Cloud threats on the rise: why workload scanning is non-optional
Organizations and businesses of every kind are making a speedy transition to widespread cloud adoption, with almost all businesses using at least some cloud elements in their IT infrastructure.
As businesses make this move, hackers and cybercriminals follow closely behind, like hyenas tracking a herd of juicy gazelle; as their targets move, so does the focus of their attention. However, the rise in cloud attacks cannot be explained by this shift in targets alone.
According to cybersecurity firm SentinelOne, around 79% of organizations have experienced one or more cloud data breaches in the past 18 months, and 43% had suffered from 10 or more attacks in that period.
During 2020, McAfee reported that attacks on cloud environments had increased by a staggering 630%, suggesting there are other factors involved in making cloud environments more likely to become compromised.
Why is this, and what can you do to protect yourself?
Why are cloud threats increasing?
The change in the IT landscape has certainly led ‘bad actors’ to shift the focus of their efforts, but there are other reasons why cloud environments are under threat.
Threat volumes and novel attack vectors
For one thing, cloud workloads typically consist of many different parts. This translates to more opportunities for different attacks and unique attack vectors. The sheer volume of threats and the pace of cybercrime innovation makes it difficult to keep up.
High exposure
There are also many possible ways for malicious code to sneak into your workloads, including supply chain attacks, APIs, unsecured keys, data sources or uploaded data, and poor access control.
Hard to detect
In many cases, malicious code can remain embedded and encrypted within a cloud environment until a particular moment, when it decrypts and gets to work. As a result, many threats are harder to detect or mitigate until they start causing damage.
Speedy development
When developers are under pressure to deliver under tight timescales (and they always are), the chances of a misconfiguration or other vulnerability are greatly increased.
High complexity and lack of visibility
And, of course, this situation is compounded by a lack of visibility. Complex cloud environments and multicloud environments are increasingly common, and this makes it harder to ensure security. Due to the large number of third-party components involved, it’s impossible to shield yourself from supply chain attacks, and there’s a strong potential for security posture conflicts.
Why workloads need special attention
Many people make the mistake of assuming that cloud environments are secure by design, or that bare-minimum measures are enough (especially during the development phase). They’re not.
While the infrastructure is (generally) protected by the provider themselves, it’s up to you to select and use the right tools to secure workloads and mitigate problems.
Cloud workloads are inherently exposed to some extent, and this makes them easy targets, especially when they are more exposed than they need to be, and use insufficient encryption or access control.
It’s important to recognize that your workloads will be targeted, and they will be compromised – at some point.
The only way you can prevent a problem is with a complete set of security measures that include workload scanning. This gives you real-time protection and visibility.
What’s at stake?
There’s a lot at stake here. According to research from Forrester, the 35 biggest data breaches in 2022 resulted in 1.2 billion customer records being exposed, and fines of over $2.7 billion. And that’s just the 35 biggest breaches.
Some 74% of cybersecurity decision-makers have experienced one or more data breaches in the last year. As 95% of all workloads will operate in the cloud in the next few years, this risk will only grow.
As an IT professional, it’s ultimately your responsibility to secure these workloads as effectively as possible. However, as 89% of organizations are already using multicloud environments, this is a complex challenge that requires visibility across your whole IT landscape.
The visibility problem: you don’t know what you don’t know
Multicloud and complex cloud environments suffer from poor visibility. This means that problems can go unnoticed for some time, increasing the impact.
For example, car manufacturer Toyota recently discovered that they had unwittingly exposed the data of more than 2 million customers for at least ten years, due to a simple misconfiguration that went unnoticed for a decade. This data included customer details, details about the cars (including location data), and even video from the car.
And this is exactly the problem with lack of visibility: you don’t know what’s happening, and this state of ignorance leaves you both open to threats and makes it harder to take action.
Cloud security best practices (and why workload scanning is still needed)
Cloud security measures are primarily defensive: their role is to keep threats out. But what if they do get in somehow?
It’s a bit like trying to stop zombies from breaking into your house. You can board up all the windows, lock all the doors, and try not to attract attention, but if a zombie does get in, you want to detect and eliminate it before it invites all of its friends round for tea.
You need both strong preventive cybersecurity measures and active workload scanning to make sure you won’t get bitten.
Best practices for Cloud workload security
Identity and Access Management (IAM)
Active management of identity and access helps to minimize risks from credentials misuse.
Zero trust
Adopting a ‘zero trust’ posture is especially important in the development phase, which can be loosened to ‘least privilege’ and whitelisting at deployment, when necessary.
Encryption
Using encryption wherever possible ensures that even if data is leaked, it’s hard to get anything from it.
Minimum exposure
Reduce unnecessary exposure.
Visibility
Attaining visibility over your cloud environment helps avoid problems and identify where vulnerabilities might be. Remembering the Toyota example, achieving visibility with ‘a single pane of glass’ helps ensure total coverage of security measures. Consolidating everything into a single tool is an ideal way forward here.
Cloud Security Posture Management (CSPM)
This tooling mostly analyzes configuration issues and policy drift, but some solutions also include workload and container scanning. Considering the above, it’s good to have a tool that can also give visibility in multicloud environments, scan workloads continuously and flag issues when they’re found.
What is workload scanning?
Workload scanning (sometimes called workload vulnerability scanning) is an active, ongoing process of scanning workloads for malware, unusual behavior, network exposure, misconfigurations, and other vulnerabilities. It’s a very different beast from traditional antivirus software, not least because cloud environments work differently from on-premise infrastructure.
Because new threats are constantly emerging, continuous scanning of workloads is one of the most important ways you can make sure your environment stays clean. Many CSPM solutions include workload scanning as part of their functionality, but it’s important to understand the specificities and limitations of each solution, and how it fits with your situation.
The best tool for workload scanning
There is no single ‘best tool’, but there are many tools and platforms you can use to scan cloud workloads, including some great ones like Microsoft’s Azure Defender and Google’s Security Command Center. Our favorite, though, is Amazon Inspector on AWS, in combination with other elements and some of our own customizations.
Amazon Inspector is one of the various security tools available via the AWS Security Hub ecosystem, and it’s especially good because it puts everything into that ‘single pane of glass’ everyone is so keen on. With a consolidated view over your entire cloud environment, you gain a simpler way to deal with a complex problem.
The entire AWS Security Hub, taken together, makes a pretty powerful CSPM platform, and it can be deployed across all your AWS accounts with a single click. It includes Amazon Inspector as an integrated feature, along with GuardDuty, AWS Systems Manager, AWS Health, AWS Config, AWS Firewall Manager, IAM Access Analyzer, and Amazon Macie.
Amazon Inspector works by continuously scanning workloads for known vulnerabilities, network exposure, and unusual behaviors. A key part of your workloads is your containers, so it’s good to know that container images (within Amazon ECR) are also scanned statically as part of this. And whenever something changes (for example, when a patch is installed or a package is updated), Amazon Inspector automatically conducts a rescan, so you’re never left exposed.
If (or rather, when) Amazon Inspector discovers a vulnerability, it creates a ‘finding’ which is available via the customizable dashboard. Each finding is graded by the severity of impact, giving you clear priorities. You also get guidance about remediation or mitigation, and you can take action directly.
To summarize, these are the big advantages to Amazon Inspector as a workload scanning tool:
- You can manage all Amazon Inspector accounts centrally
- It has practically zero (negative) impact on performance
- Scanning and rescanning is continuous and automatic
- All findings are on a single dashboard, rated by severity and impact
- Also scans (Amazon ECR) container images and AWS Lambda functions
Despite being an ‘automated’ tool, you still need to use Amazon Inspector properly. It’s worth doing a regular check to make sure everything is running as expected. For example, a ‘Not Scanning’ status might simply mean a resource hasn’t had its initial scan yet, but it might also indicate that something else is amiss, such as an unsupported OS or a resource that has been excluded from scanning.
And while it will scan container images, you still need to adjust the settings if you’re not happy with the defaults (for example, how long after being pushed an image keeps being rescanned, which can be up to 180 days).
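The two routine checks described above (working through findings in severity order, and distinguishing a harmless ‘not scanned yet’ from a real coverage gap such as an unsupported OS or an excluded resource) are easy to automate. The following is an added example and not code from the original article or from AWS. It runs offline on constructed sample data: the dictionary shapes, the severity labels and the scan-status reason codes are assumptions modelled on what the Inspector findings and coverage APIs return, and every ARN, instance ID and CVE placeholder is made up.

```python
"""Triage Amazon Inspector output: rank findings by severity and explain
resources that show as 'Not Scanning'.

Added example, not the article's or AWS's own code. Field names, severity
labels and reason codes below are assumptions modelled on Inspector's
list_findings / list_coverage responses; all sample data is constructed.
"""
from collections import defaultdict

# Assumed Inspector severity labels, in the order we want to work through them.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "INFORMATIONAL": 4, "UNTRIAGED": 5}

# Assumed reason codes that mean "wait", as opposed to a real gap in coverage.
TRANSIENT_REASONS = {"PENDING_INITIAL_SCAN", "PENDING_DISABLE"}

# Constructed sample findings (shape assumed; IDs and CVE titles are placeholders).
SAMPLE_FINDINGS = [
    {"title": "CVE-0000-PLACEHOLDER-1 - libxml2", "severity": "MEDIUM",
     "inspectorScore": 5.3, "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}]},
    {"title": "CVE-0000-PLACEHOLDER-2 - openssl", "severity": "HIGH",
     "inspectorScore": 7.5, "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}]},
    {"title": "CVE-0000-PLACEHOLDER-3 - kernel", "severity": "CRITICAL",
     "inspectorScore": 9.8, "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example2"}]},
    {"title": "CVE-0000-PLACEHOLDER-4 - glibc", "severity": "HIGH",
     "inspectorScore": 8.1, "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "app@sha256:placeholder"}]},
]

# Constructed sample coverage records (shape assumed).
SAMPLE_COVERAGE = [
    {"resourceId": "i-0example1", "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceId": "i-0example3", "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNSUPPORTED_OS"}},
    {"resourceId": "i-0example4", "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "EXCLUDED_BY_TAG"}},
    {"resourceId": "i-0example5", "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "PENDING_INITIAL_SCAN"}},
    {"resourceId": "old-image@sha256:placeholder", "resourceType": "AWS_ECR_CONTAINER_IMAGE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "SCAN_ELIGIBILITY_EXPIRED"}},
]


def prioritise_findings(findings):
    """Order findings CRITICAL first, then by Inspector score, highest first."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK.get(f.get("severity", "UNTRIAGED"), 5),
                       -float(f.get("inspectorScore", 0.0))),
    )


def coverage_gaps(coverage):
    """Group every resource that is not actively scanned by the reason given."""
    gaps = defaultdict(list)
    for record in coverage:
        status = record.get("scanStatus", {})
        if status.get("statusCode") != "ACTIVE":
            gaps[status.get("reason", "UNKNOWN")].append(record["resourceId"])
    return dict(gaps)


def actionable_gaps(coverage):
    """Drop the 'not scanned yet' cases; what remains needs a human to act."""
    return {reason: ids for reason, ids in coverage_gaps(coverage).items()
            if reason not in TRANSIENT_REASONS}


def report(findings, coverage):
    """Render a short text report of the two checks."""
    lines = ["Findings by priority:"]
    for f in prioritise_findings(findings):
        target = f["resources"][0]["id"]
        lines.append(f"  {f['severity']:<9} {f.get('inspectorScore', 0.0):>4}  {f['title']}  on {target}")
    lines.append("Resources needing attention (not scanned, and not just pending):")
    for reason, ids in sorted(actionable_gaps(coverage).items()):
        lines.append(f"  {reason}: {', '.join(ids)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS, SAMPLE_COVERAGE))
```

In a real account the two sample lists would be replaced by the paginated results of the coverage and findings calls; the grouping by reason is what turns a vague ‘Not Scanning’ into a concrete to-do list (re-tag the excluded instance, migrate the unsupported OS, or push a fresh image so it becomes eligible for scanning again).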
Ensuring complete security for your cloud
Despite the rapid pace being asked of cloud development, it’s essential that this never happens at the expense of security.
There are many measures you can (and should) take to make it harder for bad actors to get access to data or compromise your cloud environment. Workload scanning may not be at the very top of this list, but it is an essential component of your cloud security.
With the right tool for your situation, you can gain greater visibility too – with a single view across your entire cloud landscape. When you have all the pieces of this puzzle in place, you can reduce your risks to the absolute minimum – and gain peace of mind.