{"id":88502,"date":"2023-03-16T20:44:27","date_gmt":"2023-03-16T20:44:27","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4050556"},"modified":"2023-03-16T20:44:27","modified_gmt":"2023-03-16T20:44:27","slug":"the-biden-administration-may-eye-csps-to-improve-security-but-the-real-caveat-emptor-secure-thyself","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88502","title":{"rendered":"The Biden administration may eye CSPs to improve security, but the real caveat emptor? Secure thyself"},"content":{"rendered":"<figure id=\"attachment_4050564\" aria-describedby=\"caption-attachment-4050564\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-article wp-image-4050564\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/03\/the-biden-administration-may-eye-csps-to-improve-security-but-the-real-caveat-emptor-secure-thyself.jpg\" alt=\"The White House press conference podium.\" width=\"770\" height=\"578\"><figcaption id=\"caption-attachment-4050564\" class=\"wp-caption-text\">Image: Maksym Yemelyanov\/Adobe Stock<\/figcaption><\/figure>\n<p>President Joe Biden\u2019s administration, as part of its recently released <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2023\/03\/National-Cybersecurity-Strategy-2023.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">National Cybersecurity Strategy<\/a>, said <a href=\"https:\/\/www.cisa.gov\/topics\/critical-infrastructure-security-and-resilience\/critical-infrastructure-sectors\" target=\"_blank\" rel=\"noopener noreferrer\">critical sectors<\/a> such as telecommunications, energy and healthcare rely on the cybersecurity and resilience of cloud service providers.<\/p>\n<p>Yet, <a href=\"https:\/\/www.politico.com\/news\/2023\/03\/10\/white-house-cloud-overhaul-00086595\" target=\"_blank\" rel=\"noopener noreferrer\">recent reports<\/a> suggest the administration has concerns that major cloud service providers constitute a massive threat 
surface \u2014 one through which an attacker could disrupt public and private infrastructure and services.<\/p>\n<p>That concern is hard to argue with given the monolithic nature of the sector. Research firm Gartner, in its most recent look at worldwide cloud infrastructure-as-a-service market share, put Amazon on top, leading with revenue of $35.4 billion in 2021, with the market share breakdown as follows:<\/p>\n<ul>\n<li><strong>Amazon:<\/strong> 38.9%<\/li>\n<li><strong>Microsoft:<\/strong> 21.1%<\/li>\n<li><strong>Alibaba:<\/strong> 9.5%<\/li>\n<li><strong>Google:<\/strong> 7.1%<\/li>\n<li><strong>Huawei:<\/strong> 4.6%<\/li>\n<\/ul>\n<p>The <a href=\"https:\/\/www.srgresearch.com\/articles\/q3-cloud-spending-up-over-11-billion-from-2021-despite-major-headwinds-google-increases-its-market-share\" target=\"_blank\" rel=\"noopener noreferrer\">Synergy Group<\/a> reported that together, Amazon, Microsoft and Google accounted for two-thirds of cloud infrastructure revenues in the three months ending Sept. 30, 2022, with the eight largest providers controlling more than 80% of the market, translating to three-quarters of web revenue.<\/p>\n<h2 id=\"focus\">A focus on cloud service providers?<\/h2>\n<p>The administration\u2019s report noted that <a href=\"https:\/\/www.techrepublic.com\/article\/crowdstrike-attackers-cloud-exploits-data-theft\/\">threat actors<\/a> use the cloud, domain registrars, hosting and email providers, as well as other services to conduct exploits, coordinate operations and spy. 
