoring cloud environments for security incidents and data breaches, resulting in delayed response times and increased damage from cyberattacks.
What aspects of security are cloud service providers responsible for?
There is often a misconception that public cloud services aren’t secure enough. Contrary to popular belief, public cloud service providers have invested heavily in security measures and have teams of security experts working to protect their infrastructure and customers.
While data breaches can occur in any environment, public cloud providers typically have more robust security measures in place than many organisations have in their on-premises environments.
It is true that organisations are responsible for securing their own data and applications in the cloud. But public cloud providers offer a range of security measures including the physical security of data centres, network security, and the virtualization layer. They typically offer compliance certifications for a wide range of industry regulations, including HIPAA, PCI DSS, and GDPR too.
While cloud service providers offer a layer of security, it doesn’t cover all aspects, because these depend on the type of organisation and its specific compliance norms, and because the criticality of assets varies with each organisation. When it comes to cloud security, organisations need to focus on:
Remediating misconfigurations: Cloud misconfigurations are a common issue that can result in security vulnerabilities. Many organisations assume that the cloud service provider will configure their environment to be secure by default, but this is not always the case. Organisations need to continuously monitor the cloud and properly configure their own cloud environment to ensure that they are secure.
Compliance: While cloud providers offer many compliance certifications, it’s the responsibility of organisations to ensure that they are compliant with regulations and standards that apply to their own data and applications. Simply moving to the cloud does not automatically make an organisation compliant.
Gaining complete visibility: One of the reasons why multi-cloud environments are challenging to secure is the lack of visibility into them, as they are often more distributed and dynamic than on-premises environments. This can make it harder to identify security issues and take remedial action. But the onus is on organisations to gain full visibility into their attack surface, and the best way to go about it is exposure management. Security teams are often constrained by siloed, incomplete attack surface views, and must rely on just-in-time detection and response to react to attackers’ moves. With exposure management, organisations can gain a holistic view of their attack surface and also prioritise security efforts accordingly.
Among the major reasons why cloud security seems daunting is that organisations may not fully understand the security risks associated with their cloud environment and are unable to prioritise security controls and policies. Organisations often believe that cloud security is too complex and may not allocate the necessary resources to properly secure their cloud environment. This also leads them to prioritise convenience over security, which can result in a lack of proper security controls, leading to incomplete visibility into the attack surface.
Organisations cannot secure what they don’t know, leaving them vulnerable to new and evolving security threats. Organisations need to understand the shared responsibility model to know which areas of cloud security to invest in and how to craft security strategies accordingly. While the provider is responsible for the security of the cloud infrastructure, including the physical security of data centres, network security, and the virtualization layer, organisations are responsible for the security of data, apps, and operating systems running on the cloud infrastructure. Cyber adversaries are well aware of these misconceptions and they will not shy away from leveraging the gaps that arise. Organisations need to make the necessary changes in technologies and policies to ensure their cloud environments are secure or risk being a target.