Since you’re reading these words, chances are you have some reservations about cloud security. You may even be considering limiting your use of cloud services to prevent security issues from impacting your operations.
Yet as Gartner recently pointed out, the challenge of protecting data lies not in the security of the cloud itself but in the policies and technologies used for securing it. In fact, Gartner predicts that through 2025, 99 percent of cloud security failures will be the customer’s fault.
What’s more, Gartner also predicts that through 2024, the majority of organizations will continue to struggle to appropriately measure cloud security risks. This is largely due to a widespread lack of visibility and control over data assets and identity and access management (IAM). It’s difficult to calculate risk if you don’t know where your information lives and who has access to it.
Given this, one of the most important things you can do when forming a cloud risk management strategy is to understand your blast radius and its potential impact on your company.
With that in mind, let’s take a closer look at this critical security term.
What is a Blast Radius?
A blast radius is a way of measuring the total impact of a potential security event. For example, imagine an intruder worms their way into a cloud server. In this scenario, the blast radius would be the overall amount of damage that the intruder could inflict after gaining access to the system.
It’s important to remember that your blast radius is usually much larger and more significant in the cloud. If someone compromises an account with admin privileges or a root account, for example, they could easily cascade across an entire data center and cause catastrophic damage to the business.
While cloud providers often advertise strong security and compliance measures, security is almost always a shared responsibility. Unfortunately, many companies rush into cloud migrations and recklessly spin up servers, assuming that providers like AWS will manage and fortify their accounts. As a result, these companies are often exposed to a variety of threats. Some of the most common cloud threats include unauthorized access (42 percent), insecure interfaces (42 percent), platform misconfiguration (40 percent), and account hijacking (39 percent).
How to Determine Your Blast Radius
As AWS VP and Distinguished Engineer Peter Vosshall explains, failure isn’t binary. Rather, there is always a degree of impact to consider. In this light, there is no single way to determine the blast radius. It turns out there are a few different ways to approach the topic and measure blast radius, which we’ll examine next.
One of the most obvious ways of measuring blast radius is by customer impact. Your blast radius can describe the overall number of customer accounts that are at risk from a security incident.
Another way to measure blast radius is to think about account functionality or the individual processes that may be impacted during an attack.
You can also determine blast radius by location. A small radius may include a compromised server or rack. In a larger attack, a blast radius could even include an entire region.
How to Reduce Your Blast Radius
Ideally, companies should plan ahead to limit the amount of damage that a bad actor could cause. As Murphy’s Law goes, anything that can go wrong will go wrong; it’s only a matter of time. That being the case, you should anticipate that your cloud environments will be compromised eventually. Don’t wait until after you detect a breach to spring into action. At that point, it could be too late. By taking a proactive stance toward reducing your attack surface with strong security measures, you can limit the spread of the attack.
One of the most effective ways of limiting your blast radius is to isolate your cloud accounts. Create different accounts for developers, security teams, operations, and business units, and grant access only as needed.
The reason for doing this is simple: In a network with multiple isolated accounts, a hacker would be unable to move laterally, and the blast radius would be very small. When accounts and workloads are linked, the blast radius can be massive, stretching across the entire organization.
Beyond access control, it’s also important to relentlessly monitor all of your data, resources, and microservices. Consider investing in a security platform that provides complete visibility into where your data lives, who is accessing it, and from where. You should also have direct visibility into what normal access behavior looks like. The platform should be able to flag suspicious access activity or unwanted changes in access rights.
For example, if someone logs into a server in the middle of the night from a country where you don’t do business, an alert should be immediately triggered, and predefined security actions should be automatically deployed — like temporarily shutting down the account and terminating user access.
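As an added illustration, not part of the original post, here is the kind of rule such a platform would apply, run over constructed CloudTrail-style login and IAM events: logins from outside the countries you operate in or outside business hours, and changes to access rights, are flagged and mapped to a predefined response. The geo_country field, the allowed-country and business-hours thresholds, and the response names are assumptions.

```python
import json
from datetime import datetime
# Assumptions: geo_country is added by an upstream IP-geolocation step (CloudTrail
# records only the source IP); the thresholds below stand in for the business's own policy.
ALLOWED_COUNTRIES = {"US", "DE"}     # countries where the business operates
BUSINESS_HOURS_UTC = range(8, 18)    # 08:00-17:59 UTC counts as normal
PRIVILEGE_CHANGE_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                           "AttachRolePolicy", "CreateAccessKey"}  # changes to access rights

def classify_event(event):
    """Return the names of the rules this event trips (empty if it looks normal)."""
    findings = []
    name = event.get("eventName")
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")  # CloudTrail times are UTC
    if name == "ConsoleLogin" and event.get("responseElements", {}).get("ConsoleLogin") == "Success":
        if event.get("geo_country") not in ALLOWED_COUNTRIES:
            findings.append("login_from_unexpected_country")
        if when.hour not in BUSINESS_HOURS_UTC:
            findings.append("login_outside_business_hours")
    if name in PRIVILEGE_CHANGE_EVENTS:
        findings.append("access_rights_changed")
    return findings

def planned_response(findings):
    """Map findings to a predefined action name (assumed playbook, not a real API call)."""
    if "login_from_unexpected_country" in findings or "access_rights_changed" in findings:
        return "disable_user_and_revoke_sessions"
    return "notify_security_team" if findings else None

def scan(raw_lines):
    """Parse one JSON event per line; return {user: [rule names]} for flagged users."""
    flagged = {}
    for line in raw_lines:
        ev = json.loads(line)
        hits = classify_event(ev)
        if hits:
            user = ev.get("userIdentity", {}).get("userName", "<unknown>")
            flagged.setdefault(user, []).extend(hits)
    return flagged

# Constructed sample events (not real log data); the IPs are documentation addresses
SAMPLE_LOG = [
    '{"eventName": "ConsoleLogin", "eventTime": "2024-03-04T10:15:00Z", "sourceIPAddress": "203.0.113.5", "geo_country": "US", "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}}',
    '{"eventName": "ConsoleLogin", "eventTime": "2024-03-04T03:02:00Z", "sourceIPAddress": "198.51.100.9", "geo_country": "XX", "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}}',
    '{"eventName": "AttachUserPolicy", "eventTime": "2024-03-04T03:05:00Z", "sourceIPAddress": "198.51.100.9", "geo_country": "XX", "userIdentity": {"userName": "bob"}}',
]
if __name__ == "__main__":
    for user, rules in scan(SAMPLE_LOG).items():
        print(user, rules, "->", planned_response(rules))
```

Only alice's daytime login from an allowed country passes; bob's night-time login from an unexpected country followed by a policy attachment trips all three rules and maps to the disable-and-revoke action.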