Cloud

2/28/2018
05:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Zero-Day Attacks Major Concern in Hybrid Cloud

Hybrid cloud environments are particularly vulnerable to zero-day exploits, according to a new study.

Securing cloud-based and legacy systems is a balancing act, and businesses have a tough time staying upright. As the race to the cloud picks up speed, many are struggling to fully protect their hybrid environments from zero-day attacks.

Researchers at Enterprise Strategy Group (ESG) polled 450 IT and security pros in North America and Western Europe on hybrid cloud environments and containers. The results demonstrate concern around zero-day attacks and increased container adoption.

"The thesis for the study was the multidimensionality of hybrid clouds is shifting cybersecurity priorities," explains Doug Cahill, senior analyst covering cybersecurity for ESG and leader of this research, which was commissioned by Capsule8.

Hybrid infrastructures have become the major architecture in enterprise environments, a shift that has come with "major headaches and concerns," says Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender.

"The move to hybrid happened because increasingly more organizations want to enjoy the benefit of public cloud - scalability, pay-as-you-go rates and flexibility - but also maintain control over the key infrastructure," he explains. The hybrid approach is a necessary step toward public cloud adoption, especially for companies hesitant about cloud security.

Complexity in the Cloud

"Hybrid clouds are comprised of disparate environments," Cahill says, adding that more than 80% of organizations using infrastructure-as-a-service (IaaS) consume services from multiple providers. "This tells us more workloads are moving to public cloud platforms," he adds.

More than half (56%) of respondents have already deployed containerized production applications; 80% report they will have containers in production within the next 12- to 24 months.

The adoption of new technology is a gradual, phased process and many companies are in the middle of migrating old applications to the cloud. Three-quarters (73%) or organizations use, or will use, containers for both new applications and preexisting legacy applications, Cahill says.

Despite their growing reliance on containers, many businesses will continue to at least partially rely on legacy systems for years to come, he continues. Security becomes a challenge when multiple users are accessing multiple environments from multiple different locations.

The biggest hybrid cloud security challenge is maintaining strong, consistent security across the enterprise data center and multiple cloud environments, says Cahill. Businesses want consistency; they want to be able to centralize policy and security controls across both.

Security teams also struggle to maintain the pace of cloud, an increasingly difficult challenge as cloud continues to accelerate. It used to be that cloud adoption was slowed by security, Cahill points out. Now, containers are driven by the app development team. Security has to keep up.

"One of the things we know about cloud computing in general, and about DevOps, is it's all about moving fast," he points out. "They need to keep pace with the rapid rate of change."

Compliance is a major concern for companies using hybrid cloud, adds Botezatu, who says Bitdefender polled CISOs about their biggest fears related to hybrid cloud in late 2016.

"Lack of visibility into what is happening in the big hybrid datacenter, the increased attack surface, security of backups and snapshots and security of data (either at rest or in transit) were the top five answers," he says.

More Complexity = Larger Attack Surface

The complexity of hybrid cloud environments puts organizations at risk for several types of attack. Forty-two percent of businesses reported an attack on their cloud environment in the past year; 28% said a zero-day exploit had been the attack origin.

"Part of [the reason] is the elastic nature of these environments," says Cahill of the critical zero-day threat. "Servers are so rapidly deployed and sometimes they're put into production without going through assessments and vulnerability scanning."

Common threats include taking advantage of known flaws in unpatched applications (27%), misuse of privileged accounts by inside employees (26%), exploits taking advantage of known flaws in unpatched operating systems (21%), misuse of privileged account via stolen credentials (19%), and misconfigured cloud services, workloads, or network security controls (20%).

"The security in many hybrid cloud environments is focused on the perimeter, while totally missing in-depth defenses," says Ofri Ziv, vice president of research and head of GuardiCore Labs. "This leads to environments with weak network segmentation, which is heaven for attackers and worms."

John Viega, cofounder and CEO of Capsule8, says zero-days will always be a real and unpredictable threat. "This is particularly true in production due to the impact of open source," he adds. A zero-day that appears in production from open-source software will affect a huge number of companies.

Move to Unify Security

Part of the reason security is difficult with hybrid cloud is because the majority (70%) of companies currently use separate controls for public cloud-based resources and on-premise virtual machines and servers. Only 30% use unified controls, Cahill explains.

"It's very siloed today," he says. "There are different tools for different environments managed by different people … but that's not sustainable over time. It doesn't afford the consistency of security policies across disparate environments."

This is poised to dramatically change within the next two years. By that time, 70% of respondents claim they will focus on unified controls for all server workload types across public cloud(s) and on-premise resources.

"One of the most important things a company can do is be disciplined about keeping applications on-premise or in a data center and not moving it until it is absolutely mature enough to be seamlessly be deployed in either environment," adds Viega. One way to control this is to focus on containerization in the software development process.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/28/2018 | 7:34:46 PM
Major Concern in Hybrid Cloud
This is an important topic, worthy of attention and consideration.  However, I think there are a number of false premises or assumptions, either in the report or in the minds of those that responded to the poll. 

There is always room for ambiguity to play, when we over-commit complicated ideas to simple expressions, such as "the cloud".  To begin with, cloud is style as well as place.  Many of the desirable attributes of public cloud derive from cloud as style - so are available when cloud style is applied to a private place.  Many of the less desirable features of public cloud can be avoided by not putting everything in the public place (or using "public transportation" of data). 

The article and the report seem to suggest hybrid cloud as a combination of public cloud (style, place and transport), and legacy style and infrastructure in a private place - a place soon to be abandoned as soon as the moving van is ready to roll on to "The Cloud".  However, hybrid cloud can also be a reimagining of information systems to utilize the best tools for the various tasks required to properly inform those you authorize - and not inform those you don't.  
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.