The Incident
Automobile Giant Suffers Exposure of Data, Credentials, and Cloud Access Keys
What happened?
Extremely sensitive business data of a global automobile giant was exposed in a recent cyber incident. The organization’s IT infrastructure was hosted in the cloud; however, there were vulnerabilities in how cloud resources, data, and credentials were managed. The compromised IT assets include database connection strings, cloud access keys, blueprints, design documents, API keys, SSO passwords, and more. The shocking and unfortunate part of the incident is that it occurred back in September 2023 but only came to light at the end of January 2024. Initial investigation after the revelation suggests credential abuse by cybercriminals, which gave them access to the organization’s valuable intellectual property, reports, data, credentials, and critical files. Eventually, the organization’s entire source code was exfiltrated through a GitHub Enterprise server, leading to a potential data breach.
Cloud Adoption is Happening Rapidly Giving Rise to Challenges
Global organizations are embracing cloud computing because it spurs operational effectiveness and innovation. With every major cloud service provider (CSP) offering an increasing number of services, IT professionals are constantly migrating workloads to the cloud for better outcomes.
In one of its reports, McKinsey predicted that almost 60% of global organizations will have their IT infrastructure in the cloud by 2025. In its study report “Top Cybersecurity Threats in 2023”, Forrester asked 4,369 cloud decision makers about their organizations’ plans to adopt the following cloud platforms: hosted private cloud, internal private cloud, and public cloud; 83%, 83%, and 84% of respondents respectively indicated an intention to adopt them.
But are organizations equally equipped with cloud security measures? There are inherent risks when workloads are migrated to cloud hosting models.
Risks to Watch
Risk #1
Absence of Credential Vaulting and Security
There are multiple tokens, keys, and passwords in a multi-cloud architecture. Critical among them are OAuth2 credentials, HMAC authentication keys, internal service account credentials, external service account credentials, privileged credentials, etc. A single compromise of any of these credentials can be disastrous for the organization, and there could even be multiple breaches across multi-level data repositories.
Vaulting of credentials is the first step that should be enforced. In this incident, there was no credential vaulting, which is why the cloud access keys and the GitHub token were compromised. Nor was there continuous monitoring of sessions, which is why anomalous activities remained undetected.
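As an added example (not code from the original post or from the organization described), the following Python check flags the kinds of hard-coded credentials the incident exposed, while passing lines that reference a vault or an environment variable instead. The AWS access key and GitHub token prefixes are publicly documented formats; the connection-string and API-key patterns are broad heuristics, and the `vault://` convention and the sample file are constructed assumptions.

```python
import re

# Patterns for the credential types named in the incident write-up. The AWS
# access key ID prefix (AKIA/ASIA + 16 chars) and GitHub token prefixes (ghp_,
# gho_, ghu_, ghs_, ghr_) are publicly documented formats; the connection-string
# and API-key patterns are deliberately broad heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "db_connection_string": re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s'\"]+"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{20,}"
    ),
}


def references_vault(line: str) -> bool:
    """True when the value is an indirection to a vault or the environment
    rather than the secret itself (assumed convention: vault:// or ${VAR})."""
    return "vault://" in line or "${" in line


def redact(value: str) -> str:
    """Keep only a short prefix so findings can be logged without re-leaking."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_for_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, redacted_match) for every hard-coded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or references_vault(stripped):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
    return findings


# Constructed sample .env file; the values are made up, not from the incident.
SAMPLE_CONFIG = """\
# application settings (constructed example)
DB_CONN=Server=db.internal;Database=designs;User Id=app;Password=Sup3rS3cret!;
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API_KEY="c0nstructedAP1key0123456789abcdef"
SSO_PASSWORD=${SSO_PASSWORD}
SIGNING_KEY=vault://kv/ci/signing-key
"""

if __name__ == "__main__":
    for line_no, kind, shown in scan_for_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} -> {shown}")
```

Run as a pre-commit hook, a non-empty result blocks the commit; the two vault-backed lines in the sample pass, showing what a vaulted configuration looks like to the scanner.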
Risk #2
Time Taken to Detect Data Breaches
The biggest concern behind a data breach is the time taken to detect it. According to the Verizon “Data Breach Investigations Report,” more than 60% of data breach incidents are detected one month after the incident has occurred. The above incident happened in September 2023 but only came to light at the end of January 2024, a gap of four long months. Such a long interval between a breach and its detection creates situations where the compromised data is irrecoverable and the damage has already been inflicted.
Real-time monitoring of end-user activity and real-time detection of malicious activity are key to addressing such challenges. Had there been continuous monitoring and reporting of privileged sessions in the victim organization’s cloud environment, things could have been different.
Risk #3
Absence of Adequate Access Control Measures in Multi-cloud Environment
In today’s IT context, an increasing number of organizations are adopting multi-cloud platforms. Each cloud platform may have hundreds of users accessing cloud instances for operational and computational purposes. For example, admins are granted console-level access, application development teams access agile software development tools, and business privileged users, including consultants, access business applications for various day-to-day IT tasks.
As more cloud platforms are added, the result is a large multi-cloud environment in which the number of users explodes. Against this backdrop, it is critical to govern and monitor a growing population of cloud users and their access to resources, even as the number of access paths increases dramatically.
Organizations migrating workloads to the cloud must have policy enforcement, dynamic access control policies, and control over excessive privileges/entitlements as the bare minimum safeguards for cloud access security.
The Bottom Line
The objective of better IT efficiency and outcomes through cloud adoption could go haywire without adequate cloud access security policies and practices.