Morphisec Cybersecurity Blog

Busting Cloud Security Myths

Written by Daniel Petrillo | December 3, 2020 at 4:00 PM

Although far from new in technological terms, the ubiquity of public and hybrid cloud use is a relatively recent phenomenon. Driven in part by the current COVID-19 pandemic, it would be difficult to find an organization that isn't relying on a cloud-based service right now.

In 2018, it was estimated that over 83 percent of workloads would be run on the cloud by the end of 2020. Today, the percentage of cloud workloads is likely even higher. As this trend makes onsite servers increasingly a relic of a pre-pandemic past, the world's reliance on the cloud marks a profound shift in how businesses of all kinds operate. However, businesses’ understanding of the responsibilities, risks, and requirements of secure cloud use is still far behind where it needs to be to ensure cloud use is safe from threat actors.

As cloud migrations have rapidly accelerated, so too have misunderstandings and "myths” surrounding cloud environments. One area that is worryingly unclear to many is cloud workload security. While the distributed nature of cloud servers provide users with increased security in some areas, the permission-based nature of cloud security can also lure unwary cloud users into a potential cybersecurity trap. As organizations migrate more business-critical processes to the cloud without adequate security controls, unwary IT teams quickly become their own biggest cybersecurity weakness.

Just as it has changed how organizations operate, cloud use has also changed the security paradigm they face. By increasing the number of access routes to workloads, cloud use creates new attack surfaces and drastically increases the likelihood and consequences of misconfigurations. This is evident in how the majority of cloud data breaches occur. At least 80 percent of cloud breaches are the result of avoidable misconfigurations. The continued prevalence of untrue "facts" about cloud security is partly to blame for this statistic. Here are three myths about the cloud that need to disappear.

The Provider Is Responsible for Cloud Workload Security

Using a public cloud provider means offloading some security responsibilities, but not all. As organizations deploy increasingly sensitive workloads in cloud environments, they often miss this fact. Misunderstandings about the shared responsibility model that cloud use usually entails are often not far behind headline-grabbing data breaches.

For any business deploying cloud workloads, understanding their portion of the shared responsibility model is vital. In a simplistic sense, shared responsibility means that while the cloud service provider is responsible for the security of the underlying cloud architecture, the burden of data security within the cloud falls on businesses themselves. In other words, the cloud provider keeps the physical infrastructure secure, whereas the cloud user ensures the safety of whatever happens within their cloud workloads. This includes protecting their workloads from threats such as fileless attacks, ransomware, and data breaches.

However, although the basic theory is easily understandable, the reality of shared responsibility often isn't. Responsibilities vary between cloud providers, and with the increasing popularity of multi-cloud workloads, the line between safety and risk is sometimes unclear to even the most diligent cloud users.

Many businesses' understanding of the shared responsibility model has lagged severely in their haste towards cloud migration. Research conducted last year indicates that at least 60 percent of companies misunderstand the shared responsibility model when securing their cloud workloads. With more businesses than ever using the cloud right now, this percentage is only likely to grow.

Cloud Workloads Can Be Secured With Existing Security Controls

With no on-premises servers and with some responsibility taken on by the provider, cloud workload security might seem like a more straightforward task than securing onsite workloads. In reality, securing their cloud workloads is often a far more complicated process than businesses expect due to the unique security challenges that cloud environments create. Because cloud workloads are permanently connected to the internet and lack the protection of a physical perimeter, they’re exposed to anyone who can garner the correct access credentials.

The oft-misconfigured nature of cloud environments makes the consequences of any security breach particularly devastating. Mitigating the increased attack surface requires a different approach than protecting traditional endpoints does. This is partly because the nature of public cloud use means that relying on traditional controls such as antivirus platforms is often unsustainable and unsafe.

Running most AV agents in the cloud results in higher usage costs on the cloud service and nullifies the economic advantage of migrating to the cloud in the first place. The reactive nature of how AV solutions work also makes them unsuitable for cloud environments where a lot of harm is done long before security teams can respond to a breach. Taking a trust centric approach via application allowlisting can also be ineffective in the cloud as threat actors exploit vulnerabilities in allowlisted applications to deliver malware.

Since most client-grade AV and EDR technologies fail to include exploit prevention and memory protection, they are better at generating false positives than actually securing workloads in the cloud. Moreover, as 90 percent of cloud workloads are run on Linux servers, end-users need to be even more aware of choosing the right solution. Ultimately, providing real in-depth protection for cloud workloads requires a proactive approach to cloud security combined with a lightweight, set and forget solution such as Moving Target Defense.

Public Clouds Are Inherently Less Secure Than Private Ones

While certain aspects of cloud security are often underappreciated, cloud adoption can also be held back by unfounded security fears. Businesses often hesitate to migrate their workloads to public clouds due to concerns about whether they can be trusted with critical processes or data. The reality is that public clouds are as secure as their users are. This statement is borne out by Gartner's 2019 study, “Is the Cloud Secure?" According to Gartner, by 2025, 99 percent of cloud security failures will be the customers’ fault.

Private clouds don't necessarily present a more secure alternative to their publicly accessible counterparts. While they offer greater control over infrastructure and enable data locality concerns to be managed easier, private clouds also need a greater time commitment from the IT teams that run them. As they present a physical target for threat actors, they run a greater risk of onsite security breaches or targeted phishing attacks. Running a private cloud essentially means running your own data center and accounting for all security risks that this involves.

On the other hand, public clouds provide a distributed, often geo-asynchronous service that negates some of these risks while also giving workloads the benefit of enterprise-class firewalls. Generally speaking, cloud workloads deployed in public clouds are no less secure than if they were run in an organization's private cloud.

Final Thoughts

Safe, effective use of the capabilities that cloud computing brings has long been restricted by misunderstanding. While even the name "cloud" makes cloud computing seem wooly and distant, the consequences of a security breach within a cloud workload have always been very real.

With the cloud becoming the first choice for workload deployment, businesses need to intuitively separate fact from fiction when it comes to cloud cybersecurity. Doing so means knowing where their security responsibilities lie, applying appropriate controls, and not dwelling on misrepresented aspects of cloud security. However, with over 80 percent of companies hosting a neglected cloud-based workload, cloud security is still more nebulous than it should be.