It’s hard enough running an MSP these days with all the malware, ransomware, and cryptocurrency miners one has to protect against, but there’s another front in the cyberwar, one that once seemed relatively safe: the cloud.
Consider that attacks on Microsoft’s Azure Cloud were up a whopping 300 percent in the first quarter of 2017. And, Cisco released a report in the first quarter of this year that continues to beat the warning drums of cloud vulnerability.
Cloud attacks have been increasing, and experts that Smarter MSP has spoken to predict that trend will continue.
Clouds clouding the cloud
“It is not surprising that cloud attacks have increased, partly due to the corresponding increase in the amount of (sensitive) data, including intellectual property being stored in the cloud. In other words, instead of attacking X number of organizations, the attacker(s) can choose to focus on one or two major MSPs and seek to identify and exploit any vulnerabilities to gain access to the data stored in the cloud,” says Dr. Raymond Choo, professor of cloud technology at the University of Texas. And as more and more data migrates to the cloud, so too will the bad guys.
“In fact, one could safely assume that cloud attacks will increase in terms of frequency and sophistication in the foreseeable future, as cloud services become the norm in organizations and government agencies,” Choo says.
Others agree with the assessment.
“In a nutshell, cloud attacks will continue to increase in number and also in sophistication as more and more enterprises move data processing activities to cloud systems,” says Jeffrey Blatt, lead TMT (technology, media, and telecommunications) counsel for Tilleke & Gibbins, a Bangkok-based law firm specializing in business and telecom. Blatt served on the board of Sri Lanka Telecom from 2008 to 2016 and helped develop cloud security measures in that country.
Prevention is not a cure
Blatt says preventing attacks isn’t easy.
“Prevention is more difficult because the client using the cloud service has only limited access to the cloud system,” Blatt says.
In addition to attacks increasing due to the sheer number of accounts migrating to the cloud, there are other issues, too. Weak passwords and poor encryption contribute to the problem.
“While we have high awareness of cybersecurity and cloud security requirements, few users actually have an awareness of access to their privileged accounts, and also a good awareness of the provenance of their data,” says Ryan Ko, director of the New Zealand Institute for Security and Crime Science at the University of Waikato in Hamilton.
Ko says that often the cloud can be breached in multiple ways.
“There have been several instances where user accounts are compromised through sophisticated exploit-based phishing attacks, and attackers move laterally through the organizations’ accounts to the ones which control the most access rights or most valuable assets. Several of the current administration and security tools do not provide such awareness, both externally and internally,” Ko says, meaning attacks can come from unauthorized outsiders who breach the system or malicious insiders.
Growing attack surface
Martin Holste is the Chief Technology Officer of California-based FireEye Security. He, too, predicts the attacks will continue to increase.
“Attacks will increase proportional to the increase in assets placed in the cloud,” Holste says, but he adds some caveats. “Cloud services present a broader attack surface because the individual services often have their own public internet, and many individual cloud infrastructure services, such as Microsoft’s Azure, have public APIs that need to be secured.”
“This increase in the total number of public interfaces raises the bar for security practitioners who used to be able to hide critical apps behind firewalls. As such, the overall opportunities for attackers to attempt authentication are rising faster than services hosted in a traditional data center,” Holste says. That doesn’t mean services are becoming inherently less secure, though, Holste says, because the underlying infrastructure for those services is usually more secure than the do-it-yourself approach.
“Ultimately, cloud is no more or less secure than private data centers, but you will see more noisy login failures which can be characterized as ‘attacks,’” Holste says.
How can MSPs keep the cloud safe?
So, what specifically can an MSP do to help prevent cloud attacks?
“MSPs need to implement a strong security and management of privileged accounts, and have a good information security management system around the management of not just their employees, customers, but also their vendors,” Ko says.
Ko says that MSPs should try to avoid being the weak link in the chain themselves, and a big part of that is educating on best practices.
“MSPs should also look into solutions which track data provenance across their infrastructure and empower themselves and their users with auditability and accountability. With these solutions implemented, MSPs will have a much stronger security posture and prevent themselves from being the weakest link. This lifts the security posture for the cloud(s) they are running on,” Ko says.
Preventing credential compromise
Holste says there are plenty of steps an MSP can and should take to prevent cloud attacks. At the top of the list should be preventing credential compromise.
“An administrative credential compromise is more devastating than in a traditional data center because attackers can do things like permanently delete all assets, and so the biggest threat to cloud security is administrative credential theft, often via phishing,” Holste says. So that means the number one thing an MSP should do to protect cloud assets is to put phishing protection and two-factor authentication in place. Restricting all cloud logins to company internet protocol space, such as from within the VPN, is also key.
In addition to protecting logins themselves, endpoint security is also becoming critical as advanced attackers will pivot from on-premises desktops belonging to administrators into cloud assets. This means running endpoint protection on cloud virtual machines is just as crucial as it is in a traditional data center, and it can often, Holste says, provide a layer of prevention or early warning.
Improve visibility and insight
“Beyond these base-level measures, it’s critical that an organization’s security staff has real-time visibility into what’s happening in the cloud accounts they control. The public cloud makes it relatively simple to see what virtual machines are being deployed and what they are doing, but administrators need to take the time to centralize the provided audit logs and get it into the hands of the security staff,” Holste says.
Once this information is centralized, it needs to be enriched with organizational context to make it meaningful to security staff.
“These events go well beyond simple compliance-oriented events, such as logins. Advanced attackers have playbooks they run which leverage the full scope of cloud capabilities and services to bypass security controls such as firewall rules. This shifts the things MSPs need to look for from simple failed login events to strange API calls, which requires a sophisticated analyst,” Holste says. And that can be a challenge.
“In our experience, even the cloud providers themselves are not privy to the most advanced attacks, because they occur above the infrastructure level at which they have visibility and at the application level,” Holste says.
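The two recommendations above, restricting successful cloud logins to company IP space and watching for unusual API calls rather than only failed logins, can be turned into a small detection pass over centralized audit logs. The following is an added example, not code from the Smarter MSP article or from any cloud provider or vendor quoted in it: the event format, the company IP range, the list of high-risk actions and the principal-to-team mapping are all constructed assumptions, and the sample log lines are made up for illustration.

```python
"""
Added example: run simple detection logic over centralized cloud audit-log
events. It flags (1) successful console logins from outside company IP
space and (2) high-risk API calls made by principals whose organizational
context says they should not be making them, while only counting the
"noisy" failed logins the article says are the least interesting signal.
All formats, ranges and names below are constructed for illustration.
"""
import ipaddress
import json
from collections import Counter

# Assumption: the company's own IP space (e.g. VPN egress), from which
# cloud console logins are expected. TEST-NET-3 is used as a placeholder.
COMPANY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: organizational context used to enrich raw events. Without
# this, a DeleteSnapshot call is just an API call; with it, an analyst can
# see whether the caller was ever expected to delete anything.
PRINCIPAL_CONTEXT = {
    "alice@example.com": {"team": "platform", "may_delete": True},
    "bob@example.com": {"team": "finance", "may_delete": False},
}

# Assumption: API actions that can destroy assets or weaken controls.
# Names are illustrative, not a specific provider's API.
HIGH_RISK_ACTIONS = {
    "DeleteVolume", "DeleteBucket", "TerminateInstances",
    "DeleteSnapshot", "UpdateFirewallRule", "CreateAccessKey",
}

# Constructed sample audit log (JSON lines), not real captured data.
SAMPLE_LOG = """\
{"time": "2018-05-01T08:00:01Z", "principal": "alice@example.com", "action": "ConsoleLogin", "outcome": "success", "source_ip": "203.0.113.10"}
{"time": "2018-05-01T08:02:15Z", "principal": "bob@example.com", "action": "ConsoleLogin", "outcome": "failure", "source_ip": "198.51.100.7"}
{"time": "2018-05-01T08:02:40Z", "principal": "bob@example.com", "action": "ConsoleLogin", "outcome": "failure", "source_ip": "198.51.100.7"}
{"time": "2018-05-01T08:03:05Z", "principal": "bob@example.com", "action": "ConsoleLogin", "outcome": "success", "source_ip": "198.51.100.7"}
{"time": "2018-05-01T08:03:30Z", "principal": "bob@example.com", "action": "CreateAccessKey", "outcome": "success", "source_ip": "198.51.100.7"}
{"time": "2018-05-01T08:10:00Z", "principal": "alice@example.com", "action": "DeleteSnapshot", "outcome": "success", "source_ip": "203.0.113.10"}
{"time": "2018-05-01T08:11:45Z", "principal": "bob@example.com", "action": "TerminateInstances", "outcome": "success", "source_ip": "198.51.100.7"}
"""


def parse_events(text):
    """Parse JSON-lines audit events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_company_network(ip):
    """True if the source address falls inside the allowed company ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPANY_NETWORKS)


def analyze(events):
    """Return findings worth an analyst's time plus a count of noisy failures."""
    findings = []
    failed_logins = Counter()
    for ev in events:
        ctx = PRINCIPAL_CONTEXT.get(ev["principal"], {"team": "unknown", "may_delete": False})
        enriched = dict(ev, team=ctx["team"])  # attach organizational context
        if ev["action"] == "ConsoleLogin":
            if ev["outcome"] != "success":
                failed_logins[ev["source_ip"]] += 1  # count, don't alert
                continue
            if not from_company_network(ev["source_ip"]):
                findings.append({"reason": "login-outside-company-ip", "event": enriched})
            continue
        if ev["action"] in HIGH_RISK_ACTIONS and not ctx["may_delete"]:
            findings.append({"reason": "high-risk-api-call-unexpected-principal", "event": enriched})
    return {"findings": findings, "failed_logins": dict(failed_logins)}


def run_sample():
    """Analyze the constructed sample log."""
    return analyze(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    result = run_sample()
    for f in result["findings"]:
        e = f["event"]
        print(f"{e['time']} {f['reason']}: {e['principal']} ({e['team']}) {e['action']} from {e['source_ip']}")
    print("failed logins per source IP (low priority):", result["failed_logins"])
```

On the sample data the two failed logins are merely counted, while the successful login from outside the company range and the two destructive calls by a finance-team principal become findings; alice's DeleteSnapshot produces nothing because her context says deletion is expected of her. In a real deployment the IP ranges and the principal mapping would come from the MSP's own network inventory and identity system rather than from literals.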
Keeping up with evolving threats
Meanwhile, Choo, the University of Texas professor, advises MSPs to keep up to date on the constantly evolving cloud.
“Keep an open mind. For example, explore new security paradigms that can be potentially game-changing and provide the MSP a competitive advantage,” Choo says. And Choo advises that an MSP should operate under the assumption that a cloud breach will occur — not might or could.
“Operate with the mentality that ‘It is not a matter of if, but of when that the system will be compromised,’ and when that happens, the provider needs to have a robust risk mitigation strategy,” Choo says.
So, the takeaway from all of this? As the cloud grows more and more crowded, the bad guys will follow, and a cat-and-mouse game will ensue. Right now, it’s a draw.