Beware the top three blind spots that precede cloud data breaches
Moving workloads to the cloud has led organisations and IT administrators to lose direct control over those workloads and to cede many critical aspects of cybersecurity. As a result, what counted as ‘inside’ in an on-premises world is suddenly ‘outside’ in publicly hosted cloud infrastructure.
Attackers can reach publicly hosted workloads through the same connection methods, protocols and public APIs that IT administrators use. In effect, the whole world becomes an insider threat. Workload security is therefore defined by who can access those workloads and what permissions they hold.
The problem lies in the practicality and flexibility that cloud environments offer: cloud administrators frequently grant broad permissions to groups of users so that they can accomplish tasks without friction.
In practice, most users use only a small portion of the permissions granted to them and have no business need for all of them. This represents a serious security gap: if these user credentials were ever to fall into malicious hands, attackers would have extensive access to sensitive data and resources.
According to Gartner's ‘Managing privileged access in cloud infrastructure' report, by 2023, 75% of cloud security failures will be attributable to inadequate management of identities, access, and privileges.
The top three blind spots are:
1. Not understanding the difference between used and granted permissions
80% of excessive permissions are granted through roles. In a cloud environment where resources are hosted ‘outside’ the organisation, the permissions that grant access to those resources define the organisation's attack surface.
Unnecessary permissions stem from the gap between what users need to do their job and what they have actually been granted. Put differently, it is the gap between granted and used permissions, and that gap is the organisation's attack surface.
Understanding the difference between used and granted permissions is one of the most significant blind spots that lead to a data breach. It's important to monitor and analyse this gap constantly to ensure that it is as small as possible, and consequently, that the attack surface is equally small.
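The gap described above can be measured rather than estimated. The following is an added example, not code from the original article: it expands a constructed IAM-style identity policy (wildcards included) against a constructed, deliberately small action catalogue, maps constructed CloudTrail-style usage records back to IAM action names, and reports which granted actions were never exercised inside a lookback window. The role name, the catalogue, the "sensitive actions" list and the event-name translation table are all assumptions made for the example.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed subset of the IAM action catalogue. A real analysis would load
# the full service/action list; this hand-picked sample is only for illustration.
ACTION_CATALOGUE = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:ListUsers", "iam:CreateAccessKey", "iam:PassRole",
]

# Actions whose unused presence in a policy deserves a closer look (assumption).
SENSITIVE_ACTIONS = {"iam:PassRole", "s3:PutBucketPolicy",
                     "iam:CreateAccessKey", "ec2:TerminateInstances"}

# CloudTrail event names do not always equal the IAM action they exercise;
# this translation table is an illustrative assumption, not an exhaustive map.
EVENT_TO_ACTION = {"s3:ListObjects": "s3:ListBucket", "s3:ListObjectsV2": "s3:ListBucket"}

# Constructed identity policy attached to a hypothetical "data-engineer" role.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed CloudTrail-style records for that role (only the fields used here).
USAGE_EVENTS = [
    {"eventTime": "2023-06-15T09:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventTime": "2024-02-03T10:14:52Z", "eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2"},
    {"eventTime": "2024-02-03T10:15:07Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2024-02-19T16:40:31Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2024-03-02T08:05:44Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]
LOOKBACK_START = _ts("2024-01-01T00:00:00Z")  # usage older than this is treated as stale

def expand_actions(policy, catalogue=ACTION_CATALOGUE):
    """Expand every Allow statement (wildcards included) against the catalogue."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny, permission boundaries and SCPs are not modelled here
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pat in patterns:
            # IAM action matching is case-insensitive; '*' and '?' are the only wildcards.
            granted.update(a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pat.lower()))
    return granted

def used_actions(events, since=None):
    """Translate usage records into IAM action names, ignoring stale ones."""
    used = set()
    for ev in events:
        if since is not None and _ts(ev["eventTime"]) < since:
            continue
        service = ev["eventSource"].split(".")[0]
        action = f"{service}:{ev['eventName']}"
        used.add(EVENT_TO_ACTION.get(action, action))
    return used

def permission_gap(policy, events, since=None, catalogue=ACTION_CATALOGUE):
    """Granted minus used: the attack surface the article is talking about."""
    granted = expand_actions(policy, catalogue)
    unused = granted - used_actions(events, since)
    return {
        "granted": sorted(granted),
        "used": sorted(granted - unused),
        "unused": sorted(unused),
        "unused_sensitive": sorted(unused & SENSITIVE_ACTIONS),
        "gap_ratio": round(len(unused) / len(granted), 2) if granted else 0.0,
    }

def rightsized_policy(gap):
    """A replacement policy that allows only what was actually exercised."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": gap["used"], "Resource": "*"}]}

if __name__ == "__main__":
    gap = permission_gap(GRANTED_POLICY, USAGE_EVENTS, since=LOOKBACK_START)
    print(f"granted {len(gap['granted'])}, used {len(gap['used'])}, "
          f"unused {len(gap['unused'])} (gap ratio {gap['gap_ratio']})")
    print("unused sensitive:", gap["unused_sensitive"])
    print("right-sized policy:", rightsized_policy(gap))
```

Two caveats before trusting the output of such a comparison: CloudTrail management events do not include S3 object-level calls unless data events are enabled for the bucket, so "unused" S3 actions may simply be unlogged, and the lookback window must be long enough to cover infrequent but legitimate work (quarter-end jobs, disaster-recovery drills) or the right-sized policy will break them.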
2. The problem isn't detection — it's correlation
Cybersecurity alerts have become the proverbial ‘boy who cried wolf’. According to many third-party reports, the average security operations centre handles approximately 10,000 alerts per day.
When security teams are overloaded with alerts, the ones that indicate genuinely malicious activity are overlooked and lost in the sea of warnings. The lack of visibility needed to single out the alerts that matter most is the driver behind one of the biggest cloud security blind spots for organisations.
Security teams should have a unified view across multiple cloud environments with built-in alert scoring for efficient prioritisation.
3. An inability to connect the dots
Data breaches don't happen instantly; they unfold over time. They're a long process of trial and error by the attacker, comprising numerous small steps and activities as the attacker attempts to gain access to sensitive data.
These small steps and activities, many of which are logged as low or medium-priority events, are frequently overlooked. Making matters worse, the average time to detect a data breach is six months. Even when individual events are detected, they are frequently forgotten by the time the next related event arrives. The ‘dots’ never get connected.
The ability to correlate individual events and alerts over time into an attack ‘storyline’ mitigates another major cloud security blind spot and is critical to stopping a data breach before it happens.
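The scoring called for in blind spot 2 and the storyline correlation called for in blind spot 3 are the same mechanism seen from two sides. The following is an added example, not code from the original article: it takes a constructed feed of low and medium alerts, chains alerts per principal when they fall within a time window of each other, scores each chain by alert severity plus a bonus for every distinct attack stage it covers, and ranks the resulting storylines. The alert types, the stage mapping, the weights and the principals are all assumptions made for the example; the point it shows is that a chain of unremarkable alerts outranks any single alert, and that too short a window makes the chain disappear.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed mapping of alert types to a coarse attack stage (hypothetical names).
STAGE_OF = {
    "login_new_geo": 1, "iam_list_users": 2, "s3_list_buckets": 2,
    "s3_get_bucket_policy": 2, "iam_create_access_key": 3, "s3_bulk_get_object": 4,
}
STAGE_NAME = {1: "initial_access", 2: "discovery", 3: "persistence", 4: "collection"}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6}
STAGE_BONUS = 4  # added for every additional distinct stage a chain covers

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def alert(ts, principal, atype, severity):
    return {"ts": _ts(ts), "principal": principal, "type": atype, "severity": severity}

# Constructed alert feed: note that no single alert is rated above "medium".
ALERTS = [
    alert("2024-01-10T07:00:00Z", "svc-reporting", "login_new_geo", "low"),
    alert("2024-03-01T08:12:00Z", "svc-reporting", "login_new_geo", "low"),
    alert("2024-03-01T08:30:00Z", "svc-reporting", "iam_list_users", "low"),
    alert("2024-03-02T10:00:00Z", "alice", "iam_list_users", "low"),
    alert("2024-03-03T22:05:00Z", "svc-reporting", "s3_list_buckets", "low"),
    alert("2024-03-04T11:00:00Z", "bob", "s3_list_buckets", "low"),
    alert("2024-03-06T01:40:00Z", "svc-reporting", "s3_get_bucket_policy", "low"),
    alert("2024-03-09T03:15:00Z", "svc-reporting", "iam_create_access_key", "medium"),
    alert("2024-03-12T02:50:00Z", "svc-reporting", "s3_bulk_get_object", "medium"),
]

def score_chain(principal, chain):
    """Score a time-ordered chain of alerts for one principal."""
    base = sum(SEVERITY_WEIGHT[a["severity"]] for a in chain)
    stages = sorted({STAGE_OF[a["type"]] for a in chain})
    score = base + STAGE_BONUS * (len(stages) - 1)
    if len(stages) >= 3:
        verdict = "critical"          # progression across stages, whatever the per-alert severity
    elif len(stages) == 2 or any(a["severity"] == "high" for a in chain):
        verdict = "review"
    else:
        verdict = "low"
    return {"principal": principal, "score": score, "verdict": verdict,
            "stages": [STAGE_NAME[s] for s in stages],
            "first": chain[0]["ts"], "last": chain[-1]["ts"], "alerts": chain}

def build_storylines(alerts, window_hours=24 * 7):
    """Group alerts per principal; a new alert joins the current chain if it falls
    within `window_hours` of the previous alert in that chain."""
    window = timedelta(hours=window_hours)
    by_principal = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_principal[a["principal"]].append(a)
    storylines = []
    for principal, evs in by_principal.items():
        chain = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - chain[-1]["ts"] <= window:
                chain.append(ev)
            else:
                storylines.append(score_chain(principal, chain))
                chain = [ev]
        storylines.append(score_chain(principal, chain))
    return sorted(storylines, key=lambda s: s["score"], reverse=True)

if __name__ == "__main__":
    for s in build_storylines(ALERTS):
        span = (s["last"] - s["first"]).days
        print(f"{s['verdict']:8} score={s['score']:3} {s['principal']:14} "
              f"{len(s['alerts'])} alerts over {span} days: {' -> '.join(s['stages'])}")
    print("with a 24h window, the best score is",
          build_storylines(ALERTS, window_hours=24)[0]["score"])
```

With the default seven-day window the six alerts against svc-reporting, none of them individually above medium, form one critical storyline that spans eleven days, while alice and bob stay at the bottom of the queue. With a 24-hour window the same six alerts fall into five separate fragments and the top score drops from 22 to 6, which is exactly how the dots fail to get connected; given the six-month detection times mentioned above, per-principal state has to be retained far longer than a typical SIEM correlation window.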