8 cloud security gotchas most CISOs miss
While many of our business processes are making a home in the accessible cloud, many enterprise CISOs (chief information security officers) find themselves in a love/hate relationship with this new environment. While the cloud may be readily accessible and seamless to users, there are still security threats to address and policies that need to be in place to keep your company’s data secure. Technology expert Evan Schuman shares an article on CSO Online explaining how the very nature of cloud use in the enterprise can deliver a wide range of insidious cybersecurity problems that can be difficult to detect. Schuman spoke with a range of cloud security experts about under-the-radar cloud security issues most likely to surprise the enterprise SOC.
IT inventory excuses don’t cut it in the cloud. “‘Security specialists often avoid dealing with performing inventory of IT assets on-prem. What many don’t realize is that taking inventory in the cloud is far easier and there are no excuses for avoiding doing it anymore,’ says Scott Piper, as such inventory avoidance can deliver severe cybersecurity problems.”
Cloud bills help track attacks — but with caveats. “Some attackers aren’t interested in stealing enterprise data via ransomware or shutting down operations via DDoS. Instead, they are saboteurs looking to punish the enterprise for whatever reason. One such method includes denial of wallet (DoW) attacks designed to force your enterprise to run up lots of extra cloud charges.”
Your IDP strategy is likely lacking. “Identity provider (IDP) outages are relatively rare and don’t last very long. Plus, switching to a backup service can cause bigger disruptions for end-users — given the possibility of requiring a behavioral change — than simply waiting a few more minutes to see whether the primary system gets restored. ‘But because there’s no way to determine when restoration will happen, enterprises still need an IDP backup strategy,’ says Martin Kuppinger, principal analyst for German consulting firm Kuppinger Cole Analysts. Unfortunately, for the reasons cited above, many companies forgo having one.”
SaaS is a security issue you’re not fully dealing with. “‘SaaS providers vary hugely in risk. SaaS apps are radically different in how much risk they present to the organization. The biggest are very good. The next couple of tiers are usable but there is a long tail of SaaS apps that are very hard to assess,’ says Gartner analyst Charlie Winckless. ‘This issue is compounded by the fact that many CISOs have a massive focus on the three big hyperscalers and ignore SaaS. Code repositories are often in SaaS and may be open or much less secure than you expect.’”
Dangling DNS pointers can be big problems. “Winckless adds about DNS, ‘It’s easy in the dynamic nature of cloud to be exposed by DNS. [Let’s say your team] sets up a site in Azure with an azurewebsites.net DNS and creates a CNAME for yourself and points it to the site. If you delete the site, which is common, and not the CNAME, an attacker can masquerade under your dangling DNS. This isn’t cloud-unique, but the cloud dynamism makes it much easier to accidentally leave yourself with the dangling DNS pointer.’”
API access is a security incident waiting to happen. “‘Local API keys in apps are a surprisingly common yet overlooked cloud security gap,’ says Paul Querna, CTO of ConductorOne, an identity governance firm. ‘In many cases, there’s a local API key that will continue working even after SSO has been disabled. That’s because local API keys operate independently of the user’s SSO status and are not automatically revoked when SSO is turned off. This means that the user might still have access to some systems or data, which poses a serious security risk.’”
IMDSv2: What you don’t know could kill your cloud. “In March 2024, Amazon quietly rolled out an update to a critical piece of the AWS platform: the Instance Metadata Service (IMDS). Some SOCs ‘might not even realize that they are using [IMDS]’ and therefore they are exposing their operation to a serious ‘security threat related to metadata exposure,’ says Pluralsight’s Firment. AWS introduced a second version of IMDS to improve the security of unauthorized metadata, although many organizations are still using the original IMDSv1 as the default. To help CISOs close this potential security hole, AWS recently announced the ability to set all newly launched Amazon EC2 instances to the more secure IMDSv2 by default. IMDSv2 ‘was launched by AWS in November 2019 but the ability to set the default to the new version was not introduced until March 2024. As a result, many organizations continued to use the original vulnerable IMDSv1. Interesting to note that the default only applies to new instances launched, so existing instances with IMDSv1 still need to be reconfigured,’ Firment says.”
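Because the new account-level default covers only newly launched instances, existing instances have to be found and reconfigured one by one. The following Python script is an added example (not from the article, from Firment, or from AWS) that audits the JSON output of `aws ec2 describe-instances` for instances whose metadata endpoint is enabled but still accepts IMDSv1 (`HttpTokens` set to `optional`) and produces the per-instance remediation command; the instance data below is a constructed sample, not a real account.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output, not a real account.
# HttpTokens "optional" = IMDSv1 still accepted; "required" = IMDSv2 (session token) only.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"}, "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"}, "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "running"}, "MetadataOptions":
     {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddddddddddddddd4", "State": {"Name": "stopped"}, "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]})


def find_imdsv1_instances(describe_json: str) -> list[dict]:
    """Return instances whose IMDS endpoint is on and still accepts IMDSv1 (no token)."""
    data = json.loads(describe_json)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # Endpoint disabled: IMDS is unreachable on this instance, nothing to harden.
            if opts.get("HttpEndpoint") != "enabled":
                continue
            # Stopped instances are included: they come back up with the same setting.
            if opts.get("HttpTokens", "optional") != "required":
                findings.append({"InstanceId": inst["InstanceId"],
                                 "State": inst.get("State", {}).get("Name", "unknown"),
                                 "HopLimit": opts.get("HttpPutResponseHopLimit")})
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Per-instance AWS CLI command that enforces IMDSv2 (session token required)."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {hit['InstanceId']} "
            "--http-tokens required --http-endpoint enabled" for hit in findings]


if __name__ == "__main__":
    hits = find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)
    for finding, cmd in zip(hits, remediation_commands(hits)):
        print(f"{finding['InstanceId']} ({finding['State']}): {cmd}")
```

The account-wide default for future launches is a separate setting (`aws ec2 modify-instance-metadata-defaults --http-tokens required`), which is exactly why the instances flagged above still need the per-instance command.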