As public cloud utilization—specifically Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS)—continues to surge, questions around cloud security responsibility linger. Though public cloud vendors such as Amazon and Google emphasize customers’ shared responsibility in securing cloud workloads, too many organizations continue to place the onus on their infrastructure providers.
Organizations that rely solely on a cloud vendor’s built-in security potentially expose their organization to unnecessary risk and painful lessons have been learned. This is particularly true for the credentials and secrets that proliferate in cloud environments and automated processes. These secrets are dynamically created and assigned to provision, configure and manage hundreds of thousands of machines and microservices—but many are never secured. If they are compromised, these secrets and credentials can give attackers a crucial jumping-off point to achieve lateral access across networks, data and applications, and ultimately, provide access to an organization’s most critical assets.
In fact, the Cloud Security Alliance “2017 Treacherous 12” report notes insufficient identity, credential and access management as one of the top threats to enterprise cloud computing today. Without proper privileged account security in place, organizations can face potentially catastrophic damage. The report states that this can be caused by “malicious actors masquerading as legitimate users, operators or developers who can read/exfiltrate, modify and delete data…snoop on data in transit or release malicious software that appears to originate from a legitimate source.”
Underscoring this problem, our recently published Global Advanced Threat Landscape Report 2018 revealed that while 50 percent of IT professionals say their organization stores business-critical information in the cloud and 43 percent say they commit regulated customer data to the cloud, nearly half (49 percent) have no privileged account security in place for the cloud.
These findings indicate that while security teams may be comfortable with securing certain, more traditional components like the cloud admin console, when it comes to securing dynamic cloud environments, further education is critical and there is much more work to be done.
Now is the time to take ownership of your organization’s responsibility for protecting critical information in the cloud. One proactive step your organization can take to bolster its cloud security posture is to conduct Red Team exercises, in which ethical hackers simulate the techniques and behaviors of likely attackers. These exercises can help to uncover critical vulnerabilities in cloud (and on-premises) environments, identify effective responses and understand the motives and techniques of potential adversaries.
For additional information about security vulnerabilities associated with cloud-based infrastructure, download they CyberArk eBook that highlights six use cases and best practices organizations can follow to mitigate cloud risks and maintain a consistent, enterprise-wide policy throughout the cloud journey—regardless of the compute environment, development philosophy or complexity.