Permiso, a Palo Alto-based cloud detection and response startup that finds evil in cloud environments, has released the findings of its 2023 Cloud Detection and Response Survey that reveals an alarming paradox among cloud security professionals.
While many respondents admitted to leveraging high-risk practices and behaviours in their cloud environments, they remain confident that their security tools and processes will protect their organisations against well-orchestrated attacks. That high confidence level persists even among organisations that have already experienced unauthorised access or a data breach in their environment.
Cloud security practices
“Our findings are both fascinating and worrisome,” said Jason Martin, Co-Founder and Co-CEO of Permiso, adding “There's a clear gap between perceived protection and the harsh reality of preparedness. While organisations are confident in their defense capabilities, their acknowledgment of existing risky practices coupled with the vast concern over their ability to effectively respond to a breach not only increases the likelihood of being breached, but means they are very unlikely to detect the breach in a timely fashion.”
Permiso polled over 500 security, IT, and engineering professionals to understand how their organisations address security challenges within their cloud environments.
The survey assessed both the respondents' cloud security practices and the scale of their environment, including the number of identities and secrets they manage, response time to an attack, the different methods of access into their environment, and the types of solutions they utilise to help secure their environments. It also assessed their confidence level in the ability of their tools and teams to both defend against or detect a breach in their environment.
Data Breach Investigations Report
Permiso compared its findings with benchmarks like Verizon’s 2022 Data Investigations Report
Permiso compared its findings to related industry benchmarks such as Verizon’s 2022 Data Breach Investigations Report, research from several pioneering security experts, and production data from tens of thousands of cloud environments and cloud incident responses from Palo Alto Networks and Google/Mandiant, respectively.
“We found that most respondents (70%) would characterise their response time to an attack to be between 12 and 24 hours. Data from actual production environments and incident responses show that number is more than two weeks (16 days). There is a significant disconnect within the survey data we collected and even more significant disparity when you compare that with actual data from cloud environments,” added Permiso Co-Founder and Co-CEO, Paul Nguyen.
Valuable insights
The resulting report provides a holistic view of the current state of cloud security and offers valuable insights into best practices and potential areas for improvement. Among the key takeaways:
- 50% of respondents reported a data breach due to unauthorised access to their cloud environment.
- 95% expressed concern that their current tools and teams may be unable to detect and respond to a security event in their cloud environment.
- More than half (55%) described their level of concern as “extremely concerned” and “very concerned.”
- Despite high-risk practices and widespread concern over a breach in their cloud environment, more than 80% of respondents feel that their existing tooling and configuration would sufficiently cover their organisation from a well-orchestrated attack on their cloud environment.
More (and more) identities to manage
Permiso found that managing identities across on-premise and cloud environments is a growing challenge for many enterprises. Over 80% of respondents manage at least 1,000 identities across their cloud environment. Roughly 44% manage at least 5,000 identities across on-premise and cloud environments.
Many organisations manage a large number of identities across cloud authentication boundaries in federated environments. This management, especially when actions involve shared credentials and roles, makes it challenging to identify change attribution. While 25% of the respondents use federation to access their cloud environment, only a little more than half of them have full visibility into the access activity of those federated users.
Local IAM users
This inability to effectively manage the ever-growing number of identities creates significant risk
This inability to effectively manage the ever-growing number of identities creates significant risk. Nearly half (46.4%) of respondents allow console access via local IAM users, which presents numerous security risks and violates some enterprise security policies. Of those respondents, more than 25% don’t have full visibility into the activity of those users.
Additionally, 38% of respondents also stated that they leverage long-lived keys to grant access to their environment. Still, almost a third of them do not have visibility into the use of those keys to access their environments. Long-lived access keys can present a security risk to organisations and are more prone to being compromised the more they age.
Exposing secrets
As the number of API-driven ecosystems like CI/CD pipelines, data lakes and microservices grows, so do the number of secrets (i.e., keys/tokens/certificates) organisations need to secure the connections between applications and services.
Over 60% of respondents manage at least 1,000 API secrets across their cloud environments, and a little over 30% (30.9) manage at least 2,000 API secrets. This explosive growth of APIs and corresponding secrets has resulted in secrets leaking across development and deployment systems at an alarming rate.
A new approach to cloud security
Numerous organisations realise that many security tools and techniques that protected their data centres are ineffective for the cloud. The Permiso survey found the two most significant categories of tools adopted in the cloud are those that cloud providers offer and cloud security posture management (CSPM) solutions.
Permiso survey found most important categories of tools in the cloud are providers and CSPM
Many organisations leverage a combination of these cloud-native tools, in addition to CSPMs and SIEMs, as a set of solutions to help ensure the workloads they deploy are secure and compliant and are querying logs to help detect potential threat actors in their environments.
Recommendations
In addition to adopting and enforcing sound security practices such as highly limited or prohibited use of root access or local IAM users, enforcing MFA to any console access and stringent key rotation in order to prevent attacks from ever occurring, there are a number of steps organisations can also adopt to better detect threat actors in their environment.
“The first step is to have a comprehensive inventory of the identities in your environment and categorise their potential blast radius to help determine their risk. You should also be equally vigilant with taking inventory and tracking keys/tokens/credentials that are used in those environments. Ultimately these identities assume a role in order to make changes, which makes tracing behaviour back to a single identity very difficult. Once you have a true stranglehold on the identities in your environment and the credentials they’re using, you want to baseline activities to understand the user’s ‘normal’ behaviour so that you can develop rules and alerts from logs to detect access and behavioural anomalies in your environment,” suggested Martin.