The growth of the cloud has brought with it challenges in tracking the status of key digital assets – or indeed knowing where they actually are – as well as ensuring they are appropriately secured when sitting on or being accessed by a cloud service.

Cloudy with a Chance of BreachesCloud security is a behemoth of an undertaking for organizations today. Cloud adoption and migration is moving at light speed, faster than cybersecurity and IT teams can often keep pace with. As a result, risks such as shadow systems and access privilege sprawl are among the common occurrences exacerbated by the growth of cloud. At ISC2 Security Congress 2024 in Las Vegas, Anton Abaya of Converge Technology Solutions and his vCISO colleague Chris Bullock, CISSP, addressed these and other related issues in Cloudy with a Chance of Breaches: Where Company Crown Jewels May Be Hiding and At Risk.

Are the company crown jewels at risk? “Most certainly,” said Abaya. Reflecting on his past life as a pen tester, he made it absolutely clear that the growth of cloud has brought with it a growth in threats. “During a lot of the penetration testing engagements I was seeing,” he said, “one thing that I found was that every time I was domain admin or global admin, I found that part of the root causes and some of the issues that we were seeing were cloud security issues. And that was really just the tip of the iceberg”. These observations led to Abaya creating a new cloud security assessment methodology.

The numbers presented backed up Abaya’s observations, estimating that by 2029 the cloud security market will easily have topped $100billion, with a growth rate around 18% per year. But he expressed surprise – and concern – that many of the cloud-based application providers he had spoken to had admitted to a lack of certification: the common theme he cited of SaaS-based application providers whom he asked whether they held, say, CMMC level 2 or PCI-DSS certification was “No, but we’re working on it”. There was a similar story with companies consuming cloud services: one survey said that 45% of breaches were cloud-based. “43% of organizations are in their early stages or had not started applying security practices to safeguard their cloud environment. That is truth, and that is what we are seeing as well, from a pen testing perspective, that's how we're getting in from an attacker perspective, in every breach that you see right now, that’s really it”.

Statistics aside, though, why is cloud insecurity happening? First on the list was credential compromise. Some 35% of breaches in Abaya’s data came from compromised credentials. A further 27% were down to cloud misconfiguration – something that is easy to believe in the latter case, incidentally, because system administrators used to “traditional” physical and on-premise virtual hosting have a learning cliff to scramble up in order to use the cloud securely.

Speed over Security

The desire for fast deployment was also cited as a threat. Spinning up servers and virtual infrastructure in the cloud is far easier than we were used to in the days when waiting for equipment to arrive, racking and cabling it, installing the operating system and so on. Right click, new server, done. “There's a lot of things happening very quickly”, said Abaya, “and with that, as we know, comes risk. We [pen testers] love it when developers do Agile methodologies, because I have a lot of findings, usually from a pen test perspective or even from an audit perspective”. Fast deployment equals market advantage, after all, and the ballooning number of companies with “cloud first” strategies contributes greatly.

Police-detective-turned-pen-tester-turned-CISO Bullock explored the audience’s attitude to data. “How many people are actually discovering the data that they have and have a data classification handling standard and policy?” he asked, observing the number of hands that went up as “definitely not enough”. He went on: “You want to make sure that you actually implement that data classification handling piece and then operationalize it to make sure that you actually are protecting your data”, noting that there are plenty of automated tools around to help organizations do that.

Shared responsibility matrices also got a mention: all the major cloud providers have documentation explaining to customers who is responsible for what – that is, where the cloud provider’s security responsibilities end and the tenant’s begin. A common mistake is for tenants to miss out elements that are actually down to them.

Bullock dug into the data element a little further – specifically data flows. Having established what data we have, and where it resides, do we have diagrams of how it flows in, out and around our systems? “When you look at all these different services that are being used, multiple cloud services,” he said, “you’ve got to know where your data is going”.

IT Hiding in the Shadows

Everyone’s old favorite also got a mention: shadow IT. Abaya reflected on a pen test from a while ago: “[The client’s] on prem was really good, right, because we solved this a long time ago … cloud not so much. Why? Shadow IT. They set it up. They just want their app to work. And they were able to get away with it because they had a bigger budget, right? Usually, marketing! They have all these brilliant ideas, all these new ways to make money for the company, and nothing's going to stop them, because at the end of the day, the board wants revenues, right? But they were gambling there, right?”. Examples abound of this kind of shadow IT – or we could call it shadow data: one example cited was of 20million+ pieces of personally identifiable information (PII) in the cloud with the security team knowing nothing of its existence.

Abaya had a clear focus on the downsides of allowing non-technical people to have privileged access to systems. “We love marketing,” he smiled, “They usually have full admin rights to the CMS that controls the website … great place for an attacker to start. Compromise their accounts, and now you have a way in to inject new code on their website”.

Technical personnel did not escape Abaya’s criticism, though. “Developers love to use personal accounts on GitHub, right? What we found was they had a lot of developers publishing company code on public, publicly accessible repos”. And this means not just code but also sensitive security elements such as API keys. There are tools that make it trivial to search for such secrets so they can be misused.

The undertone of Abaya and Bullock’s presentation was clear: on-premise systems and cloud systems are wildly different, and this brings benefits to attackers. Aside from the presenters’ list of takeaways (do proper identity management, govern data properly, log plentifully, use tools to help you, and so on) the CISOs watching will have finished up with one or more of several thoughts going through their minds.

Cloud Security Considerations

First, the cloud is connected to the internet: it is much easier to configure a cloud service – deliberately or accidentally – to be visible from the internet than it is to poke a hole through the firewall of an on-premise infrastructure.

Second, it is unwise to allow non-technical people to run cloud services – it is trivial to sign up to a SaaS application that would be impossible for a non-techie to run up on-prem, but doing so securely is impossible for people who don’t understand security.

Third, there is a difference between dropping a sensitive file (sensitive data, hard-coded keys, even PCAP files of recorded network traffic) on a LAN-based server and doing the same on a cloud server – because of the potential for accidental exposure in the first item, above.

Fourth, cloud services are different from on-prem services, so even a skilled on-prem system engineer will have a lot to learn before he or she can work securely with cloud services.

Fifth, pen testers love the marketing team … but for all the wrong reasons.