The Cloud Edge Is the New Attack Surface


As companies expand their use of cloud computing beyond a few dozen applications to build the connective tissue between data centers and endpoints, their attack surface — the cloud edge — has grown.

But securing that edge can be difficult. While security and operations teams are used to applying security at the edge of their own networks, the cloud edge is not always theirs to manage. Communications between cloud workloads often traverse the public Internet, putting data at risk of interception and opening up new holes in an organization's attack surface, experts say.

Most companies do not have visibility into the Internet of Things (IoT) devices connected to their cloud services, the workloads spun up by every developer, or the service accounts and artificial intelligence (AI) agents that increasingly connect to services and hardware through the cloud, says John Qian, CISO at Aviatrix, a network security vendor.

Users have to make sure that their connection from the edge to the cloud is secure and encrypted end-to-end — not being decrypted before going to the cloud — and that the edge devices are considered untrusted, he says.

"You almost have to assume that attackers can break into those edge devices, and if they do break in, [you] have to ask, 'What sort of blast radius do they have coming into your cloud?'" Qian says.

Traditionally, the network edge has been defined as the organization's own infrastructure that sits geographically and logically close to the end user. Increasingly, that infrastructure is cloud-based and not owned by the company: this is the cloud edge. Companies have moved to secure access service edge (SASE), software-defined WANs, and zero-trust frameworks to help manage and secure this attack surface, but they have run into manageability and performance issues.

Essentially, cloud services and infrastructure connect workstations, devices, workloads, and applications, allowing the distributed workforce to access the company's resources. But if they are not secure, attackers can compromise those resources, says Lawrence Pingree, a technical evangelist at Dispersive, a provider of zero-trust networking.

"The entire network needs to have an extended trust layer from the cloud all the way to the edge locations, and we need to be able to deliver an isolated enclave in that location," he says.

Going Private on Public Clouds

Identity and endpoint protection are two key facets that form the foundation of security, says Aviatrix's Qian. However, much of the cloud edge relies only on usernames and passwords — and, perhaps, two-factor authentication — to protect assets. Additionally, many devices connected to or accessible from the cloud are lightweight and do not have the resources to run security agents.

"You don't really have endpoint protection because you can put agents on certain endpoints, as some of the edge devices are very low-powered," Qian says. 

Low-powered devices often rely on lightweight encryption and lack built-in protection. 

"In those cases, network-layer control becomes critical," he adds.

Aviatrix and Dispersive have both focused on microsegmentation to establish controls around collections of devices — or around a single device — and encryption to keep data and communications secure. This cloud-native security fabric (CSNF) allows for devices to communicate securely through the cloud and not be part of the organization's attack surface, Qian says.

"We're looking at workload-to-workload and cloud-to-cloud communication and want to be able to enforce network policies when we do that," he says.

Dispersive takes a similar approach: it microsegments every workload and every service user according to the edge device interactions they are allowed, and makes devices uncontactable by unauthenticated users, an arrangement Pingree calls a "deflection cloud."
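The two ideas above, a default-deny microsegmentation policy and Qian's "blast radius" question, can be checked mechanically before a device is ever deployed. The following is an added example written for this page, not code from Aviatrix or Dispersive: it models a handful of constructed edge devices and cloud workloads, evaluates an allow-list policy where every rule names a source segment, a destination segment, a port, and whether the caller must present a workload identity (such as an mTLS certificate), and then computes which nodes an attacker who fully controls one device could reach by moving hop by hop through permitted flows. The node names, segments and ports are all constructed for the illustration.

```python
"""Blast-radius check for a microsegmented cloud edge (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Node:
    name: str
    segment: str        # microsegment the device or workload belongs to
    has_identity: bool  # presents a verifiable workload identity (e.g. an mTLS cert)


@dataclass(frozen=True)
class Rule:
    src_segment: str           # "*" matches any segment
    dst_segment: str
    port: Optional[int]        # None matches any port
    require_identity: bool = True


class Policy:
    """Default-deny allow-list: a flow is permitted only if some rule matches it."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def allows(self, src: Node, dst: Node, port: Optional[int]) -> bool:
        if src.name == dst.name:
            return False
        for r in self.rules:
            if r.src_segment not in ("*", src.segment):
                continue
            if r.dst_segment not in ("*", dst.segment):
                continue
            if r.port is not None and r.port != port:
                continue
            # Unauthenticated callers are "uncontactable" targets' worst case:
            # they match no identity-requiring rule at all.
            if r.require_identity and not src.has_identity:
                continue
            return True
        return False


def blast_radius(policy: Policy, nodes: List[Node], compromised: str) -> List[str]:
    """Worst-case reachability: every node an attacker holding `compromised`
    can reach, treating each newly reached node as compromised in turn."""
    by_name = {n.name: n for n in nodes}
    ports = {r.port for r in policy.rules}  # only ports the policy ever names matter
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = by_name[queue.popleft()]
        for other in nodes:
            if other.name in seen:
                continue
            if any(policy.allows(cur, other, p) for p in ports):
                seen.add(other.name)
                queue.append(other.name)
    seen.discard(compromised)
    return sorted(seen)


# Constructed inventory: two authenticated sensors, one unauthenticated kiosk,
# and three cloud workloads in separate segments.
NODES = [
    Node("sensor-1", "edge-sensors", True),
    Node("sensor-2", "edge-sensors", True),
    Node("kiosk", "edge-unauth", False),
    Node("ingest-api", "cloud-ingest", True),
    Node("db", "cloud-data", True),
    Node("admin-console", "cloud-admin", True),
]

# A flat network: anything may talk to anything, identity not required.
FLAT = Policy([Rule("*", "*", None, require_identity=False)])

# A microsegmented network: sensors may only reach the ingest API over 443,
# the ingest API and the admin console may reach the database, and no
# sensor-to-sensor (east-west) flow exists at all.
SEGMENTED = Policy([
    Rule("edge-sensors", "cloud-ingest", 443),
    Rule("cloud-ingest", "cloud-data", 5432),
    Rule("cloud-admin", "cloud-data", 5432),
    Rule("cloud-admin", "cloud-ingest", 443),
])


if __name__ == "__main__":
    for label, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        for device in ("sensor-1", "kiosk"):
            print(f"{label:9s} compromised {device:8s} -> {blast_radius(policy, NODES, device)}")
```

Run as a script, the flat policy lets a single compromised sensor reach every other node, while the segmented policy confines it to the ingest API and, transitively, the database, and the unauthenticated kiosk reaches nothing because no rule accepts a caller without an identity. The transitive walk is deliberately pessimistic: it assumes that reaching a workload over a permitted port is enough to compromise it, which is the assumption Qian suggests defenders make when sizing the blast radius of an edge device.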

"The average security company is using open source [code] for darn near everything they deliver," he says. "You can't tell things like the type of cryptography used. You can't tell that it's even encrypted — it looks like junk."

Better Security, Better Performance

In contrast, Pingree says Dispersive has built its own patented capabilities and can actually obfuscate the network. By rearchitecting how devices at the cloud edge communicate, the approach delivers better security, more control, and better performance, he says.

On the performance side, the rapid move to AI workloads has changed traffic patterns, causing inefficiencies, Pingree says.

"The problem is, when you start doing AI, you're uploading binaries, you're doing all of these highly interactive things, and what that means is it's changing the way that the traffic itself is represented on the network," he explains. "So you switch to SASE, and then you add AI, and all of these traffic patterns are basically completely reversing."

In addition, the convergence of AI and quantum computing is a major future threat, capable of accelerating the discovery of zero-day vulnerabilities and breaking current encryption standards. Companies need to ensure the cloud edge does not become a wide-open attack surface, Pingree warns.

"Imagine that AI and quantum can do these [promised attacks] with full automation and break [weak] cryptography on demand," he says. "You have to be prepared. It's not something that you can do after the fact."

By combining microsegmentation and encryption on the network side with identity and endpoint protection, users may finally be able to trust the cloud edge.