INTRODUCTION – CLOUD PROLIFERATION
There are many benefits of moving to the cloud, such as:
- business productivity,
- quick turnaround time to implement new business applications,
- low capital expense of resources,
- low maintenance cost,
- unlimited processing and storage resources to tap on,
- benefit from advanced PaaS and SaaS capabilities like big data/analytics/machine learning, IOT/real-time streaming etc., and
- “Pay-as-you-go” model
Moreover, with the further impetus of the pandemic COVID, more organizations, employees and meetings demand the flexibility to work remotely from home and public internet hotspots.
Table 1. Worldwide IaaS Public Cloud Services Market Share, 2020-2021 (Millions of U.S. Dollars) Company
| Company | 2021 Revenue | 2021 Market Share (%) | 2020 Revenue | 2020 Market Share (%) | 2020-2021 Growth (%) |
|---|---|---|---|---|---|
| Amazon | 35,380 | 38.9 | 26,201 | 40.8 | 35.0 |
| Microsoft | 19,153 | 21.1 | 12,659 | 19.7 | 51.3 |
| Alibaba | 8,679 | 9.5 | 6,117 | 9.5 | 41.9 |
| 6,436 | 7.1 | 3,932 | 6.1 | 63.7 | |
| Huawei | 4,190 | 4.6 | 2,681 | 4.2 | 56.3 |
| Others | 17,056 | 18.8 |
12,697 | 19.8 | 34.3 |
| Total | 90,894 | 100.0 | 64,286 | 100.0 | 41.4 |
Source: Gartner (June 2022)
However, the transition to cloud introduces changes to the security threat landscape. In this brief writeup, we will look at some of the changes of threat landscape in the cloud environment.
CHANGES OF THREAT LANDSCAPE WHEN ADOPTING CLOUD
Security Controls Need to Follow Wherever Applications and Data Go
Before moving to the public cloud, organizations have their applications and data on-premises within their datacenters or private cloud. Naturally, their security controls for traffic, applications and data are also physically located in the datacenters, within the four walls.
However, as more organizations are migrating their on-premises, organization applications and data to public cloud, there arises a need that the security controls follow wherever the data goes otherwise existing protection is no longer relevant and effective.
As an analogy, a castle is protected by a surrounding fort and moat. But when the castle moves to the cloud, it makes no sense for the surrounding fort and moat to stay behind.
Attack Surface is Increased Depending on the Complexity of the Cloud Environment
In a complex cloud environment, there could be a large mix of managed applications, unmanaged applications, public cloud, private cloud, hybrid cloud, different user groups and partners, different mobile devices, and different work instances such as personal and corporate instances. Depending on the cloud environment, this complexity can exponentially increase the attack surface if the cloud environment does not undergo proper review and security calibration.
Exposure to Internet potentially lead to more Attacks against Applications
As the attack surface increases, so does the number of attempts by hackers to breach it.
Even if the cloud environment is highly secure at the infrastructure level, applications that do not follow strict security guidelines during development are potentially left open to security exploits.
In a previous on-premises environment, the emphasis of internet communication is at network and transport layers. As a result, security controls like the traditional firewalls mostly focus their protection at these levels.
For cloud environments, the Open Web Application Security Project (OWASP) foundation identifies a list of common threats that application developers are not always aware of.
As an example, the common use of Javascript/REST API/JSON in recent years, with heavy adoption of cloud services, lead to an increasing number of cyber-attacks that traditional firewalls cannot easily address.
Setting up a Cloud landing zone is not difficult and can lead to security shortcuts
Traditionally, Ops and Developers used to work in isolated silos, mostly because of the required skills needed to setup IT infrastructure. Setting up a landing zone in a Cloud platform is much more accessible and faster to deploy for the developers themselves – but they are not always properly trained on security best practices.
Inadvertent & Intentional Cloud Misconfiguration are Not Uncommon
During the migration phase, a lot of changes and configurations on the cloud are taking place to ensure that the end-to-end applications and solutions work successfully. After the migration to the cloud, during the in-life phase, change requests, approvals and implementation continue to take place owing to changes of business needs. As such, it is not uncommon that inadvertent misconfiguration can take place. Therefore, there is a need to continuously check and monitor the compliance of the cloud configuration. For example, an access policy for a cloud application was not removed after a testing phase completed, leaving the application exposed to the internet. Another example is when a malicious insider, such as an administrator or authorized partner intentionally misconfigured a cloud policy, creating a back door into the cloud environment.
Traffic that is Inadvertently Not Steered to Security Cloud Tenant for Enforcement
One common threat in a cloud environment can take place when a traffic channel is accidentally and unknowingly left out during migration and subsequently not steered to the cloud security tenant for protection enforcement. Consequently, this un-steered traffic channel is open to attackers for exploitation or exfiltration of data.
SOLUTIONS TO MITIGATE THE SECURITY THREATS OF CLOUD ADOPTION
As explained above, the cloud threat landscape is vast and continuing to evolve. As a result, there are many solutions available to address your organization’s cloud risks, such as, implementing vendor security best practices, integrating security into the application development process or adopting a cloud security framework such as Secure Access Service Edge (SASE).
If your organization’s cloud risk exposure is keeping you up at night, please contact us and let Telstra Purple Security help you through this.