IBM Security has released new data examining the top challenges and threats impacting cloud security, indicating that the ease and speed at which new cloud tools can be deployed can also make it harder for security teams to control their usage. According to IBM survey data and case-study analysis, basic security oversight issues, including governance, vulnerabilities, and misconfigurations, remain the top risk factors organisations should address to help secure increasingly cloud-based operations. The case-study analysis of security incidents over the past year also sheds light on how cybercriminals are targeting cloud environments with customised malware, ransomware and more.
With businesses rapidly moving to cloud to accommodate remote workforce demands, understanding the unique security challenges posed by this transition is essential for managing risk. While the cloud enables many critical business and technology capabilities, ad-hoc adoption and management of cloud resources can also create complexity for IT and cybersecurity teams. According to IDC, more than a third of companies purchased 30+ types of cloud services from 16 different vendors in 2019 alone. This distributed landscape can lead to unclear ownership of security in the cloud, policy “blind spots” and potential for shadow IT to introduce vulnerabilities and misconfiguration.
In order to get a better picture of the new security reality as companies quickly adapt to hybrid, multi-cloud environments, IBM Institute for Business Value (IBV) and IBM X-Force Incident Response and Intelligence Services (IRIS) examined the unique challenges impacting security operations in the cloud, as well as top threats targeting cloud environments. Top findings include:
- Complex Ownership: 66 percent of respondents surveyed say they rely on cloud providers for baseline security; yet perception of security ownership by respondents varied greatly across specific cloud platforms and percent applications.
- Cloud Applications Opening the Door: The most common path for cybercriminals to compromise cloud environments was via cloud-based applications, representing 45 percent of incidents in IBM X-Force IRIS cloud-related case studies. In these cases, cybercriminals took advantage of configuration errors as well as vulnerabilities within the applications, which often remained undetected due to employees standing up new cloud apps on their own, outside of approved channels.
- Amplifying Attacks: While data theft was the top impact of the cloud attacks studied, hackers also targeted the cloud for cryptomining and ransomware – using cloud resources to amplify the effect of these attacks.
“Many enterprises in the region have already embarked on their transition to the cloud,” said Hossam Seif El-Din, Vice President, Enterprise and Commercial, IBM Middle East and Africa. “As they continue this journey of shifting mission-critical workloads to the cloud and optimising the fundamentals of their business, it is critical to be aware of the complexities of their cloud resources. It is equally critical for their businesses that they are aware and alert to the security risks posed to distributed landscapes.”
Who owns security in the cloud?
A survey from IBM Institute for Business Value found that responding organisations that relied heavily on cloud providers to own security in the cloud, despite the fact that configuration issues – which are typically users’ responsibility – were most often to blame for data breaches (accounting for more than 85 percent of all breached records in 2019 for surveyed organisations).
Additionally, perceptions of security ownership in the cloud for surveyed organisations varied widely across various platforms and applications. For example, the majority of respondents (73 percent) believed public cloud providers were the main party responsible for securing software-as-a-service (SaaS), while only 42 percent believed providers were primarily responsible for securing cloud infrastructure-as-a-service (IaaS).
While this type of shared responsibility model is necessary for the hybrid, multi-cloud era, it can also lead to variable security policies and a lack of visibility across cloud environments. Organisations that are able to streamline cloud and security operations can help reduce this risk, through clearly defined policies which apply across their entire IT environment.
Top threats in the cloud: Data theft, cryptomining and ransomware
In order to get a better picture of how attackers are targeting cloud environments, X-Force IRIS incident response experts conducted an in-depth analysis of cloud-related cases the team responded to over the past year. The analysis found:
- Cybercriminals Leading the Charge: Financially motivated cybercriminals were the most commonly observed threat group category targeting cloud environments in IBM X-Force incident response cases, though nation state actors are also a persistent risk.
- Exploiting Cloud Apps: The most common entry point for attackers was via cloud applications, including tactics such as brute-forcing, exploitation of vulnerabilities and misconfigurations. Vulnerabilities often remained undetected due to “shadow IT,” when an employee goes outside approved channels and stands up a vulnerable cloud app. Managing vulnerabilities in the cloud can be challenging, since vulnerabilities in cloud products remained outside the scope of traditional CVEs until 2020.
- Ransomware in the Cloud: Ransomware was deployed 3x more than any other type of malware in cloud environments in IBM incident response cases, followed by cryptominers and botnet malware.
- Data Theft: Outside of malware deployment, data theft was the most common threat activity IBM observed in breached cloud environments over the last year, ranging from personally identifying information (PII) to client-related emails.
- Exponential Returns: Threat actors used cloud resources to amplify the effect of attacks like cryptomining and DDoS. Additionally, threat groups used the cloud to host their malicious infrastructure and operations, adding scale and an additional layer of obfuscation to remain undetected.
To view the X-Force IRIS Cloud Security Landscape Report, download the full report here.