In the last several years, IT has undergone a major transformation - spurred by the global pandemic and subsequent economic and societal upheavals, cloud adoption has skyrocketed. In fact, a recent survey we conducted found that 69% of organizations host more than half their workloads in the cloud, a trend only expected to grow. As part of this, cloud-native application development is also on the rise as organizations aim to use their cloud environments to deliver with more speed and efficiency and boost their overall competitiveness.
But this market-fueled, developer-driven cloud-native push comes with a host of risks. How? To meet demand, developers must move fast to create applications that organizations need to manage and run their cloud environments. As a result, many are leveraging pre-developed open-source code rather than writing code from scratch to keep up with the rapid pace.
As powerful and convenient as it is, open-source software can introduce many vulnerabilities early on in the application lifecycle pipeline. A single software vulnerability alone can lead to hundreds of vulnerabilities in organizations’ applications when deployed at runtime. In fact, Forrester found that more than 75% of application code is open-source, and developers are often using versions with vulnerabilities, many of which are not known or apparent to the untrained eye.
To help organizations better protect their valuable applications and infrastructure from the possibility of attack, here are five key cloud security risks they should be aware of:
- Application vulnerabilities: The biggest risk for many organizations can come from the application development process itself. Considering applications remain vulnerable at runtime while they are deployed, security professionals have to consider all avenues of threats and can’t hesitate when it comes to securing the full application lifecycle. To that point, 96% of third-party container applications deployed in cloud infrastructure were found to contain known vulnerabilities. From code changes that have not been tested to zero-day attacks, runtime applications will continue to require examination.
- Infrastructure misconfigurations: Cloud misconfigurations and unpatched software leave the door wide open for network attacks and exploits. The most common misconfiguration is leaving ports open, and any port left open to the internet provides hackers with an attack vector.
- Malware: Malware isn’t new, but it is evolving at a breakneck speed in the cloud. Unfortunately, the process of spotting potential cloud-native malware can be challenging due to “noisy” security tools. In essence, these “noisy” tools provide more alerts than security teams can reasonably respond to, resulting in ‘alert fatigue’ and, eventually, missed red flags.
- Overprovisioned access: Overprovisioned access opens organizations up to major cloud security threats and malicious insiders. Nearly all (99%) of cloud users, roles, services, and resources in our survey were granted excessive permissions. As a result, organizations can experience more frequent attacks and account takeovers.
- Insecure APIs: APIs are the lifeblood of cloud-native and app-based economies. Because of this, one fact has become increasingly clear: failing to protect your APIs can have devastating consequences. For example, just one API breach can lead to the downfall of an organization’s entire digital software strategy and development efforts.
Attackers will never stop looking for vulnerabilities to exploit, and new technology provides a bountiful opportunity as organizations often learn too late how to secure infrastructure "the hard way." Luckily, there are several actions organizations can take to defend against these risks.
Achieve Simplicity with Shift-Left Security
Shift-left security is an operating model that provides security feedback and guardrails as early in the development process as possible. Because cloud computing environments are increasingly defined and controlled by containers, infrastructure-as-code (IaC), and Kubernetes, it's vital that DevOps and cloud teams prioritize security early in the design cycle so they can catch potential vulnerabilities before applications are deployed. This will prevent potential vulnerabilities from becoming larger problems down the line and eliminate the costs to remediate.
Zero Trust with Zero Exceptions
Taking a Zero Trust security approach is vital to protecting an organization’s valuable data, applications, and infrastructure. To achieve this, organizations must limit access to these assets and remove implicit trust within their environments. This will ensure that no employee, partner, or customer has access to data they aren’t supposed to while enabling organizations to have more control and visibility across their IT environments.
Consolidation is Key
While leveraging dozens of vendors can create the illusion of providing organizations with comprehensive security, it ultimately creates more complexity. From higher costs to introducing new security gaps, using a number of different security tools makes managing and securing IT environments more challenging. Luckily, organizations are becoming more aware of this issue, and according to Gartner, it is estimated that by 2025, 70% of organizations will consolidate the number of vendors securing the life cycle of cloud-native applications to a maximum of three vendors. By taking a consolidated security approach, organizations can enable more comprehensive and scalable security controls.
To provide efficient security across cloud environments, both developer and security teams have an equal role in reducing risk at every stage. For developers, this means shifting mindsets left and leveraging tools and processes to remove application vulnerabilities and misconfigurations at the earliest possible stage. For security teams, it means having visibility with Zero Trust and a consolidated security strategy to identify and respond to threats quickly. By taking these actions, organizations can improve their cloud security postures to address the many challenges of cloud-native development.
Ankur Shah is SVP and GM, Prisma Cloud, at Palo Alto Networks.