David Linthicum
Contributor

Why are we still confused about cloud security?

analysis
Oct 15, 20245 mins
Cloud ComputingCloud SecurityIdentity and Access Management

We’re building too much complexity and are ill-trained to secure it. The result will be breach after breach, while enterprises wonder what happened. Get a clue now.

Too Many Questions. Pile of colorful paper notes with question marks. Closeup.
Credit: StepanPopov / Shutterstock

A report by cloud security company Tenable discovered that 74% of companies surveyed had exposed storage or other misconfigurations. This is a dangerous open door to cybercriminals. Overall, cloud security is getting worse. The availability and quality of security tools is getting better, but the people confirming the cloud computing infrastructure are getting dumber. Something has to give.

The study also reveals that more than one-third of cloud environments are critically vulnerable due to a confluence of factors: workloads that are highly privileged, publicly exposed, and critically weak. This alarming “toxic cloud triad” places these organizations at an elevated risk of cyberattacks and underscores the necessity for immediate and strategic interventions.

A prevalent issue is publicly exposed storage, which often includes sensitive data due to excessive permissions, making it a prime target for ransomware attacks. Additionally, the improper use of access keys remains a significant threat, with a staggering 84% of organizations retaining unused highly privileged keys. Such security oversights have historically facilitated breaches, as evidenced by incidents like the MGM Resorts data breach in September 2023.

Security problems in container orchestration

Kubernetes environments present another layer of risk. The study notes that 78% of organizations have publicly accessible Kubernetes API servers, with significant portions allowing inbound internet access and unrestricted user control. This lax security posture exacerbates potential vulnerabilities.

Addressing these vulnerabilities demands a comprehensive approach. Organizations should adopt a context-driven security ethos by integrating identity, vulnerability, misconfiguration, and data risk information. This unified strategy allows for precise risk assessment and prioritization. Managing Kubernetes access through adherence to Pod Security Standards and limiting privileged containers is essential, as is the regular audit of credentials and permissions to enforce the principle of least privilege.

Prioritization is key

It is vital to prioritize vulnerability remediation, particularly for areas at high risk. Regular audits and proactive patching can minimize exposure and enhance security resilience. These efforts should be aligned with robust governance, risk, and compliance (GRC) practices, ensuring continuous improvement and adaptability in security protocols.

Cloud security demands a proactive stance, integrating technology, processes, and policies to mitigate risks. Organizations can better protect their cloud infrastructures and safeguard their data assets by evolving from reactive measures to a sustainable security framework, but how the heck do you do this?

Implement strong access control measurees. Regularly audit and review access keys to ensure they are necessary and have the appropriate permission level. Rotate access keys frequently and eliminate unused or unnecessary keys to minimize the risk of unauthorized access.

Enhance identity and access management (IAM). Implement stringent IAM policies that enforce the principle of least privilege. Utilize role-based access controls (RBAC) to ensure that users only have access to the resources they need to perform their job functions.

Conduct regular security audits and penetration testing. Examine cloud environments to identify and address vulnerabilities and misconfigurations before attackers can exploit them. I recommend springing for outside organizations that specialize in this stuff instead of using your own security team. I don’t know how often I have done a post-mortem on a breach and discovered that they have been grading themselves for years. Guess what? They gave themselves an A, and even had that tied to bonuses.

Deploy automated monitoring and response systems. Automated tools provide continuous monitoring and real-time threat detection. Implement systems that can automatically respond to certain types of security incidents to minimize the time between detection and remediation.

Implement Kubernetes best practices. Ensure that Kubernetes API servers are not publicly accessible unless necessary, and limit user permissions to reduce potential attack vectors.

Prioritize vulnerability management. Regularly update and patch all software and cloud services, especially those with high vulnerability priority ratings, to protect against newly discovered weaknesses.

Strengthen governance, risk, and compliance (GRC) frameworks. Continually develop and maintain robust GRC practices to assess and improve the effectiveness of security controls. This should include policy development, risk assessment, compliance tracking, and continuous improvement initiatives.

Train staff on security awareness. Provide ongoing training and awareness programs for all employees to ensure they understand current threats and best practices for maintaining security within cloud environments. As I’ve stated before, most cloud computing security problems are breathing—people are the key here.

The core issue is resources, not the availability of best practices and sound security tools. We have all of the tools and processes we need to be successful, but enterprises are not allocating resources to carry these out effectively. Ask MGM how that works out.

David Linthicum
Contributor

David S. Linthicum is an internationally recognized industry expert and thought leader. Dave has authored 13 books on computing, the latest of which is An Insider’s Guide to Cloud Computing. Dave’s industry experience includes tenures as CTO and CEO of several successful software companies, and upper-level management positions in Fortune 100 companies. He keynotes leading technology conferences on cloud computing, SOA, enterprise application integration, and enterprise architecture. Dave writes the Cloud Computing blog for InfoWorld. His views are his own.

More from this author