How a reliance on the cloud still poses security risks

Most of the cyberattacks on cloud environments have been due to compromised credentials, says Centrify.

Cloud computing concept

Image: iStock/Melpomenem

Moving your assets and infrastructure to the cloud is a key way to offload some of the time, money and resources required to manage everything internally. With the coronavirus pandemic and lockdown forcing a dramatic shift toward remote working, more organizations have been migrating to the cloud over the past year.

SEE: Managing the multicloud (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

Of course, cybercriminals have been keen to exploit this new reliance to hack into cloud-based accounts and data in order to compromise more victims. Survey results released Wednesday by security firm Centrify show how cloud environments can be vulnerable, while its CEO offers advice for protecting your cloud-based assets.

Sponsored by Centrify and conducted by CensusWide, a survey of 150 IT decisions makers in the U.S. found that 63% had already moved to the cloud three to five years ago, while 25% started their migration over the past two years. Almost a third of the respondents use both hybrid and multicloud environments, almost half take a private cloud-only approach and almost a quarter rely on a public cloud.

Asked about the top benefits from using the cloud, 46% cited availability, 28% pointed to collaboration, 15% mentioned cost savings and 9% scalability.

"After a year of remote working, enterprises have learned that the cloud is no longer just a 'nice to have,' but a requirement of the new reality," Centrify CEO Art Gilliland said. "Even as we begin to see a light at the end of the tunnel with the vaccine rollout, cloud has emerged as a game changer in terms of availability and scalability as well as flexibility and reliability, making it a must-have moving forward."

But this reliance on the cloud also brings with it several challenges. Some 36% cited the management of a multicloud environment as the biggest challenge. Some 22% pointed to security risks, another 22% to the actual migration and 19% to compliance issues.

The survey focused particularly on the security risks involved in a cloud environment. Some 65% of those surveyed said they've witnessed attempted cyberattacks on their cloud environments. A full 80% revealed that their cloud environments were successfully compromised. Among the respondents who were hit by a successful attack, 90% said that compromised administrative credentials played a role in the breach.

Such attacks have proved to be successful even though many of those surveyed are taking certain security precautions. Some 80% said they do use the identity and access management (IAM) tools available from their cloud provider to ensure that the right people have the appropriate access. Asked what types of IAM tools they use, 57% cited Privilege Elevation and Delegation Management, 52% pointed to multifactor or two-factor authentication, 50% to password vaulting, 35% to single sign-on and 25% to AD Bridging.

But to further strengthen an organization's security, Gilliland recommends using a privileged access management (PAM) tool. Such tools are available not only from Centrify but from a range of vendors, including Archon, Thycotic, CyberArk and Beyond Trust.

"To address cloud-based threats, the IT stack should be secured by a centralized privileged access management (PAM) solution architected in the cloud, for the cloud," Gilliland said.

"Centralized identities and privilege elevation strategies empower granular access controls to hybrid environments, even as digital transformation accelerates and workforces evolve post-COVID-19," Gilliland added. "With multicloud strategies becoming the norm, the ideal security approach relies on zero trust principles for strong authentication, employs least privilege to restrict lateral movement, and leverages key benefits of the cloud economy in order to minimize attack surfaces."

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.