[BreachExchange] The Security Challenges of the Cloud

Destry Winant destry at riskbasedsecurity.com
Mon Mar 16 10:12:51 EDT 2020


https://securityboulevard.com/2020/03/the-security-challenges-of-the-cloud/

As more companies transition to the cloud, their sensitive corporate-
and compliance-related data are no longer stored and used behind
multiple layers of perimeter security. Instead, security teams are
faced with multiple cloud services, each with its own types of
privileges and actions, and with each user holding multiple identities
across those different services. This is creating new challenges for
security teams responsible for protecting their organizations from
external cyberattacks while monitoring for internal human errors,
including both intentional data leakage and inadvertent
misconfigurations and oversharing. A prime example is when a Box leak
exposed data from dozens of companies due to a misconfiguration in the
sharing settings.

Today, companies make their best effort to secure their cloud
environments. But the fact is their security teams lack cloud
experience and the proper identity management tools to make informed
decisions around permissions, identities and resources. This, in turn,
makes it difficult for security teams to respond quickly to potential
threats.

In addition, security teams need to constantly reaffirm their security
posture with regard to user privileges, resource permissions and cloud
usage in ways that don’t disrupt business operations. This includes
determining where to step in, when to re-evaluate access privileges
and how to intervene when there’s a potential security threat.
Striking this balance presents a significant challenge for security
teams who must continually add expertise to stay current with every
service and remain fully equipped to identify risky privileges and
actions, as well as assess user privileges.

Even though supplementing your internally managed cloud infrastructure
with externally managed SaaS and IaaS services can reduce management
costs and misconfigurations, it can also significantly increase your
organization’s attack surface. This played out dramatically in April
2019 when a former AWS employee posted Capital One credit application
data that she had leaked, most likely by using an SSRF attack and a
misconfigured role. Capital One determined that one of their roles,
which probably belonged to a web application firewall, was compromised
by this former AWS employee.

Fully securing your cloud environment means knowing your
infrastructure across cloud services; being able to define and
identify strong permissions and risky actions cross-service; managing
all of your entities across each cloud service; and staying up to date
with the latest security guidelines and tools offered by your cloud
providers.

To manage users in the cloud from a single interface, SecOps teams
commonly use an external authentication service. They give it
credentials to an account that can create temporary roles or manage
accounts on each of the other cloud services their organization’s
employees use. By taking this approach, users and identities can be
defined on a
single platform.

Single sign-on solutions have made great progress in helping
organizations securely manage the initial authentication process. But
that’s just one piece of the puzzle. These solutions still require you
to monitor the activity of the users and roles on each cloud
application separately. That’s because they can leave blind spots
where a single role is used by multiple users, making it difficult to
identify where a breach started. Each employee must know what keys to
provide and to whom. A shared link can suddenly make confidential
information public, and exposing the token provided to any IDaaS can
potentially compromise your entire cloud infrastructure.

The bottom line is that to be secure in a public cloud environment,
many security teams may be tempted to deploy the latest security tools
provided by each cloud service, then hire experts in the bigger
services used by their organization. A better solution is to invest in
authorization platforms that can help manage and monitor cloud
permissions and entities more efficiently and, if possible,
consistently across their most-used cloud services.
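
The blind spot described above, where a single role is used by multiple
users, can be checked for by joining the sessions issued by the external
authentication service against the actions each cloud service records
for the role. The sketch below is an added example, not code from the
article; the record layout, field names and sample values are
constructed assumptions rather than any provider's log schema.

```python
# Constructed sample data in a simplified, hypothetical audit-log shape.
# Sessions as issued by the external authentication service:
SESSIONS = [
    {"session": "s-01", "user": "alice", "role": "ops-admin", "start": 100, "end": 200},
    {"session": "s-02", "user": "bob",   "role": "ops-admin", "start": 150, "end": 250},
    {"session": "s-03", "user": "carol", "role": "readonly",  "start": 100, "end": 300},
]
# Actions as recorded by a cloud service; many carry only the role name.
ACTIONS = [
    {"time": 120, "role": "ops-admin", "session": "s-01", "action": "share_folder_public"},
    {"time": 160, "role": "ops-admin", "session": None,   "action": "export_records"},
    {"time": 220, "role": "ops-admin", "session": None,   "action": "delete_audit_trail"},
    {"time": 180, "role": "readonly",  "session": None,   "action": "list_files"},
    {"time": 400, "role": "ops-admin", "session": None,   "action": "create_access_key"},
]


def attribute(action, sessions):
    """Return (status, users) for one role action.

    exact        - the service logged a session id that maps to one user
    inferred     - no session id, but only one user held the role then
    ambiguous    - several users held the role at that time (blind spot)
    unattributed - nobody held a federated session for the role then
    """
    by_id = {s["session"]: s for s in sessions}
    if action["session"] in by_id:
        return "exact", [by_id[action["session"]]["user"]]
    users = sorted({s["user"] for s in sessions
                    if s["role"] == action["role"]
                    and s["start"] <= action["time"] <= s["end"]})
    if not users:
        return "unattributed", []
    return ("inferred" if len(users) == 1 else "ambiguous"), users


def blind_spots(actions, sessions):
    """List the actions an investigator could not tie to a single user."""
    found = []
    for a in actions:
        status, users = attribute(a, sessions)
        if status in ("ambiguous", "unattributed"):
            found.append((a["time"], a["action"], status, users))
    return found


if __name__ == "__main__":
    for row in blind_spots(ACTIONS, SESSIONS):
        print(row)
```

An "unattributed" result means the role was used outside any session the
authentication service issued, which is worth reviewing separately from
the shared-role case.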

