Understanding The Cloud Threat Surface

How today’s borderless environment creates new threat vectors from third-party apps, brute force password attacks, and login attempts with stolen credentials.

Ron Zalkind, CTO & Co-founder, CloudLock

April 6, 2016

5 Min Read

To say that cloud adoption is accelerating is an understatement. You can almost sense the “uplift” of applications and data into the cloud, as evidenced by the massive growth in the volume of accounts, files, collaboration, and connected third-party cloud applications. Enterprises have begun to standardize on SaaS applications. Meanwhile, users are speeding by, taking advantage of the self-provisioning capabilities enabled by the BYOD and cloud phenomena. In 2015, it was reported that external collaboration via public cloud applications increased fourfold, and that ten times as many files were being stored in public cloud applications.

As data, apps, and users shift to the cloud, we must ask ourselves what the impact on our threat surface is and what new attack opportunities will emerge. While most security professionals are aware of how traditional data breaches happen, few have dissected the who, what, when, where, and how of a breach that takes place in the cloud. The traditional “kill chain” used by outside bad actors, or the vehicle used by insider bad actors, changes significantly. This presents a challenge to security teams, who must adjust their approach to identifying and evaluating breaches in this new environment.

Breaches Outside of Traditional Borders

The conventional security model was physical in nature and relied on perimeter defenses. The goal was to erect fences around assets and resources and grant users access to specific, designated zones. To attack this paradigm, adversaries focused on getting into the desired perimeter or zone. More often than not, the way in is a user who is already allowed inside that perimeter.

When the sensitive assets are behind the firewall, an attacker follows a typical pattern: find a way to deploy a weapon onto a user’s machine; let the user (with the machine) carry the attacker inside the perimeter; then use various sophisticated techniques to establish a control channel with the outside world and attempt to siphon off sensitive assets, directly or through lateral movement, all the while remaining undetected and evading the multitude of security technologies deployed on the network.

As we move our critical assets to the cloud and access them from anywhere, workers can operate more freely, but the borderless environment creates new threat vectors.

The first two threat vectors fall under the category of insider threat. Most cloud applications provide value when they drive productivity, collaboration, and business workflows. The ease of getting things done together is transformational. SaaS applications such as Salesforce.com and Office 365 facilitate an exchange of information, making it easy to share with people external to the company or with personal, non-corporate accounts.

This is an entirely new threat vector. The typical scenarios encountered are oversharing due to inadvertent or malicious extraction of data. Sharing through cloud applications is a risk that needs to be modeled and addressed. In fact, findings indicate that the average organization has 12% of files shared organization-wide, while another 10% of files are exposed externally, and 2% are accessible publicly or searchable on the public Web.
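The exposure breakdown quoted above can be modelled directly from an application's sharing permissions. The following is an added example, not CloudLock's code or data: it assumes a Drive-style permission record (grantee type `user`, `domain` or `anyone`, plus a link-discoverable flag) and a corporate domain of `example.com`, assigns each file the most exposed of its permissions, and reports the organization-wide, external and public shares of a constructed file set.

```python
from collections import Counter

CORP_DOMAIN = "example.com"   # assumed corporate domain
# Constructed sample, one record per (file, permission):
# (file_id, grantee_type, grantee, link_discoverable). Not real data.
SAMPLE_PERMISSIONS = [
    ("f1", "user", "alice@example.com", False),
    ("f1", "user", "bob@example.com", False),
    ("f2", "domain", "example.com", False),               # shared organization-wide
    ("f3", "user", "partner@vendor.example", False),      # external collaborator
    ("f4", "user", "alice@personal-mail.example", False), # personal, non-corporate account
    ("f5", "anyone", "", False),                          # anyone with the link
    ("f6", "anyone", "", True),                           # public and searchable on the Web
    ("f7", "domain", "example.com", False),
    ("f7", "anyone", "", False),                          # org-wide AND link-shared: external wins
    ("f8", "user", "carol@example.com", False),
]

# Exposure levels from least to most exposed; a file takes the highest
# level of any permission attached to it.
LEVELS = ["private", "organization", "external", "public"]

def permission_level(gtype, grantee, discoverable, corp_domain=CORP_DOMAIN):
    """Map one sharing permission to an exposure level."""
    if gtype == "anyone":
        return "public" if discoverable else "external"
    if gtype == "domain":
        return "organization" if grantee.lower() == corp_domain else "external"
    if gtype == "user":
        return "private" if grantee.rsplit("@", 1)[-1].lower() == corp_domain else "external"
    raise ValueError(f"unknown grantee type: {gtype}")

def exposure_by_file(records, corp_domain=CORP_DOMAIN):
    """Return {file_id: worst exposure level across all of its permissions}."""
    worst = {}
    for file_id, gtype, grantee, discoverable in records:
        level = permission_level(gtype, grantee, discoverable, corp_domain)
        current = worst.get(file_id, "private")
        worst[file_id] = level if LEVELS.index(level) > LEVELS.index(current) else current
    return worst

def exposure_summary(records, corp_domain=CORP_DOMAIN):
    """Return {level: (file_count, percent_of_files)}, the kind of breakdown quoted above."""
    worst = exposure_by_file(records, corp_domain)
    counts, total = Counter(worst.values()), len(worst)
    return {lvl: (counts[lvl], round(100 * counts[lvl] / total, 1) if total else 0.0)
            for lvl in LEVELS}

if __name__ == "__main__":
    for lvl, (n, pct) in exposure_summary(SAMPLE_PERMISSIONS).items():
        print(f"{lvl:>12}: {n} files ({pct}%)")
```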

Another important dimension of cloud applications is that the most successful applications create an ecosystem of third-party apps that can be connected via APIs to provide additional value and extend the app’s inherent core capabilities. These third-party applications are great for many reasons and serve many different purposes at work and at home. What organizations must realize is that when you authorize these applications to access your identities in the cloud, or the data in your cloud apps, a connection is established, through the user, between a third-party entity and your corporate environment. Effectively, their security is now your security, because through this connection you have possibly granted access to read your emails, view and manage your files, and perform operations even while you’re not using the application.

This is a new threat vector, used today as the basis of a new form of malware: Cloud Malware. An attacker can deliver malware through such a third-party app and gain access to users’ data immediately. The security technologies deployed on-premises do not exist here, as this vector is outside the enterprise network, beyond the firewall. In fact, without modern cloud security technology, this type of attack will go completely unnoticed and untraced.

The last threat vector of interest is that, as cloud applications are out in the wild, they are being attacked through brute-force password attacks or through attempts to log in with stolen credentials, under the premise that many users use the same password everywhere. And they’re right. While this isn’t necessarily new, it is important to highlight because cloud apps contain our sensitive data.
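Both attack patterns leave a recognisable shape in a cloud application's login log: brute force is one account failing repeatedly from one source, while replaying stolen credentials looks like one source trying many distinct accounts about once each. The detector below is an added example, not CloudLock's code; it runs over constructed login events (timestamp, source IP, account, outcome) and the window and thresholds are assumptions to tune per application.

```python
from collections import Counter, defaultdict

# Constructed login events for a cloud app: (timestamp_s, source_ip, account, outcome).
# Not real log data; the IPs are from documentation ranges.
SAMPLE_LOGINS = (
    [(5 * i, "198.51.100.7", "alice@example.com", "fail") for i in range(5)]  # brute force ...
    + [(30, "198.51.100.7", "alice@example.com", "success")]                 # ... then it works
    + [(100 + i, "203.0.113.9", f"{u}@example.com", "success" if u == "dave" else "fail")
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]     # stolen credentials
    + [(200, "192.0.2.44", "grace@example.com", "fail"),                     # benign mistyped password
       (210, "192.0.2.44", "grace@example.com", "success")]
)

def classify_window(ip, bucket, fail_threshold, account_threshold):
    """Classify one source's events (ts, account, outcome) inside one time window."""
    fails = Counter(acct for _, acct, out in bucket if out == "fail")
    accounts = {acct for _, acct, _ in bucket}
    successes = sorted({acct for _, acct, out in bucket if out == "success"})
    findings = []
    # Brute force: the same account fails repeatedly from one source.
    for acct, n in fails.items():
        if n >= fail_threshold:
            findings.append(("brute_force", ip, {"account": acct, "failures": n,
                                                 "success_in_window": acct in successes}))
    # Credential stuffing: one source tries many distinct accounts, roughly once each,
    # which is what replaying a leaked username/password list looks like.
    if len(accounts) >= account_threshold and len(bucket) / len(accounts) <= 2:
        findings.append(("credential_stuffing", ip, {"accounts_tried": len(accounts),
                                                     "accounts_succeeded": successes}))
    return findings

def detect_login_abuse(events, window=300, fail_threshold=5, account_threshold=4):
    """Group events per source IP into tumbling windows of `window` seconds and classify each."""
    by_source = defaultdict(list)
    for ts, ip, acct, out in sorted(events):
        by_source[ip].append((ts, acct, out))
    findings = []
    for ip, evs in by_source.items():
        window_start, bucket = evs[0][0], []
        for ev in evs:
            if ev[0] - window_start > window:   # close the current window and start a new one
                findings += classify_window(ip, bucket, fail_threshold, account_threshold)
                window_start, bucket = ev[0], []
            bucket.append(ev)
        findings += classify_window(ip, bucket, fail_threshold, account_threshold)
    return findings

if __name__ == "__main__":
    for kind, ip, detail in detect_login_abuse(SAMPLE_LOGINS):
        print(kind, ip, detail)
```

A success inside a flagged window is the item to triage first, since it means the guessed or stolen password actually worked.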

Reducing the Cloud Threat Surface

So how do we address these new threats? It’s important to realize that cloud presents an opportunity for better security. In the cloud, you operate under a shared responsibility model: The cloud vendor provides security of the cloud while you (the customers) provide security in the cloud. 

This means that you can focus on how to enable and configure cloud applications and services as opposed to spending time patching systems. You can focus on user education and enablement and not blocking, which tends to lead to shadow IT. In addition, consolidating users and data in several major cloud applications can actually lead to an overall reduction of your threat surface in comparison to the distributed and heterogeneous IT environment on premises. You do, however, need to model these threats, assess their impact on your company, and prioritize which ones to deal with.

The good news is that you can use the cloud itself to help. You can use the ultra-elastic and scalable cloud, and the availability of APIs to connect cloud apps and platforms, to build an intelligent, adaptive cloud security system that runs in the cloud and protects the cloud.

Interop 2016 Las Vegas: Find out more about Ron's Interop conference session on Friday, May 6, at the Mandalay Bay Convention Center, Las Vegas.

About the Author(s)

Ron Zalkind

CTO & Co-founder, CloudLock

As CTO, Ron is responsible for CloudLock's overall technology and continuous innovation. Prior to founding CloudLock, Ron was Director of Product Management at Interwise (acquired by AT&T), and held varied Engineering Management positions in private and military sectors including the Israeli Air Force Software Development unit, where he worked on the development of mission critical intelligence systems. Ron was named a CTO of the Year Finalist for the 2014 MassTLC Leadership Awards and Winner of the 2014 Golden Bridge Awards. Ron has a BA in Computer Science from the Academic College of Tel Aviv-Jaffa and is a graduate of MAMRAM.
