CLOUDTWEAKS CONTRIBUTOR PROGRAM

Join the CloudTweaks thought leadership contributor program which includes a customized profile, branded identity page, newsletter marketing, social amplification and more...

The program is currently available to consultants, influencers or executive level contributors.

Gerrit Lansing

Cyber Attackers Targeting the Keys to the Cloud Kingdom

Cyber Attacking Targets

Privileged Credentials Used to Administer Cloud Services Make an Attractive Target and Entry Point for Attackers

In recent weeks, cyber attacks ranging from Operation Cloud Hopper to the breach at FlexiSpy demonstrate the vulnerable, expanded attack surface associated with greater cloud adoption. As organizations work to secure their applications and other sensitive assets in the cloud as part of their digital transformation strategies, these attacks demonstrate the need to quickly implement consistent security controls across cloud and on-premises environments.

The risk and potential attack surface posed by privileged credentials, which include API and SSH keys, increases exponentially in dynamic cloud environments – and were a common denominator in these attacks.

security attacks

In many cases, the first target of attackers are the privileged credentials used to administer cloud services, such as Infrastructure as a Service or Database as a Service. In on-premises environments, privileged credentials are referred to as the keys to the IT kingdom. Now, increasingly cloud-first organizations must adapt to an expanding attack surface and adopt proactive strategies for also protecting these keys. All it takes is a user with administrative privileges for cloud services to click on one phishing email to give an attacker access to the entire cloud infrastructure.

Cloud Security – A Shared Responsibility

One common misunderstanding when it comes to cloud security is who is responsible for what. This level of uncertainty can create gaps that attackers will exploit to infiltrate your network.

Almost every cloud vendor points out in the terms of agreement that security in the cloud is a shared responsibility. But that division of responsibility must be clearly understood by both parties.

Cloud vendors are responsible for security of the cloud — this includes computing, storage and networking resources, as well as the physical infrastructure and making sure services are delivered securely. This is only a partial security solution. Organizations are responsible for securely using the cloud, including ensuring the security of applications deployed in the cloud and securely using cloud infrastructure.

If your organization relies solely on the cloud vendor for security, you’re exposed to unnecessary risk. Being proactive in cloud security is a requirement to face down today’s cyber threats. While there are several steps that are needed to protect cloud infrastructure, the best place to start is protecting the privileged access necessary for administering cloud services.

Protecting Access to the Cloud Kingdom

Just like in the on-premises world, privileged credentials provide root-like access to cloud infrastructure and can extend security risk to hybrid environments. Most cloud providers rely heavily on APIs. Access to cloud services can be driven automatically by APIs or manually through the management consoles. Either way, that privileged access must be locked down and protected.

With public cloud vendors like AWS or Azure, an organization’s entire cloud infrastructure is accessed through interfaces and APIs with privileged credentials. These powerful credentials are attractive targets because they enable the set up and configuration of the entire cloud infrastructure, including setting security parameters and providing broad access to on-premises infrastructure.

Securing cloud assets starts with securing administrative privileges. Privileged and administrative credentials that are used to authenticate access to the management console and APIs should always be stored in a secure vault and rotated after every use. This is true for on-premises, and remains true in the cloud.

Hardcoded and Embedded Credentials Can Threaten Your Cloud

Applications and scripts running in the cloud require access to resources, such as APIs for cloud services, or other application layers, customer databases and other sensitive assets. The access is typically provided by hardcoding or embedding access credentials (including certificates and API keys) into the application, often in clear text. This is a troubling and unnecessary vulnerability, resulting in many hardcoded credentials being used through cloud and even hybrid environments.

These credentials represent a static, easy target for attackers to exploit. For example, DevOps teams often share source code developed on repositories like GitHub. It’s part of the process – but is also a common example of how embedded passwords and credentials can become public if they’re hardcoded. Even if the code is only saved in the enterprise’s internal code repositories, they can still be easily accessed by other developers and used inadvertently, or maliciously. Additionally, it’s nearly impossible to fully identify which credentials, applications or scripts are being used to interact with other applications and assets.

In an on-premises environment, not knowing everywhere embedded credentials are used may not have been as risky, exploitable or potentially damaging. In today’s world, a configuration of this nature is an unacceptable risk to the entire organization.

