The cloud is an environment full of potential, providing easy access to technologies that weren’t available a decade ago.
You can now launch the equivalent of an entire data center with a single command. Scaling to meet the demands of millions of customers can be entirely automated. Advanced machine learning analysis is as simple as one API call.
This has allowed teams to speed up innovation and focus almost exclusively on delivering business value.
At the same time, security is a constant, critical issue, and consumers of cloud services must understand the shared responsibility model where their setup, configuration and use of the cloud is an equally important element of their overall security posture.
Few Breaches Originate with Service Providers Themselves
Moving into the age of the cloud, the assumption was that alongside its increased potential, security challenges would grow as well. But where the industry thought that teams would be struggling with zero-days, vulnerability chains, and shadow IT, it turns out those issues are not the top concerns.
The top security challenge for builders in the cloud is very straightforward — mistakes, in the form of service misconfigurations.
People also assumed that cloud service providers themselves would pose the biggest risk, but the data doesn’t support this at all. Although each of the big four cloud service providers — Alibaba Cloud, AWS, Google Cloud, and Microsoft Azure — have had to deal with many security vulnerabilities over the past five years, they have only experienced two actual security breaches combined.
Although each of the big four cloud service providers have had to deal with many security vulnerabilities over the past five years, they have only experienced two actual security breaches combined
The first took place in March 2020. In this case, Google Cloud paid out a $100,000 reward through their bug bounty program to a security researcher who found a privilege escalation issue in Google Cloud Shell.
This is a service that provides a browser-based interface to the command line of a virtual machine. Under the covers, this shell is simply a container running an application to provide access.
The researcher noticed that they were able to use a socket connection in the container to compromise the host machine and escalate their access. The root cause? A misconfiguration in the access to that socket.
The second example took place in January 2020 and it involved a service offered in Microsoft Azure. Here, an issue was reported in the Microsoft App Service offering. This vulnerability allowed an attacker to escape the expected boundaries of the service and access a limited-scope deployment server with elevated privileges.
The reason? A misconfiguration in the open source tool used to provide this web app hosting service.
In both cases, the vulnerabilities were responsibly disclosed and quickly fixed. Neither issue led to any reported customer impacts. Both of these cases were in higher-level cloud services.
Misconfiguration is Usually a Prime Suspect
Over the same timeframe, there have been many other high-profile breaches outside of those four primary service providers. Here’s a list of some of the most visible:
- MCA, 500,000 loan documents
- RNC, 187,000,000 voter records
- THSuite, 30,000 cannabis dispensary records
- Booz Allen Hamilton, top secret records
- Dow Jones, 2,200,000 customer records
- WWE, 2,000,000+ customer records
- Verizon Wireless, 6,000,000 customer records
- Accenture, 40,000 infrastructure passwords & details
- Capital One, 100,000,000 customer records
- US DoD, 1,800,000,000 data records for analysis
- Alteryx, 120,000,000 personal records
- CAM4, 10,000,000 personal records
Filter out all the reports of cloud hacks and breaches to remove incidents where the issue wasn’t related to cloud but the service just happened to be there—and over two billion sensitive records have been exposed through a breach in cloud security.
Take this further and remove every single breach that wasn’t due to a single misconfiguration — meaning the breach was caused by one wrong setting, one incorrect permission, one simple mistake — and that leaves only the Capital One breach.
This more complicated event was caused by two misconfigurations and a bug. An in-depth analysis of this breach shows that the bug was inconsequential to the overall impact, which was 100 million customer records being exposed.
It Can Happen to Anyone – Double Down on Ensuring Your Configs are Correct
It’s important to note that Capital One is a very mature cloud user. They are a reference customer for AWS, they’ve been a huge advocate of cloud within the community, and were the incubator for the very popular open source security, governance, and management tool, Cloud Custodian.
65-70% of security issues in the cloud start with a misconfiguration
This is a team that knows what they are doing. And yet, they still made a mistake.
That’s really what misconfigurations are. They are mistakes.
Security researchers that study cloud services agree: 65-70% of security issues in the cloud start with a misconfiguration.
Organizations should be pushing to move faster to the cloud in order to improve their security, and the shared responsibility model makes it easier to maintain a strong security posture — as long as the customer understands their responsibility to ensure proper configurations of cloud services.
Understand your service agreements. Understand your configurations, and build some redundancy into those processes. These simple steps can help eliminate the prime suspect in the majority of breaches today.
