Chain locks over cloud showing the top threats for cloud security
2019 Sans Institute Cloud Security Survey Reveals Top Threats, Which Surprisingly Are Not DDoS Attacks by Scott Ikeda

2019 Sans Institute Cloud Security Survey Reveals Top Threats, Which Surprisingly Are Not DDoS Attacks

The SANS Institute has released a new cloud security study meant to bring the current state of business readiness into better focus. The study has a number of interesting findings, headlined by an increase in business awareness of threats but also an increase in breach occurrences.

Conducted by senior instructor Dave Shackleford to learn more about business security readiness, the cloud security survey included several hundred companies based in the United States, Asia, Europe and Canada. The companies work in a variety of fields: 32% in technology, 11% in finance and the remaining 57% representing a very broad mix of industries. Company size was also well-distributed: 40% with under 1,000 employees, 22% with under 10,000 and 17% with over 50,000.

The need for a cloud security survey

Public confidence in business data security has been shaken recently due to a rash of high-profile mishaps centered on data in the cloud. Amazon Simple Storage Service (S3) buckets have been a particular problem. The Pentagon, Verizon, Deep Root Analytics, Pocket iNet and Cultura Colectiva are recent high-profile examples of S3 leaks that have collectively exposed the personal data of hundreds of millions of users.

Personal data leaks are the main concern, but improperly secured cloud storage can also be used as an attack vector (as demonstrated by the early 2018 hijacking of the Los Angeles Times website). A late 2017 study by Skyhigh Networks estimated that 7% of all S3 buckets were unsecured and that 35% were not using even the default encryption that comes with the account.

The SANS cloud security survey asked companies what applications and data they had in the cloud, what their biggest concerns about cloud storage were, what the cause of any attacks they had experienced was, what security technologies they had implemented and what challenges they faced in implementing forensics and incident recovery processes.

A noteworthy increase in unauthorized access

According to the results, 19% of respondents said they had experienced a breach in the previous year, an increase of 7% since the 2017 SANS survey. While 7% looks small in isolation, nearly one in five companies experienced a breach in 2018 whereas the number was much closer to one in eight in the previous year’s survey results. Also, this number may be larger than it initially appears. Only 72% of respondents were absolutely certain they had not experienced a breach; there is a remaining group of about 9% that apparently isn’t sure.

Unsurprisingly, “unauthorized access by outsiders” was the leading concern for the cloud security survey respondents. However, a number of other concern categories were more likely to be realized than an intrusion: lack of skills and training for public cloud services, poor configuration of cloud components and interfaces, downtime and inability to audit were more common actual woes for companies than a breach event. Of course, these major concerns are potential precursors for an attack – an untrained employee making a database public without being aware or failing to configure it properly, for example. All it would take is an attacker port scanning the IP range that the database is in to discover the failing and exploit it.

Of the attacks that respondents experienced in the 2019 cloud security survey, account or credential hijacking was the most common attack method. Poor configurations leading to public exposure was second, and privileged user abuse was third. Other recurring attack methods included insecure interface compromise, shadow IT (unauthorized employee software concoctions), “denial of service” attacks and data exfiltration from a particular cloud app.

Misconfigured databases left open to the public are the things that make for the gaudiest news stories (and biggest PR nightmares), but it is interesting to learn that they still lag credential hijacking by a full 6.7 percentage points. “Credential stuffing” is a particular problem for retail businesses, as gigantic collections of leaked sensitive data are used by criminals in tandem with fully automated bots that can swiftly try targeted combinations and automatically make fraudulent purchases for the attacker.

One interesting sidebar here is that distributed denial of service (DDoS) attacks have dropped considerably, from the #1 attack method in the 2017 cloud security survey to a three-way tie for the #5 slot. SANS attributes this to better built-in protections from both cloud service providers and applications.

Implementing security technologies

Responses regarding currently implemented technologies indicate there is still a strong preference for in-house measures. That is relatively concerning as regards cloud storage and applications, as only about 20 to 30% of respondents had implemented either a security-as-a-service measure or some sort of hybrid system. Additionally, only 44% of respondents were taking the basic measure of using the APIs provided by their cloud services company.

Over 65% of businesses surveyed have integrated in-house and cloud multi-factor authentication, and over half have integrated vulnerability scanning, anti-malware measures and network access controls. Numbers lag from there, though, with only 29% having integrated their incident response measures and forensics tools. SANS reports that the main factor driving successful integration is the use of vendor products that work well in each environment and streamline the process with central management capabilities.

Automated controls and tools are vital in keeping up with cloud security demands. The companies using them have implemented a roughly even mix of infrastructure-as-code in templates, SOAR tools, configuration orchestration tools, serverless technologies and plugins for continuous integration.

Final thoughts from the 2019 Cloud Security Survey

SANS concludes that in spite of a notable increase in breaches, the general state of cloud security appears to be improving. Factors in this assessment include the improvement of built-in security features in cloud services (such as Amazon’s improved public access settings), better availability of vendor solutions to cover gaps in home-to-cloud integration, increased acceptance of and frequency of penetration testing, and increased familiarity with the leading threats.

Challenges highlighted by the 2019 cloud security survey include a general continuing reticence to use in-cloud security services and controls, lack of in-house cloud security training, and inadequate API and automation options for managing the multi-cloud environments that companies increasingly find themselves navigating.