Cloud Attack Surface Expands, Putting Pressure on Enterprise Security

Organizations are overwhelmed with devices and applications in their environment due to lack of management and control, and this expansion of the cloud-based attack surface threatens to overwhelm enterprise IT security.

Findings from JupiterOne’s State of Cyber Assets Report (SCAR) revealed digital assets increased by 133% year-over-year to an average of 393,419 in 2023 from 165,000 in 2022, while organizations also saw the number of security vulnerabilities jump by 589%.

While the proliferation of distributed cloud architecture has significantly enhanced resilience in the face of cyberattacks, the exponential growth of such architecture has given rise to an unparalleled level of intricacy for cybersecurity teams.

These teams must now confront a multitude of assets, non-uniformity across cloud service providers (CSPs) and the pressing need for integrated cybersecurity intelligence.

Darren Guccione, CEO and co-founder at Keeper Security, pointed out the skyrocketing number of endpoints has made it increasingly difficult for IT and security professionals to keep up with emerging threats and vulnerabilities.

“IT leaders are finding it increasingly difficult to gain comprehensive visibility, security, compliance and control—to protect every employee on every device from every location,” he said. “In the cloud, all it can take is one click for a threat actor to gain access to an entire organization if data is not properly protected and secured.”

He added that the expanding attack surface is particularly concerning, with cyberattacks on the rise and IT security teams competing for talent as macroeconomic conditions are tightening budgets.

“The traditional IT perimeter has vaporized, dramatically increasing the attack surface,” he explained.

The mass migration to distributed remote work environments has radically increased the number of endpoints, the number of remote locations such as home offices and, correspondingly, the sheer number of websites, applications and systems that require identity verification, access and full end-to-end encryption.

“Organizations should focus on implementing modern, elegant and pervasive cybersecurity solutions that seamlessly integrate with identity solutions in order to provide enterprise-wide visibility, security, reporting and control,” Guccione said.

Lift and Shift Is Part of the Problem

Timothy Morris, chief security advisor at Tanium, said the “lift and shift” mentality toward cloud adoption may be another part of the problem.

“Practitioners have spent years developing security and monitoring processes for on-premises systems that typically do not easily translate to a cloud environment,” he said. “As such, security and config management can lag behind.”

From his perspective, security needs to be in the equation at the very outset of the application development process.

“There needs to be a push to find clarity as to what devices reside on the network while ensuring security measures are up to date,” he added.

Mike Parkin, senior technical engineer at Vulcan Cyber, said the most concerning takeaway is that the ever-growing number of assets is not being matched by an increase in technical resources.

“This puts a greater strain on security operations personnel, leading to reduced effectiveness and burnout,” he said. “As the number of assets goes up and the number of tools the teams use to monitor the assets goes up while their headcount remains constant, they’ll eventually hit a limit.”

He noted that, while there are tools that can help consolidate all the other assets and help with risk management, it’s likely that the long-term solution is a combination of better tools and more qualified security professionals.

“It’s unlikely that the number of assets will go down anytime soon, which means IT security teams will need to find improvements in efficiency to stay ahead of the growth,” Parkin said. “There are usually improvements to be found in better tools and processes.”

While that can keep IT security pros ahead of asset growth to a point, eventually it will take more qualified people to match the load.

Attack Surface Management Starts With People

Guccione said IT security teams should also consider their own password and secrets management policies.

He explained this is a pervasive problem, pointing to a 2022 U.S. Cybersecurity Census report which found that nearly a third of organizations allowed their employees to create their own passwords and share passwords using insecure means.

“To add an additional layer of security, we recommend every user create strong and unique passwords and enable MFA when and wherever possible,” he said. “To achieve this, it is essential to use a password manager as a first line of defense.”

This will ensure employees are using high-strength random passwords for every website, application and system and, further, will enable strong forms of two-factor authentication, such as an authenticator app, to protect against remote data breaches.

“Organizations large and small should implement a zero-trust security architecture with the principle of least privilege to ensure employees only have access to what they need to do their jobs,” Guccione added.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
