Cloud Security Blind Spots: Where Do They Exist and How Can They Be Avoided?

Experts address often overlooked aspects of cloud protection and advise companies looking to improve their security posture.

2021 RSA CONFERENCE – Enterprise cloud adoption offers a slew of advantages, threats, obstacles, and opportunities, both for companies and for the attackers who target them. Even seasoned users of cloud technology and services can benefit from additional security guidance.

Given the year that preceded this year's all-virtual RSA Conference, when companies became increasingly reliant on cloud services and struggled to protect completely remote teams, it's no wonder that cloud protection was a hot topic during the COVID-19 pandemic. Speakers looked at the holes that are often ignored and provided practical advice about how to minimize risks.

According to Matthew Chiodi, Palo Alto Networks' chief security officer for public cloud, identity and access management (IAM) in the cloud is one of these blind spots. A typical cloud account may have two roles and six attached policies, but determining what a given principal can and cannot do is usually far more complicated and difficult.

"It's normally hundreds of positions and maybe even thousands of policies," Chiodi said of most development accounts he's seen. "Understanding what we call net efficient permissions becomes extremely difficult." When businesses use more cloud accounts, the problem becomes even worse.
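To make the "net" part concrete, here is an added example (not from the talk or from Palo Alto Networks) that computes the effective decision for a principal whose roles carry several policies. It is a deliberately simplified model of the documented IAM evaluation order (an explicit Deny beats an explicit Allow, which beats the default implicit deny) and ignores conditions, permission boundaries, SCPs and resource-based policies. Every role, policy and resource name in it is constructed.

```python
"""Added illustration: computing net effective permissions across many attached
policies. Simplified model of the documented IAM evaluation order (explicit Deny
beats explicit Allow, which beats the implicit deny); it ignores conditions,
permission boundaries, SCPs and resource policies. All role, policy and
resource names below are constructed for the example."""
from fnmatch import fnmatchcase

# Constructed policy documents, keyed by policy name.
POLICIES = {
    "DeveloperBase": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
    "SnapshotOps": [
        {"Effect": "Allow",
         "Action": ["ec2:CreateSnapshot", "ec2:ModifySnapshotAttribute"],
         "Resource": "*"},
    ],
    "ProdGuardrail": [
        {"Effect": "Deny", "Action": "ec2:ModifySnapshotAttribute", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-prod-secrets/*"},
    ],
}

# Constructed role -> attached policies mapping.
ROLE_POLICIES = {
    "DevRole": ["DeveloperBase", "SnapshotOps"],
    "Guardrails": ["ProdGuardrail"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns both cover the request."""
    return (any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])))


def explain(roles, action, resource):
    """Return every (policy, effect) pair that matched, so an analyst can see
    which of the attached policies produced the final answer."""
    hits = []
    for role in roles:
        for policy_name in ROLE_POLICIES[role]:
            for stmt in POLICIES[policy_name]:
                if _statement_matches(stmt, action, resource):
                    hits.append((policy_name, stmt["Effect"]))
    return hits


def is_allowed(roles, action, resource):
    """Net decision: any explicit Deny wins; otherwise at least one Allow is needed."""
    effects = [effect for _, effect in explain(roles, action, resource)]
    if "Deny" in effects:
        return False
    return "Allow" in effects


def effective_permissions(roles, requests):
    """Map each (action, resource) request to the net decision for this principal."""
    return {(a, r): is_allowed(roles, a, r) for a, r in requests}


if __name__ == "__main__":
    roles = ["DevRole", "Guardrails"]
    for request, allowed in effective_permissions(roles, [
        ("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
        ("ec2:ModifySnapshotAttribute", "*"),
        ("iam:CreateUser", "*"),
    ]).items():
        print(request, "->", allowed, explain(roles, *request))
```

The point of `explain` is the one Chiodi makes: the answer for `ec2:ModifySnapshotAttribute` flips from allowed to denied purely because a second role is attached, and with hundreds of roles and thousands of policies that interaction is invisible without tooling that walks every attachment.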

Palo Alto Networks gathered "a huge, massive data collection" of publicly accessible GitHub data to better understand how widespread the problem is: 283,751 files and 145,623 repos, from which they were able to derive 68,361 role names and 32,987 possible cloud accounts. Researchers used a combination of the 500 most popular role names and verified cloud account lists to find potential misconfigurations.

According to what they discovered, these misconfigurations may have given them access to thousands of EC2 snapshots, hundreds of S3 buckets, and a plethora of KMS keys and RDS snapshots.

"It's almost certainly much worse than a compromised cloud host when you have a compromised cloud account due to one of these forms of misconfigurations," Chiodi said.

An attacker who compromises a single host can exploit a bug and gain access to data, but if network segmentation is in place, their options are restricted. Patches and multi-factor authentication wouldn't help in the identity case because "[an attacker] can weave through all of that stuff when you have an identity-based misconfiguration at the CSP level," according to the researchers.

The Risks of Infrastructure-as-Code

According to Chiodi, infrastructure-as-code (IaC), the practice of managing and provisioning infrastructure through code rather than manual processes, is "very blossoming" for most businesses. Although this approach has advantages for security teams, it also has drawbacks.

Palo Alto Networks combed through nearly a million IaC templates on GitHub. They found that 42% of AWS CloudFormation template users have at least one vulnerable configuration and that over 75% of cloud workloads expose SSH. Cloud storage logging is turned off in 60% of cases. Encryption at the database layer is fully disabled in 43% of organizations configuring cloud-native databases via IaC.

"We discovered that when companies use infrastructure-as-code to establish external and even internal security boundaries, they expose sensitive ports like SSH directly to the Internet 76 percent of the time," he said.

The numbers were lower for Terraform, which lets companies apply one IaC toolchain across all major cloud service providers, but "consistent inconsistencies" remained. More than 20% of all Terraform configuration files had at least one insecure configuration; access logging for S3 buckets was disabled in 67% of them, and object versioning was disabled in more than half.
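The misconfiguration classes cited in these two paragraphs (SSH open to the Internet, storage access logging and versioning off, database encryption off) are all visible in the template before anything is deployed, which is the upside of IaC for a security team. The following is an added example, not a Palo Alto Networks tool or code from the talk: a minimal static check over a CloudFormation template, with a constructed weak template and its corrected counterpart. It uses the JSON form of the template so that it runs with no dependencies.

```python
"""Added illustration: a minimal static check over a CloudFormation template
for the misconfiguration classes cited above (SSH/RDP open to the Internet,
S3 access logging and versioning off, database storage unencrypted).
The two templates are constructed for the example and the check is not
part of any product; JSON is used so the script has no dependencies."""
import json

SENSITIVE_PORTS = (22, 3389)          # SSH and RDP
ANYWHERE = ("0.0.0.0/0", "::/0")


def _rule_covers_port(rule, port):
    """Does an ingress rule reach `port`? IpProtocol '-1' means all protocols/ports."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    low = int(rule.get("FromPort", -1))
    high = int(rule.get("ToPort", low))
    return low <= port <= high


def check_template(template):
    """Return (logical resource id, problem) pairs for the checks implemented here."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ANYWHERE:
                    continue
                for port in SENSITIVE_PORTS:
                    if _rule_covers_port(rule, port):
                        findings.append((name, f"port {port} open to {cidr}"))
        elif rtype == "AWS::S3::Bucket":
            if "LoggingConfiguration" not in props:
                findings.append((name, "access logging disabled"))
            if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
                findings.append((name, "object versioning disabled"))
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") is not True:
                findings.append((name, "storage encryption disabled"))
    return findings


# Constructed template carrying the weak settings.
WEAK_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "Engine": "postgres", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20"}}
  }
}""")

# The same resources with the corrected settings.
HARDENED_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "LoggingConfiguration": {"LogFilePrefix": "self/"},
      "VersioningConfiguration": {"Status": "Enabled"}}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LogBucket"}},
      "VersioningConfiguration": {"Status": "Enabled"}}},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "Engine": "postgres", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20",
      "StorageEncrypted": true}}
  }
}""")

if __name__ == "__main__":
    print("weak:", check_template(WEAK_TEMPLATE))
    print("hardened:", check_template(HARDENED_TEMPLATE))
```

Running the same function on both templates shows the intended workflow: the weak version produces four findings, the hardened one none, and because the check reads the template rather than the deployed account it can run in the pull request before the 76 percent figure above ever has a chance to apply.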

Spilling Secrets in the Cloud

While most security professionals are aware that accidental data disclosure is a common cloud security problem, many are unaware when it occurs. Jose Hernandez, principal security researcher, and Rod Soto, chief security research engineer, both of Splunk, talked about how corporate secrets are revealed on public repositories.

More companies now have a "converged perimeter," which Soto defines as environments, such as DevOps and ITOps, with assets both behind an Internet gateway and in the cloud. In these settings there are many attacker tactics, techniques, and procedures (TTPs) to be aware of.

The creation of temporary or permanent keys is one example. "For example, we've seen cases where developers had root keys on an AWS environment, which is pretty bad," Soto explained. "You should never offer root access; instead, you should uphold the principle of least privilege and division of duties... You can do whatever you want and take control once you have a root key," he added.

Credentials are everywhere in today's environments: SSH key pairs, Slack tokens, IAM secrets, SAML tokens, API keys for AWS, GCP, and Azure, and so on. When credentials aren't properly secured and are left exposed, most commonly in a public repository (Bitbucket, GitLab, GitHub, Amazon S3, and open databases are the most common places application secrets turn up), it becomes a shared risk scenario.

"If you're an intruder looking for someone who has embedded credentials that can be reused, either through omission or negligence, these will be your sources of leaked credentials," Soto said, adding that these can help attackers pivot between endpoints and the cloud.

According to Splunk, GitHub hosts 276,165 businesses with leaked secrets. GCP service account tokens were the most commonly exposed type, appearing in 34% of instances, followed by "password in URL" (30%) and AWS API keys (20%), with a further category at 12.7 percent. Hernandez said that after a leaked secret was discovered, it took an average of 52 days for it to be removed from the GitHub project.
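The secret types Splunk counted are all recognisable by shape, which is why pre-commit and repository-audit scanners catch most of them. As an added example (not Splunk's tooling or code from the talk), here is a small pattern-based scanner for the three types named above plus raw PEM private keys, with a masking helper so findings can be reported without re-leaking the value. The sample file contents are constructed; the AWS key id in it is Amazon's documented example value, not a live credential.

```python
"""Added illustration: a small pattern-based scanner for the secret types the
talk lists (GCP service-account material, passwords embedded in URLs, AWS API
keys) plus raw private keys. Intended as a pre-commit or repository-audit check.
Sample input is constructed; the AWS key id is Amazon's documented example value."""
import re

# (label, compiled pattern) in the order they are checked.
PATTERNS = [
    # AWS access key ids: fixed "AKIA" prefix followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # scheme://user:password@host, i.e. credentials embedded in a URL.
    ("password-in-url", re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s/:@]+:[^\s/@]+@", re.I)),
    # The JSON key that identifies a GCP service-account key file.
    ("gcp-service-account", re.compile(r'"type"\s*:\s*"service_account"')),
    # PEM private key header (RSA, EC, OpenSSH, DSA or PKCS#8).
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]


def mask(secret, keep=4):
    """Keep only a short prefix so findings can be reported without re-leaking the value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text):
    """Return (line number, label, masked match) for every hit, one per pattern per line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append((lineno, label, mask(m.group(0))))
    return hits


def summarize(hits):
    """Count hits per secret type, the shape of statistic quoted in the talk."""
    counts = {}
    for _, label, _ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample file contents (nothing here is a live credential).
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/app
{"type": "service_account", "project_id": "demo", "client_email": "svc@demo.iam.gserviceaccount.com"}
-----BEGIN RSA PRIVATE KEY-----
LOGIN_URL=https://example.test/login?user=bob
# AKIA is only a prefix here, not a key
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
    print(summarize(scan_text(SAMPLE)))
```

Note the two negative cases at the end of the sample: a URL with a host and port but no embedded password, and the bare `AKIA` prefix, neither of which fires. Pattern scanners of this kind are a first line only; the 52-day removal lag above is the reason to also treat any matched credential as compromised and rotate it rather than just delete the commit.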

Attack Detection & Defensive Strategies

It's no secret that detecting malicious activity in the cloud is more complex, a point Alfie Champion, a cybersecurity expert with F-Secure Consulting, made in an RSAC talk on attack detection: in the cloud, fewer behaviors are inherently undesirable.

"When it comes to cloud detection, context is becoming increasingly important," Champion said. "With so much API activity going on, knowing an event, the meaning behind it, and the context in which it occurs can be critical to developing high-fidelity detections."

One of the most common mistakes companies make during cloud migration is aggregating telemetry without context. When an analyst performs an investigation, there's no way of knowing which account a log belongs to, and no way for them to pivot into that account to understand what's going on. "What is bad in one account can be good in another," he said, adding that "you need that background to find that out."

Many people overlook authentication logs and management interfaces, which link on-premises and cloud environments. Larger companies are more likely to manage several cloud accounts in a federated manner, he said, and these logs let them draw explicit connections between the activities they observe.

It's worth remembering that each major cloud provider has its own approach to logging and threat detection, so administrators need to take extra care to ensure they're getting the information they need. In his RSAC talk, Brandon Evans, a senior security engineer with Zoom Video Communications, noted that flow logging shows where traffic comes from, where it goes, and how much data is transferred, which can indicate potentially malicious activity, but it isn't enabled by default.

"Stream logging is not allowed by default on any of the big three cloud providers," he said, adding that customers must expressly opt in and specify a log retention policy. According to him, AWS, Azure, and GCP differ in how long it takes to enable logs and start receiving them, in overall log retention, in command-line support, and in whether blocked ingress traffic is logged.

According to Evans, businesses should ensure they are collecting cloud API and network flow logs for each cloud provider they use. Over the long run, when they discover flaws in cloud technology and configuration, they can work with engineering to harden permissions and apply the principle of least privilege.
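Once flow logs are switched on, the three things Evans lists (source, destination, volume) are enough to answer two defender questions: how much data is leaving the environment from each internal host, and which blocked inbound connections are aimed at ports that should never face the Internet. The following is an added example, not code from the talk or from any provider: a parser for records in the default AWS VPC flow log version-2 field layout, with both summaries. The records are constructed; the account id and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation values, and the 10.0.0.0/8 "internal" range is an assumption made for the example.

```python
"""Added illustration: parsing VPC-style flow log records (the default
version-2 field layout) and pulling out the two signals the talk names:
how much data leaves the environment from each internal host, and blocked
ingress to sensitive ports. Records are constructed; the account id and the
203.0.113.0/24 and 198.51.100.0/24 addresses are documentation values."""
from collections import Counter
from ipaddress import ip_address, ip_network

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Assumed address space of the monitored VPCs (constructed for the example).
INTERNAL = ip_network("10.0.0.0/8")
SENSITIVE_PORTS = (22, 3389)


def parse_flow_logs(text):
    """Parse whitespace-separated records; skip NODATA/SKIPDATA rows, which carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def _internal(addr):
    return ip_address(addr) in INTERNAL


def egress_bytes_by_source(records):
    """Bytes accepted from an internal source to an external destination, per source."""
    totals = Counter()
    for rec in records:
        if rec["action"] == "ACCEPT" and _internal(rec["srcaddr"]) and not _internal(rec["dstaddr"]):
            totals[rec["srcaddr"]] += rec["bytes"]
    return dict(totals)


def rejected_sensitive_ingress(records, ports=SENSITIVE_PORTS):
    """Count REJECTed external->internal flows per (source, port) for ports that should not face the Internet."""
    counts = Counter()
    for rec in records:
        if (rec["action"] == "REJECT" and not _internal(rec["srcaddr"])
                and _internal(rec["dstaddr"]) and rec["dstport"] in ports):
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return dict(counts)


# Constructed sample records (one accepted internal flow and one NODATA row included as negatives).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 44321 443 6 120 91234 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 44322 443 6 9000 7340032 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.15 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.15 51001 22 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.8 10.0.1.15 39000 5432 6 50 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    print("egress bytes:", egress_bytes_by_source(recs))
    print("rejected sensitive ingress:", rejected_sensitive_ingress(recs))
```

The REJECT rows only exist because blocked traffic is being logged, which is one of the provider differences Evans calls out; on a provider or configuration that records accepted flows only, the second summary is silently empty, so that setting deserves a check of its own.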

It's beneficial for companies to build a "cloud detection stack," which helps ingest the appropriate logs and present them appropriately. In his conversation with Champion, Nick Jones, a senior security consultant with F-Secure, noted that while the industry likes to talk about a "single pane of glass" for this activity, he believes it is "useful, but maybe not important."

"The real issue here is that attacks rarely occur in isolation in a single environment," he said. "An intruder would most likely attempt to pivot or shift laterally from your on-premises estate into the cloud, or vice versa, or between two environments."

As a result, analysts need to look at logs from one data source and pivot into the next, he added. Although there are many data sources to deal with, Jones proposed prioritizing control-plane audit logs such as CloudTrail and Audit Log for visibility of all administrative activity. Storage access logs, function executions, and KMS key access are all critical service-specific logs because they show access to and use of specific resources and services.
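Champion's "what is bad in one account can be good in another" and Jones's preference for control-plane audit logs come together in one practical step: enrich each event with account context before a rule decides its severity. The following is an added example (not F-Secure's detection stack or code from either talk) that runs three rules over CloudTrail-style events from several accounts. The field names follow CloudTrail's record layout; the events, account ids and the inventory are constructed, and an event from an account missing from the inventory is itself reported, because that is exactly the "which account does this log belong to" gap described above.

```python
"""Added illustration: enriching CloudTrail-style control-plane events with
account context before applying detection rules, so the same action can be
rated differently in a sandbox and in production. Events, account ids and the
inventory are constructed; the field names follow CloudTrail's record layout."""

# Constructed account inventory: the "background" an analyst needs to judge an event.
ACCOUNT_INVENTORY = {
    "111111111111": {"name": "sandbox", "tier": "dev"},
    "222222222222": {"name": "prod-payments", "tier": "prod"},
}

# IAM actions that widen what a principal can do.
PRIVILEGE_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                     "CreateAccessKey", "CreateLoginProfile"}


def _snapshot_made_public(event):
    """True when ModifySnapshotAttribute grants createVolumePermission to group 'all'."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return False
    add = event.get("requestParameters", {}).get("createVolumePermission", {}).get("add", {})
    return any(item.get("group") == "all" for item in add.get("items", []))


def detect(events, inventory=ACCOUNT_INVENTORY):
    """Return findings carrying severity, account name/tier and the rule that fired."""
    findings = []
    for ev in events:
        acct = ev.get("recipientAccountId", "")
        ctx = inventory.get(acct)
        if ctx is None:
            # No context at all: the analyst cannot judge this event, so surface the gap.
            findings.append({"severity": "medium", "rule": "event from account not in inventory",
                             "account": acct, "event": ev.get("eventName")})
            continue
        base = {"account": ctx["name"], "tier": ctx["tier"], "event": ev.get("eventName")}
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append({**base, "severity": "high", "rule": "root credentials used"})
        if ev.get("eventName") in PRIVILEGE_CHANGES:
            # Same action, different meaning: routine in a sandbox, alarming in production.
            sev = "high" if ctx["tier"] == "prod" else "low"
            findings.append({**base, "severity": sev, "rule": "IAM privilege change"})
        if _snapshot_made_public(ev):
            findings.append({**base, "severity": "high", "rule": "EBS snapshot shared publicly"})
    return findings


# Constructed sample events.
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "requestParameters": {"userName": "dev-bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/ops-carol"},
     "requestParameters": {"userName": "svc-deploy", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root"}},
    {"eventName": "ModifySnapshotAttribute", "eventSource": "ec2.amazonaws.com", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/Reader/session"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"}},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The first two events are byte-for-byte the same action; only the inventory lookup separates a low-priority sandbox change from a high-priority production one. The snapshot rule fires at the same severity everywhere, since a publicly shared snapshot is the kind of exposure the Palo Alto Networks figures earlier on the page describe regardless of which account it lives in.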

According to Champion, it's never too early to threat model and test offensive scenarios. What would an intruder do if they stole one of your assets? How would they get around your security measures? What is their end target? He suggested defining the company's sensitive data, thinking through the attacker's goals and starting points, and then prioritizing the attack paths.
