Dive Brief:
- Since March 2020, security incidents rooted in disabled encryption in SQL databases increased 212%, according to Palo Alto Networks' Unit 42 1H 2021 Cloud Threat Report, released Tuesday. Unit 42 determined security teams were "not using [infrastructure as code] at all" or missing vulnerabilities.
- More than one-third of global businesses have internet-accessible cloud storage. The configuration is justified in some cases, but Unit 42 found 30% of those businesses store sensitive or personally identifiable information (PII) in internet-facing cloud storage. The exposed sensitive data was of note to researchers as "anyone who knows the right URLs can access the data without passwords or other authentication," the report said.
- Ninety-three percent of malware found in cloud storage is in executable (.exe) or dynamic link library (.dll) files. Cloud storage data contains less than 0.01% of malware, though researchers recommended an investigation into how the malware penetrated storage.
Dive Insight:
As companies implemented more cloud-based solutions during the pandemic, security fell behind services rooted in continuity and productivity.
In Q2 2020, cloud security incidents increased 188%, compared to October 2019 and February 2020, according to the report. Companies were migrating quickly at the expense of delayed mitigations and automated cloud security.
"One of the most worrisome findings in our research is that the increase of security incidents can be much faster than the increase of cloud workloads," Jay Chen, senior cloud researcher at Palo Alto Networks' Unit 42, told Cybersecurity Dive in an email. "These non-proportional changes are likely due to the sudden increase of the cloud workloads" without DevSecOps to monitor any alterations.
Over the next five years, the industry expects a 164% increase in application development security skill growth, followed by a 115% increase in cloud security skill growth, according to data from (ISC)².
Catching misconfigurations without IaC is an uphill battle. "IaC makes a large number of cloud resources more manageable. It helps create, update and decommission cloud resources in a repeatable and auditable way," said Chen.
While misconfigurations are likely unknown today, they have the potential to become critical vulnerabilities. "We may see an increasing number of unmanaged, outdated or decommissioned cloud resources years from now," said Chen. Enabling cloud services and applications is quick and easy but leaves maintenance responsibility to the cloud customer.
Oftentimes companies fail to adjust default security settings from vendors. There's a sense of "secure enough" default settings from cloud service providers (CSPs) to apply to most customers before they customize the settings for their business' needs, said Chen.
Hastened cloud migrations are often accompanied by tradeoffs. While the lift-and-shift strategy can alleviate downtime, there's a good chance companies will migrate decades' worth of "junk" data to the cloud too, which contributes to storing more data than necessary.
The cloud enables over-consumption of PII because of its ease and scalability. Companies need data visibility to understand what security controls are required, regardless of the type of data or its storage method.