Cloud infrastructure, often referred to as IaaS (infrastructure as a service), is now the norm for the majority of businesses, and will be the fastest-growing cloud category over the next five years, according to IDC. For all its benefits of flexibility and agility, the cloud comes with its own risks. One such vulnerability is cloud misconfiguration, which is becoming a prevalent source of risk for organizations.
Why misconfigurations are a problem
Research from cloud security company DivvyCloud (which was recently acquired by Rapid7) found that between the start of 2018 and the end of 2019, breaches caused by cloud misconfigurations cost companies worldwide an estimated $5 trillion. Whilst large and costly data breaches have dominated the news in recent years, the reality is that these incidents, for the most part, were totally avoidable.
The word “misconfigurations” covers a wide gamut of sins, so to give you an idea of what they are and the risks they pose, here are some examples:
- Publicly accessible data storage: This example includes the infamous publicly-visible S3 bucket. In this misconfiguration, a bucket (which is roughly equivalent to a file repository) is set up such that it can be accessed by anyone who comes across it.
- Unsecured credentials: To understand the risk of this misconfiguration, let’s look at the example of access keys, which are credentials that act just like a username and password. The right access key gives the holder the ability to change any facet of a cloud environment. Despite this, far too often access keys are stored as plaintext in accessible places like public GitHub repositories.
- Overly permissive access rules: Even when infrastructure is running in the cloud, basic security best practices still apply. That includes locking down virtual machines so that they can’t be accessed via unused ports and protocols. Ingress and egress for any cloud-based asset should only be given when it's needed for the asset to function properly.
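The three misconfiguration classes above can be checked mechanically. The following is an added example, not code from the original article or from Rapid7: it runs three small checks over constructed samples (a bucket policy document, a security-group description in the shape the EC2 API returns, and a file from a repository), flagging a public S3 bucket policy, world-reachable ports the asset does not need, and AWS access key IDs sitting in plaintext.

```python
import re

# Constructed sample: an S3 bucket policy that lets anyone read every object.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

# Constructed sample: a security group exposing HTTPS (needed) and RDP (not) to the world.
SECURITY_GROUP = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: a config file committed to a repository. The key ID is the
# placeholder AWS uses in its own documentation, not a live credential.
REPO_FILE = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n"

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 uppercase characters.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

def public_statements(policy: dict) -> list:
    """Allow statements granted to everyone with no Condition: the public-bucket case."""
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            hits.append(stmt)
    return hits

def open_ingress(sg: dict, allowed_ports: list) -> list:
    """Ports reachable from 0.0.0.0/0 that the asset does not need: the over-permissive case."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            continue
        findings += [p for p in range(rule["FromPort"], rule["ToPort"] + 1) if p not in allowed_ports]
    return findings

def find_access_key_ids(text: str) -> list:
    """Access key IDs sitting in plaintext: the unsecured-credentials case."""
    return ACCESS_KEY_RE.findall(text)
```

In practice the inputs come from the account's own inventory (bucket policies, security groups, repository contents) rather than the constructed samples used here.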
How misconfigurations happen
So how do these misconfigurations arise? The answer is human error. In a traditional on-premises environment, network infrastructure is configured and maintained by IT and security teams. These teams are usually staffed by experts with years of experience securing networks. Even then, mistakes happen. For example, in Rapid7’s 2018 Under the Hoodie report, we discovered that network and service misconfigurations were found 96% of the time during internal penetration testing.
Since misconfigurations don't exist within a computer’s operating system, they’re less visible to traditional security testing tools, which means they often go undetected (to the delight of attackers). That’s why businesses need to know whether they have these misconfigurations and how serious they are, as well as know how to fix them to reduce the risk of a serious vulnerability.
As a result, scanning for vulnerabilities alone is not enough for businesses to manage risk in their cloud infrastructures — they also need a strategy to prevent misconfigurations, as well as a purpose-built way to detect them when they still manage to sneak their way through.
Secure the baseline
Ideally, businesses should start by making sure that a misconfiguration never happens in the first place. The best way to do this is by establishing a strong line of defense. To do this effectively, businesses should align forces by having their security teams work with their IT, operations, and engineering teams to define a strong security baseline. The baseline should clearly describe everything from how assets should be configured right through to an incident response plan.
I’d also recommend bringing in additional resources to reinforce this baseline; the AWS Well-Architected Framework and the CIS Benchmarks are good starting points. Once an organization has defined its AWS security baseline, it needs to enforce it. Businesses should provide developers with infrastructure templates that have already been configured to meet that baseline, which removes the need for each team to get the settings right by hand. This can easily be done via tools like AWS CloudFormation.
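A pre-configured template is only useful if nothing drifts away from it, so a baseline is usually paired with a check that runs before a stack is deployed. The following is an added example, not code from the original article or from any AWS tooling: it compares a weak CloudFormation template (constructed here as a parsed dictionary) with the baseline version a security team would hand out, and reports every S3 bucket that lacks a complete public access block or default encryption. Loading a real template from JSON before calling these functions is assumed.

```python
# Constructed sample: the template a developer might write without a baseline (weak)
# and the pre-configured version the security team would hand out instead.
WEAK_TEMPLATE = {
    "Resources": {
        "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "uploads-example"}}
    }
}

BASELINE_TEMPLATE = {
    "Resources": {
        "Uploads": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "uploads-example",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
                },
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                ]},
            },
        }
    }
}

# All four flags must be set for S3 to refuse public ACLs and public bucket policies.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def bucket_findings(template: dict) -> list:
    """Return (logical_id, reason) pairs for every S3 bucket that misses the baseline."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        pab = props.get("PublicAccessBlockConfiguration", {})
        missing = [f for f in PUBLIC_ACCESS_FLAGS if pab.get(f) is not True]
        if missing:
            findings.append((logical_id, "public access block incomplete: " + ", ".join(missing)))
        rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        if not any("ServerSideEncryptionByDefault" in r for r in rules):
            findings.append((logical_id, "no default encryption"))
    return findings

def template_passes_baseline(template: dict) -> bool:
    """Gate to run in CI before a stack is deployed; fails on the first non-compliant bucket."""
    return not bucket_findings(template)
```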
Limiting access equals more control
I would also recommend introducing identity access management (IAM) if you haven’t already. This will allow IT administrators to authorize who can take action on specific resources, whilst providing visibility and additional control across the infrastructure.
Employ network detection
Traditionally, networking traffic in the cloud has been difficult to capture, which has led to cloud security somewhat lagging.
Network detection and response (NDR) allows real-time monitoring and is a more efficient way for security teams to keep on top of these dynamic environments. Without network detection in the cloud, security teams will struggle to maintain the same rapid threat detection and visibility that is possible on-premises.
Use tools to increase visibility
To effectively discover misconfigurations, businesses need to increase the visibility surrounding their weaknesses. Businesses should invest in policy-based assessment features that will help them understand the weaknesses affecting the security of their cloud infrastructure.
By using these tools, security teams will be able to collaborate more effectively with the AWS team to resolve these misconfigurations and therefore reduce the likelihood of compromise.
It’s important to note that while misconfigurations are a risk, they can be effectively managed. For example, if a business’s main workforce is currently working from home, the introduction of two-factor authentication will help reduce the risk of data breaches.
Employees should also be trained on the usual pitfalls of day-to-day cybersecurity, such as poor password practices. Providing security training for employees is essential in reducing data breaches due to human error.
Correctly configuring cloud infrastructure requires close collaboration among development, IT, operations, and security teams. With the right tools and processes in place, businesses can leverage cloud infrastructure in a secure way. It is therefore imperative that businesses secure their cloud networks by arming their teams with both the right tools and knowledge in the most efficient way possible.