Beating the Barbarians in the Cloud
As the cloud continues to be an essential asset for all businesses, developing and maintaining high levels of cybersecurity is essential. As threat actors expand their capabilities and widen their targets, learn how your enterprise can repel these attacks.
In an increasingly digital world, businesses rely more than ever on cloud-based services to store, process, and manage their data. The cloud offers unparalleled flexibility, scalability, and accessibility, empowering organisations to innovate and adapt to changing market dynamics.
However, this shift towards cloud computing also brings new security challenges, as threat actors seek to exploit vulnerabilities and compromise sensitive information.
Sysdig's latest findings show that 91% of runtime scans fail. Organisations that embrace shift-left security scan early and often during development, aiming to find and fix flaws before delivery; yet with scans failing at that rate, teams are forced to lean ever harder on threat detection rather than prevention.
Meanwhile, only 2% of granted permissions are actually used, and identity management, for both human and machine accounts, is emerging as a neglected area of cloud security. Prominent breaches in 2023 that exploited excessive permissions make this a critical opportunity for companies to tighten their security posture.
Shorter container lifespans do not deter attackers. Cloud environments are uniform, and automated reconnaissance gives an attacker a rapid picture of them, exposing organisations to lateral movement. Even a vulnerability that exists only briefly is a significant risk in such a dynamic environment.
The proliferation of internet-connected devices through the Internet of Things (IoT) has expanded the attack surface for cyber adversaries. From smart homes and industrial control systems to wearable devices and autonomous vehicles, IoT presents a myriad of vulnerabilities that malicious actors can exploit. Compromised IoT devices can be used to launch attacks and serve as entry points into more extensive networks, enabling attackers to escalate their activities and infiltrate more sensitive systems.
In the corporate sector, businesses must adopt a proactive approach to cybersecurity, viewing it as an integral part of their risk management strategy. This entails conducting regular risk assessments, implementing robust security controls, and investing in employee training to mitigate the human factor in cyberattacks. Collaborative efforts between industry partners, information-sharing platforms, and government agencies can also help strengthen collective resilience against cyber threats.
For all enterprises, the spectre of the barbarians in the cloud looms large over the digital landscape, posing a significant threat to individuals, businesses, and nations alike. The rapid evolution of cyber warfare presents complex challenges that require concerted efforts to address effectively. By embracing a proactive and collaborative approach to cybersecurity, we can navigate the risks posed by cyber threats and safeguard our digital future against the barbarians in the cloud.
For Teleport CEO Ev Kontsevoy, cloud security is all about the permissions and how these are managed, as he explained to Silicon UK: “The answer is to have a single source of truth for policy (for everything). It’s an inconvenient truth that the software industry has lost the plot on who has access to what infrastructure across applications and workloads. At best, it ordinarily takes infrastructure heads days on average to trace all access relationships attributed to a specific user or resource. In today’s world of rampant cyberattacks, however, that’s not agile enough to intervene in threat incidents.
“Computing environments are so complex now that ensuring every engineer has the minimal required permissions for every computing resource is expensive and prone to error. Some cybersecurity practitioners are convinced that “enforcement is impossible” (quoting not one but two of our customers here), so they invest in observability instead. I’ve seen many companies end up in situations where they get lost in a flurry of user permissions configurations scattered across endless amounts of places.
“The only way to fix that is to have centralised policy in one place – a problem I would say that Teleport has already solved. We already provide users with a single text box where you can just type “developers must not have access to production data”, and systematically enforce this rule across all protocols and resource types, for humans and machines, for all data centres and cloud accounts.”
Repelling attacks
The rapid adoption of cloud services has expanded the attack surface for threat actors, providing them new opportunities to exploit vulnerabilities and gain unauthorised access to sensitive data. Misconfigurations, weak authentication mechanisms, and inadequate access controls are among the most common security weaknesses that threat actors exploit to compromise cloud-based assets.
One of the fundamental principles of cloud security is the principle of least privilege, which dictates that users should only be granted access to the resources and data necessary for their roles and responsibilities. By implementing strong access controls, businesses can limit the potential impact of a security breach and reduce the likelihood of unauthorised access to sensitive information.
This entails implementing multi-factor authentication (MFA) to add a layer of security beyond passwords, enforcing strong password policies, and regularly reviewing and updating user permissions to ensure they align with business requirements. Additionally, businesses should leverage identity and access management (IAM) solutions to centralise and automate the management of user identities and permissions across their cloud environments.
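The permission review described above is easy to state and tedious to do by hand. The following is an added example, not code from the article or from any vendor quoted in it, of how a reviewer can compare what a principal was granted with what the audit trail shows it actually invoked. The granted list and the usage list are constructed here for illustration; the `service:Action` naming is AWS-style, but the logic is provider-agnostic, and the list of "high-risk" actions is an illustrative assumption, not an authoritative catalogue.

```python
"""Least-privilege review: granted permissions versus observed usage.

Added example (not from the article). Inputs are constructed; in practice
GRANTED comes from the principal's attached policies and USED from the
cloud provider's audit log over the review window (e.g. 90 days).
"""
from fnmatch import fnmatchcase

# Constructed: permissions attached to one CI service account. Wildcards allowed.
GRANTED = ["s3:*", "ec2:DescribeInstances", "ec2:RunInstances",
           "iam:PassRole", "logs:CreateLogStream", "logs:PutLogEvents"]

# Constructed: actions the account actually invoked during the review window.
USED = ["s3:GetObject", "s3:PutObject", "s3:GetObject",
        "ec2:DescribeInstances", "logs:PutLogEvents", "logs:CreateLogStream"]

# Assumption for illustration: actions that are commonly useful for privilege
# escalation and therefore deserve attention when granted but never used.
HIGH_RISK = {"iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
             "iam:AttachRolePolicy", "sts:AssumeRole", "ec2:RunInstances"}


def grants_covering(action, granted):
    """Every granted pattern (possibly a wildcard) that permits a concrete action."""
    return [g for g in granted if fnmatchcase(action, g)]


def review(granted, used):
    """Classify grants as exercised or unused and propose an explicit replacement.

    Returns a dict with:
      unused        - grants nothing in the window exercised (in policy order)
      high_risk     - the subset of unused grants that are also escalation-prone
      uncovered     - used actions no grant permits (audit gap or policy drift)
      tightened     - wildcard grant -> explicit actions actually observed
      proposed      - the explicit action list to replace the current policy
      unused_ratio  - fraction of grants never exercised
    """
    used_set = sorted(set(used))
    exercised = set()
    uncovered = []
    for action in used_set:
        matches = grants_covering(action, granted)
        if not matches:
            uncovered.append(action)
        exercised.update(matches)

    unused = [g for g in granted if g not in exercised]
    # A wildcard that was exercised is still over-broad: collapse it to the
    # concrete actions that were actually seen.
    tightened = {g: sorted(a for a in used_set if fnmatchcase(a, g))
                 for g in exercised if "*" in g or "?" in g}
    return {
        "unused": unused,
        "high_risk": [g for g in unused if g in HIGH_RISK],
        "uncovered": uncovered,
        "tightened": tightened,
        "proposed": used_set,
        "unused_ratio": len(unused) / len(granted) if granted else 0.0,
    }


if __name__ == "__main__":
    result = review(GRANTED, USED)
    print(f"{result['unused_ratio']:.0%} of grants unused: {result['unused']}")
    print("high-risk unused grants:", result["high_risk"])
    for wildcard, explicit in result["tightened"].items():
        print(f"tighten {wildcard} -> {explicit}")
    print("proposed policy:", result["proposed"])
    if result["uncovered"]:
        print("used without a matching grant (investigate):", result["uncovered"])
```

Run the review on a cadence (the Sysdig figure quoted later on this page uses a 90-day window) and treat the `uncovered` list as seriously as the `unused` one: an action that was used without a visible grant means either the audit trail is incomplete or a policy changed outside the process you are reviewing.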
“Keeping cloud-based applications secure requires several layers of safeguards. Implementing zero trust principles that verify all users and devices trying to gain access, regardless of their location or profile, is a priority, as well as putting least privilege permission controls in place so that users are only granted the access needed to perform essential job functions,” Pravesh Kara, Security and Compliance Product Director at Advania, told Silicon UK.
“Enabling multi-factor authentication for logins, such as entering a code from an app in addition to a password, is also a great strategy for securing cloud-based applications. It also involves regularly patching by updating applications to address vulnerabilities as soon as possible and scrutinising the software supply chain “behind” applications, as these interdependencies can introduce hidden risks.”
Proactive protection
The impact of cloud technology on business operations has been significant. However, according to a recent study conducted by Citrix, a business unit of the Cloud Software Group, 25% of surveyed organisations in the UK have either relocated half or more of their cloud-based workloads back to on-premises infrastructures or are contemplating such a move, in a phenomenon known as cloud repatriation.
The primary drivers behind this shift were unexpected security issues and lofty project expectations, cited by 33% of respondents. Additionally, 24% reported the failure to meet or establish internal expectations as a significant factor. Reflecting on their experiences, IT leaders identified security concerns, unforeseen costs, performance challenges, compatibility issues, and service downtime as the most common reasons for initiating cloud repatriation projects.
Despite past setbacks in cloud initiatives, 67% of respondents remain optimistic about embarking on new projects in the future. Rather than advocating a solely cloud-based approach, IT leaders recommend that CIOs adopt a hybrid model that combines cloud and on-premises infrastructure. Calvin Hsu, Vice President of Product Management at Citrix, highlighted the benefits of hybrid cloud infrastructures, stating, “Hybrid cloud infrastructures offer the best of both worlds, blending public and private models. Organisations can optimise costs, seamlessly integrate systems, and experiment with innovation projects without sacrificing agility or flexibility.”
Securing cloud-based assets requires a multi-faceted approach encompassing strong access controls, data encryption, network security, monitoring, and incident response capabilities. By understanding the threat landscape, implementing robust security measures, and fostering a security-aware culture, businesses can effectively defend against attacks by threat actors and protect their valuable data and resources in the cloud.
Crystal Morin, cybersecurity strategist, Sysdig.
Crystal Morin is a Cybersecurity Strategist at Sysdig tasked with bridging the gap between business and security through cloud and container-focused webinars and papers for everyone from executives to technical practitioners. She was initially a threat research engineer on the Sysdig Threat Research Team, where Crystal spent her time discovering and analysing cyber threat actors who took advantage of the cloud. Crystal started her career as a linguist and intelligence analyst in the United States Air Force. Before joining Sysdig, she spent four years as a contractor for Booz Allen Hamilton, researching and reporting on terrorism and cyber threats. Crystal was responsible for helping to develop and mature Booz Allen’s cyber threat intelligence community and threat-hunting capabilities.
What strategies can we employ to secure our cloud-based applications against unauthorised access?
“Cloud applications and services use role-based access controls and permissions to manage who has access to which functions. Some users, like developers and IT administrators, have many accesses and the highest privileges in a cloud environment, making them valuable targets for attackers looking to enter and move through an environment quickly.
“Reducing granted permissions and controlling access is one way to protect cloud environments and stop privilege escalation and lateral movement. In Sysdig’s annual 2024 Cloud-Native Security and Usage Report, we found that 98% of granted permissions went unused in 90 days. This doesn’t just apply to developers and administrators; it pertains to all human and machine cloud accounts. Identity management can get quite complex, and there’s a fear that stripping access may slow down development processes, but it is a price worth paying when most cloud attacks involve overly permissive accounts.
“Understanding and having a baseline of activity and actions for your human and machine users in conjunction with real-time threat detection will also help you secure your environment from unauthorised access. An alert on abnormal user activity could indicate the presence of a malicious actor, so it’s important to reduce permissions down to only what’s necessary and pay attention to these alerts.”
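Morin's point about baselining human and machine accounts and alerting on deviations can be made concrete with a small detector. This is an added example, not Sysdig's code or anything the interview describes in detail: it builds a per-principal profile (actions and regions seen during a quiet baseline window) from constructed audit events, then flags a new principal, a first-time action, a first-time region, and a burst of enumeration calls of the kind an automated reconnaissance tool produces. The event fields, the 60-second window and the threshold of five distinct enumeration calls are assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection over cloud audit events.

Added example (not from the article). Events are constructed; real ones would
come from the provider's audit trail (principal, action, region, timestamp).
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: what each principal normally does, captured over a
# quiet period before the window being monitored.
BASELINE = [
    {"ts": "2024-02-12T10:00:00+00:00", "principal": "ci-deployer", "action": "s3:GetObject",       "region": "eu-west-2"},
    {"ts": "2024-02-12T10:00:03+00:00", "principal": "ci-deployer", "action": "s3:PutObject",       "region": "eu-west-2"},
    {"ts": "2024-02-12T10:00:09+00:00", "principal": "ci-deployer", "action": "ecs:UpdateService",  "region": "eu-west-2"},
    {"ts": "2024-02-13T09:30:00+00:00", "principal": "alice",       "action": "s3:ListBucket",      "region": "eu-west-2"},
    {"ts": "2024-02-13T09:30:05+00:00", "principal": "alice",       "action": "s3:GetObject",       "region": "eu-west-2"},
]

# Constructed events under inspection: a leaked CI credential being used for
# reconnaissance from a region the account never touched, plus an unknown user.
NEW_EVENTS = [
    {"ts": "2024-03-12T09:00:00+00:00", "principal": "ci-deployer", "action": "s3:PutObject",                "region": "eu-west-2"},
    {"ts": "2024-03-12T09:00:05+00:00", "principal": "alice",       "action": "s3:GetObject",                "region": "eu-west-2"},
    {"ts": "2024-03-12T09:01:00+00:00", "principal": "ci-deployer", "action": "sts:GetCallerIdentity",       "region": "us-east-1"},
    {"ts": "2024-03-12T09:01:04+00:00", "principal": "ci-deployer", "action": "iam:ListUsers",               "region": "us-east-1"},
    {"ts": "2024-03-12T09:01:09+00:00", "principal": "ci-deployer", "action": "iam:ListRoles",               "region": "us-east-1"},
    {"ts": "2024-03-12T09:01:15+00:00", "principal": "ci-deployer", "action": "ec2:DescribeInstances",       "region": "us-east-1"},
    {"ts": "2024-03-12T09:01:22+00:00", "principal": "ci-deployer", "action": "s3:ListAllMyBuckets",         "region": "us-east-1"},
    {"ts": "2024-03-12T09:01:40+00:00", "principal": "ci-deployer", "action": "iam:ListAttachedRolePolicies", "region": "us-east-1"},
    {"ts": "2024-03-12T09:05:00+00:00", "principal": "mallory",     "action": "s3:GetObject",                "region": "eu-west-2"},
]

# Assumption: operations with these prefixes are read-only discovery calls.
RECON_PREFIXES = ("List", "Describe", "GetCallerIdentity", "GetAccount")


def is_recon(action):
    """True for enumeration-style calls such as iam:ListUsers or ec2:DescribeInstances."""
    return action.split(":", 1)[-1].startswith(RECON_PREFIXES)


def build_baseline(events):
    """Per-principal profile: the set of actions and regions seen in the baseline window."""
    profile = defaultdict(lambda: {"actions": set(), "regions": set()})
    for e in events:
        profile[e["principal"]]["actions"].add(e["action"])
        profile[e["principal"]]["regions"].add(e["region"])
    return dict(profile)


def detect(profile, events, burst_window=60, burst_threshold=5):
    """Return (principal, kind, detail) alerts for deviations from the baseline.

    Each distinct finding is reported once, so a scripted burst of new actions
    produces one alert per new action and one burst alert, not a flood.
    """
    alerts, seen = [], set()
    recent = defaultdict(list)  # principal -> [(timestamp, action)] of recent recon calls

    def raise_alert(principal, kind, detail):
        key = (principal, kind, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for e in sorted(events, key=lambda ev: ev["ts"]):
        principal, action, region = e["principal"], e["action"], e["region"]
        p = profile.get(principal)
        if p is None:
            raise_alert(principal, "unknown_principal", action)
            continue
        if action not in p["actions"]:
            raise_alert(principal, "new_action", action)
        if region not in p["regions"]:
            raise_alert(principal, "new_region", region)
        if is_recon(action):
            now = datetime.fromisoformat(e["ts"])
            window = [(t, a) for t, a in recent[principal]
                      if (now - t).total_seconds() <= burst_window]
            window.append((now, action))
            recent[principal] = window
            if len({a for _, a in window}) >= burst_threshold:
                raise_alert(principal, "recon_burst",
                            f"{burst_threshold}+ distinct enumeration calls within {burst_window}s")
    return alerts


if __name__ == "__main__":
    for principal, kind, detail in detect(build_baseline(BASELINE), NEW_EVENTS):
        print(f"{principal:12} {kind:18} {detail}")
```

The baseline here is a plain set membership test; in production you would age it, rebuild it after legitimate changes, and feed the `recon_burst` signal into the fast response path the interview describes later, since the enumeration phase is typically the first observable step after a credential is stolen.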
How do we strike the right balance between convenience and security when configuring cloud services?
“There’s a Mark Zuckerberg quote about innovation: “move fast and break things.” The risk is that when you let developers move fast, you risk attackers breaking things.
“Developers need a hefty list of permissions and access to carry out their work, and applications can be developed faster when they have more permissions. However, this can quickly lead to problems if you don’t manage accounts and credentials properly or alert on and analyse odd behaviours and actions in real-time. For example, we have seen attacks carried out following credentials being discovered in code uploaded to GitHub and other public repositories. Attackers regularly scan public repositories for account and credential information. Similarly, credential discovery within tooling applications in an environment allows privilege escalation and lateral movement when an attacker has access to an environment.
“One way to strike a balance between developer needs and a secure cloud is to ensure that credentials are never hard-coded in any applications. Secrets management and CIEM tools will help by highlighting these errors to be corrected. Alongside this, there are tools that you can use to detect any instances of accounts and credentials that are installed. However, threat actors are going to use those tools against you too, so consider understanding them and using them yourself. For example, an open source tool called SSH-Snake was developed and released in January 2024 to automatically find SSH accounts in your environment so that you can remove them before going to production. The Sysdig Threat Research Team found evidence that SSH-Snake was used by threat actors against more than 100 victims in February 2024.”
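The advice above to ensure credentials are never hard-coded, and to use the attackers' own discovery techniques against yourself, invites a concrete check. The following is an added example, not Sysdig's tooling, SSH-Snake, or any product named on this page: a minimal pre-commit style scanner that runs three checks over source text, a pattern for AWS access key IDs, a pattern for PEM private key headers, and an entropy test on string literals assigned to secret-looking names. The sample source is constructed (the access key is AWS's documentation placeholder value, not a live key) and the 3.5 bits-per-character entropy threshold is an assumption chosen for illustration.

```python
"""Hard-coded credential scanner for source text.

Added example (not from the article). The sample source, the name patterns
and the entropy threshold are constructed assumptions for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample: a mix of a leaked key pair, a safe environment lookup,
# a high-entropy token, a harmless version string and a pasted private key.
SAMPLE_SOURCE = '''import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
api_token = "x9Qz7Lm2Kp4Vb8Nh3Rt6Wc1Yd5Fg0Jk"
version = "1.0.0"
-----BEGIN RSA PRIVATE KEY-----
'''

# AWS access key IDs have a fixed, well-known shape; PEM private keys announce themselves.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Assumption: a string literal assigned to a name containing one of these words
# is a candidate secret; entropy then separates real secrets from placeholders.
SECRET_ASSIGN_RE = re.compile(
    r"\b(\w*(?:secret|password|passwd|token|api_?key|access_?key)\w*)\s*[=:]\s*['\"]([^'\"]{8,})['\"]",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption for this example


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value, keep=4):
    """Show only a prefix so findings can be reported without re-leaking the secret."""
    return value[:keep] + "..." if len(value) > keep else "..."


def scan(source):
    """Return findings as dicts: line (1-based), rule, evidence (redacted)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "rule": "aws_access_key_id", "evidence": redact(m.group(0))})
        if PRIVATE_KEY_RE.search(line):
            findings.append({"line": lineno, "rule": "private_key_material", "evidence": line.strip()})
        m = SECRET_ASSIGN_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high_entropy_secret",
                                 "evidence": f"{name} = {redact(value)} (H={entropy:.2f})"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']}: {f['evidence']}")
```

Line 4 of the sample, which reads the password from the environment at runtime, is deliberately not flagged: the goal is to push developers towards that pattern, or towards a secrets manager, rather than to generate noise. Wire a scanner like this into pre-commit hooks and the CI pipeline; as the interview notes, the same discovery is being run against you by attackers who scan public repositories continuously.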
What measures should we take to prevent data breaches and unauthorised data exposure in the cloud?
“Locking down environments and hardening public-facing IT components should be a standard approach for any deployment. Alongside this, you can look at the software development pipeline and ensure that you are regularly scanning all containers, workloads, and cloud instances for potential issues, including vulnerabilities, misconfigurations, and account credentials. Furthermore, security best practices should always be ingrained in your processes, like encryption and resource use limits.”
How can we effectively manage access controls and permissions for cloud resources?
“Secrets management is essential for access control. Use vendor-managed or open-source tools to manage credentials and application permissions rather than relying on user email addresses and password logins. At the very least, ensure no credentials are stored in plain text.
“Consider how you provision access: what accesses are standard, what can you provision on a case-by-case basis, and how do you determine when access is no longer needed and can be removed? This is one of those jobs that can be easy to overlook because it is tedious, but it should be included in your overall approach to identity management. Automate where you can and establish a regular cadence for identity management hygiene and revisions across your organisation.”
What role does encryption play in safeguarding sensitive information stored in the cloud?
“Encryption is essential — all your data should be encrypted as standard practice. There is no excuse for not using encryption tools that are available as part of any cloud deployment process. It is a powerful security effort to implement that will deter attackers.”
Are there specific security challenges related to multi-cloud environments, and how can we address them?
“When it comes to security across cloud environments, you should look at tools or projects that can support different platforms and carry out the same role across them all, rather than relying on multiple different tools across each cloud environment that must be correlated manually. Correlation across cloud environments is critical for security.
“As an example, the open source project Falco can provide insight into what is happening at runtime across cloud service providers as well as into software containers and Kubernetes environments. Falco can then correlate all the data coming in from every angle and apply detection rules, so you have full visibility for potential attacks. As it is an open source project supported by the CNCF based on eBPF and examining Linux kernel activity, it can run across all these different environments at the same time regardless of where they happen to be running.”
How can organisations ensure compliance with relevant regulations while using cloud services?
“To maintain a regulatory-compliant cloud, you must first ensure that the implementation of your cloud environment is within the regulations your company must adhere to. Your cloud provider should be able to point you to its compliance standards.
“What exactly you need to do to remain compliant varies greatly depending on where your organisation is established or does business, what industry you are in, and what kind of customer data you handle. Best practices include access control management, data encryption, continuous real-time monitoring, and of course regular audits to ensure all of these efforts are ongoing and you are meeting your required regulations.”
How do we handle incident response and recovery in case of a security breach in the cloud?
“Our Threat Research Team has proven that cloud attacks can happen in ten minutes or less, so your incident response efforts need to be just as fast. We are using what we call the 5/5/5 Benchmark to highlight this need for speed in cloud threat detection and response. Within five seconds, you need to receive an alert that there is a deviation. You now have five minutes to correlate related data and intelligence from across your environment and five minutes to triage and remediate, which may include siloing a user account or turning off a workload.”
What emerging trends or technologies are shaping the future of cloud security?
“With the speed and frequency at which cloud attacks are happening, there are two critical words for the future of cloud security: proactive and automation. The bad guys are smart, but so are we. We, the defenders, must think like the bad guys to protect ourselves and proactively stop their chances of getting in. Red teams and threat hunters are influential on security teams to help support this.
“One of the reasons attacks are gaining speed is because attackers are automating tedious and time-consuming tasks, such as reconnaissance and discovery. We need to do the same to be able to stop them in their tracks.”