Cloud adoption and industry transformation are accelerating as the world looks for efficiency. Let’s face it, 2022 promises to be another busy year for cybersecurity and cloud security specialists.
According to the 2021 (ISC)² Cybersecurity Workforce Study, the global shortfall of cybersecurity professionals still stands at 2.7 million. There aren’t enough people to keep up with the rising threat, so we need to lean heavily on automation to tackle it.
This is compounded by the stark reality that attackers only have to be right once to pull off a successful cyberattack, while defenders have to do so 100% of the time.
In this post, I want to highlight the three threat vectors that, in my opinion, have the potential for large-scale and global impact in 2022:
- Nation-state actors and critical infrastructure
- Growing adoption of containers and cloud-native technologies
- Security challenges with multi-cloud organizations: the curse of abundance, more clouds bringing more challenges, and governments joining the multi-cloud bandwagon
Nation-state actors and critical infrastructure
Tensions between Russia and Ukraine are mounting, with a troop buildup along their common border. As NATO gets involved, Russia is being pressured from all sides, yet it is unlikely to back down. However, as we have seen recently, acts of aggression don’t start with bullets being fired and bombs being dropped.
Cyber attacks are the first line of aggression, and Russia has not been shy in this regard. In his book Sandworm, Andy Greenberg details the large-scale investment Russia has been making into state-sponsored cyberattack capabilities.
As tensions escalate, the most interesting targets for 2022 will be critical infrastructures such as electricity, fuel pipelines, telecommunications, and broadband.
Similar tensions have been taking place between China and the US in relation to Taiwan. There will probably be activity in this region in 2022 because Taiwan’s chip production capabilities are strategic for the American tech sector.
As the US scrambles to create production capacity elsewhere, Taiwan will remain its important defense point in the short and medium terms. Similar to the Russian case, initial strikes will likely come on the cyber front. China has very capable cybersecurity threat actors, both internally and in cooperation with North Korea.
Security risks of moving government workloads to the cloud
Complexity increases as government organizations move to the cloud. Cloud providers such as AWS, Azure, GCP, Oracle, and IBM are pushing hard to win government workloads into their dedicated, hardened government regions.
There are even ‘air gap’ offerings aimed at top secret organizations: fully disconnected regions with no connectivity to the public Internet.
Moving workloads from private underground facilities to cloud provider-operated data centers can bring significant efficiencies, but it also introduces security risks, because the identity model, the shared-responsibility boundary, and the configuration surface are all different from what these organizations have operated before.
This transition point is where attackers will be looking for openings.
Growing adoption of containers and cloud-native technologies
At CAST AI, we are super bullish on adopting containers and cloud-native technologies such as Kubernetes.
However, the security profile of containers is significantly different from that of virtual machines.
With VMs, a hypervisor sits between each guest and the hardware, so tenants share little beyond the physical machine and the isolation is solid. Containers share the host kernel: their isolation comes from kernel features such as namespaces, cgroups, capabilities, and seccomp filters, so a kernel bug or a loose pod configuration is a path from one container to its neighbors or to the node itself. Organizations have to understand these differences and prepare appropriately to safely unlock the benefits of lightweight containerization.
In fact, AWS was so concerned about this difference in isolation that they created the Firecracker microVM, which wraps each workload in its own minimal VM.
Take Function-as-a-Service (AWS Lambda): a customer’s function may run right beside a competitor or a bad actor on the same infrastructure. We don’t believe Firecracker has been rolled out ubiquitously across all AWS services, but the concern is real.
Just a few years ago, the Spectre and Meltdown vulnerabilities were disclosed, and the world rushed to close the gaps. These were processor flaws in speculative execution that let one process read memory belonging to its neighbors through cache side channels.
Containers, which are essentially processes sharing one kernel, are particularly exposed because that kernel boundary is the only one standing between them.
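Because the kernel is the only boundary, the pod configuration decides how much of that boundary is actually in place. The following audit is an added example, not CAST AI’s code: it reads the JSON that `kubectl get pod <name> -o json` emits and flags the settings that collapse container isolation (host namespaces, hostPath mounts of the runtime socket, `privileged`, root, missing seccomp, dangerous capabilities). The pod named `build-agent` and the registry names are constructed for illustration.

```python
"""Audit a Kubernetes Pod spec for settings that weaken the container isolation
boundary. Added example, not CAST AI code. Input is the JSON that
`kubectl get pod <name> -o json` emits; SAMPLE_POD_JSON below is constructed."""
import json

# Constructed sample, shaped like `kubectl get pod build-agent -o json` output.
SAMPLE_POD_JSON = r'''{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "build-agent", "namespace": "ci"},
  "spec": {
    "hostPID": true,
    "containers": [
      {"name": "agent", "image": "registry.example/ci/agent:1.4",
       "securityContext": {"privileged": true, "runAsUser": 0,
                           "capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]}},
       "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]},
      {"name": "sidecar", "image": "registry.example/ci/logger:2.0",
       "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]},
                           "seccompProfile": {"type": "RuntimeDefault"}}}
    ],
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]
  }
}'''

# Capabilities that let a process reach past its namespaces into the shared kernel or the node.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH", "BPF"}


def audit_pod(pod: dict) -> list:
    """Return (scope, finding) tuples; scope is 'pod' or a container name."""
    findings = []
    spec = pod.get("spec", {})
    # Host namespaces remove the namespace boundary between the container and the node.
    for flag, ns in (("hostPID", "PID"), ("hostIPC", "IPC"), ("hostNetwork", "network")):
        if spec.get(flag):
            findings.append(("pod", f"{flag} is enabled: shares the node's {ns} namespace"))
    # hostPath volumes expose node files; the container runtime socket is the classic escape.
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp:
            findings.append(("pod", f"hostPath volume {vol['name']!r} mounts {hp.get('path')}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        # Simplification: container-level settings override pod-level ones field by field.
        sc = {**pod_sc, **c.get("securityContext", {})}
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append((name, "privileged: true disables nearly every kernel isolation control"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((name, "runs as UID 0; set runAsNonRoot: true or a non-zero runAsUser"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation is not false"))
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "no seccomp profile: full syscall surface exposed to the shared kernel"))
        bad = sorted(set(caps.get("add", [])) & DANGEROUS_CAPS)
        if bad:
            findings.append((name, f"adds kernel-sensitive capabilities: {', '.join(bad)}"))
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "does not drop ALL capabilities"))
    return findings


def audit_pod_json(text: str) -> list:
    """Convenience wrapper: parse kubectl JSON output and audit it."""
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    for scope, msg in audit_pod_json(SAMPLE_POD_JSON):
        print(f"[{scope}] {msg}")
```

Run against the sample, the `agent` container and the pod level produce eight findings while the hardened `sidecar` produces none; the same checks can be enforced at admission time with Pod Security Admission or a policy engine rather than audited after the fact.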
So will we see another Spectre and Meltdown in 2022?
This is yet to be seen, but one thing is certain. As an industry, we need to pay close attention to container security. That’s why at CAST AI we plan to increase our engagement in helping customers secure their containerized workloads and Kubernetes environments.
Security challenges with multi-cloud organizations
Most organizations are moving to a state where they work with multiple cloud vendors. Customers don’t want to put all of their eggs into a single cloud basket, nor should they.
We have seen recent outages at AWS and Google Cloud that brought down major consumer-facing services for hours. Customers using the cloud for IT infrastructure must diversify their usage of cloud vendors.
On the flip side of that movement comes the challenge of securing vastly different environments.
As an industry, we recently went through the turmoil of migrating security from on-prem to cloud. Vendors such as AWS, Azure, Oracle, and GCP now provide proprietary security solutions that deal with their specific cloud nuances.
The curse of abundance
Just looking at the list of AWS security services, many of which overlap, is enough to make your head spin: AWS Identity & Access Management (IAM), Amazon Cognito, AWS Resource Access Manager, AWS Security Hub, Amazon GuardDuty, Amazon Inspector, AWS Config, AWS CloudTrail, AWS IoT Device Defender, AWS WAF, AWS CloudHSM, AWS Key Management Service (KMS)…
The list goes on for dozens of services related to securing your environment. Just trying to configure these services to get your AWS posture secure is extremely difficult.
Ask the security team at Capital One. In July 2019, the bank disclosed that the personal information of over 100 million customers had been exposed. The root cause was a misconfigured web application firewall running on EC2: it was vulnerable to server-side request forgery, which let the attacker fetch temporary credentials for the instance’s IAM role from the instance metadata service, and that role was allowed to list and read far more S3 buckets than the firewall ever needed.
The chain was complex enough that it took weeks for industry experts to unravel the full scenario. Adding insult to injury, Capital One later paid an $80 million fine to US bank regulators.
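The two conditions that make that chain work are both checkable from inventory data: the instance metadata service still answers IMDSv1 requests (no session token required), and the instance role’s policy grants S3 read across every bucket. The script below is an added example, not CAST AI’s code or Capital One’s configuration. Its inputs are shaped like `aws ec2 describe-instances` output and IAM policy documents; the instance IDs, account number, role names and policies are constructed, and it assumes the instance profile and its role share a name (common, but not guaranteed).

```python
"""Find EC2 instances where a web-tier SSRF would hand an attacker role credentials
(IMDSv1 still answering) AND those credentials could read every S3 bucket. Added
example, not CAST AI code. Input shapes mimic `aws ec2 describe-instances` output
and IAM policy documents; both samples are constructed. Role lookup assumes the
instance profile and role share a name, which is common but not guaranteed."""
import fnmatch
import json

# Constructed, trimmed to the fields the check reads.
INSTANCES_JSON = r'''{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/waf-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0bbb222",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}
]}]}'''

# Constructed: policy documents attached to each role, keyed by role name.
POLICIES = {
    "waf-role": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
    "app-role": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets-prod", "arn:aws:s3:::app-assets-prod/*"]}]}],
}

# IAM action names are case-insensitive, so everything is compared in lowercase.
S3_READ_ACTIONS = ("s3:getobject", "s3:listbucket")
# Probe ARNs: a Resource pattern that matches both covers any bucket and any key.
PROBE_ARNS = ("arn:aws:s3:::zz-probe-bucket", "arn:aws:s3:::zz-probe-bucket/zz-probe-key")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants_broad_s3_read(policy_docs) -> bool:
    """True if some Allow statement lets the principal list and read objects in any bucket.
    Simplified evaluator: wildcard matching only, no Deny statements, no Conditions."""
    for doc in policy_docs:
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            patterns = [a.lower() for a in _as_list(st.get("Action", []))]
            read_ok = all(any(fnmatch.fnmatchcase(act, p) for p in patterns)
                          for act in S3_READ_ACTIONS)
            resources = _as_list(st.get("Resource", []))
            any_bucket = all(any(fnmatch.fnmatchcase(probe, r) for r in resources)
                             for probe in PROBE_ARNS)
            if read_ok and any_bucket:
                return True
    return False


def audit_instances(describe_json: str, policies_by_role: dict) -> list:
    """Return (instance_id, finding) tuples."""
    findings = []
    for res in json.loads(describe_json).get("Reservations", []):
        for inst in res.get("Instances", []):
            iid = inst["InstanceId"]
            mo = inst.get("MetadataOptions", {})
            # IMDSv1 is reachable when the endpoint is on and a session token is not required.
            imdsv1 = (mo.get("HttpEndpoint", "enabled") == "enabled"
                      and mo.get("HttpTokens") != "required")
            role = inst.get("IamInstanceProfile", {}).get("Arn", "").rsplit("/", 1)[-1]
            broad = bool(role) and grants_broad_s3_read(policies_by_role.get(role, []))
            if imdsv1:
                findings.append((iid, "IMDSv1 allowed: one GET to 169.254.169.254 returns role credentials"))
            if broad:
                findings.append((iid, f"role {role} can list and read every S3 bucket"))
            if imdsv1 and broad:
                findings.append((iid, "HIGH: SSRF -> IMDS -> bulk S3 read chain is open"))
    return findings


if __name__ == "__main__":
    for iid, msg in audit_instances(INSTANCES_JSON, POLICIES):
        print(f"{iid}: {msg}")
```

The first instance trips all three findings; the second, with `HttpTokens: required` and a role scoped to one bucket, trips none. Closing the IMDSv1 half of the chain is a single call per instance, `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, while the IAM half needs the role trimmed to the buckets the workload actually reads.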
More clouds, more challenges
Now imagine a team responsible for multiple cloud environments.
Not only do they have to navigate the dozens of AWS services, but they also have to become experts in Azure Security Center (since renamed Microsoft Defender for Cloud) or Google Cloud’s security services. The complexity of the task grows with every cloud vendor introduced.
Organizations turn to third-party vendors for a category of tooling called CSPM – cloud security posture management – that normalizes each cloud’s configuration into one model, compares it against best practices, and flags drift. A CASB – cloud access security broker – solves a different problem, mediating and monitoring user access to SaaS applications, and does not cover infrastructure misconfiguration.
As organizations spread across multiple cloud providers, multi-cloud misconfiguration may become the next major source of cloud vulnerabilities and attack surface.
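The core of posture management across clouds is the normalization step: each provider exposes “is this bucket publicly reachable?” through different fields, and drift can only be measured once they are mapped onto one control. The script below is an added example, not CAST AI’s code or any CSPM vendor’s. The five inventory records are constructed and trimmed; each `raw` value is shaped like the output of `aws s3api get-public-access-block`, the GCS JSON API bucket resource (`iamConfiguration`), and `az storage account show` (`allowBlobPublicAccess`) respectively, and the bucket and account names are made up.

```python
"""Normalize bucket public-access posture from AWS, GCP and Azure into one model and
report drift from a baseline. Added example, not CAST AI code. Records are
constructed and trimmed; 'raw' is shaped like `aws s3api get-public-access-block`,
the GCS JSON API bucket resource, and `az storage account show` respectively."""

BASELINE = {"public_access_blocked": True}

# Constructed inventory, as a posture-management collector might assemble it.
INVENTORY = [
    {"provider": "aws", "name": "billing-exports", "raw": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}},
    {"provider": "aws", "name": "audit-logs", "raw": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"provider": "gcp", "name": "ml-datasets", "raw": {
        "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                             "publicAccessPrevention": "inherited"}}},
    {"provider": "azure", "name": "stlogsprod", "raw": {"allowBlobPublicAccess": False}},
    {"provider": "azure", "name": "stpublicweb", "raw": {"allowBlobPublicAccess": True}},
]

AWS_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def normalize(record: dict) -> dict:
    """Map each provider's native fields onto one boolean: is public access blocked?
    Anything missing or partially set is treated as NOT blocked (fail closed)."""
    provider, raw = record["provider"], record["raw"]
    if provider == "aws":
        # S3 Block Public Access only protects fully when all four flags are on.
        pab = raw.get("PublicAccessBlockConfiguration", {})
        blocked = all(pab.get(flag) is True for flag in AWS_PAB_FLAGS)
    elif provider == "gcp":
        # GCS: "enforced" blocks public access; "inherited" defers to the org policy, which may allow it.
        blocked = raw.get("iamConfiguration", {}).get("publicAccessPrevention") == "enforced"
    elif provider == "azure":
        # Azure storage account: allowBlobPublicAccess must be explicitly false.
        blocked = raw.get("allowBlobPublicAccess") is False
    else:
        raise ValueError(f"unsupported provider: {provider!r}")
    return {"provider": provider, "name": record["name"], "public_access_blocked": blocked}


def drift_report(records, baseline=BASELINE) -> list:
    """Return (provider, name, {control: (actual, expected)}) for every record off baseline."""
    report = []
    for rec in records:
        norm = normalize(rec)
        diffs = {k: (norm.get(k), want) for k, want in baseline.items() if norm.get(k) != want}
        if diffs:
            report.append((norm["provider"], norm["name"], diffs))
    return report


if __name__ == "__main__":
    for provider, name, diffs in drift_report(INVENTORY):
        for control, (actual, expected) in diffs.items():
            print(f"{provider}:{name} {control}={actual}, baseline expects {expected}")
```

Three of the five records drift from the baseline: the S3 bucket with one of four block flags off, the GCS bucket that merely inherits its org policy, and the Azure account that allows blob public access. Adding a second control (encryption at rest, logging, versioning) means adding one key to `BASELINE` and one mapping per provider in `normalize`, which is exactly the work a CSPM product does at scale.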
Governments also get on the multi-cloud bandwagon
Interestingly, governments are also moving to leverage multiple cloud vendors.
The US government recently canceled project JEDI and replaced it with Joint Warfighter Cloud Capability, which is touted as a multibillion-dollar procurement project spanning several vendors.
As governments move to adopt multiple clouds, what are the prospects for nation-state actors and the exploitation of these new attack vectors? This brings us back full circle to the first category of vulnerabilities we identified, that is, critical infrastructure.
Will 2022 be a benign year for cyberattacks, or will these new attack surfaces become an acute threat? Time will tell, but organizations should not wait to find out; they should prepare for all eventualities now.