Operating in the public cloud is all about agility and flexibility. As organizations and DevOps teams focus more on deploying code and features as quickly as possible, the public cloud is where “the rubber meets the road” of digital transformation. According to Radware’s research, 70% of production applications now run in the public cloud. This means that increasingly, ‘cloud’ security is becoming synonymous with cyber security.
The rapid and dynamic nature of cloud environments creates security considerations that organizations must weigh even as they enjoy the flexibility the cloud brings. In particular, identity and access management in the public cloud is a concern.
Your Permissions = Your Threat Surface
Workloads hosted on the public cloud are, by definition, remote. All access is via remote connections, using the mechanisms and APIs provided by the public cloud hosting provider; administrators no longer have physical control over their resources. However, hackers, malicious actors and other unauthorized third parties can reach those same resources using the same standardized protocols, APIs and access methods.
Therefore, your workload security is defined by who has access – and what access they have.
In effect, this means that your permissions equal your threat surface. And protecting yourself against threats in the public cloud begins with securing your permissions and identity and access management (IAM).
Different Networks, Similar Challenges
As more of Radware’s customers deploy applications in cloud environments, we have seen several key common challenges and concerns in our practice.
And as explained above, many of those security challenges are around permissions and identity management:
- Excessive permissions granted to users with no business need
- Misconfigurations of cloud environments and customer security policies
- Public exposure of assets without proper (or any) security controls
- Malicious access by unauthorized third parties to the cloud environment
So let’s briefly look at each one in a bit more detail and see why it is such a problem:
Challenge #1: Excessive Permissions
Permission and access management is a critical IT security topic no matter where you are hosted, but the cloud makes it particularly pressing.
This is because the migration to the cloud is frequently driven by the desire for more agility and flexibility. The cloud makes it incredibly easy to spin up new resources, deploy new code and accelerate development processes, which leads to faster time to market.
However, this agility and flexibility come at a cost to security. In the name of expediency, cloud administrators frequently grant extensive permissions to users to enable them to accomplish tasks seamlessly. In practice, most users use only a small portion of the permissions granted to them and have no business need for all of them. This represents a serious security gap if these user credentials fall into malicious hands; attackers would have extensive access to sensitive data and resources.
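The gap between granted and actually exercised permissions that this challenge describes can be measured rather than guessed at. The following is an added example, not code from the post or from Radware: it compares a constructed IAM policy against constructed CloudTrail-style events for one principal and reports grants that were never used, plus wildcard grants that deserve tightening even when partly used.

```python
import fnmatch
import json

# Constructed sample IAM policy: the broad, "make it work" grants the text describes.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
     "Resource": "*"}
  ]
}""")

# Constructed CloudTrail-style events: what the principal actually did in the review window.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

def granted_actions(policy):
    """Collect action patterns from Allow statements; Action may be a string or a list."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        out.update([actions] if isinstance(actions, str) else actions)
    return out

def used_actions(events):
    """Map CloudTrail eventSource 'svc.amazonaws.com' + eventName to 'svc:EventName'."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}

def unused_grants(policy, events):
    """Granted patterns that no observed action matches (IAM matches case-insensitively)."""
    used = {a.lower() for a in used_actions(events)}
    return {g for g in granted_actions(policy)
            if not any(fnmatch.fnmatchcase(u, g.lower()) for u in used)}

def wildcard_grants(policy):
    """Wildcard grants: these hide unused permissions behind a single 'used' pattern."""
    return {g for g in granted_actions(policy) if "*" in g}

if __name__ == "__main__":
    print("never used:", sorted(unused_grants(POLICY, EVENTS)))
    print("wildcards to narrow:", sorted(wildcard_grants(POLICY)))
```

Note that `s3:*` counts as used because GetObject matched it, which is exactly why the wildcard list is reported separately.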
Challenge #2: IAM Misconfigurations
Due to the speed of operating in the cloud, and the uncertainty over who is responsible for which aspects of security, many organizations fall vulnerable to cloud misconfigurations, which are themselves a source of vulnerability.
IAM is a particular pitfall for many organizations because of the many settings involved, including password policy, user authentication misconfigurations, logging and reporting gaps, and so on.
These concerns are also backed by industry research. According to Gartner’s Managing Privileged Access in Cloud Infrastructure report, by 2023, 75% of the cloud security failures will be attributable to inadequate management of identities, access, and privileges. This presents further complexity in managing and monitoring for malicious and unauthorized behavior in accessing infrastructure or applications.
Challenge #3: Public Exposure
The next issue is public exposure of assets. This refers to accidental exposure of workloads without proper (or any) security measures.
Moving to the cloud puts your assets “outside,” beyond your direct reach. A key problem is therefore protecting those assets against public exposure and making sure that only those who should have access do, and no one else.
As noted above, migration to the cloud is frequently driven by the desire for more agility and flexibility. As a result, organizations don’t always lock down access to their systems correctly. Indeed, according to Gartner, by 2021, 50% of enterprises will unknowingly and mistakenly have IaaS storage services, applications, or APIs directly exposed to the public internet.
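One concrete form of the storage exposure Gartner describes is a resource policy that grants access to any principal. The example below is added here and is not part of the original post: it inspects a constructed S3 bucket policy (example account ID and documentation IP range) and flags Allow statements open to anyone, separating those with a narrowing Condition from those with none.

```python
import json

# Constructed bucket policy: "PublicRead" is the accidental exposure, "OfficeOnly" is
# open to any principal but gated by a source-IP condition, "AppRole" is scoped properly.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-reports",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}""")

def allows_anyone(principal):
    """True for both spellings of 'any principal': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy):
    """Sids of Allow statements usable by any principal, split by whether a Condition
    narrows them. Conditioned ones still need review: not every condition key
    actually restricts who the caller is."""
    unrestricted, conditioned = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not allows_anyone(stmt.get("Principal")):
            continue
        (conditioned if stmt.get("Condition") else unrestricted).append(stmt.get("Sid"))
    return {"unrestricted": unrestricted, "conditioned": conditioned}

if __name__ == "__main__":
    print(json.dumps(public_statements(BUCKET_POLICY), indent=2))
```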
Challenge #4: Malicious Access
Finally, another very important topic for cloud security is the issue of remote malicious access. This refers to accessing remote, cloud-based workloads using stolen user credentials.
According to Verizon’s 2020 Data Breach Investigations Report (DBIR), the most common threat actions that led to an organizational breach were phishing and the use of stolen credentials.
Moreover, according to IBM’s 2021 Cost of a Data Breach Report, malicious access using stolen credentials is the #1 cause of data breaches, accounting for 20% of total data breach incidents and costing an average of $4.37 million per incident.
This means that securing your cloud against malicious access, as well as actively monitoring for such access, is a crucial part of locking down your cloud environment.
Locking Down Your Cloud Access
Radware recently partnered with AWS for a webinar to discuss managing your IAM configurations on AWS and fortifying them against malicious abuse and accidental misuse. We were also joined by Perion Network, one of Radware’s longtime customers, to discuss their experience with Radware, and how we helped them lock down their cloud security posture. For full information on how to lock down your identities and access management (IAM) against compromise, click here to view the joint webinar by AWS and Radware.