95% fear inadequate cloud security detection and response

Although numerous respondents acknowledged employing risky practices and behaviors within their cloud environments, they strongly believe in the effectiveness of their security tools and processes to safeguard their organizations against meticulously planned attacks, according to Permiso.

That high confidence level persists even among organizations that have already experienced unauthorized access or a data breach in their environment.

“Our findings are both fascinating and worrisome,” said Jason Martin, co-CEO of Permiso. “There’s a clear gap between perceived protection and the harsh reality of preparedness. While organizations are confident in their defense capabilities, their acknowledgment of existing risky practices coupled with the vast concern over their ability to effectively respond to a breach not only increases the likelihood of being breached, but means they are very unlikely to detect the breach in a timely fashion.”

Cloud security practices

The survey assessed both the respondents cloud security practices and the scale of their environment, including the number of identities and secrets they manage, response time to an attack, the different methods of access into their environment, and the types of solutions they utilize to help secure their environments. It also assessed their confidence level in the ability for their tools and teams to both defend against or detect a breach in their environment.

“We found that most respondents (70%) would characterize their response time to an attack to be between 12 and 24 hours. Data from actual production environments and incident responses show that number is more than two weeks (16 days). There is a significant disconnect within the survey data we collected and even more significant disparity when you compare that with actual data from cloud environments,” added Permiso co-CEO, Paul Nguyen.

The resulting report provides a holistic view of the current state of cloud security and offers valuable insights into best practices and potential areas for improvement.

• 50% of respondents reported a data breach due to unauthorized access to their cloud environment.
• 95% expressed concern that their current tools and teams may be unable to detect and respond to a security event in their cloud environment.
• 55% described their level of concern as “extremely concerned” and “very concerned.”
• Despite high-risk practices and widespread concern over a breach in their cloud environment, more than 80% of respondents feel that their existing tooling and configuration would sufficiently cover their organization from a well-orchestrated attack on their cloud environment.

More (and more) identities to manage

Permiso found that managing identities across on-premise and cloud environments is a growing challenge for many enterprises. Over 80% of respondents manage at least 1,000 identities across their cloud environment. Roughly 44% manage at least 5,000 identities across on-premise and cloud environments.

Many organizations manage many identities across cloud authentication boundaries in federated environments. This management, especially when actions involve shared credentials and roles, makes it challenging to identify change attribution. While 25% of the respondents use federation to access their cloud environment, only a little more than half of them have full visibility into the access activity of those federated users.

This inability to effectively manage the ever-growing number of identities creates significant risk. 46.4% of respondents allow console access via local IAM users, which presents numerous security risks and violates some enterprise security policies. Of those respondents, more than 25% don’t have full visibility into the activity of those users.

Additionally, 38% of respondents also stated that they leverage long-lived keys to grant access to their environment. Still, almost a third of them do not have visibility into the use of those keys to access their environments. Long-lived access keys can present a security risk to organizations and are more prone to being compromised the more they age.

Exposing secrets

As the number of API-driven ecosystems like CI/CD pipelines, data lakes and microservices grows, so do the number of secrets (i.e., keys/tokens/certificates) organizations need to secure the connections between applications and services. Over 60% of respondents manage at least 1,000 API secrets across their cloud environments, and a 30.9% manage at least 2,000 API secrets. This explosive growth of APIs and corresponding secrets has resulted in secrets leaking across development and deployment systems at an alarming rate.

A new approach to cloud environment security

Numerous organizations realize that many security tools and techniques that protected their data centers are ineffective for the cloud. The Permiso survey found the two most significant categories of tools adopted in the cloud are those that cloud providers offer and cloud security posture management (CSPM) solutions.

Many organizations leverage a combination of these cloud-native tools, in addition to CSPMs and SIEMs, as a set of solutions to help ensure the workloads they deploy are secure and compliant and are querying logs to help detect potential threat actors in their environments.

Recommendations

In addition to adopting and enforcing sound security practices such as highly limited or prohibited use of root access or local IAM users, enforcing MFA to any console access and stringent key rotation in order to prevent attacks from ever occurring, there are a number of steps organizations can also adopt to better detect threat actors in their environment.

“The first step is to have a comprehensive inventory of the identities in your environment and categorize their potential blast radius to help determine their risk. You should also be equally vigilant with taking inventory and tracking keys/tokens/credentials that are used in those environments. Ultimately these identities assume a role in order to make changes, which makes tracing behavior back to a single identity very difficult. Once you have a true stranglehold on the identities in your environment and the credentials they’re using, you want to baseline activities to understand the user’s ‘normal’ behavior so that you can develop rules and alerts from logs to detect access and behavioral anomalies in your environment,” concluded Martin.