IT security teams are well aware of the dangers of cloud misconfigurations. Poorly configured cloud infrastructure, applications, and storage have proved to be a major threat as attackers capitalize on an opportunity to sneak into enterprise environments and steal information or move laterally.
Misconfigurations have only grown more common amid the COVID-19 pandemic and a global rush to shift organizations into fully virtualized workforces. The accelerated jump to the cloud has led to careless mistakes and, consequently, opportunistic attacks to take advantage of them.
"You get this combination of cloud security issues that are primarily the users of the cloud – not the cloud providers themselves – misconfiguring, embedding credentials inappropriately, leaving passwords, not hardening their cloud because they're moving so quickly … that's led to several compromises," explains Jim Reavis, co-founder and CEO of the Cloud Security Alliance.
Organizations hastily moving to the cloud often lack a strategic view and fail to consider factors such as threats that could put them at risk and high-priority security functionalities, Reavis says. They forget to lock down storage buckets and databases, leave credentials viewable in Github, and fail to patch or maintain good security hygiene in virtual machines and containers, he adds.
"Out of this, you give the attackers an ability to really be able to do some pretty quick scanning of cloud environments, finding several things that are insecure, and then being able to go do a deeper dive hack," Reavis continues. Configuration management can help prevent these threats.
IT and security teams are discovering several unexpected gaps resulting from the rapid transition to cloud. Now they have to consider tactical solutions and a more strategic architectural shift. Many have accepted the operational changes resulting from COVID-19 are here to stay. As a result, they should consider how to better strengthen their cloud security.
"A lot of it goes back to the shared responsibility model and understanding that this is a combined responsibility for us to secure the cloud," Reavis says.
When dealing with products like infrastructure-as-a-service, it's incumbent on cloud consumers to understand they're given a blank slate. It's on them to worry about encryption, identity management, and other parts of their cloud environments.
[Check out Jim Reavis' upcoming talk, "Practical Solutions for Securing Your Cloud Services," on Oct. 5 during the Cybersecurity Crash Course at next week's Interop Digital]
Misconfigurations can help attackers get into your cloud environment and achieve their goals once inside, explains Josh Stella, co-founder and CTO at Fugue Security. What they care about is exploiting misconfigurations, typically in services like identity and access management (IAM). These credentials can help them navigate the network and quietly exfiltrate data they're looking for.
"The blast radius of these is devastation," he says. "You can have a very small crack in your defenses, and if it's cloud misconfiguration-related, that can mean in five minutes all your data is gone."
Stella points to a few examples of places where security teams can double-check their assets for configuration mistakes. The first step is to understand your security posture: Know where you stand and learn where errors are. Businesses will inevitably slip up when configuring the cloud.
"I guarantee you mistakes have been made because it's just too hard to not," he says.
A common mistake is placing too much trust in the "block public access" feature for AWS S3 buckets. Many people think when they turn this feature on, they're protected from attackers. But while it's a good step to take, it's "vastly incomplete," Stella says. An organization can have an exception to "block public access" that could expose its private information to the Internet.
Similarly, Stella says he often sees the issue of overly permissive IAM roles. Amazon's Elastic Compute Cloud (EC2) has many possible permissions in IAM; when confronted with all these choices, people often choose big chunks, he explains. The problem is, these permissions are all very detailed and may be granting a level of access that someone shouldn't necessarily have.
Stella also urges organizations to ensure they limit the ability of their cloud infrastructure to list and describe other parts of their cloud infrastructure. Security admins often think having list permissions is safe; this capability lists the contents of their EC2 fleet or containers, or lists data storage service options, buckets, and other objects.
"These are extremely dangerous things to leave on because hackers' first, and often most difficult, job is discovery," Stella explains. "If you give them a map to your safe, that's a bad idea. They can probably break into your safe." Security teams should limit the ability of their cloud infrastructure to know about the other cloud infrastructure they're running, he says.
In his upcoming Interop Digital talk, "Simulating Real-Time Cloud Misconfiguration Attacks to Improve Cloud Security," Stella will simulate an attack against his own infrastructure and, in doing so, demonstrate how these small, simple mistakes can have major consequences.
"It's really important to view your own infrastructure from the perspective of someone who is going to [venture] into it and do bad things," he says. Businesses can put bars on their front windows and lock the doors, but attackers will find a small open basement window to sneak in.
"What you should be doing – what everyone should be doing – is not sleeping well until you find some of those because they're there," Stella adds. "You have to think that way."