Cloud use is at an all-time high, despite security worries. Last week's ChaosDB vulnerability shows that enterprises need to adapt their security strategies and move to the zero-trust model and identity-based authentication.
The standard thinking on cloud security goes like this:
We're giving up control over the infrastructure when we move to the cloud, but the providers, on average, do as good a job or better than we can manage on premises.
The cloud providers do nothing but cloud and can afford to invest more in security technology and personnel than the average company.
So we're going to let the cloud providers handle the infrastructure, and we'll worry about the stuff that's our responsibility, like cloud configuration settings and application security.
But when a major cloud provider messes up on fundamental infrastructure security, should data center and IT professionals shrug their shoulders, reset security keys and move on? After all, Microsoft shut down the ChaosDB vulnerability within two days of finding out about it.
And even though the researcher who discovered it, Wiz's chief technology officer Ami Luttwak, told Reuters that it was "the worst cloud vulnerability you can imagine," we haven't seen any reports yet of confirmed breaches due to ChaosDB. That is despite the fact that, according to cloud security firm Wiz, "exploiting it was trivial."
ChaosDB allows attackers to break multitenancy, leveraging a flaw in Microsoft's Jupyter Notebook data visualization tool to get into other customers' Cosmos DB databases. Cosmos DB has thousands of customers, including corporate giants like Coca-Cola, ExxonMobil, Kohler, Bentley and Liberty Mutual.
Cloud Security Risks
Companies are highly aware of cloud risks.
According to Fortinet's cloud security report, released this summer, 73% of enterprises are "very or extremely concerned" about cloud security.
Currently, 97% of enterprises use cloud computing.
But cloud usage will increase even more.
That's because, according to Gartner, only 20% of workloads use cloud infrastructure and platform services. That percentage will double to 40% by 2023.
And public cloud spending accounts for only 17% of enterprise IT spending, Gartner said in a report last month.
That will grow to more than 45% by 2026.
In light of this coming tsunami, enterprises need to rethink their security strategies to embrace zero-trust and identity-based authentication.
Both of those strategies are ones that experts recommend for dealing with risks like those posed by the ChaosDB vulnerability. And they will help prepare enterprises for future problems of the same kind, where much of the underlying architecture and processes are out of their control.
"The cloud provider can become a single point of failure," said Dan Petro, lead researcher at security testing firm Bishop Fox.
And as the industry moves even further toward serverless infrastructure, vulnerabilities like ChaosDB are likely to increase in occurrence and severity, he told Data Center Knowledge.
"Anytime we have these highly visible, high-profile weaknesses, attackers are going to notice that, and it's going to inspire similar attacks, similar offensive research," said Mark Orlando, co-founder and CEO at Bionic Cyber; security operations instructor at the SANS Institute; and former security team manager at the Pentagon, the White House and the Department of Energy.
And a vulnerability like ChaosDB can arise with any service provider, he told Data Center Knowledge.
Move to the Zero-Trust Model
One key strategy is to move to a zero-trust, identity-based approach to authentication and security.
With the ChaosDB vulnerability, the attackers were able to get access to security keys.
Today, many systems rely on keys or credentials for authentication, which can be easily stolen.
In fact, according to the latest Verizon Data Breach Investigations Report, lost or stolen credentials were involved in 61% of breaches.
With the ChaosDB vulnerability, even though Microsoft fixed the security flaw immediately, companies that relied on the shared security keys remained exposed until those keys were changed.
Microsoft contacted those companies and instructed them to change their keys. Microsoft couldn't reset those private keys for them.
But will companies get around to doing it, asked Oliver Pinson-Roxburgh, CEO at TargetDefense, a cybersecurity firm. "And will Microsoft monitor if those at risk have changed the key?"
Companies are often slow to make security fixes, even very simple ones, he told Data Center Knowledge. "In our penetration test data, it shows that more than 79% of issues are low effort to fix, meaning that businesses, even those that spend money on security, are still not remediating low-hanging fruit."
Zero-trust, segmentation and role-based access controls are some of the strategies that can be used to minimize these risks.
With such techniques, "even if credentials and keys are compromised, the damage is limited," Orlando said. "It's not a global issue."
For example, with the ChaosDB vulnerability, if enterprises had limited connections to specific IPs or private endpoints and used role-based access controls, they would have been protected, said Avi Nutkis, security engineer at Oak9, a cloud security company.
In the old castle-and-moat model of security, internal traffic was automatically trusted. But with ChaosDB, the attackers would have already been in the house.
"We should not assume that any traffic from inside the network is trustworthy," Nutkis told Data Center Knowledge. "Zero-trust architectures require all traffic to be viewed as untrustworthy until proven otherwise."
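Nutkis's point about private endpoints and role-based access, as an added example (not code from the article, Microsoft or any of the firms quoted): a small Go authorization routine that treats every request as untrusted and requires a source inside an approved private range, a verified principal, and an explicit role grant before allowing an operation. The request fields, the 10.20.0.0/16 range, the principal name and the database and container names are constructed assumptions, not Cosmos DB's real access-control API. A stolen key on its own fails at the first two checks whether it is used from the internet or from inside the network.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Request models a data-plane call after the platform has already verified
// the caller's identity token. Every field here is a constructed assumption
// for this example, not a Cosmos DB or Azure API.
type Request struct {
	Principal  string // verified identity; "" means only a key was presented
	SourceAddr string // address the connection arrived from
	Database   string
	Container  string
	Operation  string // "read" or "write"
}

// Permission is one role grant: which operations a principal may perform on
// one container.
type Permission struct {
	Database  string
	Container string
	Ops       map[string]bool
}

// Policy is the zero-trust rule set: traffic is allowed only from approved
// private endpoint ranges, and only for a verified principal holding an
// explicit grant. Possessing a key is never sufficient on its own.
type Policy struct {
	AllowedSources []netip.Prefix
	Grants         map[string][]Permission
}

// Authorize evaluates one request and returns the decision with a reason.
func (p Policy) Authorize(r Request) (bool, string) {
	addr, err := netip.ParseAddr(r.SourceAddr)
	if err != nil {
		return false, "unparseable source address"
	}
	// 1. Network check: reject anything outside the private endpoint ranges,
	//    so a leaked key is useless from the public internet.
	inRange := false
	for _, pfx := range p.AllowedSources {
		if pfx.Contains(addr) {
			inRange = true
			break
		}
	}
	if !inRange {
		return false, "source is not an approved private endpoint"
	}
	// 2. Identity check: inside the network is still untrusted; the caller
	//    must present a verified principal, not just a shared key.
	if r.Principal == "" {
		return false, "no verified identity (shared key not accepted)"
	}
	// 3. Role check: the principal needs an explicit grant for exactly this
	//    operation on exactly this container.
	for _, perm := range p.Grants[r.Principal] {
		if perm.Database == r.Database && perm.Container == r.Container && perm.Ops[r.Operation] {
			return true, "allowed by role grant"
		}
	}
	return false, fmt.Sprintf("no role grants %s on %s/%s", r.Operation, r.Database, r.Container)
}

// ExamplePolicy builds a constructed policy: one private subnet and one
// service principal that may only read the orders container.
func ExamplePolicy() Policy {
	return Policy{
		AllowedSources: []netip.Prefix{netip.MustParsePrefix("10.20.0.0/16")},
		Grants: map[string][]Permission{
			"orders-api@example": {
				{Database: "shop", Container: "orders", Ops: map[string]bool{"read": true}},
			},
		},
	}
}

func main() {
	p := ExamplePolicy()
	cases := []Request{
		// key presented from the internet: blocked at the network layer
		{SourceAddr: "203.0.113.7", Database: "shop", Container: "orders", Operation: "read"},
		// key presented from inside the private range: still no identity
		{SourceAddr: "10.20.1.5", Database: "shop", Container: "orders", Operation: "read"},
		// legitimate service reading what its role allows
		{Principal: "orders-api@example", SourceAddr: "10.20.1.5", Database: "shop", Container: "orders", Operation: "read"},
		// same service attempting a write it was never granted
		{Principal: "orders-api@example", SourceAddr: "10.20.1.5", Database: "shop", Container: "orders", Operation: "write"},
	}
	for _, c := range cases {
		ok, why := p.Authorize(c)
		fmt.Printf("principal=%q src=%s op=%s -> %v (%s)\n", c.Principal, c.SourceAddr, c.Operation, ok, why)
	}
}
```

The order of the checks matters for damage limitation: a compromised key is stopped before any role lookup happens, and even a legitimate identity is confined to the operations its grant names, which is what "the damage is limited" means in practice.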
Companies are increasingly aware of the benefits of the zero-trust model and are planning to adopt it.
According to a survey Microsoft released in July, 96% of security decision-makers state that zero trust is critical to their organization’s success, and 76% say that they are in the process of implementing it. But only 35% have fully implemented it, and even those haven't finished implementing zero trust across all security risk areas and components.
In May, U.S. President Biden signed an executive order instructing the federal government to adopt zero trust and to require zero trust from external cloud service providers.
However, more than 40% of respondents to a July IBM survey of government IT decision-makers said it would take three more years to adopt the zero-trust model.
A simple security control that is part of the zero-trust framework, multifactor authentication, is also part of Biden's executive order. It has been a top recommendation for enterprises for years and is widely recognized as one of the most effective security controls available.
But according to the latest Thales data threat report, only 55% of enterprises have adopted any form of multifactor authentication.
There's a big gap today between what enterprises know they should be doing and what’s happening on the ground.
Vulnerabilities like ChaosDB and recent attacks against SolarWinds and Kaseya show how vulnerable we are to attacks on commonly used services or platforms.
Cloud Security Encryption
There is one other fundamental security practice that would have protected companies against ChaosDB and similar attacks: comprehensive encryption of all critical data.
"Individually encrypting each entity in a database is the only way to stop attacks that are exfiltrating data," said W. Curtis Preston, chief technical evangelist at Druva, a cloud security firm. "With these measures in place, hackers won’t have a way to decrypt the sensitive information even if they are able to obtain access to the database."
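Preston's advice to encrypt each entity individually, as an added example that is not the article's or Druva's code: each record is encrypted with AES-256-GCM under a key the application holds (standing in for a KMS or HSM) and never writes to the database, with the record ID bound in as associated data so a ciphertext cannot be quietly moved to another record. The key, the record contents and the StoredEntity layout are constructed for illustration; nothing here is a Cosmos DB feature.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredEntity is what actually lands in the database row: the record ID in
// the clear and an opaque blob. Constructed for this example.
type StoredEntity struct {
	ID         string
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
}

// Vault wraps the data-encryption key. In a deployment this key would sit in
// a KMS or HSM reachable only by the application's identity; it is never
// written to the database, so a dump of the rows yields only ciphertext.
type Vault struct {
	aead cipher.AEAD
}

// NewVault takes a 32-byte key (AES-256).
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a single entity with a fresh random nonce. The record ID is
// bound in as associated data, so a ciphertext copied onto another ID fails
// authentication instead of decrypting.
func (v *Vault) Seal(id string, plaintext []byte) (StoredEntity, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredEntity{}, err
	}
	ct := v.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return StoredEntity{ID: id, Ciphertext: ct}, nil
}

// Open decrypts one stored entity, verifying the tag and the ID binding.
func (v *Vault) Open(e StoredEntity) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(e.Ciphertext) < ns+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, e.Ciphertext[:ns], e.Ciphertext[ns:], []byte(e.ID))
}

func main() {
	// Constructed key; a real one comes from the key service, not from code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	record := []byte(`{"customer":"Ada Example","card_last4":"1234"}`)
	stored, err := v.Seal("cust-1001", record)
	if err != nil {
		panic(err)
	}
	// What someone reading the database without the key sees:
	fmt.Printf("row %s -> %x\n", stored.ID, stored.Ciphertext)
	fmt.Println("plaintext visible in row:", bytes.Contains(stored.Ciphertext, []byte("Ada")))

	// The application, holding the key, recovers the record.
	pt, err := v.Open(stored)
	fmt.Printf("app decrypts: %s (err=%v)\n", pt, err)

	// Moving the blob onto a different record ID is rejected.
	moved := StoredEntity{ID: "cust-2002", Ciphertext: stored.Ciphertext}
	_, err = v.Open(moved)
	fmt.Println("ciphertext re-homed to another ID:", err)
}
```

The property that matters for the ChaosDB scenario is where the key lives: account keys for the database service grant access to rows, but rows encrypted this way are useless without a second key that the database never sees, so a breach of the service alone does not expose the data. Per-record nonces and the ID binding are what keep that guarantee intact across many records and against tampering.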
But, according to Thales, only 17% of companies encrypt more than half of the data they have in the cloud.
Given how important the cloud is to today's enterprises and how important cybersecurity is, it's a shock how many basic security precautions aren't being taken. It doesn't instill much confidence in the quick adoption of more complex security approaches, like zero trust.