Investigation on key threats of cloud computing applications in 2022
2022-06-25 02:04:00 [Software test network]
Cloud workloads, supply chains, edge computing, the Internet of Things (IoT) and the spread of new technologies such as blockchain have changed the security landscape of cloud computing applications. To raise awareness of cloud threats, vulnerabilities and risks, the international Cloud Security Alliance (CSA) recently surveyed more than 700 experts in the cloud computing industry on application security in the cloud, and wrote and published the "Cloud Computing Top Threat Report". According to the report, the following 11 security challenges are becoming key threats to cloud computing applications.
Threat 1
Identity, credentials, access rights and key management
Identity, credential and access management systems generally comprise the tools and policies that allow an organization to manage, monitor and protect users' access to key resources. These resources may include electronic documents, computer systems and physical resources such as server rooms or buildings. Properly maintaining and continuously monitoring identity, credential and access management systems is critical. Using risk scoring in identity and access management (IAM) can strengthen the security posture. A clear risk allocation model, continuous monitoring, and appropriate behavioral isolation and segmentation help cross-check the IAM system.
Business impact
Poor management of identities, credentials, access rights and keys may have the following negative consequences:
• Business system access lacks compliance, and employees are indifferent to network security;
• Key business data is replaced or damaged, and data exfiltration by unauthorized or malicious users is difficult to detect;
• Loss of user trust and business revenue;
• Additional financial costs for incident response and forensics after serious security incidents;
• Ransomware attacks and supply chain disruptions.
Security incidents
From January to July 2019, Capital One bank suffered a large-scale data leak. The cause was that a server in Capital One's AWS account executed arbitrary user-initiated requests. With the help of a server exposed on the public network, an attacker can illegally access servers on the internal network, leading to command execution, data leakage and other harm.
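The weakness described above, a public-facing server that fetches whatever address a user supplies, is commonly called server-side request forgery. The following check is an added example, not part of the original article: it refuses user-supplied URLs that point at internal, loopback or link-local addresses. The host names and the name-to-address table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name-to-address table standing in for DNS (assumption, offline use).
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "files.example.com": ["93.184.216.34", "10.0.0.5"],  # one internal record
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


def resolve_host(host):
    """Default resolver: every address the name maps to (performs real DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_outbound_url(url, resolver=resolve_host):
    """Decide whether the server may fetch `url` for a user: (allowed, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        candidates = [host] if is_ip_literal(host) else list(resolver(host))
    except OSError:
        candidates = []
    if not candidates:
        return False, "host does not resolve"
    # Every address must be public: one internal record is enough to refuse.
    for text in candidates:
        addr = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 scope id
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:  # ::ffff:10.0.0.5 is really 10.0.0.5
            addr = mapped
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("https://api.example.com/v1", "https://files.example.com/x",
                   "http://169.254.169.254/", "http://[::ffff:10.0.0.5]/"):
        print(sample, check_outbound_url(sample, sample_resolver))
```

The fetch itself should connect to the address that passed the check and re-run the check on every redirect; otherwise a second DNS lookup can return a different address than the one validated.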
Protection points
• Use multi-factor authentication;
• Apply strict access controls to cloud users and identities, and in particular restrict use of the root account;
• Segregate and segment accounts according to business needs and the principle of least privilege;
• Rotate keys with a programmatic, centralized method;
• Delete unused credentials and access privileges promptly.
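As an added example (not from the original article), the audit below turns the protection points above into checks over a credential inventory: missing multi-factor authentication, an active root access key, keys overdue for rotation and credentials nobody uses. The column names follow the AWS IAM credential report; the rows, the audit date and the 90-day limit are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows; column names as in the AWS IAM credential report.
SAMPLE_REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,not_supported,2022-06-01T08:00:00+00:00,false,true,2020-01-15T00:00:00+00:00,2022-05-30T00:00:00+00:00
alice,true,2022-06-20T09:30:00+00:00,true,true,2022-05-01T00:00:00+00:00,2022-06-21T00:00:00+00:00
bob,true,2021-11-02T10:00:00+00:00,false,true,2021-02-10T00:00:00+00:00,N/A
ci-deploy,false,N/A,false,true,2021-09-01T00:00:00+00:00,2022-06-24T00:00:00+00:00
"""

AS_OF = datetime(2022, 6, 25, tzinfo=timezone.utc)  # assumed audit date
MAX_AGE = timedelta(days=90)                        # assumed policy limit


def parse_ts(value):
    """ISO 8601 timestamp, or None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def older_than(value, now, limit):
    """True when the timestamp is missing (never happened) or past the limit."""
    ts = parse_ts(value)
    return ts is None or now - ts > limit


def audit_credentials(report_text, now=AS_OF, limit=MAX_AGE):
    """Return {user: [finding, ...]} for every identity with at least one issue."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_console = is_root or row["password_enabled"] == "true"
        issues = []
        if has_console and row["mfa_active"] != "true":
            issues.append("NO_MFA")
        if has_console and not is_root and older_than(row["password_last_used"], now, limit):
            issues.append("PASSWORD_UNUSED")
        if row["access_key_1_active"] == "true":
            if is_root:
                issues.append("ROOT_ACCESS_KEY")  # root should hold no keys
            if older_than(row["access_key_1_last_rotated"], now, limit):
                issues.append("KEY_NOT_ROTATED")
            if older_than(row["access_key_1_last_used_date"], now, limit):
                issues.append("KEY_UNUSED")       # candidate for deletion
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credentials(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(issues)}")
```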
Threat 2
Insecure interfaces and APIs
Organizations are accelerating their adoption of APIs to provide better digital experiences for third-party developers and customers. But as APIs become more widespread, securing these interfaces has also become critical. APIs and microservices must be checked for vulnerabilities caused by misconfiguration, poor coding practices, missing authentication and improper authorization. These vulnerabilities may leave the interfaces open to attack.
Misconfiguration of APIs and other interfaces is a leading cause of security incidents and data leaks. Common problems are: unauthenticated endpoints; weak authentication; excessive permissions; disabled standard security controls; unpatched systems; logic design flaws; and disabled logging or monitoring. These problems may lead to resources being leaked, deleted or modified, data being altered, or services being interrupted.
Business impact
The main business impact of insecure APIs and interfaces is the accidental exposure of sensitive or private data. The severity of this risk depends on how the API is used and how quickly vulnerabilities are detected and mitigated.
Security incidents
On May 5, 2021, an API vulnerability at the home fitness brand Peloton was disclosed: flawed user authentication and object-level authorization exposed Peloton customers' personally identifiable information (PII) through the API. The data included users' age, gender, city, weight and exercise statistics, and could even reveal birthdays and other information that users had set as private on the profile settings page.
Protection points
• Track, configure and protect the attack surface associated with APIs;
• Update traditional control and change management policies and methods to keep pace with the growth and change of cloud-based APIs;
• Enterprises should adopt automation that continuously monitors for anomalous API traffic and fixes vulnerabilities in near real time;
• Consider using an open API framework, such as the Open Cloud Computing Interface (OCCI) or the Cloud Infrastructure Management Interface (CIMI).
Threat 3
Misconfiguration and inadequate change control
Misconfiguration is the incorrect or unreasonable setup of computing assets, which leaves them vulnerable to accidental damage or malicious activity. Common misconfigurations include: insecure data storage elements or containers; excessive permissions; default credentials and configuration settings left unchanged; disabled standard security controls; unpatched systems; disabled logging or monitoring; unrestricted access to ports and services; insecure secrets management; and poorly configured or missing configuration validation. Misconfigured cloud resources are a leading cause of data leaks, and may result in resources being deleted or modified and services being interrupted.
Inadequate change control in cloud environments can lead to misconfiguration and can prevent misconfigurations from being fixed. Cloud environments and cloud computing methods differ from traditional information technology (IT) in ways that make change harder to control. Traditional change processes involve multiple roles and approvals, so a change takes days or weeks to go into production. Cloud computing relies on automation, role expansion and access to support rapid change, which makes change difficult to control. In addition, using multiple cloud providers adds complexity, and each provider's unique capabilities are enhanced and expanded almost daily. This dynamic environment requires an agile and proactive approach to change control and remediation.
Business impact
The main impacts of misconfiguration and inadequate change control are:
• Data disclosure affects confidentiality;
• Data loss affects availability;
• Data corruption affects integrity;
• System performance affects operational efficiency;
• System disruption affects operational sustainability;
• Ransom demands can have financial consequences;
• Violations and fines have compliance and financial implications;
• Loss of income;
• Falling share price;
• Damage to company reputation.
Security incidents
On January 7, 2021, Microsoft misconfigured a Microsoft Azure Blob (cloud) bucket that held a large amount of third-party data; the "trailers" and source code of more than 100 businesses hoping to partner with Microsoft were publicly exposed.
Protection points
• Enterprises need to adopt available technologies that continuously scan for misconfigured resources so that vulnerabilities can be fixed in real time;
• The change management approach must reflect the dynamic nature of business transformation and security challenges, so that changes are approved correctly using real-time automated validation.
Threat 4
Lack of cloud security architecture and strategy
Cloud security strategy and architecture cover the consideration and selection of the cloud deployment model, the cloud service model, cloud service providers (CSPs), service regions and availability zones, specific cloud services and general principles. In addition, forward-looking IAM design and the network and security controls across different cloud accounts, vendors, services and environments are also in scope. Strategy should precede architecture planning and guide architecture design, but cloud challenges often call for incremental and agile planning. For cloud computing to be successful and secure, security considerations and risks cannot be ignored. Industry breaches show that a lack of such planning may leave cloud environments and applications unable (or unable effectively) to defend against cyber attacks.
Business impact
A lack of cloud security strategy and architecture limits the feasibility of implementing an efficient enterprise and infrastructure security architecture. Without these security/compliance objectives, cloud computing will not succeed, and may even lead to fines and other penalties for violations, or to heavy costs from improper refactoring and migration.
Security incidents
In January 2021, Bonobos, a US clothing store owned by Walmart, suffered a large-scale data leak that exposed the personal information of millions of customers, including customer addresses, phone numbers, some credit card numbers and orders placed on the website. The cause was that the external cloud backup service hosting the backup files was compromised.
Protection points
• Enterprises should consider business objectives, risks, security threats and legal compliance in cloud service and infrastructure design and decisions;
• Given the rapid pace of change in cloud environments and limited centralized control, following cloud service and infrastructure security design principles matters even more during development;
• Treat due diligence and third-party vendor security assessment as baseline practices that complement threat modeling, secure design and integration.
Threat 5
Insecure software development
Software systems are complex, and cloud technology tends to add to that complexity, which increases the likelihood of exploits and misconfigurations. Although developers do not set out to write insecure software, major software vendors release patches every month to fix code errors that affect system confidentiality, integrity and/or availability. Not all software bugs have security implications, but as history has shown, even modest mistakes can become major threats.
Business impact
The possible impacts of insecure software development include:
• Customers lose confidence in the product or solution;
• Data leaks damage brand reputation;
• Legal and financial consequences of litigation.
Security incidents
On September 13, 2021, researchers found that Apple iOS was being exploited by NSO's Pegasus software through a zero-click vulnerability involving remote code execution.
Protection points
• Using cloud technology lets developers focus on business-specific issues;
• Under the shared responsibility model, items such as fixes can belong to the cloud service provider (CSP) rather than the enterprise;
• CSPs take security seriously and provide guidance on how to implement services securely, such as the AWS Well-Architected Framework or secure design patterns.
Threat 6
An insecure supply chain system
As cloud adoption grows rapidly, third-party resources can mean many things: from open source code to SaaS products and API risks, all the way to managed services offered by cloud providers. Risks from third-party resources are also regarded as "supply chain vulnerabilities" because they are part of the process of delivering a product or service. In recent years, as reliance on third-party supply chain services has grown, cyber criminals have increasingly exploited these vulnerabilities. Studies have shown that 2/3 of breaches are caused by supplier or third-party vulnerabilities.
Business impact
The possible impacts of an insecure supply chain system are:
• Loss or disruption of key business processes in the cloud;
• Cloud business data is accessed by external users;
• Patching or fixing security issues depends on the provider and its responsiveness, while internal applications and products need constant updating. The business impact can be critical, depending on how important the vulnerable component is to the application.
Security incidents
From May 2019 to August 2021, the North American subsidiary of Volkswagen Group suffered a data leak caused by a supplier, which left a storage service unprotected from May 2019 to August 2021. The incident involved 330 thousand customers; the leaked data included personally identifiable information (PII) and, for some customers, more sensitive financial data.
Protection points
• Although enterprises cannot prevent vulnerabilities in code or products they did not create, they can try to make good decisions about which products to use, for example by choosing officially supported products and those that have compliance certifications and vulnerability bounty programs and that provide security advisories and quick fixes;
• Identify and track the third parties the enterprise uses, including open source, SaaS products, cloud providers and managed services, and other integrations that may have been added to applications;
• Review third-party resources periodically. If you find products you do not need, remove them and revoke any permissions they may have been granted (such as access to code repositories, infrastructure or applications);
• Don't be the weak link. Penetration-test enterprise applications to the extent applicable, introduce developers to secure coding practices, and use static application security testing (SAST) and dynamic application security testing (DAST) solutions.
Threat 7
System vulnerabilities
System vulnerabilities are common flaws in cloud service platforms. Attackers may use them to compromise the confidentiality, integrity and availability of data and thereby disrupt service operations. Notably, any component may contain vulnerabilities that leave cloud services open to attack. There are four main types of system vulnerability:
• Zero-day vulnerabilities: newly discovered vulnerabilities that have not yet been patched. Hackers exploit these quickly, because nothing stops them until patches are deployed. The recently discovered Log4Shell is a typical example of a zero-day vulnerability.
• Missing security patches: as the number of unpatched vulnerabilities grows, overall system security risk grows with it, so once patches for known critical vulnerabilities are available, deploying them as soon as possible reduces the system's attack surface.
• Configuration-based vulnerabilities: these arise when a system is deployed with default or misconfigured settings. Examples include the use of legacy security protocols, weak encryption ciphers, weak permissions and poorly protected system management interfaces. Running unnecessary services on the system is another configuration-related problem.
• Weak authentication or default credentials: the lack of strong authentication credentials lets potential attackers easily access system resources and related data. Likewise, passwords that are not stored securely may be stolen by hackers and used to break into the system.
Business impact
Cloud system vulnerabilities may affect the business as follows:
• Many data leaks are caused by system vulnerabilities;
• When a data leak occurs, business may be disrupted, which affects customers' use of enterprise services;
• Additional technical costs are incurred in dealing with problems such as data leaks.
Security incidents
In December 2021, the Log4Shell (CVE-2021-45046) remote code execution vulnerability broke out, affecting versions 2.0beta9-2.14.1 of the Java-based Log4j logging tool. Given Java's widespread use in cloud systems, Log4Shell became a serious threat. Attackers can exploit Log4Shell by submitting malicious requests to vulnerable systems; the request causes the system to execute arbitrary code, allowing the attacker to steal information, launch ransomware or take control of the system.
Protection points
• System vulnerabilities are defects in system components, usually introduced by human error, that make it easier for hackers to attack enterprise cloud services. Strengthening the "human" factor is therefore key, and enterprises can carry out regular security training and education;
• Routine vulnerability detection, patch deployment and strict IAM practice can greatly reduce the security risks caused by system vulnerabilities.
Threat 8
Accidental disclosure of cloud computing data
Cloud services enable enterprises to build, innovate and scale at unprecedented speed. However, the complexity of the cloud and the shift in ownership of cloud services often lead to a lack of security governance and control. The growing number of cloud resource configurations across different CSPs makes misconfiguration more common, and a lack of transparency in cloud inventory and of network visibility may lead to accidental data disclosure.
Business impact
The possible business impacts of accidental data disclosure are:
• The data may contain sensitive customer data, employee information, product data and so on. Exposing such data can lead to unexpected costs, such as forensics teams, customer support and compensation for affected customers;
• Data breaches also incur many additional indirect costs, such as internal investigation and communication, loss of current customers, and loss of potential customers due to reputational damage.
Security incidents
In January 2021, the game company VIP Game exposed 23 million records of more than 6 million users, including emails, usernames, social issues, network IDs and on-network player data.
Protection points
• Configuration-based solutions are limited in the visibility they provide and cannot inspect or scan workloads, so it is necessary to examine PaaS databases, storage and compute workloads, including virtual machines, containers and the database software installed on them;
• Choose an engine that has full visibility into the enterprise cloud environment and can identify any routing or network service that allows traffic to be exposed externally, including load balancers, application load balancers, content delivery networks (CDNs), network peering, cloud firewalls, Kubernetes networks and so on;
• Ensure that databases implement least-privilege IAM policies, and reduce access risk by controlling and monitoring how those policies are assigned.
Threat 9
Misconfiguration and exploitation of cloud workloads
Managing and scaling cloud infrastructure and security controls to run applications remains a major challenge for cloud development teams. Serverless and cloud-native containerized workloads look like a panacea for this problem, since they shift responsibility to the cloud service provider. But they require a higher level of cloud and application security maturity than moving virtual machines to the cloud.
In the serverless model, the CSP is responsible for the security and management of the underlying infrastructure. Besides the development and operations benefits, this also reduces the attack surface, because by default the CSP runs function code in short-lived containers. A constantly refreshed system significantly limits the persistence of an attack. However, if the CSP allows customers to configure serverless containers with longer lifetimes and "warm start" settings, the environment becomes less secure. Other risks include temporary file systems and shared memory, which may also leak sensitive information.
Lack of control over the infrastructure also hinders mitigation of application security issues and limits the visibility of traditional security tools. Enterprises need to build strong security around the cloud environment, applications, visibility, access control and secrets management to reduce the blast radius.
Business impact
Serverless and containerized workloads can significantly improve the agility of cloud applications, reduce cost, simplify operations and even improve security. But without the necessary expertise and due diligence, application configurations implemented with these technologies can lead to major breaches, data loss and even exhaustion of the business's cash flow.
Security incidents
Since 2021, more and more cloud security incidents have involved Denial of Wallet (DoW) attacks. DoW attacks are similar to traditional denial-of-service (DoS) attacks: both are designed to cause damage. However, DoW attacks specifically target serverless users. The attack exploits the fact that serverless vendors charge users according to the resources their applications consume, which means that if an attacker floods a site with traffic, the site owner may face a huge bill.
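Because a DoW attack shows up as spend rather than downtime, it is easier to catch by pricing the invocation stream than by watching error rates. The detector below is an added example, not from the original article: it costs each minute of serverless invocations, compares it with the median of earlier normal minutes and names the source driving the spike. The unit prices, the invocation records and the 10x factor are constructed assumptions, not any vendor's tariff.

```python
from collections import defaultdict
from statistics import median

# Assumed illustrative prices (not a real tariff).
PRICE_PER_REQUEST = 0.0000002    # currency units per invocation
PRICE_PER_GB_SECOND = 0.00002    # currency units per GB-second of execution

# Constructed records: (minute, source address, invocations, avg ms, memory MB).
SAMPLE_INVOCATIONS = [
    (0, "198.51.100.7", 600, 200, 512), (0, "198.51.100.9", 400, 200, 512),
    (1, "198.51.100.7", 650, 200, 512), (1, "198.51.100.9", 350, 200, 512),
    (2, "198.51.100.7", 500, 200, 512), (2, "198.51.100.9", 500, 200, 512),
    (3, "203.0.113.50", 90000, 900, 512), (3, "198.51.100.7", 600, 200, 512),
    (4, "198.51.100.7", 550, 200, 512), (4, "198.51.100.9", 450, 200, 512),
]


def invocation_cost(invocations, avg_ms, memory_mb):
    """Billing model from the text: pay per request plus per resource consumed."""
    gb_seconds = invocations * (avg_ms / 1000) * (memory_mb / 1024)
    return invocations * PRICE_PER_REQUEST + gb_seconds * PRICE_PER_GB_SECOND


def detect_cost_spikes(records, factor=10.0, min_history=3):
    """Flag minutes whose cost exceeds `factor` times the median normal minute."""
    per_minute = defaultdict(lambda: defaultdict(float))
    for minute, source, invocations, avg_ms, memory_mb in records:
        per_minute[minute][source] += invocation_cost(invocations, avg_ms, memory_mb)

    alerts, history = [], []
    for minute in sorted(per_minute):
        by_source = per_minute[minute]
        total = sum(by_source.values())
        if len(history) >= min_history and total > factor * median(history):
            top = max(by_source, key=by_source.get)
            alerts.append({
                "minute": minute,
                "cost": round(total, 5),
                "projected_daily": round(total * 1440, 2),  # if it continued
                "top_source": top,
                "share": round(by_source[top] / total, 3),
            })
        else:
            history.append(total)  # only normal minutes feed the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_cost_spikes(SAMPLE_INVOCATIONS):
        print(alert)
```

An alert like this is most useful when it drives a control the provider enforces, such as a concurrency cap, a per-client rate limit or a billing alarm.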
Protection points
• Enterprises should implement automated checks with cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM) and cloud workload protection platforms (CWPP);
• Enterprises should invest in cloud security training, governance processes and reusable secure cloud architecture patterns to reduce the risk and frequency of insecure cloud configurations;
• Development teams should follow security best practices even more strictly before migrating to serverless technology.
Threat 10
Organized criminal gangs and APT attacks
The term "organized criminal gang" describes the level of organization of a criminal group. Advanced persistent threat (APT) is a broad term for the long-term illicit activity of an intruder or intrusion team on a network in order to mine highly sensitive data. APTs have established sophisticated tactics, techniques and procedures (TTPs) for infiltrating their targets. They often lurk in a target network for months without being detected, and can move laterally within the network to reach highly sensitive business data or assets.
Business impact
• APT groups have different motivations. Some are politically motivated (hacktivism), others are part of organized criminal groups, and some are hacking organizations of state actors;
• To understand the business impact an APT group may have, an enterprise must conduct a business impact analysis of its information assets. This lets the enterprise understand how and why an APT group might target it, and the potential business impact of potential security vulnerabilities.
Security incidents
In February 2016, Lazarus Group (APT38) almost completely robbed the National Bank of Bangladesh. In January 2022, LAPSUS$ broke into Nvidia and stole confidential data. The group did not extort Nvidia over the data; instead, it demanded that restrictions be lifted on the graphics processing units used for cryptocurrency mining.
Protection points
• Conduct a business impact analysis of the enterprise to understand its information assets;
• Participate in cyber security information sharing groups to learn about relevant APT groups and their TTPs (tactics, techniques and procedures);
• Conduct offensive security exercises that simulate the TTPs of these APT groups, and tune security monitoring tools to detect them.
Threat 11
Insecure cloud data storage
A cloud storage data leak is a serious security incident involving sensitive, protected or confidential information. The data may be released, viewed, stolen or used by individuals outside the enterprise. Data in cloud storage is one of the main targets of targeted attacks, and may be exposed through exploited vulnerabilities, configuration errors, application vulnerabilities or poor security practices. Such breaches may involve any type of information not intended for public disclosure, such as personal health information, financial information, personally identifiable information, trade secrets and intellectual property.
Business impact
The possible business impacts of a cloud storage data leak are:
• Loss of intellectual property, which may be used for other product development, strategic planning, or even to launch future attacks;
• Loss of trust among customers, stakeholders, partners and employees, which may inhibit business activity, investment and purchasing, and reduce employees' willingness to work at the enterprise;
• Stricter regulation, including financial penalties or process and business changes;
• Geopolitical factors can influence business activity.
Security incidents
In June 2021, Facebook was sued in Europe over a major user data leak, but the incident was not exposed until the information of more than 5.33 million accounts was found available for free download on a dark web forum.
Protection points
• Cloud storage requires a well-configured environment (SSPM, CSPM);
• Apply CSP best practice guides and monitoring and detection capabilities to detect and prevent attacks and data leaks;
• Employees need cloud storage security awareness training, because data is scattered across different places and controlled by different roles;
• Implement client-side encryption where appropriate;
• Classify data and record the actions taken in incident response.