Intelligent Tech Channels Issue 51 | Page 67

There will be many more cloud provider vulnerabilities in 2022 but fortunately there are things within an organisation ’ s control that can mitigate the risk .

With the new hybrid-working model we see organisations increasingly moving more of their workload settings to the cloud . While this transformation offers great agility and scalability benefits , it comes with inherent and increased risks to security and compliance . A simple configuration error can result in your entire organisation being exposed to threat actors who no longer need to break into your data centre to access your critical data or conduct ransomware attacks .

Research firm Gartner predicts that by 2025 , 99 % of cloud security issues will be a result of human error when configuring assets and security in the cloud . At a time when organisations are becoming increasingly dependent on third-party cloud vendors such as AWS , Microsoft Azure , IBM and Google Cloud Platform to securely manage their data , concern around misconfigurations and other vulnerabilities in the cloud is likely to amplify quickly . What ’ s more , many of the organisations finding themselves at risk have had to accelerate their Digital Transformation initiatives at an uncomfortable pace over the past two years , resulting in knowledge and talent gaps that only add to their fears around cloud security .
Under the shared responsibility model – a security framework designed to ensure accountability for compromised data and other incidents – the cloud provider will offer basic cloud security , but it ’ s up to businesses themselves to secure their own data within the cloud . To put it another way , if cloud providers ensure the town gates are locked and the perimeter is well guarded , it ’ s still up to businesses to ensure their own doors are locked . That ’ s no mean feat , particularly when you consider that many large enterprises now rely on three or four cloud platforms as part of a multi-cloud strategy .
Attacks on cloud service providers are ramping up
As outlined in our 2022 Security Report , the previous year has seen a tidal wave of attacks that exploit flaws in the services of industry-leading cloud providers . For the cybercriminals involved , the end goal is to gain full control over an organisation ’ s cloud infrastructure or , worse , an organisation ’ s entire IT estate , including its proprietary code and customer records . This can have a devastating impact on the businesses affected and they ’ re quite right to be concerned .
The kinds of flaws we ’ re talking about here aren ’ t logic or permission-based flaws derived from an organisation ’ s control policy that threat actors might use to gain unauthorised access and escalate privileges . This could at least be pinpointed and dealt with by the organisation in question . Instead , these flaws tend to be critical vulnerabilities within the cloud infrastructure itself that can be much more difficult to guard against .
Take the OMIGOD flaw , for example , which broke the floodgates when it came to attacking cloud services in 2021 . In September , four critical vulnerabilities were discovered in the Microsoft Azure software agent that enabled users to manage configurations across remote and local environments . An estimated 65 % of Azure ’ s customer base was made vulnerable by this exploit , putting thousands of organisations and millions of endpoint devices at risk . Through this OMIGOD flaw , threat actors were able to execute remote arbitrary