Marauding Through The Shadows
As we have been trying to point out this and last week, the cloud as an opportunity gateway for cybercrime and broad vulnerability exploit places it squarely in the first place as human error targets – folks who use the cloud in private contexts (with data and credit cards) continually, while unwittingly raise the stakes for cybersecurity failure.
The Shadow IT Brokers.
We spend online learning calories in security awareness training, but are these the guys doing the bulk of the damage?
How about in addition, we start spending on Shadow IT training? Today, based on the training and competency of our shadow IT operators, we create myriad blind spots in, among other places, access management.
Identity in the Cloud
Cloud providers offer lots of assistance in IAM layer configuration, but even experienced practitioners fall prey to misconfigurations, poor credentialing practices, unpatched security bugs or other hidden doors to our assets. Now, as we continue our progressive march to the cloud, we need to step up our game or bad actors will simply and easily take advantage of access flaws, excessive trust and misconfigurations and will soon be camping out everywhere along our network corridors.
Don’t think so?
Perhaps you believe that Xi Jinping is only a business partner.
We must all be bored now with the reminder that COVID-19 changed everything we knew about perimeters and network layers – now, IAM is our only hope and as with all things security, we stood by watching while the conditions gave rise to a blanket IAM began to materialize.
We have the conditions. We don’t have the solution.
The enthusiasts among us sing the praises of cloud security loudly enough so that even the hearing impaired can’t avoid it, yet lifting the covers only so slightly reveals a world of intense complexity, difficult rules, exploding permissions and expanding access all created by the Internet, open-source, and APIs for which software-as-a-service (SaaS) apps have created demand. We ignore it and hope for the best or are completely unaware of it and accept the outcome (not sure which was the case with Cap-1, but either way, a really bad day for everyone involved).
Complexity and Permissions
And, by the way, Cap-1 spent well over the amount incurred by its loss ($150 million) in recovery from what was nothing more sinister than an improperly configured cloud server. This enabled the attacker to provide herself free-roaming credentials with unlimited access across all Cap-1 systems.
What has changed with the cloud is that while we have always inadvertently provided bad guys with tokens or credentials, either via phishing or some other approach, the on-prem world essentially limited damages to what was accessible locally. Cloud resource changed that whole game.
The complexity issue is hugely frightening because not only do we not understand what we have now, but in addition, the space continues to expand – every minute/hour/day/week/etc., and affects machine entities, not just humans. Machine entities are used to access cloud APIs using API keys; enable serverless applications; automate security roles (i.e., cloud access service brokers or CASBs); integrate SaaS apps and profiles with each other using service accounts; and the identities and permissions of every virtual machine, container and other cloud workloads also have to be managed.
Identities: Not Just Human
Most companies have more machine identities than employees, yet they don’t have good visibility into what those workloads are doing. Microsoft currently sees its customers’ workload identities growing at twice the pace of humans.
Microsoft claims to have blocked almost 26 billion identity attack attempts in 2021, while Akamai blocked 193 billion credential attacks in 2020, an increase of 310% from 2019.
Identity attacks go beyond credential stuffing and phishing. As companies move to adopt multiple cloud platforms for redundancy and resilience, attackers are exploiting the seams between clouds and looking for weaknesses presented by the massive surge in workload identities.
The capabilities of those workloads are also not well managed. The vast majority of Amazon workloads — 90% — are using less than 2% of their granted privileges, which means that companies have to factor in human and non-human identities and it’s no longer adequate to say, well, I am covered by MFA, so it’s all good.
No, you’re not and no, it isn’t.
Feed the Beast
In case our threat landscape is not sufficiently compromised, we now know that more than 9 in 10 businesses have committed to a multi-cloud strategy, according to “2021 State of the Cloud Report,” released by cloud management firm Flexera last year.
Asking to solve for the management of a giant attack surface with a Frankenstein assembly of Azure, AWS, Oracle, VMware on-premise alongside whatever GCP is doing sounds suicidal to us.
But doing all of that while Mr. Shadows roams the halls in search of some more hybrid cycles and storage moves it to another whole level.
To learn more about what you need to know in cloud computing, join us in our upcoming launch, learn some cool stuff that will keep you safe, and get insider news before it’s public: https://cybered.io/.
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.