Hybrid and multi-cloud architectures are all the rage in enterprise IT infrastructure. But enabling the flexibility to deploy the right tool for each task requires a complex set of technologies that interlinks all the varied assets. That creates a bigger attack surface for hackers. The more services you rely on to run your business, the harder it is to keep track of how secure they all are.
Some of the most recent examples of this problem have been tied to APIs (Application Programming Interfaces). In the past few months, Peloton, Clubhouse, Experian, Equifax, Instagram, Amazon, and PayPal have all been in the news for API-related cybersecurity problems.
APIs are how applications talk to one another. A mobile app or a web frontend, for example, might use an API to communicate with a backend database. That means that if the API is exploited, the backend database behind it is exposed as well. An API used by Clubhouse, for example, let anyone query the entire database of the social network’s public user profiles.
According to a report released in February by Salt Security, 91 percent of companies reported API-related security problems last year. More than 80 percent weren’t sure whether the APIs they used exposed personally identifiable information, and about one fifth said they had no way of finding out which APIs exposed sensitive data.
APIs are just one example of potential attack surfaces for cloud-based infrastructure, and it's not a surprise that cybersecurity incidents involving cloud infrastructure have now surpassed those involving on-prem resources.
Cloud Attack Surface Is an Old Problem
Attacks on cloud architectures have been accelerating, as cybercriminals become more aware of the vulnerabilities. But the exposure has been there for a while.
Software-as-a-Service applications like Dropbox, Office 365, and Salesforce can be used to exfiltrate data via rogue fileshares or spread malware in an enterprise; compromised accounts can be used to access sensitive data. Those are just a few examples of SaaS platform attack vectors.
Cloud storage is another vulnerable category. Poorly secured AWS buckets, for example, have been at the heart of many major data breaches over the years.
Then there's cloud compute infrastructure, everything from virtual machines to containers to serverless. It is vulnerable to malware, from rogue crypto mining to ransomware, and can be used to launch attacks on other systems.
Finally, there's the API layer, the links that hold everything together.
"Most organizations have had a cloud attack surface for years and didn't know about it," said Andrew Douglas, managing director in cybersecurity at Deloitte & Touche. "They were using SaaS applications and piloting different cloud providers going back a decade."
Companies are under increasing pressure to move to the cloud, which the pandemic has accelerated. While security technologies are becoming more comprehensive and robust, IT managers are tempted to skip over the security planning steps and jump straight into putting new solutions into production.
"There's been a lot of temptation to move quickly," said Douglas. "Our clients are trying to accelerate their organizations' move to the cloud, but whether they put in the time and investment in implementing security – well, that has been lagging."
The biggest challenge faced by those that do want to invest in security planning upfront is getting an accurate view of all their assets. "What do we have out there? What are we spinning out on a daily basis? What are the subscriptions we have in the cloud? What infrastructure as code? What serverless functionality? And knowing the individual components within each of those subscriptions and how they're being used, that is challenging, especially as the cloud service providers all race to bring out new functionality and new features in a rapid way."
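To make the "what do we have out there" question concrete, here is an added example that is not from the article or from any vendor it mentions: a check that evaluates, for each storage bucket in an inventory, the three configuration documents that together decide whether the bucket is readable by anyone: its public access block settings, its ACL grants, and its bucket policy. The inventory below is constructed for illustration; the configuration keys (BlockPublicAcls and the other three) and the AllUsers/AuthenticatedUsers grantee URIs are the ones AWS uses, and in a real run these documents would be pulled from the provider's API for every bucket in every account.

```python
"""Flag storage buckets whose configuration leaves them publicly readable.

Added example, not code from the article. The inventory is constructed;
the evaluation logic is what matters: a bucket is treated as public when a
public ACL grant or an anonymous policy grant is *not* neutralised by the
corresponding public access block setting.
"""
import json

# Grantee URIs AWS uses in bucket ACLs for "everyone" and "any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four settings of an S3 PublicAccessBlockConfiguration.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)
READ_ACTION_PREFIXES = ("s3:get", "s3:list")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_anonymous_read(policy_json):
    """True if the bucket policy has an unconditional Allow to everyone on a read/list action."""
    if not policy_json:
        return False
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition (e.g. source VPC endpoint); not open to all
        for action in _as_list(stmt.get("Action")):
            a = action.lower()
            if a in ("*", "s3:*") or a.startswith(READ_ACTION_PREFIXES):
                return True
    return False


def acl_grants_public(grants):
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES for g in grants)


def assess_bucket(bucket):
    """Return the exposure verdict for one bucket plus any missing block settings."""
    pab = bucket.get("public_access_block", {})
    reasons = []
    if acl_grants_public(bucket.get("acl_grants", [])) and not pab.get("IgnorePublicAcls"):
        reasons.append("ACL grants access to everyone and IgnorePublicAcls is off")
    if policy_grants_anonymous_read(bucket.get("policy")) and not pab.get("RestrictPublicBuckets"):
        reasons.append("bucket policy allows anonymous read and RestrictPublicBuckets is off")
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if pab.get(k) is not True]
    return {"name": bucket["name"], "public": bool(reasons),
            "reasons": reasons, "missing_block_settings": missing}


def inventory_report(buckets):
    """Summarise which buckets are public now and which merely lack full hardening."""
    results = [assess_bucket(b) for b in buckets]
    return {
        "total": len(results),
        "public": [r["name"] for r in results if r["public"]],
        "hardening_gaps": [r["name"] for r in results
                           if r["missing_block_settings"] and not r["public"]],
        "details": results,
    }


ALL_USERS_READ = [{"Grantee": {"Type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                   "Permission": "READ"}]
ANON_GET = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::customer-exports/*"}]})
VPCE_ONLY_GET = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::app-logs/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})

# Constructed inventory: four buckets with different combinations of settings.
SAMPLE_INVENTORY = [
    {"name": "retail-web-assets", "public_access_block": {}, "acl_grants": ALL_USERS_READ},
    {"name": "customer-exports",
     "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}, "policy": ANON_GET},
    {"name": "finance-backups",  # anonymous policy, but fully blocked at the bucket level
     "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}, "policy": ANON_GET},
    {"name": "app-logs",  # public ACL ignored; policy conditioned; three settings still off
     "public_access_block": {"IgnorePublicAcls": True},
     "acl_grants": ALL_USERS_READ, "policy": VPCE_ONLY_GET},
]

if __name__ == "__main__":
    report = inventory_report(SAMPLE_INVENTORY)
    print(f"{report['total']} buckets, public: {report['public']}, "
          f"hardening gaps: {report['hardening_gaps']}")
```

The distinction the report draws matters for prioritising work: "retail-web-assets" and "customer-exports" are readable by anyone today, "finance-backups" has a dangerous policy that the block settings currently neutralise, and "app-logs" is not exposed but would become so the moment someone loosens its policy, because most of its block settings are off.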
Visibility Tools Improve Multicloud Security Posture
The cloud attack surface visibility problem gets exponentially worse in multi-cloud environments.
One IT operations manager for an online retailer told DCK that he wished he had invested in a visibility tool years ago. The company has infrastructure in AWS, Azure, and on premises, in addition to the usual attack vector of employee devices.
The manager, who did not want his or the company’s name to be published, said they chose Alert Logic, a visibility tool that works across their entire hybrid environment.
"Having all our security events in one location has made our lives easier," he said. "We now have a single pane of glass for all our security events." This allows for centralized management and easier identification of potential security holes.
"We are heavy users of the vulnerability area of the tooling, using this to highlight current issues," he added. That helps ensure that everything is properly patched, and known exploits are identified and mitigated.
"To add to this, we also utilize the compliance areas a lot," he said. As a retailer, the company must comply with the Payment Card Industry (PCI) security standards. "PCI scans run monthly and, again, allow us to build a roadmap of work that needs to be carried out."
The Scale of Exposure Is Unprecedented
Last month, cloud security vendor Zscaler released a global report on the state of enterprise attack surfaces, particularly those exposed during the COVID-19 pandemic.
An in-depth analysis of 1,500 companies, mostly large enterprises, uncovered more than 202,000 vulnerabilities, 49 percent of which were classified as critical or high severity.
The analysis found nearly 400,000 servers exposed to the internet, more than 200,000 exposed ports, and more than 60,500 exposed instances in AWS, Azure, and Google Cloud. In addition, 47 percent of the supported protocols were outdated and vulnerable.
Larger companies weren't more secure than smaller ones. The opposite was true: the larger the organization, the more likely it was to use more cloud resources and to have more vulnerabilities.