The convenience and ease of public cloud technology have changed our world, enabling scalable business operations, work-from-anywhere, and increased productivity everywhere. As public cloud adoption continues to accelerate, organizations need to hold up their end of the shared responsibility model to protect against cloud security threats. Meanwhile, leaders undertaking cloud transformation or expansion must continue to weigh cost and performance trade-offs between security, operability, control, implementation, and customization.
According to research by Venafi, 81% of organizations have experienced a public cloud-related security incident in the past year, with 45% indicating they suffered four or more incidents. This highlights a key problem: many organizations are still using legacy network-based security technologies to protect cloud environments. Legacy solutions don’t translate well into cloud environments, which are elastic, loosely coupled to infrastructure, and have no static perimeter. Securing business in the cloud requires an entirely new approach, one that reestablishes holistic visibility and granular control across the environment.
In the public cloud, security and compliance are shared responsibilities between the cloud service provider (CSP) and the customer. This is known as the Shared Responsibility Model. While CSPs provide security for the cloud service and hosting infrastructure, the customer is responsible for managing security policies, access, and data protection within the cloud. Understanding the shared responsibility model and proper account configuration is important for helping enterprises align and effectively implement the right compliance and security policies.
To support organizations in the mission to protect their cloud environments, Zscaler ThreatLabz researchers analyze cloud workload statistics from the world’s largest security data set, which is built from over 260 billion daily transactions across the Zscaler platform. For a quick look back, check out the 2020 and 2021 reports. The following findings from this year's report provide a summary look at the state of cloud security in 2022 and its related challenges.
55.1% of organizations leverage more than a single cloud provider and 66.7% of organizations have public cloud storage buckets. However, from widespread misconfigurations to supply chain threats, the risks around using cloud technology are still slowly being realized and calculated by many organizations as they experience related attacks. This section covers key findings around the top five types of cloud threats, including misconfigurations, vulnerabilities, compromised accounts, supply chain attacks, and ransomware.
98.6% of organizations have misconfigurations in their cloud environments that cause critical risks to data and infrastructure. This is concerning because high-profile data breaches reveal that the majority of cyberattacks on public cloud instances are due to misconfigurations rather than vulnerabilities. Managing and eliminating misconfigurations is critical to reducing the risk of attack. While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability that threat actors can exploit to access cloud data and services. Cloud misconfiguration errors related to public access to storage buckets, account permissions, password storage and management, unencrypted data stores, etc., have led to numerous data breaches and the exposure of billions of records.
17.4% of organizations are running workloads on vulnerable virtual machine compute instances exposed to the internet that could lead to critical data leaks. The identification of vulnerabilities like Log4j opens the door for threat actors to rapidly build exploits and search for exposed devices, sites, apps, and cloud instances they can attack. For many organizations, patching systems against new vulnerabilities is still a large challenge as they grapple with uncovering all the places where these vulnerabilities may exist in their environments. While 17.4% may seem like a small percentage of exposure, it is highly likely that all of these vulnerable instances can, and will, be discovered by hackers running automated scans across the internet. That’s why it’s critical that security teams prioritize understanding how cloud vulnerabilities propagate and develop a strong security strategy designed to continuously identify and close the gaps.
97.1% of organizations use privileged user access controls without MFA enforcement. When it comes to cloud threats, gaining privileged account access can enable hackers to bypass detection and launch a myriad of attacks, yet many organizations still don’t properly limit the privileges or access of service users and accounts or enforce MFA verification. With about 25% of breaches being initiated by a phishing attack, and these scams growing more sophisticated and harder to detect, it is critical to ramp up access controls and MFA enforcement to protect sensitive data, applications, and workloads kept in the cloud. Malicious insiders, such as disgruntled employees and planted threat actors, can also wreak havoc before they are discovered, and compounding the problem, ransomware gangs have taken to offering payouts in the millions of dollars to users who give them privileged access to targeted organizations. While MFA might not stop these bad actors, applying the principles of zero trust and limiting what actions privileged account holders can perform is key to reducing risk. The following findings suggest that updating access controls to mitigate the threat of compromised cloud accounts should be high on the priority list for security leaders in 2023:
68% of organizations have external users (from outside the organization, via role delegation or guest users) with admin permissions to the cloud environment, which creates a governance challenge and an increased risk of data exfiltration and exploits. More specifically, 75.4% of organizations with AWS accounts for external identities—including managing contractors and integrations—do not apply strict access controls to limit the permissions and activities that these admin/superuser-level accounts can perform. As organizations continue to migrate to the cloud, reliance on third parties, partners, and integrations increases, which in turn exacerbates the risk of software supply chain attacks. A major aspect of this problem comes from the use of cloud-based build and code versioning services to expedite the development process across vendors. Unfortunately, shared access to cloud development tools introduces more risk that attackers may gain unauthorized access to CI/CD pipelines and add backdoors, malware, and other threats directly into the software code before it is delivered to customers. Additionally, it is much easier for hackers to find errors and vulnerabilities they can exploit in other ways when they have access to the software’s source code.
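One way to audit the external-identity problem described above is to scan IAM role trust policies for statements that let an outside account assume the role without an MFA or ExternalId condition. This is an added example, not code from the report; the policies are constructed, and the account id 111122223333 is a placeholder for the auditing organization's own account.

```python
"""Flag IAM role trust policies that let an external AWS account (or anyone)
assume the role without MFA or an ExternalId. Added example, not the report's
code; policies below are constructed and 111122223333 stands in for our account."""
import json

OUR_ACCOUNT = "111122223333"  # placeholder for the auditing account (assumption)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_accounts(principal):
    """Account ids (or '*') named in a statement's Principal element."""
    if principal == "*":
        return ["*"]
    out = []
    for p in _as_list(principal.get("AWS", [])):
        # ARN form arn:aws:iam::<account>:root|user/...|role/... or a bare account id
        out.append(p.split(":")[4] if p.startswith("arn:aws:iam::") else p)
    return out


def _condition_keys(condition):
    """Lower-cased condition keys across all operators (StringEquals, Bool, ...)."""
    return {k.lower() for vals in condition.values() for k in vals}


def trust_policy_findings(policy):
    """One finding per Allow statement that grants sts:AssumeRole to a principal
    outside OUR_ACCOUNT without an MFA or ExternalId condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        external = [a for a in _principal_accounts(stmt.get("Principal", {})) if a != OUR_ACCOUNT]
        keys = _condition_keys(stmt.get("Condition", {}))
        if external and not keys & {"aws:multifactorauthpresent", "sts:externalid"}:
            findings.append(f"statement {i}: {external} may assume role without MFA/ExternalId")
    return findings


# Constructed samples: a contractor account trusted with no conditions vs. with an ExternalId.
UNRESTRICTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999988887777:root"}, "Action": "sts:AssumeRole"}]}
RESTRICTED = json.loads(json.dumps(UNRESTRICTED))
RESTRICTED["Statement"][0]["Condition"] = {"StringEquals": {"sts:ExternalId": "example-id"}}

if __name__ == "__main__":
    for name, pol in (("unrestricted", UNRESTRICTED), ("restricted", RESTRICTED)):
        print(name, trust_policy_findings(pol) or "OK")
```

In a live audit the policy dicts would come from `iam.get_role()["Role"]["AssumeRolePolicyDocument"]` for each role; the checker itself needs no AWS access.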
17.4% of organizations with instances exposed to the internet run a vulnerable cloud image and do not properly restrict user accounts' data storage access privileges. In large cloud-based environments, it is common to find the use of automation for setting up infrastructure using an Infrastructure as Code (IaC) platform and configuration files (config files) provided by a cloud vendor or another third party. If a base configuration contains a key vulnerability or risk, like insecure access control settings, the risks will flow downstream into all subsequent environments built from it, potentially even into on-premises development environments.
According to a Proofpoint study, 58% of organizations indicated that one or more third-party affiliates or suppliers were the target of a cloud breach in 2022. If cloud security does not extend to the supply chain and access continues to go unchecked, the number of cloud breaches from supply chain attacks will only increase.
59.4% of organizations do not apply basic ransomware controls for cloud storage like MFA Delete and versioning. Amazon S3 Versioning enables multiple object variants to be kept in the same bucket so that when an object is modified, both copies are kept for future recovery, comparison, and fidelity verification. Unfortunately, S3 Versioning is not enough on its own because an attacker can disable the configuration and overwrite/delete any existing versions that are in the bucket. To combat this, AWS offers MFA Delete, an S3 bucket feature that requires multi-factor authentication for deletion. Having MFA Delete enabled forces users to authenticate before changing or disabling the versioning state of the specified S3 bucket and prior to permanently deleting object versions. Although preventive measures like the S3 examples outlined above are critical for stopping ransomware threat actors from modifying cloud storage containers, they can be expensive and cost-prohibitive for organizations to implement.
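The two controls above can be checked from the response of boto3's `get_bucket_versioning()`. The following is an added example, not code from the report: the sample responses are constructed, and the live section under `__main__` assumes boto3 and AWS credentials are available.

```python
"""Check S3 buckets for versioning and MFA Delete, using the response shape of
boto3's get_bucket_versioning(). Added example, not from the report;
SAMPLE_RESPONSES are constructed."""


def bucket_findings(name, versioning):
    """versioning is the dict s3.get_bucket_versioning(Bucket=name) returns:
    'Status' is 'Enabled'/'Suspended' or absent (never versioned);
    'MFADelete' is 'Enabled'/'Disabled' or absent (never configured)."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append(f"{name}: versioning is {versioning.get('Status', 'not configured')}; "
                        "overwritten or deleted objects cannot be recovered")
    if versioning.get("MFADelete") != "Enabled":
        findings.append(f"{name}: MFA Delete is {versioning.get('MFADelete', 'not configured')}; "
                        "API credentials alone can suspend versioning and purge old versions")
    return findings


def audit(responses):
    """Map bucket name -> findings for a dict of bucket -> versioning response;
    buckets with both controls enabled are omitted."""
    result = {}
    for name, resp in responses.items():
        f = bucket_findings(name, resp)
        if f:
            result[name] = f
    return result


# Constructed responses: one hardened bucket, one versioned-only, one never versioned.
SAMPLE_RESPONSES = {
    "backups-hardened": {"Status": "Enabled", "MFADelete": "Enabled"},
    "backups-versioned": {"Status": "Enabled"},
    "logs-unversioned": {},
}

if __name__ == "__main__":
    import boto3  # live run against the account (assumes credentials are configured)
    # Remediation is done with root credentials plus the MFA device, per AWS docs:
    # aws s3api put-bucket-versioning --bucket B \
    #   --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<mfa-arn> <code>"
    s3 = boto3.client("s3")
    live = {b["Name"]: s3.get_bucket_versioning(Bucket=b["Name"])
            for b in s3.list_buckets()["Buckets"]}
    for name, fs in audit(live).items():
        print("\n".join(fs))
```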
From one organization to the next, no two cloud environments look the same. Your needs and procedures will differ by industry, geography, and your specific single-, multi-, or hybrid-cloud architecture. That being said, a few general best practices hold true in any environment:
Zscaler secures your cloud environment with a cloud native zero trust architecture through Zscaler Private Access (ZPA), part of the Zscaler Zero Trust Exchange platform. As the world’s most deployed ZTNA platform, ZPA applies the principle of least privilege to give users secure, direct connectivity to private apps while eliminating unauthorized access and lateral movement.
Our leading ZTNA platform offers you:
Zscaler for Workloads provides comprehensive protection for workloads in multicloud environments, including on-premises data centers. Zscaler Posture Control secures your cloud native applications from build and deploy through runtime and includes:
Additionally, Zscaler Workload Communications (ZWC) protects all your cloud workload traffic—north-south and east-west—to prevent the spread of malware across your cloud infrastructure. Because ZWC is a unified solution that provides orchestration across all major cloud providers, it offers both consistent security and simpler operations. Companies should extend zero trust to workloads in the cloud as they do with people. Enforcement can be as broad as communication between VPCs or as granular as communication between individual applications.
Uncover critical risks across your entire public cloud environment with Zscaler’s Cloud Security Risk Assessment. Get a complete cloud asset inventory, a clear picture of your public cloud security risks, an overview of how you are meeting compliance benchmarks, and actionable remediation guidance.