The convenience and ease of public cloud technology have changed our world, enabling scalable business operations, work-from-anywhere, and increased productivity everywhere. As public cloud adoption continues to accelerate, organizations need to hold up their end of the shared responsibility model to protect against cloud security threats. Meanwhile, leaders undertaking cloud transformation or expansion must continue to weigh cost and performance trade-offs between security, operability, control, implementation, and customization.

According to research by Venafi, 81% of organizations have experienced a public cloud-related security incident in the past year, with 45% indicating they suffered four or more incidents. This highlights a key problem; many organizations are still using legacy network-based security technologies to protect cloud environments. Legacy solutions don’t translate well into cloud environments, which are elastic, loosely coupled to infrastructure, and do not have a static perimeter. Securing business in the cloud requires an entirely new approach, one that reestablishes holistic visibility and granular control across the environment.

Under the current directive, cloud security and compliance are shared responsibilities between the cloud service provider (CSP) and the customer. This is known as the Shared Responsibility Model. While CSPs provide security for the cloud service and hosting infrastructure, the customer is responsible for managing security policies, access, and data protection within the cloud. Understanding the shared responsibility model and proper account configuration is important for helping enterprises align and effectively implement the right compliance and security policies.

To support organizations in the mission to protect their cloud environments, Zscaler ThreatLabz researchers analyze cloud workload statistics from the world’s largest security data set, which is built off of over 260 billion daily transactions across the Zscaler platform. For a quick look back, check out the 2020 and 2021 reports. The following findings of this year's report provide a summary look at the state of cloud security in 2022 and its various related challenges. 

 

Cloud threat insights

55.1% of organizations leverage more than a single cloud provider and 66.7% of organizations have public cloud storage buckets. However, from widespread misconfigurations to supply chain threats, the risks around using cloud technology are still slowly being realized and calculated by many organizations as they experience related attacks. This section covers key findings around the top five types of cloud threats, including misconfigurations, vulnerabilities, compromised accounts, supply chain attacks, and ransomware. 

 

Misconfigurations

98.6% of organizations have misconfigurations in their cloud environments that cause critical risks to data and infrastructure. This is concerning because high-profile data breaches reveal the majority of cyberattacks on public cloud instances are due to misconfigurations rather than vulnerabilities. Managing and eliminating misconfigurations is critical to reduce the risk of attack. While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability that the threat actors can exploit to access cloud data and services. Cloud misconfiguration errors related to public access to storage buckets, account permissions, password storage and management, unencrypted data stores, etc., have led to numerous data breaches and the exposure of billions of records.

 

Vulnerabilities

17.4% of organizations are running workloads on vulnerable virtual machine compute instances exposed to the internet that could lead to critical data leaks. The identification of vulnerabilities like Log4j opens up the doors for threat actors to rapidly build exploits and search for exposed devices, sites, apps, and cloud instances they can attack. For many organizations patching systems against new vulnerabilities is still a large challenge as they grapple with uncovering all the places where these vulnerabilities may exist in their environments. While 17.4% may seem like a small percentage of exposure, it is highly likely that all of these vulnerable instances can, and will, be discovered by hackers running automated scans across the internet. That’s why it’s critical that security teams prioritize understanding how cloud vulnerabilities propagate and develop a strong security strategy designed to continuously help identify and close the gaps.

 

Compromised accounts

97.1% of organizations use privileged user access controls without MFA enforcement. When it comes to cloud threats, gaining privileged account access can enable hackers to bypass detection and launch a myriad of attacks, yet many organizations still don’t properly limit the privileges or access of servicing users and accounts or enforce MFA verification. With about 25% of breaches being initiated by a phishing attack, and the sophistication of these scams growing harder to detect, it is critical to ramp up access controls and MFA enforcement to protect sensitive data, applications, and workloads kept in the cloud. Malicious insiders, such as disgruntled employees and planted threat actors, can also wreak havoc before they are discovered, and compounding the problem, ransomware gangs have taken to offering payouts in the millions of dollars to users that give them privileged access to targeted organizations. While MFA might not stop these bad actors, applying the principles of zero trust and limiting what actions privileged account holders can perform is key to reducing risk. The following findings suggest that updating access controls to mitigate the threat of compromised cloud accounts should be high on the priority list for security leaders in 2023:

• 84.1% of organizations give IAM power users administrative privileges without MFA enforcement.
• 43.5% of organizations with instances that are exposed to the internet and have identities with data access (S3/storage/RDS)
• 57.8% of organizations utilizing serverless AWS Lambada services violate the least-privileged access principle by assigning users over-privileged roles to the environment.
• 92.8% of organizations are using Lambada serverless offerings from AWS and 53.6% of these orgs have set up escalated identity and access privileged to these functions. Serverless architecture enables organizations to build and run applications and services while AWS provides the overhead of managing the server infrastructure. While this approach is extremely convenient, it also introduces significant security risks.

 

Supply chain attacks

68% of organizations have external users (from outside the organization, via role delegation or guest users) with admin permissions to the cloud environment; which leads to a governance challenge and increased risk of data exfiltration and exploits. More specifically, 75.4% of organizations with AWS accounts for external identities—including managing contractors and integrations—do not apply strict access controls to limit the permissions and activities that these admin/supers user-level accounts can perform. As organizations continue to migrate to the cloud, reliance on third parties, partners, and integrations increases, which in turn exacerbates the risk of compromising software supply chain attacks. A major aspect of this problem comes from the use of cloud-based builders and code versioning services to expedite the development process across vendors. Unfortunately, shared access to cloud development tools introduces more risk that attackers may gain unauthorized access to CI/CD pipelines and add backdoors, malware, and other threats directly into the software code before it is delivered to customers. Additionally, it is much easier for hackers to find errors and vulnerabilities they can exploit in other ways when they have access to a software’s code. 

17.4% of organizations with instances exposed to the internet run a vulnerable cloud image and do not properly restrict user accounts data storage access privileges. In large cloud-based environments, it is common to find the use of automation for setting up infrastructure using an Infrastructure as Code (IaC) platform and configuration files (config files) provided by a cloud vendor or another third party. If a main configuration contains a key vulnerability or risk, like insecure access control settings, the risks will flow downstream into all subsequent use environments, potentially even for on-premises development environments.

According to a Proofpoint study, 58% of organizations indicated that one or more third-party affiliates or suppliers were the target of a cloud breach in 2022. If cloud security does not extend to the supply chain and access continues to go unchecked, the number of cloud breaches from supply chain attacks will only increase.

 

Ransomware

59.4% of organizations do not apply basic ransomware controls for cloud storage like MFA Delete and versioning. Amazon S3 Versioning enables multiple object variants to be kept in the same bucket so that when a file is modified both copies are saved for future recovery, comparison, and fidelity verification. Unfortunately, S3 Versioning is not enough on its own because an attacker can disable the configuration and overwrite/delete any existing versions that are in the bucket. To combat this, AWS offers MFA Delete, an S3 bucket feature that requires multi-factor authentication for deletion. Having MFA Delete enabled forces users to authenticate before changing or disabling the versioning state of the specified S3 bucket and prior to permanently deleting object versions. Although preventive measures like the S3 examples outlined above are critical for stopping ransomware threat actors from modifying cloud storage containers, they can be expensive and cost prohibitive for organizations to implement.

 

Cloud security best practices

From one organization to the next, no two cloud environments look the same. Your needs and procedures will differ by industry, geography, and your specific single-, multi-, or hybrid-cloud architecture. That being said, a few general best practices hold true in any environment:

• Take responsibility for configuring and maintaining your own environment. While cloud environments are covered under a shared responsibility for security with the service provider, the proper configuration of these environments is the responsibility of the consumers. A cloud security posture management (CSPM) service can help identify misconfigurations, and coupled with cloud infrastructure entitlement management (CIEM), it can be used to identify permission issues and act as a logical progression from long-established identity and access management (IAM) and privilege access management (PAM) solutions built on least-privileged approaches.
• Encrypt what you can, and inspect all encrypted traffic. Encryption is a powerful way to protect sensitive traffic, but it’s an equally devious—and extremely common—way for threats to sneak into your systems. Strong encryption and inspection capabilities will protect you in both directions.
• Log and monitor access and traffic. Besides maintaining visibility as part of a zero trust deployment, incident response activities require comprehensive logging across all assets and services.
• Monitor and audit configurations for all your clouds and data centers. Most misconfigurations stem from user error, and they’re the leading cause of cloud vulnerabilities. Relying on automation, rather than manual management, is an effective way to keep configurations in check.
• Run regular vulnerability scans to identify weak points. Use an automated solution built to triage your vulnerabilities by risk profile. This way, your teams don’t have to waste time fixing issues that don’t pose any real danger.
• Apply security patches as promptly as possible. The time between a patch release and your update can be a window of opportunity for attacks. Besides taking advantage of misconfigurations, most malware are able to take hold because of unpatched vulnerabilities. Choosing cloud services where the shared responsibility of patching rests with the CSP completely eliminates this threat vector in cloud services.
• Enforce zero trust security. The tenets of zero trust, built on least-privileged access and strong authentication, are critical protection in our digital age, where data, applications, and users can be anywhere and everywhere. To secure the cloud now and in the future, it is imperative that organizations hide applications behind a proxy, limit privileged access, and broker 1:1 connections between users and applications with Zero Trust Network Access (ZTNA).
• Have a tested response plan in place in the event of a breach. Separating your backup storage from the original data source helps avoid a single point of failure and speeds up remediation. 
• Secure your endpoints, including mobile and IoT devices. Cloud computing has changed enterprise security immeasurably, but endpoints remain the weakest link in the chain. With mobile and IoT data so vulnerable, it’s critical to protect the cloud data traveling through and between these endpoints.

 

Secure your cloud with Zscaler

Zscaler secures your cloud environment with a cloud native zero trust architecture through Zscaler Private Access (ZPA), part of the Zscaler Zero Trust Exchange platform. As the world’s most deployed ZTNA platform, ZPA applies the principle of least privilege to give users secure, direct connectivity to private apps while eliminating unauthorized access and lateral movement.

Our leading ZTNA platform offers you:

• Peerless security, beyond legacy VPNs and firewalls: Users connect directly to apps—not the network—minimizing the attack surface and eliminating lateral movement.
• The end of private app compromise: First-of-its-kind app protection, with inline prevention, deception, and threat isolation, minimizes the risk of compromised users.
• Superior productivity for today's hybrid workforce: Lightning-fast access to private apps extends seamlessly across remote users, HQ, branch offices, and third-party partners.
• Unified ZTNA platform for users, workloads & OT/IoT: Securely connect to private apps, services, and OT/IoT devices with the industry’s most comprehensive ZTNA platform.

Zscaler for Workloads provides comprehensive protection for workloads in multicloud environments, including on-premises data centers. Zscaler Posture Control secures your cloud native applications from build, deploy, to runtime and includes:

• Cloud security posture management (CSPM): Improve your overall security and compliance posture with a unified platform that identifies and remediates cloud misconfigurations and vulnerabilities across all major public cloud providers.
• Cloud infrastructure entitlement management (CIEM): Manage cloud risk by identifying and minimizing excessive privileges in public cloud services.
• Cloud data loss prevention (DLP): Protect sensitive data and secrets and significantly improve risk prioritization with greater understanding of impact for public cloud risks.

Additionally, Zscaler Workload Communications (ZWC) protects all your cloud workload traffic—north-south and east-west—to prevent the spread of malware across your cloud infrastructure. Because ZWC is a unified solution that provides orchestration across all major cloud providers, it offers both consistent security and simpler operations. Companies should expand zero trust to the cloud as they do with people. This trust can go as broad as the communication between VPCs to as granular as communication between applications.

 

Your next step

Uncover critical risks across your entire public cloud environment with Zscaler’s Cloud Security Risk Assessment. Get a complete cloud asset inventory, a clear picture of your public cloud security risks, an overview of how you are meeting compliance benchmarks, and actionable remediation guidance.