Revealed: Five Steps for Reducing Your Cloud Attack Surface
Today’s network perimeters are growing at a rapid rate and require multi-layered, strategic protection, writes Rahil Ghaffar, Director, Sales for Middle East & Africa at Virsec
The unique challenges of the pandemic propelled many organisations towards digital transformation. In turn, the global business landscape has witnessed mainstream migration to the cloud.
But as more organisations scale to meet the demands of a hybrid workforce model, more cloud services inherently increase the attack surface. A study by McAfee found almost 3.1 million external attacks on cloud user accounts throughout 2020.
As attack opportunities proliferate, it’s vital that companies minimize external exposure to their cloud environments. Let’s take Amazon Web Services (AWS), the leader in cloud infrastructure services, as an example.
When the public cloud emerged, it reimagined how businesses deployed infrastructure and forced companies to rethink security for this highly dynamic environment. Cloud native security solutions, such as security groups and network access control lists (NACLs), offer an immediate level of protection at no cost and with nothing to deploy.
For example, organisations can use security groups to restrict traffic based on IP addresses. They can quickly and easily microsegment the environment and secure east-west traffic to restrict lateral movement once an adversary is inside. And these security solutions will scale to the size of any environment transparently.
A nuanced picture
But while these strategies may sound straightforward, the real picture is more complex. One reason AWS is so popular is because of the many different services offered for consumption – 285 in total. Some of those services create more attack surface. So, with the right credentials combined with loose security policies and a growing list of interconnected services, an attacker has many avenues to take advantage of.
Put simply, the network perimeter from the pre-cloud era is now just one of many. As enterprises move to the cloud they must protect four additional perimeters, because one successful penetration on the right resource can lead to a major incident.
- Data perimeters can allow unauthorized users to read, modify, delete, or download your private data directly from the internet.
- Compute perimeters can allow external entities to run code in your environment, exploiting software vulnerabilities to compromise workloads.
- Messaging perimeters can allow external entities to receive and send messages to private systems that can trigger code or transport malicious payloads to downstream applications.
- Identity perimeters can allow external entities full control over your virtualized data center when privileged Identity Access Management (IAM) users, roles, and access keys are compromised.
5 ways to protect your attack surface
While cloud-native tools are imperative for network protection, it’s also vital to employ security best practices. Here are five steps to reduce your cloud attack surface.
- Deploy sufficient network segmentation and security. Establish security zones in each of your environments and allow traffic through the firewall for only what is needed and scoped. At a minimum, have a separate virtual private cloud for each application and environment, but also consider assigning each application environment (development, staging, and production) its own cloud account.
- Take advantage of the principle of least privilege. Assign access and resources with purpose. For instance, a developer just deploying code should not have administrative rights across the entire cloud account. Nor should a developer have continuous access to a production environment. Give them exactly what they need and nothing more. There are tools available to help scope accounts and users appropriately.
- Minimise the install base on computer resources. Install what you need, remove what you don’t. For example, with containers, only install the packages and libraries that your application needs to run. Anything superfluous an attacker can use against you.
- Patch software to fix vulnerabilities. Patching is essential but it doesn’t address every vulnerability. It is dependent on the vulnerability having been seen in the wild; if you have a version of software that has a zero-day threat, it does nothing for you. And, once a patch is published, it’s a race against time to patch it before an attacker has an opportunity to find and exploit that vulnerability in a system.
- Stop attacker-influenced code with runtime protection. True runtime protection acts as a safety net. It enforces what your application should be doing and stops what it shouldn’t be doing in real-time – before an attack happens. Adversaries are blocked before they can exploit a software vulnerability, known or unknown, or take advantage of misconfigurations, outdated security policies, improperly scoped access rights, and insufficient identity or credential management. Dwell time is non-existent, so threat actors never have a chance to install malware or exfiltrate data. And you gain air cover and time to make updates, while still being protected.
While today’s attack surface is expanding at an unprecedented rate, taking the right precautionary steps will considerably mitigate risk and protect your business.