Organizations face an ever-growing threat landscape, driven by the growth in the cloud-based platforms, tools, and services they rely on. As such, attack surface management, especially in the cloud, has become critical for security practitioners to grapple with. We’ll briefly cover attack surfaces in general before turning to the specific challenges of protecting cloud attack surfaces.
What is an attack surface?
An attack surface is a conceptual model used in security to refer to the total sum of “attack vectors,” or entry points by which a specific system can be compromised. Attack vectors refer to all the ways an attacker can move within a system to compromise accounts, exfiltrate data, or hijack components of a system for their own malicious purposes. Identifying individual attack vectors and understanding how they relate to one another is critical to cloud security, as cloud systems are large and distributed, unlike legacy applications and platforms which were often assumed to be part of an organization’s “perimeter” in the past.
What is a cloud attack surface?
Broadly speaking, a cloud attack surface refers to the cloud applications and services an organization is leveraging, as well as the data in these platforms and the people who have access to this data.
As stated above, the idea of a cloud attack surface introduces new challenges that don’t exist when thinking about securing hardware attack surfaces or network attack surfaces, because there is no traditional perimeter in cloud security. This is because unlike corporate intranets and networks, it’s often not possible to deploy controls like firewalls, traditional access controls, and other tools that “contain” or confine cloud data and cloud system access to one area of the cloud. Perimeter-less systems by definition tend to be open in order to allow for the rapid exchange of information across large and distributed teams. Because of this, many organizations struggle with managing this type of attack surface.
We’ve talked before about cloud attack surfaces at length; see the video below for a visual representation of how the attributes of cloud systems contribute to the growth of cloud attack surfaces.
Breaking down the cloud attack surface
There are broadly three sub-categories that the concept of a cloud attack surface can be broken into:
SaaS and IaaS attack surface
These refer to the cloud applications and infrastructure that your organization uses, as well as the configurations and permissions associated with any user accounts and resources within these platforms. Within IaaS, misconfigured resources, like S3 buckets, often result in data leaks. Similarly, within SaaS, user accounts with overly broad permissions in a service might see sensitive data not intended for them, or their accounts can be hijacked to access such information.
Data as an attack surface
As more companies have migrated to the cloud, security practitioners have begun adopting the stance that “data is the new perimeter,” which makes it critically important to know when sensitive data is created in the cloud and when it shows up somewhere it does not belong.
Human attack surface
The human attack surface reflects the idea that exploiting people is the fastest way to get to sensitive systems and information. It refers to the employees, contractors, and other individuals who interact with an organization's systems and data. Social engineering attacks, such as phishing or pretexting, exploit human weaknesses to gain unauthorized access to sensitive information or systems.
Taken together, these three aspects form the “where,” “what,” and “how” of cloud data security:
- SaaS and IaaS. Where cloud data breaches take place.
- Data. What attackers are after.
- Humans. How attackers most commonly get into the cloud.
Protecting your cloud attack surface
Defining, identifying, and protecting your cloud attack surface comes down to several important steps, including:
Knowing what cloud platforms are in active use
Having visibility into which cloud services and platforms are in use within your organization, and into the resources associated with those cloud environments, tells you what to monitor so that you can regularly harden and secure these environments.
Monitoring for cloud mispermissioning and misconfigurations
We have ample evidence that many cloud security breaches occur because of leaked credentials, inappropriate user permissions within SaaS accounts, and general misconfigurations of native cloud platform security settings.
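The S3 bucket misconfigurations mentioned earlier are a concrete case of what this monitoring step looks for. The following is an added example, not code from the original post: it audits a bucket policy and a bucket ACL for grants that make data reachable by anyone, using constructed sample inputs (the bucket name, Sids, org ID and owner ID are placeholders) shaped like the documents S3 returns.

```python
import json
# Constructed sample bucket policy (not from a real account): one statement
# open to everyone, one wildcard principal narrowed by aws:PrincipalOrgID.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
]})

# Constructed sample ACL in the shape of an S3 GetBucketAcl response.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI":
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"},
]}

# Predefined S3 groups: AllUsers is anyone at all, AuthenticatedUsers is
# anyone holding any AWS account, so a grant to either counts as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def audit_policy(policy_json):
    """Map Sid -> verdict for Allow statements with a wildcard principal.
    "public": no Condition at all.  "review": a Condition exists; check it by
    hand, since keys like aws:SecureTransport do not narrow who may call."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return {s.get("Sid", "<no Sid>"): ("review" if s.get("Condition") else "public")
            for s in stmts
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))}

def public_acl_grants(acl):
    """Return (group name, permission) pairs for grants to the public groups."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]
```

In practice the two inputs would come from the bucket's policy and ACL as retrieved by your inventory tooling, and a "public" verdict or any ACL finding should raise an alert rather than just a report line.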
Knowing what data is in cloud platforms
Organizations often don’t know what types of data have proliferated in their cloud environments, including whether credentials and API keys have been shared in these systems or whether employees have shared sensitive data with users who are not authorized to see such information. Implementing controls that provide proper visibility to determine if this is happening is essential to reducing the cloud attack surface.
Enforcing data security policies
Similar to the above point, organizations need a way to not only know if data security policies are being violated, like the sharing of credentials and other sensitive data, but they also need the ability to quickly correct these occurrences should they take place.
Educating employees about security best practices
Finally, organizations need to educate employees about the proper and safe ways to collaborate within cloud environments without exposing or jeopardizing stakeholder data and other sensitive data whose exposure can lead to the compromise of other environments.
Ultimately, with the right tools and policies in place to secure your cloud data, you can harden your cloud environments and minimize your attack surface. Read our post on zero trust to understand the core principles of zero trust data security and how they can keep you safe in the cloud.