Misconfiguration: A Critical Threat Lurking In Your Cloud Environment
Cloud misconfiguration continues to be one of the leading causes of data breaches and other cyber incidents in public clouds. In this post, we’ll to take a closer look at this particular cloud security issue, why it happens, why it’s considered a serious problem, and other related concepts. First, you need to understand how security works in a public cloud.
What You Need To Know About Security in a Public Cloud
Public cloud security is based on a shared responsibility model wherein the cloud service provider (CSP) is responsible for security of the cloud, while the customer is responsible for security in the cloud. Your CSP’s security responsibilities are quite extensive.
First of all, your CSP will be responsible for securing its own data center facilities. They’ll typically provide:
- perimeter security like fences, surveillance cameras, and security personnel.;
- building security like concrete walls, fire suppression systems, and motion sensors;
- and physical access control mechanisms like biometric scanners, turnstiles, cages, and badges.
Secondly, your CSP will take charge of securing the hardware systems that make up the main IT infrastructure like the physical servers, network devices, and storage devices. They also have to patch and harden all underlying software that support their other cloud services. This may include operating systems, hypervisors, and database solutions.
On top of that, your CSP will provide basic security controls like Identity and Access Management (IAM), data-at-rest encryption (e.g., disk encryption and object encryption), data-in-motion encryption, key management services, and virtual private clouds (VPCs).
Lastly, your CSP will also offer additional services that you can use (for an added cost, of course) to secure your end of the shared responsibility model. Amazon Web Services (AWS), for example, offers: AWS Shield for DDoS protection; Amazon Inspector for vulnerability management; and AWS WAF for web application security; to mention a few.
Seems pretty comprehensive from a security standpoint, doesn’t it? It does. But it isn’t. The overall attack surface of a public cloud includes the portions you’re responsible for. That portion of the attack surface is pretty large too and, worse, mostly accessible from the dark corners of the Internet. In an Infrastructure as a Service (IaaS) cloud environment, that portion would include your server instances, the operating systems and software applications running on them, and your data.
You have to configure and harden those cloud components to mitigate the risk of a compromise. Not only that, you have to configure all those CSP-provided security controls and services as well. Usually, this is where the problem lies.
Cloud Misconfigurations and Why They Happen
One of the most common cloud misconfiguration issues is firewall misconfiguration. When you run a server instance on an IaaS cloud, for example, you must set firewall rules that control inbound and outbound traffic to/from that instance. You need those rules to gain remote access to that instance and to allow the instance to connect with external sources. The problem is, some administrators tend to open too many ports, forget to close unused open ports, or allow incoming traffic from any IP address. These misconfigurations expose your cloud to external threats.
Another common misconfiguration issue is unused encryption. While all major CSPs provide encryption services that allow you to, for instance, encrypt data at rest, you still need to enable and configure those services. You need to choose an encryption type, set up cryptographic keys, enable encryption on the cloud resource in question, specify encryption settings in your API calls, and so on. Unless you go through these processes, you won’t be able to take advantage of the security benefits of encryption.
These are just two examples. You also need to implement authentication and authorization best practices, configure logging, set up backup and disaster recovery, and so on. Unless you properly configure all these settings, you won’t be able to achieve optimal security for your cloud environment.
There are many reasons why cloud misconfigurations happen, but one major reason is the lack of understanding of the cloud security shared responsibility model. Part of the blame goes to marketers who overhype the benefits of cloud migration while leaving unattractive aspects like challenges and responsibilities out of the discussion. So when a gullible customer migrates to the cloud, that customer may wrongly assume everything is already taken cared of.
Of course, we should also take into account the inherent complexity of cloud environments combined with the sophisticated nature of cybersecurity. This is further aggravated by the current cybersecurity skills gap. Unless you have enough people who are trained in both cloud and cybersecurity, you’ll be highly susceptible to cloud misconfiguration issues. If your IT staff are overloaded, they’ll be prone to committing errors.
Why Cloud Misconfiguration Is A Critical Issue
Last year, threat intelligence vendor SOCRadar reported a data leak caused by a misconfigured Azure Blob Storage instance. Azure Blob is Microsoft’s object storage cloud-based service. Although Microsoft was quick to act on the vulnerability as well as assure the public that no customer data or system was compromised, not all cloud slip ups are going to be overlooked by cybercriminals.
Data leaks due to cloud misconfigurations are more common than you think. Hackmageddon.com, a site that has been recording data leaks caused by cloud misconfigurations for the past 3 years is reporting 3TB and 3.5M leaked records and 6 security in 2023 as of this writing. Last year, the site detected a total of 77.24TB of leaked data and 38 security incidents caused by cloud misconfigurations.
Security professionals recognize this threat. In (ISC)2’s 2022 Cloud Security Report, 62% of respondents identified “misconfiguration of the cloud platform” as the biggest security threat in public clouds. Cloud misconfigurations have always been one of the top security issues in cloud computing since cloud computing became mainstream.
Cloud misconfigurations that translate to vulnerabilities like open ports, unencrypted data, weak credentials, and so on, are prone to abuse. Threat actors can exploit these vulnerabilities in order to gain entry into your cloud infrastructure. Once inside, the attacker can execute lateral movement and privilege escalation techniques to compromise other components of your infrastructure until they reach something of value like personal data, credit card data, intellectual property, and so on. Moreover threat actors can also take advantage of these misconfigurations to disrupt systems and cause downtimes.
How Even Properly-Configured Clouds Can Have Vulnerabilities
Even if you manage to properly configure all the CSP-provided cloud services you’re subscribed to, you still have a lot of ground to cover in terms of securing your cloud environment. Remember that your part of the cloud security shared responsibility model (particularly for IaaS clouds) also includes your virtual server instances, your operating systems, your applications, and your data.
Those operating systems and applications need to be patched and all vulnerabilities need to be fixed. Assuming you’re able to patch all known vulnerabilities, you’re still not yet done. You still have to deal with zero day attacks, which target unknown or newly discovered vulnerabilities. Even regular patching are ineffective against those threats. Considering many organizations deploy hundreds, thousands, or even tens of thousands of virtual server instances in their cloud environments, securing your part of the cloud won’t be easy.
Indeed, you can’t rely completely on your CSP or even your own IT staff to address all your cloud security issues. You need a cloud security solution that provides dynamic network protection to augment your current cybersecurity infrastructure and defend your cloud environment against advanced threats such as zero-days.
Our customers use Intrusion Shield Cloud, an innovative security solution that leverages the historical knowledge of billions of internet domains and IPs to instantly identify and block malicious or unknown connections and highly effective at blocking unknown attacks. Want to learn more about Intrusion Shield Cloud? Click the blue icon on the lower-right corner of the screen to chat with us.