Top cloud vulnerabilities for 2022

The popularity of cloud computing has grown exponentially in recent years, reducing costs, improving availability of service, and driving collaboration. With increased access and infrastructure being hosted on public-facing, shared platforms, come security challenges that cannot be met using outdated controls from traditional data centers. Cloud vulnerabilities take many forms, and it has never been more important for organizations to secure their accounts, subscriptions, VPCs, access control lists, and security groups from threats.

Wiz Experts Team

Misconfigured IAM

Vulnerabilities are commonly caused by the misconfiguration of cloud resources, with consequences being particularly severe when it comes to Identity and Access Management (IAM). Any breach of a user account or security principal can result in a malicious actor accessing multiple systems, or even your cloud account itself.

IAM is notoriously complex, and is noted in Verizon’s 2021 Data Breach Investigations Report as being responsible for 61% of analyzed breaches. The good news is a few simple steps can improve your security posture:

  • Practice the principle of least privilege: Grant only the minimum permissions necessary to complete a task. It is always easier to grant access than to take it away.

  • Create a password policy: Mandate complex passwords and regular password changes.

  • Store passwords securely: If you use a password manager, be sure to encrypt it and store it somewhere inaccessible to others.

  • Set up alerts on your IAM: Ensure you're notified of any change in policy.

  • Use Multi-Factor Authentication (MFA): Raise the bar of entry to your cloud assets with MFA.
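The least-privilege and MFA steps above can be checked mechanically. The following is an added example, not code from the original article: it assumes policies written in the AWS IAM JSON policy grammar, and the sample policy, statement names, and finding labels are constructed for illustration.

```python
import json

# Constructed sample policy in the AWS IAM JSON grammar (not from the article).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::example-reports/*"},
  {"Sid": "ManageUsers", "Effect": "Allow",
   "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
  {"Sid": "WideS3", "Effect": "Allow", "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-reports/*"}
]}""")

def _as_list(value):
    """Action, Resource and Statement may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _requires_mfa(stmt):
    """True only for a strict Bool test; BoolIfExists also passes when the
    MFA key is absent (e.g. long-term access keys), so it is not accepted."""
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return [str(v).lower() for v in _as_list(value)] == ["true"]

def lint_policy(policy):
    """Return (statement id, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard-action"))
        if "*" in resources:
            findings.append((sid, "wildcard-resource"))
        touches_iam = any(a == "*" or a.startswith("iam:") for a in actions)
        if touches_iam and not _requires_mfa(stmt):
            findings.append((sid, "iam-without-mfa"))
    return findings

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Running a check like this in CI on every policy change also supports the alerting step, since a new wildcard grant shows up as a failed build before it is deployed.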

Shadow IT

Shadow IT is the use of your cloud assets without the approval or support of your IT department. There are several risks associated with this, including the financial impact of staff creating cloud workloads for personal use, data loss via unauthorized file-sharing services, and the use of unauthorized messaging services for communications. Some users may be motivated by frustration at in-house technology and look to familiar tools to improve productivity, while others are looking to leverage loopholes to spend their time on non-work activities, or even steal company data.

In all cases, control is key. Keeping the number of staff permitted to build new workloads to a minimum and creating policies to ensure every resource has an associated cost code help mitigate unauthorized expenditure. Creating policies to ensure all deployments meet corporate standards ensures rogue deployments cannot happen. Proxy services and HTTP header controls can be used to limit access to third-party cloud services and ensure data integrity. You might also consider CNAPP to keep your workloads secure throughout the lifecycle.

Lack of encryption

Data is a company’s most valuable asset. Underpinning customer confidence, and carrying the potential for regulatory breach and fines, data security should be a primary concern. With all popular cloud platforms offering encryption solutions at the click of a button, it’s incredible to think that 3,800 data breaches occurred in the first half of 2021. We need to concern ourselves with encrypting data in transit, as well as at rest, to avoid unknowingly giving third-party access to cloud data.

Encryption in transit for cloud services ensures a malicious user is prevented from accessing data as it moves between systems. This is covered in the cloud by use of secure protocols, most notably HTTPS. You should configure your systems and data stores to only be accessible via secure protocols and use firewalls to block insecure access methods.

Encryption at rest ensures that data stored on a disk or other storage medium is kept safe from anyone who should not be accessing it. Full disk encryption (FDE), utilizing AES-256 for maximum security, is recommended for virtual machine disks. Transparent Data Encryption (TDE) is available to keep databases secure while in use.
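Restricting a data store to secure protocols, as described for encryption in transit above, is something you can verify from its access policy. The following is an added example, not part of the original article: it assumes an AWS S3 bucket policy as the concrete case, and the bucket name, account ID, and policies are constructed.

```python
import json

BUCKET = "arn:aws:s3:::example-data"  # constructed bucket ARN

# Constructed policy that grants access but never rejects plain-HTTP requests.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"}]}""")

# Same grant plus an explicit deny for any request not sent over TLS.
HARDENED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
  {"Sid": "DenyPlainHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

def as_list(value):
    """Policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def tls_gaps(policy, bucket_arn):
    """Return the ARNs (bucket and/or its objects) that are NOT covered by a
    deny-all statement conditioned on aws:SecureTransport being false."""
    needed = {bucket_arn, bucket_arn + "/*"}
    for stmt in as_list(policy.get("Statement")):
        cond = stmt.get("Condition", {}).get("Bool", {})
        denies_http = (
            stmt.get("Effect") == "Deny"
            and stmt.get("Principal") in ("*", {"AWS": "*"})
            and any(a in ("*", "s3:*") for a in as_list(stmt.get("Action")))
            and str(cond.get("aws:SecureTransport")).lower() == "false"
        )
        if denies_http:
            needed -= set(as_list(stmt.get("Resource")))
    return sorted(needed)

if __name__ == "__main__":
    print("weak policy gaps:    ", tls_gaps(WEAK, BUCKET))
    print("hardened policy gaps:", tls_gaps(HARDENED, BUCKET))
```

A policy that lists only the object ARN in its deny statement still leaves bucket-level operations reachable without TLS, which is why the check requires both ARNs.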

DDoS attacks

Distributed Denial of Service (DDoS) attacks make cloud resources unavailable to users by flooding and overwhelming them with massive quantities of network traffic generated by many remote systems working in unison. These attacks can result in entire services being taken offline and rendered inaccessible to support staff.

Cloud providers all offer built-in tools to mitigate DDoS. These include edge-caching systems that serve content from multiple locations and network appliances that can intelligently monitor cloud services and sever communications if traffic matches a recognized pattern. Standard tools are provided as part of the cloud service and all you need do is switch them on. Additional security features to mitigate DDoS risks are available at additional cost, but these ultimately cost less than your platform vanishing right in front of you.

API vulnerabilities

Application Programming Interfaces (APIs) are used to connect applications and services together, enabling data to be shared between systems without explicit user request or by creating custom applications. By design, APIs need to interact with other applications over the Internet. Although this is great for convenience and collaboration, it presents a security challenge for cloud computing.

Insecure APIs can be an easy point of attack for a malicious user, enabling DDoS attacks or undetected access to sensitive company or customer data. They are expected to be the most common attack vector in 2022.

The steps to secure APIs are like those used for IAM. You should use secure passwords or keys, store them appropriately, and use the principle of least-privilege. Additionally, the cloud providers offer services such as API gateways which can improve your API security posture, at an extra cost.

Resolve cloud vulnerabilities & improve cloud security 

It is imperative that your organization updates its security position for the cloud and takes advantage of all the tools at its disposal. CSPs provide tools and guidance to secure your services right out of the box. 

Set up your IAM policies before you provide anyone with access, and make sure you provide the minimum access required to new users. Create cloud policies to control what can be deployed in your cloud environment and configure alerts to notify you if those policies are changed. Encrypt all storage by default, and make sure all passwords and keys are stored securely and off-platform. Understand the shared responsibility model, and make sure you keep your side of the cloud security bargain. By following these best practices, you will have headed off most security vulnerabilities at the pass.
