Securing the cloud

AWS said most-privileged users, and eventually more account types, will be required to use multifactor authentication beginning in mid-2024. The move makes the cloud giant the first of the three major hyperscalers to commit to MFA baseline controls by default.

“AWS is further strengthening the default security posture of our customers' environments by requiring the use of MFA, beginning with the most privileged users in their accounts,” Amazon CSO Steve Schmidt said in a blog post.

“Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed,” Schmidt said. Root users have complete access to all AWS services and resources in the account.

AWS, Microsoft and Google allow administrators to set MFA as a requirement for specific users, but the authentication mechanism which is already widely considered a basic cybersecurity control has not previously been required by default. All three hyperscalers highly encourage customers to use MFA.

Federal cyber authorities are pushing to shift the responsibility for security in technology products and services to manufacturers and vendors. Cloud providers are central to that effort to ensure products are secure by design and default.

An MFA mandate for for all privileged users is one of the secure-by-default tactics recommended by cyber authorities in the U.S. and six other nations.

“Whether or not to require MFA to access cloud resources gets at the heart of the security challenges in the shared responsibility model for the public cloud,” Lee Sustar, principal analyst at Forrester, said via email.

MFA use has been viewed as a customer decision, but the company’s commitment to impose a mandate shows “AWS has decided that it is in the best interest of both themselves and their customers to make MFA a core part of cloud security,” Sustar said.

AWS’ closest cloud competitors are reacting to the news in different ways, as the largest cloud providers race to improve default security controls.

Google said it will mandate MFA for some accounts before the end of this year, a commitment that puts it ahead of AWS’ plans.

"Starting later this year, in a phased approach, select administrator accounts of our resellers and largest enterprise customers will be required to add [two-step verification] to their accounts to strengthen their security,” a Google spokesperson told Cybersecurity Dive.

“We're constantly evaluating the security of our customers and users and will continue to adjust our policies based on the level of risk,” the spokesperson said.

Google required consumers to use two-factor authentication starting in late 2021, but this marks the first such mandate for enterprise cloud customers.

Microsoft isn’t changing course yet. “Microsoft does not require MFA for commercial customers,” a company spokesperson told Cybersecurity Dive.

“However, in the last two years, we began enabling security defaults for all new Azure AD customers (including customers of the Azure AD free tier), and recently began enforcing security defaults to customers who haven’t enabled MFA or rolled out their conditional access policies yet,” the Microsoft spokesperson said.

Mark Ryland, director of Amazon Security, said the cloud provider is announcing this move now to provide customers adequate time and resources to enable MFA.

“Customers have been able to use MFA for their root users in AWS for a long time. However, historically the use of MFA has been optional,” Ryland said. “What is changing is that we will be gradually enforcing the use of MFA for AWS Console access, starting with the most privileged users.”

While a steady pace of phishing attacks against identity-based authentication shows the extent to which MFA defenses can crumble, even under unsophisticated tactics, AWS supports many forms of MFA, not just the phishing-resistant variants.

“While we strongly recommend phishing-resistant forms of MFA like security keys, any form of MFA is better than no MFA at all, and we encourage everyone who is currently using password-only authentication to adopt some form of MFA,” Ryland said.

AWS said it will expand this mandate throughout 2024 to additional scenarios such as standalone accounts.

“We at CISA are excited by AWS’ announcement strengthening the default security posture of their customers by beginning to require them to use MFA. MFA is an important security feature that we encourage all users to implement to practice better cyber hygiene,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said via email.

“CISA is also working with technology manufacturers to encourage them to develop products that are secure by design, shifting the burden from the user to the companies and manufacturers who are best equipped to understand and safeguard risks. This is an example of a company doing just that,” Goldstein said.

Cloud-related threats are the top cyber concern for organizations that have adopted the technology, according to a PwC report. The accounting and consulting firm surveyed 3,876 senior business and technology executives.

Security concerns intensify for organizations with multiple clouds or hybrid infrastructures, the report found. More than half of respondents in this category cited cloud as their most pressing cyber concern and more than one-third said their organization prioritized cloud for security investments over the next year.

Despite the focus on cloud security, nearly every organization had risk management lapses. Nearly one-third of respondents had yet to address disaster recovery and backup with their cloud service provider and more than 2 in 5 pointed to in-house cloud skills gaps as a lingering risk factor.

Migration to public cloud offers the promise of enhanced security, as workloads shift from legacy systems to modernized infrastructures where risk is shared.

But cloud security isn’t automatic. A robust defense requires a level of planning and coordination that may be overlooked in the rush to adopt the technology, especially as ecosystems grow beyond the reach of IT.

