The challenge is that the cloud is not really some nebulous thing that just exists. Instead, the cloud is just like an on prem setup, it is just much larger and exponentially more complex. They have patching cycles, vulnerability scans and due to their proprietary software and design, they have vulnerabilities that are specific to their services. They must maintain staff to ensure they are operational, provide customer support and even ensure security for their core products and services. Every cloud service provider wants to be profitable so, just like other organizations, cloud service providers are looking to keep their total ownership costs reasonable.
Cloud services also represent a target for attackers are they are a nicely concentrated target arena. By targeting Microsoft, Google, Amazon, Atlassian, etc. an attacker can potentially have a much bigger payoff when they identify an exploitable vulnerability, especially ones that related to authentication or access. Once an attacker has credentials, either through a phishing campaign or purchase from an IAB marketplace, they still need to ensure they can get around any additional authentication requirements. The ideal scenario would be to compromise both the user endpoint and their mobile device containing the 2nd authentication factor. However, this is not always possible or feasible. The attack efforts shift to identifying ways of getting around this.
Another wrinkle to cloud service providers. If there is a vulnerability found that is specific to a proprietary service, there is no CVE assigned and no way to track disclosure or the fixes for the identified vulnerability. An example of this is the recent discovery and disclosure of the Azure ExtraReplica bug. It was identified back in January by cloud security group Wiz. They found two vulnerabilities in Microsoft’s Flexible Server deployment option for Azure Database when using PostgreSQL. The two flaws allowed an attacker to by-pass authentication requirements and execute arbitrary code via an attacker-controlled database instance. The bugs were disclosed to Microsoft on January 11th, 2022, Microsoft said they fixed one bug on January 13th. They did not complete the fix rollout until February 25th.
If the news about this was not widely reported (as it should be after responsible disclosure) it would only have been tracked by an internal Microsoft ticket. This ticket would have been tracked by the Microsoft Security Response Center and might never have been widely known. The same thing happens with most cloud service providers. If a researcher reports a bug in their internal proprietary systems, they are only tacked internally, not publicly. Yes, if the bug is big enough, there will be news about it but once the news cycle ends, the bug will often fade from memory with nothing allowing someone to search for and track items around it.
Where are we going with all of this? Well in simple terms, we are saying that while cloud services do represent a cost-effective solution to maintaining infrastructure, they are not fire and forget solutions. Because of the proprietary nature of cloud services subscribers are far too often in the dark about what is going on in the background. They are unaware of how maintenance is conducted, change control around these maintenance items (think the Atlassian maintenance debacle). They are also far too often unaware of vulnerabilities that are identified and unable to track them as they can with other software-based vulnerabilities (via CVE numbers). This “shadow” IT and IT security part of cloud services makes security in the cloud a concerning item and one that users of these services should be very aware of. It means that users/subscribers need to more actively monitor and ensure on their own, outside of the cloud service providers internal tools. As we have said before, the new distribute infrastructure of the modern business did not reduce the attack surface, it expanded it, it has created a target rich environment for attackers who can now leverage several vectors to compromise an organizations environment. The user, the endpoint, the mobile device, and the cloud service; all are part of what needs to be protected now.
Securing this is not easy, but also not impossible. The biggest challenge is a shift in mindset and the way tools are implemented across the environment. With more and more remote workers, organizations need to ensure that every endpoint is secure (including mobile devices). This means, vulnerability scanning for every endpoint, remote patching on every endpoint, identity protection (again on every endpoint). This means that the tools used need to move off prem and into the cloud so that there is accurate tracking and protection of those distributed devices. Next you need to monitor everything about your cloud services that you can as if it were internal and including the same items that you are leveraging for your endpoints (vulnerability scanning, anti-malware, identity protection, etc.).
Cloud services were meant to help reduce cost and they do that. However, they were never intended to reduce the need for security. If anything, they have made it more important to have the right tools, configured properly, in place to protect your cloud assets.