Cloud misconfigurations are becoming a major security risk among organizations using public clouds
The need for smart cybersecurity never gets a holiday. That was made clear in December, a time when many organizations slow down production or close shop for a few days, when several high-profile data breaches were announced. For example, hundreds of thousands of birth and death certificates were exposed, unprotected, while thousands of former Sprint customers learned that their phone bills (and all the sensitive information included on them) could be found online and compromised. And it was discovered also that the private information of Boeing employees was readily available to anyone who wanted it.
These data breaches weren’t the work of a skilled hacker or a malware infection. They were all the result of misconfiguration of a public cloud architecture. Cloud security has long been a challenge for many organizations, but this particular security problem is coming from the inside—mistakes occurring as IT teams set up their cloud architecture.
“As companies bring on extra hands to match the speed of business, networks become increasingly complex, ultimately leading to more human errors,” said Reggie Best, president of Lumeta at FireMon, via email. “To relieve this issue, companies hire multiple vendors to secure their networks, but having too many hands involved actually increases network complexity and leads to more human errors.”
Because of this, cloud misconfiguration is fast becoming a major security risk and could actually slow down overall cloud migration.
Cloud Misconfiguration Woes
One of the most common misconfigurations grants public access to storage buckets. These buckets often are unprotected by authentication methods such as passwords, making them open to anyone who knows where to look. However, access to storage buckets is just one type of misconfiguration—organizations face numerous types of misconfigurations as they migrate to public IaaS cloud environments, Best said. These include having overly permissive security group policies (any to any, for example), misunderstood (undetected, unused or leaking) internet connectivity paths and virtualized network functions that are improperly configured, such as the CapitalOne web application firewall breach.
Some other common issues, he noted, involve security teams not having a full view of the cloud environment, such as a shadow IaaS cloud infrastructure unknown to the IT team and, therefore, not managed even when connected to the enterprise network. Another problem is compute instances that are missed when not scanned for critical vulnerabilities embedded in running software or inappropriate identity-based controls governing access to cloud consoles.
“These misconfigurations pose serious risks to enterprise and other networks, as they enable a dedicated bad actor, either external or internal, to gain access to data or compromise the network for economic gain, espionage, terrorism or vandalism,” Best said.
The Rise in Misconfigurations
The reason cloud misconfigurations are increasing is due to a lack of visibility, as well as rapidly growing public cloud adoption. About 1 in 5 enterprise applications have transitioned to public cloud environments, yet too many security teams don’t have any visibility into what is occurring in these environments. As that percentage inevitably grows, the sheer volume of activity increases the likelihood of misconfiguration, especially due to human error, Best noted.
“This issue is compounded as many security automation tools haven’t kept up with the pace of continuous application development and deployment now used by organizations,” he continued. “There are few security systems that continuously test and validate that cloud and virtual network function policy settings are maintained in real-time in the face of constant development and deployment cycles.”
Fixing the Problem
As public clouds become more widely used within an organization, the risk of misconfiguration grows. But it can be avoided as long as organizations use cybersecurity and policy automation to keep up with the sheer volume of network activity. If more IT security tasks are automated, organizations are better prepared to reduce hybrid cloud complexity and improve network visibility to prevent cloud misconfiguration happening in the first place.
“Enterprises should embed security processes into their continuous development and deployment chain,” Best said. “By using a comprehensive mix of fully autonomous and human-controlled methods to conduct real-time network testing and validate policy settings, enterprises can ensure they have consistent security across all cloud environments.”