Another week and another cloud misconfiguration has hit the headlines. It seems as though a day doesn’t go by where the news cycle doesn’t contain a story relating to a leaky storage bucket or accidentally exposed database due to a security misconfiguration within infrastructure-as-a-service (IaaS). Noted as an end-user mistake, studies show 90 percent of UK data breaches were a direct result of human error, while the Verizon Data Breach Investigations Report revealed that more than 40 percent of all error-related breaches involved misconfigurations.
You only need to be reminded of the devastating 2019 Capital One breach, which impacted over 100 million people and was a direct result of a misconfigured system within the hosted Amazon Web Services cloud architecture – an estimated $150 million mistake that many organizations will want to avoid. The concern is that this critical cloud security issue will continue as more businesses rapidly adopt this technology in the wake of the recent pandemic. Indeed, Gartner predicts that by 2022, roughly 95 percent of cloud security failures will be because of the failure of the customer i.e., misconfiguration mistakes.
There are a number of reasons why misconfigurations occur, especially in the cloud. For example, often there is a misunderstanding as to who is responsible for protecting the cloud server. Is the cloud service provider responsible or the customer/data owner? Popular cloud service providers, such as Google, Amazon and Microsoft Azure, all protect the physical data centers and the hardware these operate on. The responsibility for securing the actual data, applications and virtual machines falls to the customer. There are security tools that the customer can leverage from the cloud service provider, but these must be implemented by the end user.
Typically, a security breach occurs because a hacker has taken the initiative to exploit a system or database that has been left open or misconfigured. This method of attack is purely opportunistic, but there are many tools and services available to cybercriminals to automate detection and location of misconfigured cloud servers. Furthermore, with organizations adopting multi-cloud environments, and a lack of knowledge around cloud security, the likelihood of cloud misconfigurations will escalate.
To assist organizations and security teams get a foothold on their cloud security duties, here is a 7-step checklist to follow:
1. Determine responsibility
It’s important to identify who in your business has the responsibility for implementing cloud security controls. Whilst DevOps teams are known for being agile and thrive on increased efficiency through automation, they aren’t security minded. SecOps on the other hand, are intrinsically risk-averse and prone to slow down development speed. It’s then essential to work together to understand your cloud needs and integrate security that works for your business, so any security ambiguities and gaps are avoided.
2. Ensure cloud visibility
With the fast adoption of cloud and the increased complexities in shared responsibility, this can introduce security blind spots including cloud sprawl and supply chain risks. To keep a close eye on your critical assets and data, make sure you leverage cloud APIs to maintain maximum visibility through auto-discovery to ensure every cloud service is known to avoid shadow IT.
3. Protect your workloads
Workloads in and out of cloud are still your responsibility and as Gartner states, ensure your cloud workloads are secured when passing through public cloud IaaS with Cloud workload protection platforms (CWPP) with integrated vulnerability management. This will help continuously detect rogue workloads including malware and cryptomining causing problems later, including data leakage and costing you more time and budget to fix.
4. Secure DevOps
Security needs to keep up with your agile DevOps workflow and be fully integrated into your CI/CD pipeline, ensuring vulnerabilities can be remediated with ease before moving onto release. Introducing continuous application security testing and container inspection tools into your SDLC will ensure security flaws are flagged early on and your developers aren’t hindered by security controls and you remain compliant.
5. Harden cloud configurations
Cloud Security Posture Management (CSPM) provides enterprises with enhanced visibility and automated hardening of public cloud environments and with the vast amount of complexity within the cloud it’s easy for problems to arise and be missed. CSPM automatically checks all elements against the CIS security benchmark, removing the need for manual checks and keeping your business secure against the industry cloud security standard for reporting and auditing purposes.
6. Limit access
Access to cloud servers where sensitive data resides must be restricted utilizing multi-factor authentication and securing privileged access. Anomalous and suspicious activity needs to be monitored continuously to spot irregular behavior for logging and auditing purposes. Using conditional access to enable a zero-trust approach when utilizing cloud is recommended as there have been instances where system administrators have granted global permissions on cloud servers to anyone that has an internet connection leading to costly data leakage and exposure.
7. Simplify multi-cloud security management
Each cloud service provider comes with its own set of security and access controls. If you are running multiple public clouds for different workloads, it’s almost impossible for the security team to master all controls without error. Taking a unified approach to multi-cloud security will mean organizations address issues before they occur, instead of allowing them to fester for exploitation later. Instead of relying on the native security tools by each vendor, opt for a cloud security solution that has the automated capabilities to provide continuous monitoring and visibility in multi-cloud environments to detect for misconfigurations and simplify ongoing security management across the most complex cloud setups.
Sergio Loureiro, Cloud Security Director, Outpost24