As a result, what is considered 'inside' in an on-premises world is suddenly 'outside' in a publicly hosted cloud infrastructure.
Hackers can have similar access to publicly hosted workloads as IT administrators using standard connection methods, protocols and public APIs. As a result, the whole world becomes an insider threat. Workload security, therefore, is defined by the people who can access those workloads and the permissions they have.
The problem lies with the practicality and flexibility associated with cloud environments. Cloud administrators frequently grant extensive permissions to groups of users to enable them to accomplish tasks seamlessly.
In practice, most users use only a small portion of the permissions granted to them and have no business need for all of them. This represents a serious security gap since if these user credentials were ever to fall into malicious hands, attackers would have extensive access to sensitive data and resources.
According to Gartner's Managing privileged access in cloud infrastructure report, by 2023, 75% of cloud security failures will be attributable to inadequate management of identities, access, and privileges.
The top three blind spots are:
1. Not understanding the difference between used and granted permissions
Eighty percent of excessive permissions are based on roles. In a cloud environment where the resources are hosted 'outside' the organisation, the access permissions to the network define the organisation's threat surface.
Unnecessary permissions stem from the gap between the permissions users need to get their job done and the permissions they have actually been granted. Put differently, it is the gap between defined and used permissions. The difference between these two is your organisation's attack surface.
Understanding the difference between used and granted permissions is one of the biggest blind spots that can lead to a data breach. This is why it is important to monitor and analyse this gap constantly to make sure that it is as small as possible, and consequently, that the attack surface is equally small.
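The gap described above can be measured directly from two inputs: the policy attached to a principal and the API activity that principal actually generated. The following is an added example (not code from the original article or any vendor product) that expands a simplified IAM-style policy against a constructed action catalogue, compares it with constructed CloudTrail-like records, and derives both the unused permissions and a least-privilege policy that would close the gap; the catalogue, policy and events are all constructed sample data.

```python
import fnmatch

# Constructed mini catalogue of cloud actions; a real analysis would load the
# provider's complete action list for each service instead.
ACTION_CATALOG = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
                  "iam:CreateUser", "iam:AttachUserPolicy", "ec2:DescribeInstances",
                  "ec2:TerminateInstances"]

def expand_grants(policy_doc):
    """Concrete actions a policy effectively allows: Allow matches (wildcards
    expanded against the catalogue) minus Deny matches."""
    allowed, denied = set(), set()
    for stmt in policy_doc["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in actions:
            target.update(a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied

def used_actions(events, principal):
    """Distinct actions a principal successfully invoked, from CloudTrail-like
    records. Assumes eventName maps 1:1 to the IAM action (true for most services)."""
    used = set()
    for ev in events:
        if ev["userIdentity"]["userName"] == principal and "errorCode" not in ev:
            service = ev["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
            used.add(f"{service}:{ev['eventName']}")
    return used

def permission_gap(policy_doc, events, principal):
    """Granted-but-unused permissions (the attack surface described above) and a
    least-privilege policy containing only what was actually exercised."""
    granted = expand_grants(policy_doc)
    used = used_actions(events, principal) & granted
    unused = sorted(granted - used)
    tightened = {"Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}]}
    return {"granted": len(granted), "used": len(used), "unused": unused,
            "unused_ratio": round(len(unused) / len(granted), 2) if granted else 0.0,
            "least_privilege_policy": tightened}

# Constructed inputs: a broad role policy and a short window of API activity.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
EVENTS = [
    {"userIdentity": {"userName": "alice"}, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": {"userName": "alice"}, "eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"userIdentity": {"userName": "alice"}, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "AccessDenied"},
    {"userIdentity": {"userName": "bob"}, "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
]
print(permission_gap(POLICY, EVENTS, "alice"))
```

A denied call (errorCode present) is deliberately not counted as "used", so the tightened policy only keeps actions that succeeded in the observed window; in practice the window should span at least a full business cycle before the tightened policy is applied.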
2. The problem isn't detection, it's correlation
Cyber security alerts have become the proverbial 'boy who cried wolf.' According to a multitude of third-party reports, the average security operations centre handles approximately 10,000 alerts per day.
When security teams are overloaded with alerts, the alerts that indicate potentially malicious activity are often overlooked and lost in the sea of warnings. The lack of visibility needed to surface the alerts that matter most is the driver behind one of the biggest cloud security blind spots for organisations. It is critical that security teams have a unified view across multiple cloud environments and accounts, with built-in alert scoring for efficient prioritisation.
3. An inability to connect the dots
Data breaches don't happen instantly; they unfold over time. They are a long process of trial and error by the attacker, comprising numerous small steps and activities as the attacker attempts to gain access to sensitive data.
These small steps and activities, many of which are low or medium-priority events, are frequently overlooked. Making matters worse, the average time for detecting a data breach is six months. Even if individual events are detected, they are frequently forgotten when the next related event is detected. The 'dots' never get connected.
The ability to correlate individual events/alerts over time into an attack 'storyline' can help mitigate another major cloud security blind spot for organisations and is critical to stopping a data breach before it happens.