Additionally, it advocated for regulations that drive the adoption of secure-by-design principles and said those regulations will define \u201cminimum expected cybersecurity practices or outcomes.\u201d<\/p>\n<p>Also, it will \u201cidentify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services and work with industry, Congress and regulators to close them,\u201d according to the administration report.<\/p>\n<p>If the administration is speaking to CSPs controlling traffic through vast swaths of the global web with an eye to regulating their security practices, it may be moot, as CSPs already have strong security protocols in place, noted Chris Winckless, senior director analyst at Gartner.<\/p>\n<p>\u201cCloud providers appear from all evidence to be highly secure in what they do, but the lack of transparency on how they do so is a concern,\u201d Winckless said.<\/p>\n<p><strong>SEE: <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/cloud-security-tools-trees-problem\/\"><strong>Cloud security, hampered by proliferation of tools, has a \u201cforest for trees\u201d problem<\/strong><\/a><strong> (TechRepublic)<\/strong><\/p>\n<p>However, Winckless also said there are limits to resilience, and the buck ultimately lands on the customer\u2019s desk.<\/p>\n<p>\u201cThe use of the cloud is not secure, either from individual tenants, who don\u2019t configure well or don\u2019t design for resiliency, or from criminal\/nation-state actors, who can take advantage of the dynamism and pay for flexibility model,\u201d he added.<\/p>\n<h2 id=\"providers\">Cloud providers already offering enough<\/h2>\n<p>Chris Dorman, chief technology officer of cloud incident response firm Cado Security, said major cloud service providers are already the best at managing and securing cloud infrastructure.<\/p>\n
<p>\u201cTo question their abilities and infer that the U.S. government would \u2018know better\u2019 in terms of regulation and security guidance would be misleading,\u201d Dorman said.<\/p>\n<p>Imposing \u201cknow-your-customer\u201d requirements on cloud providers may be well-intentioned, but it risks pushing attackers to use services that are further from the reach of law enforcement, he said.<\/p>\n<p>The biggest threat to cloud infrastructure is physical disaster, not technology failures, Dorman said.<\/p>\n<p>\u201cThe financial services industry is a great example of how a sector diversifies activity across multiple cloud providers to avoid any points of failure,\u201d said Dorman. \u201cCritical infrastructure entities modernizing towards the cloud need to think about disaster recovery plans. Most critical infrastructure entities are not in a position to go fully multicloud, limiting points of exposure.\u201d<\/p>\n<h2 id=\"customers\">Cloud customers need to implement security<\/h2>\n<p>While the Biden administration said it would work with cloud and internet infrastructure providers to identify \u201cmalicious use of U.S. infrastructure, share reports of malicious use with the government\u201d and \u201cmake it easier for victims to report abuse of these systems and \u2026 more difficult for malicious actors to gain access to these resources in the first place,\u201d doing so could pose challenges.<\/p>\n<p>Mike Beckley, founder and chief technology officer of process automation firm Appian, said that the government is rightly sounding the alarm over the vulnerability of government systems.<\/p>\n<p>\u201cBut, it has a bigger problem, and that is that most of its software isn\u2019t from us or Microsoft or Salesforce or Palantir, for that matter,\u201d said Beckley. 
\u201cIt\u2019s written by a low-cost bidder in custom contracts and, therefore, sneaks by most rules and constraints we operate by as commercial providers.<\/p>\n<p>\u201cWhatever the government thinks it\u2019s buying is changing every day, based on least experience or least qualified, or even the most malicious contractor who has the rights and permissions to upload new libraries and codes. Every single one of those custom-code pipelines has to be built up for every project and is therefore only as good as the team that is doing it.\u201d<\/p>\n<h2 id=\"defend\">It\u2019s on customers to defend against major cloud-based threats<\/h2>\n<p>Seeking out malefactors is a big ask for CSPs like Amazon, Google and Microsoft, said Mike Britton, chief information security officer at Abnormal Security.<\/p>\n<p>\u201cUltimately, the cloud is just another fancy word for outside servers, and that digital space is now a commodity \u2014 I can store petabytes for pennies on the dollar,\u201d said Britton. \u201cWe now live in a world where everything is API- and internet-based, so there are no barriers as there were in the old days.<\/p>\n<p><strong>SEE: <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/top-open-source-security-risks\/\"><strong>Top 10 open-source security and operational risks<\/strong><\/a><strong> (TechRepublic)<\/strong><\/p>\n<p>\u201cThere is a shared responsibility matrix, where the cloud provider handles issues like hardware operating system patches, but it is the customer\u2019s responsibility to know what is public facing and opt in or out. I do think it would be good if there were the equivalent of a \u2018no\u2019 failsafe asking something like \u2018Did you mean to do that?\u2019 when it comes to actions like making storage buckets public.<\/p>\n<p>\u201cTaking your 50 terabytes in an S3 storage bucket and accidentally making it publicly available is potentially shooting yourself in the foot. 
