Table of Contents
1. Complex Access Controls
2. Heightened API Security Risks
3. Multiple Clouds
4. Perimeterless Networks
5. New Types of Cloud Cybersecurity Attacks
6. The Growing Security Cost of the Cloud
Cybersecurity has become tremendously more challenging over the past decade. The number of cyberattacks has increased about 60-fold. The average cost of attacks has also surged, growing from about $3.8 million per incident in 2015 to $4.35 million in 2022.
But you probably know that, thanks to widespread coverage of persistent cybersecurity challenges. The more interesting issue to consider is why cybersecurity attacks have become so prevalent and costly.
If I had to name the top reason, I’d point to cloud computing. Applications in the cloud aren’t inherently any less (or more) secure than on-premises apps. But the cloud has upended cybersecurity practices and created a host of new security challenges that simply didn’t exist in the pre-cloud world. Given the massive adoption of cloud computing services over the past decade, the growth of the cloud would seem to be a major reason why cybersecurity challenges have grown.
Let me explain by detailing the multiple ways in which the cloud has changed cybersecurity, and why these changes make security fundamentally more challenging.
Complex Access Controls
Access controls, which define who can access which resources in a software environment, have been a part of security architectures for decades.
The advent of the cloud, however, has led to an explosion in the scale and complexity of access control rules. Whereas in the past businesses had to worry only about ensuring that access rights defined within operating systems and directory services were secure, they now have to protect access controls within cloud environments, too.
A single cloud environment could have hundreds of users and services with thousands of permissions or entitlements spread across them, and each cloud provider uses its own proprietary access control framework. That makes it easy for admins to overlook important access control settings or define excessive permissions.
These risks have bred a new set of cloud security tools, such as CIEM solutions, which help protect against insecure cloud access control settings. But even with the automation that such tools provide, cybersecurity teams still face a fundamentally steeper challenge when it comes to access controls than they did in the pre-cloud world.
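The kind of check a CIEM tool automates, as an added example that is not part of the original article: it compares granted permissions against observed usage to flag wildcard grants and entitlements that were never exercised. The principals, permission strings and log records are constructed for illustration and do not follow any one provider's format.

```python
from fnmatch import fnmatchcase

# Constructed inventory: principal -> granted permission patterns.
GRANTS = {
    "svc-report": ["storage:GetObject", "storage:ListBucket", "storage:DeleteObject"],
    "svc-deploy": ["compute:*", "storage:GetObject"],
    "alice": ["*"],
}

# Constructed access log: (principal, permission actually exercised).
USAGE = [
    ("svc-report", "storage:GetObject"),
    ("svc-report", "storage:ListBucket"),
    ("svc-deploy", "compute:StartInstance"),
    ("alice", "storage:GetObject"),
]


def audit(grants, usage):
    """Return per-principal findings: wildcard grants, unused grants, and
    the concrete permissions a least-privilege policy would need."""
    used = {}
    for principal, action in usage:
        used.setdefault(principal, set()).add(action)

    findings = {}
    for principal, patterns in grants.items():
        actions = used.get(principal, set())
        wildcard = [p for p in patterns if "*" in p]
        # A grant is unused when no observed action matches its pattern.
        unused = [p for p in patterns
                  if not any(fnmatchcase(a, p) for a in actions)]
        # Observed actions not covered by any grant point to a gap in the
        # inventory (e.g. access inherited from a source not listed here).
        uncovered = sorted(a for a in actions
                           if not any(fnmatchcase(a, p) for p in patterns))
        findings[principal] = {
            "wildcard": wildcard,
            "unused": unused,
            "needed": sorted(actions),
            "uncovered": uncovered,
        }
    return findings


if __name__ == "__main__":
    for principal, f in audit(GRANTS, USAGE).items():
        print(principal, f)
```

The `needed` list is the starting point for a tighter policy: a principal holding `*` or `compute:*` that only ever exercises one action is the excessive-permission case described above.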
Heightened API Security Risks
The cloud has also led to the proliferation of APIs, which create a whole new category of security risk.
Admittedly, APIs existed before the cloud. But the cloud has made APIs absolutely central to the way modern workloads are deployed and operated. The typical business today depends on dozens, if not hundreds, of internal and external APIs to run its cloud workloads. Each of those APIs could potentially be abused in ways that give attackers access to sensitive data or allow them to take control of critical services.
Thus, the cloud has dramatically expanded the security challenges businesses face related to APIs, which is something most teams barely thought about in the pre-cloud era.
Multiple Clouds
The advent of multicloud architectures, too, exacerbates modern cybersecurity challenges.
The reason why isn’t that multicloud environments are less secure than single-cloud environments. It’s instead that the more clouds you have, the harder it is to monitor, audit, and secure all of them. Some security tools only support certain clouds, making it difficult to centralize security when you have a multicloud architecture. Plus, differences in the way each cloud vendor’s services are configured can make it more challenging to identify security risks because a setting that is not risky on one platform might be insecure on another.
Granted, it has always been challenging in some cases to centralize security. In an on-prem or single-cloud environment, you might have to use multiple security tools because you run multiple operating systems, for instance. But at the end of the day, the diversity and complexity of your on-prem or single-cloud environment are likely to be an order of magnitude lower than those of a multicloud environment. By extension, the multicloud environment is a lot harder to secure.
Perimeterless Networks
Remember when all of your applications ran on on-premises servers that you could neatly segment from the internet using firewalls? Those days are gone. Almost by definition, cloud computing environments expose workloads to the internet, which makes them significantly harder to protect against abuse.
Sure, you can use services like web application firewalls and virtual private clouds to provide some buffer between cloud workloads and the internet. But you still can’t define a tight network perimeter in the way you could with an on-premises environment. Unless you adopt a complex strategy, like air-gapping with a hybrid cloud, you’ll face increased network-borne security risks.
New Types of Cloud Cybersecurity Attacks
The cloud has also opened the door to new types of cybersecurity attacks that wouldn’t be possible to execute in traditional environments.
One is so-called denial-of-wallet attacks, in which attackers find ways to run up the cloud computing bills of their victims by, for instance, triggering high-cost serverless functions.
A related attack is cryptojacking, where the bad guys use compromised infrastructure to mine cryptocurrency. They keep the coins while their victims foot the crypto mining bill. Technically, a cryptojacking attack could occur with on-premises infrastructure, too. But cryptojacking is likely to be more damaging in the cloud, where attackers can take advantage of infinitely scalable infrastructure to mine massive amounts of coins at their victims’ expense.
Conclusion: The Growing Security Cost of the Cloud
To be sure, none of the modern cybersecurity challenges that result from widespread adoption of the cloud is a reason to avoid using the cloud. In most cases, the flexibility and convenience that the cloud offers are worth the added security risks.
But these risks exist nonetheless, and it’s critical to recognize and manage them in order to use the cloud responsibly. The cloud has ushered in a fundamentally different cybersecurity world than the one that existed a decade ago.
About the author
Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.