If I were assessing a high-risk SaaS vendor, here are 8 things I would ask for:

1. Context is Key
First, I would understand what they do for my company. What data do they collect, what access do they have, what services do they provide? I would let that context steer how deep I dive.

2. SOC 2, ISO 27001, or Equivalent
I would ask for their third-party audits. I would read the reports to see if they engaged a reputable firm. I would see if the scope, audit period, and controls are applicable to me. This will prevent me needing to ask for basics like copies of policies.

3. Penetration Test
I would get a copy of their latest penetration test. I would look at the scope, when it was performed, who performed it, and track down any findings. It is important to make sure the pentest covers the product/network that matters to you.

4. Vulnerability Scans
I would get a sample of 3 months of vulnerability scans, including the latest month's results, at both the network and application level. I would make sure they have the right coverage and that there are no red flags.

5. Vet Anyone with Access to My Systems
I would want to make sure that anyone with access to my systems is appropriately vetted. That likely means a background screening and qualification requirement in the contract. If they are getting remote admin access to my network, I probably want to vet them myself or have my company be in on the screening.

6. Proof of Stability
If the company is mission critical to my business, I may request some evidence that the company is stable, up to and including audited financials, reserving rights to the source code if the company goes bankrupt, or equivalent. This is rare, but important when applicable. If it is serious enough, you may even ask to speak with executives and get commitments directly.

7. Company Insurance
This is just housekeeping for most companies, but I want to make sure they are insured. I am looking for the typical General Liability, E&O, Cyber, etc. at acceptable limits.

8. List of Third Parties and Sub-Processors
I may ask for a list of my vendor's critical third parties. I want to be sure that they are using credible vendors, since those vendors may impact me. I would pay close attention to things like technology providers, contractors, anyone who processes my data, etc.

---

Anything you would add to this list?
How to Assess Risks in Public Cloud Security
Summary
Assessing risks in public cloud security involves identifying potential vulnerabilities in cloud environments and ensuring that data and systems are protected from threats. This process includes evaluating vendors, monitoring configurations, and implementing strong policies to avoid breaches and ensure compliance.
- Define use case boundaries: Clearly outline what services you are using, where your data flows, and the access vendors have, so you can assess risks specific to each product or service.
- Request security audits: Ask for third-party audit reports, such as SOC 2 or ISO 27001, and evaluate their scope, findings, and whether they match your security needs.
- Monitor and reassess risks: Regularly review vendor access, security configurations, and any changes in their services to ensure that your original risk assessment remains valid over time.
Are you addressing the root causes of your cloud security threats or just treating the symptoms? The Cloud Security Alliance's Top Threats to Cloud Computing 2024 report illuminates critical security challenges, but many of these threats result from overlooking foundational practices in favor of more complex solutions.

My takeaways:

1️⃣ Misconfiguration and change control - Misconfigurations often signal that organizations advance to complex cloud setups without mastering the basics. For example, the Toyota data breach, where a decade-long exposure was due to human error and inadequate cloud configuration management, highlights the need for robust configuration management and continuous monitoring.

2️⃣ Identity & Access Management (IAM) - IAM issues frequently stem from inconsistent governance. The JumpCloud breach, where attackers exploited over-permissioned accounts and poor separation of duties, underscores the importance of regular policy reviews and strict governance practices.

3️⃣ Insecure interfaces and APIs - Securing APIs is crucial, but the rush to innovate can sometimes overshadow security. The Spoutible (an X alternative) API vulnerability, which exposed user data due to poor security practices, serves as a reminder to embed security into the API development process from the start.

What can you do?

1) Focus on fundamentals: To address misconfigurations, prioritize strong configuration management and continuous monitoring. Look at tools like Prisma Cloud by Palo Alto Networks.

2) Regular governance reviews: Prevent IAM issues by regularly reviewing and adapting policies. Ensure all your applications are part of your IAM strategy, not just those supporting standards like SAML, OIDC, and SCIM. (Cerby can help you with these apps.)

3) Balanced innovation: Integrate security into development processes to avoid compromising security in a rush to innovate (see Secure by Design from the Cybersecurity and Infrastructure Security Agency).

Focusing on the basics and doing them well can mitigate most of the risks in this report. Props to the authors Jon-Michael C. Randall, Alexander S. Getsin, Vic Hargrave, Laura Kenner, Michael Morgenstern, Stephen Pieraldi, and Michael Roza. #Cybersecurity #cloudsecurity #api Cloud Security Alliance
Vendor risk isn't just about the vendor... It's also about the use case. You're not assessing "the vendor" as a whole, you're assessing the risk of that vendor AND the specific product or service you're consuming.

"Approving" a vendor ≠ approving ALL their products and services
Just because a vendor "passed" your security review for one product or service doesn't mean you can blindly adopt everything else they offer. Their CRM might be secure, but their AI analytics tool could be a compliance nightmare.

Different use cases = different risk profiles
A vendor handling marketing emails has a much different security profile than one storing sensitive customer data. Treating all services the same is a waste of time and money. Tier the vendors based on their access, location within your data flow, and criticality to your operations. I like 3 tiers. More on that in a future post.

One assessment doesn't last forever
Risk isn't static. If the vendor updates their product, expands their scope, is acquired, or moves to a new hosting provider, your original assessment is outdated. For bonus points, build this into your change management program.

How to Fix It
- Assess risk at the vendor + product/service level you're consuming, not just the vendor.
- Define clear use case boundaries. What exactly are you using, where is the data flowing, what access do they have, and what's the impact if something goes wrong?
- Require reassessments for new services. Don't assume past approvals cover new use cases.
- Document compensating controls if security gaps exist, and mitigate, don't ignore. This saved my ass once.

Stop treating vendor "approvals" like a golden ticket to consume everything they offer. Risk is contextual. Assess accordingly. #ciso #dpo #msp #riskmanagement
2024 State of Cloud Security Study Key Insights

A great morning read from Datadog, which "analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud."

↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP).
Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions.

↗️ Public access blocks on cloud storage increasing -> AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured.
Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure.

↗️ IMDSv2 adoption growing -> AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable.
Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults.

↗️ Managed Kubernetes clusters -> Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks.
Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes.

↗️ 3rd-party integrations pose supply chain risk -> 10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover.
Recommendation -> Limit permissions, enforce External IDs, & remove unused third-party roles.

↗️ Most cloud incidents caused by compromised cloud credentials -> Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments.
Patterns of Attack
+ Compromised identities
+ Escalation via GetFederationToken
+ Service enumeration
+ Reselling access
+ Persistence techniques
Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration.
Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns.
Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit.

↗️ Many cloud workloads are excessively privileged or run in risky configurations -> Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches.
Recommendation -> Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts.

The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers.

P.S. Use the info to strengthen your org's cloud security posture. Full study report in the comment ⬇️ #cloudsecurity #cloudsec #cybersecurity
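Two of the credential-hygiene checks the post recommends (find IAM access keys older than a year, and make sure any role a third-party account can assume carries an sts:ExternalId condition), as an added example that is not code from the Datadog study or the post above. It runs offline on a constructed IAM credential report and constructed role trust policies; the account IDs, user and role names, OWN_ACCOUNT and SAMPLE_NOW are all assumptions made for the example.

```python
"""Added example, not code from the Datadog study or the post above: two
offline checks for the credential findings the post summarizes.

1. stale_access_keys() parses an IAM credential report (the CSV returned by
   `aws iam get-credential-report`) and lists active access keys last rotated
   more than MAX_AGE_DAYS ago.
2. roles_missing_external_id() walks IAM role trust policies and flags roles
   that another AWS account may assume without an sts:ExternalId condition,
   the third-party confused-deputy case the post's External ID advice targets.

SAMPLE_REPORT, SAMPLE_TRUST_POLICIES, OWN_ACCOUNT and SAMPLE_NOW are
constructed sample data for this example, not real accounts.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 365
OWN_ACCOUNT = "111122223333"  # constructed: the account under review
SAMPLE_NOW = datetime(2024, 10, 15, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducible output

# Constructed credential report: the header is the real report's column layout,
# the two user rows are invented. ci-deploy has a key from 2021; alice rotated
# key 1 recently but still has a 2022 key active in slot 2.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-01T10:00:00+00:00,2024-09-30T08:12:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-01-15T09:00:00+00:00,true,2024-10-01T07:00:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,true,2024-08-01T09:00:00+00:00,2024-10-01T07:30:00+00:00,us-west-2,ec2,true,2022-05-05T00:00:00+00:00,N/A,N/A,N/A
"""

# Constructed trust policies: one vendor role done right, one missing the
# ExternalId condition, and a plain service role that should not be flagged.
SAMPLE_TRUST_POLICIES = {
    "vendor-monitoring": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "tenant-42-e7c1"}},
        }],
    },
    "vendor-backup": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
            "Action": "sts:AssumeRole",
        }],
    },
    "app-ec2-role": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
}


def stale_access_keys(report_csv, now, max_age_days=MAX_AGE_DAYS):
    """Return [(user, slot, age_days)] for active keys older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = row[f"{slot}_last_rotated"]
            if rotated in ("N/A", "no_information"):
                continue
            rotated_at = datetime.fromisoformat(rotated)  # report uses ISO 8601 with offset
            if rotated_at < cutoff:
                stale.append((row["user"], slot, (now - rotated_at).days))
    return stale


def _account_of(principal):
    """Account ID of an 'AWS' principal: a bare 12-digit ID or field 5 of an ARN."""
    return principal if principal.isdigit() else principal.split(":")[4]


def roles_missing_external_id(trust_policies, own_account=OWN_ACCOUNT):
    """Return [(role, [foreign principals])] for Allow sts:AssumeRole statements
    that trust a principal outside own_account without an sts:ExternalId condition."""
    flagged = []
    for role, policy in trust_policies.items():
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if "sts:AssumeRole" not in actions:
                continue
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else principal.get("AWS", [])
            aws = [aws] if isinstance(aws, str) else aws
            foreign = [p for p in aws if p == "*" or _account_of(p) != own_account]
            cond = stmt.get("Condition", {})
            has_external_id = any("sts:ExternalId" in v for k, v in cond.items() if k.startswith("String"))
            if foreign and not has_external_id:
                flagged.append((role, foreign))
    return flagged


if __name__ == "__main__":
    for user, slot, age in stale_access_keys(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"STALE     {user} {slot} rotated {age} days ago")
    for role, principals in roles_missing_external_id(SAMPLE_TRUST_POLICIES):
        print(f"NO-EXTID  {role} assumable by {principals}")
```

Against a real account, feed `aws iam get-credential-report --query Content --output text | base64 -d` into the first function and the `AssumeRolePolicyDocument` of each role from `aws iam list-roles` into the second; the check deliberately ignores `Service` principals so that ordinary EC2 or Lambda roles are not reported as third-party trust.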
The CSA recently released a new report that shows top threats to cloud computing in 2024. Thales also released a report that describes top reasons for breaches in the cloud. 🧐 Here's a summary and what you should know:

Overall, "The survey [...] shows a continuing drop in the ranking of traditional cloud security issues that are the responsibility of cloud service providers [...]" 🙌

Focusing on the top 4 from CSA, we have:
📌 Misconfiguration & inadequate change control
📌 Identity & Access Management (#IAM) ← why do you think I'm constantly talking about this and have entire courses & labs dedicated to this topic? 😉
📌 Insecure interfaces and #APIs
📌 Inadequate #cloudsecurity strategy

⛔️ Misconfiguration & Inadequate Change Control ⛔️
➡️ What this is: "Inadequate change control [...] can lead to improper configurations that remain undetected." "Misconfigurations are the incorrect or sub-optimal setup of cloud computing assets that can leave them vulnerable to unintended damage or external/internal malicious activity. Lack of cloud system knowledge or understanding of cloud security settings and nefarious intentions can result in misconfigurations" (train your team, folks 😉)
💡 Examples:
- Secrets management
- Disabled monitoring/logging
- Ports/services left open/running
- Storage access
- Subdomain hijacking
Etc...

⛔️ Identity & Access Management (IAM) ⛔️
I cover this a lot in other posts, workshops, training, etc., so I won't expand on it here.

⛔️ Insecure Interfaces & APIs ⛔️
➡️ What this is: "APIs and UIs become vulnerable for various reasons"
💡 Examples:
- Inadequate authentication
- Lack of encryption
- Insufficient input validation
- Poor logging and monitoring
- Outdated or unpatched software
Etc...

⛔️ Inadequate Cloud Security Strategy ⛔️
➡️ What this is: Strategically thinking about cloud deployments beforehand by "considering external factors, existing implementation, and selection of cloud technologies, priorities, and trends toward creating a high-level plan or approach."
💡 Examples: Worries about vendor lock-in, out-of-control costs, picking the right tool/service for requirements today and in the future, etc...

👉👉 Shifting to the root causes from Thales, there are three I want to highlight because they have a common cause (human error):
📌 31% due to a misconfiguration or human error
📌 28% due to exploitation of a known vuln
📌 17% due to failure to use MFA for privileged user accounts

🙋♂️ I'd love to hear from you. What do you think about these results? Do they accurately represent your challenges? What do you think leads to the top cloud threats and root causes of cloud data breaches? Let me know in the comments below! Also, be sure to share this with your colleagues. This is important info!