Securing the slow but inevitable transition from traditional network and application infrastructures to the Cloud has long been a point of emphasis.
The COVID-fueled acceleration of Cloud-first infrastructures, combined with tectonic shifts in the Cloud threat model and a substantial lack of cloud-security-specific talent, has us fighting next-generation attackers with last-generation thinking.
We are past the point of no return: research from Fortinet shows 39% of companies have more than half of their workloads in the cloud, and 58% plan to within the next 12-18 months.
While on-premise infrastructure is well understood and monitored, in the cloud organizations have lost sight - literally and figuratively - of the vast differences between the assets they know and those for which they have now ceded oversight to others.
Changes happen outside of enterprise purview by multiple entities, from business units to the cloud providers themselves.
Each time a cloud asset is added, removed, or changed, the organization's security posture is put at risk.
Most companies don't have clear insight into all the applications, systems, and data they are running in the cloud, and for more than 75% of companies these are spread across multiple clouds.
While open buckets and misconfigurations get the most attention, they are only a fraction of the risks that security teams must account for, including sensitive data movement, access misuse/abuse, insecure interfaces/APIs, external sharing, hijacking, and malicious insiders.
The range of understanding about how best to assess the security of cloud infrastructure and assets is as varied as the issues themselves.
Some put trust in the cloud provider controls; some apply on-premise methodologies and concepts in a range of new tools and services.
The most forward-looking organizations are going beyond cloud asset and activity enumeration, to understanding how cloud assets can be compromised, and the paths to and between assets that represent real business risk.
The only real test of organizational cloud vulnerability is how it withstands an attack.
Much like applications and code, a corporate cloud can be subjected to a penetration test.
This involves simulating an attack on a cloud environment via a compromised asset and/or conducting manual penetration tests based on specific objectives, not simply assets.
While important and a good way of determining the strength of individual asset compliance with security best practices, this approach fails to provide an accurate representation of how the controls will perform against real-world attacks or even account for all the risks facing cloud resources.
Infrastructure testing - Cloud Security Reviews provide strong inventories of assets, controls and configurations that may be sub-optimal and at risk of compromise.
Posture Review - examines optimal composition and coordination of overall cloud protections and best practices for securing cloud environments.
In contrast, Cloud penetration testing is about identifying exploitable findings and focusing on vulnerabilities that matter, to provide actionable recommendations and effect quantifiable improvement.
While applications and cloud infrastructure present different risk profiles and require different security assessments, they must not be viewed separately with regard to enterprise defense.
This continued expansion of business assets and operations in the Cloud highlights the need for a comprehensive view and approach that acknowledges the singular focus and coordinated approach attackers will take to achieve their goal.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 04 Dec 2023 17:14:55 +0000