The Cloud Is Under Attack. How Do You Secure It?
What’s great about building for and deploying to the cloud? Scale.
“And B, You can scale to crazy levels really quickly — as long as you’ve got a big enough credit card to keep adding on the infrastructure.”
But what also makes building for and deploying to the cloud so dangerous? Scale.
If a developer makes a mistake in building an application and deploys it to the cloud, Zaitsev noted, “Now I’ve just introduced that same mistake a million times over and there may not be any other teams, departments, processes, limiting factors getting in my way that stopped me from doing a bad thing that I didn’t realize.”
No wonder then that attacks focused on the cloud nearly tripled from 2021 to 2022, according to the latest Cloud Risk Report from CrowdStrike.
In this episode of Makers, Zaitsev spoke to TNS host Heather Joslyn about the growing problem of cloud-focused attacks, the challenges involved in protecting against those attacks and some best practices that can help.
The Rise of Cloud Native Attackers
A big challenge in securing the cloud is that it’s so new: Amazon only introduced the first public cloud in 2006, and many organizations, even those that have moved fully to the cloud, are still learning about it.
However, Zaitsev said, the cloud native generation — both within and outside of organizations — is coming of age: ”We’ve got this new generation of adversaries that are coming up, and they totally get the cloud. And they implicitly understand what those risks are.”
For these bad actors, the advantage in attacking a cloud is — you guessed it — scale.
“If there’s an issue in one place, it might be scaled up to many, many systems,” he said. “That’s actually the preferred attack vector, because they know if they find an issue that they’re comfortable exploiting, they can actually much more rapidly achieve their actions or objective, cause damage, make financial gains on their side, cause pain to the end user, etc.”
Cultural issues within an organization — tension between security professionals who are “paid to be paranoid,” as Zaitsev said, and developers who are incentivized to build quickly — can make it harder to protect the cloud.
Another big challenge is that attacks have gotten harder to detect as attackers grow more sophisticated. Stealing credentials is a common way attacks start. Said Zaitsev, “Typically, what they want to do, or the most effective way for them to penetrate an organization is to pretend to be you.”
Hard-Coded Credentials: an ‘Unforced Error’
What are some of the best practices to protect your clouds? Adopting the principle of least privilege should be a cornerstone of your strategy, our podcast guest said, and running regular evaluations of who has access and to what.
“Organizations need to be regularly doing this kind of ongoing hygiene and assessment, looking at all the accounts, the credentials that they’ve created in their environment,” Zaitsev said. “And doing that regular assessment of, is this really what they need? Can I dial it back a little bit and be a bit more secure?”
He also reminded listeners to avoid hard-coding credentials into their systems. “There’s almost never a good reason to do it,” Zaitsev said. “Other than it being quicker and cheaper and lazier. It’s definitely an unforced error that you can avoid.
Listen to the full episode for more on best practices to avoid cloud-focused attacks, including the importance of runtime security and avoiding misconfigurations.