The cloud is large and everywhere and presents a nearly irresistible attack surface to those looking for a way in. Much has been written broadly about cloud security (including lots of books) and with good reason: It’s impossible to pursue organizational security without coming to terms with what’s going on in the cloud. But the concept of “cloud security” is rather like a shapeshifter, with different meanings, implementations, and outcomes depending on the organizational culture.

Here’s our (very opinionated) take on a somewhat overlooked but very mission critical part of cloud security – the attack surface – including what it is, why it matters, and how so many companies take the wrong approach.

What is cloud security?

The term “cloud security” refers to a bucket list of practices and tools designed to help organizations more safely manage their assets in the cloud. Cloud security can mean what a cloud provider does to physically protect data (through the network, the data centers, the hosts), but can also encompass encryption, security keys, Zero Trust, and secure APIs. Cloud security includes a number of moving parts and is made more complex by the fact that the vast majority of organizations (an estimated 84%) are multi-cloud, meaning they use services from at least two different cloud providers. 

What is a cloud security attack surface?

A cloud security attack surface is another term for all of the known or unknown assets stored or operating in the cloud. The cloud is a favorite attack surface for bad actors because so many organizations cannot or do not track what they own. Unfortunately this is a case where “out of sight, out of mind” come into play.

Why does cloud security matter?

More than 90% of organizations use cloud services, which roughly translates to 90% of organizations at risk of cybersecurity breaches in the cloud. Cloud usage is ubiquitous – the cloud computing market is expected to be worth $1.6 trillion by 2030 according to Precedence Research – and IBM’s Cost of a Data Breach Report 2023 found 45% of breaches are cloud-based. 

But while the cloud is widely recognized as being in need of rigorous security, recent survey data is concerning. For starters, the percentage of organizations with sensitive data in the cloud has increased, according to a 2023 survey from Thales. Three-quarters of those surveyed said more than 40% of their cloud data contains security-sensitive information, up from just 26% last year. And 82% of organizations report their number one cloud priority is spending and not security, a significant change over years past. 

It’s unrealistic to expect any organization to prevent all possible attacks, but we strongly believe now is not the time to slow the security momentum. Cloud usage and breaches are both increasing, and that’s not a coincidence.

Why is it important to secure a cloud attack surface?

All the latest technologies, processes, and plans aren’t going to be enough to buffer any organization against risk unless their cloud security includes a comprehensive and ongoing catalog of assets. Securing your cloud attack surface has to be a priority because of both shifting nature of the scale and scope. 

Cloud sprawl is a real and pervasive problem that leaves the door wide open to potential attackers. Most organizations have no idea of what’s in their cloud and struggle with how to approach managing security for these assets. Having a strategy to keep this evolving landscape protected is crucial to comprehensive security plan for any organization.  

Why organizations struggle with cloud security attack surfaces

What’s great about the cloud - it’s vast and capable of storing and running nearly anything - is exactly what makes it a such a challenge when it comes to finding, identifying, and categorizing what’s there. To effectively map the entire cloud footprint, organizations must gather all cloud asset data from providers, assemble DNS records, and then make sure that internal data sources match external cloud assets. Companies then must conduct comprehensive searches to see what they missed, because simply looking for known assets is entirely missing the point of securing a cloud attack surface. 

If that sounds like a lot, it is. The vastness of this undertaking matches the cloud itself. For many organizations, one or two of these steps is likely all they’re able to do without help. 

What are cloud security attack surface best practices?

The most secure cloud assets belong to organizations that have flipped the narrative and started looking from the outside in; these are companies that have begun to think like attackers.

Here is how your organization can re-think its approach to cloud attack surfaces.

1. Identify what’s in the cloud: As we’ve said, this is easier said than done, but there are open source tools that can make the task much easier. Don’t forget to cross check all results and to push the boundaries to look for assets that could exist unintentionally.
2. Analyze the assets: With potentially tens of thousands of assets discovered, it’s important to remember not all of them are vulnerable, and even those that are might not have exploitable vulnerabilities. Or, the asset might be exploitable but the risk factor for your particular organization might not be that high. That’s all a long way of saying that it’s important to assess both the assets and the organizational appetite for risk and pair them as needed. 
3. Communicate regularly: Establish a process and a regular cadence of communication that both security pros and developers can live with, and check-in to ensure that this step is working. Finding and risk-rating assets can only take cloud attack surfaces so far - to make them safer devs need to address the remediations, so two-way communication is key.

Make the cloud attack surface more secure

While it’s impossible to eliminate all cybersecurity risks, it is possible to be better prepared against future breaches, and that’s where a more shipshape cloud security attack surface comes in. By doing the work to know what’s there and what’s at highest risk organizations can level the playing field a bit when it comes to bad actors. After all, attackers are constantly looking to see where they can get in, and organizations now have the tools to allow them to do the same. 

Want to know more about how to think and act like a hacker?

• Read our five-part series on reconnaissance (start with part one)
• Learn more about how to use ProjectDiscovery tools to find a subdomain takeover
• Take a deep dive into DNS takeovers