Cloud
5/25/2017
10:50 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

82% of Databases Left Unencrypted in Public Cloud

Personal health information and other sensitive data is left exposed as businesses overlook encryption and network security.

The average lifespan of a cloud resource is 127 minutes. Traditional security strategies can't keep up with this rate of change, and 82% of databases in the public cloud are left unencrypted.

These findings come from the RedLock Cloud Security Intelligence (CSI) team's "Cloud Infrastructure Security Trends" report. RedLock today formally announced the CSI team and its inaugural report, which focuses on major vulnerabilities in public cloud environments.

The team analyzed more than one million cloud resources, processing 12 petabytes of network traffic, and dug for flaws in public cloud infrastructure. They found 4.8 million records, including protected health information (PHI) and personally identifiable information (PII), were exposed because best practices like encryption and access control aren't enforced.

"Imagine the day and age we live in," says RedLock cofounder and CEO Varun Badhwar. "You should be using encryption of data at-rest. There is no data out of the reach of bad actors if not secured correctly."

The problem isn't in cloud providers failing to secure data centers, but in organizations failing to secure applications, content, systems, networks, and users that use the cloud infrastructure. "That is where people are not aware, or not investing the right resources," he continues.

Researchers found of the 82% of databases left unencrypted in the public cloud, 31% were accepting inbound connection requests from the internet. More than half (51%) of network traffic in the public cloud is still on the default web port (port 80) for receiving unencrypted traffic. Nearly all (93%) public cloud resources have no outbound firewall rule, says Badhwar.

"You need to have control at the network, configuration, and user layers so it's hard for someone to get in, and harder for them to take your data out," Badhwar emphasizes, adding how weak network controls lead to trouble. "It's like saying, 'I'm going to leave my gates and front doors open, and hope I don’t get robbed,'" he says.

Developers and the team running operations in the cloud need to have secure access, and researchers discovered they often don't.

Businesses are moving to the cloud from on-prem environments where everything underwent a security review and sign-off process before being pushed to production, Badhwar continues. Two hours and 27 minutes, the average lifespan of a cloud resource, is a much smaller window.

"Within that timeframe, the customer has no clue how to get security right because developers are pushing code," says Badhwar. "None of the existing security tools work at the speed of change. Customers have no visibility into the changes pushed to production."

He calls the current cloud environment a "devops-oriented world" in which those who write the code are responsible for pushing it to production. The problem is, those who are making changes within cloud environments are not trained security professionals.

Their lack of expertise brings additional risk, especially with new tech like containers. RedLock researchers found 285 Kubernetes dashboards (web-based admin interfaces) deployed on Google Cloud, Microsoft Azure, and AWS that were not password-protected. There were many cases where Kubernetes systems held plaintext credentials to other critical systems, a vulnerability leaving key infrastructure exposed.

Security recommendations from the report include training developers on security practices for public cloud infrastructure, ensuring services are set to accept internet traffic on an as-needed basis, and setting a default "deny all" outbound firewall policy. You should also automatically discover database and storage resources as they are created in the public cloud, and monitor network traffic to ensure those resources are not directly interacting with internet services.

Related Content

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sngs7dan
50%
50%
sngs7dan,
User Rank: Apprentice
5/30/2017 | 9:45:46 AM
Lies, Damn lies and Statistics
A shameful article. Inadequate with regards to analysis. Either provide enough information to make the numbers quoted reasonable or critique the methodology of the report for not providing enough information.

"'Average' is a statistical fiction". Under three hours average TTL for a cloud resource? Based on what? People creating something, realizing it's misconfigured, destroying it and then doing it right? Trial and error, experimentation? transient convenience builds? dynamic honeypots? the possibilities are endless and so are the questions left unanswered.

Without any discussion of the distribution curve, a single value is a data point without meaning. Imagine trying to read a graph with unlabeled axes. Pretty picture, but with what meaning?

You can do better.
ScottBinDC
50%
50%
ScottBinDC,
User Rank: Apprentice
5/30/2017 | 12:40:34 AM
But the cloud is supposed to be more secure!
Isn't that what everyone tells us? The cloud is more secure. Why worry? (sarcasm assumed)
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2017 | 2:47:39 PM
plaintext credentials
I was hoping that we would not hear this again, plaintext credential means no credential basically.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2017 | 2:45:17 PM
devops-oriented world
"devops-oriented world" in which those who write the code are responsible for pushing it to production." I do not have problem with this, therebcna still be enough chekcs to make sure no security vulnerability.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2017 | 2:41:22 PM
cloud providers failing to secure data centers
This is something we can argue but it is still both cloud provers and consumers to encrypt the databases. Cloud providers could make this a default features on their services.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2017 | 2:38:40 PM
51% web traffic
51% web traffic being not encrypted is more troubleing than database encryption at rest. So individuals who are registering those sites not having https are competely at risk.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/29/2017 | 2:36:17 PM
Not surprised
This is not surprising at all. I bet it is the same on on-premises. We tend to think it is important to encrypt data but not doing that when it comes to data at rest.
ChrisB964
50%
50%
ChrisB964,
User Rank: Apprentice
5/26/2017 | 5:22:41 PM
What exactly is the threat vector of an unencrypted cloud database?
What exactly is the threat vector of an unencrypted cloud database?  Considering this is headline I'm curious if you or anyone could describe a scenario where someone accesses data by attacking an unencrpted database.  Unless I misunderstand something the encryption protects attempts to access the data at the disk level.  For RDS users(the most common case) wouldn't an attacker first have to compromize AWS infrastructure to get at the disk layer of RDS?  There's no public access to the disk of an RDS instance.  Help me understand the risk.

Yes we encrypt our cloud databases and noticed that we have to spend more hourly on many due to the additional size requirements of encrypting them.
DominicP260
50%
50%
DominicP260,
User Rank: Apprentice
5/25/2017 | 12:36:43 PM
This article and the cited report are misleading
This article, and the cited report, suggest that the 82% of unecrpyted databases in the public cloud would suddenly become safe if they were all encrpyed but that's far from the truth. This will only protect the database from an attack vector where the threat actor attempts to steal the DB in its entirety at the filesystem level. If an attack exploids weak DB credentials via an exposed port they will still have full read access to the encrypted DB unless the DB is utililzing field level encryption, which is not even mentioned in this article. The way in which the cited report collected their data is also not very scienctic; the 82% is probably not an accruate reflection of the real number. This article reads more like sponsered content than anything.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.