Analysis of Datadog's 2024 State of Cloud Security Report

2024 State of Cloud Security: Analysis of Emerging Threats

Strategic Context

The cloud security landscape is undergoing a rapid and complex transformation. Datadog’s annual report provides an in-depth look at current risk dynamics and reveals concerning trends in identity and access management. IAM, and more specifically permission management, is a major concern in cloud computing; let’s see why.

In-depth Access Analysis

Scale of the Problem

Compromised credentials now represent the primary vector of compromise in cloud environments. On pages 13 and 14 of the report (Fact 6: “Most cloud incidents are caused by compromised cloud credentials”), here is what we find:

  • 74% of cloud incidents are caused by compromised identities
  • Average cost: $4.8 million
  • Median detection time: 280 days

I regularly have the opportunity to investigate compromised environments in my work, and sometimes a company discovers that its data has been exfiltrated for several years… To protect yourself, it’s quite simple in theory (but complicated to implement):

  • Apply the principle of least privilege
  • Regularly rotate the permanent access keys of your IAM users
  • Avoid IAM users like the plague; favor federated access that issues temporary (STS) credentials instead
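The three rules above are easy to state but hard to keep true over time, so the check has to be automated. As an added example (not code from the post, and not an official tool), here is a small triage of the AWS IAM credential report: it flags console users without MFA, active access keys older than a rotation threshold, and keys that are never or no longer used. The column layout is the one returned by `aws iam get-credential-report`; the rows are constructed sample data, the 90-day threshold is an assumption, and the fixed `NOW` only exists to keep the example reproducible.

```python
"""Triage an AWS IAM credential report for the hygiene points listed above.

Added example, not code from the post. The column layout is the one returned by
`aws iam get-credential-report` (a base64-encoded CSV); the rows below are
constructed sample data, not a report from a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: a root account, a CI user with a 3-year-old key,
# a console user without MFA holding a never-used key, and a user with one
# fresh key and one dormant key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2019-03-01T09:00:00+00:00,not_supported,2024-02-10T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2021-06-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-01T09:05:00+00:00,2024-06-14T22:10:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T09:00:00+00:00,true,2024-06-13T07:30:00+00:00,2024-05-01T09:00:00+00:00,2024-07-30T09:00:00+00:00,false,true,2024-05-20T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2022-09-15T09:00:00+00:00,true,2024-06-10T07:30:00+00:00,2024-06-01T09:00:00+00:00,2024-08-30T09:00:00+00:00,true,true,2024-06-01T09:00:00+00:00,2024-06-14T11:00:00+00:00,us-east-1,ec2,true,2023-11-01T09:00:00+00:00,2023-12-05T16:00:00+00:00,us-east-1,sts,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value)


def triage(report_csv, now=NOW, max_age_days=90):
    """Return (user, finding) pairs for credentials that violate the hygiene rules."""
    horizon = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # MFA only matters where a console password exists; API-only users have none.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root account has an active access key ({n})"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or rotated < horizon:
                findings.append((user, f"access key {n} older than {max_age_days} days: rotate or replace with federated access"))
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} is active but has never been used: delete it"))
            elif last_used < horizon:
                findings.append((user, f"access key {n} unused for more than {max_age_days} days: delete it"))
    return findings


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

Run it as-is to see the five findings on the sample data; in a real account, pipe the decoded output of `aws iam get-credential-report` into `triage()` and schedule it, because a key that was fine last quarter is the one that leaks next year.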

Sophisticated Attack Mechanisms

Attack techniques are becoming increasingly sophisticated and, above all, original, exploiting the native capabilities of the cloud platform itself.

  1. Identity Pivoting. Attackers use techniques such as:
    • Generation of federation tokens (sts:GetFederationToken) to pivot from a compromised credential
    • Enumeration of Amazon SES services (SNS and SMS services are also targeted in my experience)
    • Reselling access on secondary markets
  2. Cryptomining and Resource Hijacking
    • Creation of ECS clusters dedicated to mining
    • Opening AWS support cases to raise service quotas so that more compute can be launched

In short, beyond the exfiltration of your data, which you should assume by default, attackers will damage your reputation and run up the cloud consumption bill charged to your credit card…

You will find these details on page 13 of the report.

Risk Distribution by Cloud Provider

Comparative Analysis

Perhaps surprisingly, attack patterns differ by platform (also on page 13 of the report):

  • AWS: Primary platform for compromise (the wealth of services and the existence of those famous unprotected permanent access keys must have a lot to do with it)
  • Microsoft 365: Access techniques via OAuth (thanks Entra ID…)
  • Google Cloud: Emerging threat of access via VPN/Tor (perhaps a heads-up for GCP teams in charge of monitoring network traffic?)

Strategic Recommendations

Identity Governance

In terms of IAM, as mentioned above, Datadog’s recommendations are unsurprising:

  1. Limiting Permanent Credentials
    • Avoid static IAM users
    • Use federated authentication mechanisms
    • Implement short-lived credentials
  2. Multi-Factor Authentication
    • Enforce MFA across the board
    • Use of mechanisms like AWS IAM Identity Center, which federates access and hands out temporary credentials

For MFA, I would also highlight the importance of enforcing it on every access path, console access included!

Monitoring and Detection

On pages 28 and 29, we find recommendations on monitoring and detection:

  • Deployment of identity monitoring solutions: CIEM (Cloud Infrastructure Entitlement Management), normally included in your CNAPP, is not optional!
  • CloudTrail log analysis: check what CloudTrail actually records (management events alone will not show S3 object reads or Lambda invocations, which are data events and are off by default) and, above all, validate that detection use cases are actually wired to those logs
  • Monitoring API changes: new attack paths appear with new services and API methods, so keep a close watch
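To make the “detection use cases” point concrete, here is an added example (not code from the post, and not Datadog’s detection content) that turns the attack mechanisms described earlier into a small correlation rule over CloudTrail records: the SES/SNS enumeration, the federation-token pivot and the ECS/support-case resource hijacking are each an atomic signal, and an alert fires when one credential produces signals from at least two of those categories inside a sliding window. The eventSource/eventName pairs are real AWS API names; the window, the threshold and the sample events are constructed assumptions.

```python
"""Toy CloudTrail detection for the credential-abuse patterns discussed above.

Added example, not code from the post or from Datadog. The eventSource/eventName
pairs are real AWS API names; the alert thresholds and the sample events are
constructed for illustration and do not come from a real account.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Atomic signals: (eventSource, eventName) -> "category: description".
# The category prefix is what the correlation step counts.
RULES = {
    ("sts.amazonaws.com", "GetFederationToken"): "identity pivot: federation token minted from a compromised credential",
    ("ses.amazonaws.com", "GetSendQuota"): "recon: SES sending quota enumeration",
    ("ses.amazonaws.com", "ListIdentities"): "recon: SES verified identities enumeration",
    ("sns.amazonaws.com", "GetSMSAttributes"): "recon: SNS SMS capability enumeration",
    ("ecs.amazonaws.com", "CreateCluster"): "resource hijack: new ECS cluster",
    ("support.amazonaws.com", "CreateCase"): "resource hijack: support case opened (quota increase)",
    ("servicequotas.amazonaws.com", "RequestServiceQuotaIncrease"): "resource hijack: service quota increase requested",
}

# Constructed sample events, trimmed to the CloudTrail fields the rules read.
SAMPLE_JSONL = """\
{"eventTime": "2024-06-14T22:10:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2024-06-14T22:10:05Z", "eventSource": "ses.amazonaws.com", "eventName": "ListIdentities", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2024-06-14T22:10:30Z", "eventSource": "sns.amazonaws.com", "eventName": "GetSMSAttributes", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2024-06-14T22:12:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2024-06-14T22:30:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2024-06-14T22:31:00Z", "eventSource": "support.amazonaws.com", "eventName": "CreateCase", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2024-06-14T09:00:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.20", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/PlatformAdmin/bob", "accessKeyId": "ASIAEXAMPLE000000002"}}
{"eventTime": "2024-06-14T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.21", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice", "accessKeyId": "AKIAEXAMPLE000000003"}}
{"eventTime": "2024-06-14T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.22", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops", "accessKeyId": "AKIAEXAMPLE000000004"}}
"""


def load_events(jsonl):
    """Parse newline-delimited CloudTrail records (one JSON object per line)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def match_event(ev):
    """Return the rule label for an event, or None if it is not a known signal."""
    return RULES.get((ev.get("eventSource"), ev.get("eventName")))


def detect(events, window_minutes=60, min_categories=2):
    """Correlate signals per credential: alert when one access key hits at least
    min_categories distinct categories inside a window_minutes sliding window."""
    hits = defaultdict(list)
    for ev in events:
        label = match_event(ev)
        if label is None:
            continue
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId") or ident.get("arn", "unknown")
        hits[key].append((event_time(ev), label, ev))

    alerts = {}
    window = timedelta(minutes=window_minutes)
    for key, signals in hits.items():
        signals.sort(key=lambda s: s[0])
        for i, (t0, _, _) in enumerate(signals):
            in_window = [s for s in signals[i:] if s[0] - t0 <= window]
            categories = {label.split(":")[0] for _, label, _ in in_window}
            if len(categories) < min_categories:
                continue
            alerts[key] = {
                "principal": in_window[0][2]["userIdentity"].get("arn"),
                # AKIA... = long-lived IAM user key, ASIA... = temporary STS credential
                "long_lived_key": key.startswith("AKIA"),
                "first_seen": t0.isoformat(),
                "categories": sorted(categories),
                "signals": [label for _, label, _ in in_window],
                "source_ips": sorted({s[2].get("sourceIPAddress", "?") for s in in_window}),
                "denied_calls": sum(1 for s in in_window if "errorCode" in s[2]),
            }
            break
    return alerts


SAMPLE_EVENTS = load_events(SAMPLE_JSONL)

if __name__ == "__main__":
    for key, alert in detect(SAMPLE_EVENTS).items():
        print(key, json.dumps(alert, indent=2))
```

On the sample data only the long-lived `ci-deploy` key alerts (recon, then a federation token, then an ECS cluster and a support case within twenty minutes); the assumed-role creation of a cluster by bob and alice’s single denied `GetFederationToken` stay below the threshold, which is the point of correlating rather than alerting on every individual API call. Note that if the recon calls are themselves denied, `errorCode` is still present in the record, so the denied attempts count as signals and are reported in `denied_calls`.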

Conclusion

The cloud continues its transformation, and the security mechanisms that come with it keep growing in complexity. It’s sometimes scary, but we have to accept it and get on board. To do this, it is essential to reconsider your processes and defense mechanisms in light of cloud computing, rather than trying to bend your cloud security to fit your existing processes… Cloud security is no longer a choice but a strategic necessity, involving continuous cultural and technological transformation.
