Cybersecurity never lacks challenges. This was as true as ever in 2022, as IT and security teams entered the year dealing with one of the most critical and ubiquitous vulnerabilities in recent memory in Log4Shell. The ransomware threat remained ever-present throughout the year. As the calendar turns to 2023, the cloudy economic outlook brings added pressures to drive efficiencies in IT and security operations.
Regardless of the current uncertainty, the need for business transformation is not going away and will continue to fuel a high rate of cloud adoption. In fact, Gartner expects worldwide spending on public cloud services will grow from $494.7B in 2022 to nearly $600B in 2023.
In our 2022 State of Public Cloud Security Report, we observed that while many organizations list cloud security as one of their top IT priorities, there are still many basic security practices that are not being followed. In the rush to move resources to the cloud, organizations still struggle to keep up with ever-expanding cloud attack surfaces and increasing multi-cloud complexity. The current shortage of skilled cybersecurity staff is further worsening the situation.
Against this backdrop, we offer the following cloud security trends to watch in 2023. We invite you to download the 2022 State of Public Cloud Report, as it offers recommendations to help plan for these trends.
The Continuous Threat of Leading Cloud Attack Vectors
We expect to continue seeing two major types of attack vectors.
- The ‘one vital cloud misconfiguration’: An example of this is Amazon RDS snapshots inadvertently being shared publicly. Organizations that still have an on-premises mindset are more prone to these kinds of mistakes, as they sometimes neglect the controls that are cloud-specific. Considering that some Amazon RDS snapshots can contain highly sensitive information, the fact that organizations are not aware of whether their RDS snapshots are publicly available is yet another example of organizations lacking visibility into their cloud environments. With today’s wide cloud adoption, it is imperative that organizations know exactly what is running and configured on 100% of their cloud assets.
- Starting with a vulnerability, traversing to a crown jewel: As we saw in the 2022 Public Cloud Security Report, 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector and on average require only three steps to reach “crown jewel” data.
The good news is that the vast majority of attacker entry points can be prevented relatively easily since these CVEs are known, the vast majority have remediations available, and usually, only a very small percentage of them are externally exposed. In addition, by taking preventive measures to reduce an attacker’s ability to move laterally in the environment, organizations can ensure that even if an attacker is able to gain access, the potential damage can be kept to a minimum.
The Ever-evolving Shared Responsibility Model
As more organizations win or lose in the cloud, the shared responsibility model will evolve to include SLAs for vulnerability response from the cloud providers.
In the last year or so, we’ve seen that the cloud providers are not immune to vulnerabilities in their core offerings, with multiple vulnerabilities found in AWS and Azure. We’ve seen significant differences in the time it took the vendors to fix issues – from 26 hours in the case of BreakingFormation, a vulnerability discovered by Orca Security on AWS CloudFormation, to five months in the case of SynLapse, a vulnerability discovered by Orca Security on Azure Synapse service.
Enterprises are starting to demand that their cloud providers commit to stricter and shorter timelines when dealing with critical security issues, which will bring about a material change in the shared responsibility model. The traditional 90-day time window started when software patches were actually distributed and needed to be installed by the customer. Cloud providers can and should be held to shorter timeframes.
Changes in the Macroeconomic Environment Impacting the Way Security Teams Operate and Choose Security Solutions
We believe the impact of the uncertain macro environment that exists in 2023 can be summarized in two ways: Consolidation and Risk Prioritization.
Consolidation: Organizations will reduce the number of tools they’re using. Instead, they will focus on tools that, while on paper, may have fewer features, but will dramatically reduce both purchase and operational costs.
As part of this, we expect to see a consolidation of tools in more comprehensive platforms either through acquisition or in-house development.
Risk Prioritization: More and more organizations realize that it is not possible to fix each and every risk. As we found in our 2022 Cloud Security Alert Fatigue Report, nearly 6 in 10 security analysts receive more than 500 cloud security alerts per day, which is causing critical alerts to be missed, often on a daily or weekly basis.
As a result, more organizations will understand the critical need for cloud security solutions to prioritize risk based on the potential blast radius, which can only be accomplished with full context and wide visibility into the environment, something which siloed point tools don’t have.
Evolving Cloud Use Cases and the Impact on Risks for Enterprises
We see cloud use cases changing and evolving around the following dynamics:
Multi-cloud: Given the macroeconomic environment, we believe more enterprises will be moving to a multi-cloud strategy. This reduces lock-in and will allow putting the workload on the cloud platform where it is most cost-effective. In extreme cases, cost reductions of over 80% can be achieved by moving workloads between cloud providers.
While saving money, this increases the risk organizations will take, given the need to learn and secure environments running on multiple cloud providers, each with its own philosophy and terminology.
Increasing API risks: The proliferation of APIs will continue to expand and increase the API attack surface, due to zombie and shadow APIs, and the growing use of microservices and XaaS (Anything-as-a-service) that rely on API-based architectures. Since APIs provide access to sensitive application functions and data, they are
an attractive target for attackers. Many organizations lack visibility into their APIs and will likely be prioritizing API security for the coming year.
Cloud Security Trends I Am Most Excited About in 2023 and Beyond
I’m most excited about the adoption of passkeys by the major device and OS manufacturers, which removes the need for passwords when authenticating on the web. At Orca Security, we see secrets (namely static keys, passwords) as a major weakness in organizations’ cloud security posture, and are excited about limiting their use as much as possible.
As we all prepare for the new year, we know cloud security will continue to bring about old and new challenges alike. What trends do you see emerging in the coming year? I’d like to hear from you.
Is your cloud security infrastructure ready for the challenges of 2023? Start strengthening your cloud security posture today by signing up for a free, no-obligation cloud security risk assessment or requesting a free demo of the Orca Security Platform.