It’s been about 15 years since public cloud stormed onto the scene and established itself as a core component of any enterprise’s digital transformation strategy. Over that time, the threat landscape has changed radically. As such, enterprises need to take that point into account when planning for what's next in security. Here is why:
First and foremost, it’s important to note that while public clouds are a core component, they’re not the only component. To be honest, they never were, but it’s taken nearly a dozen years for the market to realize that the future is, most undeniably, hybrid. Our research has been showing that for nearly as long.
Second, it’s important to understand how public cloud fits in the context of the evolving threat landscape because the fears and security concerns we had when cloud emerged are not the ones we have today.
Back then, most folks were primarily worried about the security of the cloud itself: its underlying infrastructure and systems. Folks eyed “shared compute” as a serious risk and grappled with the shared responsibility model established by AWS and subsequent providers.
The threat landscape changes over time
Through more than a decade of use, there have been many high-profile, public-cloud-related breaches. But digging into the details of those breaches, we find a common theme, and it is not public cloud infrastructure or shared compute. The point of entry for attackers has almost always been a misconfiguration that opened a security hole attackers could drive a truck through: misconfigured S3 buckets, open administrative access to Kubernetes consoles, and standard API/app vulnerabilities that could have been blocked with a traditional web application firewall.
These are basic security errors that transcend technology.
And though these remain, the risk posed by identity-related threats is far greater today.
Indeed, one could posit that a decade of misconfigurations and failure to block vulnerability exploits has given rise to today’s identity threats. Every breach leaked more credentials, and every credential deposited on the dark web drives a vast network of attackers whose goal is to take over accounts to get access to data and financial resources. Credit cards. Bank accounts. Payment processors. Corporate assets that can be encrypted and held for ransom.
To say that identity is the biggest threat today is not hyperbole.
- A combined 47% of cyber-attacks were focused on password credential vulnerability, using password spraying, credential stuffing, and brute force attacks. (Enzoic)
- Stolen credentials are the primary method threat actors use to access a business. (Verizon)
- In the first half of 2023, Americans have already reported nearly 560,000 cases of identity theft nationwide, according to the Federal Trade Commission (FTC). That puts 2023 on track to exceed 1 million identity theft complaints — far higher than any pre-pandemic year on record, dating back to 2001.
Protecting identity, which attackers can apparently steal with ease, is made far more difficult by hybrid IT and the inclusion of multiple public clouds in the enterprise architecture.
A Strata survey this year found that “managing fragmented applications and user identities across multiple cloud platforms” was the top concern cited by 67% of CISOs, with only 41% reporting they can enforce consistent access policies. That was a 25% year-on-year decline, which bodes well for attackers looking to compromise credentials to get their foot in the corporate door.
Hybrid and multi-cloud compound security problems
This challenge is giving rise to a significant shift we’re seeing around identity. Many organizations and providers are now looking beyond credentials to emerging technologies like passwordless to help rein in credential chaos. In the latter half of 2023, passwordless support and implementations have skyrocketed. And not just from consumer-facing companies either. It's coming to the corporate world, too, and faster than you might think, especially from companies delivering multi-cloud (hybrid) solutions – from networking to identity management to DevOps.
The threat of credential abuse has reached a critical stage. Attackers have pilfered so many credentials that I, and probably most of you, could use the dark web as a password manager. With the emergence of generative AI, attackers can abuse those credentials faster than we can develop the solutions to stop them. A radical shift in how we view identity is a good step toward stopping attackers and solving cybersecurity challenges associated with identity management across cloud, core, and edge.