How can companies and employees who start to adapt to hybrid working practices protect themselves against cloud security threats?
When government lockdowns forced workers to stay home en masse for much of 2020, one technology was there to pick up the pieces. Without the three main cloud computing models, software-, platform- and infrastructure-as-a-service (SaaS, PaaS and IaaS, respectively), it’s unlikely many organizations would have survived those dark days. But as data and users migrated to the cloud in vast numbers, those same platforms quickly became a major target for attack.
According to one study, 90 percent of global CXOs reported an increase in cyberattacks in the early days of the pandemic, and even more (98 percent) saw an increase in security challenges in the first two months of the shift to remote work. Much of this will undoubtedly have been cloud-related. The trick now that a new hybrid workplace is emerging will be to manage these challenges more effectively, in a way that reduces cyber-risk without impacting user productivity.
Security for the hybrid workplace:
The hybrid workplace: What does it mean for cybersecurity?
Protecting the hybrid workplace through Zero Trust security
Tackling the insider threat to the new hybrid workplace
How cloud saved the day
The headline figures were astonishing. For example, video conferencing start-up Zoom has said that it went from 10 million to over 200 million active users between December 2019 and March 2020. Microsoft claimed its rival Teams platform had over 200 million meeting participants in a single day in April, amounting to what CEO Satya Nadella described as “two years’ worth of digital transformation in two months.”
Third-party research backs-up these bold claims. A Snow Software study in June 2020 revealed 52 percent of global organizations had increased their reliance on cloud-based video conferencing platforms, while three-quarters (76 percent) said they’d spent more on cloud infrastructure from the likes of Microsoft Azure, Google and Amazon Web Services. The adoption of cloud computing will only continue to increase, with Gartner predicting recently that spending on public cloud services will grow 18.4 percent in 2021.
It’s easy to see why. The ability to log-on from anywhere in the world and access corporate data and applications, host meetings and collaborate with colleagues was absolutely invaluable to users in lockdown. Larger scale IaaS deployments, meanwhile, helped to support new customer-facing websites, applications and go-to-market strategies to engage customers online. From hosted email and CRM to innovative new B2C services, the cloud in all its guises was there to keep organizations operational when they needed it most.
Why is cloud a remote working risk?
Yet security has always been the elephant in the room when it comes to cloud. With SaaS, it effectively expands the traditional corporate perimeter, putting data in the hands of a third-party provider and out of the control of IT.
The cloud entails greater complexity, which can create security gaps – especially if organizations are running multiple hybrid clouds alongside on-premises servers, some of which may need to be accessed via VPN. This is challenging for IT to run securely and it’s certainly challenging for employees to use securely. On average, 92 percent of organizations have a multi-cloud strategy today and 82 percent have a hybrid cloud strategy.
The cloud expands the corporate attack surface significantly for threat actors – providing more to aim at in the form of misconfigured accounts and systems, weak passwords and vulnerabilities. Add to this the use of insecure home networks and devices and poorly trained, distracted users and you have a perfect storm for remote working cyber-risk.
Some key cloud security challenges
These threats aren’t theoretical. Over the course of the pandemic we’ve seen first-hand how the cloud has been targeted by threat actors, and unwittingly exposed by developers and users. Here are some of the most notable examples:
Phishing: As employees are handed the keys to more corporate SaaS accounts, their log-ins become a greater phishing risk. In the early days, many of these phishing attacks were focused around COVID-specific lures. Google claimed in April 2020 to be blocking 18 million malicious and phishing emails related to the pandemic each day. Credentials could be used to unlock business applications and in brute force attacks to try against other accounts. Over half a million Zoom accounts were found up for sale on the dark web thanks to credential stuffing.
Misconfiguration: This could take two forms. The first involves simply failing to switch on the right security and privacy settings in apps such as video conferencing, potentially exposing your chats to eavesdroppers. This is the risk that gave rise to Zoombombing, although Zoom has since improved built-in security a great deal and switched many of the most important settings on by default.
A second, perhaps more dangerous type of misconfiguration, returns us to the issue of multi- and hybrid cloud complexity. IT teams regularly leave storage buckets open to all-comers by failing to apply the right policies to accounts. The bad news is that hackers are increasingly scanning for these exposed databases.
Vulnerabilities: Humans are fallible, and so is their code. During the pandemic, major zero-days were discovered in Zoom and other SaaS apps which could have enabled attackers to take remote control of users’ devices. In-house web applications hosted in the cloud are also at risk. According to one estimate, basic web application attacks were responsible for over 20% of breaches last year.
How to improve cloud security for hybrid workers
The good news is that security experts like ESET have been promoting best practices in cloud security for years. While there’s no silver bullet, the following will help to mitigate cyber-risk as your employees start to adapt to new hybrid working practices:
- Classify enterprise data flowing through the cloud and put in place appropriate controls
- Understand the shared responsibility model for cloud security
- Strong encryption for data residing in the cloud at rest and in transit
- Strong passwords (use a password manager)
- Multi-factor authentication (MFA) for all accounts
- Restrict access to sensitive accounts with a policy of least privilege
- Consider using a cloud access security broker to coordinate authentication and encryption
- Configure SaaS accounts properly according to your risk appetite (security and privacy settings)
- Use a cloud security posture management (CSPM) tool to flag IaaS misconfigurations
- Regular staff security training on how to spot phishing
- Prompt risk-based patching of all cloud servers and software
- Consider Zero Trust approach to reduce the impact of cloud breaches
Cloud computing will increasingly be the norm rather than the exception for business IT. Get ahead of the game now on security and your organization can drive major business benefits while managing cyber-risk to acceptable levels.
written by Phil Muncaster, ESET We Live Security