Public cloud adoption enables enterprises across all sectors to collaborate more efficiently, especially in today’s highly remote business environment. The cloud offers many advantages: faster deployments, increased agility and resilience, lower risk, auto-scalability, and cost-effectiveness for enterprises of all sizes.
The use of public clouds is growing, and so are the attacks targeting them. But that doesn’t mean public clouds are risky or that organizations should stay away from them. While even public cloud infrastructure is now far more secure, data in the cloud is still vulnerable due to a significant challenge: misconfiguration. High-profile data breach incidents have shown that the cause of most successful cyberattacks on public cloud instances is due to misconfigurations rather than vulnerabilities. Therefore, adequately configuring systems is critical for reducing the chance of a breach.
Why misconfiguration is the top cloud vulnerability
Cloud providers are continuously introducing new features and functionalities to their services, which is exciting and promising. At the same time, however, these changes add complexities to cloud environments that make it harder to protect against misconfigurations and compliance risks and keep data secure. While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability that the bad actors can exploit to access cloud data and services. Often arising from cloud service policy mistakes or a misunderstanding of shared responsibility, misconfiguration has an impact that varies from denial-of-service susceptibility to account compromise.
The impact of cloud misconfigurations
Misconfigurations create entry points for hackers. It can only take a few minutes for a system to be compromised. However, many organizations still take days, months, or longer to realize that an intruder has accessed their data, and then they start taking corrective action.
Cloud misconfiguration errors related to public access to storage buckets, account permissions, password storage and management, unencrypted data stores, etc., have led to numerous data breaches and the exposure of billions of records. Victims included high-profile companies such as Capital One, Facebook, Ford, and Netflix.
There are countless examples of cloud misconfiguration–related data breaches, but one worth mentioning occurred in 2018 when FedEx unknowingly exposed thousands of scanned documents due to the company’s failure to secure an Amazon Web Services (AWS) cloud storage server. The breached documents included passports, drivers’ licenses, and applications for delivery of mail forms that contained customers’ names, home addresses, phone numbers, and zip codes.
The causes of cloud misconfiguration that can lead to data breaches
According to Gartner, nearly all successful attacks on cloud services result from customer misconfiguration, mismanagement, and mistakes.
As more organizations store data in the cloud, cases of cloud configuration errors are bound to increase. Cloud misconfiguration is most frequently caused by:
Lack of understanding of the shared responsibility model: Cloud security and compliance are shared responsibilities between the cloud service provider (CSP) and the customer. The CSPs provide the security “of” the cloud service and infrastructure, and the security “in” the cloud service is the customer’s responsibility. In all cases, it is the enterprise’s responsibility to ensure that its data is adequately protected. CSPs are responsible for detecting threats, updating, patching, and incident response to the cloud infrastructure. The enterprises are responsible for detecting, responding to, updating, and patching their cloud assets and resources. Understanding the shared responsibility model and the proper configuration of the account can help enterprises align and implement compliance and security policies as per their industry domain.
Lack of visibility and control: If you can’t see the data in the public cloud, you can’t secure it. It is essential to accurately discover and track assets and inventory with complete context, configuration status, and weak spots. Potential risk areas include databases with ports open to the public internet that could allow attackers to access cloud storage services set to public. While it might take some time and effort for the IT and security teams to have visibility into all assets and resources, it is necessary for securing the platform.
Poor access and permission management: Access management is one of the most common security risks. Incorrect access management configuration often leads to over-privileged users gaining access to sensitive data. Extensive access permissions to IAM users, groups, and cloud services is a risky practice. If such credentials get compromised, cybercriminals may access any services and data, expose assets, and compromise data. In a notable example, poor access management at Uber leaked the personally identifiable information (PII) of 57 million users.
Misconfigurations in network security groups: Misconfigured network security groups allow attackers to abuse the exposed services and ports to make their way into the cloud-based systems through a brute-force attack or by exploiting known vulnerabilities. It is the second most widely reported security risk after storage bucket misconfiguration.
