
Cross-Cloud Attacks: Why a Unified Network Security Strategy is Urgent

The near-ubiquitous use of cloud has opened new cyber attack vectors that organizations need to prepare for and address. On the one hand, major cloud service providers (CSPs) like Amazon, Microsoft, and Google bring to the table security controls that enterprises would otherwise have to buy or build for their on-premises data centers, likely with fewer dedicated resources than the CSPs can provide. On the other hand, the shared responsibility model of the cloud means that companies can’t simply put their faith in the CSP and hope for the best. Unfortunately, this model, in which some but not all security is included in cloud usage, has led to a scattershot approach to cloud security. Security teams have spent the last decade trying to adapt network security tools built for private, on-premises data centers to public, private, and hybrid cloud models. For myriad reasons, this hasn’t worked well and has left organizations vulnerable to exploitation.

It didn’t take attackers long to clue in to the gaps in protection. Per a recent McAfee Cloud Adoption and Risk Report, survey respondents reported more than 2,000 cloud security incidents per customer in the last 18 months. While security pros know that perimeter defenses do nothing to stop internal attacks, cloud networks remain largely “secured” with perimeter-based tools, and the rest is monitored for compromises already in progress, such as data exfiltration or malware moving laterally through the cloud and spreading to new users and systems because of flat network designs, mesh networks, or insufficient security controls.

East-west traffic today comprises a significant portion of data center traffic (on-prem, cloud, container) and Cisco predicts that by 2021 85% of network traffic will be east-west, signaling that companies must pay more attention to how (and what) traffic is communicating inside and across clouds. Trusted communications governed by a perimeter are no longer an option.

Using public cloud to launch secondary attacks

Yet the security industry hasn’t shifted its in-use tools and techniques to appropriately counter the risk of lateral movement in the cloud. As a result, one emerging attack type is the cross-cloud attack: moving from a public cloud environment to the on-premises data center or hosted private cloud. The theory (from an attacker’s point of view) is that organizations are not putting as much sensitive data in the public cloud as they keep on their internal networks. If the McAfee report is to be taken at face value, this is the case. Reportedly, “sensitive” data in the cloud, including company-confidential, password-protected, personally identifiable, payment, and personal health data, is stored at much lower rates (though climbing year-on-year) than internally hosted data. Therefore, it makes sense that attackers would use the cloud as a pivot point to reach their intended target: databases containing sensitive data.

To commit a cross-cloud attack, an adversary would leverage a vulnerability in public cloud, piggyback on address-based controls/standard protocols that fly under the radar of traditional tools, and spread malware into the private cloud or on-premises data center using existing connections that are in place for normal business data. 


Cross-data center tools limit east-west effectiveness

Cross-cloud attacks are possible because defenses in cloud environments are weaker than traditional on-premises controls. For one thing, the use of cloud-native tools means that a significant portion of cloud-based traffic never passes through a perimeter, so it is never checked against a security control before being permitted to communicate on the network. Second, even if a company has traditional microsegmentation implemented, address-based controls don’t scale well in elastic, dynamic environments such as public cloud. This leads to a fragmented security strategy in which organizations use one set of tools for securing on-premises networks and a different set for cloud environments. That, in and of itself, is problematic for defenders. Managing, monitoring, and correlating data from disparate sources is time consuming and inefficient, and more often than not it causes missed alerts, misconfigurations, and even security incidents.

The shared responsibility model of the cloud requires organizations to understand how they’re using cloud (i.e., private hosted cloud, public cloud, hybrid cloud), what data they have in the cloud, and how data is transmitted in and across cloud platforms. Cross-cloud attacks are indicative of inattention to exposed pivot points and a fundamental misunderstanding of whose responsibility it is to do what.

A holistic security strategy

Adopting environment-agnostic tools that are not reliant on network constructs (e.g., IP addresses, ports, and protocols) is one way to ensure security teams unify their security strategy and are able to build and monitor centralized policies across networks.

Another important aspect of a cross-cloud security strategy is moving focus inside the network, in other words, away from the perimeter and to the data asset. Since attackers are targeting sensitive data inside data centers, it’s imperative that the most hardened controls are centered around data-rich targets and limit:

  • Who has access to what network resources

  • Which systems can communicate with each network resource (inbound connections)

  • Which systems network resources can communicate with (outbound connections)

  • How connections are established

Finally, implementing the principles of zero trust will help ensure that malicious traffic cannot communicate freely and that network communication paths are not overexposed, which would give attackers the advantage. Applying data-centric security controls that are governed by zero trust (i.e., require verified authentication and authorization for each sent/received communication; implement least-privilege access; use machine learning to ensure policies dynamically update and adapt) will greatly reduce the probability that attackers can use organizations’ own networks against them.
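As an added illustration (not code from the post or from Edgewise), the following Python contrasts an address-based allow rule with an identity-based, per-connection policy of the kind described above, evaluated over constructed connection attempts from a public cloud subnet to an on-premises database. The subnet, addresses, workload names and identities are assumptions.

```python
"""Address-based allow rule versus identity-based, per-connection policy.

Constructed scenario: cloud workloads reach an on-prem database. The
address-based rule trusts the whole cloud subnet, so a pivot from any
compromised cloud host (or traffic with an unverified source) passes.
The identity-based policy requires a verified workload identity per
connection and a least-privilege allow list, so only the intended
source/destination pair is permitted.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_identity: Optional[str]  # attested workload identity; None if unverified
    dst_identity: str


# Traditional rule: allow the assumed cloud subnet to reach the DB port.
ADDRESS_RULES = [(ipaddress.ip_network("10.20.0.0/16"), "192.168.5.10", 5432)]

# Zero-trust rule: (verified source identity, destination identity, port).
IDENTITY_RULES = {("cloud/web-frontend", "onprem/customer-db", 5432)}


def address_policy_allows(c: Connection) -> bool:
    src = ipaddress.ip_address(c.src_ip)
    return any(src in net and c.dst_ip == dst and c.dst_port == port
               for net, dst, port in ADDRESS_RULES)


def identity_policy_allows(c: Connection) -> bool:
    if c.src_identity is None:  # unverified identity: default deny
        return False
    return (c.src_identity, c.dst_identity, c.dst_port) in IDENTITY_RULES


# Constructed traffic: a legitimate client, a pivot from another cloud
# workload on the same subnet, and a connection with no verified identity.
SAMPLES: Dict[str, Connection] = {
    "legit": Connection("10.20.1.5", "192.168.5.10", 5432, "cloud/web-frontend", "onprem/customer-db"),
    "pivot": Connection("10.20.1.9", "192.168.5.10", 5432, "cloud/batch-worker", "onprem/customer-db"),
    "unverified": Connection("10.20.1.5", "192.168.5.10", 5432, None, "onprem/customer-db"),
}


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Return each sample's decision under both policies."""
    return {name: {"address": address_policy_allows(c), "identity": identity_policy_allows(c)}
            for name, c in SAMPLES.items()}
```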


Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.