Cloud applications and services have proved crucial to maintaining operations during the pandemic. As workforces vacated the office and worked from home, the cloud made resources and tools accessible from anywhere, on multiple devices. This demand for flexibility looks set to continue, with a hybrid approach to working becoming the norm for many organisations. However, for all of the benefits that the cloud provides, it also brings its share of security risks, with threat actors increasingly targeting and infiltrating cloud with malware.
New research conducted by SASE provider Netskope has revealed that cloud security risks from malware delivery, third party plugins and exposed cloud workloads are on the rise. This calls for a security strategy that encompasses all devices (both managed and unmanaged), as well as the entire application infrastructure (both authorised and unauthorised), adopting agile parameters and a zero-trust approach.
Malware and shadow IT
In Netskope’s July 2021 Cloud and Threat Report, the latest instalment of Netskope Threat Labs’ biannual research, the data reveals cloud-delivered malware to be at an all time high, accounting for 68% of all malware delivered.
This growth is happening against a backdrop of continued cloud app proliferation within the enterprise, with adoption increasing 22% during the first 6 months of 2021, and the average company with 500-2,000 employees now using 805 distinct apps and cloud services. 97% of these apps were found to be ‘shadow IT’ – unsanctioned, unsupported and widely unsecured by corporate IT teams.
“Threat actors are like water in that they always travel through the easiest path with the fewest barriers. Right now that path is the cloud,” explains Paolo Passeri, cyber intelligence principle at Netskope. “With most organisations still struggling to get the most basic oversight of the myriad cloud apps in use, every cloud app – whether authorised or not – is like a new window or door that those with malicious intent may be able to just walk right though into corporate data caches.”
Ensuring secure innovation with Secure Access Service Edge (SASE)
Cloud application management and IaaS
This is no hypothetical risk, and sanctioned apps are seemingly no less risky than ‘shadow IT’. Netskope’s report shows that over a third (35%) of all workloads within AWS, Azure and Google Cloud Platform are ‘unrestricted’: open to public viewing by any internet user. With workloads very likely to contain sensitive data, it’s vital that sufficient protection is in place for all working files.
Vulnerable third-party security
The report also highlights an emerging attack opportunity which harvests corporate Google credentials through third party apps. The researchers found that 97% of all corporate Google credentials were being used as a convenient shortcut to log into third party apps. Employees are used to apps allowing speedy logins using personal Google or Facebook accounts, and are clearly confident using the same shortcut with corporate accounts.
When using Google logins to shortcut access, a third-party app requests a scope of permissions, which can vary from “view basic account info,” to “view and manage the files in your Google Drive”. Third-party apps that request to view and manage Google Drive files, in particular, can pose a significant threat of corporate data exposure. Many of these permissions are being granted by employees on unmanaged devices and networks, making legacy security approaches entirely powerless to see the activity or intervene.
“Threat actors make it their business to be one step ahead, which is why we work hard to identify potential entry and attack surfaces before they are commonly used, and then ensure organisations can lock down securely before a corporate data loss event,” concluded Ray Canzanese, threat research director at Netskope.
“The trends revealed in the research show that enterprises must rethink security based on the reality of cloud application use. They should favour a security architecture that provides context for apps, cloud services, and web user activity, and that applies zero trust controls to protect data wherever and however it’s accessed.”
The Netskope Cloud and Threat Report examined and analysed anonymised data collected from the Netskope Security Cloud platform, across millions of users around the world, from the 1st January 2021, through to the 30th June 2021. The full report can be found at netskope.com/netskope-threat-labs/cloud-threat-report.
