Companies whose data had been accessed by researchers in the process of discovering a significant vulnerability in Microsoft's Azure Cosmos DB service should rotate their keys immediately, and all users of the database service should institute role-based access controls.
That's among the recommendations Microsoft included in a blog post published last week, after cloud security firm Wiz.io notified the company that it had found a pathway to other firms' data stored in the service. The Wiz.io researchers reported a vulnerability in the way Microsoft had integrated the Azure Cosmos DB service with Jupyter Notebooks, an open source data science platform for creating interactive workspaces.
Anyone who created a Cosmos DB instance and then used Jupyter Notebooks could access other customers' instances, according to the researchers.
But the incident did not result in any data being accessed by anyone besides the researchers, Microsoft said. "Our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers," Microsoft stated in its Aug. 27 blog post, adding that it performed a broad forensic analysis. "We ... expanded our search beyond the researcher’s activities to look for all possible activity for current and similar events in the past. Our investigation shows no unauthorized access other than the researcher activity."
The incident was a reminder for companies that even the Big Three cloud providers can make mistakes and that organizations still have to worry about cloud database security. While managed services are typically more secure, such services also host a large number of organizations, so a single vulnerability can have a major impact, says Karl Sigler, senior security researcher at Trustwave's SpiderLabs.
"The risks are different in that cloud environments typically have dedicated teams performing ongoing audits, patching, monitoring, and confirming 'best practice' configuration," he says. "However, zero-day issues like this one with the Cosmos DB may have a much more severe impact than on-premises databases when exploited due to shared environments."
For that reason, companies should not rely solely on the security provided by cloud services. The shared responsibility model, the standard framing of the relationship between service provider and customer, puts the onus on the customer to secure its own data, identities and configuration, while the provider secures the underlying service.
Companies need to take the right steps to secure their data, even when a rare vulnerability crops up in the cloud service, says Mark Nunnikhoven, cloud strategist at Lacework.
"To be clear, that pace of change and freedom to experiment is a very good thing for the business," he says. "However, an organization's perspective on security needs to be updated to match it. The data needed to help improve an organization's security posture is there, they just have to put the right tooling in place to understand it."
Microsoft recommended that companies use role-based access controls to limit which users can access certain features and data. In addition, routine monitoring — for Azure, that involves diagnostic logging and using Azure Defender — can help detect unauthorized users.
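The monitoring the article describes is only useful if someone actually looks at the data-plane request logs that Cosmos DB diagnostic settings emit. The following is an added example, not code from the article, from Microsoft, or from Wiz.io: a small triage script over constructed log records in the shape of Azure Diagnostics `DataPlaneRequests` entries. The field names (`clientIpAddress_s`, `authTokenType_s`, `keyType_s`, `statusCode_s`, `operationType_s`), the allowlisted networks and the rotation timestamp are assumptions for the example. It flags three things a practitioner would want after a key-rotation notice like this one: successful key-authenticated requests from addresses outside the expected networks, key-authenticated requests that are rejected with 401 after the rotation (someone still presenting the old key), and read-only workloads that are using a read-write master key and could be moved to a read-only key or to Azure AD role-based access.

```python
"""Post-rotation triage of Cosmos DB data-plane request logs.

Added example; not from the article, Microsoft or Wiz.io. Assumes JSON-lines
records resembling Azure Diagnostics 'DataPlaneRequests' output. Field names,
networks and timestamps below are assumptions; the sample records are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed field names (DataPlaneRequests-style); check them against your own export.
F_TIME, F_IP, F_AUTH, F_KEY, F_STATUS, F_OP = (
    "TimeGenerated", "clientIpAddress_s", "authTokenType_s",
    "keyType_s", "statusCode_s", "operationType_s",
)

# Assumed: the primary read-write key was regenerated at this instant.
ROTATION_TIME = datetime(2021, 8, 27, 12, 0, tzinfo=timezone.utc)
# Assumed: the only networks your own applications legitimately connect from.
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

READ_ONLY_OPS = {"Read", "Query", "ReadFeed"}

# Constructed sample records (not real log data).
SAMPLE_LOG = """
{"TimeGenerated":"2021-08-27T11:30:00Z","clientIpAddress_s":"10.0.1.4","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","statusCode_s":"200","operationType_s":"Query"}
{"TimeGenerated":"2021-08-27T11:45:00Z","clientIpAddress_s":"198.51.100.7","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","statusCode_s":"200","operationType_s":"Read"}
{"TimeGenerated":"2021-08-27T12:10:00Z","clientIpAddress_s":"198.51.100.7","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","statusCode_s":"401","operationType_s":"Read"}
{"TimeGenerated":"2021-08-27T12:15:00Z","clientIpAddress_s":"10.0.1.4","authTokenType_s":"aad","keyType_s":"","statusCode_s":"200","operationType_s":"Query"}
{"TimeGenerated":"2021-08-27T12:20:00Z","clientIpAddress_s":"203.0.113.9","authTokenType_s":"key","keyType_s":"SecondaryReadonlyMasterKey","statusCode_s":"200","operationType_s":"Read"}
"""


def parse_records(text):
    """Parse JSON lines into dicts, attaching a timezone-aware datetime as '_ts'."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec[F_TIME].replace("Z", "+00:00"))
        records.append(rec)
    return records


def ip_allowed(ip):
    """True if the client address falls inside one of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def is_read_write_key(key_type):
    """Master keys are read-write unless their name marks them read-only."""
    return key_type.endswith("MasterKey") and "Readonly" not in key_type


def triage(records, rotation_time=ROTATION_TIME):
    """Return (rule, record) pairs; a record may match more than one rule."""
    findings = []
    for rec in records:
        key_auth = rec[F_AUTH] == "key"
        if not key_auth:          # AAD / resource-token auth is what RBAC moves you toward
            continue
        status = int(rec[F_STATUS])
        succeeded = status < 400
        after_rotation = rec["_ts"] >= rotation_time

        # 1. A key-authenticated request that worked, from somewhere you do not run code.
        if succeeded and not ip_allowed(rec[F_IP]):
            findings.append(("key_from_unknown_ip", rec))
        # 2. After rotation, 401s on key auth mean a caller is still presenting the old key.
        if after_rotation and status == 401:
            findings.append(("rejected_after_rotation", rec))
        # 3. Read-only work done with a read-write key: a least-privilege candidate.
        if succeeded and is_read_write_key(rec[F_KEY]) and rec[F_OP] in READ_ONLY_OPS:
            findings.append(("rw_key_for_reads", rec))
    return findings


def summarize(findings):
    """Count findings per rule, as a plain dict sorted by rule name."""
    return dict(sorted(Counter(rule for rule, _ in findings).items()))


if __name__ == "__main__":
    for rule, rec in triage(parse_records(SAMPLE_LOG)):
        print(f"{rule:24} {rec[F_TIME]} {rec[F_IP]:15} {rec[F_KEY] or rec[F_AUTH]} {rec[F_STATUS]}")
    print(summarize(triage(parse_records(SAMPLE_LOG))))
```

The rotation itself is a single control-plane call (with the Azure CLI, `az cosmosdb keys regenerate --key-kind primary` against the account); the script is for the part that follows it, deciding whether anyone other than your own applications was holding the old key, and which workloads can be cut over to read-only keys or Azure AD roles so the next leaked key matters less.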
"Companies are still missing the basics like keeping on top of patching and maintaining ongoing audits of your configuration and setup," says Trustwave's Sigler. "If they can get those processes moving smoothly and continuously, organizations should move onto providing defense in depth by keeping external controls like firewalls, IDS systems, and MFA up to date and configured properly for the services and data they are meant to protect."
Quick Response and a Big Bug Bounty
Microsoft's response to the vulnerability came quickly. Notified of the issue on August 12, the company fixed it within 48 hours and told customers who had been affected to regenerate their primary read-write key. It also quickly paid the researchers the maximum bounty for vulnerabilities in Cosmos DB: $40,000.
"Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key," the Microsoft Security Response Center (MSRC) team said in its blog post. "Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable."
Overall, the handful of incidents that affect major cloud services should not dissuade companies from moving to the cloud. Cloud services continue to have a much better security track record than individual companies, says Lacework's Nunnikhoven.
"Over the past two years, there have been three or four cloud service vulnerabilities from the big three CSPs [cloud service providers] in their custom offerings — so, something that's not in underlying commercial or open source software," he says. "This low number of vulnerabilities, despite the high level of attention on cloud services, adds another data point to a growing list supporting the idea that you can be more secure in a cloud environment than on-premises."