Compromised Cloud Costs Orgs $6.2 Million Annually

Compromised cloud accounts cost companies an average of $6.2 million each year according to the Ponemon Institute, and more than two-thirds of professionals said the compromised accounts represented a “significant security risk” to their companies.

Organizations experience 138 hours of application downtime per year due to compromised cloud accounts, according to the Ponemon Institute report, which was sponsored by Proofpoint and surveyed 662 IT and IT security professionals in the U.S.

The deluge of compromised account incidents—the survey average was 64 cloud account compromises—is taking its toll on IT and IT security teams, which spend around 1,200 hours per month, or roughly 14,200 hours per year, dealing with the issue.

New Security and Compliance Risks

At the same time, the move to the cloud and a mobile workforce has brought new security and compliance risks, with cloud-based collaboration or messaging tools for sharing sensitive or confidential files presenting a significant security risk for organizations.

On top of it all, responsibility for evaluating cloud provider security capabilities is dispersed throughout the organization, with no single function clearly accountable for it.

Information security (23% of respondents) and corporate IT (21% of respondents) are most responsible, and the survey also revealed that very little corporate data in the cloud is controlled by IT.

Vishal Jain, co-founder and CTO at Valtix, a provider of cloud-native network security services, explained that, as a result, lost business productivity, reputation damage or cost of incident response are to be expected.

To Jain, however, just as interesting are the harder-to-quantify, less obvious impacts, such as unauthorized compute usage in the compromised cloud accounts.

“This can be compounded by re-compromise due to a lack of continuous multi-cloud visibility and the ability for attackers to move laterally in increasingly complex cloud architectures,” he said. “Lack of centralized visibility and control makes remediation and recovery manual and cumbersome leading to the burning of critical FTE cycles.”

He explained that because most attacks are financially motivated, Microsoft Office 365 and Google Apps are increasingly where attackers look for low-hanging fruit: sensitive corporate information or access to email.

“The good news is that both Microsoft and Google provide great security mechanisms by default including two-factor authentication,” he said. “In many cases, it’s simply a matter of enforcement of these cloud access standards.”

Securing the Back End

Jain said the more challenging area to secure is the back end of cloud applications that have been deployed to Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure infrastructure, where the security model is less standardized and more of the shared responsibility is on the organization versus the cloud provider.

For organizations, that means investing in cloud-native security platforms that align to the dynamic and distributed nature of the cloud is a must.

“These platforms were built to enable continuous visibility and protection of resources that scale up or down with cloud app requirements,” he said. “They can also speed up and improve incident response by closing the gap between the offline identification of a problem and then manually remediating.”

In the cloud world, where the gap between compromise and remediation gives attackers more of an opportunity to move laterally, hide their tracks and ultimately exfiltrate critical data, all these factors serve to increase the cost of a security compromise in the cloud.

John Hellickson, cyber executive advisor at Coalfire, a cybersecurity advisory services provider, also pointed to Microsoft Office 365 and Google Workspace services due to these platforms’ ubiquity and their role as the source of enterprise user account storage and authentication for most organizations.

“If hackers can breach these systems, then they can gain access to all enterprise systems,” he said. “IAM is one of the most overlooked risk and breach mitigation tactics, yet among the most damaging tools in a hacker’s arsenal.”

He pointed to some common mistakes enterprises make when setting up security for cloud accounts, including “blatant violation” of meaningful separation of duties and identity and access management (IAM) hardening.

“Another would be isolation and security of development environments—there’s a false notion that the development area doesn’t need security because it’s non-prod (in other words, it doesn’t have data), but it’s also where all the code and configurations are done that hackers could—and do—easily use to inject vulnerabilities,” Hellickson said.

One potential solution is to implement a top-down strategy (at the enterprise level or per revenue segment) for cyberrisk investment, and to enforce it.

According to 57% of respondents to the Ponemon survey, Microsoft Office 365 and Google Workspace accounts are heavily targeted by brute force and phishing-based cloud attacks.

John Bambenek, threat intelligence advisor at Netenrich, said the biggest mistake organizations make with security of cloud accounts is assuming that because the services are run by Microsoft and Google that means they are secure and protected.

“While Microsoft and Google do take steps to secure their services, the security is protecting the ecosystem as a whole,” he said. “Individual accounts can still be stolen and there is little those companies will do to protect you. Organizations need to be fully aware of where the line of Google and Microsoft’s protection ends and where they need to begin.”

More than half (51%) of respondents say phishing is the most frequent method that attackers use to acquire legitimate cloud credentials, indicating that despite all of the improvements in security technology, users are still the biggest attack vector.

Meanwhile, phishing techniques have gained significant sophistication over the years and will continue to do so, security professionals warn.

“Give a man a zero-day, he’ll pwn for a day. Teach a man to phish, he’ll pwn for a lifetime,” Bambenek said. “Phishing is common because it works and because we have yet to come up with adequate protection against human mistakes. Finding vulnerabilities takes real expertise and time, and phishing simply does not. Scammers have existed for thousands of years of the human species; they just moved meatspace tactics to the Internet.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.