Multicloud computing has become the foundation for digital businesses, with 86% of organizations having already adopted a multicloud approach. However, for all its benefits around increased agility, flexibility, and choice, Microsoft also see unique challenges with multicloud—including the need to manage security, identity, and compliance across different cloud service providers (CSPs), ensure data portability, and optimize costs.
Securing multicloud environments is a deeply nuanced task, and many organizations struggle to fully safeguard the many different ways cyberthreat actors can compromise their environment. In Microsoft’s latest report, “2024 State of Multicloud Security Risk,” Microsoft analyzed usage patterns across Microsoft Defender for Cloud, Microsoft Security Exposure Management, Microsoft Entra Permissions Management, and Microsoft Purview to identify the top multicloud security risks across Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and beyond. This is the first time Microsoft has released a report sharing key insights across aspects of cloud security, including identity and data.
This multidimensional analysis is key because it provides deeper visibility into all of the angles cyberattackers can use to breach cloud environments. For example, Microsoft found that more than 50% of cloud identities had access to all permissions and resources in 2023. Can you imagine what would happen if even one of these “super identities” were compromised? Looking beyond identity and access, Microsoft also discovered significant vulnerabilities in development and runtime environments and within organizations’ data security postures. These threats and more are the driving forces behind Microsoft’s work to advance cybersecurity protections by sharing the latest security intelligence and through programs like the recently expanded Secure Future Initiative, which works to guide Microsoft advancements according to secure by design, secure by default, and secure operations principles.
Any practitioner who has worked in cloud security can tell you just how challenging it is to analyze, prioritize, and address the hundreds of security alerts they receive every day. Security teams are also responsible for managing all exposed assets and other potential risk vectors. The average multicloud estate has 351 exploitable attack paths that lead to high-value assets, and Microsoft discovered more than 6.3 million exposed critical assets among all organizations.
Cloud security posture management (CSPM) is one solution, but rather than taking a siloed approach, Microsoft recommend driving deeper, more contextualized CSPM as part of a cloud-native application protection platform (CNAPP).
CNAPPs are unified platforms that simplify securing cloud-native applications and infrastructure throughout their lifecycle. Because CNAPPs can unify CSPM with things like multipipeline DevOps security, cloud workload protections, cloud infrastructure entitlement management (CIEM), and cloud service network security (CSNS), they can correlate alerts and eliminate visibility gaps between otherwise disparate tools. This allows security teams to proactively identify, prioritize, and mitigate potential cyberattack paths before they can be exploited.
Properly securing cloud-native applications and infrastructure from initial code development to provisioning and runtime is a significant challenge area for many organizations. Microsoft found that 65% of code repositories contained source code vulnerabilities in 2023, which remained in the code for 58 days on average. Given that one quarter of high-risk vulnerabilities are exploited within 24 hours of being published, this creates a significant window for threat actors to take advantage and compromise your environment.
In addition to delivering proactive protection during runtime, CNAPP can act as a shared platform for security teams to work with developers to unify, strengthen, and manage multipipeline DevOps security. And because CNAPP unites multiple cloud security capabilities under a single umbrella, security teams can also enforce full-lifecycle protections from a centralized dashboard. This shifts security left and heads off development risks before they become a problem in runtime.
Multicloud security goes deeper than attack path analysis and strong DevSecOps. Organizations also need to examine how the growing use and variety of cloud workloads impact their exposure to cyberthreats. When cloud workloads span across multiple cloud environments, that creates a more complex threat landscape with additional complexities and dependencies that require proper configuration and monitoring to secure.
Microsoft’s CNAPP solution, Microsoft Defender for Cloud, has an extended detection and response (XDR) integration that provides richer context to investigations and allows security teams to get the complete picture of an attack across cloud-native resources, devices, and identities. Roughly 6.5% of Defender for Cloud alerts were connected to other domains—such as endpoints, identities, networks, and apps and services—indicating cyberattacks that stretched across multiple cloud products and platforms.
Rather than using individual point solutions to manage cross-cloud workload threats, organizations need an easy way to centralize and contextualize findings across their various security approaches. A CNAPP delivers that unified visibility.
Also central to multicloud security is the idea of identity and access management. In the cloud, security teams must monitor and secure workload identities in addition to user identities. These workload identities are assigned to software workloads, such as apps, microservices, and containers. The growing usage of workload identities creates several challenges.
For starters, workload identities make up 83% of all cloud identities within Microsoft Entra Permissions Management. When examining the data, Microsoft found that 40% of these workload identities are inactive—meaning they have not logged in or used any permissions in at least 90 days. These inactive identities are not monitored the same way as active identities, making them an attractive target for cyberattackers to compromise and use to move laterally. Workload identities can also be manually embedded in code, making it harder to clean them without triggering unintended consequences.
What’s concerning, though, is the fact that the average organization has three human super identities for every seven workload super identities. These workload super identities have access to all permissions and resources within the multicloud environment, making them an enormous risk vector that must be addressed. And because workload identities are growing significantly faster than human identities, Microsoft expect the gap between human and workload super identities to widen rapidly.
Security teams can address this risk by establishing visibility into all existing super identities and enforcing least privilege access principles over any unused or unnecessary permissions—regardless of the cloud they access.
Speaking of permissions, Microsoft’s report found that more than 51,000 permissions were granted to users and workloads (up from 40,000 in 2022). With more permissions come more access points for cyberattackers.
A CIEM can be used to drive visibility across the multicloud estate, eliminating the need for standing access for super identities, inactive identities, and unused permissions. Just 2% of human and workload identity permissions were used in 2023, meaning the remaining 98% of unused permissions open organizations up to unnecessary risk.
By using a CIEM to identify entitlements, organizations can revoke unnecessary permissions and only allow just-enough permissions, just in time. This approach will significantly mitigate potential risks and enhance the overall security posture.
Finally, organizations need a comprehensive data security approach that can help them uncover risks to sensitive data and understand how their users interact with data. It’s also important to protect and prevent unauthorized data use throughout the lifecycle using protection controls like encryption and authentication.
A siloed solution won’t work, as organizations with 16 or more point solutions experience 2.8 times as many data security incidents as those with fewer tools. Instead, organizations should deploy integrated solutions through a multilayered approach that allows them to combine user and data insights to drive more proactive data security. At Microsoft, Microsoft accomplish this through Microsoft Purview—a comprehensive data security, compliance, and governance solution that discovers hidden risks to data wherever it lives or travels, protects and prevents data loss, and investigates and responds to data security incidents. It can also be used to help improve risk and compliance postures and meet regulatory requirements.
Ultimately, multicloud security has multiple considerations that security teams must account for. It is not a check-the-box endeavor. Rather, security teams must continuously enforce best practices from the earliest stages of development to runtime, identity and access management, and data security. Not only must these best practices be enforced throughout the full cloud lifecycle, but they must also be standardized across all cloud platforms.
In a recent episode of Microsoft’s podcast, Uncovering Hidden Risks, Microsoft sat down with Christian Koberg-Pineda, a Principal Security DevOps Engineer at S.A.C.I. Falabella, to dive into his journey toward uncovering the challenges and strategies for safeguarding cloud-native applications across various cloud platforms. In it, he talks about the complexity of securing multiple clouds, including navigating differing configurations, technical implementations, and identity federation.
Source: 6 insights from Microsoft’s 2024 state of multicloud risk report to evolve your security strategy
As your trusted Cloud Solution & IT Service Provider, we empower your business to accomplish truly remarkable feats.