So, cloud security posture management solutions are useful. And consumers of cloud services need to have good processes in order.\u201d<\/p>\n<h2 id=\"major\">Major threats to your cloud operations<\/h2>\n<p>Check Point Security\u2019s 2022 Cloud Security report listed leading threats to cloud security.<\/p>\n<h3>Misconfigurations<\/h3>\n<p>Misconfigurations are a leading cause of cloud data breaches, and organizations\u2019 <a href=\"https:\/\/www.checkpoint.com\/cyber-hub\/cloud-security\/what-is-cspm-cloud-security-posture-management\/\" target=\"_blank\" rel=\"noopener noreferrer\">cloud security posture management<\/a> strategies are inadequate for protecting their cloud-based infrastructure from them.<\/p>\n<h3>Unauthorized access<\/h3>\n<p>Cloud-based deployments outside of the network perimeter and directly accessible from the public internet make unauthorized access easier.<\/p>\n<h3>Insecure interfaces and APIs<\/h3>\n<p>CSPs often provide a number of application programming interfaces and other interfaces for their customers, according to Check Point, but security depends on whether a customer has secured the interfaces for their cloud-based infrastructures.<\/p>\n<h3>Hijacked accounts<\/h3>\n<p>Unsurprisingly, password security is a weak link and often includes bad practices like password reuse and the use of poor passwords. This problem exacerbates the impact of phishing attacks and data breaches since it enables a single stolen password to be used on multiple different accounts.<\/p>\n<h3>Lack of visibility<\/h3>\n<p>An organization\u2019s cloud resources are located outside of the corporate network and run on infrastructure that the company does not own.<\/p>\n<p>\u201cAs a result, many traditional tools for achieving network visibility are not effective for cloud environments,\u201d Check Point noted. 
\u201cAnd some organizations lack <a href=\"https:\/\/www.checkpoint.com\/solutions\/cloud-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">cloud-focused security tools<\/a>. This can limit an organization\u2019s ability to monitor their cloud-based resources and protect them against attack.\u201d<\/p>\n<h3>External data sharing<\/h3>\n<p>The cloud makes data sharing easy, whether through an email invitation to a collaborator, or through a shared link. That ease of data sharing poses a security risk.<\/p>\n<h3>Malicious insiders<\/h3>\n<p>Although it seems paradoxical, since insiders are already inside the perimeter, someone with bad intent may have authorized access to an organization\u2019s network and some of the sensitive resources it contains.<\/p>\n<p>\u201cOn the cloud, detection of a malicious insider is even more difficult,\u201d said Check Point\u2019s report. \u201cWith cloud deployments, companies lack control over their underlying infrastructure, making many traditional security solutions less effective.\u201d<\/p>\n<h3>Cyberattacks as big business<\/h3>\n<p>Cybercriminals mostly choose targets based on profitability. Cloud-based infrastructure that is accessible to the public from the internet can be improperly secured and can contain sensitive and valuable data.<\/p>\n<h3>Denial-of-service attacks<\/h3>\n<p>The cloud is essential to many organizations\u2019 ability to do business. 
They use the cloud to store business-critical data and to run important internal and customer-facing applications.<\/p>\n<h2 id=\"ethical\">Ethical hacking may secure operations in the cloud and on-premises<\/h2>\n<p>It\u2019s important for organizations to secure their own perimeters and conduct a regular cadence of internal and external vulnerability tests.<\/p>\n<p>If you want to hone your ethical hacking skills for web pen testing and more, check out this comprehensive TechRepublic Academy <a href=\"https:\/\/academy.techrepublic.com\/sales\/the-2020-premium-ethical-hacking-certification-bundle\">ethical hacking course bundle<\/a>.<\/p>\n<p><strong>Read next: <\/strong><a href=\"https:\/\/www.techrepublic.com\/article\/minimizing-security-risks-best-practices\/\"><strong>How to minimize security risks: Follow these best practices for success<\/strong><\/a><strong> (TechRepublic)<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Image: Maksym Yemelyanov\/Adobe Stock President Joe Biden\u2019s administration, as part of its recently released National Cybersecurity Strategy, said critical sectors such as telecommunications, energy and healthcare rely on the cybersecurity and resilience of cloud service providers. 
Yet, recent reports suggest the administration has concerns that major cloud service providers constitute a massive threat surface \u2014 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88503,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37,134,40,788,783,56,154,152,287],"tags":[],"class_list":["post-88502","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-amazon","category-aws","category-cloud","category-cloud-security","category-cloudsync","category-cybersecurity","category-google","category-microsoft","category-security"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88502"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88502\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88503"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}