The high velocity of change in cloud computing environments makes security very challenging—with ramifications for everything from encryption levels to allowing unnecessary public internet access.
New research from the RedLock Cloud Security Intelligence (CSI) team shows an endemic lack of cloud infrastructure security best practices. On average, organizations fail 55% of the compliance checks established by the Center for Internet Security (CIS). More than half of the violations (54%) are high-severity issues such as security groups that allow inbound SSH connections from the internet. Medium-severity violations, such as not enabling multi-factor authentication for all IAM users, represent 37% of the issues. Lastly, 9% of the violations are low-severity issues such as not logging Amazon Simple Storage Service (S3) bucket access.
For instance, databases containing sensitive data should always be encrypted, especially in industries with compliance mandates such as PCI and HIPAA. Even so, it turns out that a whopping 82% of databases in public cloud computing environments (such as Amazon Relational Database Service and Amazon Redshift) are not encrypted.
Around a third (31%) of those databases also accept inbound connection requests from the internet, MongoDB in particular. A full 40% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public.
This can have big security ramifications: In March 2017, at least 20,000 customer records containing sensitive data were exposed at Scottrade due to such a misconfiguration.
On the outbound access side, an alarming 93% of resources in public cloud environments do not restrict outbound traffic at all—opening the door to widespread data exfiltration.
Meanwhile, it is an accepted IT truism that data in transit should generally be encrypted to avoid man-in-the-middle attacks; yet the research revealed that 51% of the network traffic in public cloud infrastructure environments still occurs on port 80, the default HTTP port, where traffic is sent in the clear (unencrypted).
“Ideally, only load balancers and bastion hosts should be exposed to the internet,” the firm noted. “However, the team found that 9% of workloads that were neither load balancers nor bastion hosts were accepting traffic from any IP address on any port.”
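The network findings above (inbound SSH open to the internet, workloads accepting traffic from any IP on any port, public exposure of anything that is not a load balancer or bastion host, and unrestricted outbound traffic) can each be expressed as a rule over a security group definition. The following is an added example, not RedLock's tooling or part of the report: it evaluates security groups in the layout that EC2 describe-security-groups returns, using a constructed inventory and an assumed role tag (`load-balancer`, `bastion`, `app`) to decide which workloads are expected to be internet-facing.

```python
"""Check AWS-style security group definitions for the exposures the report
highlights. The group definitions and role tags below are constructed for
this example, in the layout returned by EC2 describe-security-groups."""

from typing import Dict, List, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
SSH_PORT = 22
# Assumed tag values for roles that are expected to face the internet.
INTERNET_FACING_ROLES = {"load-balancer", "bastion"}


def open_to_world(rule: dict) -> bool:
    """True when the rule's CIDR list includes every IPv4 or IPv6 address."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def covers_all_ports(rule: dict) -> bool:
    """IpProtocol -1 means all traffic; a rule spanning 0-65535 is equivalent."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def covers_tcp_port(rule: dict, port: int) -> bool:
    """True when the rule admits the given TCP port."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def evaluate_security_group(group: dict, role: str = "unknown") -> List[str]:
    """Return the names of the checks this group fails, in detection order."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not open_to_world(rule):
            continue
        # Only load balancers and bastion hosts should be reachable from the internet.
        if role not in INTERNET_FACING_ROLES:
            findings.append("unexpected-public-exposure")
        if covers_tcp_port(rule, SSH_PORT):
            findings.append("ssh-open-to-world")
        if covers_all_ports(rule):
            findings.append("any-port-open-to-world")
    for rule in group.get("IpPermissionsEgress", []):
        if open_to_world(rule) and covers_all_ports(rule):
            findings.append("egress-unrestricted")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


# Constructed inventory: (security group definition, role tag of the workload).
SAMPLE_INVENTORY: List[Tuple[dict, str]] = [
    ({"GroupId": "sg-app-01",
      "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
      "IpPermissionsEgress": [{"IpProtocol": "-1",
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
     "app"),
    ({"GroupId": "sg-lb-01",
      "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
      "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                               "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
     "load-balancer"),
    ({"GroupId": "sg-legacy-01",
      "IpPermissions": [{"IpProtocol": "-1",
                         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
      "IpPermissionsEgress": []},
     "app"),
]


def scan(inventory: List[Tuple[dict, str]]) -> Dict[str, List[str]]:
    """Map each group id to the checks it fails."""
    return {g["GroupId"]: evaluate_security_group(g, role) for g, role in inventory}


if __name__ == "__main__":
    for gid, findings in scan(SAMPLE_INVENTORY).items():
        print(f"{gid:14} {', '.join(findings) or 'ok'}")
```

The IPv6 check matters in practice: a group that blocks `0.0.0.0/0` but admits `::/0` is just as exposed, and a review that only inspects `IpRanges` will miss it.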
Similarly, the research revealed that 58% of root accounts do not have multi-factor authentication (MFA) enabled, and 63% of access keys have not been rotated in the last 90 days. About 14% of user accounts are dormant, where credentials are active but no logins have occurred in the last 90 days, indicating there is a missed opportunity to close some of the security gaps.
“If any root user account is compromised, the hackers will have keys to the kingdom,” the report said.
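The three identity findings above (root accounts without MFA, access keys older than 90 days, and dormant accounts whose credentials are active but unused for 90 days) are all answerable from an IAM credential report. The following is an added example, not code from RedLock or the report: it applies those checks, plus the medium-severity "MFA not enabled for a user" check mentioned earlier, to rows laid out like the AWS credential report (a subset of its columns), using constructed rows and a fixed reference date so the result is reproducible.

```python
"""Apply the report's IAM hygiene checks to rows in the layout of an AWS IAM
credential report. The rows below are constructed for this example."""

import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_KEY_AGE = timedelta(days=90)   # access keys older than this should be rotated
MAX_IDLE = timedelta(days=90)      # active credentials unused this long are dormant
ROOT = "<root_account>"            # how the credential report names the root user

# Constructed sample (subset of the credential report's columns); account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2017-04-20T08:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2017-04-28T09:15:00+00:00,true,true,2017-03-15T12:00:00+00:00,2017-04-30T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2017-01-10T16:40:00+00:00,false,true,2016-11-01T10:00:00+00:00,2017-01-12T11:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::111122223333:user/carol,false,N/A,false,true,2017-01-01T00:00:00+00:00,2017-04-29T18:30:00+00:00,false,N/A,N/A
"""

# Fixed reference date so the example is deterministic.
NOW = datetime(2017, 5, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> Optional[datetime]:
    """Credential reports mix ISO 8601 timestamps with markers such as N/A or no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def evaluate_user(row: Dict[str, str], now: datetime) -> List[str]:
    """Return the check names this principal fails."""
    findings = []
    # The root row reports password_enabled=not_supported, but root always has a password.
    has_password = row["password_enabled"] in ("true", "not_supported")
    last_activity = [parse_ts(row["password_last_used"])] if has_password else []

    if row["mfa_active"] != "true":
        if row["user"] == ROOT:
            findings.append("root-mfa-disabled")
        elif has_password:
            findings.append("user-mfa-disabled")

    any_active = has_password
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        any_active = True
        rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
        if rotated is None or now - rotated > MAX_KEY_AGE:
            findings.append("key-not-rotated")
        last_activity.append(parse_ts(row[f"access_key_{n}_last_used_date"]))

    # Dormant: credentials are active but nothing has used them within the window.
    if any_active:
        used = [t for t in last_activity if t is not None]
        if not used or now - max(used) > MAX_IDLE:
            findings.append("dormant-account")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def evaluate_report(report_csv: str, now: datetime) -> Dict[str, List[str]]:
    """Map each principal in the report to the checks it fails."""
    reader = csv.DictReader(io.StringIO(report_csv))
    return {row["user"]: evaluate_user(row, now) for row in reader}


if __name__ == "__main__":
    for user, findings in evaluate_report(SAMPLE_REPORT, NOW).items():
        print(f"{user:15} {', '.join(findings) or 'ok'}")
```

Note that dormancy is judged on the most recent use of any active credential, so a key-only service account that is still being used is not flagged merely because it has no console login; the same account is still flagged for an unrotated key.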
To put things into perspective, it should be noted that complexity is the fly in the ointment for many cloud administrators.
“Securing public cloud infrastructure is not as simple as retrofitting on-premise security solutions to protect dynamic cloud environments,” RedLock said. “To put things in perspective, our research indicates that the average lifespan of a cloud resource is 127 minutes. The problem is further amplified in large cloud computing environments with thousands of resources.”