Co-authored with my friend Steve
Original article link: https://mp.weixin.qq.com/s/UU0mGXrwE60wLNlqkHIutg
Preface#
With the rapid proliferation of cloud computing, security has become a core concern for enterprises. The complexity, diversity, and openness of cloud environments present unprecedented security challenges. To help enterprises understand and respond to these risks, the Cloud Security Alliance (CSA) has released “Top Threats to Cloud Computing 2024”, which the CSA Greater China Region has translated into Chinese. The report is based on a survey of over 500 industry experts on the current cloud security landscape and aims to raise enterprises' awareness of, and vigilance towards, the threats, vulnerabilities, and risks associated with cloud computing.
The report points out that the threat landscape facing cloud computing in 2024 is changing significantly: traditional threats such as denial-of-service attacks and shared-technology vulnerabilities are dropping out of the rankings, while misconfigurations, identity and access management weaknesses, insecure interfaces and APIs, and the lack of a cloud security strategy have become the core risks in cloud environments.
Top 11 Cloud Security Threats in 2024#
The report notes that the traditional cloud security issues managed by Cloud Service Providers (CSPs) keep falling in the rankings. Issues covered in earlier editions, such as denial-of-service attacks, shared-technology vulnerabilities, and CSP data loss, were dropped from this edition because of their low ratings, and legacy Infrastructure as a Service (IaaS) security issues are no longer a primary concern.
For each threat the report gives a description, its business impact, key takeaways, and real-world cases, and cross-references the relevant domains of the CSA “Security Guidance for Critical Areas of Focus in Cloud Computing v5” and the related controls in the CSA “Cloud Controls Matrix (CCM)” and “CAIQ v4”. The overall approach follows the Top Threats methodology described in the CSA “Certificate of Cloud Auditing Knowledge (CCAK) Study Guide v1”.
1- Misconfigurations and Insufficient Change Control#
Misconfigured or suboptimal settings on cloud assets leave them vulnerable to accidental damage and to external or internal malicious activity. A lack of systematic knowledge of cloud security settings, or of how attackers abuse them, is the usual cause. Common misconfigurations include: poor secrets and key management, disabled monitoring and logging, ICMP left open, insecure automated backups, insufficient storage access controls, and overly permissive cloud access. Misconfigured AWS S3 buckets are a particularly common source of exposure and markedly increase the risk of data leaks.
Moreover, insufficient change control in cloud environments can lead to configuration issues not being detected and fixed in a timely manner, increasing the security risks of the system. The complex architecture and frequent changes in cloud environments render traditional IT infrastructure management methods inadequate. Enterprises need to leverage cloud-native security tools and real-time automated validation to effectively manage and reduce the security risks posed by misconfigurations.
Key Measures
- Cloud configuration monitoring, auditing, and assessment: automate detection of common cloud security misconfigurations (machine learning can help here) rather than relying on manual checks.
- Cloud system change management: every change, whether driven by business transformation or by a security event, should pass real-time automated validation so that errors and exposures are caught before they reach production.
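The "real-time automated validation" the report asks for is, in practice, a gate in the CI pipeline that reads the planned change before it is applied. The following is an added example and not code from the CSA report or any CSA tool: it walks a constructed, trimmed-down `terraform show -json` plan (AWS provider resource types and attribute names, fictional resources) and refuses to apply if a change would open a sensitive port to the internet, switch CloudTrail logging off, or relax an S3 public access block. The list of sensitive ports is an assumption.

```python
"""Pre-apply change gate for a Terraform plan.

Added example, not taken from the CSA report or any CSA tooling. The plan below
is a constructed, trimmed-down `terraform show -json` output; resource types and
attribute names follow the AWS provider, but the resources themselves are made up.
"""
import ipaddress

# Ports that must never be reachable from the whole internet (assumption; tune per environment).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 9200}


def is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. 'anyone on the internet'."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(after: dict) -> list:
    """Flag ingress rules that open a sensitive port to the whole internet."""
    findings = []
    for rule in after.get("ingress") or []:
        cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
        if not any(is_world_cidr(c) for c in cidrs):
            continue
        # Protocol "-1" means every protocol and every port in the AWS provider.
        if str(rule.get("protocol")) == "-1":
            exposed = set(SENSITIVE_PORTS)
        else:
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            exposed = {p for p in SENSITIVE_PORTS if lo <= p <= hi}
        if exposed:
            findings.append(f"ingress from the internet to sensitive port(s) {sorted(exposed)}")
    return findings


def check_cloudtrail(after: dict) -> list:
    """Disabled logging or missing log-file validation is a silent loss of audit trail."""
    findings = []
    if not after.get("enable_logging", True):
        findings.append("CloudTrail logging disabled")
    if not after.get("enable_log_file_validation", False):
        findings.append("CloudTrail log file validation not enabled")
    return findings


def check_public_access_block(after: dict) -> list:
    """All four S3 public-access-block flags should stay on."""
    flags = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")
    off = [flag for flag in flags if not after.get(flag, False)]
    return [f"S3 public access block flag(s) turned off: {off}"] if off else []


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_cloudtrail": check_cloudtrail,
    "aws_s3_bucket_public_access_block": check_public_access_block,
}


def gate_plan(plan: dict) -> list:
    """Return (resource address, message) for every risky create/update; empty means the plan may apply."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue  # deletes and no-ops do not add exposure
        check = CHECKS.get(rc.get("type"))
        for msg in (check(change.get("after") or {}) if check else []):
            findings.append((rc["address"], msg))
    return findings


# Constructed plan: a web security group that also opens SSH to the world,
# a CloudTrail update that switches logging off, and a correctly locked-down bucket.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
             {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
         "change": {"actions": ["update"],
                    "after": {"enable_logging": False, "enable_log_file_validation": True}}},
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after": {"block_public_acls": True, "block_public_policy": True,
                                                     "ignore_public_acls": True, "restrict_public_buckets": True}}},
    ]
}

if __name__ == "__main__":
    import sys
    problems = gate_plan(SAMPLE_PLAN)
    for address, msg in problems:
        print(f"BLOCK {address}: {msg}")
    sys.exit(1 if problems else 0)
```

Run as a pipeline step, a non-zero exit blocks `terraform apply`; the same checks can be pointed at the live account (via the CSPM tools mentioned later in the article) to catch drift that bypassed the pipeline.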
2- Identity and Access Management (IAM)#
Identity and Access Management (IAM) ensures that only authorized individuals can access the resources they are entitled to after proving their identity. This system is crucial in defining and managing user roles, access permissions, and the specific conditions under which these permissions are granted or revoked. Although IAM plays a key role in security, it still faces ongoing challenges in cybersecurity due to its complexity and the ever-evolving nature of network threats. Key components include user authentication, authorization, single sign-on (SSO), multi-factor authentication (MFA), and activity monitoring, all of which play significant roles in the effectiveness of IAM. However, the complexity and dynamism of these functions can also introduce vulnerabilities, especially when not properly implemented, configured, updated, and monitored, which can pose significant risks.
As network threats become increasingly complex, protecting sensitive information has become a daunting task. Failure to properly implement and improve IAM strategies can render the cybersecurity defense system vulnerable. Therefore, continuous improvement of IAM strategies is essential for strengthening network defenses.
Key Measures
- Unified IAM solutions: Use IAM solutions that provide strong authentication, centralized management, and visibility across multi-cloud environments.
- Follow the principle of least privilege: Ensure that users have only the minimum access necessary to perform their tasks, reducing potential vulnerabilities.
- Automate user provisioning and revocation: Use automation tools to manage account lifecycles, ensuring timely updates and deletions of permissions.
- Access review and monitoring: periodically review who holds which permissions, remove entitlements that are no longer needed, and monitor access for anomalies that indicate unauthorized use.
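Least privilege is easy to state and hard to audit at scale, so it helps to make the review mechanical. The block below is an added example, not from the CSA report: a small linter over IAM policy documents that flags the three patterns that most often turn into over-privilege (wildcard actions, wildcard resources on non-read-only actions, and privileged actions granted without an MFA condition). The two policies are constructed in AWS IAM JSON syntax, the account ID is the AWS documentation placeholder, and the list of "privileged" actions and the read-only heuristic are assumptions to tune per environment.

```python
"""Least-privilege lint for IAM policy documents.

Added example, not from the CSA report. The two policies below are constructed
in AWS IAM JSON syntax (the account ID is the AWS documentation placeholder);
the list of 'privileged' actions and the read-only heuristic are assumptions.
"""
import fnmatch

# Actions for which an MFA condition is expected (assumption; extend per environment).
PRIVILEGED = ("iam:*", "sts:AssumeRole", "kms:*", "s3:DeleteBucket", "ec2:TerminateInstances")
# Actions that legitimately need Resource "*" are usually read-only (assumption).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _read_only(action: str) -> bool:
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def _touches_privileged(action: str) -> bool:
    # Either the policy's action pattern covers a privileged action ("iam:*", "*")
    # or a concrete action falls under a privileged pattern ("iam:PassRole" under "iam:*").
    return any(fnmatch.fnmatchcase(p, action) or fnmatch.fnmatchcase(action, p) for p in PRIVILEGED)


def has_mfa_condition(stmt: dict) -> bool:
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def lint_policy(policy: dict) -> list:
    """Return (Sid, finding) pairs; an empty list means nothing obviously over-broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide wildcard action"))
        if "*" in resources and not all(_read_only(a) for a in actions):
            findings.append((sid, "Resource '*' on a non-read-only action"))
        if any(_touches_privileged(a) for a in actions) and not has_mfa_condition(stmt):
            findings.append((sid, "privileged action without an aws:MultiFactorAuthPresent condition"))
    return findings


# Constructed: the classic "just make it work" policy.
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed: the same job done with scoped actions, scoped resources and MFA on the sensitive call.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
    {"Sid": "DescribeInstances", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Sid": "AssumeWithMfa", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/Deployer",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

if __name__ == "__main__":
    for name, pol in (("overly-broad", OVERLY_BROAD), ("scoped", SCOPED)):
        print(name, lint_policy(pol) or "clean")
```

A linter like this catches what a policy says, not what it is used for; pair it with the provider's access-analysis data (which actions a principal has actually invoked in the last N days) to drive the removal of unused entitlements that the review step calls for.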
3- Insecure Interfaces and APIs#
Cloud Service Providers (CSPs), enterprise vendors, and internal developers provide machine-to-machine application programming interfaces (APIs) or complete human-machine interface (UI) suites, often used for system control. However, initial design requirements often become inconsistent with long-term usage. Changes in leadership, adjustments in corporate strategic direction, or access needs from third-party partners can expose potential risks and create time pressures for rapid deployment. Previous decisions, undocumented assumptions, legacy support needs, poor architectural design, or expectations of consistency across on-premises/IaaS/SaaS products can all impact the transition of enterprises to the cloud.
For various reasons, APIs and UIs are susceptible to attack. Common issues include: 1. insufficient authentication, 2. lack of encryption, 3. poor session management, 4. inadequate input validation, 5. inadequate logging and monitoring, 6. outdated or unpatched software, 7. protections assumed from the on-premises environment that were never implemented in the cloud, 8. overly open access controls, and 9. lack of detection tooling for time-sensitive applications. Akamai's 2024 report states that “from January to December 2023, 29% of web attacks targeted APIs”, and OWASP's release of the API Security Top 10 (2023) underlines how important interface security has become.
Key Measures
- The attack surface provided by APIs should be monitored and secured according to best practices.
- Rate limiting and throttling policies should be implemented to prevent denial-of-service (DoS) attacks and credential stuffing attacks.
- Traditional security controls and change management must keep pace with the growth of cloud-based APIs: shorten credential lifetimes and require multi-factor authentication (MFA).
- When migrating functionalities, confirm the consistency of products and services. There can be significant delays in API calls between vendor on-premises solutions and SaaS applications, and there may be considerable differences when migrating between different hyperscale cloud service providers.
- Investigate credential lifecycle automation and techniques for continuously monitoring API traffic for anomalies; combined with threat intelligence, an API gateway can block abusive callers in real time.
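The rate-limiting measure above is worth showing concretely, because the naive version (one counter per IP) misses the distributed case. The following is an added example, not from the CSA report: a sliding-window limiter for a login or token endpoint that applies two independent limits to every attempt, per source IP (one bot hammering many accounts) and per target username (a botnet spraying one account from many addresses). The limits, the window length and the IP addresses (documentation ranges) are assumptions; the clock is injected so the behaviour is deterministic.

```python
"""Sliding-window rate limiting for a login or token endpoint.

Added example, not from the CSA report. Two independent limits are applied to
every attempt: per source IP (one bot hammering many accounts) and per target
username (a distributed spray against one account). The limits, the window and
the IP addresses (documentation ranges) are assumptions; the clock is injected so
the behaviour is deterministic and testable.
"""
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, per_ip=20, per_user=5, window_seconds=60.0, clock=None):
        self.per_ip, self.per_user, self.window = per_ip, per_user, window_seconds
        self._now = clock or time.monotonic
        self._ip_hits = defaultdict(deque)    # ip -> timestamps of attempts in the window
        self._user_hits = defaultdict(deque)  # username -> timestamps of attempts in the window

    def _prune(self, hits: deque, now: float) -> None:
        while hits and now - hits[0] >= self.window:
            hits.popleft()

    def check(self, ip: str, username: str) -> str:
        """Return 'allow', 'challenge' or 'deny' for this attempt.

        Every attempt is recorded, including denied ones, so a source that keeps
        hammering stays limited until it actually backs off for a full window.
        """
        now = self._now()
        ip_hits, user_hits = self._ip_hits[ip], self._user_hits[username.lower()]
        self._prune(ip_hits, now)
        self._prune(user_hits, now)
        ip_hits.append(now)
        user_hits.append(now)
        if len(ip_hits) > self.per_ip:
            return "deny"        # one source, many attempts: drop it outright
        if len(user_hits) > self.per_user:
            return "challenge"   # one account, many sources: step up to MFA/CAPTCHA rather than lock the owner out
        return "allow"


def simulate_stuffing():
    """Drive the limiter with a constructed credential-stuffing pattern (fake clock)."""
    t = [0.0]
    limiter = LoginRateLimiter(per_ip=20, per_user=5, window_seconds=60.0, clock=lambda: t[0])
    # One bot, one IP, 25 different usernames in 2.5 seconds.
    single_source = []
    for i in range(25):
        single_source.append(limiter.check("203.0.113.7", f"user{i}@example.com"))
        t[0] += 0.1
    # A botnet: 8 different IPs against a single high-value account.
    spray = [limiter.check(f"198.51.100.{i}", "ceo@example.com") for i in range(8)]
    # After the window has fully elapsed the first source is allowed again.
    t[0] += 61.0
    recovered = limiter.check("203.0.113.7", "user0@example.com")
    return single_source, spray, recovered


if __name__ == "__main__":
    single_source, spray, recovered = simulate_stuffing()
    print("single source :", single_source.count("allow"), "allowed,", single_source.count("deny"), "denied")
    print("spray         :", spray)
    print("after window  :", recovered)
```

The per-user limit deliberately returns a step-up ("challenge") rather than a hard deny: a hard per-account lockout turns the limiter into a denial-of-service tool against the account owner, which is exactly the DoS the measure is meant to prevent. In production the two deques would live in a shared store such as Redis so that all gateway instances see the same counters.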
4- Lack of Cloud Security Policies#
Despite the maturity of cloud computing technologies and their increasing application by enterprises, effective cloud security architectures and policies often still do not receive adequate attention. A lack of clear security policies can lead to vulnerabilities in cloud environments, triggering a series of security incidents. Cloud security policies should consider various external factors, existing implementations, and the selection of cloud technologies and priorities, moving towards the creation of high-level plans or methodologies. These insights help enterprises achieve their cloud security goals and support business objectives.
Key Measures
- Develop cloud security policies or key guiding principles that clearly define goals or objectives.
- When designing and implementing cloud security controls and measures, consider business objectives, risks, efficiency, security threats, and legal compliance.
- Anticipate potential human errors and attacker behaviors, adopting a defense-in-depth strategy, prioritizing configuration security.
- Design appropriate best practices for cloud networking, account management, data management, identity management, and boundary protection, focusing on the implementation and execution of policies.
5- Insecure Third-Party Resources#
Cloud adoption is rising rapidly, and third-party resources range from externally written code and open-source libraries to SaaS products, including the insecure interfaces and APIs of Threat 3. Risks originating from third-party resources are also supply-chain vulnerabilities, since those resources are part of how a cloud service or application is delivered to customers. Managing them is known as Cybersecurity Supply Chain Risk Management (C-SCRM).
According to research from Colorado State University cited in the report, two-thirds of data breaches originate in vendors or third-party resources. Because a product or service is assembled from many components, an attacker can exploit any one link (for example, a single malicious line in a dependency): they only need the weakest link in the whole chain as an entry point, and that is often a small vendor that a large enterprise relies on.
Key Measures
- Software can never be made completely secure, least of all code or products developed by third parties. Organizations should therefore choose third-party resources that are officially supported and hold compliance certifications, and require transparent vulnerability-handling processes from their vendors.
- Use Software Composition Analysis (SCA) tools to identify third-party resources, creating Software Bill of Materials (SBOM) or SaaSBOM to clearly understand all components in the supply chain.
- Continuously track SBOM and third-party resources to ensure that the products used do not contain known vulnerabilities and receive timely updates and patch information.
- Regularly conduct automated and manual reviews of third-party resources to ensure they meet the latest security requirements and are updated to secure versions.
- Collaborate with vendors to ensure they have the capability to conduct automated security testing and possess the necessary training and tools to reduce potential security risks in the supply chain.
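"Continuously track the SBOM" means re-evaluating the same inventory every time a new advisory lands, which is a version-range match. The block below is an added example, not from the CSA report: it takes a constructed, minimal CycloneDX-style SBOM (package URLs, fictional packages) and a constructed advisory list (the ADV-* identifiers are placeholders, not real CVEs; real feeds such as OSV use the same introduced/fixed half-open range) and reports every component whose version falls inside an affected range, together with the version to upgrade to.

```python
"""Match an SBOM against known-affected version ranges.

Added example, not from the CSA report. The SBOM is a constructed, minimal
CycloneDX-style document with purl identifiers, and the advisory list is also
constructed: the package names and ADV-* identifiers are placeholders, not real
packages or CVEs. In practice the advisories would come from a feed such as OSV
or the NVD, which use the same introduced/fixed range shape.
"""
import re
from urllib.parse import unquote

PURL_RE = re.compile(r"^pkg:([^/]+)/(.+?)@([^@?#]+)")


def parse_purl(purl: str):
    """'pkg:npm/%40acme/core@1.2.3' -> ('npm', '@acme/core', '1.2.3'), or None if malformed."""
    m = PURL_RE.match(purl or "")
    return (m.group(1), unquote(m.group(2)), m.group(3)) if m else None


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); only numeric parts are compared (assumption: no pre-release ordering)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed (half-open range, as OSV uses)."""
    v = parse_version(version)
    if introduced and v < parse_version(introduced):
        return False
    if fixed and v >= parse_version(fixed):
        return False
    return True


def match_sbom(sbom: dict, advisories: list) -> list:
    """Return one finding per (component, advisory) whose version falls in an affected range."""
    findings = []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            continue  # components without a purl cannot be matched reliably; report them separately
        ecosystem, name, version = parsed
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) != (ecosystem, name):
                continue
            if is_affected(version, adv.get("introduced"), adv.get("fixed")):
                findings.append({"component": f"{name}@{version}", "advisory": adv["id"],
                                 "fixed": adv.get("fixed"), "summary": adv.get("summary", "")})
    return findings


# Constructed SBOM fragment (CycloneDX shape, fictional packages).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-session", "version": "1.4.2", "purl": "pkg:npm/acme-session@1.4.2"},
        {"type": "library", "name": "acme-crypto", "version": "0.9.1", "purl": "pkg:pypi/acme-crypto@0.9.1"},
        {"type": "library", "name": "acme-logger", "version": "2.14.1", "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
        {"type": "library", "name": "acme-router", "version": "4.19.2", "purl": "pkg:npm/acme-router@4.19.2"},
        {"type": "library", "name": "no-purl", "version": "1.0.0"},
    ],
}

# Constructed advisories (placeholders, not real vulnerabilities).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "package": "acme-session", "introduced": "1.0.0", "fixed": "1.4.3", "summary": "session fixation"},
    {"id": "ADV-0002", "ecosystem": "maven", "package": "com.example/acme-logger", "introduced": "2.0", "fixed": "2.17.1", "summary": "format-string injection"},
    {"id": "ADV-0003", "ecosystem": "npm", "package": "acme-router", "introduced": "4.0.0", "fixed": "4.19.0", "summary": "open redirect"},
    {"id": "ADV-0004", "ecosystem": "pypi", "package": "acme-crypto", "introduced": "0.5", "fixed": "0.9.1", "summary": "weak default cipher"},
]

if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['component']}: {f['advisory']} ({f['summary']}), upgrade to {f['fixed']}")
```

Two details matter in practice and are covered by the sample data: the range is half-open, so a component already at the fixed version (acme-crypto 0.9.1) is not flagged, and components without a package URL cannot be matched and should be reported as an SBOM quality gap rather than silently passed.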
6- Insecure Software Development#
Developers do not set out to write insecure software, but the complexity of software and cloud technologies routinely introduces vulnerabilities, and once such software is deployed attackers can exploit them to compromise cloud applications. A “cloud-first strategy” lets organizations build DevOps pipelines and drive continuous integration/continuous delivery (CI/CD). Cloud Service Providers (CSPs) also offer secure development capabilities such as guardrails and automated application security testing, and identity and access management (IAM) features that enforce least privilege in development environments and support tracking of remediation.
It is crucial to ensure that every developer understands the shared responsibility assumption between the company and the CSP, which requires ongoing security education. For example, when a 0-day vulnerability is reported in a developer's software, the developer is responsible for fixing the issue. Conversely, if a vulnerability exists in the development or operational environment provided by the CSP, it is the CSP's responsibility to implement patches to address the issue.
Adopting cloud technologies allows companies to focus on their unique business needs while the CSP manages and monitors everything else. The “Cloud Controls Matrix v4” recommends that organizations “define and implement a secure software development lifecycle (SDLC) process” covering application design, development, deployment, and operation, so that the organization's own security requirements are met. With an SDLC in place, enterprises can concentrate on delivering safer cloud applications.
Key Measures
- Define and implement a secure software development lifecycle (SDLC) process that includes vulnerability scanning and weakness detection during design, development, and operational phases.
- No software is absolutely secure. Enterprises should leverage cloud technologies to develop safer cloud applications and deploy mechanisms to enhance system resilience.
- Using cloud technologies can avoid reinventing existing solutions, allowing developers to focus on solving unique business problems using guardrails and other APIs.
- Understand the shared responsibility model, such as patching vulnerabilities in CSP services or developer applications, ensuring rapid remediation.
- CSPs prioritize security and publish guidance, such as Well-Architected Frameworks and secure design patterns, to help enterprises implement services securely.
7- Accidental Data Leaks#
The risk of accidental data leaks (usually through misconfiguration) grows year on year. Free public search tools make it easy to locate exposed data stores, and the problem spans many cloud storage services: Amazon S3 buckets, Azure Blob Storage, Google Cloud Storage, Elasticsearch, and so on. Although these issues are well known, exposed Elasticsearch instances and S3 buckets have kept appearing over the past two years, often exploited within 24 hours of exposure.
In April 2024, research released by the Cloud Security Alliance showed that 21.1% of public buckets contained sensitive data. This accidentally leaked data includes not only common information such as names, nationalities, birth dates, and genders but also more sensitive information like passport information, passwords, educational data, driver's licenses, medical records, and biometric data. Many of these leaks are caused by user oversight or misconfigurations.
Key Measures
- All cloud platforms are susceptible to data leaks due to misconfigurations or user operational errors. Enterprises should adopt a combined approach of technology and processes to promote educational programs, IT audits, legal planning, etc., to reduce the occurrence of such errors.
- A few basic configuration steps greatly reduce the likelihood of an accidental leak: keep buckets private, encrypt their contents, use strong credentials, and enable multi-factor authentication (MFA). Each major cloud provider (Amazon, Google, Microsoft) publishes detailed security configuration guidance.
- To significantly reduce risks, implement identity and access management (IAM) policies based on the principle of least privilege, strictly controlling database access permissions and conducting regular audits.
- Regularly review data storage permissions to ensure compliance and data security. If configured correctly, Cloud Security Posture Management (CSPM) tools can also automatically remediate potential security issues.
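"Ensure the bucket is private" is less obvious than it sounds, because an S3 bucket can be exposed through three independent mechanisms (a public ACL grant, a bucket policy with `Principal: "*"`, and the absence of the Public Access Block that would override both). The block below is an added example, not from the CSA report: it evaluates a bucket state shaped like the S3 API responses (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy) and says whether the bucket is publicly readable and why, with a constructed leaky bucket beside its hardened form. Which condition keys count as "scoping" a `Principal: "*"` statement is an assumption; anything else is treated as public.

```python
"""Is this S3 bucket publicly readable?

Added example, not from the CSA report. The inputs mirror the shape returned by
the S3 API (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy) but every bucket
state below is constructed. Which condition keys count as 'scoping' a Principal
'*' statement is an assumption; anything not on that list is treated as public.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all: still public
}
SCOPING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp", "aws:PrincipalOrgID", "aws:PrincipalAccount"}
ALL_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _statement_scoped(stmt: dict) -> bool:
    return any(key in SCOPING_KEYS for block in stmt.get("Condition", {}).values() for key in block)


def public_policy_statements(policy) -> list:
    """Sids of Allow statements that grant to everyone without a scoping condition."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return [s.get("Sid", "?") for s in _as_list(doc.get("Statement"))
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal")) and not _statement_scoped(s)]


def public_acl_grants(acl: dict) -> list:
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def assess_bucket(bucket: dict) -> dict:
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    reasons = []
    acl_public = public_acl_grants(bucket.get("Acl", {}))
    policy_public = public_policy_statements(bucket.get("Policy"))
    # Public Access Block is the safety net: IgnorePublicAcls neutralises public ACL grants and
    # RestrictPublicBuckets neutralises a public bucket policy, even if both are still present.
    if acl_public and not pab.get("IgnorePublicAcls", False):
        reasons.append(f"ACL grants {acl_public} to a public group")
    if policy_public and not pab.get("RestrictPublicBuckets", False):
        reasons.append(f"policy statement(s) {policy_public} allow Principal '*' without a scoping condition")
    return {"bucket": bucket["Name"], "public": bool(reasons), "reasons": reasons}


# Constructed: the typical accidental leak (ACL public-read, public policy, no access block).
LEAKY = {
    "Name": "acme-customer-exports",
    "PublicAccessBlockConfiguration": {flag: False for flag in ALL_PAB_FLAGS},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::acme-customer-exports/*"}]}),
}

# Constructed: the same bucket hardened. Access block on, owner-only ACL, policy scoped to one VPC endpoint.
HARDENED = {
    "Name": "acme-customer-exports",
    "PublicAccessBlockConfiguration": {flag: True for flag in ALL_PAB_FLAGS},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::acme-customer-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
}

if __name__ == "__main__":
    for b in (LEAKY, HARDENED):
        print(assess_bucket(b))
```

Note the order of precedence the check encodes: turning on all four Public Access Block flags makes the leaky bucket non-public even before the ACL and policy are cleaned up, which is why enabling the account-level block is the first remediation step, and the ACL and policy fixes follow.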
8- System Vulnerabilities#
System vulnerabilities are security flaws within cloud service platforms that attackers may exploit to compromise the confidentiality, integrity, and availability of data, potentially leading to service disruptions. Cloud services are typically built from custom software, third-party libraries, services, and operating systems, and any vulnerabilities in these components can make cloud services more susceptible to cyberattack threats.
System vulnerabilities fall mainly into four categories: misconfigurations, 0-day vulnerabilities, unpatched software, and weak or default credentials. Misconfigurations typically arise when cloud services are deployed with default or incorrect settings; according to NSA reporting, they are among the most common security issues in cloud computing. 0-day vulnerabilities are flaws that attackers have discovered and are exploiting before the cloud provider or software vendor has released a patch. Unpatched software contains known security issues for which patches exist but have not been applied. Weak passwords and default credentials result from the absence of strong authentication and let attackers gain unauthorized access to systems and data with little effort. Together these vulnerabilities substantially raise the risk of cloud services being attacked, so timely remediation and configuration hardening are essential.
Key Measures
- System vulnerabilities are one of the root causes of expanded attack surfaces in cloud services. Investigations by the NSA and CSA indicate that misconfigurations are the most significant vulnerabilities in cloud services.
- Continuously monitor systems and networks to discover and remediate security vulnerabilities and other system integrity issues by increasing visibility.
- Regularly implement patch management to ensure that the latest security patches are timely obtained and deployed, enhancing the system's defenses against cyberattacks.
- A zero-trust architecture can reduce the potential impact of 0-day vulnerabilities by continuously verifying identities and limiting access to critical cloud resources.
9- Insufficient Cloud Visibility/Observability#
When organizations cannot effectively visualize or analyze whether the use of cloud services is secure, the issue of insufficient cloud visibility/observability arises. This problem manifests in two main aspects: unauthorized application usage and misuse of approved applications. Unauthorized application usage typically occurs when employees use cloud applications and resources without IT department and security approval, leading to the issue of “shadow IT.” This situation is particularly dangerous when sensitive data is involved. Misuse of approved applications occurs when organizations cannot monitor the usage of their approved applications, with internal employees or external threats often exploiting these vulnerabilities through credential theft, SQL injection, or DNS attacks.
Key Measures
- Develop a comprehensive cloud visibility solution: Start from the top-level design, appoint a cloud security architect to create a solution that integrates people, processes, and technology.
- Conduct training for all employees: Ensure that all employees receive training on cloud usage policies and comply with relevant regulations.
- Review and approve unauthorized services: Have cloud security architects or third parties conduct risk management reviews and approve all unauthorized cloud services.
- Utilize Cloud Access Security Brokers (CASB) and zero-trust security solutions to analyze external activities, discover cloud usage, and identify high-risk users.
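The CASB-style "discover cloud usage and identify high-risk users" step comes down to reading the egress logs the organization already has. The block below is an added example, not from the CSA report: it parses a constructed excerpt of outbound proxy logs (a simple space-separated layout with timestamp, user, method, host and bytes sent by the client; real proxies carry the same fields in other layouts), ignores sanctioned applications, and reports users who have pushed more than a threshold of data to an unapproved SaaS host. The approved-application list, the SaaS category map and the threshold are assumptions.

```python
"""Shadow-IT discovery from outbound proxy logs.

Added example, not from the CSA report. The log lines are constructed in a
simple space-separated layout (timestamp, user, method, host[:port], bytes sent
by the client); real proxies carry the same fields in other layouts. The
approved-application list, the SaaS category map and the upload threshold are
assumptions for this example.
"""
import re
from collections import defaultdict

APPROVED = {"example-corp.com", "sharepoint.com", "slack.com", "github.com"}  # sanctioned apps (assumption)
SAAS_CATEGORY = {"dropbox.com": "file-sharing", "wetransfer.com": "file-sharing",  # unsanctioned apps (assumption)
                 "drive.google.com": "file-sharing", "pastebin.com": "paste"}
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # 10 MiB pushed to one unapproved app by one user (assumption)

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[^ :/]+)(?::\d+)? (?P<bytes_out>\d+)$")


def _in_domains(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def _category(host: str) -> str:
    for domain, cat in SAAS_CATEGORY.items():
        if _in_domains(host, (domain,)):
            return cat
    return "uncategorised"


def parse_line(line: str):
    """Return a dict of fields, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def find_shadow_it(lines, threshold: int = UPLOAD_THRESHOLD) -> list:
    """Users pushing at least `threshold` bytes (POST/PUT) to hosts outside the approved list."""
    uploads = defaultdict(int)  # (user, host) -> bytes sent in the period
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT") or _in_domains(rec["host"], APPROVED):
            continue
        uploads[(rec["user"], rec["host"])] += rec["bytes_out"]
    findings = [{"user": u, "host": h, "category": _category(h), "bytes_out": b}
                for (u, h), b in uploads.items() if b >= threshold]
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


# Constructed proxy log excerpt.
SAMPLE_LOGS = """
2024-08-05T09:12:01Z alice GET github.com:443 412
2024-08-05T09:13:45Z alice POST www.dropbox.com:443 8388608
2024-08-05T09:14:02Z alice POST www.dropbox.com:443 4194304
2024-08-05T09:20:11Z bob PUT api.wetransfer.com:443 1048576
2024-08-05T09:25:30Z bob POST files.slack.com:443 52428800
2024-08-05T09:31:09Z carol POST pastebin.com:443 2048
2024-08-05T09:40:00Z carol GET www.dropbox.com:443 300
this line is malformed and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_LOGS):
        print(f"{f['user']} sent {f['bytes_out']} bytes to unapproved {f['category']} app {f['host']}")
```

The threshold is what separates "discovery" from "investigation": lowering it lists every unapproved app anyone touched (the inventory the risk-management review in the measures above needs), while the default only surfaces the uploads large enough to be a data-exfiltration concern. Bob's 50 MiB to Slack is not reported because Slack is on the approved list; whether it should be is a question for the approval review, not the detector.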
10- Unverified Resource Sharing#
Unverified cloud resource sharing can pose significant security risks to cloud services. Cloud resources may include virtual machines, buckets, and databases, which contain sensitive data and applications critical to business operations. Without user identity verification or adherence to the principle of least privilege, cloud resources face threats, and attackers may steal confidential data from companies and individuals.
One of the most basic practices for securing cloud resources is authentication that at least requires a password. Yet every year a large number of breaches involve cloud storage and database systems with no password protection at all. Finding unprotected resources in today's vast networks might seem hard, but internet-wide search engines such as Shodan, BinaryEdge, and GrayhatWarfare make unprotected data stores easy to discover.
Key Measures
- Cloud storage and databases sometimes lack password protection, making them easily accessible to anyone. Enforcing basic user authentication is an important means of restricting access to cloud resources.
- Further enhance authentication by deploying MFA and third-party authentication services.
- Continuously monitoring user activities helps determine whether their behavior is legitimate or malicious.
11- Advanced Persistent Threats (APT)#
Advanced Persistent Threats (APT) continue to pose significant risks to cloud security. These sophisticated adversaries, including nation-state actors and organized crime groups, possess the resources and expertise to launch prolonged attacks in cloud environments, often targeting sensitive data and critical business resources. Between 2022 and 2023, APT activities posed significant threats to cloud environments, employing a variety of attack methods, including ransomware, exploitation of 0-day vulnerabilities, phishing, credential theft, destructive data wiping attacks, and supply chain attacks. These attack methods highlight the persistent nature of APTs, and businesses must adopt robust security measures to protect their cloud infrastructure from these advanced threats.
To defend against APT attacks in cloud environments, enterprises should closely monitor network threat intelligence and gain a deep understanding of the most active APT organizations and their tactics, techniques, and procedures (TTPs). Regular red team exercises can help enterprises test and improve their ability to detect and respond to APT attacks. Meanwhile, threat-hunting activities are also an important component of APT detection, especially in cloud environments.
A multi-layered cloud security strategy, including strong access controls, encryption, monitoring, and incident response, is key to defending against advanced adversary attacks.
Key Measures
- Business Impact Analysis: Conduct regular business impact analyses to identify and understand the organization's critical information assets and their potential vulnerabilities. This helps enterprises focus security resources and efforts on protecting the most valuable data.
- Cybersecurity Information Sharing: Participate in cybersecurity information sharing groups and forums to learn about the most active APT organizations and their tactics, techniques, and procedures (TTPs). This collective knowledge can enhance the enterprise's defense and response capabilities.
- Offensive Security Exercises: Regularly simulate APT tactics, techniques, and procedures (TTPs) through red team exercises and threat-hunting activities. These offensive security exercises help test and improve your detection and response capabilities, ensuring that your security measures can effectively address complex threats.
Comparative Analysis of Cloud Security Threat Rankings from 2022 to 2024#
This report analyzes the evolution of cloud security threats, focusing on the persistent issues of misconfigurations, IAM (Identity and Access Management) weaknesses, insecure APIs, and the lack of comprehensive security policies. While these threats are the same as those identified in the 2022 report, their continued presence underscores their criticality.
The 2024 report raises awareness of the following key security issues:
1. Misconfigurations and Insufficient Change Control: now ranked first in the 2024 survey, up from third place in 2022. Configuration management has been a cornerstone of organizational capability maturity for years, but the move to the cloud has made it harder and requires cloud-specific configuration discipline. Because cloud services offer broad network access and elastic capacity, a single misconfiguration can have organization-wide impact.
2. Identity and Access Management (IAM): Previously ranked first, now dropped to second place. Challenges such as replay attacks, identity spoofing, and excessive permissions still exist in cloud environments, similar to on-premises settings. However, the use of self-signed certificates and poor encryption management significantly increases security risks. The implementation of zero-trust architectures and the application of software-defined perimeter (SDP) are becoming focal points for respondents, reflecting the importance of these issues in cloud security.
3. Insecure Interfaces and APIs: dropped from second to third place. The adoption of microservices makes protecting interfaces and APIs even more important. Although they are central to cloud services (including SaaS and PaaS products), securing them remains a significant challenge because of developer time pressure and the always-on requirements of cloud services.
4. Lack of Cloud Security Policies: Still ranked fourth, the ongoing concern in this area is: why are there still significant challenges in planning and building secure solutions? Cloud computing has become a stable and developing technology that requires clear executable architectural strategies.
The CSA “Top Threats to Cloud Computing 2024” is not only a technology-oriented document but also a guiding principle and action guide. By providing in-depth analysis, case studies, and practical recommendations, the report aims to help organizations enhance their cloud security posture, reduce potential risks, and remain vigilant and prepared in the face of complex and evolving security challenges.
Conclusion and Future Outlook#
As a leader in the field of cloud security, the CSA continues to support enterprises in addressing the ever-evolving security threats. Through ongoing threat tracking and in-depth research, the CSA provides enterprises with practical solutions and industry standards to ensure they have robust security capabilities in a rapidly changing technological environment. This report is a result of these efforts, aiming to provide enterprises with forward-looking threat insights and response strategies.
In the future, as cloud computing and security technologies continue to advance, especially with the accelerated integration of AI and cloud computing, several key trends will have a profound impact on the cloud security threat landscape. Enterprises must remain highly vigilant and proactively respond to these trends to ensure the security and stability of their cloud environments.
Four Key Trends in Cloud Computing#
1. Increasing Complexity of Attacks: Attackers will continue to develop more sophisticated techniques, including exploiting vulnerabilities in cloud environments using artificial intelligence (AI) technologies. These new technologies will require proactive security postures with continuous monitoring and threat-hunting capabilities.
2. Supply Chain Risks: The increasing complexity of the cloud ecosystem will expand the attack surface for supply chain vulnerabilities. Organizations need to extend their security measures to their vendors and partners.
3. Evolving Regulatory Environment: Regulatory bodies may implement stricter data privacy and security regulations, requiring organizations to adapt their cloud security practices.
4. Rise of Ransomware as a Service (RaaS): RaaS will make it easier for technically inexperienced participants to launch complex ransomware attacks against cloud environments. Organizations will need robust data backup and recovery solutions, along with strict access controls.
Key Mitigation Strategies Enterprises Can Adopt Against These Trends:#
- Integrate AI throughout the Software Development Lifecycle (SDLC): Utilizing AI for tasks such as code reviews and automated vulnerability scanning during early development will help identify and address security issues before code goes into production.
- Use AI-driven Offensive Security Tools: These tools simulate attacker behavior to discover vulnerabilities in cloud configurations, IAM protocols, and APIs. This proactive approach helps organizations stay ahead of potential threats.
- Cloud-native Security Tools: Organizations will increasingly adopt cloud-native security tools designed specifically for cloud environments. These tools provide better visibility and control compared to traditional security solutions.
- Zero Trust Security Model: The zero-trust model emphasizes continuous verification and least-privilege access, becoming the standard for cloud security.
- Automation and Orchestration: Automating security processes and workflows is crucial for managing the complexity of cloud security.
- Security Skills Training: The cybersecurity skills gap will continue to be a challenge. Organizations need to prioritize and budget for training and development programs to provide ongoing education for employees, continuously enhancing their security expertise and awareness.
By applying these strategies, enterprises can build a secure and resilient cloud environment while remaining vigilant against evolving threats. However, as the cybersecurity landscape continues to change, enterprises must also continuously adapt and invest in cutting-edge security solutions, such as Cloud Security Posture Management (CSPM) and Endpoint Detection and Response (EDR) tools, to ensure they remain ahead of the curve and effectively mitigate financial and reputational risks associated with cloud security vulnerabilities.
Acknowledgments#
The “Top Threats to Cloud Computing 2024” was authored by experts from the CSA Top Threats Working Group and translated and reviewed by experts from the CSA Greater China Region. Thanks to the contributions of the following experts and organizations (in no particular order):
Translation Team Members
Lu Qi, Liu Lianjie, Liu Gang, Zhao Chenxi, Bu Songbo, Xiao Wendi
Review Team Members
Guo Pengcheng, Dang Chaohui, Bu Songbo
Contributing Organizations:
Ericsson, Tianyi Security, Tianyi Cloud, China Mobile (Hong Kong), Morningstar Information