“Overall, cloud is more secure, if done right,” said Matt Gorham, Cyber & Privacy Innovation Institute leader at PwC. “But then you need to parse out securing the cloud versus securing your instance in the cloud, which are two separate things.”

Cultivating the in-house knowledge, tools and governance needed to manage cloud deployments requires investments of time and resources many enterprises have yet to allocate. Large companies, where the stakes of a breach are highest, tend to perform better in these areas, Gorham said.

“The top performers are likely to be more optimized and simplified in their tooling and approach to security,” said Gorham.

Instead of deploying multiple best-in-class security solutions, enterprises are better off settling on one integrated system that can be more easily mastered, according to Gorham. 

“Having a simple environment allows you to invest in other things,” he said. “It gives you a better view of what's going on in your system and allows you to prosecute alerts in ways that aren’t always clear when you have a collection of various tools.”

Streamlining has already begun. While 15% of respondents indicated no current plans to simplify cyber operations, 44% said their organization already uses an integrated toolkit and another 39% are moving in that direction in the next two years.

Less mature organizations are also less likely to use off-the-shelf security features available from their cloud provider, Gorham said, or to have a tech leader with C-suite clout.

“If you're a CISO or CIO and you’re reporting up high, and you're having frequent interactions with the board, there's going to be a much greater focus on cyber risk,” Gorham said.

As banks target core systems for cloud migration, difficulty sourcing cloud talent is a major risk factor, Accenture’s annual banking cloud report found.

Banks perceive core migration as high-risk for several reasons, the report said, including "a lack of staff with cloud expertise to manage these core functions and the difficulty of recruiting the required skills in the current environment."

Public cloud adoption represents both a security upgrade and a risk factor — a paradox reflected in the banking industry’s mixture of enthusiasm and reticence toward cloud adoption.

The complexity of cloud deployments coupled with shortages of technical expertise leads to misconfiguration errors, one of the more common causes of security lapses, according to a report published last month by the U.S. Department of the Treasury on cloud adoption in financial services.

“When configured correctly, public cloud services can provide an environment that is resilient and secure,” the report said. “But the resilience and security of any particular cloud service can and will vary depending on the vendor and service, as well as how each service is configured, provisioned, and managed.”

Patch management is a particular point of weakness, Jason Malo, banking and financial services research manager at consulting firm Gartner, told CIO Dive.

“When you look at the incidents that have happened over the last few years, it’s rarely a major denial of service or hacker attack,” Malo said. “It’s usually that someone didn't patch a web application firewall with a known exploit.”

Migration advances

Nevertheless, cloud adoption in the financial sector accelerated last year, Accenture found.

Cloud workloads as a percentage of total storage and compute nearly doubled, reaching a weighted average of 15%, compared to just 8% in 2021, according to the IT services and consulting firm, which analyzed nearly 100 banks.

Migration of core banking systems continued to lag but picked up momentum. The percentage of core functions in cloud more than doubled, with banks running 7% of these workloads in cloud environments, up from 3% in 2021.

For banks, as in many other sectors reliant on legacy systems, the cloud journey began with the easiest-to-shift enterprise applications and then moved to backend IT.

Nearly 4 in 5 banks rely at least partially on public cloud infrastructure for enterprise systems, including applications for sales, marketing, human resources and finance. Yet 85% of workloads remain on-prem, trapped in complex legacy systems, according to Accenture.

Collaboration software and workplace applications have led the migration charge, with more than half of workloads now cloud-based, a year-over-year increase of 15 percentage points, the report said.

IT and operations workloads experienced an even larger bump, growing by 16 percentage points, although that still leaves nearly two-thirds of workloads on-prem.

The security paradox

Despite these advances, core migration remains fraught.

“The perception of reduced security in the cloud is a challenge for many organizations,” Cenk Ozdemir, cloud and digital lead at technology consulting firm PwC, told CIO Dive in an email. “But contrary to popular belief, moving to the cloud may generally increase security as cloud providers are spending more time and money on cybersecurity.”

Integration with core applications and legacy systems complicates cloud adoption. The knowledge required to shift workloads without disrupting operations or exposing systems to security risks can be difficult to source.

In addition to on-prem systems, 7 in 10 banks use multiple cloud service providers, Accenture found. This brings further complexity to the ecosystem and ups the ante for upskilling and talent recruitment.

Most banks are adopting more than one CSP, and knowledge of one cloud ecosystem doesn’t necessarily translate to others, Malo said.

Companies have to redefine governance and operating procedures in order to take advantage of cloud scalability, said George Haggar, U.S. financial services technology risk offering leader at EY.

