Misconfiguration remains the number one cause of data breaches in the cloud because change control is so challenging in this environment. It routinely tops the Cloud Security Alliance's leaderboard of threats and was top in the State of Cloud Security 2021 report, while the Cloud Configuration Risks Exposed report found that 90 per cent of organisations are vulnerable to security breaches due to cloud misconfigurations.
It's also a growing problem. An IBM study found that of the more than 8.5 billion breached records reported in 2019, seven billion, or over 85 per cent, were due to misconfigured cloud servers and other improperly configured systems, compared with 2018, when such records made up less than 50 per cent.
What is misconfiguration?
Misconfiguration can broadly be interpreted as a failure to adequately apply restrictions on a service or system residing in the cloud. It occurs when applications are spun up into the cloud and new services are activated, and it can happen in various ways. There could be a failure to configure from day one, leaving systems with default settings, or a failure to apply access restrictions and enforce least privilege. Or perhaps unapproved changes were made in contravention of the security policy. Or systems were left publicly exposed to the internet, a common failing with object storage buckets.
The potential for misconfiguration is vast (the State of Cloud Security report found 49 per cent of teams experience over 50 misconfigurations per day), but there are hotspots. Identity and entitlement management is a case in point: identities proliferate within the cloud, and the permissions granted to each one have to be nailed down. Other areas include security group/firewall rules, whether logging is enabled, and encryption controls for data at rest and in transit. There is also the potential for orphaned resources, which then fly under the security radar.
Current and future issues
The ramifications of misconfiguration can be devastating, with any data breach potentially providing a foothold into the cloud environment. This can lead to the harvesting of credentials, which are then leaked or sold on and used for credential stuffing attacks, the automated injection of username/password pairs into website log-ins. It can also pave the way for lateral attacks, such as ransomware or cryptojacking, whereby cloud resources are hijacked and used to power cryptomining operations.
And it's a problem that is set to worsen because of the way the cloud is evolving. We've seen rapid migration to the cloud during the pandemic, but also expansion leading to higher uptake of hybrid and multi-cloud environments. Using a number of different platforms can make it difficult to maintain visibility, and because service provider offerings are platform-specific and few organisations have pan-cloud security, gaps can result, leaving the business exposed. Many also don't have the internal expertise needed to manage and maintain these environments.
Mitigating misconfiguration
Keeping on top of configuration requires a multi-faceted approach. A priority is maintaining visibility of cloud assets, entities and identities. To do that, you'll need to consider whether your Identity and Access Management (IAM) is fit for purpose and can right-size privileges so that the appropriate level of access is assigned to cloud services.
You'll also need to consider how you can maintain a unified approach to configuration as your cloud footprint grows, and ensure policies are applied across different computing environments, i.e. hybrid and multi-cloud. That's often more difficult than it sounds, because determining who is responsible for configuration can be complex, with implementations typically spanning multiple teams, i.e. DevOps, security/compliance teams and external advisors.
The need to continually spin up and change services, often on a daily basis, means you'll also need oversight of all APIs and interfaces, which requires some form of automation of cloud compliance. Policy as code (PAC) and infrastructure as code (IAC) can both be used to help monitor the environment, while Cloud Security Posture Management (CSPM) can help with managing compliance and monitoring across the multi-cloud. CSPM can't perform identity and entitlement management, though; for that you'll need Cloud Infrastructure Entitlement Management (CIEM).
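To make the policy-as-code idea concrete, the following is an added example (not from the article or any vendor product) that evaluates a small resource inventory against the misconfiguration hotspots named above: publicly exposed buckets, encryption and logging settings, firewall rules open to the internet, and wildcard IAM permissions. The inventory records and their field names are constructed assumptions, not a real provider's schema.

```python
# Added example (not from the article or any vendor product): a minimal
# policy-as-code check over a cloud resource inventory. The records and
# field names below are constructed to resemble an IaC plan or CSPM export;
# they are assumptions, not a real provider schema.
from typing import Dict, List

# Constructed sample inventory covering the hotspots the article names:
# exposed storage, encryption, logging, firewall rules and over-broad IAM.
INVENTORY: List[Dict] = [
    {"id": "bucket-logs", "type": "bucket", "public": True, "encrypted": False, "logging": False},
    {"id": "bucket-app", "type": "bucket", "public": False, "encrypted": True, "logging": True},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "role-ci", "type": "iam_role", "actions": ["s3:GetObject", "*"]},
    {"id": "role-reader", "type": "iam_role", "actions": ["s3:GetObject"]},
]

ADMIN_PORTS = {22, 3389}  # remote-admin ports that should never face 0.0.0.0/0


def check_resource(r: Dict) -> List[str]:
    """Return policy violations for one resource; an empty list means compliant."""
    findings: List[str] = []
    if r["type"] == "bucket":
        if r.get("public"):
            findings.append("bucket publicly exposed")
        if not r.get("encrypted"):
            findings.append("encryption at rest disabled")
        if not r.get("logging"):
            findings.append("access logging disabled")
    elif r["type"] == "security_group":
        for rule in r.get("ingress", []):
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(f"port {rule['port']} open to the internet")
    elif r["type"] == "iam_role":
        # A bare "*" or "service:*" action grants far more than least privilege needs.
        if any(a == "*" or a.endswith(":*") for a in r.get("actions", [])):
            findings.append("wildcard permission violates least privilege")
    return findings


def evaluate(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each non-compliant resource id to its list of findings."""
    return {r["id"]: f for r in inventory if (f := check_resource(r))}


if __name__ == "__main__":
    for rid, issues in evaluate(INVENTORY).items():
        print(rid, "->", "; ".join(issues))
```

Run against a real IaC plan or CSPM export, the same shape of check is what gates a pipeline or raises a posture alert; the rules here are deliberately the minimum that covers each hotspot.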
Yet even with these advanced automation tools, you'll need eyes on the output to resolve issues. Having the expertise to manage, interpret and respond appropriately remains a real concern for cloud teams, with 35 per cent of those surveyed in the State of Cloud Security report saying they need better guidance on the remediation of misconfiguration in cloud environments and IAC.
For this reason, many organisations periodically carry out a cloud security configuration review using a third party to establish where misconfigurations are and obtain remediation advice. This inventories the cloud estate across all cloud provider platforms and highlights any weaknesses in the security profile, giving a true indication of where the issues are as well as a clear means of resolution.
Phil Robinson is the founder of Prism Infosec, which offers cutting-edge penetration testing, red teaming and security consultancy services for cloud and traditional on-prem architectures and enterprise applications. He has been instrumental in the development of numerous penetration testing standards and certifications and has worked as a CLAS Consultant/Senior CCP Security and Information Risk Advisor. He regularly speaks out about penetration testing and e-crime to help promote cybersecurity awareness and industry best practice.