On-premises infrastructure has long been considered safer and more securable than its cloud counterpart. An increase in cyberattacks on on-premises systems is challenging this surety.
There are advantages and disadvantages of on-premises and cloud-based IT infrastructure. On-premises IT infrastructure can allow for more granular control of security configuration and ongoing management, but maintenance of on-prem systems requires more involvement than provider-maintained cloud-based IT.
On the one hand, vulnerabilities in on-premises systems can be assigned a Common Vulnerabilities and Exposures (CVE) categorization, and a procession of patches and updates will follow. On the other hand, such a clearly indexed catalog of flaws increases the discoverability and exploitability of these vulnerabilities for cybercriminals.
Despite greater granularity and helpful CVEs, remaining current on security patches and updates is particularly challenging for security operations (SecOps) teams amidst today’s reported shortage of cybersecurity staff. This heavily involved upkeep — updates, patches, security posture monitoring — is why on-premises systems are harder to keep secure and why they’re more popular targets for cybercriminals to breach.
Cloud flaws often are not categorized with a CVE, so criminals have more difficulty identifying and exploiting cloud vulnerabilities. Additionally, security for cloud-based infrastructure requires less involvement from SecOps functions than on-premises security maintenance, as much of the upkeep and security updates are maintained by the cloud provider.
Due to the nature of shared security responsibilities with a provider and the subsequent lighter upkeep needs, software as a service (SaaS) is proving to be more securable than on-premises configurations. However, it is imperative that SecOps leaders are hyper-aware of the consequences of taking the automatically updated security of cloud-based systems for granted. SaaS is not inherently safer from the get-go — it must be correctly configured, operated and maintained. Misconfigured (or worse yet, under-configured) SaaS environments are as vulnerable as outdated on-premises systems, and a cloud breach has more potential for widespread data exfiltration than a breach of on-premises systems. A cloud breach can compromise data from multiple customers who are using the specific service, for example, whereas in on-premises infrastructure, a data breach will likely expose data from only a single organization.
Increasing attacks against on-premises systems
As the walls and defenses around cybersecurity are built higher and bolstered, craftily engineered advanced persistent attacks against on-prem systems such as the 2020 SolarWinds and 2021 Kaseya events will become a trend.
In December 2020, SolarWinds discovered that nation-state threat actors had placed a backdoor in software updates for the vendor’s Orion platform. As SolarWinds pushed out the updates to thousands of customers, the hackers exploited the backdoors to breach high-value targets, including large tech firms, service providers and U.S. government agencies. The threat actors’ toolkit included tactics to use administrative permissions acquired via on-prem compromises to forge trusted tokens and impersonate existing users and accounts.
In July 2021, Kaseya’s on-premises appliances were the target of a sophisticated supply chain attack. While the vendor was working on a patch for a vulnerability that had been flagged to them back in April, a ransomware gang exploited the flaw. Though Kaseya shut down their own cloud and advised customers to power off their on-premises Kaseya VSA servers, about 60 of their managed service provider (MSP) customers’ on-prem servers were also infected, leading to up to 1,500 downstream infections.
Supply chain attacks, and persistent ones, are attractive to threat actors because they’re silent, and victims never know where and when the attack lands. Such an attack can be ongoing for an extended period before a security team detects it, just as in the SolarWinds breach, which was instigated as early as September 2019 and discovered in December 2020.
Where does this leave security leaders at small- and mid-sized businesses? Decision-makers and leaders would do well to pursue the more secure, cloud-based infrastructure and to ensure their security posture is healthy, particularly their SaaS security posture.
Proceed with cloud caution: Do not set it and forget it
Many organizations have embraced cloud-based infrastructure and readily adopted a SaaS model. Unfortunately, many businesses also tend to outsource as much of their security operations as possible and hope for the best.
CISOs and leaders of small security teams, however, must not get too comfortable once they have outsourced their infrastructure or operations. Any certainty or assuredness that manifests from outsourcing security or pivoting from on-prem to SaaS must be curbed. Rather than bask in the perceived safety of managed services and cloud-based infrastructure, SecOps leaders need to embrace tools, approaches and tactics to ensure their security in a SaaS and hybrid environment.
The security posture of every organization is measured by its weakest link, so if a single vulnerability or point of failure coexists with a buttoned-up SaaS environment, a rich portfolio of cybersecurity tools, vendors and services, and all the top-rated managed security services on the market will fall short.
For example, the pandemic-induced global dispersal of workforces into remote locations has increased the use of both company-issued and personal mobile and handheld devices for work purposes. There are more handheld endpoints than ever, which complicates and convolutes the figurative security perimeter.
Routine check-ups of the organization’s security posture are mandatory. Finding any security gaps — in the organization’s IT assets, from SaaS applications, data pipelines, services and networks to code repositories, appliances, company-issued endpoints and personal mobile devices — is critical to ensure that vulnerabilities are known and SaaS security is watertight.
Enlisting MSPs and managed security service providers (MSSPs) is a resourceful tack for organizations of all sizes, especially for small- and mid-sized businesses or short-staffed IT or security functions. MSPs and MSSPs are generally more aware of cyber hazards than the typical organization, and they are quicker to both detect and act when events occur. However, when security leaders outsource some security operations to a service provider, it’s critical not to entrust them with permissions to the entire IT infrastructure. No service provider should ever be granted all permissions. If the headline-topping supply chain attacks this year were any indication, it’s evident that mid-sized businesses are vulnerable to the damaging downstream impacts of large-scale supply chain attacks that affect their service providers. If an SMB’s service provider suffers a cyberattack or is breached, and that MSSP or MSP has credentials to that SMBs entire environment, then that SMB’s systems are also compromised.
SecOps, by policy, must only grant relevant permissions to what’s necessary for a service provider to do their job.
At this point, a zero-trust model is non-negotiable, especially given the proliferation of supply chain attacks and the use of personal mobile devices for work purposes throughout the course of the pandemic. A zero-trust approach to security is not a panacea, though, and SecOps leaders cannot take a set it and forget it attitude, just as they mustn’t forgo routine checks to ensure their hybrid or cloud-based environments are configured and operating correctly.
SMBs should consider turning to SaaS
The increase of attacks against on-premises systems is a harbinger of trends to come. Even known, CVE-assigned flaws are risk-laden points of failure because they exist until they are manually patched. And patching requires the investigative resources, tools, and the ability to get ahead of any third parties who are also privy to a vulnerability or, in many cases, to mend a disclosed breach before more damage occurs.
The cloud certainly has its risks, but SaaS environments also enable quicker time-to-respond to a breach or to push an update or patch. With today’s dispersed workforces, the agility, speed and reach inherent to SaaS environments are tangible advantages most organizations should not pass up. When it comes to cloud-based security, SMBs particularly have a great opportunity to balance the SecOps resources they do have with the support of SaaS providers or MSSPs.