Cloud migration is entering its 2.0 phase at a time when cybercrime is at an all-time high, and the vector villains have become extremely sophisticated and well-organised.
Setting the Stage
Although cloud computing first started in the 1960s, it wasn’t until Amazon launched AWS in 2006 that people started talking about the cloud as being something other than white, fluffy wisps in the sky. Even then, companies were slow to adopt the cloud, to some degree because there were insufficient applications available. That is no longer the case.
Cloud adoption has almost doubled in the past three years, in part because the lockdown forced us all to change the way we work.
With nearly 90% of companies around the world already using the cloud to some extent in their businesses, you’d think that cloud migration would be old hat by now, yet cloud usage and security remain hot topics. Why is that?
Despite cloud usage being par for the course in business today, less than half of all organisations are cloud-native, or fully cloud-enabled. For instance, only 60% of corporate data is currently stored in the cloud, and less than 30% of corporate processes reside aloft.
From our partners, we know that nearly 60% of companies are seeking to optimize their cloud use over the next 12 to 18 months, while migrating more workloads to the cloud.
We’ve also seen an increase in companies moving from on-premises software to SaaS, because many of these applications have had time to mature. For these reasons, predictions are that cloud-related services will double over the next year and a half, to reach about $830 billion by 2025.
2024 – A Turning Point
In the face of this rapid growth, increasing numbers of IT specialists are sounding the alarm about the risks inherent in using the cloud.
Why?
It’s a bit of a chicken and egg situation. As more cloud-native applications are developed, and I mean truly useful, robust applications, more and more organisations are adopting cloud solutions. There are two reasons for this. One is that it enables any type of firm to easily, confidently and cost-effectively improve its corporate capabilities. The second is that by using SaaS options, OpEx budgets can be leveraged, rather than adding to capital expenditures.
As more organisations subscribe to cloud-based services, the more these applications proliferate. Unfortunately, this also expands the attack surface, along with vulnerabilities that cyber criminals are increasingly learning to exploit.
About Attack Surface Vulnerabilities
An attack surface is made up of all the different ways a bad actor can gain unauthorized access to any system across the entire organisation. It includes digital and physical entry points.
Physical attack surfaces include all endpoints. The biggest area of vulnerability: unmanaged assets. Typically, these orphans have fewer security controls, and act like beacons for the bad guys. So, threat vectors are programmed to scan networks looking for machines that have lower patch levels, or that are running on ports not accessed by most of the other devices on the network.
Sometimes companies discard hardware without having wiped login credentials or data – and this can also become fodder for cybercriminal activity.
Digital attack surfaces can include applications, vulnerabilities created by poor coding and weak passwords, servers, websites, ports, default operating system settings – and unpatched programs. The latter is especially problematic.
Last year, 28% of all successful breaches were attributed to poor patch management. Unfortunately, cybercriminals are aware of this, and have developed special programs to scan for vulnerable systems so they can exploit security gaps before they are patched.
Today attack surfaces are constantly shifting and expanding – and they are expanding into the cloud, too.
What? Vulnerabilities in the cloud?
Experienced IT people started asking that question some years back, with good reason. Luckily, so did the cloud providers.
Today, for the most part, the major cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud – which provide two-thirds of corporate cloud services, and control 71% of the public cloud market – are pretty secure. Actually, the top eight global cloud providers all take security very seriously.
But… this doesn’t mean they are invincible. In May 2022, 6.5 TB of information belonging to Pegasus Airlines was exposed because of an AWS breach.
On July 11, 2023, Microsoft announced that a group of Chinese hackers known as Storm-0558 gained access to government agency and individual accounts in Europe and the US – and then used the stolen credentials to access other accounts. Although the hole has been patched, it underscores the vulnerability of even the largest cloud providers.
Does that mean corporations should feel secure, if they use one of the top eight providers?
Sadly, no. Companies are far less likely to encounter security problems with a major provider, but too many companies have become complacent when using the cloud, expecting the cloud provider to be fully responsible for security.
In actual fact, the onus is on the individual companies to protect their perimeters.
Unfortunately, most of the cloud-related problems stem from improper or inadequate security practices on the part of the users.
Greatest Areas of Vulnerability – and What You Can Do
For those of you actively involved in your company’s coding, it’s a good idea to check if your credentials have been hardcoded into your source control management systems. Unit 42 recently surveyed thousands of organisations around the globe and found this to be the case for 83% of firms.
This is a huge vulnerability because these kinds of credentials can be used by cloud-centric cybercriminals to move laterally and vertically within the organisation. For this reason, cybercrooks quickly learn, or are taught, to ferret out susceptible cloud environments. Thankfully, this weakness is relatively easy to shore up.
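One way to run the check described above is a small scanner over repository files. This is an added example, not code from the original article; the rule set, the entropy threshold and the sample files are assumptions constructed for illustration, and the key ID is the placeholder used in AWS documentation.

```python
import math
import re

# Rules: (name, pattern). The generic rule matches a quoted literal assigned to
# a credential-like name; lookups such as os.environ[...] do not match.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential-literal", re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

def shannon_entropy(value):
    """Bits per character; low values indicate placeholders such as 'xxxxxxxx'."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_text(path, text, min_entropy=3.0):
    """Return (path, line_number, rule_name) for each suspected hardcoded credential.
    The matched value is deliberately left out so the report does not leak it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            # For the generic rule, drop low-entropy placeholders to cut noise.
            if name == "credential-literal" and shannon_entropy(match.group(1)) < min_entropy:
                continue
            findings.append((path, line_no, name))
    return findings

# Constructed sample files (assumption); no real credentials appear here.
SAMPLE_FILES = {
    "deploy/settings.py": (
        'import os\n'
        'AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'db_password = "Tr7!qPz9#LmX2v"\n'
        'api_token = os.environ["API_TOKEN"]\n'
        'smtp_password = "xxxxxxxxxxxx"\n'
    ),
    "README.md": "Set the password in your secrets manager, not in code.\n",
}

def scan_files(files):
    """Scan a {path: text} mapping and return all findings in file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for path, line_no, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {rule}")
```

Any credential the scan finds should be rotated as well as removed, since it remains in the repository history.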
Another big problem is improperly configured cloud environments.
In fact, nearly two thirds of cloud security incidents in 2022 and 2023 were the result of misconfigurations related to permissions granted to individuals or groups – most being granted far too much latitude. For this reason, Identity and Access Management (IAM) is crucial so that administrators can determine which users should be authorized to modify or otherwise engage with specific resources.
Some Identity and Access Management Approaches
It’s critical enough that it bears repeating: Investigations by multiple partners indicate that a major problem is providing too much access, to too many people. In fact, research suggests that 99% of cloud identities are overly-permissive.
At the very least, administrator and user credentials should be separated, and access within the cloud should be limited/restricted based on functional roles, following the “Least Privilege” guidelines, which are considered “best practice” today.
Using the Principle of Least Privilege (PoLP), users only have access to the specific resources, applications and data they need to perform the specific tasks associated with their role in the company.
Unfortunately, in the vast majority of organisations, permissions related to cloud access and usage often exceed what’s needed for the user’s position. By restricting access, you also limit where a threat vector can go if an individual’s credentials are compromised. Using this approach helps organisations reduce their attack surface and improve their security posture.
It’s also important to ensure that all identities are de-provisioned when they are no longer needed, and/or the stakeholder is no longer associated with the company.
To make this process more efficient and effective, it’s good to centralize the management of user credentials. This is sometimes referred to as centralized IAM.
The Role of MFA in the Cloud
Multi-Factor Authentication (MFA) is an excellent first line of defence, and not just for helping to protect corporate networks and endpoints.
Unfortunately, MFA is not routinely enforced for cloud users. Approximately three quarters of organisations do not have MFA on their consoles, and… console access is more susceptible to brute-force attacks. Indeed, such attacks are still responsible for 10% of successful breaches.
Additionally, over half of all firms do not require MFA for their system administrators, something else cybercriminals know and try to exploit.
As a starting point, it is highly recommended that MFA software, such as Duo, be adopted for all remote access. Research shows that 89% of organisations that fell victim to hackers through compromised emails, had no MFA protection on key Internet-facing systems, including their VPNs.
It is also important to implement MFA internally, so that the user needs to be verified each time he, she or they move to a system or platform with a different trust level, based on the company’s permission policies. This will provide you with a layered defence, making it harder for threat vectors to successfully worm their way too deeply into your network – especially if you implement a Least Privilege approach.
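The Least Privilege and administrator-MFA points above can be checked mechanically against policy documents. This is an added example, not code from the original article: it assumes AWS IAM JSON policy syntax, and the policy names and ARNs are constructed. It flags Allow statements with wildcard actions and notes when such broad access is not gated on MFA.

```python
import json

def _as_list(value):
    """IAM accepts either one string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def requires_mfa(stmt):
    """True only for a plain Bool test; BoolIfExists also passes when the key is absent."""
    bool_block = stmt.get("Condition", {}).get("Bool", {})
    return str(bool_block.get("aws:MultiFactorAuthPresent", "")).lower() == "true"

def audit_policy(name, policy):
    """Return (policy, statement_index, issue) for each over-permissive Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if not broad:
            continue
        if "*" in actions and "*" in resources:
            findings.append((name, idx, "full-admin"))
        elif "*" in resources:
            findings.append((name, idx, "service-wildcard-on-all-resources"))
        else:
            findings.append((name, idx, "service-wildcard"))
        if not requires_mfa(stmt):
            findings.append((name, idx, "broad-access-without-mfa"))
    return findings

# Constructed policies in AWS IAM JSON policy syntax (assumption); names and ARNs are made up.
SAMPLE_POLICIES = json.loads("""
{
  "dev-team": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
  "report-reader": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*"}]},
  "ops-admin": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
}
""")

def audit_all(policies):
    return [f for name, doc in policies.items() for f in audit_policy(name, doc)]

if __name__ == "__main__":
    for policy, idx, issue in audit_all(SAMPLE_POLICIES):
        print(f"{policy} statement {idx}: {issue}")
```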
Cybercriminals who focus on cloud penetration follow a different set of tactics, techniques and procedures, targeting cloud vulnerabilities and then determining how to hop, skip and jump from one system to another, moving laterally and vertically within the network.
What Can You Do to Protect Your Cloud, Edge, Networks and Endpoints?
- Use MFA (e.g. Duo) on all users and administrators, on every portal, credentials, workstation, server, etc.
- Have fully automated back-ups, with redundancies, of data, network and configurations.
- Develop comprehensive breach response and business continuity plans, and practice them routinely.
- Develop Disaster Recovery Protocols and test them regularly with a full back-up from scratch.
- Set privacy policies with centralized IAM and adopt a “Least Privilege” approach.
- Introduce a 3rd generation route with tools to prevent Darkweb or Tailscale networks from connecting to or from your network.
- Conduct a security audit and on-going pen testing.
- Institute Darkweb and cybercrime awareness training for all employees and stakeholders accessing the network.
- Install an organisational password management tool.
- Install antivirus protection such as Cisco’s AMP on all endpoints (yes, even on Macs).
- Implement EDR (equipment IT security threat detection) on all devices.
- Review your cyberinsurance policy and ensure you remain compliant.
By implementing these relatively simple steps, organisations have a pretty good chance of staying at least one step ahead of the cybercriminals.
If you would like more information, please contact us at [email protected] or call us at 416.429.0796 or 1.877.238.9944 (toll free).