To minimize these risks, organizations should never hardcode passwords and keys used by applications. In accordance with best practices, these credentials should be secured like any other privileged credential used by IT administrators – stored in a secure digital vault and rotated according to existing policy. This allows IT administrators to gain visibility into what applications are accessing these credentials, and when the application is retired, the privileged credential can be turned off.

Taking Responsibility for Cloud Security

Whether your enterprise is fully in the cloud, or is migrating – finding and securing the privileged credentials used by IT administrators, applications and scripts is a critical part of security. And in most cases — it’s the organization’s responsibility. Risk management in the cloud needs to be prioritized with the same, consistent policy enforcement that organizations use on-premises.

By Gerrit Lansing, Chief Architect, CyberArk

Cloud Syndicate

The 'Cloud Syndicate' is a mix of short term guest contributors, curated resources and syndication partners covering a variety of interesting technology related topics.

Contact us for syndication details on how to connect your technology article or news feed to our syndication network.

The Lighter Side Of The Cloud - Black Friday Online
The Lighter Side Of The Cloud - Lost
The Lighter Side Of The Cloud - Autonomous Sleigh
The Lighter Side Of The Cloud - Which One?
The Lighter Side Of The Cloud - Bullseye
Quantum Computing opens new front in Cloud!

Quantum Computing opens new front in Cloud!

Quantum Computing As the amount of data in the world is rapidly increasing, so is the time required for machines to ...
Cloud Communications Security: Whose Business Is It, Anyway?

Cloud Communications Security: Whose Business Is It, Anyway?

Cloud Communications Security Don’t count on cloud providers to provide all your UCaaS security It’s official: Unified Communications-as-a-Service (UCaaS) has ...
Bryan Doerr

Cyber-Threats and the Need for Secure Industrial Control Systems

Secure Industrial Control Systems (ICS) Industrial Control Systems (ICS) tend to be “out of sight, out of mind.” These systems ...
DATA SOVEREIGNTY

Data Sovereignty: the ONLY truly safe path to avoid Privacy Shield turmoil

DATA SOVEREIGNTY India is following Russia and others in imposing data sovereignty restrictions that specify that data must remain in ...
Chris

How to Avoid Becoming Another Cloud Security Statistic

Cloud Security Statistic Last year, Gartner predicted that, by 2020, 95 percent of all cloud security failures will be caused ...
Why ‘Data Hoarding’ Increases Cybersecurity Risk

Why ‘Data Hoarding’ Increases Cybersecurity Risk

Data Hoarding The proliferation of data and constant growth of content saved on premise, in cloud storage, or a non-integrated ...
A Smart Data Approach to Assurance in a Hybrid Cloud Environment

A Smart Data Approach to Assurance in a Hybrid Cloud Environment

Smart Data Microsoft and Amazon both reported significant growth in their cloud businesses recently. Revenue for Microsoft’s Azure increased by ...
15 Promising Cloud-Based Video Conferencing Services

15 Promising Cloud-Based Video Conferencing Services

Cloud Video Conferencing Services We have put together a compilation of some of the best cloud based conferencing services for businesses. The cloud video conferencing services market is expected to reach US$ 6.40 Billion by 2020 from the current $3.31 ...
Automate Service Management

[Free eBook] 150 Ways to Automate Service Management Throughout Your Organization…

Think about an IT Service Catalog as a supermarket of available services. Everyone in your company requests and delivers services from each other. From Human Resources and Marketing to Facilities and Procurement, each department is a service provider to the ...
Glassdoor’s 10 Highest Paying Tech Jobs Of 2018

Glassdoor’s 10 Highest Paying Tech Jobs Of 2018

Glassdoor is best known for its candid, honest reviews of employers written anonymously by employees. It is now common practice and a good idea for anyone considering a position with a new employer to check them out on Glassdoor first. With ...
Key Findings of the 2018 IDG Cloud Computing Study

Key Findings of the 2018 IDG Cloud Computing Study

IDG Cloud Computing Study The results of the 2018 IDG Cloud Computing study highlight how interest in the technology isn’t fading and a growing number of companies are embracing it or at least want to do so. The survey, which ...
Network Management Software Buyer Guide 2018

Network Management Software Buyer Guide 2018

This concise data-driven report covers the Network Management software landscape, as of August 2018. he 24-page report includes: Market Overview - Top 10 Network Management products in 2018, User reviews and vendor size data, In-depth look at the Top 3 ...