We all know that our clouds are under constant attack, but what Forrester Consulting found in a survey of 154 cloud security decision-makers for Amazon Web Services (AWS) and Sonrai Security, a public cloud security company. Ow!
In the study, "Identity Controls Are Central to Enterprise Plans for Cloud Security," of those, 98% of attacks involved identity-related security challenges. According to Sonrai, these problems aren’t with people’s identities, but with all the system and service identities used to run cloud applications. So it is that “cloud decision-makers struggle with overly complex access control policies, a dispersed view of cloud platform identities, and over-privileged cloud admin users.”
These non-people identities include bots, serverless functions, infrastructure as code, and compute resources. And with every new technology come new, unique identities with their own set of risks. As Eric Kedrosky, Sonrai’s CISO, observed,
“Due to digital transformation, there are far more non-person identities than personal identities, which means your risk profile is increasing, often in ways and areas unknown to you.”
The survey’s respondents agreed. Over half, 56%, said identities not attached to individuals are out of control in the cloud. As a result, 82% said they expect to have invested in new identity and access management (IAM) tools to address this issue by 2023. 74% went so far as to say that cloud migration requires a different IAM approach.
So what can you do about it? Kedrosky agrees with the respondents that machine learning, automation, and DevOps integration are key to addressing security issues. As for IAM specifically, he believes that to get the true risk picture of their public cloud, organizations require context beyond just the identities themselves. That means connecting identities with business data and overall platform risk through Continuous Cloud Security Posture Management (CSPM) and workload security. For this to be really effective, it needs to be deployed using intelligent workflows and automation, so it moves at the cloud’s speed and scale.
Additional Sore Points
While identity is a real cloud security sore point, it’s not the only one. Others included:
- More than half of the respondents had been victims of internal incidents targeting their clouds.
- 49% said they had suffered attacks involving business partners or third-party suppliers.
- Another 49% reported data loss because of cloud misconfigurations.
- 49% reported having to deal with external attacks.
Behind these specific security problems are more general ones. These include legacy tools that don’t integrate well with the cloud (45%); overly complicated access control policies (40%); regulatory compliance issues (40%); and over-privileged users (40%).
All in all, let’s be honest about it: cloud security is a mess. Really, it’s no wonder that almost everyone has had cloud security problems.
Behind all this is a simple truth: cloud admins and developers have almost no cloud security skills. Until they gain the necessary expertise with automated tools designed to manage cloud-level security issues, we will always face significant cloud security problems.