Cloud Services Under Attack: Closing the Virtual Open Doors to Cyber Crime

With the new hybrid-working model we see organizations increasingly moving more of their workload settings to the cloud. While this transformation offers great agility and scalability benefits, it comes with inherent and increased risks to security and compliance. A simple configuration error can result in your entire organization being exposed to threat actors who no longer need to break into your data center to access your critical data or conduct ransomware attacks.

Gartner predicts that by 2025, 99% of cloud security issues will be a result of human error when configuring assets and security in the cloud. At a time when organizations are becoming increasingly dependent on third-party cloud vendors such as AWS, Microsoft Azure, IBM and Google Cloud Platform to securely manage their data, concern around misconfigurations and other vulnerabilities in the cloud is likely to amplify quickly. What’s more, many of the organizations finding themselves at risk have had to accelerate their digital transformation initiatives at an uncomfortable pace over the past two years, resulting in knowledge and talent gaps that only add to their fears around cloud security.

Under the shared responsibility model – a security framework designed to ensure accountability for compromised data and other incidents – the cloud provider will offer basic cloud security, but it’s up to businesses themselves to secure their own data within the cloud. To put it another way, if cloud providers ensure the town gates are locked and the perimeter is well guarded, it’s still up to businesses to ensure their own doors are locked. That’s no mean feat, particularly when you consider that many large enterprises now rely on three or four cloud platforms as part of a multi-cloud strategy.

Attacks on cloud service providers are ramping up

As outlined in our 2022 Security Report, the previous year has seen a tidal wave of attacks that exploit flaws in the services of industry-leading cloud providers. For the cybercriminals involved, the end goal is to gain full control over an organization’s cloud infrastructure or, worse, an organization’s entire IT estate, including its proprietary code and customer records. Needless to say, this can have a devastating impact on the businesses affected and they’re quite right to be concerned.

The kinds of flaws we’re talking about here aren’t logic or permission-based flaws derived from an organization’s control policy that threat actors might use to gain unauthorized access and escalate privileges. This could at least be pinpointed and dealt with by the organization in question. Instead,

these flaws tend to be critical vulnerabilities within the cloud infrastructure itself that can be much more difficult to guard against.

Take the OMIGOD flaw, for example, which broke the floodgates when it came to attacking cloud services in 2021. In September, four critical vulnerabilities were discovered in the Microsoft Azure software agent that enabled users to manage configurations across remote and local environments. An estimated 65% of Azure’s customer base was made vulnerable by this exploit, putting thousands of organizations and millions of endpoint devices at risk. Through this OMIGOD flaw, threat actors were able to execute remote arbitrary code within an organization’s network and escalate root privileges,

effectively taking over the network. As part of its September 2021 update, Microsoft addressed the issue but the automatic fix that it released appeared ineffective for several days. Further flaws were exposed

in Microsoft Azure’s cloud services throughout the year, including the “ChaosDB” vulnerability which allowed cybercriminals to retrieve several internal keys used to obtain root privileges that would eventually enable them to manage the databases and accounts of targeted organizations. Businesses made vulnerable by this particular “open door” included Coca-Cola, Skype and even security specialist, Symantec.

It’s likely that there will be many more cloud provider vulnerabilities in 2022 but fortunately there are things within an organization’s control that can mitigate the risk.

Locking the doors and bolstering internal security

Tightening cloud security isn’t just about having the right products and services in place, it’s also about nurturing a security-first mentality within an organization as a whole. Regardless of what a service level agreement between an organization and cloud provider might say, the onus ultimately falls on the

organization to make sure its customers’ records and other important data are protected.

So, before moving mission-critical workloads into the cloud, organizations must ensure that the “doors” to their applications and data are firmly locked. That means getting identity and access management finely tuned, implementing the principle of “least privilege” so that data is only accessed by humans and applications on a strictly need-to-know basis. It also means better segmentation of networks and use of firewall technology to ensure that sensitive data can be appropriately siloed and guarded where necessary.

Cloud security is complex, and with multi cloud environments it gets even more complex. So, think about consolidating all your cloud security across all cloud vendors into one solution that monitors all malicious

activity and reduces the workload by automating common tasks like policy updates. In an ideal world this would mean a ‘single pane of glass’ approach to security management across all your cloud assets so that you can keep a closer eye on security incidents and focus your effort on those of greatest concern.

Any cloud security solution is only as good as the intelligence engine behind it so ask your vendor how they stay on top of emerging and Zero-day threats. At Check Point we have the ThreatCloud which monitors millions of network nodes across the world and uses over 30 AI technologies to identify threats in real time so that they can be blocked before they get onto your cloud, or indeed on-prem network or end user devices.

And finally introduce security at the earliest stage of application development. You do not want security checks to slow down your DevOps unduly and delay application rollout but equally you cannot afford to cut corners on security. A DevSecOps approach that allows you to scan code for misconfigurations or even malware as part of the DevOps process will ensure that you don’t ‘bake in’ vulnerabilities at the outset.

The shift to the cloud is only going to accelerate as organizations realize the benefits it brings in terms of competitive advantage, agility and resilience so now is the time to take a responsible approach to security and compliance and scale up your cloud security. It’s a challenging and complex task but the good news is that there are solutions to not only lock down your cloud network but also ways, using AI and automation, to reduce the workload of detecting and preventing threats, even the ones that have yet to be devised. Finally, this can be done at speed…. it’s all in the cloud!