Cloud compromise a doddle for threat actors as victims attest

It takes an average of just three steps for a threat actor to infiltrate a target cloud environment and get to its “crown jewel” assets, and as a result, vast numbers of organisations are now experiencing cloud security incidents, with at least 80% reporting a “severe” incident in the past 12 months.

This is according to two different reports on the state of cloud security released today by sector specialists Orca Security and Snyk, both of which reveal fresh insight into the cyber risks and challenges brought to the fore by widespread cloud adoption, and how security teams are grappling with them.

Orca’s report, compiled by its aptly named Research Pod, analyses workload and configuration data captured from billions of assets on AWS, Azure and Google Cloud in the first seven months of 2022, to identify where gaps exist and what security teams can do to fill them in.

Besides the concerning idea that a threat actor needs only to chain three connected and exploitable weaknesses in a cloud environment to wreak potentially terminal havoc, Orca found the vast majority (78%) of these attack paths began with a known common vulnerability or exposure (CVE) as the initial vector, suggesting organisations are, as ever, failing to patch appropriately.

It also found that organisations continue to leave their cloud storage assets, such as AWS S3 Buckets and Azure Blobs, completely exposed to the public internet, and are not implementing basic security measures such as multi-factor authentication (MFA), encryption and port scanning.

In addition, Orca found that organisations tend to overlook cloud-native services, likely because even though they are easy to spin up, they need regular oversight and configuration.

Some 58% of organisations have serverless functions with unsupported runtimes, and 70% have a publicly accessible Kubernetes API.

Avi Shua, CEO and co-founder of Orca, said: “The security of the public cloud not only depends on cloud platforms providing a safe cloud infrastructure, but also very much on the state of an organisation’s workloads, configurations and identities in the cloud.

”There is still much work to be done in this area, from unpatched vulnerabilities and overly permissive identities, to storage assets being left wide open. It is important to remember, however, that organisations can never fix all risks in their environment. They simply don’t have the manpower to do this. Instead, organisations should work strategically and ensure that the risks that endanger the organisation’s most critical assets are always patched first.”

Besides its headline statistic – that four-fifths of organisations have experienced a severe cloud security incident – be that a data breach, leak, or intrusion – in the past 12 months, Snyk’s report also found that 58% of respondents felt cloud-based risk was likely to grow in the next 12 months, and 25% were worried they had recently suffered a cloud data breach but were unaware of it.

Snyk also found evidence of some scepticism about cloud-native approaches, with 41% saying they introduced more complexity and complication to their efforts around security, particularly in terms of training and collaboration, and access to engineering resources.

However, where respondents had worked to improve their cloud security, they found multiple benefits, including increased collaboration, enhanced productivity and faster innovation.

“This new research should serve as a wake-up call that our collective cloud security risk is universal and will only continue to grow if we double down on outdated approaches and legacy tools,” said Josh Stella, vice-president and chief architect at Snyk.

“The outlook is not entirely dire, however, as the data also clearly reveals that shifting cloud security left and embracing DevSecOps collaboration can allow global organisations to continue their current pace of innovation more securely.”

Snyk’s report was based on a study of more than 400 cloud engineering and security practitioners, as well as leaders from various organisation types and industries.