7 Critical Cloud Threats Facing the Enterprise in 2023
From shadow data to misconfigurations, and overpermissioning to multicloud sprawl, Dark Reading's cloud security slideshow helps security pros understand the threat horizon.
February 9, 2023
![Image shows a graphic of a cloud with a keyhole inside a globe](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt5272dceca4abf1a7/64f14ee825b2c6fc6627b82c/cloudsecurity_KanawatTH-AdobeStock.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: KanawatTH via Adobe Stock
Securing the cloud has been an unwieldy and daunting task since the beginning: The idea of using an enterprise architecture built on delivering computing services over the internet naturally represents a unique threat surface. But cloud computing is rapidly becoming a ubiquitous part of the IT landscape, with Gartner estimating that more than 95% of new digital workloads will be deployed on cloud-native platforms by 2025 — a dramatic increase from 30% in 2021.
This growing reliance on the cloud is bringing new security challenges to an already complex problem, experts say. That's because as enterprise IT stakeholders' understanding of and confidence in implementing the cloud has improved, so has the sophistication of threat actors that want to leverage its complexity for their own malicious intent.
Indeed, when it comes to cloud breaches, most IT professionals agree that it's not a case of "if" one will happen at an organization but "when," and enterprises need to be prepared for that day, experts said. This is mainly because of the sheer scope of the cloud, which, for all its benefits, makes its security posture precarious, Dan Benjamin, CEO and co-founder of Dig Security, notes.
"The average enterprise today uses close to 2,000 different cloud services," he says. "As a result, cloud footprints are exploding alongside the sheer volume of data stored in the cloud."
He adds, "Cloud assets are also easily deployed outside of an organization’s security policies, which creates misconfiguration risks. IT and security teams may not know that these assets exist."
The best that security professionals can do to mitigate and respond to threats to the cloud is arm themselves with knowledge of the current threat horizon. To help enterprises better secure their diverse and complex cloud environments, Dark Reading has compiled a slideshow of seven critical cloud threats organizations will face in 2023:
In December, hackers compromised an Amazon Web Services (AWS) cloud server used by Teqtivity, a third party that provides ride-sharing service Uber with asset management and tracking services. The attack exposed sensitive data on some 77,000 Uber employees as well as company data, and it demonstrated what can happen when third-party software and supply chain risks threaten the cloud.
While third-party access to code, infrastructure, or applications is common in the cloud model of modern IT, it also creates a single point of failure that attackers can use as a jumping-off point into the many interconnected and interdependent organizations linked via the cloud.
When a third-party app on which a cloud deployment relies is compromised by an attacker, as in the case of the Uber breach, it can be especially dangerous because it catches customers off guard, notes Mike Parkin, senior technical engineer for Vulcan Cyber. "The end user thinks things are fine until it's far too late," he says.
This scenario is further complicated because most typical security tools look for anomalies that may not appear in a third-party attack, which also delays the response, notes Shira Shamban, CEO and co-founder of Solvo.
"If we're using a third party that is legitimate and we connect it to our application because it's a service we're using, and that service gets exploited, it might not get detected as abnormal or malicious activity because the vulnerability lives outside our own security perimeter," she says.
Once a cloud environment is compromised through a third party, the exfiltrated data can be used to carry out targeted phishing attacks that harvest even more sensitive information, such as login credentials, to sustain the intrusion. Since breaches like this can result in serious business disruption, eroded user and public trust, and revenue loss, it's a threat that enterprises in 2023 will need to keep top of mind.
Everyone knows how dangerous ransomware is to the enterprise, but now attackers are starting to create this type of malware specifically to target cloud services, security professionals said.
Security experts have identified three common ransomware tactics specific to cloud deployments: targeting file-sharing services that are synced to a cloud platform; "ransomcloud" attacks that use phishing to take over cloud email accounts and propagate more ransomware from them; and targeting large cloud-hosting providers such as Google and Amazon Web Services, where threatening to encrypt data across an entire cloud infrastructure promises attackers bigger and more predictable payouts.
"As more enterprises continue to move their infrastructure, applications, workloads, and data to the cloud, they must prioritize protecting their businesses against ransomware," Dig Security's Benjamin says. "These crown jewels of a modern enterprise are equally valuable to cybercriminals."
Since ransomware has such a high price tag even beyond paying the extortion fee — including fines imposed by regulatory bodies and even potential bankruptcy for an organization — enterprises need to be aware of the threat of specific cloud-related ransomware, he notes.
"Each year, ransomware attacks increase in number and the value of ransoms increase," Benjamin says. "Don't expect 2023 to be different."
While the dynamic nature of cloud environments is one reason enterprises find cloud an attractive proposition for their networks, it's also the perfect setting for APT groups to lurk in for long periods of time.
Sophisticated threat groups such as Fancy Bear, Cozy Bear, and Gadolinium are notorious for using cloud infrastructure to maintain persistence, which can expose an enterprise to numerous attack scenarios. These include brute-force attacks, the compromise of container images to spread malware, and piggybacking on cloud infrastructure to host command-and-control servers, experts said.
"Threat groups will continue to target and use cloud infrastructure for the same reasons legitimate organizations do," Parkin says.
"It offers them scale and capability for their operation, while it's a broad threat surface for their many targets," Solvo's Shamban says.
Indeed, APTs "have been around longer than the cloud" and aim to take full advantage of the new threat opportunities the cloud represents, she adds.
"As cloud adoption continues among state organizations and large enterprises, APTs and adversarial nation-state organizations see this as an opportunity to gain profit or to hurt different functions in the state, or in an organization that is associated with the state," she says.
This means that enterprises and threat actors will engage in a "perpetual cat-and-mouse game" as both cloud security defenses and operations and attackers alike evolve, Vulcan Cyber's Parkin says.
Indeed, the two will likely remain locked in the security equivalent of a deuce point in tennis throughout the year, with the "advantage shifting back and forth as APTs develop new tools and techniques and the cybersecurity community identifies the new attacks and deploys countermeasures," he notes.
One key issue with most modern cloud deployments is that they don't consist of just one centralized cloud. Statistics vary on how many companies have a multicloud strategy: Flexera puts it at nearly 92% of companies, while Nutanix says 64% of organizations are deploying multiple cloud models.
Regardless, adopting more than one cloud in an enterprise creates security complexities, resulting in what professionals call multicloud sprawl: data grows constantly and is stored in dynamic locations across multiple clouds, making it difficult to track and secure.
"It can be hard enough to track everything when it's dynamic in a single environment, but when it's spread across multiple platforms, each with its own security requirements, the challenge can be insurmountable," Vulcan Cyber's Parkin says.
Indeed, maintaining situational awareness and proper security practices for sprawling cloud environments poses a significant challenge, Dig Security's Benjamin agrees.
"It is difficult to track data lineage and movement between clouds, and there is no data normalization across logs," he says. "From a data security perspective, it's nearly impossible to gain full visibility into assets without data normalization in a centralized, single pane of glass."
Losing this visibility into and control over data in the cloud invites all kinds of risks, including exposure and compliance oversights that result in fines, data loss, and/or business disruption, the experts note.
Organizations will face this challenge in 2023, and they can combat it by knowing what sensitive data they have and where they store it, understanding how data moves, and tracking who uses it and how they use it, Benjamin says.
"Then you can strengthen access permissions and make sure data is encrypted in transit and at rest," he explains.
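The missing "data normalization across logs" that Benjamin describes is concrete enough to show. The following is an added example, not code from Dark Reading or from any of the vendors quoted: it folds an object-read event from AWS CloudTrail and one from Google Cloud Audit Logs into a single record shape, then indexes who touched which object so that the "track who uses it and how" step above can be done across providers. The two log records are constructed to follow the field layout of those two formats and do not come from any real account; the bucket, object, identity and IP values are placeholders.

```python
"""Normalize object-access events from two clouds into one record shape so that
"who touched which data, from where, and when" can be tracked across providers.
Added example, not code from the article or the vendors quoted. The two events
below are constructed to follow the field layout of AWS CloudTrail and GCP Cloud
Audit Logs records; they are not from any real account."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    cloud: str       # "aws" or "gcp"
    time: str        # ISO-8601 UTC timestamp as the provider emitted it
    principal: str   # provider-specific identity string (ARN, e-mail, ...)
    action: str      # normalized verb: read / write / delete / other
    resource: str    # provider-neutral "store/object" path
    source_ip: str


# Constructed CloudTrail record: an IAM user reading an object from S3.
CLOUDTRAIL_EVENT = {
    "eventTime": "2023-02-01T10:15:00Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {"bucketName": "finance-exports", "key": "q4/ledger.csv"},
    "sourceIPAddress": "203.0.113.10",
}

# Constructed Cloud Audit Logs entry: a service account reading a GCS object.
GCP_AUDIT_EVENT = {
    "timestamp": "2023-02-01T10:16:30Z",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "etl@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "198.51.100.7"},
        "resourceName": "projects/_/buckets/finance-exports/objects/q4/ledger.csv",
    },
}

AWS_VERBS = {"GetObject": "read", "PutObject": "write", "DeleteObject": "delete"}
GCP_VERBS = {"storage.objects.get": "read", "storage.objects.create": "write",
             "storage.objects.delete": "delete"}


def from_cloudtrail(ev: dict) -> AccessEvent:
    params = ev.get("requestParameters") or {}
    return AccessEvent(
        cloud="aws",
        time=ev["eventTime"],
        principal=ev["userIdentity"]["arn"],
        action=AWS_VERBS.get(ev["eventName"], "other"),
        resource=f"{params.get('bucketName', '?')}/{params.get('key', '?')}",
        source_ip=ev.get("sourceIPAddress", "?"),
    )


def from_gcp_audit(ev: dict) -> AccessEvent:
    payload = ev["protoPayload"]
    # resourceName looks like projects/_/buckets/<bucket>/objects/<object>
    bucket, _, obj = payload["resourceName"].split("/buckets/", 1)[1].partition("/objects/")
    return AccessEvent(
        cloud="gcp",
        time=ev["timestamp"],
        principal=payload["authenticationInfo"]["principalEmail"],
        action=GCP_VERBS.get(payload["methodName"], "other"),
        resource=f"{bucket}/{obj}" if obj else bucket,
        source_ip=payload.get("requestMetadata", {}).get("callerIp", "?"),
    )


def normalize(raw: dict) -> AccessEvent:
    """Dispatch on the provider's envelope; unknown shapes are rejected, not guessed."""
    if "protoPayload" in raw:
        return from_gcp_audit(raw)
    if "eventSource" in raw and "userIdentity" in raw:
        return from_cloudtrail(raw)
    raise ValueError("unrecognized log record shape")


def accesses_by_resource(raw_events) -> dict:
    """Map each resource path to the (cloud, principal, action) tuples that touched it."""
    index = defaultdict(list)
    for raw in raw_events:
        ev = normalize(raw)
        index[ev.resource].append((ev.cloud, ev.principal, ev.action))
    return dict(index)


if __name__ == "__main__":
    for resource, who in accesses_by_resource([CLOUDTRAIL_EVENT, GCP_AUDIT_EVENT]).items():
        print(resource, who)
```

The resource key is deliberately provider-neutral so that the same dataset replicated to two clouds collates under one entry, which is the lineage view Benjamin is asking for; if bucket names can collide across providers in your estate, fold the `cloud` field into the key. Unknown record shapes raise rather than being silently mapped, since a mis-parsed event is worse than a gap in the index.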
When implementing a cloud, especially at an enterprise moving from a traditional on-premises model, it's understandable that some data will get lost in the shuffle.
Security professionals have a name for that: shadow data, also known as dark data or ghost data. The term refers to business data that's copied, backed up, or housed in an ungoverned store, or in one that hasn't been properly maintained or updated by security or IT teams.
"Expect to hear more about shadow data and cloud data security in the coming year," Solvo's Shamban says. "We have been storing data in the cloud for years, but now we have more cloud-native and cloud-centric organizations storing sensitive data in the cloud."
One reason for that is the fact that data storage has gotten less and less expensive over time, enabling more archive storage and easier access to it, Vulcan Cyber's Parkin adds.
"That led to organizations simply archiving more and more data without worrying about how much they were keeping and where they were keeping it," he says. "Unfortunately, that's also led to them often losing track of just how much data they have and exactly where they have it stored."
Indeed, while the flexibility, agility, and expansiveness of the cloud provide a lot of benefits for an enterprise, greater access to data also introduces greater risk. In fact, experts estimate that shadow data can make up as much as 90% of an enterprise's cloud data stores.
Moreover, risks enterprises face from the presence of shadow data include lapses not only in data security but also compliance, which could result in fines and reputational damage alongside the weakened security posture that results from exposed data, experts said.
Given these significant implications, enterprises deploying clouds should give serious thought to shining a light in the shadows and cleaning up their cloud-data act in 2023.
One of the best things about the cloud is that IT administrators can easily decide which corporate users have access to which services within it, depending on their role in the organization. That's because, with no physical control over the environment, cloud workload security is defined by the permissions that users, devices, and other identities hold within it.
In theory, this should make the cloud more secure, because it limits how much access people have to applications, and thus how much access a threat actor gains by stealing someone's credentials.
In reality, however, cloud environments suffer an overwhelming overpermissioning problem: 99% of cloud users, roles, services, and resources are granted excessive permissions that are ultimately left unused, according to Palo Alto Networks' Unit 42.
"Permission creep shouldn't be a thing, but it is," Vulcan Cyber's Parkin notes. "Giving the right users the right access to the right applications is vital and is often mishandled in day-to-day operations."
At the core of the issue is that ensuring cloud assets have the proper permissions isn't the top priority of the developer responsible for getting a new cloud resource deployed and working, Solvo's Shamban says.
"When they do that, they usually just want to make sure that the application is working correctly," she observes. "They will not have access permissions and security in their mindset. As a result, they might grant full access or very broad permission settings, instead of creating it in a least privileged kind of way."
Needless to say, this state of affairs poses a lot of risk to the cloud, allowing threat actors to make full use of stolen credentials even when the person whose identity they're using sits at the lower end of the organizational hierarchy. In fact, Gartner predicts that 75% of cloud security breaches this year will result from inadequate permission management.
As more organizations adopt native cloud environments, permission management needs to be a top priority and one of the first things companies plot out before building and deploying the environment, Parkin says. "The days of setting permissions by simply copying a colleague's profile should be long over," he notes.
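The "full access or very broad permission settings" that Shamban describes are visible in the policy document itself, which means they can be caught before deployment. The following is an added example, not code from Dark Reading, Solvo, Vulcan Cyber or Unit 42: a small linter that flags wildcard actions, wildcard resources and privilege-escalation actions in an AWS IAM policy, run against a constructed "just make it work" policy and a constructed least-privilege rewrite of the same workload. The account ID, bucket, prefix, role name and service principal are placeholders; the escalation-action list is a short illustrative subset, not a complete one.

```python
"""Flag over-broad IAM policy statements and contrast them with a least-privilege
equivalent for the same workload. Added example, not code from the article or the
vendors quoted; both policies below are constructed and all ARNs are placeholders."""
import json
from typing import Any

# Constructed: the "just make it work" policy a developer attaches to a new service role.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    ],
})

# Constructed: the same workload scoped to the one bucket and prefix it actually uses,
# with PassRole pinned to one role and one consuming service.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/incoming/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads",
         "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
})

# Illustrative subset of actions that let a principal reach beyond what this policy
# grants; on Resource "*" any one of them is a path to account-wide access.
ESCALATION_ACTIONS = {
    "iam:PassRole", "sts:AssumeRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
}


def _as_list(value: Any) -> list:
    # IAM allows a single string or a list in Action / Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[dict[str, Any]]:
    """Return one finding per Allow statement that grants wildcard actions, wildcard
    resources, an escalation action on a wildcard resource, or uses NotAction."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        issues = []
        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append("wildcard action")
        if "*" in resources:
            issues.append("wildcard resource")
        if "*" in resources and set(actions) & ESCALATION_ACTIONS:
            issues.append("privilege-escalation action on wildcard resource")
        if "NotAction" in stmt:
            # "everything except the listed actions" is usually far broader than intended
            issues.append("NotAction grant (allows everything not listed)")
        if issues:
            findings.append({"statement": idx, "actions": actions, "issues": issues})
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run this as a pre-commit or CI step over the policy documents in your infrastructure-as-code repository, so the check happens when the developer still has context, rather than months later in an entitlement review. It is a syntactic check only: it does not evaluate resource policies, permission boundaries or SCPs, and a clean result here does not mean the grant is least-privilege, only that it is not obviously wide open.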
Human beings are flawed creatures, and perhaps nowhere is this more evident than in the security world, where most data breaches still occur because someone somewhere in an organization messed up.
The cloud landscape is no different, with human error in the form of misconfigurations, weak or reused passwords, and insecure key storage representing huge risk.
Indeed, given the ease of cloud deployment, it's quite possible that someone with limited cloud and security experience and just enough knowledge to be dangerous launches a cloud service and amasses volumes of sensitive and misconfigured assets, Dig Security's Benjamin notes. Threat actors are actively looking to exploit this; last year, for instance, cyberattackers were found bombarding misconfigured Elasticsearch instances exposed on the public Internet, stealing the wide-open data and replacing it with a ransom note.
Sometimes it's the experts that have the problem. Last fall, top public cloud players Microsoft and Amazon both acknowledged issues related to misconfigurations that caused data leaks from their respective cloud environments.
Indeed, even a minor cloud misconfiguration can have major ramifications, including "data leakage, a service outage or account takeover — all things that could cause serious damage to an organization as the result of a simple action someone forgot to take," Solvo's Shamban says.
The challenge, then, from a cybersecurity perspective is to find ways to reduce the chances of human error and minimize the impact when it inevitably happens, Vulcan Cyber's Parkin says. Training can go a long way to reducing the risk from human error, but it can't mitigate it completely. "Organizations need to apply configurations and architectures that can reduce the impact of a user mistake, a malicious act, or a user compromise," he says.
Still, security experts seem resigned to the fact that this problem won't be resolved anytime soon. "Controlling data has been an issue for years and will remain one going forward," Dig Security's Benjamin says.
That means despite organizations' best mitigation efforts, cloud misconfigurations are likely to plague deployments and cause breaches and other security risks throughout 2023.
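The Elasticsearch incident above and the "simple action someone forgot to take" in Shamban's quote both reduce to configuration states that can be enumerated. The following is an added example, not code from Dark Reading or the vendors quoted: a check that walks a constructed asset inventory for two of the misconfigurations this section names, a data-store port open to the whole Internet and a bucket left world-readable, and reports each one. The inventory shape, security-group IDs and bucket names are assumptions made for the example, not any provider's export format.

```python
"""Find Internet-exposed data services and world-readable buckets in an inventory
export. Added example, not code from the article or the vendors quoted; INVENTORY is
constructed to resemble a cloud asset export and is not from a real account."""
import ipaddress

INVENTORY = {
    "security_groups": [
        {"id": "sg-search", "rules": [
            {"proto": "tcp", "from_port": 9200, "to_port": 9300, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-web", "rules": [
            {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [
            {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
            # IPv6 "anywhere" is easy to overlook when only 0.0.0.0/0 is searched for.
            {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "::/0"}]},
    ],
    "buckets": [
        {"name": "exports", "acl": ["private"], "block_public_access": True},
        {"name": "backups", "acl": ["public-read"], "block_public_access": False},
        {"name": "assets", "acl": ["public-read"], "block_public_access": True},
    ],
}

# Ports for services that should never accept traffic from arbitrary sources.
INTERNAL_ONLY_PORTS = {
    9200: "elasticsearch-http", 9300: "elasticsearch-transport",
    27017: "mongodb", 6379: "redis", 5432: "postgresql", 3306: "mysql",
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero), i.e. the whole Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_public_exposure(inventory: dict) -> list[str]:
    findings = []
    for sg in inventory["security_groups"]:
        for rule in sg["rules"]:
            if not is_world_open(rule["cidr"]):
                continue
            # A port range such as 9200-9300 is checked against every sensitive port inside it.
            for port, service in INTERNAL_ONLY_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append(f"{sg['id']}: {service} port {port} open to {rule['cidr']}")
    for bucket in inventory["buckets"]:
        # A public-read ACL only bites when the public-access block is switched off.
        if "public-read" in bucket["acl"] and not bucket["block_public_access"]:
            findings.append(
                f"bucket {bucket['name']}: public-read ACL with public access block disabled")
    return findings


if __name__ == "__main__":
    for finding in find_public_exposure(INVENTORY):
        print(finding)
```

Two points the sample is built to show: a rule that opens a range (9200-9300) exposes every sensitive port inside it, not just the first, and `::/0` is as world-open as `0.0.0.0/0`. Checks like this only reduce the window, as Parkin says; an exposed Elasticsearch instance that also lacks authentication needs the configuration fixed, not just flagged.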