Extreme Compute’s Cloud Threat Landscape Report for 2021 showed an increase in cloud application vulnerabilities. Compromised on-premises resources being used to pivot into cloud resources are the leading cause of the vulnerabilities threat actors exploit. RDP (Remote Desktop Protocol) is used to access both cloud and on-premises resources.
Authentication flaws: The remotely accessed device uses password-based single-factor authentication. The risk increases if the same password is used for RDP and for device access. A lack of RDP password management leads to weak passwords.
Exposed ports: Threat actors know how to bypass firewalls and attempt RDP access, or launch on-path attacks, if TCP 3389 is not adequately managed.
Misconfigurations are a major cause of cloud and on-premises vulnerabilities; they come third behind phishing and compromised passwords. Config errors and omissions cost an average of $3.86 million. Common results of misconfiguration include:
- Unintentionally exposing data to the internet without authorization
- Public storage bucket access
- Incorrect network creation
- Providing all system users with unrestricted access to cloud data
- Passwords and keys exposed
- Compromise of Application Programming Interfaces (APIs).
Two-thirds of assessed incidents involved misconfigured APIs.
Credential compromise is one of the top two cloud attack vectors. Up to 30,000 cloud accounts are for sale on the dark web. Using only passwords or PINs to access cloud user and admin accounts allows threat actors to capture credentials. RDP credential compromise attacks are common. According to recent reports, 71 percent of for-sale credentials are RDP access to public cloud services.
Cloud shadow IT is a service or application used outside of regular IT security and change management processes. Managers become impatient waiting for IT to respond to business needs. Shadow IT thrives because policies, processes, and monitoring measures either do not exist or are ineffective. Because they receive no IT or security evaluation, shadow IT services frequently suffer from common cloud vulnerabilities such as inadequate authentication, lack of data limits, and lack of a comprehensive risk assessment.
From on-premises to cloud compromise.
One of the most common attack vectors is pivoting from compromised on-premises resources to cloud resources. Once an on-premises system is breached, the absence of network segmentation, shadow IT operations, misconfiguration, and other systemic weaknesses enable lateral movement across the network and into the cloud. These five cloud security issues are not isolated; they typically compound each other.
1. Managing the Issues
Businesses often invest time and money into protecting their on-premises networks. On the other hand, they seem to pay less attention to what happens in the cloud, both approved and unapproved.
2. Authentication issues and pivoting
On-premises resources are mirrored in the cloud. Cloud networks connecting to internal networks are high-risk trust zones. Managing traffic between the cloud and the data centre is required. There should be no trust between cloud resources and on-premises networks. This is the start of a zero-trust information processing environment.
The ZTN approach handles weak authentication and threat actors pivoting from compromised on-premises systems to the cloud. During a point-in-time authentication of a subject (the entity attempting access) to an object (the information resource being accessed), ZTN never assumes the subject is who or what it claims to be. Adaptive authentication and explicit trust zones are ZTN tools.

Login requests using adaptive authentication are checked for context. Context includes time, day of week, location, and device. Adaptive authentication can also be continuous and based on user behaviour: if the subject’s behaviour deviates too much from the baseline, they may be asked to authenticate again or be logged off.

Network segmentation creates clear trust zones around resources. Perimeter-to-server micro-segmentation using firewalls or VXLAN technology can be described as a step towards a zero-trust network. The resulting network segments are called trust zones. Moving from one trust zone to another may require re-authentication or stricter authentication. Consider ZTN for both on-premises and cloud infrastructure: moving from on-premises to cloud resources is also a transition from one trust zone to another.
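To make the adaptive authentication idea concrete, here is an added example (not code from the article or from Extreme Compute) of a point-in-time context check plus a continuous session re-check. The baseline, the sign-in contexts, the risk weights and the decision thresholds are all constructed and hypothetical; a real system would derive the baseline from observed sign-in history and tune the weights to its own risk appetite.

```python
"""Adaptive authentication: context scoring at login and continuous re-evaluation.

Added example, not code from the original article. Baseline, contexts,
weights and thresholds are constructed/hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime

ALLOW, STEP_UP, DENY, REAUTH = "allow", "step-up", "deny", "re-authenticate"


@dataclass(frozen=True)
class Baseline:
    """What 'normal' looks like for one subject (constructed for the example)."""
    usual_hours: range          # hours of day (UTC) the subject normally signs in
    usual_days: frozenset       # weekday numbers, Monday == 0
    usual_countries: frozenset  # ISO country codes seen on earlier sign-ins
    known_devices: frozenset    # device identifiers seen on earlier sign-ins


@dataclass(frozen=True)
class LoginContext:
    """Context captured at the point of authentication."""
    when: datetime
    country: str
    device_id: str


# Hypothetical weights: location and device anomalies count more than timing.
WEIGHTS = {"hour": 1, "day": 1, "country": 2, "device": 2}


def risk_score(ctx: LoginContext, base: Baseline):
    """Compare the login context with the baseline; return (score, reasons)."""
    reasons = []
    if ctx.when.hour not in base.usual_hours:
        reasons.append("hour")
    if ctx.when.weekday() not in base.usual_days:
        reasons.append("day")
    if ctx.country not in base.usual_countries:
        reasons.append("country")
    if ctx.device_id not in base.known_devices:
        reasons.append("device")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ctx: LoginContext, base: Baseline) -> str:
    """Point-in-time decision: allow, require a stronger factor, or deny."""
    score, _ = risk_score(ctx, base)
    if score == 0:
        return ALLOW
    if score <= 2:      # a single anomaly: ask for an additional factor
        return STEP_UP
    return DENY         # several anomalies: refuse and let the SOC look


def continuous_check(session: LoginContext, events) -> str:
    """Re-evaluate an established session as (country, device_id) events arrive.

    A change of device or country mid-session is treated as a large deviation
    from the authenticated context and triggers re-authentication.
    """
    for country, device_id in events:
        if country != session.country or device_id != session.device_id:
            return REAUTH
    return ALLOW


# Constructed baseline: a subject who works UK office hours on one laptop.
OFFICE_WORKER = Baseline(
    usual_hours=range(8, 19),
    usual_days=frozenset({0, 1, 2, 3, 4}),
    usual_countries=frozenset({"GB"}),
    known_devices=frozenset({"laptop-7f3a"}),
)

# Constructed sign-in contexts: 10 Nov 2021 is a Wednesday, 13 Nov a Saturday.
NORMAL_LOGIN = LoginContext(datetime(2021, 11, 10, 10, 0), "GB", "laptop-7f3a")
NEW_DEVICE_LOGIN = LoginContext(datetime(2021, 11, 10, 10, 0), "GB", "phone-0c2e")
ODD_LOGIN = LoginContext(datetime(2021, 11, 13, 3, 0), "DE", "laptop-7f3a")

if __name__ == "__main__":
    for ctx in (NORMAL_LOGIN, NEW_DEVICE_LOGIN, ODD_LOGIN):
        print(ctx.when, ctx.country, ctx.device_id, "->", decide(ctx, OFFICE_WORKER))
    print(continuous_check(NORMAL_LOGIN, [("GB", "laptop-7f3a"), ("DE", "laptop-7f3a")]))
```

The single-anomaly case (an unknown device during normal hours) gets a step-up prompt rather than a denial, which is what keeps adaptive authentication usable; the deny path is reserved for several simultaneous anomalies, and the continuous check covers the case where the session context changes after the initial decision.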
3. Using RDP
Some suggestions for managing RDP access include:
- Using MFA
- RDP software patching
- Authentication at the network level
- Using GPO to restrict RDP access
- Creating a lockout policy
- RDP over IPSec or SSH
Using RDP gateways can solve all of these issues.
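The exposure side of this list (TCP 3389 reachable from the wrong places, the case for an RDP gateway or an IPsec/SSH tunnel) can be checked mechanically. The following is an added example, not code from the article or from Extreme Compute: it audits a simplified, constructed security-group rule set and flags any rule that lets RDP in from outside an approved gateway or VPN range. The rule format and the approved range are assumptions; real exports differ by provider, and the example is IPv4-only.

```python
"""Audit firewall / security-group rules for RDP (TCP 3389) exposure.

Added example, not code from the original article. The rule set and the
approved source range are constructed; the rule format is a simplified
stand-in for a cloud security-group or perimeter-firewall export.
"""
import ipaddress

RDP_PORT = 3389
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def covers_rdp(rule) -> bool:
    """True if the rule permits TCP 3389, directly or via a wider port range."""
    proto_ok = rule["protocol"] in ("tcp", "any")
    return proto_ok and rule["from_port"] <= RDP_PORT <= rule["to_port"]


def audit_rdp(rules, approved_sources):
    """Return (name, severity, reason) for rules allowing RDP from unapproved sources.

    approved_sources: CIDRs RDP may legitimately originate from, e.g. the RDP
    gateway subnet or the VPN/IPsec concentrator range.
    """
    approved = [ipaddress.ip_network(c) for c in approved_sources]
    findings = []
    for rule in rules:
        if not covers_rdp(rule):
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        if src == ANY_V4:
            findings.append((rule["name"], "critical",
                             "RDP reachable from the whole internet; front it with an RDP gateway"))
        elif not any(src.subnet_of(a) for a in approved):
            findings.append((rule["name"], "high",
                             f"RDP allowed from {src}, which is not an approved gateway/VPN range"))
        # else: the source sits inside an approved range; nothing to report
    return findings


# Constructed rule set resembling a cloud security-group export.
RULES = [
    {"name": "allow-rdp-anywhere", "protocol": "tcp", "from_port": 3389, "to_port": 3389,  "source": "0.0.0.0/0"},
    {"name": "allow-all-corp",     "protocol": "any", "from_port": 0,    "to_port": 65535, "source": "10.0.0.0/8"},
    {"name": "allow-rdp-gateway",  "protocol": "tcp", "from_port": 3389, "to_port": 3389,  "source": "10.10.0.0/24"},
    {"name": "allow-https",        "protocol": "tcp", "from_port": 443,  "to_port": 443,   "source": "0.0.0.0/0"},
]
# Constructed policy: only the RDP gateway subnet may initiate RDP to the hosts.
APPROVED_RDP_SOURCES = ["10.10.0.0/24"]

if __name__ == "__main__":
    for name, severity, why in audit_rdp(RULES, APPROVED_RDP_SOURCES):
        print(f"[{severity}] {name}: {why}")
```

Note that the broad "allow-all-corp" rule is caught even though it never mentions port 3389: port-range and protocol wildcards are a common way RDP ends up exposed without anyone having written an RDP rule.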
4. Managing Shadow IT
Managing shadow IT is difficult because it is not just technological; it also carries a lot of political baggage. Shadow IT frequently occurs when IT is viewed as inflexible, which motivates goal-driven business managers to look for alternative ways to obtain the resources they need. As a result, they contract cloud services outside of the SDLC and change management processes. Managing shadow IT starts with good IT-business collaboration. Policies defining the penalties for engaging services or using resources that have not been approved and documented are also required. Finally, enterprises must check for unauthorised cloud resource usage. Extreme Compute’s Cloud Discovery solution has a guide on how to do this. Budgets for TTP should be included in 2022 budgets.
5. Managing misconfigs
Misconfigurations occur across all four of the other cloud challenges, and steps to regulate unmanaged settings, both purposeful and inadvertent, are included above. The best way to manage configurations is to have several pairs of eyes look at what is configured, why, and the resulting risk. This is the role of policy-driven change management. In the cloud or on-premises, employees should grasp the risks of bypassing change management. Confidential computing also protects against misconfigured container and API interfaces: if a threat actor breaches an application server in a high-trust zone, it still has no access to the discrete, virtual, or containerized apps on the server, and the programmes’ decrypted data in memory is also protected from theft or harm.
Controlling who can create cloud resources, the approval process, and detecting unauthorised modifications are all key components of configuration management.
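The "detecting unauthorised modifications" part of configuration management comes down to comparing what is deployed with what was approved and asking whether each difference has a change ticket behind it. The following is an added example, not code from the article or from Extreme Compute: it diffs a constructed live snapshot against a constructed approved baseline and separates changes that carry an approval record from those that bypassed change management. The snapshot format and the ticket identifier are assumptions; in practice the snapshots come from the provider's configuration export and the approvals from the change-management system.

```python
"""Configuration drift detection against an approved baseline.

Added example, not code from the original article. Baseline, live snapshot
and approval records are constructed.
"""


def flatten(config, prefix=""):
    """Turn a nested dict into {"a/b/c": leaf} so every change can be named by path."""
    out = {}
    for key, value in config.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value   # lists and scalars are compared as whole values
    return out


def diff_configs(baseline, live):
    """Return {path: (old, new)} for every added, removed or altered setting."""
    old, new = flatten(baseline), flatten(live)
    changes = {}
    for path in sorted(set(old) | set(new)):
        if old.get(path) != new.get(path):
            changes[path] = (old.get(path), new.get(path))
    return changes


def classify_changes(changes, approvals):
    """Split changes into those backed by a change ticket and those that are not.

    approvals: {path: ticket_id} as recorded by the change-management process.
    """
    approved = {p: approvals[p] for p in changes if p in approvals}
    unauthorised = {p: changes[p] for p in changes if p not in approvals}
    return approved, unauthorised


# Constructed approved baseline for a small environment.
BASELINE = {
    "storage": {"bucket-logs": {"public": False, "encryption": "aes256"}},
    "iam": {"users": ["alice", "bob"]},
}
# Constructed live snapshot: one approved change, two that bypassed change management.
LIVE = {
    "storage": {"bucket-logs": {"public": True, "encryption": "kms"}},
    "iam": {"users": ["alice", "bob", "svc-export"]},
}
# Constructed approval records: only the encryption change has a ticket.
APPROVALS = {"storage/bucket-logs/encryption": "CHG-0001 (constructed)"}


def detect_drift(baseline=BASELINE, live=LIVE, approvals=APPROVALS):
    """Return (approved, unauthorised) change maps for the given snapshots."""
    return classify_changes(diff_configs(baseline, live), approvals)


if __name__ == "__main__":
    approved, unauthorised = detect_drift()
    for path, ticket in approved.items():
        print(f"approved     {path} ({ticket})")
    for path, (old, new) in unauthorised.items():
        print(f"UNAUTHORISED {path}: {old!r} -> {new!r}")
```

Run against the constructed data, the bucket being flipped to public and the new IAM user both surface as unauthorised, while the encryption change is reported with its ticket; the same comparison scheduled against periodic exports is the "detecting unauthorised modifications" control the paragraph asks for.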
Lastly, the five issues discussed here are not the only ones to consider. However, our analysis shows that they have been, and will continue to be, high-risk vulnerabilities through 2022. Cloud challenges should not be viewed in isolation since they often overlap. Instead, businesses should define TTP holistically so that these difficulties are addressed under effective management.