Human errors: Human error is the most common cause of misconfiguration due to complex and multiple levels of configuration. In the absence of automation, cloud workloads and cloud security services are manually configured, increasing the chance of human error. Relying on a CSP’s default configurations can also cause problems and lead to increased security risk.
Lack of adherence to compliance regulations and controls: Compliance with standards such as PCI-DSS or SOC communicates an organization’s commitment to doing business the right way and aligning with globally accepted security benchmarks. In many cases, companies may achieve compliance once but find it challenging to manage in the long run, which can lead to financial loss and damage to the company’s reputation.
Lack of encryption: The “Public mode” setting to databases, shared storage, and other cloud provider services is a significant cause of data breaches. It allows cybercriminals to automate their searches for weak security points. The most common misconfigurations still revolve around cloud storage buckets and the objects that are not encrypted, which pose a significant confidentiality risk and make them the number-one target for data breaches.
CI/CD pipelines: With the rapid-release cycles employed by development and DevOps teams, the security and risk management teams struggle to keep up with the changes and gain control over these deployments. The CI/CD pipeline can contain vulnerabilities that have the potential to compromise all systems. Most vulnerabilities relate to configuration or management. A significant portion of security and risk concerns can be addressed during the design and development phase.
Log monitoring disabled: Security incidents and event logs are critical to determine security failures. In case of a compromise, logs are often the first source of information. CSP tools, such as AWS CloudTrail and Azure Monitor, can help ensure that you have security incidents event logs. But they only work when enabled.
Delayed incident response: Serious misconfigurations often go undetected for days or weeks, and it can be very challenging to secure cloud services and applications. Compared to periodic assessments, real-time alerts and notifications help enterprises identify incidents proactively, so they can measure and mitigate violations and risks to critical infrastructure, systems, and data on an ongoing basis.
How can you prevent cloud misconfigurations?
Now that you have a better idea of the common causes of cloud misconfiguration that can lead to security breaches, here are some tips that can help you avoid them.
Gain visibility and control
- Know your cloud environments and define a security foundation.
- Continuously monitor cloud assets and resources for current configuration status.
Audit access and permission
- Review access controls to ensure only authorized users can act.
- Ensure the IAM policies are correctly implemented, such as bucket policies on storage accounts inside of CSPs.
- Enforce the principle of least privilege by only giving users the permissions they need to do their jobs.
- Consider setting up multifactor authentication for credentials to provide an extra layer of security. Access keys can be helpful with periodic rotation.
- Implement logging, which can identify changes to cloud environments and help determine the cause and extent of misconfiguration incidents.
- A dedicated team should monitor logs regularly, as they are a crucial part of incident response.
Enable encryption and backup
- Conduct frequent assessments and audits of storage bucket configuration settings and access policies.
- Encryption, uniform access, and backup of the contents within storage buckets will help to minimize the damage if an incident occurs.
Automate incident response, policy enforcement, and remediation
- Automation eliminates human error and delays caused by workforce bottlenecks. Configure custom/automated alerts and notifications that promptly notify cloud admins and users about misconfigurations with robust remediation.
- Enforce compliance standards with the right tools and processes that can help organizations benchmark against multiple compliance frameworks, such as PCI DSS for retail and HIPAA for healthcare, and established best security practices with the help of cloud-specific benchmarks like Center for Internet Security (CIS).
- Embrace a culture of security and DevOps. Define and integrate strong security policies into all processes used to build or enhance cloud infrastructure.
According to Gartner, 99 percent of cloud security issues over the next several years will be the fault of customers, not cloud services. Cybercriminals are constantly inventing new ways to penetrate the defenses of modern enterprises. Security controls such as Zscaler CSPM offer you the best chance of preventing, detecting, and remediating potential breaches due to misconfiguration and staying compliant.
Zscaler CSPM At a Glance (PDF)