Cloud environment: protect against misconfigurations, vulnerabilities and insider threats

Over the past decade, Microsoft has expanded its product portfolio. In addition to its status as an operating system provider, the company now offers various solutions covering productivity, collaboration and the cloud.

Some companies today choose Microsoft 365 and Microsoft Azure to consolidate their vendor portfolio, which often forces them to compromise on features that can be critical. This approach creates significant risk, because the company becomes dependent on a single supplier.

Today, all Microsoft services depend on Azure Active Directory for identity and access management (IAM). The weakest element in a Microsoft environment has therefore become the user's identity. If a malicious actor compromises an identity that holds elevated privileges, such as those of a security administrator, they bypass all of Microsoft's security measures and tools.

So how do you identify and protect against common cloud vulnerabilities, insider threats, and cloud misconfigurations?

Cloud vulnerabilities

Cloud services offer businesses significant advantages in scale and cost, so it is not surprising that 89% of them use multicloud services for their operations. As adoption grows, however, attackers are adapting their techniques to target these services directly.

Organizations trying to protect the already large attack surface of the Windows operating system now also have to deal with the exponential increase in vulnerabilities in cloud and security services.

Because visibility into cloud environments is often limited, many companies struggle to secure their data and devices effectively, or assume that their cloud service provider (CSP) protects their cloud instances for them. According to the IBM Data Breach report, cloud misconfigurations exposed more than 33 billion records in 2018 and 2019 alone.

Insider threats

The Cybersecurity Insiders Human Threat Report 2022 highlights that this type of incident has become more frequent over the past 12 months. There are two types of insider threat: negligent insiders, who have legitimate access to the corporate environment and make an unintentional mistake that results in a cyberattack, and malicious insiders, who have access to the corporate environment and agree to help cybercriminals out of greed.

Cloud misconfiguration

As enterprises accelerate their adoption of cloud services to facilitate their digital transformation, security has often become an afterthought. The assumption that securing the cloud is the sole responsibility of cloud service providers (CSPs) is very risky.

Check Point's 2022 Cloud Security Report confirms that 27% of companies have experienced a security incident in their public cloud infrastructure; 23% of these incidents were caused by cloud misconfigurations.

The countermeasures provided by Microsoft

What all of these attacks have in common is weak identity security. Microsoft claims that 99.9% of account compromises could be prevented with multi-factor authentication (MFA). The problem is that only 22% of corporate clients use it, and even then it is often poorly implemented and can still be circumvented.

As many companies have moved from an on-premises user identity to a hybrid or cloud identity with Azure Active Directory (Azure AD), new security risks have emerged. To understand them, it is important to understand how Azure AD works and how it relates to the Microsoft services that depend on it.

To help manage access control, Microsoft offers several built-in roles that are typically assigned to a company's security staff. "Global Administrator" is the highest-privileged role, providing full access to all Microsoft services; in general, this role is well protected.

The "Security Administrator" has full access to all Microsoft security services, including Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. Finally, the "Security Reader" grants read-only access to Microsoft security products.

Recognizing the reach of these roles and the risk when they are compromised, Microsoft advocates just-in-time (JIT) access and the broader Privileged Identity Management (PIM) service. However, as with MFA, only a limited number of companies use these services, because implementing them is complex.

In the others, an attacker who compromises a user identity that holds, for example, Security Administrator privileges can reach the majority of Microsoft services and thus evade the built-in security features.
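A concrete way to check the points above against your own tenant: the script below (an added example, not code from the article) takes a simplified export of role assignments, PIM eligibility and MFA registration and flags standing Global Administrator or Security Administrator assignments and privileged accounts without MFA. The record fields and the sample data are this example's own constructed assumptions, not the Microsoft Graph schema.

```python
"""Flag risky privileged-role assignments in an Azure AD (Entra ID) tenant export.

Added example, not from the article. Input is a constructed, simplified view of
what you would export from Microsoft Graph role assignments / PIM eligibility and
per-user MFA registration; the field names below are this example's own, not
Graph's schema.
"""

PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}

# Constructed sample data: one record per (user, role) pair.
SAMPLE_ASSIGNMENTS = [
    {"user": "alice@example.com", "role": "Global Administrator",
     "assignment": "eligible", "mfa_registered": True},      # PIM-eligible: OK
    {"user": "bob@example.com", "role": "Security Administrator",
     "assignment": "permanent", "mfa_registered": False},    # two findings
    {"user": "carol@example.com", "role": "Security Reader",
     "assignment": "permanent", "mfa_registered": True},     # read-only: not flagged
    {"user": "svc-backup@example.com", "role": "Global Administrator",
     "assignment": "permanent", "mfa_registered": True},     # standing GA: flagged
]


def audit_role_assignments(assignments):
    """Return (user, role, issue) tuples for privileged roles held without
    JIT eligibility or by accounts that have not registered MFA."""
    findings = []
    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue  # Security Reader and other low-privilege roles are not in scope
        if a["assignment"] != "eligible":
            findings.append((a["user"], a["role"],
                             "standing assignment; make it PIM-eligible (JIT)"))
        if not a["mfa_registered"]:
            findings.append((a["user"], a["role"],
                             "privileged account without MFA registered"))
    return findings


def global_admin_count(assignments):
    """Count distinct principals holding Global Administrator in any form;
    keep this number small (the threshold you enforce is your own policy)."""
    return len({a["user"] for a in assignments
                if a["role"] == "Global Administrator"})


if __name__ == "__main__":
    for user, role, issue in audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{user:28} {role:24} {issue}")
    print("Global Administrators:", global_admin_count(SAMPLE_ASSIGNMENTS))
```

Run against a real export, the same two functions give you a short list to feed into a PIM rollout and an MFA registration campaign.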

People, process and technology

So how can organizations reduce the risk of cloud misconfiguration, Microsoft product vulnerabilities, and insider threats? First, it is essential to understand the people, process and technology requirements.

People

According to a Mimecast study, 90% of security breaches are due to human error. It is therefore important to set up an effective security awareness program in order to reduce the risk of negligence that could lead to a cyberattack.

No one is immune to error or to a targeted social engineering attack. This is why an internal culture of cyber awareness is essential. Employees should know their privilege levels, understand how to help protect the business, and report suspicious activity.

Process

Consistent processes are essential and must be tested. For example, the policy governing employees' use of company equipment must leave no room for interpretation: it should state clearly what they can and cannot do and describe the security controls that need to be in place.

Additionally, it should clearly outline how to effectively report potential security incidents. When implementing these processes, you should not just define them, but test them so that the security team can identify weak points in advance.

Technology

According to the Verizon 2022 Data Breach Investigations Report, 61% of all attacks involve user identity. In many companies today, the IT and security team must support a variety of operating systems, cloud services, and endpoint types. These environments are often a combination of legacy and modern systems.

It's no surprise, then, that many organizations today run 25-49 independent tools from 10 or more vendors to detect, triage, and investigate threats. As companies look to consolidate them, they seek unified platforms that can help. Companies should therefore consider integrated security capabilities that detect, protect against and respond to threats, in particular by combining complementary XDR and ITDR technologies.

As businesses use cloud services, it’s critical to understand new threat typologies and be aware that securing cloud services is not just a CSP job. Security teams need to focus on securing the cloud, get the big picture of the business environment, understand the risks on any surface – identity, email, endpoints, network – and identify ways to protect, detect and respond to cyber threats across all digital assets.
