Research published Thursday by Valtix found that 95% of IT leaders say Log4Shell was a wake-up call for cloud security, changing it permanently. Some 87% now feel less confident about their cloud security than they did before the incident.
The research also found that even three months after the incident, 77% of IT leaders are still dealing with the Log4Shell patch and 83% say Log4Shell has affected their ability to address business needs.
Business operations are built around software, and when a foundation of that software becomes vulnerable, it disrupts business operations at scale, across industries, said Davis McCarthy, principal security researcher at Valtix. McCarthy said that IT teams now have a vulnerability built in that isn’t just in the software stack, it’s in the business stack.
“Years of software development will turn into years of remediation,” McCarthy said. “There is no such thing as an invulnerable application. As IT leaders refocus their efforts to gain visibility and control, applying defensive strategies outside of the application, including in the cloud, is imperative.”
Matthew Warner, co-founder and CTO of Blumira, said that for organizations that do not yet have a solid understanding of their exposed attack surface, moving to a cloud environment can create critical gaps in security visibility, further emphasizing that lack of knowledge. Warner said that Log4Shell was a reminder to IT professionals that it’s important not only to understand their attack surface from a port exposure perspective, but also the actual applications used.
“The introduction of cloud architecture may introduce some new risks, such as misconfigurations and insufficient identity and access controls,” Warner said. “These risks existed before remote work, but have grown rapidly, such as lack of employee awareness, solution sprawl, and lack of visibility into employee actions. There are also cloud misconfigurations, which leave an unencrypted data store exposed to the public internet with no need for authentication, or where the principle of least privilege is not applied. And organizations have also experienced data loss due to the ease of sharing data from cloud services with internal and external parties.”
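The misconfiguration classes Warner lists (a data store reachable from the public internet, no encryption at rest, no authentication required, least privilege not applied) are the kind of thing a defender can check mechanically. The script below is an added example, not code from the article, from Valtix, or from Blumira; it audits a small set of constructed storage-bucket configuration records whose field names (`public_read`, `encryption_at_rest`, `require_auth`, `policies`) are an assumption made for illustration and do not correspond to any provider's API. It reports findings for the weak record and produces a hardened copy beside it.

```python
"""Audit constructed cloud storage-bucket records for the misconfiguration
classes discussed above and emit a hardened copy of each weak record.
Added example; the record schema is hypothetical, not a real provider API."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample records (assumed schema, for illustration only).
SAMPLE_BUCKETS = [
    {
        "name": "customer-exports",
        "public_read": True,            # exposed to the public internet
        "encryption_at_rest": None,     # unencrypted data store
        "require_auth": False,          # no authentication needed
        "policies": [{"principal": "*", "actions": ["storage:*"], "resource": "*"}],
    },
    {
        "name": "app-logs",
        "public_read": False,
        "encryption_at_rest": "AES256",
        "require_auth": True,
        "policies": [{"principal": "role/log-writer", "actions": ["storage:PutObject"],
                      "resource": "app-logs/*"}],
    },
]


@dataclass(frozen=True)
class Finding:
    bucket: str
    severity: str
    check: str
    detail: str


def _is_broad_grant(policy: dict) -> bool:
    """A grant violates least privilege if principal, action or resource is a wildcard."""
    wildcard_principal = policy.get("principal") == "*"
    wildcard_action = any(a == "*" or a.endswith(":*") for a in policy.get("actions", []))
    wildcard_resource = policy.get("resource") == "*"
    return wildcard_principal or wildcard_action or wildcard_resource


def audit_bucket(bucket: dict) -> list[Finding]:
    """Return one Finding per misconfiguration class present on the record."""
    name = bucket["name"]
    findings: list[Finding] = []
    if bucket.get("public_read"):
        findings.append(Finding(name, "critical", "public-exposure",
                                "data store is readable from the public internet"))
    if not bucket.get("encryption_at_rest"):
        findings.append(Finding(name, "high", "no-encryption",
                                "data store is not encrypted at rest"))
    if not bucket.get("require_auth", True):
        findings.append(Finding(name, "critical", "no-authentication",
                                "access is permitted without authentication"))
    for policy in bucket.get("policies", []):
        if _is_broad_grant(policy):
            findings.append(Finding(name, "high", "least-privilege",
                                    f"overly broad grant: {policy}"))
    return findings


def audit_all(buckets: list[dict]) -> list[Finding]:
    return [f for b in buckets for f in audit_bucket(b)]


def hardened_copy(bucket: dict) -> dict:
    """Corrected configuration beside the weak one: private, encrypted,
    authenticated, and with wildcard grants removed rather than kept."""
    fixed = dict(bucket)
    fixed["public_read"] = False
    fixed["encryption_at_rest"] = bucket.get("encryption_at_rest") or "AES256"
    fixed["require_auth"] = True
    fixed["policies"] = [p for p in bucket.get("policies", []) if not _is_broad_grant(p)]
    return fixed


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_BUCKETS):
        print(f"[{finding.severity}] {finding.bucket}: {finding.check} - {finding.detail}")
    for bucket in SAMPLE_BUCKETS:
        remaining = audit_bucket(hardened_copy(bucket))
        print(f"{bucket['name']} after hardening: {len(remaining)} findings")
```

Running the script prints four findings for `customer-exports` and none for `app-logs`; the hardened copy of each record audits clean. In a real environment the record loader would be replaced by a read-only call to the provider's inventory API, and the audit would run on a schedule so that drift back toward a weak setting is detected rather than discovered after an incident.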
Casey Ellis, founder and CTO of Bugcrowd, said it’s no surprise to learn that 87% of respondents to this report feel less confident about cloud security now than they used to.
“They just had a crash course in demonstrating the fact that the cloud is based on open source software, which is just as subject to vulnerabilities as its own code,” Ellis said. “And as defenders, there is literally nothing that is 100% secure, even with all the other security benefits that come from using the cloud.”
Chris Olson, CEO of The Media Trust, said IT leaders are right to see Log4Shell as a wake-up call for cloud cybersecurity. Olson said that as one of the many software supply chain vulnerabilities that have emerged in the past two years, it reminds us that cloud configurations are built on many third-party dependencies, from cloud service provider products to software components.
“A vulnerable partner can be the weak link in a chain that leads to crypto mining, botnets, ransomware attacks and data breaches,” Olson said. “In response, organizations need to determine who’s in their digital ecosystem — and then take ownership to protect themselves and their customers from attack. This precaution extends to all digital surfaces, including cloud platforms, but also to websites and mobile applications. From the setup stage onwards, cybersecurity should be a top priority, with ongoing monitoring to detect and remove vulnerable third-party components.”