As more organizations move to the cloud, so do attackers. What can you do to better protect your cloud environment in 2022? Wiz Research has compiled the most pressing cloud security threats and how you can protect against them.
# Best Practices: Cloud Security Threats and Protection (2022 Focus)
## Overview
These practices address the pressing cloud security threats identified in the research, focusing on mitigating risks introduced by rapid cloud adoption, developer independence, complex permissions models, software supply chain vulnerabilities (such as Log4Shell in the Log4j library), and on ensuring comprehensive visibility across modern cloud assets (VMs, containers, serverless, PaaS).
## Key Recommendations
### Immediate Actions
1. **Scan Deployed Assets for Critical Vulnerabilities:** Immediately inventory all running compute workloads (VMs, containers, serverless functions) and PaaS services and check them for critical, widely exploited vulnerabilities, starting with Log4Shell (CVE-2021-44228) and working through the Log4j remediation checklist.
2. **Audit External Exposure of Critical Assets:** Identify cloud assets that were deployed through the CI/CD pipeline with embedded secrets or misconfigurations that leave them reachable from the internet. Remove any unintended public access immediately.
3. **Establish Basic Cloud Asset Visibility:** Implement immediate tooling or configurations to gain visibility into running compute workloads and the software installed on them, as this visibility is crucial for effective vulnerability detection.
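The three immediate actions above depend on being able to look inside deployed workloads and tell a vulnerable Log4j from a patched or mitigated one. The following Python script is an added example (not code from the Wiz report): it scans Java archives, recursing into JARs nested inside WARs and fat JARs, reads the `log4j-core` version from `pom.properties`, and distinguishes "vulnerable" (affected version, `JndiLookup.class` still present) from "mitigated" (class removed, the documented workaround) and "patched" (2.15.0 or later). The sample archives are constructed in memory; in a real run you would feed it files harvested from container images and VM filesystems.

```python
"""Log4Shell (CVE-2021-44228) check for JARs, including JARs nested in WAR/EAR/fat-JAR files.

Added example; the sample archives below are constructed in memory and are not real artifacts.
"""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)
_STAGE = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort before the final release


def parse_version(text):
    """Turn '2.0-beta9' / '2.14.1' into a tuple that orders the way log4j releases do."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, pre = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(pre or 0))


VULN_FROM = parse_version("2.0-beta9")  # first release that shipped the JNDI lookup
FIXED_IN = parse_version("2.15.0")      # first release with the lookup disabled by default


def classify(version, jndi_present):
    """Map (version string or None, JndiLookup.class present?) to a remediation status."""
    v = parse_version(version) if version else None
    if v is None:
        # No log4j-core pom but the lookup class is there: needs a human look.
        return "review" if jndi_present else "not-log4j-core"
    if v < VULN_FROM:
        return "unaffected"
    if v >= FIXED_IN:
        return "patched"
    return "vulnerable" if jndi_present else "mitigated"


def scan_archive(data, path):
    """Return one finding per log4j-core found in an archive, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi = JNDI_CLASS in names
    if version or jndi:
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": jndi, "status": classify(version, jndi)})
    for name in names:  # fat JARs and WARs carry their own copies of log4j-core
        if name.lower().endswith(NESTED_EXT):
            findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def make_jar(version=None, jndi=True, nested=None):
    """Build a constructed in-memory JAR that looks like log4j-core (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic is enough here
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples: one of each status, plus a WAR hiding a vulnerable copy.
SAMPLES = {
    "app/lib/log4j-core-2.14.1.jar": make_jar("2.14.1", jndi=True),
    "app/lib/log4j-core-2.14.1-stripped.jar": make_jar("2.14.1", jndi=False),
    "app/lib/log4j-core-2.17.1.jar": make_jar("2.17.1", jndi=True),
    "app/service.war": make_jar(jndi=False, nested={
        "WEB-INF/lib/log4j-core-2.11.0.jar": make_jar("2.11.0", jndi=True)}),
}


def scan_samples(samples=SAMPLES):
    """Scan every sample archive and return {path: status}."""
    return {f["path"]: f["status"]
            for path, data in samples.items() for f in scan_archive(data, path)}


if __name__ == "__main__":
    for path, status in scan_samples().items():
        print(f"{status:12} {path}")
```

"Mitigated" is not "patched": the removed-class workaround stops the JNDI lookup but leaves an old release in place, so the finding should still feed an upgrade ticket rather than be closed.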
### Short-term Improvements (1-3 months)
1. **Integrate Security Scanning into CI/CD Pipeline:** Integrate security checks ("shifting left") into the CI/CD pipeline to prevent developers from unintentionally pushing assets containing secrets or vulnerable libraries into production deployment stages.
2. **Centralize Permissions Model Review:** Review the cloud provider's permissions model across teams (DevOps, Engineering, Security), identifying and restricting overly permissive roles and removing access keys that are no longer used.
3. **Supply Chain Risk Mapping:** Begin mapping third-party dependencies and the libraries most prevalent across your cloud-native applications, so that exposure points can be found proactively rather than in the way the OMI (Open Management Infrastructure) agent vulnerabilities were, where a component many teams did not know was installed became a fleet-wide exposure.
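The permissions review in step 2 is easiest to start from two artifacts every AWS account already has: IAM policy documents and the IAM credential report. The following Python is an added example (not code from the Wiz report) that flags Allow statements granting `*` or `service:*` on all resources, and active access keys unused for 90 days. The policy and the credential-report rows are constructed; the report columns are the real ones, trimmed to those the code reads, and the 90-day threshold is an assumption you should set to your own policy.

```python
"""IAM permissions review: wildcard grants in policy documents and stale access keys.

Added example. SAMPLE_POLICY and SAMPLE_REPORT are constructed; the report columns match the
AWS IAM credential report but only the columns this code reads are included.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumption: adjust to your key-rotation policy


def _as_list(x):
    return x if isinstance(x, list) else [x]


def risky_statements(policy_doc):
    """Return (statement index, reason) for Allow statements that are too broad."""
    findings = []
    for i, st in enumerate(_as_list(policy_doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        all_resources = "*" in _as_list(st.get("Resource", []))
        if "NotAction" in st:
            findings.append((i, "NotAction grants everything except the listed actions"))
        if "*" in actions and all_resources:
            findings.append((i, "full administrative access (Action * on Resource *)"))
        elif all_resources and any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard on all resources"))
    return findings


def stale_access_keys(report_csv, now):
    """Return (user, key slot, reason) for active keys unused for STALE_AFTER.

    A key that has never been used is aged from its creation/rotation date, because
    'created and forgotten' keys are exactly the ones this review is meant to catch.
    """
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = row[f"access_key_{n}_last_used_date"]
            if last_used in ("N/A", "no_information"):
                age = now - datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
                reason = f"never used, created {age.days} days ago"
            else:
                age = now - datetime.fromisoformat(last_used)
                reason = f"last used {age.days} days ago"
            if age >= STALE_AFTER:
                stale.append((row["user"], f"key {n}", reason))
    return stale


# Constructed sample policy: one scoped grant, one service-wide wildcard, one full admin.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-artifacts/*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

NOW = datetime(2022, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,true,2021-01-10T09:00:00+00:00,2022-01-14T08:00:00+00:00,false,N/A,N/A
old-devops,arn:aws:iam::123456789012:user/old-devops,true,2020-03-01T09:00:00+00:00,2021-09-01T10:00:00+00:00,true,2021-11-20T09:00:00+00:00,N/A
"""


def audit(policy=SAMPLE_POLICY, report=SAMPLE_REPORT, now=NOW):
    return {"risky_statements": risky_statements(policy),
            "stale_keys": stale_access_keys(report, now)}


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real account, generate the report with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the body is base64-encoded CSV) and pull policy documents with `aws iam get-policy-version`; the functions above take the decoded text and parsed JSON respectively.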
### Long-term Strategy (3+ months)
1. **Implement Holistic Cloud Security Posture Management (CSPM):** Deploy tools capable of monitoring all cloud assets (IaaS, PaaS, containers, serverless) to maintain continuous, comprehensive visibility and configuration compliance across the entire environment.
2. **Formalize Cross-Team Cloud Governance:** Establish clear security standards and governance processes that bridge the gap between developer independence and required security posture, ensuring security knowledge is integrated early in development workflows.
3. **Automate Remediation Workflows:** Develop automated processes to handle the discovery and remediation of common cloud misconfigurations and known vulnerabilities across large fleets of compute resources.
## Implementation Guidance
### For Small Organizations
- Focus initial efforts on enabling basic CSPM capabilities provided by the major Cloud Service Providers (CSPs) to gain immediate visibility into configuration drift.
- Mandate two-person review (peer review) for all infrastructure-as-code (IaC) templates before deployment to catch inadvertent exposures or secrets placement.
### For Medium Organizations
- Prioritize integrating security scanning tools directly into developer workflows (e.g., IDE plugins or pre-commit hooks) to enforce security standards before code reaches the central CI/CD pipeline.
- Document ownership boundaries clearly between development, DevOps, and security teams regarding configuration management and vulnerability response.
### For Large Enterprises
- Implement a dedicated Cloud Security Posture Management (CSPM) solution that can aggregate findings across multiple CSPs (AWS, GCP, Azure) and provide context on potential attack paths combining identity, network, and configuration data.
- Establish a centralized Cloud Center of Excellence (CCoE) tasked with creating standardized, secure baseline configurations (golden AMIs, hardened container images, secure IaC modules) that all development teams must consume.
## Configuration Examples
*Note: Specific technical configuration examples were not detailed in the summary context, but general guidance focuses on configuration integrity.*
- **For CI/CD Security:** Configure pipeline stages to fail build/deployment if static analysis tools detect secrets or if dependency scanning reports high-severity, known vulnerabilities in required libraries.
- **For Network Isolation:** Ensure that production compute workloads found to be externally exposed (a common attack vector) without a business need are moved to private subnets, reachable only through a load balancer or bastion, with ingress and egress rules reviewed against least privilege. Anything that must stay public should be a deliberate, documented exception rather than an accident of deployment.
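The two configuration points above are usually enforced as one gate step in the pipeline. The following Python is an added example (not code from the Wiz report) of such a gate: it scans IaC files for committed cloud credentials and private keys, fails on dependency findings at or above a severity threshold, and fails on security-group rules that open sensitive ports to the whole internet. The file contents, scanner findings and security-group rules are constructed samples; the finding shape and the `EXAMPLE-0001` identifier are placeholders, and the key `AKIAIOSFODNN7EXAMPLE` is the documented AWS example key, not a live credential.

```python
"""CI/CD gate: fail the build on committed secrets, high-severity dependency findings,
or security-group rules that expose sensitive ports to the internet.

Added example; all sample inputs are constructed. Exit status 1 means "do not deploy".
"""
import re
import sys

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
FAIL_AT = "HIGH"                                   # assumption: block on HIGH and above
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}     # assumption: admin and datastore ports
ANYWHERE = ("0.0.0.0/0", "::/0")


def find_secrets(files):
    """files: {path: text}. Return (path, line number, pattern name) for each hit."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, lineno, name))
    return hits


def blocking_vulns(findings, threshold=FAIL_AT):
    """findings: [{package, version, id, severity}] (placeholder shape for a scanner report)."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"].upper(), 0) >= floor]


def open_ingress(security_groups):
    """Return (group, cidr, from_port, to_port) for world-open rules touching sensitive ports."""
    issues = []
    for sg in security_groups:
        for rule in sg.get("ingress", []):
            if rule.get("cidr") not in ANYWHERE:
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            all_ports = lo == 0 and hi == 65535
            if all_ports or any(lo <= p <= hi for p in SENSITIVE_PORTS):
                issues.append((sg["name"], rule["cidr"], lo, hi))
    return issues


def gate(files, findings, security_groups):
    """Run all three checks and return the list of problems (empty means the gate passes)."""
    problems = [f"secret: {p}:{n} {kind}" for p, n, kind in find_secrets(files)]
    problems += [f"vuln: {f['package']}@{f['version']} {f['id']} {f['severity']}"
                 for f in blocking_vulns(findings)]
    problems += [f"exposure: {sg} allows {cidr} on ports {lo}-{hi}"
                 for sg, cidr, lo, hi in open_ingress(security_groups)]
    return problems


# Constructed samples.
SAMPLE_FILES = {
    "infra/main.tf": 'provider "aws" {\n  region = "us-east-1"\n}\n',
    "infra/secrets.auto.tfvars": 'db_password = "hunter2"\naws_key = "AKIAIOSFODNN7EXAMPLE"\n',
}
SAMPLE_FINDINGS = [
    {"package": "log4j-core", "version": "2.14.1", "id": "CVE-2021-44228", "severity": "CRITICAL"},
    {"package": "example-lib", "version": "1.0.0", "id": "EXAMPLE-0001", "severity": "MEDIUM"},
]
SAMPLE_SGS = [
    {"name": "web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"name": "db", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432}]},
    {"name": "bastion", "ingress": [{"cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22}]},
]

if __name__ == "__main__":
    problems = gate(SAMPLE_FILES, SAMPLE_FINDINGS, SAMPLE_SGS)
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

Note what the sample deliberately does not catch: `db_password = "hunter2"` passes, because the gate only knows fixed-format credentials. A generic high-entropy or keyword detector belongs alongside it, and so does a pre-commit hook so the secret never reaches the pipeline in the first place.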
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Focus on **Identify** (asset inventory, risk assessment for supply chain) and **Protect** (access control, maintenance).
- **CIS Benchmarks (Cloud-Specific):** Strictly adhere to the configuration hardening standards for the organization's utilized CSPs (e.g., CIS AWS Foundations Benchmark).
- **ISO 27001:** Address the need for secure development practices and third-party supplier management related to software libraries.
## Common Pitfalls to Avoid
- **Assuming Legacy Security Models Apply:** Do not treat cloud environments like on-premises data centers; the shared responsibility model and identity-centric security require fundamentally different controls.
- **Security Silos:** Allowing developers to operate independently of security requirements creates unmonitored blind spots between how the cloud is used and how securely it should be used.
- **Lack of Runtime Visibility:** Failing to monitor running workloads (VMs, containers) means critical vulnerabilities present in deployed software can go undetected until they are exploited.
## Resources
- **Cloud Threat Landscape Report:** Review the full report referenced by Wiz Research for the complete analysis of the top four cloud-native security threats.
- **Supply Chain Security Guides:** Consult vendor documentation for remediation guidance on specific widespread vulnerabilities (e.g., Log4Shell remediation guides from Cloud Providers).