“Organizations need to operate differently to take advantage of the strengths of cloud,” Haggar said. “It’s not just applying what they do currently to the on-prem environments in a cloud context — that won’t work.”

CSPs have a role to play as well, providing financial institutions with greater transparency regarding operational incidents, supply chain risk and testing resilience, the Treasury report noted.

To ease cloud adoption, CSPs need to provide banks with resources and tools to overcome talent shortages. 

Banks have to be prepared to answer to regulators, regardless of enterprise architecture. “If the banks can’t answer compliance questions, it creates issues and the cloud providers certainly don’t want to find themselves in the middle of an audit,” Malo said.

CSPs may offer risk-mitigating industry cloud solutions, but accountability for security rests in the financial sector, not in Silicon Valley.

“Banks can outsource their technology stack,” Malo said. “What they can’t outsource is their responsibility to the data and their customers.”

More than 3 in 5 compromises in the cloud during Q1 2023 were directly linked to poor access management, according to research from Google Cloud.

About 55% of all cloud compromises analyzed by Google Cloud’s incident response teams during the quarter were the result of weak or nonexistent passwords, the company said in its Threat Horizons Report. Leaked credentials accounted for 7% of cloud compromises.

The remaining cloud compromises were associated with misconfigurations, sensitive user interfaces or exposed APIs and software vulnerabilities, according to the report.

Google Cloud’s research underscores a persistent theme across the cyber landscape: Access is critical.

Account credentials are at the root of most cyber intrusions, including attacks on critical infrastructure networks and state and local agencies, the Cybersecurity and Infrastructure Security Agency said in its annual risk and vulnerability assessment last week.

Valid accounts, including former employee accounts not removed from Active Directory and default administrator credentials, were responsible for 54% of all attacks studied by CISA.

​​“Gaining initial access to an organization’s network is the first step in a successful attack,” CISA wrote in its analysis. “If threat actors establish initial access, then they could execute other techniques such as privilege escalation to ultimately steal information.”

Stronger identity management guardrails could address the credential issues that remain a consistent challenge for organizations, Google Cloud said in the report.

There’s a good chance that someone in your organization is hoarding data. 

More likely, everyone in the company is holding on to files, emails and other bits of information they don’t need now, but think they might need someday. 

Data hoarding presents a huge security risk because it creates a large attack surface, which is difficult to protect. Making things even more complicated — and risky — is the issue that most hoarded data is forgotten data. 

There is so much information tucked into folders across multiple devices that the average user has no idea what is stored. 

When an organization has little visibility into the data in its possession, it becomes even more vulnerable to data leaks, breaches, and both insider and external threats. 

There are two primary reasons why data hoarding is increasing as a threat risk: the low cost of storing data in the cloud and the hybrid/remote workforce. 

Cloud computing makes data storage scalable and readily accessible. More than 85% of companies store some or all of their data in the cloud, according to a Blancco study. The research is based on a survey of more than 1,800 data retention and disposal decision makers. 

And it is a lot of data they are keeping. Many organizations have long-standing policies to keep their data forever, said Russ Ernst, CTO with Blancco. It’s a move that many cloud providers encourage, and because cloud storage is cheap, it is easier than ever to store everything indefinitely. 

In hybrid workplaces, employees depend on having data available to them wherever they are working and on whatever device they are using. Not only is more data being kept in the cloud for those purposes, but now corporate data is being stored on personal computers, phones and tablets, commingling with personal data. 

This is causing an uptick in duplicate data stored on premise and in the cloud.

Policy changes

This move to a hybrid workforce has brought new attention to the need for updated policies around data security. The majority of organizations, 4 in 5, say the hybrid workforce increased the need for security training around the storage and use of data, according to a study by Code42.

“In the normal course of business, people are collecting and keeping more data,” said Joe Payne, president and CEO of Code42.

However, when people are working remotely, they aren’t following normal security protocols, and that includes keeping data that should be taken to the end of its lifecycle.

Having a lot of data isn’t the problem as much as not having visibility into what the data is. The reasons companies tend to keep everything is because they don’t know what value that data will hold in the future, said Ernst.

“But there’s only a small portion of that data that has value,” said Ernst. The rest is redundant, obsolete, or trivial, but it's all kept because one day, someone might need something from one of those files.

Keeping data that lacks value isn’t necessarily a bad thing, as long as you have full visibility into everything — critical data, active data, and data in long-term storage. Organizations should have policies in place to define critical data, how to determine what data to store and for how long, and what data should be disposed. 

