- Which databases are in the clouds? Review your platform-as-a-service (PaaS) databases, storage and compute workloads hosting databases, including virtual machines (VMs), containers, and the database software installed on them.
- What is effectively exposed from the cloud environment? Choose exposure engines that have full visibility of your cloud environment to identify any routing or network services that allow traffic to be exposed externally. This includes load balancers, application load balancers, content delivery networks (CDNs), network peering, and cloud firewalls.
- Assess external exposure from a Kubernetes cluster. The exposure engine must factor in many Kubernetes networking components, including cluster IPs, Kubernetes services, and ingress rules.
- Reduce access exposure by ensuring that the database is configured to the least-privileged IAM policy, and that assignments of this policy are controlled and monitored.
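The least-privilege check in the last point is easy to state and easy to get wrong in practice, so here is an added example of what "configured to the least-privileged IAM policy" looks like as a concrete test. This Go program is not from the CSA report or the original article; it lints an AWS-style IAM policy document and flags Allow statements that grant wildcard actions on database services or apply database actions to every resource. The service prefixes treated as "database" (rds, rds-data, dynamodb, redshift), the two sample policies and the account ID in them are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringOrList accepts the IAM convention that Action and Resource may be
// either a single string or a list of strings.
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type Statement struct {
	Sid      string       `json:"Sid"`
	Effect   string       `json:"Effect"`
	Action   StringOrList `json:"Action"`
	Resource StringOrList `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// dbServices lists the service prefixes this example treats as databases.
// This is an assumption of the example; extend it for your estate.
var dbServices = map[string]bool{"rds": true, "rds-data": true, "dynamodb": true, "redshift": true}

// touchesDB reports whether an action grants anything on a database service.
func touchesDB(action string) bool {
	if action == "*" {
		return true
	}
	svc, _, ok := strings.Cut(action, ":")
	return ok && dbServices[strings.ToLower(svc)]
}

// LintPolicy returns one finding per problem found in Allow statements:
// a wildcard database action, or database actions allowed on Resource "*".
func LintPolicy(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		id := st.Sid
		if id == "" {
			id = fmt.Sprintf("statement[%d]", i)
		}
		var dbActions, wildcards []string
		for _, a := range st.Action {
			if touchesDB(a) {
				dbActions = append(dbActions, a)
				if a == "*" || strings.HasSuffix(a, ":*") {
					wildcards = append(wildcards, a)
				}
			}
		}
		if len(dbActions) == 0 {
			continue
		}
		if len(wildcards) > 0 {
			findings = append(findings, fmt.Sprintf("%s: wildcard database action(s) %v", id, wildcards))
		}
		for _, r := range st.Resource {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("%s: database actions %v allowed on every resource", id, dbActions))
				break
			}
		}
	}
	return findings, nil
}

// Constructed sample policies (not taken from any real account).
const BroadPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DbAdmin", "Effect": "Allow", "Action": ["rds:*", "dynamodb:*"], "Resource": "*"},
    {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}
  ]
}`

const ScopedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOrders", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}
  ]
}`

func main() {
	for name, doc := range map[string]string{"broad": BroadPolicy, "scoped": ScopedPolicy} {
		findings, err := LintPolicy(doc)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s policy: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The broad policy yields two findings (wildcard actions and a wildcard resource on the DbAdmin statement); the scoped one yields none. The check deliberately ignores Condition blocks, NotAction and NotResource, so treat it as a first-pass filter over policies before a full IAM evaluation, and pair it with monitoring of who the policy is attached to, as the takeaway above says.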
9. Misconfiguration and exploitation of serverless and container workloads
Managing and scaling the infrastructure to run applications can still be challenging for developers, the report pointed out, because they must take on more responsibility for the network and security controls around their applications.
While some of that responsibility can be offloaded to a CSP by using serverless and containerized workloads, for most organizations the loss of control over the underlying cloud infrastructure limits both the mitigation options for application security issues and the visibility of traditional security tooling. That's why the report recommended building strong organizational practices around cloud hygiene, application security, observability, access control, and secrets management to reduce the blast radius of an attack.
Key takeaways about misconfiguration and exploitation of serverless and container workloads include:
- Companies should implement cloud security posture management (CSPM), CIEM, and cloud workload protection platforms to increase security visibility, enforce compliance, and enforce least privilege in serverless and containerized workloads.
- Investments should be made into cloud security training, governance processes, and reusable secure cloud architecture patterns to reduce the risk and frequency of insecure cloud configurations.
- Development teams should put extra rigor around strong application security and engineering best practices before migrating to serverless technologies that remove traditional security controls.
10. Organized crime, hackers and APT groups
Advanced persistent threat (APT) groups typically focus on stealing data. These groups are closely studied by threat intelligence firms, which publish detailed reports on their methods and tactics. The CSA report recommended that organizations use those reports to stage red team exercises that better protect them from APT attacks, and to perform threat-hunting exercises to identify the presence of any APTs on their networks.
Key takeaways from the report in the APT area include:
- Conduct a business impact analysis on your organization to understand your information assets.
- Participate in cybersecurity information sharing groups.
- Understand any relevant APT groups and their tactics, techniques and procedures (TTPs).
- Conduct offensive security exercises to simulate the TTPs of these APT groups.
- Ensure security monitoring tools are tuned to detect TTPs of any relevant APT groups.
11. Cloud Storage Data Exfiltration
Cloud storage data exfiltration occurs when sensitive, protected or confidential information is released, viewed, stolen or used by an individual outside of the organization's operating environment. The report noted that data exfiltration often occurs without the knowledge of the data's owner. In some cases, the owner may be unaware of the theft until notified by the thief or until the data appears for sale on the internet.
While the cloud can be a convenient place to store data, the report continued, it also offers multiple ways to exfiltrate it. To protect against exfiltration, organizations have begun turning to a zero-trust model in which identity-based security controls provide least-privilege access to data.
Key takeaways about cloud storage exfiltration in the report include:
- Cloud storage requires a well-configured environment (SaaS security posture management [SSPM], CSPM), remediation of vulnerabilities in infrastructure as a service (IaaS), which remains a major threat vector, and strong identity and access control over both human and non-human identities.
- To detect and prevent attacks and data exfiltration, apply the CSP's best practices guides, monitoring and detection capabilities.
- Employee awareness training on cloud storage usage is required, as data is scattered across many locations and controlled by many different personas.
- Evaluate cloud providers' security resilience and, at a minimum, their adherence to security standards, legal agreements, and service level agreements (SLAs).
- Where business requirements allow, client-side encryption can protect data from external attackers and from malicious CSP insiders. Encryption is not always feasible, however, because of implementation considerations such as key management.
- Classifying data can help in setting different controls, and if exfiltration happens, assessing the impact and recovery actions required.
Shifting focus of cloud security
The CSA report noted that its 2022 edition continued a nascent trend found in its previous version: a shift away from the traditional focus on information security concerns such as vulnerabilities and malware. Still, these security issues are a call to action for developing and enhancing cloud security awareness, configuration, and identity management. The cloud itself is less of a concern; the focus is now on how cloud technology is implemented.
Editor's note: This article, originally published on March 11, 2016, has been updated to reflect the latest research.