The Biden administration may eye CSPs to improve security, but the real caveat emptor? Secure thyself

The White House press conference podium. Image: Maksym Yemelyanov/Adobe Stock

President Joe Biden’s administration, as part of its recently released National Cybersecurity Strategy, said critical sectors such as telecommunications, energy and healthcare rely on the cybersecurity and resilience of cloud service providers.

Yet, recent reports suggest the administration has concerns that major cloud service providers constitute a massive threat surface, one through which an attacker could disrupt public and private infrastructure and services.

That concern is hard to argue with given the monolithic nature of the sector. Research firm Gartner, in its most recent look at worldwide cloud infrastructure-as-a-service market share, put Amazon on top, leading with revenue of $35.4 billion in 2021, with the rest of the market share breakdown as follows:

  • Amazon: 38.9%
  • Microsoft: 21.1%
  • Alibaba: 9.5%
  • Google: 7.1%
  • Huawei: 4.6%

The Synergy Group reported that together, Amazon, Microsoft and Google accounted for two-thirds of cloud infrastructure revenues in the three months ending Sept. 30, 2022, with the eight largest providers controlling more than 80% of the market, translating to three-quarters of web revenue.



A focus on cloud service providers?

The administration’s report noted that threat actors use the cloud, domain registrars, hosting and email providers, as well as other services to conduct exploits, coordinate operations and spy. Additionally, it advocated for regulations to drive the adoption of secure-by-design principles and said that regulations will define “minimum expected cybersecurity practices or outcomes.”

Also, it will “identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services and work with industry, Congress and regulators to close them,” according to the administration report.

If the administration is speaking to CSPs controlling traffic through vast swaths of the global web with an eye to regulating their security practices, it may be moot, as CSPs already have strong security protocols in place, noted Chris Winckless, senior director analyst at Gartner.

“Cloud providers appear from all evidence to be highly secure in what they do, but the lack of transparency on how they do so is a concern,” Winckless said.



However, Winckless also said there are limits to resilience, and the buck ultimately lands on the customer’s desk.

“The use of the cloud is not secure, either from individual tenants, who don’t configure well or don’t design for resiliency, or from criminal/nation-state actors, who can take advantage of the dynamism and pay for flexibility model,” he added.

Cloud providers already offering enough

Chris Doman, chief technology officer of cloud incident response firm Cado Security, said major cloud service providers are already the best at managing and securing cloud infrastructure.

“To question their abilities and infer that the U.S. government would ‘know better’ in terms of regulation and security guidance would be misleading,” Doman said.

Imposing “know-your-customer” requirements on cloud providers may be well intentioned, but it risks pushing attackers to use services that are further from the reach of law enforcement, he said.

The biggest threat to cloud infrastructure is physical disaster, not technology failures, Doman said.

“The financial services industry is a great example of how a sector diversifies activity across multiple cloud providers to avoid any points of failure,” said Doman. “Critical infrastructure entities modernizing towards the cloud need to think about disaster recovery plans. Most critical infrastructure entities are not in a position to go fully multicloud, limiting points of exposure.”

Cloud customers need to implement security

While the Biden administration said it would work with cloud and internet infrastructure providers to identify “malicious use of U.S. infrastructure, share reports of malicious use with the government” and “make it easier for victims to report abuse of these systems and more difficult for malicious actors to gain access to these resources in the first place,” doing so could pose challenges.

Mike Beckley, founder and chief technology officer of process automation firm Appian, said that the government is rightly sounding the alarm over the vulnerability of government systems.

“But, it has a bigger problem, and that is that most of its software isn’t from us or Microsoft or Salesforce or Palantir, for that matter,” said Beckley. “It’s written by a low-cost bidder in custom contracts and, therefore, sneaks by most rules and constraints we operate by as commercial providers.

“Whatever the government thinks it’s buying is changing every day, based on least experience or least qualified, or even the most malicious contractor who has the rights and permissions to upload new libraries and codes. Every single one of those custom-code pipelines has to be built up for every project and is therefore only as good as the team that is doing it.”

It’s on customers to defend against major cloud-based threats

Seeking out malefactors is a big ask for CSPs like Amazon, Google and Microsoft, said Mike Britton, chief information security officer at Abnormal Security.

“Ultimately, the cloud is just another fancy word for outside servers, and that digital space is now a commodity: I can store petabytes for pennies on the dollar,” said Britton. “We now live in a world where everything is API- and internet-based, so there are no barriers as there were in the old days.



“There is a shared responsibility matrix, where the cloud provider handles issues like hardware operating system patches, but it is the customer’s responsibility to know what is public facing and opt in or out. I do think it would be good if there were the equivalent of a ‘no’ failsafe asking something like ‘Did you mean to do that?’ when it comes to actions like making storage buckets public.

“Taking your 50 terabytes in an S3 storage bucket and accidentally making it publicly available is potentially shooting yourself in the foot. So, cloud security posture management solutions are useful. And consumers of cloud services need to have good processes in order.”

Major threats to your cloud operations

Check Point Security’s 2022 Cloud Security report listed leading threats to cloud security.

Misconfigurations

Misconfigurations are a leading cause of cloud data breaches, and organizations’ cloud security posture management strategies are inadequate for protecting their cloud-based infrastructure from them.

Unauthorized access

Cloud-based deployments outside of the network perimeter and directly accessible from the public internet make unauthorized access easier.

Insecure interfaces and APIs

CSPs often provide a number of application programming interfaces and interfaces for their customers, according to Check Point, but security depends on whether a customer has secured the interfaces for their cloud-based infrastructures.

Hijacked accounts

Not a surprise, password security is a weak link and often includes bad practices like password reuse and the use of poor passwords. This problem exacerbates the impact of phishing attacks and data breaches since it enables a single stolen password to be used on multiple different accounts.

Lack of visibility

An organization’s cloud resources are located outside of the corporate network and run on infrastructure that the company does not own.

“As a result, many traditional tools for achieving network visibility are not effective for cloud environments,” Check Point noted. “And some organizations lack cloud-focused security tools. This can limit an organization’s ability to monitor their cloud-based resources and protect them against attack.”

External data sharing

The cloud makes data sharing easy, whether through an email invitation to a collaborator, or through a shared link. That ease of data sharing poses a security risk.

Malicious insiders

Although paradoxical since insiders are inside the perimeter, someone with bad intent may have authorized access to an organization’s network and some of the sensitive resources it contains.

“On the cloud, detection of a malicious insider is even more difficult,” said Check Point’s report. “With cloud deployments, companies lack control over their underlying infrastructure, making many traditional security solutions less effective.”

Cyberattacks as big business

Cybercrime targets are mostly based on profitability. Cloud-based infrastructure that is accessible to the public from the internet can be improperly secured and can contain sensitive and valuable data.

Denial-of-service attacks

The cloud is essential to many organizations’ ability to do business. They use the cloud to store business-critical data and to run important internal and customer-facing applications.

Ethical hacking may secure operations in the cloud and on-premises

It’s important for organizations to secure their own perimeters and conduct a regular cadence of tests on vulnerabilities, both internal and external.

If you want to hone your ethical hacking skills for web pen testing and more, check out this comprehensive TechRepublic Academy ethical hacking course bundle.


