In the realm of cybersecurity, managing cloud environments can be compared to playing three-dimensional chess rather than the traditional version. While the ultimate goals remain the same — reducing risk, protecting confidential data, and meeting compliance requirements — the intricacies of the cloud add a complexity that changes the entire dynamic. Factors such as the cloud’s unique architecture, lack of change controls, and the subtle and not-so-subtle differences in various cloud platforms’ design and operations make cloud security a more intricate task.
Although the transition to infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), and serverless computing has become commonplace, some individuals who were trained in on-premises environments still bring that operational bias to managing clouds. However, the nature of cloud environments necessitates a different mindset for understanding and managing the new attack surface.
Many organizations utilize multiple cloud vendors, either to meet specific operational needs, optimize price and performance, or access specialized capabilities. The majority of midsize to large organizations employ two or more clouds in combination with on-premises servers and infrastructure, resulting in a hybrid cloud setup. Microsoft Azure is often the preferred choice for running Windows applications, while Amazon Web Services (AWS) is popular for large-scale web apps. Google Cloud Platform (GCP) is known for its analytics capabilities, and some organizations use it solely as their data lake platform.
To effectively protect each cloud environment, cybersecurity teams must become experts in the security of each one. However, the additional work of managing multiple clouds is often underestimated, because each cloud has a distinct attack surface. Splitting workloads across two clouds therefore nearly doubles the knowledge and work required compared to consolidating all workloads in a single cloud.
Another significant difference between on-premises data centers and cloud environments is the presence of a well-defined demilitarized zone (DMZ) in physical data centers. This DMZ serves to protect external-facing services and involves multiple security controls and monitoring. In contrast, the DMZ in cloud environments is more of a logical construct that may not align with an organization’s mental model. Scans often reveal unexpected vulnerabilities that expose organizational data outside of the intended environment. Effectively managing the DMZ in the cloud requires specialized expertise that may not be present in security architects who primarily focus on on-premises networks.
One unique challenge in cloud environments is the potential for attackers to use multitenant cloud services to communicate in and out of an environment without that traffic ever crossing the tenant's network. For example, an attacker who gains access to an AWS environment may move data to or from an S3 bucket, and because that transfer occurs entirely within the cloud service provider's infrastructure, the tenant's network monitoring never sees it. If the same activity occurred in an on-premises network, it would likely be flagged and the security team alerted. Each cloud service has its own features and controls, some of which may enable this kind of hidden external communication. Therefore, cybersecurity teams must diligently find and secure all services, not just the ones intended for use.
Cloud providers regularly make updates to their services, introducing new features, improving existing capabilities, or changing default settings. Even services not intended for use can introduce risks, as attackers can exploit them to establish external communications within an environment. Additionally, providers might change the default configurations of their services, inadvertently exposing users to more risk. This is not merely a theoretical concern; attackers are already taking advantage of these capabilities. On the other hand, in on-prem data centers, organizations have control over software updates and can avoid installing unnecessary software that could increase their risk exposure. However, a common challenge in on-prem data centers is the delayed patching of known vulnerabilities.
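Because the S3-style traffic described above never touches the tenant's network, the only place to catch it is the provider's own audit trail. As an added example that is not part of the original article, the following Python triages constructed CloudTrail-style events for the two risks just discussed: S3 writes that land in a bucket owned by another account, and activity on services outside the organization's approved list. The tenant account id, bucket names, principal ARNs and approved-service set are all assumptions.

```python
"""Triage constructed CloudTrail-style events for S3 writes that leave the tenant's
account and for calls to services the organization never intended to use."""

TENANT_ACCOUNT = "111111111111"  # assumed tenant account id (constructed)
# Assumed allowlist of services the organization intends to run.
APPROVED_SERVICES = {"ec2.amazonaws.com", "s3.amazonaws.com", "sts.amazonaws.com"}

# Constructed sample events, reduced to the fields the checks below need.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"},
     "resources": [{"type": "AWS::S3::Bucket", "accountId": "111111111111",
                    "ARN": "arn:aws:s3:::tenant-app-data"}]},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"},
     "resources": [{"type": "AWS::S3::Bucket", "accountId": "999999999999",
                    "ARN": "arn:aws:s3:::someone-elses-bucket"}]},
    {"eventID": "e3", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"}, "resources": []},
]


def cross_account_s3_write(event):
    """True when an S3 write targets a bucket owned by a different account.
    Such a transfer stays inside the provider's infrastructure, so the tenant's
    network sensors cannot observe it; only the audit log shows the bucket owner."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if not event.get("eventName", "").startswith(("Put", "Copy", "Upload")):
        return False
    return any(r.get("type") == "AWS::S3::Bucket"
               and r.get("accountId") not in (None, TENANT_ACCOUNT)
               for r in event.get("resources", []))


def unapproved_service(event):
    """True when the call went to a service outside the approved allowlist."""
    return event.get("eventSource") not in APPROVED_SERVICES


def triage(events):
    """Return (eventID, reason) pairs for every event that trips a check."""
    findings = []
    for e in events:
        if cross_account_s3_write(e):
            findings.append((e["eventID"], "s3-write-to-foreign-account"))
        if unapproved_service(e):
            findings.append((e["eventID"], "unapproved-service:" + e["eventSource"]))
    return findings


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```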
Understanding the structural and operational differences between on-premises and cloud operations is crucial for effective cloud security. It may seem convenient to allow each business unit to choose its preferred cloud platform, but this approach often leads to substantial additional work to secure each cloud individually. Ignoring the risks and failing to prioritize training and staffing for cloud security can leave organizations vulnerable to advanced attackers who focus on exploiting their cloud footprint. The innovative cloud attacks seen today will likely become the standard breaches of tomorrow.
