
The Toxic Cloud Trilogy

In this interview, Eitan discusses the unique vulnerabilities of cloud environments, systemic issues preventing organisations from fully addressing weaknesses and practical steps Indian organisations can take to mitigate these risks.

Aanchal Ghatak

Ari Eitan, Director of Research at Tenable


As Indian organisations increasingly migrate to the cloud, they face a complex and evolving security landscape. Ari Eitan, Director of Research at Tenable, highlights the “Toxic Cloud Trilogy” - a convergence of publicly exposed workloads, critical vulnerabilities, and over-privileged identities - as a critical threat to Indian organisations. In this interview, Eitan discusses the unique vulnerabilities of cloud environments, systemic issues preventing organisations from fully addressing weaknesses and practical steps Indian organisations can take to mitigate these risks.


Could you explain what the “Toxic Cloud Trilogy” entails and why it poses such a critical threat to Indian organisations?

The toxic cloud trilogy is a convergence of publicly exposed workloads, critical vulnerabilities, and over-privileged identities. Separately, each of these factors poses a security risk. Together, they create a scenario that warrants attention.

In the cloud, publicly exposed workloads can function as beacons, accessible from the internet. Such exposure, even when unintentional, allows cybercriminals to identify potential entry points with ease. Add unpatched vulnerabilities into the mix, and the risk is amplified. These gaps create a straightforward exploitation pathway.


The third factor – over-privileged identities – further raises the stakes. When access permissions exceed what is necessary, attackers can move more freely across systems, accessing data and services with fewer barriers. This toxic cloud trilogy turns what might have been a limited security issue into a broader operational concern, allowing attackers to extend their reach if they gain access.

Many organisations continue to face challenges in securing cloud data effectively. What specific aspects of the cloud make it uniquely vulnerable, particularly in complex environments?

It’s much easier to store data in the cloud because every time organisations want to store new data, they can increase cloud storage with the click of a button. With data storage becoming easier, organisations are motivated to store more data that they can leverage to advance their AI capabilities. Over the last few years, LLMs have become more accessible, introducing new challenges.


Securing the cloud is challenging due to separating sensitive data, large data volumes, and risks like data poisoning, where attackers manipulate exposed data to disrupt AI responses.

Securing the cloud is a big challenge, and not because organisations aren’t careful enough. It’s because of separating sensitive and non-sensitive data in the cloud. Additionally, the vast volumes of data make it vulnerable to data poisoning. If the data is publicly exposed, attackers can tamper with it and have AI respond in a way that was not intended.

Despite heightened awareness and efforts to protect against cyberattacks, critical vulnerabilities persist. In your view, what systemic issues are preventing organisations from fully addressing these weaknesses?


Vulnerability management is even more challenging in the cloud as these environments contain numerous interconnected services. As cloud adoption rapidly scales up, cloud security practices aren’t necessarily scaling along with them. That means many organisations have cloud risks ranging from unpatched, known vulnerabilities to misconfigurations and identity and excess-privilege issues.

For organisations just beginning to tackle cloud security, what key areas should they prioritise to build a more secure foundation?

Most cloud security solutions offer valuable protection, but they lack the analysis capabilities that help organisations prioritise remediating the most sensitive assets. For organisations that are beginning their cloud security journey, it would benefit them to look for tools that not only excel at securing the cloud environment itself but also protect the data and AI resources residing within.


This requires investing in DSPM and AI-SPM tools that help identify data and AI resources and contextualise them with broader cloud security measures. This enables preventive security, aiding organisations in stopping unauthorised access or breaches that exploit vulnerabilities in the cloud infrastructure.

Given the specifics of India’s regulatory landscape and common cloud usage patterns, what practical, immediate actions can Indian organisations implement to mitigate these risks?

Regulatory norms exist to provide organisations with guidelines on doing the bare minimum when it comes to security. However, organisations mustn’t wait for regulatory norms to implement cloud security measures. Given the evolving threat landscape, having Cloud Security Application Protection Platforms (CNAPPs) act as the central nervous system, integrated with DSPM and AI-SPM tools, will eliminate blind spots in the cloud. Such deep data discovery and classification where sensitive information is identified and prioritised for protection offers greater visibility for focused security measures, simplifying compliance efforts.


With identity management cited as a major risk factor, how can organisations improve their approach to managing cloud permissions effectively, especially given the rise of both human and non-human (machine) identities?

It’s important to understand the difference between service and human identities and the various approaches to securing them to roll out the least-privilege model. Non-human or service identities operate on a consistent and predictable basis. Evaluating which permissions are assigned vs. which are used is important to determine excessive privilege. Non-human identities are programmed for specific purposes, and they seldom change, making it possible to implement the zero-trust model.

However, human identities are used by people, making them unpredictable and difficult to fit into the least-privilege model. To execute on zero trust, organisations must implement a just-in-time (JIT) access programme. It’s impossible to eliminate all access to the cloud by human users.


However, as an alternative, organisations can give DevOps teams the ability to programmatically request short-term access to the cloud for specific tasks in critical environments and ensure that the short-term access integrates into existing communication tools like Slack, Microsoft Teams, and more. Security programmes that don’t account for differences between how to tackle human and non-human identities can lead to friction between DevOps and IT teams. Security must be embedded in workflows to ensure it’s scalable.
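The two ideas above, the toxic trilogy (exposed workload, critical vulnerability, over-privileged identity) and the assigned-versus-used permission check for service identities, can be combined into a simple triage pass over a cloud inventory. The following is an added example by the editor, not code from Tenable or from the interview; the inventory, the permission names and the CVE placeholders are constructed, and the over-privilege rule (any wildcard grant, or more than half of assigned permissions unused in the logs) is an assumption chosen for illustration.

```python
"""Toxic-trilogy triage over a constructed cloud inventory (editor's example)."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    public: bool          # reachable from the internet
    critical_cves: list   # unpatched critical CVEs (placeholder ids below)
    assigned: set         # permissions granted to the attached identity
    used: set             # permissions actually observed in activity logs


# Constructed sample inventory; CVE ids are placeholders, not real advisories.
INVENTORY = [
    Workload("api-gw", True, ["CVE-XXXX-PLACEHOLDER-1"],
             {"s3:GetObject", "s3:PutObject", "iam:PassRole", "ec2:*"},
             {"s3:GetObject"}),
    Workload("batch-worker", False, [],
             {"s3:GetObject", "sqs:ReceiveMessage"},
             {"s3:GetObject", "sqs:ReceiveMessage"}),
    Workload("web-front", True, [], {"s3:GetObject"}, {"s3:GetObject"}),
]


def unused_permissions(w: Workload) -> set:
    """Assigned-vs-used diff: what the identity holds but never exercises."""
    return w.assigned - w.used


def is_over_privileged(w: Workload, unused_ratio: float = 0.5) -> bool:
    """Assumed rule: wildcard grants, or most permissions unused, mean excess."""
    if not w.assigned:
        return False
    wildcard = any(p.endswith("*") for p in w.assigned)
    ratio = len(unused_permissions(w)) / len(w.assigned)
    return wildcard or ratio > unused_ratio


def triage(workloads: list) -> list:
    """Return (name, factors) with the most risk factors first."""
    rows = []
    for w in workloads:
        factors = {"exposed": w.public,
                   "vulnerable": bool(w.critical_cves),
                   "over_privileged": is_over_privileged(w)}
        rows.append((w.name, factors))
    return sorted(rows, key=lambda r: -sum(r[1].values()))


def toxic(workloads: list) -> list:
    """Names of workloads where all three factors converge."""
    return [n for n, f in triage(workloads) if all(f.values())]
```

The `used` set stands in for whatever the activity logs show; `unused_permissions` is the starting point for a least-privilege policy, and `toxic` is the list to remediate first.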
