How Log4j Reshaped Cloud Security Thinking

A report from IT security firm Valtix has revealed how IT leaders are changing the way they secure cloud workloads in the aftermath of the Log4j vulnerability.

Log4j is a logging library and part of the Apache Software Foundation’s Apache Logging Services project. It is pretty much ubiquitous in applications and services built using Java. 

It is used to record all manner of digital activities that run under the hoods of millions of computers. In December 2021, the Log4j vulnerability—aka CVE-2021-44228—was publicly announced and rapidly flagged as one of the most critical security vulnerabilities in recent years.

Once hackers discovered it was vulnerable to attack, they opened a dangerous vulnerability for IT teams across every industry.

Valtix surveyed 200 cloud security leaders to better understand how they protect every app across every cloud in the aftermath of Log4j. The survey found that 95% of IT leaders said Log4j and Log4Shell was a wake-up call for cloud security and that the vulnerability changed it permanently.

Log4j Changed Security Thinking

Log4j impacted not only the security posture of organizations across the globe but the very way IT leaders think about security.

The survey found 83% of IT leaders felt that the response to Log4j has impacted their ability to address business needs and that Log4j taught IT leaders the status quo isn’t good enough.

Respondents said they felt the security protections in place now are insufficient, that other high severity open source vulnerabilities will emerge and they worry that cloud service providers themselves might have vulnerabilities that could impact their teams.

In addition, 85% of respondents said poor integration between cloud security tools often slows down security processes and caused security lapses, while 82% of IT leaders said visibility into active security threats in the cloud is usually obscured. 

Just over half (53%) said they felt confident that all their public cloud workloads and APIs were fully secured against attacks from the internet, and less than 75% said they were confident that all of their cloud workloads were fully segmented from the public internet.

“Security leaders are still dealing with the impacts of Log4Shell,” explained Davis McCarthy, principal security researcher at Valtix. “Although many have lost confidence in their existing approach to cloud workload protection, the research shows they are taking action in 2022 by prioritizing new tools, process changes and budget as it relates to cloud security.”

Changing Cloud Security Priorities

The survey also revealed that Log4j shuffled cloud security priorities, with 82% of IT leaders admitting their priorities have changed and 77% of leaders said they are still dealing with Log4j patching.

Vishal Jain, co-founder and CTO at Valtix, added that the research echoed what the company is hearing from organizations daily: Log4Shell was a catalyst for many who realized that—even in the cloud—defense-in-depth is essential because there is no such thing as an invulnerable app.

“Log4Shell exposed many of the cloud providers’ workload security gaps as IT teams scrambled to mitigate and virtually patch while they could test updated software,” he said. “They needed more advanced security for remote exploit prevention, visibility into active threats or ability to prevent data exfiltration.”

According to the report, as a result of Log4j, security leaders are prioritizing additional tools, process changes and budgets, with industries from financial services to manufacturing reprioritizing their cloud security initiatives after Log4j.

The top five industries where confidence is still negatively impacted due to Log4j are energy, hospitality/travel, automotive, government and financial services, the survey found. 

The majority (96%) of enterprises said their cloud security threats grow more complex every year as new players, threats, tools, business models and requirements keep IT teams busier and more important than ever.

Security leaders also indicated that they recognize there’s no such thing as an invulnerable cloud workload and that defense-in-depth is needed, with 97% of IT leaders viewing defense-in-depth as essential in the cloud.

However, budget constraints slow tech adoption, with lack of funding the top challenge to adequate protection, followed by concerns that preventative security will slow down the business.

Survey respondents also indicated it is difficult to operationalize cloud workload protection solutions, with 79% of IT leaders agreeing that agent-based security solutions are difficult to operationalize in the cloud.

Meanwhile, 88% of IT leaders said they think bringing network security appliances to the cloud is challenging to the cloud computing operating model and 90% of IT leaders said open network paths to cloud workloads from the public internet can create security risks. 

Free and open source software (FOSS) will continue to present a risk to organizations as hackers focus on exploiting security flaws in the code, a report from Moody’s Investors Service found.

In the case of Log4j, for example, three to five years could elapse before organizations are finished patching security flaws, and with recent estimates indicating open source makes up 80% to 90% of the average piece of software, the persistent security threats FOSS presents is significant. 

 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 243 posts and counting.See all posts by nathan-eddy