The greatest risk to data, however, is the employees. Many workers find destroying data abhorrent, said Payne, so they will hoard data outside the company perimeters. 

“Most organizations don’t have good visibility to watch how data moves outside the company,” said Payne. 

Managing data hoarding

The vast majority of data in any company is forgotten data, said Ernst. You might think you know what you have on hand, but as soon as you wade into the data lake, you discover it is a swamp filled with unknown holes of information. 

To make sense of what you have, Ernst suggested starting fresh. “Enforce policies on new data; it is easier.”

Compliance regulations should also act as a guide on how to determine policies on how to protect the data you should have on hand and how to best discover and dispose of the forgotten and obsolete data.

What you keep and what you dispose of tends to be a mix of business policy, regulatory requirements, and best practices. To do this right, you need the right data lifecycle management strategy, according to Dimitri Sirota, CEO with BigID.

This is often easily managed with data retention strategies that will define what you should keep and what you should get rid of. 

“Data hoarding makes it more difficult to protect your data, maintain compliance, and can exponentially increase risk,” said Sirota. 

If you don’t have a way of identifying and finding the data that you have, you may have dark data, forgotten data, or shadow data, you are adding risks that can lead to costly data breaches and other cyber incidents.

AWS, Cloudflare and Google observed mass exploits of a novel zero-day vulnerability used to launch distributed denial of service attacks reaching a record-breaking scale, the companies said in October.

Security researchers warned threat actors are exploiting the zero-day vulnerability, HTTP/2 Rapid Reset, to launch a series of attacks. Observations of peak requests per second during the attacks varied widely between AWS, Cloudflare and Google.

Google said the attacks peaked at 398 million requests per second, surpassing the peak DDoS attack observed during 2022, which topped off at 46 million requests per second. 

The vulnerability is being tracked as CVE-2023-44487 and has a high severity CVSS score of 7.5, according to Google. 

“This zero day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Cloudflare CSO Grant Bourzikas said in a blog post.

The vulnerability allows attackers to make hundreds of thousands of requests and then immediately cancel them at a scale that overwhelms the site, according to Cloudflare.

Cloudflare said it was handling about 201 million requests per second at the peak of this series of attacks.

“One crucial thing to note about the record-breaking attack is that it involved a modestly-sized botnet, consisting of roughly 20,000 machines,” Bourzikas said.

AWS said it detected an unusual spike in requests  at 155 million requests per second Aug. 28-29. This new type of HTTP/2 request flood continued through the month of September, according to AWS.

Despite the spectacular nature of some of these attacks, HTTP/2 Rapid Reset remains just an optimization of an older attack method called asymmetric query attacks, according to David Holmes, a principal analyst at Forrester.

Due to the client/server nature of HTTP and most of the web, malicious clients can make very expensive requests using relatively very little compute power or packet space.

“Think about a malicious client requesting your largest PDF a hundred times a second for a couple of hours,” Holmes said via email. “The new rapid reset attack might allow the attacker to request that PDF a thousand times a second instead of a hundred, but either way your web server was going to be toast.”

The cloud is a key tool in shifting the burden of cyber risk away from small, under-resourced customers, Acting National Cyber Director Kemba Walden, said during a fireside chat at the AWS Summit Washington, DC. 

As the Biden administration inches closer to unveiling the implementation plan for the national cybersecurity strategy, Walden discussed the role cloud services will play in the effort to improve U.S. cyber resilience. 

While shifting the burden of risk is important, the last thing officials want to see is a catastrophic cyberattack against a cloud services provider, said Walden, speaking to David Levy, VP of U.S. government, nonprofit and healthcare at AWS. 

“So on the one hand, we want to encourage the shifting of risk to those that are more capable of handling it, and I would include cloud service providers in that space,” Walden said. “But on the other hand, we want to make sure that those cloud services are secure by design, at the end of the day.”

AWS, the largest cloud provider worldwide, released a blog post during the summit, to publicly back the administration’s efforts to create a more resilient national infrastructure. 

“We recognize that we operate in a complicated global landscape and dynamic threat environment that necessitates a dynamic approach to security,” Mark Ryland, director of the Office of the CISO at AWS said in the blog.

Cloud service providers may need to go a step further in making sure they meet minimum standards to ensure they are fully secure, Walden said. 

While financial services are already pretty well regulated, the acting director noted other sectors are not regulated at nearly the same levels.

“There are some industries that are going to need help raising baseline cybersecurity requirements and that is going to require regulatory work,” Walden said. 

In other cases, instead of regulatory changes there may be additional guidance, using regulatory authorities from sector risk management agencies. Industries like the cloud, will have to leverage that across various sectors, said Walden.