SolarWinds breach exposes hybrid multicloud security weaknesses

A hybrid multicloud strategy can capitalize on legacy systems’ valuable data and insights while using the latest cloud-based platforms, apps, and tools. But getting hybrid multicloud security right isn’t easy.

Exposing severe security weaknesses in hybrid cloud, authentication, and least privileged access configurations, the high-profile SolarWinds breach laid bare just how vulnerable every business is. Clearly, enterprise leaders must see beyond the much-hyped baseline levels of identity and access management (IAM) and privileged access management (PAM) now offered by cloud providers.

In brief, advanced persistent threat (APT) actors penetrated the SolarWinds Orion software supply chain undetected, modified dynamically linked library (.dll) files, and propagated malware across SolarWinds’ customer base while taking special care to mimic legitimate traffic.

The bad actors methodically studied how persistence mechanisms worked during intrusions and learned which techniques could avert detection as they moved laterally across cloud and on-premises systems. They also learned how to compromise SAML signing certificates while using the escalated Active Directory privileges they had gained access to. The SolarWinds hack shows what happens when bad actors focus on finding unprotected threat surfaces and exploiting them for data using stolen privileged access credentials.

The incursion is particularly notable because SolarWinds Orion is used for managing and monitoring on-premises and hosted infrastructures in hybrid cloud configurations. That is what makes eradicating the SolarWinds code and malware problematic, as it has infected 18 different Orion platform products.

Cloud providers do their part — to a point

The SolarWinds hack occurred in an industry that relies considerably on cloud providers for security control.

A recent survey by CISO Magazine found 76.36% of security professionals believe their cloud service providers are responsible for securing their cloud instances. The State of Cloud Security Concerns, Challenges, and Incidents Study from the Cloud Security Alliance found that use of cloud providers’ additional security controls jumped from 58% in 2019 to 71% in 2021, and 74% of respondents are relying exclusively on cloud providers’ native security controls today.

Taking the SolarWinds lessons into account, every organization needs to verify the extent of the coverage provided as baseline functionality for IAM and PAM by cloud vendors. While the concept of a shared responsibility model is useful, it’s vital to look beyond cloud platform providers’ promises based on the framework.

Amazon’s interpretation of its shared responsibility model is a prime example. It’s clear the company’s approach to IAM, while centralizing identity roles, policies, and configuration rules, does not go far enough to deliver a fully secure, scalable, zero trust-based approach.

The Amazon Shared Responsibility Model makes it clear the company takes care of AWS infrastructure, hardware, software, and facilities, while customers are responsible for securing their client-side data, server-side encryption, and network traffic protection — including encryption, operating systems, platforms, and customer data.

Like competitors Microsoft Azure and Google Cloud, AWS provides a baseline level of support for IAM optimized for just its environments. Any organization operating a multi-hybrid cloud and building out a hybrid IT architecture will have wide, unsecured gaps between cloud platforms because each platform provider only offers IAM and PAM for their own platforms.

While a useful framework, the Shared Responsibility Model does not come close to providing the security hybrid cloud configurations need. It is also deficient in addressing machine-to-machine authentication and security, an area seeing rapid growth in organizations’ hybrid IT plans today. Organizations are also on their own when it comes to how they secure endpoints across all the public, private, and community cloud platforms they rely on.

There is currently no unified approach to solving these complex challenges, and every CIO and security team must figure it out on their own.

But there needs to be a single, unified security model that scales across on-premises, public, private, and community clouds without sacrificing security, speed, and scale. Averting the spread of a SolarWinds-level attack starts with a single security model across all on-premises and cloud-based systems, with IAM and PAM at the platform level.

Amid hybrid cloud and tool sprawl, security suffers

The SolarWinds attack came just as multicloud methods had started to gain traction. Cloud sprawl is defined as the unplanned and often uncontrolled growth of cloud instances across public, private, and community cloud platforms. The leading cause of cloud sprawl is a lack of control, governance, and visibility into how cloud computing instances and resources are acquired and used. Still, according to Flexera’s 2021 State of the Cloud Report, 92% of enterprises have a multicloud strategy and 82% have a hybrid cloud strategy.

Cloud sprawl happens when an organization lacks visibility into or control over its cloud computing resources. Organizations are reducing the potential of cloud sprawl by having a well-defined, adaptive, and well-understood governance framework defining how cloud resources will be acquired and used. Without this, IT faces the challenge of keeping cloud sprawl in check while achieving business goals.

Overbuying security tools and overloading endpoints with multiple, often conflicting software clients weakens any network. Buying more tools could actually make a SolarWinds-level attack worse. Security teams need to consider how tool and endpoint agent sprawl is weakening their networks. According to IBM’s Cyber Resilient Organization Report, enterprises deploy an average of 45 cybersecurity-related tools on their networks today. The IBM study also found enterprises that deploy over 50 tools ranked themselves 8% lower in their ability to detect threats and 7% lower in their defensive capabilities than companies employing fewer toolsets.

Rebuilding on a zero trust foundation

The SolarWinds breach is particularly damaging from a PAM perspective. An integral component of the breach was compromising SAML signing certificates the bad actors gained by using their escalated Active Directory privileges. It was all undetectable to SolarWinds Orion, the hybrid cloud-monitoring platform hundreds of organizations use today. Apparently, a combination of hybrid cloud security gaps, lack of authentication on SolarWinds accounts, and lack of least privileged access made the breach undetectable for months, according to a Cybersecurity & Infrastructure Security Agency (CISA) alert. One of the most valuable lessons learned from the breach is the need to enforce least privileged access across every user and administrator account, endpoint, system access account, and cloud administrator account.

The bottom line is that the SolarWinds breach serves as a reminder to plan for and begin implementing zero trust frameworks that enable any organization to take a “never trust, always verify, enforce least privilege” strategy when it comes to their hybrid and multicloud strategies.

Giving users just enough privileges and resources to get their work done and providing least privileged access for a specific time is essential. Getting micro-segmentation right across IT infrastructures will eliminate bad actors’ ability to move laterally throughout a network. And logging and monitoring all activity on a network across all cloud platforms is critical.

Every public cloud platform provider has tools available for doing this. On AWS, for example, there’s AWS CloudTrail and Amazon CloudWatch, which monitors all API activity. Vaulting root accounts and applying multi-factor authentication across all accounts is a given.

Organizations need to move beyond the idea that the baseline levels of IAM and PAM delivered by cloud providers are enough. Then these organizations need to think about how they can use security to accelerate their business goals by providing the users they serve with least privileged access.

Adopting a zero trust mindset and framework is a given today, as every endpoint, system access point, administrative login, and cloud administrator console is at risk if nothing changes.

The long-held assumptions of interdomain trust were proven wrong with SolarWinds. Now it’s time for a new, more intensely focused era of security that centers on enforcing least privilege and zero-trust methods across an entire organization.