Palo Alto Networks’ biannual Unit 42 Cloud Threat Report found that the COVID-19 pandemic, and related shift to remote work, sent cloud security risks through the roof. While that’s become a common theme among recent reports, the numbers still shock, especially among those industries that faced the greatest pressures to adapt and move to the cloud because of the pandemic.
Cloud security incidents for retail, manufacturing, and government grew 402%, 230%, and 205%, respectively, according to Unit 42’s Cloud Threat Report 1H 2021.
“These numbers were definitely shocking, even to us, and we’re in this every day,” said Matthew Chiodi, chief security officer for public cloud at Palo Alto Networks. “These are those industries that are facing the greatest pressures to adapt and scale in the face of the pandemic: retailers for basic necessities, manufacturing, and government for COVID-19 supplies and aid.”
The same industries also saw huge spikes in cloud growth because of the pandemic, he added. “So, the question that I would be asking if I was an attacker: which industry would pose the best risk reward? The answer is retail, manufacturing, and government,” Chiodi said. “And likely because they don’t have the automated security controls in place, they also saw their incidents spike.”
In its most recent report, Palo Alto Networks’ Unit 42 threat intelligence team analyzed data from hundreds of cloud accounts collected between October 2019 and February 2021. The data came from organizations and industries globally, including the Americas, Europe, the Middle East and Africa, and the Japan and Asia Pacific region. It showed a correlation between increased cloud spending due to COVID-19 and security incidents, Chiodi said.
Without Automation, Cloud Growth Leads to Security Incidents
Using Synergy Research’s numbers, the report says organizations globally increased their cloud workloads by more than 20% between December 2019 and June 2020.
“And what we found was that cloud security incidents increased once the COVID-19 pandemic began,” Chiodi said. “The bottom line of everything we found is that without automation, sudden increases in cloud workloads lead to a dramatic growth in security incidents, and that most of the time overwhelms security teams.”
Companies still aren’t using infrastructure as code to mitigate cloud security risks, he added. Infrastructure as code lets DevOps and security teams define cloud resources in templates that can be scanned and deployed automatically before anything reaches production, reducing the manual configuration errors that introduce security risks. Chiodi compared infrastructure as code to Tesla’s autopilot driving function. If you drive down the highway in a regular car, and you lean over to pick up something you dropped, you may swerve into another lane and crash. “With autopilot, it automatically puts you back into the correct lane,” Chiodi explained. “You can almost think of infrastructure as code that same way.”
It provides automated security controls that “make sure what you build from the start is secure,” he added. “If somebody manually changes something, it’ll automatically put you back to that correct configuration. Infrastructure as code really offers DevOps and security teams a predictable way to enforce security standards, and unfortunately, at this point in time, this very powerful capability continues to go unharnessed.”
Infrastructure as Code
In an earlier spring 2020 report, Unit 42 noted that infrastructure as code templates, when regularly scanned for common security vulnerabilities, help secure cloud infrastructure from development through production. With its most recent report, Unit 42 found that some of the security incidents that saw the biggest spikes in frequency can be easily identified and fixed by automating security controls, auditing infrastructure as code templates for risks, scanning cloud environments for misconfigured ports, and comparing cloud configurations to industry-accepted security benchmarks.
These include incidents like malicious port scan activity, which increased 185% during the pandemic, and failure to encrypt SQL and relational databases. “Port scans are not new,” Chiodi said. “But this massive increase shows that attackers know that in the face of a worldwide pandemic, people don’t have the same focus,” and because of this attackers actively searched for vulnerabilities created by growing cloud use.
Surprisingly, the report found that cryptojacking in the cloud declined between December 2020 and February 2021. Only 17% of organizations with cloud infrastructure showed signs of cryptojacking activity compared to 23% from July through September 2020. This is the first recorded drop since Unit 42 began tracking cryptojacking trends in 2018.
Palo Alto Networks’ Big Cloud Five
At the conclusion of the report, Palo Alto Networks provides five recommendations for companies to improve their cloud security. “We refer to these lovingly as the big cloud five,” Chiodi said. “These are five critical areas that, if all organizations, all industries across the board, if they implement and focus on these five areas, they will almost eliminate most of these issues that we talked about in the report.”
The first step is improving awareness and deep cloud visibility. Organizations need to know which clouds and cloud services their developers and business teams use. “Many organizations that have a multi-cloud approach, and most organizations do, they really don’t have a good sense of what they actually have from an asset perspective in the cloud,” Chiodi said. “So start with that. That’s number one.”
No. 2, he said, involves setting security guardrails and automating security controls. This goes back to using infrastructure as code templates and scanning those templates for common misconfigurations. Unlike a traditional data center, with a physical, four-walled perimeter, the cloud requires security teams to “think differently, like an attacker,” Chiodi said.
“Think: OK, what are the misconfigurations in a cloud environment that should never exist? Then you proactively look for those, and when you find them, take corrective actions,” he explained. “An example might be a storage bucket that’s open to the public. If you see that condition, automatically correct it. That’s what we’re talking about when we talk about setting automated security guardrails.”
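The guardrail Chiodi describes, and the template auditing mentioned earlier in the article, can be illustrated with a small scanner. The following is an added example written for this page; it is not code from Unit 42, Palo Alto Networks, or the report. It reads a constructed CloudFormation-style JSON template (the resource names WebAssets, OrdersDb and AdminSg are hypothetical), flags the three conditions the article singles out (a storage bucket open to the public, an unencrypted relational database, and a port open to the whole internet), and automatically corrects the two that have an unambiguous safe setting.

```python
"""Minimal infrastructure-as-code guardrail (illustrative, not a product).

scan() looks for the misconfigurations discussed in the article;
remediate() applies the safe default where one exists, so a template that
has been hand-edited back into a bad state is put "back into the correct lane".
"""
import copy
import json

# Constructed sample template for the demonstration; resource names are hypothetical.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "WebAssets": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "OrdersDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "StorageEncrypted": false}
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
""")

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                            "IgnorePublicAcls", "RestrictPublicBuckets")
# The only ports this policy allows to be exposed to the whole internet.
ALLOWED_PUBLIC_PORTS = {80, 443}


def scan(template):
    """Return a list of (resource_name, check_id, message) findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            acl = props.get("AccessControl")
            if acl in PUBLIC_ACLS:
                findings.append((name, "S3_PUBLIC_ACL", f"bucket ACL {acl} is public"))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS):
                findings.append((name, "S3_NO_PUBLIC_ACCESS_BLOCK",
                                 "public access block is not fully enabled"))
        elif rtype == "AWS::RDS::DBInstance":
            # Treat anything other than an explicit true as unencrypted.
            if props.get("StorageEncrypted") is not True:
                findings.append((name, "RDS_UNENCRYPTED", "StorageEncrypted is not true"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in WORLD_CIDRS:
                    continue
                # Missing ports (e.g. IpProtocol "-1") mean "all ports".
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if rule.get("IpProtocol") == "-1" or lo != hi or lo not in ALLOWED_PUBLIC_PORTS:
                    findings.append((name, "SG_WORLD_OPEN_PORT",
                                     f"{rule.get('IpProtocol')} {lo}-{hi} open to {cidr}"))
    return findings


def remediate(template):
    """Return a corrected copy of the template.

    Buckets are made private with a full public access block and database
    storage encryption is switched on. World-open ports are deliberately left
    alone: there is no safe default, so that finding needs a human decision.
    """
    fixed = copy.deepcopy(template)
    for res in fixed.get("Resources", {}).values():
        props = res.setdefault("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            props["AccessControl"] = "Private"
            props["PublicAccessBlockConfiguration"] = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}
        elif res.get("Type") == "AWS::RDS::DBInstance":
            props["StorageEncrypted"] = True
    return fixed


if __name__ == "__main__":
    for finding in scan(SAMPLE_TEMPLATE):
        print("BEFORE", *finding)
    for finding in scan(remediate(SAMPLE_TEMPLATE)):
        print("AFTER ", *finding)
```

Run against the sample, the scanner reports four findings (public ACL and missing public access block on the bucket, unencrypted database storage, SSH open to the world); after remediation only the SSH rule remains, which is the one a pipeline should block rather than silently rewrite. A production scanner would also have to resolve CloudFormation intrinsic functions such as Ref and Fn::If, which this example does not handle, and would be run on every commit so the template is checked before it is ever applied.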