The US Department of Homeland Security (DHS) late last week kicked off an investigation into the threat of cyberattacks against cloud computing environments as Microsoft faces intense scrutiny over its handling of a major attack on its Azure cloud infrastructure.
On Aug. 11, DHS announced the next project for its Cyber Safety Review Board (CSRB), a joint public-private subgroup which in the past year and a half has investigated the Log4j vulnerability, and the Lapsus$ group (the results of which were released on Aug. 10). This third endeavor will focus on “issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers,” DHS said in an announcement.
Some experts consider the move a good start to mending what’s broken in cloud security services today.
The CSRB review was spurred by the recent breach of Microsoft’s Azure cloud service, prosecuted successfully by a Chinese APT which Microsoft tracks as Storm-0558. The campaign compromised dozens of public sector agencies, as well as many private companies, and the full scope of the damage is not yet clear. DHS “began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July,” it noted.
“The recent Microsoft incident opened the door to this type of direct action, and DHS walked right in,” explains Craig Burland, CISO at Inversion6. “While many will likely voice opposition to the government stepping, uninvited, into a new realm of regulation, organizations both large and small will benefit from a shift in shared responsibility to upgrade the default protections offered to all cloud clients.”
Rebalancing Shared Responsibility in the Cloud
As Karen Walsh, CEO at Allegro Solutions, points out, the review is a step towards implementing the US National Cybersecurity Strategy’s Objective 2.4, “Prevent Abuse of U.S.-Based Infrastructure,” an initiative meant to disrupt and dismantle threat actors targeting American organizations.
Beyond this broader initiative, there’s a deeper, more structural issue at hand.
Recent months have brought repeated instances of severe vulnerabilities in cloud infrastructure, even from the most sophisticated providers like Microsoft. AWS has leaked tokens, its new features have been compromised, and threat actors have regularly leveraged it to steal sensitive business data and perform follow-on attacks. Google Cloud has experienced its own issues with stolen tokens, as well as its database service and certain kinds of content, and has suffered its own breaches as of late.
Clearly the cloud is at risk, but end users often don’t hear about it, because cloud providers manage their own systems. Without the need for customers to patch, the model for disclosure changes as well. For example, cloud vulnerabilities are not assigned traditional CVEs.
The lack of clarity in who bears what responsibilities in securing cloud environments, and how to communicate between vendor and customer, has begun to have serious ramifications in real world cyberattacks.
Microsoft in the Hot Seat
Some see Microsoft Azure as an example of where the shared responsibility model failed, because it wasn’t merely that a hostile state-aligned APT breached Azure Active Directory (AD), affecting the government and up to millions of Microsoft 365 applications. The greater offense, they say, is the manner in which Microsoft has handled the disclosure and review process.
“For many customers and investors, it was disappointing to see Microsoft in the news yet again for security reasons,” says Claude Mandy, chief evangelist for data security at Symmetry Systems. More than a month after the breach was initially disclosed, he emphasizes, “the details on how the breach occurred and its potential impact are still vague, with no certainty provided by Microsoft. Instead, concerns and assessments are only being raised by outside cybersecurity researchers. As an industry, we are demanding more transparency.”
In particular, Mandy takes issue with how Microsoft, until recently, withheld security logging as an upcharge for 365 customers. Microsoft was “restricting companies from having essential security features unless they pay more,” he says, putting a burden on its customers. Microsoft has since reversed this policy.
That sentiment was seconded by security researchers at Tenable, who on Aug. 3 published the details of an entirely separate Azure vulnerability enabling certain unauthorized access to cross-tenant applications and the sensitive data, including authentication secrets. “To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Tenable CEO Amit Yoran wrote in a LinkedIn post.
In a statement provided to Dark Reading, Microsoft claimed that the issue was mitigated for a majority of customers in June, and has since been fully resolved.
But Tenable researchers push back on that explanation, writing that “Microsoft has remediated this vulnerability for any new applications using the affected service, however, existing applications that were developed and deployed prior to that remediation are still affected and vulnerable.”
A Microsoft spokesperson provided the following explanation:
“We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
Can DHS Fix Shared Responsibility?
Walsh and others are hoping that the government action can help bridge the kinds of security and communications breakdowns at the heart of stories like these.
“As the CSRB engages more deeply in this review, cloud service providers will likely bear more burden under the Shared Responsibility Model. A major through line from the National Cybersecurity Strategy is shifting responsibility to organizations that have more resources. In this case, providers have more resources than their customers,” she says.
Burland seconds the need to shift more security burden from customers to vendors. “Today, the CSPs hold much of the power in the shared responsibility model, essentially protecting their own assets while expecting less capable, less knowledgeable customers to do the same,” he bemoans.
“If the findings of the CSRB spark immediate changes to the shared responsibility model, it will have been a success and further the administration’s strategic goals. If the findings simply plant seeds that new regulations may be on the horizon, it will still be a success,” he says. “In either case, the review will advance another chess piece forward on the board, positioning the government to demand and ensure a common defense against cybersecurity threats.”