Misconfiguration on the Cloud is as Common as it is Costly

There’s never been a better time to be a cyber-criminal. I’ve spent the past 20 years defending infrastructure and securing data from attacks by cyber-criminals and foreign adversaries. I’ve seen firsthand how cybercrime has grown from isolated cases of fraud and theft to a $600 Billion per year industry.

Dark web marketplaces are aggressively hawking a huge assortment of hacking tools at fire sale prices, all over the world. Opportunistic individuals and teams of criminals are impounding credit card accounts and extorting local institutions for ransom payments from their out-of-reach shelters in Asia, Africa, and Eastern Europe. They are all constantly on the lookout for new opportunities, and in America’s current rush toward cloud infrastructure, they may have found them.

In just the past two years, cloud breaches exposed a whopping 33.4 billion records, racking up a staggering $5 trillion in costs to enterprises worldwide. Most of the exposures initially resulted from misconfigurations – typically human errors that take place in key settings of portals and other cloud components.

Malicious actors are then able to use automation tools, often purchased on the Dark Web, to scan the internet for cloud misconfigurations within minutes of their inception. It doesn’t take long for them to find opportunities. A survey of cloud engineering and security teams revealed that 73 percent cited more than ten incidents a day, with more than a third experiencing over 100 and ten percent suffering more than 500. Yet, once they’re found, it frequently takes administrators days to correct them.

What’s worse, in the rush toward cloud services many of these misconfigurations are overlooked. Although public clouds have a reputation for strong security, the responsibility for data security is actually a shared one.

The security of what customers put into the cloud – often their most sensitive data – is actually their own responsibility. It is the customer who configures the application, role-based access controls, and data sharing. As the major cloud providers put it in explaining their Shared Responsibility Model: the vendor is responsible for the security of the cloud; the customer is responsible for security in the cloud. Yet most users either ignore that need or approach it using obsolete toolsets that migrated with them from their previous on-site data centers.

Earlier this year, in response to the coronavirus pandemic, corporate offices in many parts of the world emptied out as staff members were directed to work from home. The systems and networks designed for remote workers were mostly aimed at checking email from home, and perhaps accessing some internal applications via VPN. Very few companies had the IT systems in place to handle even 10% of employees working remotely at any given time. They definitely were not built to handle a 100% remote workforce.

To solve this problem and enable business operations, organizations of all sizes turned to the public cloud. The public cloud was built to be always on, available from anywhere, and could handle the surges in capacity that legacy infrastructure could not. Cloud applications were the solution to enabling remote workers and continuing business operations.

With that transition came new risks: organizations were forced to rapidly adopt new access policies, deploy new applications, onboard more users to the cloud, and support them remotely.

To make matters worse, the years of investment in “defense in depth” security for corporate networks suddenly became obsolete. IT teams were making huge changes on tight timelines, and without the safety net of the perimeter firewalls.

No one was prepared for this. It should come as no surprise that the leading causes of data breaches in the cloud can be traced back to mistakes made by the customer, not a security failure by the cloud provider. When you add to that the IT staff’s relative unfamiliarity with SaaS, the opportunities to misconfigure key settings proliferate.

The top challenges enterprises face are highlighted in the Cloud Security Alliance’s (CSA) most recent research. Here are some of the most significant threats identified:

  • Misconfiguration and Inadequate Change Control - Misconfiguration occurs when computing assets are set up incorrectly, often leaving them vulnerable to malicious activity. Misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption.
  • Lack of Cloud Security Architecture and Strategy - With the increasing pace of public cloud adoption, organizations simply cannot pause to synthesize a well thought out architecture and strategy. Without a cohesive strategy on governing different types of users, third party applications, and blacklist/whitelist policies, configurations of cloud services will most certainly leave gaps in the security coverage.
  • Insufficient Identity, Credential, and Access Management - Identity, credential, and access management systems include tools and policies that allow organizations to manage, monitor, and secure access to valuable resources. Incorrect access management configuration often leads to over-privileged users gaining access to sensitive data that otherwise should be restricted.
  • Insecure Interfaces and APIs - From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent the security policy. Poorly designed APIs could lead to misuse or—even worse—a data breach. Broken, exposed, or hacked APIs have caused some major data breaches.

The transition to cloud services has greatly increased the opportunity for productive work, providing subscribers with a technical infrastructure that few private organizations could ever hope to create for themselves. However, it has also created a new set of opportunities for malicious actors by expanding the attack surface for various types of access, and by overwhelming IT staff unfamiliar with complex SaaS settings and their security ramifications. Maintaining resiliency is a constant challenge.

In the highly fluid cat-and-mouse world of network security personnel versus bad actors, automation is available to both sides. Services like Salesforce release new capabilities, including security features, on a regular basis. Software that keeps up with those changes, and that can automatically scan for, detect, analyze, and remediate misconfigurations before attackers have the opportunity to exploit them, is available from multiple sources.

Installing tools to effectively manage your organization’s security posture on the cloud can become an essential safeguard against potentially ruinous attacks. 
