Nine in ten cyberattacks against cloud environments involved compromised privileged credentials according to a survey of 150 IT decision-makers in the U.S. conducted by the market research firm Censuswide.
In total, 65% of respondents said they have been made aware of attempted attacks on their cloud environments, with 80% of those respondents admitting their cloud environments were successfully compromised.
Sponsored by Centrify, a provider of privileged access management tools, the survey makes it clear just how credentials are at a time when many organizations have become considerably more concerned about the integrity of their software supply chains in the wake of a raft of high-profile security breaches through which malware was embedded within a widely employed network management application.
The survey makes it apparent security issues are a concern regardless of what type of cloud is employed. Nearly half of respondents (45%) have set up a private cloud, while nearly a third (31%) use hybrid and multi-cloud environments. Just under a quarter (23%) rely exclusively on a public cloud.
Managing multi-cloud environments is the greatest cloud transition challenge (36%), followed by cybersecurity risks and cloud migration tied at 22% and maintaining compliance at 19%, the survey also finds.
Cybercriminals are targeting credentials mainly because many of the controls that IT teams historically had in place in their on-premises IT environments have been abandoned in the name of expediency in the age of the cloud. Not only do application developers provision their own infrastructure, but the number of individuals that have access to those cloud services that are not directly employed by an organization is also considerably higher. It’s not uncommon for a wide range of consultants to have credentials that enable them to easily access cloud applications and the infrastructure they run on.
Making matters even more challenging, it’s also not uncommon for cloud services to be misconfigured. Developers using tools such as Terraform to manage infrastructure as code routinely misconfigure cloud resources in ways that cybercriminals have now learned to scan for across multiple clouds. Thanks to the rise of DevSecOps many organizations are finally starting to address that issue but it’s still early days. Many DevOps practitioners that tend to prize the rate at which applications are developed and deployed above all else have been sidestepping security controls for years now. That issue is now coming to a head as senior IT leaders are now being asked to review their software supply chain processes on an end-to-end basis.
In general, those reviews are long overdue. Rolling out new applications as fast as possible is an admirable business goal. However, if the cost of achieving that goal is security breaches then the point of the exercise is arguably being lost. There is no such thing as a great insecure application.
One day soon security will become a more natural extension of the quality assurance process. In the meantime, cybersecurity teams need to find a way to establish a meaningful working relationship with application developers inside their organizations. Most of those developers are not looking to purposely deploy cloud applications that have been compromised by malware. However, most of them don’t really appreciate how easily a credential they have lost control over can sink the proverbial application ship.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.