With the cloud now widely adopted, many still appear to be unaware of the vulnerabilities they’re encountering and the steps to take to prevent them. Amit Tailor, Director, Systems Engineering, Palo Alto Networks, says that cloud security is possible but will only be achieved by taking systematic steps to strengthen your cloud cybersecurity posture.
It’s undeniable that rapid cloud adoption by organisations across all continents is not slowing down. Yet, even as cloud computing capabilities mature and expertise is accumulated, the complexity of the technology is increasing inadvertent cybersecurity risks by introducing vulnerabilities and misconfigurations.
An insight into this challenge comes from Unit 42’s seventh study into the cloud cybersecurity of thousands of organisations worldwide, which revealed unpatched vulnerabilities continue to plague cloud computing. The study found nearly two-thirds (63%) of the codebases in production have unpatched vulnerabilities rated high or critical and 11% of the hosts exposed in public clouds also have high or critical vulnerabilities.
What lies behind these shortcomings in cloud cybersecurity is how technology and security teams are struggling with the technology. The same set of risky behaviours is repeated even among experienced teams, which include unrestricted firewall policies, exposed databases and unenforced Multi-Factor Authentication (MFA).
The reason for the persistence of these security errors is doing the security remediation work is time consuming and problematic. From what security teams have shared with us, over half (60%) of organisations take more than four days to fix security issues. When a security alert appears, security teams can often take several days to resolve it. Given how a threat actor can exploit newly disclosed vulnerabilities in a matter of hours, the fact that it can take days to remediate an alert is a cause for serious concern.
As organisations evolve from their early steps into cloud via the lift and shifting of on-premises applications to adopting properly cloud-native applications, there is an opportunity for revisiting cloud cybersecurity. However, this will only happen with organisations taking systematic steps to strengthen their cloud cybersecurity posture, on top of dealing with persistent cyber hygiene issues that have bedevilled cloud cybersecurity for years.
A prime difference in cloud-native computing is how it adds incredible dynamism to cloud workloads. The most recent data we have on this is striking. In our State of Cloud-Native Security report, two-thirds of all organisations surveyed say that deployment frequency has increased or significantly increased over the past year. Also, 38% of enterprises deploy code to production or release to end-users every day, with 17% deploying multiple times a day.
To ensure these updates and deployments are secure, security needs to be embedded in a fast-moving development environment. Most developers are aware of their greater security responsibilities, but clearly, their prime job is to deliver new code that answers commercial needs and must be deployed rapidly. These dual demands are exposing a new tension in cloud cybersecurity where security and developer teams are rightly turning to tools for security assurance but are finding that over-tooling is making life harder and even creating security problems.
Again, our State of Cloud-Native Security survey shows that almost three-quarters of organisations feel the number of cloud security tools they use creates blind spots that affect their ability to prioritise risk and prevent threats. What makes this even more concerning is that more than 60% of the organisations surveyed have operated in a cloud environment for more than three years.
So how can organisations who are growing their cloud environments keep pace with cybersecurity?
Any solution needs to recognise the challenge faced by everyone involved. Security teams must help app teams secure their workloads while also securing a cloud environment that is getting ever more complex and made up of multiple layers including infrastructure, networks, VMs, containers, serverless functions, data, APIs, web apps, code, open-source libraries and much more.
With all that in mind, there are five steps that I would recommend:
- The payoff from embedding security early in the application life cycle is huge because it cuts the risks in production massively. However, for it to be successful, security teams need to clearly understand how their organisation builds and deploys code and applications in the cloud. Knowing this, they can identify where it is least disruptive to inject security into a CI/CD pipeline.
- Eliminating blind spots is crucial and can be achieved through ensuring comprehensive visibility over cloud environments. This starts with discovering cloud assets and identifying and fixing misconfigurations and vulnerabilities. But there also needs to be constant vigilance to track strange or suspicious behaviours that suggest a security compromise. Visibility is continuous and near real time, so a team can answer security questions relating to who, what, when and where.
- Research keeps on telling us there remains too many unpatched vulnerabilities in cloud environments but a crusade to fix these will not be enough to prevent threats. This means applying threat prevention tactics that block zero-day attacks and when there is a breach prevent lateral movement by hackers. Calculate permissions across your cloud resources to follow best practices for least-privilege access and wrap prevention solutions around all mission critical applications.
- Avoid falling into the trap of getting a new piece of security technology for each new immediate use case. This increases the sprawl of security tools that don’t interoperate that well, which burden rather than empower security teams and make it harder to see what is really going on. A better approach is to step back and review an organisation’s cloud adoption goals over the coming years to find solutions that can truly meet priorities both today and in the future.
- Over-tooling is a growing problem in cloud cybersecurity. Consider tool consolidation to progress all the above steps. For security teams this can help automate correlation and tackle the most important security issues across the application life cycle. It should also lead to faster identification and resolution of security issues and alerts, slashing the time needed to respond to threats. Unifying data and security controls onto one platform helps align an organisation’s cloud journey with security. A common platform brings together security and developer teams on a common goal of building, improving and running successful cloud environments.
Migrating to public cloud providers offers organisations not only agility and scalability, but also better security than on-premises data centres can replicate. Modern security features do a great job in securing cloud workloads but only if implemented correctly and managed well.
The challenges of cloud cybersecurity are arising from how the speed of adoption is hitting up against the increasing complexity of managing hybrid and multi-cloud technology stacks. Some organisations are finding it hard to keep pace and inadvertently introducing security weaknesses. The good news is that modern approaches to cloud cybersecurity can remedy these issues and be an enabler for organisations to thrive in their chosen cloud environments.