Complexity of Attack Surface Management in Cloud Environments
Legacy attack surfaces were small and simple. There were fewer servers and endpoints to protect, and the tooling required to secure them was basic – perimeter firewalls, antivirus software, and server/network/application monitoring tools. When organizations migrate to the cloud, things change and become complex. For starters, on-premise infrastructure and applications can’t be abandoned in favor of the cloud; most organizations run hybrid setups. Further, partner and vendor applications and open source code greatly expand the attack surface, adding components outside an organization’s sphere of control. What’s needed is an end-to-end attack surface management (ASM) solution that accounts for more than just the public cloud.
The digital supply chain – Past, present & future
The journey from legacy IT to where we are today included several key progressions. It began with on-premise servers and applications that were then transitioned to the internet and websites. This gave way to SaaS and PaaS applications that were cloud-based, followed by a mass migration of organizations’ IT infrastructure to the cloud computing model and even cloud-native architectures. However, today, we’re taking this a step further as we see the beginning of a new era of GenAI and LLM-powered applications that are adding a new layer to the already complex fabric of the cloud.
What changed with the move to the cloud
Let’s dive into the various components that have changed with the move to the cloud:
- Scale: While it’s easy to spin up and spin down cloud instances and container clusters, managing the sudden changes is a whole new challenge that the cloud introduced. It’s easy to leave orphaned instances running, and a slow buildup of shadow IT in the cloud.
- Ephemeral workloads: Unlike bare metal servers, containers are easy to provision and delete, which makes them ideal for ephemeral workloads. This is even more true of serverless functions, which encourage workloads that last only a few seconds or minutes. The cloud brings a whole new perspective to the phrase ‘short-lived.’ But this also means that the rate of change in any cloud system is faster than before, and organizations struggle to keep up. Security gets overlooked, and attackers exploit the gaps they find.
- Release velocity: Rather than release a slew of new features every quarter, the cloud enables and encourages continuous deployment where features are launched as soon as, or even before they are completely ready for production. This makes it more likely for misconfigured applications to reach production.
- SaaS: A proliferation of cloud-based applications hosted by your organization or used by your organization. SaaS centralizes security, which is good only if the SaaS application itself is secure. If its security is compromised, every user and customer of the SaaS application is affected.
- IaaS: Infrastructure went from on-premise native applications to public cloud vendors like AWS, Azure, and Google Cloud. This introduced the shared responsibility model for security (more on this later).
- Data: Where servers once scaled vertically, data now resides in many places horizontally – in the cloud or on-prem, internal and external to your organization. This increases the number of attack vectors.
- The human component: Authentication is split between cloud IAM services like AWS IAM and third-party providers like Okta. Authorization (what identities are allowed to do) is even more complex and has become policy-based. At large scale, policies can become daunting.
- An exponential number of environments: There are many environment types – local dev IDE, cloud-based dev environments, testing, staging, and production. The various environments run across servers, VMs, and Kubernetes clusters. Configuring these environments in a secure way at scale is a tedious task. The environments also expand the attack surface of the organization and increase the load on security teams.
- Digital supply chain: Slack, Jira, and GitHub enable seamless collaboration, but also introduce new layers of the digital stack that require protection. The digital supply chain is fragmented and is made up of numerous third-party tools, libraries, and frameworks. While these tools greatly benefit developer productivity, traditional security tooling is unable to scan, monitor, and account for the usage of these tools.
- Partner organizations and their applications: Unsecured partner applications are a key reason for many data breaches. The numerous customers of SolarWinds and Snowflake found this out the hard way.
All these point to the fact that the cloud is great, but there is more to cloud attack surface management (ASM) than just migrating to the public cloud. Today, organizations need a complete revision of ASM as it applies to a new digital frontier.
New security challenges the cloud introduces
In terms of security, this is what is at stake for organizations that migrate to the cloud:
- CNAPP’s blind spot: A cloud-native application protection platform (CNAPP) is purpose-built to secure cloud infrastructure from the inside out. While it’s great at solving cloud security issues inside an organization’s own cloud stack, organizations also need to view their cloud attack surface through the eyes of an attacker. This is something a CNAPP is not built to deliver. Organizations that rely exclusively on a CNAPP today are easily blindsided by the next attack.
- Shared responsibility for security: With the advent of cloud computing, the ‘shared security model’ was popularized by AWS. This means that AWS is responsible for security ‘of’ the cloud, and you as the customer organization are responsible for your own security ‘in’ the cloud. This puts the onus of security on your organization’s security teams whose jobs are only becoming more difficult.
- The rise of open source: Open source software has completely transformed application development and cloud infrastructure management. But many of these projects are not as well-maintained or well-secured as they should be. Critical flaws in widely-used open source projects like Log4j have affected thousands of organizations that rely on them. Open source software needs security monitoring.
- From IAM to CIEM: Shifting from on-prem networks to multi-cloud environments requires a change of paradigm from “static” identity and access management to dynamic and agile entitlement management, which grants individual users different sets of permissions across different silos and environments, with complete control from one dashboard. This reduces the exposure created by over-permissioned identities.
- Security testing against the actual attack surface: The modern attack surface is not just exponentially expanding but is getting more complex. This makes it difficult for security teams to accurately test against the real attack surface.
- Scanning all code before it reaches production: Though checkpoints need to be set up and security hygiene practiced all through the CI/CD pipeline, it is still essential to scan all code just before it is released to production. While many code scanning tools exist today, they do not provide context on the type of issues detected and are unable to quickly surface the root cause of a vulnerability.
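The IAM and CIEM items above both come down to the same question: which grants give an identity more than it needs? The following is an added example (not IONIX code) that scans AWS-style IAM policy documents for the patterns an entitlement review looks for first: wildcard actions, wildcard resources, and permission-changing actions such as `iam:PassRole`. The sample policies, the `SENSITIVE_ACTIONS` list, and the severity thresholds are constructed for illustration.

```python
"""Flag over-permissive IAM policy statements.

Added example, not IONIX code. Assumes AWS-style JSON policy documents;
the sensitive-action list and severity rules below are constructed.
"""
from __future__ import annotations

import fnmatch
import json

# Actions that grant or change permissions. An Allow on any of these with a
# broad Resource is treated as a privilege-escalation risk (constructed list).
SENSITIVE_ACTIONS = {
    "iam:*", "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "sts:AssumeRole",
}


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def analyze_policy(policy: dict) -> list[dict]:
    """Return one finding per risky Allow statement.

    Deny statements only restrict access and are skipped. NotAction/NotResource
    are not modeled here; a real review should treat them as broad grants.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resource = "*" in resources
        # A policy action pattern like "iam:*" matches every sensitive action.
        sensitive = [a for a in actions
                     if any(fnmatch.fnmatchcase(s, a) for s in SENSITIVE_ACTIONS)]
        if not (wildcard_actions or wildcard_resource or sensitive):
            continue
        if "*" in actions and wildcard_resource:
            severity = "critical"          # full admin
        elif wildcard_resource and (wildcard_actions or sensitive):
            severity = "high"              # broad or escalating actions on everything
        elif wildcard_actions or sensitive:
            severity = "medium"            # scoped resource limits the damage
        else:
            severity = "low"               # Resource "*" with narrow, non-sensitive actions
        findings.append({
            "statement": stmt.get("Sid", f"stmt-{idx}"),
            "severity": severity,
            "wildcard_actions": wildcard_actions,
            "wildcard_resource": wildcard_resource,
            "sensitive_actions": sorted(sensitive),
            "conditioned": bool(stmt.get("Condition")),  # conditions narrow, but do not remove, the grant
        })
    return findings


def summarize(policies: dict[str, dict]) -> dict[str, str]:
    """Map each policy name to its worst finding severity ('ok' if none)."""
    order = {"critical": 4, "high": 3, "medium": 2, "low": 1}
    return {name: max((f["severity"] for f in analyze_policy(pol)), key=order.get, default="ok")
            for name, pol in policies.items()}


# Constructed sample policies, not taken from any real account.
SAMPLE_POLICIES = {
    "AdminEverything": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "BuildRole": {"Version": "2012-10-17", "Statement": [
        {"Sid": "S3Read", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-build-artifacts/*"]},
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"}]},
    "ReadOnlyScoped": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_POLICIES), indent=2))
    print(json.dumps(analyze_policy(SAMPLE_POLICIES["BuildRole"]), indent=2))
```

The point of the `BuildRole` case is the one CIEM tools exist to catch: each statement looks reasonable in isolation, but `iam:PassRole` on `Resource: "*"` lets the build identity hand any role in the account to a service, so its effective entitlement is far larger than its stated purpose.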
Now that we’ve discussed the challenges threatening the modern digital supply chain in detail, let’s take a look at how to secure the supply chain. We start by understanding the difference between two key approaches – CNAPP and ASM.
CNAPP vs EASM – Go beyond the cloud
A CNAPP provides visibility into cloud environments and lets you enforce security policies. But as we’ve mentioned earlier, the digital supply chain is more than the cloud, and hybrid environments are the reality for most organizations. This requires a solution with a wider scope. That’s what external attack surface management (EASM) is.
EASM is more far-reaching in its purview, covering cloud, on-prem, partner assets, open source components, runtime threats and more. It monitors your organization’s entire digital footprint leaving nothing out. While many security solutions give you visibility within your organization’s digital premises, EASM takes the opposite route of giving you an outside-in view of your exposed risks, including the digital supply chain. It gives you an attacker’s view of your organization highlighting all externally visible vulnerabilities, misconfigurations, and exposures.
Building on this, EASM enriches each vulnerability with contextual information such as who owns the compromised asset, when it was created, what caused the exposure, when the exposure began, related digital assets that are at risk due to the exposure, and the blast radius of the exposure. It can show you the exact path of the attack, telling you the story behind seemingly isolated events. This critical insight gives you all you need to prioritize various threats and take a strategic approach to threat exposure management.
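To make the enrichment described above concrete, here is an added example (not IONIX code) that models an inventory of internet-facing and internal assets as a graph, computes the blast radius of each exposed asset, reconstructs the shortest path from an exposed asset to a sensitive one, and ranks exposures by what they put at risk. The asset names, owners, findings and dependency edges are constructed; in practice they would come from discovery and asset metadata.

```python
"""Blast radius, attack path and prioritization over an asset graph.

Added example, not IONIX code. Inventory and edges are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                       # e.g. "web", "api", "db", "secrets"
    owner: str                      # "unknown" is itself a finding worth surfacing
    internet_facing: bool = False
    # Assets this one can reach through a network path or trust relationship.
    reaches: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def blast_radius(inventory: dict[str, Asset], start: str) -> list[str]:
    """Every asset reachable from `start` by pivoting along 'reaches' edges (BFS order)."""
    seen, queue, order = {start}, deque([start]), []
    while queue:
        cur = queue.popleft()
        for nxt in inventory[cur].reaches:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                order.append(nxt)
    return order


def attack_path(inventory: dict[str, Asset], start: str, target: str) -> list[str]:
    """Shortest pivot path from `start` to `target`, or [] if unreachable."""
    parent: dict[str, str | None] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in inventory[cur].reaches:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return []


def prioritize(inventory: dict[str, Asset]) -> list[dict]:
    """Rank internet-facing assets that have findings by what their exposure puts at risk.

    Score (constructed weighting): 10 per finding, 1 per reachable asset,
    plus 5 per reachable data store or secret store.
    """
    ranked = []
    for a in inventory.values():
        if not (a.internet_facing and a.findings):
            continue
        radius = blast_radius(inventory, a.name)
        sensitive = [n for n in radius if inventory[n].kind in ("db", "secrets")]
        ranked.append({
            "asset": a.name, "owner": a.owner, "findings": a.findings,
            "blast_radius": radius, "sensitive_reachable": sensitive,
            "score": 10 * len(a.findings) + len(radius) + 5 * len(sensitive),
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed inventory (example.test is a reserved, non-routable domain).
INVENTORY = {a.name: a for a in [
    Asset("www.example.test", "web", "web-team", True, ["api.example.test"], ["outdated TLS config"]),
    Asset("api.example.test", "api", "platform", True, ["orders-db", "vault"], ["debug endpoint exposed"]),
    Asset("legacy.example.test", "web", "unknown", True, ["orders-db"], ["EOL framework", "missing WAF"]),
    Asset("orders-db", "db", "data-team", False, []),
    Asset("vault", "secrets", "platform", False, []),
    Asset("wiki.example.test", "web", "it", True, [], []),
]}

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row["score"], row["asset"], row["owner"], row["sensitive_reachable"])
    print(attack_path(INVENTORY, "www.example.test", "vault"))
```

Note how the ranking differs from a plain severity list: `legacy.example.test` rises to the top not because its findings are individually worse, but because it has two of them, an unknown owner, and a direct path to the orders database, which is exactly the "story behind seemingly isolated events" the text refers to.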
6 ways to protect the digital attack surface
- Reduce the attack surface: Do not allow asset sprawl to creep into your digital supply chain. Constantly look for ways to reduce the size of the attack surface. You can do this by removing unused cloud instances, consolidating tooling, and retiring legacy applications.
- Broaden your definition of an asset: New asset types are being added with every passing year. This calls for an ever-broadening definition of what an asset is. This is especially true in the case of software assets that can easily proliferate.
- Monitor the entire attack surface from the outside-in: As mentioned earlier, there’s more to your organization’s digital ecosystem than just the cloud, and ASM accounts for it all. ASM knows your platforms and environments by performing deep scanning of internal technologies and external sources. It gives you visibility into every single internet-facing asset from an attacker’s point of view. This is as close to reality as it gets for security teams that are in a race against evolving external attacks.
- Context-aware threat intelligence: ASM enables you to understand who owns each internet-facing asset based on the metadata associated with it. This rich contextual data on assets can be used to assess risk levels and then prioritize threats accordingly. ASM transforms your organization’s security efforts from knee-jerk reactions to proactive threat hunting, and risk prioritization.
- Enforce security policies to stay compliant: Improve the organization’s overall security posture and reduce security incidents by adhering to security protocols, safeguarding data and meeting compliance requirements. Once these policies are defined, you can be notified immediately when one is violated. Going a step further, you can add automated remedial actions that are triggered by specific alerts. All this lets you not merely become compliant once, but stay compliant.
- Foster a healthy organizational cyberculture: Conduct regular training, and facilitate open communication across teams internally so teams across the organization speak the same language, and can find shared solutions to the security challenges they face. Educate employees on the need to gain an attacker’s view of their organization and take this into account for security planning.
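The "reduce the attack surface" and "enforce security policies" items above, together with the orphaned-instance and shadow-IT problem raised earlier, can be expressed as rules evaluated over an asset inventory. Here is an added example (not IONIX code) of that pattern: a small policy-as-code evaluator that flags untagged instances past a grace period, long-stopped instances, administrative ports open to the world and publicly readable storage, then routes each remediation action to the owning team. The inventory records, rule thresholds and field names are constructed; a real pipeline would pull records from cloud APIs or an EASM platform and hand the actions to a ticketing or automation system.

```python
"""Policy-as-code over a cloud asset inventory, with per-owner remediation queues.

Added example, not IONIX code. Records, rules and thresholds are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _days_since(ts: datetime | None) -> int:
    return (NOW - ts).days if ts else 0


def _world_open(record: dict, port: int) -> bool:
    return any(p["port"] == port and p["cidr"] == "0.0.0.0/0" for p in record.get("ingress", []))


# Each rule: (name, predicate over one record, remediation action).
RULES = [
    ("orphaned-instance",
     lambda r: r["type"] == "instance" and not r.get("owner") and _days_since(r["created"]) > 30,
     "assign an owner tag or terminate"),
    ("stopped-instance-stale",
     lambda r: r["type"] == "instance" and r.get("state") == "stopped"
     and _days_since(r.get("stopped_since")) > 90,
     "snapshot if needed, then terminate"),
    ("ssh-open-to-world",
     lambda r: _world_open(r, 22),
     "restrict port 22 to the bastion CIDR"),
    ("storage-public",
     lambda r: r["type"] == "bucket" and bool(r.get("public_read")),
     "disable public read and review the bucket policy"),
]


def evaluate(inventory: list[dict], rules=RULES) -> list[dict]:
    """One violation per (asset, rule) match, carrying the action to take."""
    violations = []
    for rec in inventory:
        for name, predicate, action in rules:
            if predicate(rec):
                violations.append({"asset": rec["id"], "rule": name, "action": action,
                                   "owner": rec.get("owner") or "unassigned"})
    return violations


def route(violations: list[dict]) -> dict[str, list[str]]:
    """Group remediation actions by owner; 'unassigned' is the shadow-IT queue."""
    queues: dict[str, list[str]] = {}
    for v in violations:
        queues.setdefault(v["owner"], []).append(f'{v["asset"]}: {v["action"]}')
    return queues


# Constructed inventory records.
INVENTORY = [
    {"id": "i-0a1", "type": "instance", "owner": "payments", "state": "running",
     "created": NOW - timedelta(days=400), "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0b2", "type": "instance", "owner": None, "state": "running",
     "created": NOW - timedelta(days=45), "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0c3", "type": "instance", "owner": "data-eng", "state": "stopped",
     "created": NOW - timedelta(days=300), "stopped_since": NOW - timedelta(days=120)},
    {"id": "i-0d4", "type": "instance", "owner": None, "state": "running",
     "created": NOW - timedelta(days=3)},        # untagged but inside the 30-day grace period
    {"id": "bkt-logs", "type": "bucket", "owner": "platform", "public_read": True,
     "created": NOW - timedelta(days=800)},
    {"id": "bkt-site", "type": "bucket", "owner": "web", "public_read": False,
     "created": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    for owner, actions in route(evaluate(INVENTORY)).items():
        print(owner)
        for line in actions:
            print("  -", line)
```

Keeping the rules as data rather than scattered conditionals is what makes "stay compliant" practical: the same evaluator runs on every inventory refresh, a new rule is one tuple, and the per-owner queues give each team its own backlog instead of one undifferentiated alert stream.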
Leveraging ASM to secure the entire digital supply chain
CNAPP solutions are great at what they do – securing cloud platforms. They are an improvement over traditional vulnerability management that is static and lacks prioritization of risks. However, they fall far short of securing the entire supply chain beyond the cloud vendors. What organizations need is an EASM tool that can discover, classify, prioritize, and monitor all assets that belong to the organization, its partners, vendors, and suppliers – the entire digital supply chain, irrespective of on-prem, cloud, or edge.
IONIX is an EASM platform that does just this. Its external attack surface management (EASM) capabilities cover asset discovery, attack surface intelligence, and risk-based prioritization. It gives you an attacker’s view of your entire organization’s digital attack surface, and exposes threats with 50% more visibility than any other tool.