The Biden administration may eye CSPs to improve security, but the real caveat emptor? Secure thyself
President Joe Biden’s administration, as part of its recently released National Cybersecurity Strategy, said critical sectors such as telecommunications, energy and healthcare rely on the cybersecurity and resilience of cloud service providers.
Yet, recent reports suggest the administration has concerns that major cloud service providers constitute a massive threat surface — one through which an attacker could disrupt public and private infrastructure and services.
That concern is hard to argue with given the monolithic nature of the sector. Research firm Gartner, in its most recent look at worldwide cloud infrastructure-as-a-service market share, put Amazon on top, leading with revenue of $35.4 billion in 2021, with the rest of the market share breakdown as follows:
- Amazon: 38.9%
- Microsoft: 21.1%
- Alibaba: 9.5%
- Google: 7.1%
- Huawei: 4.6%
The Synergy Group reported that together, Amazon, Microsoft and Google accounted for two-thirds of cloud infrastructure revenues in three months ending Sept. 30, 2022, with the eight largest providers controlling more than 80% of the market, translating to three-quarters of web revenue.
A focus on cloud service providers?
The administration’s report noted that threat actors use the cloud, domain registrars, hosting and email providers, as well as other services to conduct exploits, coordinate operations and spy. Additionally, it advocated for regulations to drive the adoption of secure-by-design principles and that regulations will define “minimum expected cybersecurity practices or outcomes.”
Also, it will “identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services and work with industry, congress and regulators to close them,” according to the administration report.
If the administration is speaking to CSPs controlling traffic through vast swaths of the global web with an eye to regulating their security practices, it may be moot, as CSPs already have strong security protocols in place, noted Chris Winckless, senior director analyst at Gartner.
“Cloud providers appear from all evidence to be highly secure in what they do, but the lack of transparency on how they do so is a concern,” Winckless said.
However, Winckless also said there are limits to resilience, and the buck ultimately lands on the customer’s desk.
“The use of the cloud is not secure, either from individual tenants, who don’t configure well or don’t design for resiliency, or from criminal/nation-state actors, who can take advantage of the dynamism and pay for flexibility model,” he added.
Cloud providers already offering enough
Chris Dorman, chief technology officer of cloud incident response firm Cado Security, said major cloud service providers are already the best at managing and securing cloud infrastructure.
“To question their abilities and infer that the U.S. government would ‘know better’ in terms of regulation and security guidance would be misleading,” Dorman said.
Imposing “know-your-customer” requirements on cloud providers may be well intentioned, but it risks pushing attackers to use services that are further from the reach of law enforcement, he said.
The biggest threat to cloud infrastructure is physical disaster, not technology failures, Dorman said.
“The financial services industry is a great example of how a sector diversifies activity across multiple cloud providers to avoid any points of failure,” said Dorman. “Critical infrastructure entities modernizing towards the cloud need to think about disaster recovery plans. Most critical infrastructure entities are not in a position to go fully multicloud, limiting points of exposure.”
Cloud customers need to implement security
While the Biden administration said it would work with cloud and internet infrastructure providers to identify “malicious use of U.S. infrastructure, share reports of malicious use with the government” and “make it easier for victims to report abuse of these systems and … more difficult for malicious actors to gain access to these resources in the first place,” doing so could pose challenges.
Mike Beckley, founder and chief technology officer of process automation firm Appian, said that the government is rightly sounding the alarm over the vulnerability of government systems.
“But, it has a bigger problem, and that is that most of its software isn’t from us or Microsoft or Salesforce or Palantir, for that matter,” said Beckley. “It’s written by a low-cost bidder in custom contracts and, therefore, sneaks by most rules and constraints we operate by as commercial providers.
“Whatever the government thinks it’s buying is changing every day, based on least experience or least qualified, or even the most malicious contractor who has the rights and permissions to upload new libraries and codes. Every single one of those custom-code pipelines has to be built up for every project and is therefore only as good as the team that is doing it.”
It’s on customers to defend against major cloud-based threats
Seeking out malefactors is a big ask for CSPs like Amazon, Google and Microsoft, said Mike Britton, chief information security officer at Abnormal Security.
“Ultimately, the cloud is just another fancy word for outside servers, and that digital space is now a commodity — I can store petabytes for pennies on the dollar,” said Britton. “We now live in a world where everything is API- and internet-based, so there are no barriers as there were in the old days.
SEE: Top 10 open-source security and operational risks (TechRepublic)
“There is a shared responsibility matrix, where the cloud provider handles issues like hardware operating system patches, but it is the customer’s responsibility to know what is public facing and opt in or out. I do think it would be good if there were the equivalent of a ‘no’ failsafe asking something like ‘Did you mean to do that?’ when it comes to actions like making storage buckets public.
“Taking your 50 terabytes in an S3 storage bucket and accidentally making it publicly available is potentially shooting yourself in the foot. So, cloud security posture management solutions are useful. And consumers of cloud services need to have good processes in order.”
Major threats to your cloud operations
Check Point Security’s 2022 Cloud Security report listed leading threats to cloud security.
A leading cause of cloud data breaches, organizations’ cloud security posture management strategies are inadequate for protecting their cloud-based infrastructure from misconfigurations.
Cloud-based deployments outside of the network perimeter and directly accessible from the public internet make unauthorized access easier.
Insecure interfaces and APIs
CSPs often provide a number of application programming interfaces and interfaces for their customers, according to Check Point, but security depends on whether a customer has secured the interfaces for their cloud-based infrastructures.
Not a surprise, password security is a weak link and often includes bad practices like password reuse and the use of poor passwords. This problem exacerbates the impact of phishing attacks and data breaches since it enables a single stolen password to be used on multiple different accounts.
Lack of visibility
An organization’s cloud resources are located outside of the corporate network and run on infrastructure that the company does not own.
“As a result, many traditional tools for achieving network visibility are not effective for cloud environments,” Check Point noted. “And some organizations lack cloud-focused security tools. This can limit an organization’s ability to monitor their cloud-based resources and protect them against attack.”
External data sharing
The cloud makes data sharing easy, whether through an email invitation to a collaborator, or through a shared link. That ease of data sharing poses a security risk.
Although paradoxical since insiders are inside the perimeter, someone with bad intent may have authorized access to an organization’s network and some of the sensitive resources it contains.
“On the cloud, detection of a malicious insider is even more difficult,” said CheckPoint’s report. “With cloud deployments, companies lack control over their underlying infrastructure, making many traditional security solutions less effective.”
Cyberattacks as big business
Cybercrime targets are mostly based on profitability. Cloud-based infrastructure that is accessible to the public from the internet can be improperly secured and can contain sensitive and valuable data.
The cloud is essential to many organizations’ ability to do business. They use the cloud to store business-critical data and to run important internal and customer-facing applications.
Ethical hacking may secure operations in the cloud and on-premises
It’s important for organizations to secure their own perimeters and conduct a regular cadence of tests on vulnerabilities internal and external.
If you want to hone your ethical hacking skills for web pen testing and more, check out this comprehensive TechRepublic Academy ethical hacking course bundle.
Read next: How to minimize security risks: Follow these best practices for success (TechRepublic)