The US Department of Homeland Security (DHS) has launched an investigation into the threat of cyberattacks against cloud computing environments. The move comes in the wake of a major attack on Microsoft’s Azure cloud infrastructure, which has prompted intense scrutiny of the company’s handling of the incident.
The investigation is being conducted by the Cyber Safety Review Board (CSRB), a joint public-private subgroup established by DHS. Over the past year and a half, the CSRB has conducted reviews of the Log4j vulnerability and the Lapsus$ group, the results of which were released recently. This latest endeavor will focus on the “issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs [Cloud Service Providers] and their customers,” according to DHS.
Experts have welcomed the investigation as a positive step towards addressing the vulnerabilities present in cloud security services today. Craig Burland, CISO at Inversion6, believes that the government’s intervention is necessary to improve default protections for all cloud clients. Burland notes that while there may be opposition to the government’s involvement in regulating cloud security, organizations of all sizes stand to benefit from a shift in shared responsibility.
Karen Walsh, CEO at Allegro Solutions, sees the investigation as a step towards implementing the US National Cybersecurity Strategy’s Objective 2.4, which aims to prevent the abuse of US-based infrastructure. She believes that the review will help address the lack of clarity regarding responsibilities in securing cloud environments and improve communication between vendors and customers.
The investigation by DHS was prompted by the recent breach of Microsoft’s Azure cloud service. The breach, carried out by a Chinese APT known as Storm-0558, compromised numerous public sector agencies and private companies. The full extent of the damage caused by the breach is still unclear. DHS began considering the incident as a subject for the CSRB’s review as soon as it learned of the breach in July.
Microsoft’s handling of the breach has come under criticism from security experts. Claude Mandy, chief evangelist for data security at Symmetry Systems, highlights the lack of transparency from Microsoft in providing details about the breach and its potential impact. He also criticizes the company for restricting essential security features unless customers pay an additional fee, although Microsoft has since reversed this policy.
Tenable, a cybersecurity research firm, published details of a separate vulnerability in Azure that allowed unauthorized access to cross-tenant applications and sensitive data. Tenable’s researchers discovered authentication secrets to a bank, highlighting the severity of the vulnerability. Microsoft claims to have mitigated the issue for a majority of customers but Tenable disputes this, stating that existing applications developed before the remediation are still affected.
The hope is that the DHS investigation will help address the issues highlighted by these incidents and improve the shared responsibility model for securing cloud environments. Karen Walsh believes that cloud service providers should bear more burden under this model, as they have more resources than their customers. Craig Burland states that the findings of the CSRB could prompt immediate changes to the shared responsibility model, ultimately strengthening the defense against cybersecurity threats.
Ultimately, the investigation by DHS represents an important step towards improving the security of cloud computing environments. By addressing the vulnerabilities and shortcomings in the shared responsibility model, it is hoped that the government can foster a more robust cybersecurity infrastructure that protects both cloud service providers and their customers.