While cloud services boast many welcome benefits – cost savings, fewer personnel, productivity gains – infosec professionals are bumping into some regular configuration challenges as they move more of their organizations' security functions to the cloud, experts say.
"When we see problems, we see configuration issues on the customer side," says Ryan Bergsma, training director for the Cloud Security Alliance (CSA). The most common issues? "We see lots of challenges with key management, access control, and exposed data storage," he says.
These issues are mostly straightforward to address, but first it's helpful to examine why security services in the cloud pose different challenges than a typical cloud service.
Service Providers' Limitations
Security services (and their attending configurations) aren't a one-size-fits-all proposition, unlike other X-as-a-service cloud offerings, many of which rely on a templated approach to accessing and storing data. With security, however, customer configurations are highly customized in order to handle some combination of legacy systems, regulatory requirements, and organizational practices for safeguarding customers, users, and all of their data.
So why don't Amazon Web Services (AWS), Microsoft Azure, and Google do more troubleshooting for enterprise customers? As every good security practitioner knows, there's a fine line between vigilant and creepy, and most cloud service providers (CSPs) work hard to make sure they don't cross it.
CSPs do a good job advising customers with best practices for cloud security, according to Doug Cahill, senior analyst and group director at consultancy Enterprise Strategy Group. But they share sparingly. "Major CSPs are rightfully reticent to supply a lot of details about how things are configured in the cloud so that they don't give their playbook to potential adversaries," he adds.
CSPs may provide advisories about specific customer configuration; Microsoft scans some GitHub posts to see what has been stored in source code, for example, and AWS alerts customers if they have misconfigured S3 buckets, Cahill explains.
"But how much should a CSP be scanning a customer's environment and warning them about bad management or open, sensitive data?" Cahill wonders aloud. "This is something the major CSPs really wrestle with."
Public Exposure by Default
Poorly configured data storage is a problem that can lead to unauthorized access and data loss. In fact, recent research from Digital Shadows found that 2.3 billion files are exposed this way. Unfortunately, "public" is the default access setting for many cloud data storage configurations, says John Yeoh, global VP of research at the CSA.
"Proper management of services with educated architects and developers is needed for secure use," he says. He'd like to see CSPs step up their notification game where end-user misconfigurations, change of services, and defaults are concerned. For example, Amazon recently released its Block Public Access tool for EC2 accounts to address this issue.
Access control, including privileged user access, appears to be the biggest cause of data breaches or loss, according to the CSA's Bergsma. The root of the problem lies in the insecure default configurations, as well as sloppy maintenance of access controls, such as old users not being removed, or overuse of admin controls allowed, he adds.
Consequently, some organizations are moving to zero-trust approaches, allowing only previously vetted resources onto the network and further securing those connections with software-defined perimeters.
"For public-facing services and cloud, multifactor authentication and the use of multiple accounts for privilege is a way to limit the compromising of accounts and the access of any accounts that become compromised," Bergsma says.
A primary concern for infrastructure-as-a-service (IaaS), in particular, is locking down the root account immediately upon its creation and creating separate super-admin accounts for day-to-day work. "The key for that root account needs to be managed in a way that it will never be lost or compromised," he emphasizes.
The overarching issue, however, is allowing too much access, Bergsma adds. "Documenting and implementing least-privilege policies is a must."
Most cloud customers use encryption to some degree, which then requires them to have flexible, robust key management processes. CSA's Yeoh recommends companies get clear about their requirements, specifically:
- Check compliance requirements to see whether you're obligated to use a hardware security module (HSM), an external device that manages and protects digital keys for strong authentication and also handles crypto-processes.
- The organization's internally created governance policies may also point to the need for a specific key management approach. Check with legal and risk management executives.
- Certain customer contracts may require handling keys in a certain way. Sales and legal personnel can help here.
Regardless of whether encrypted data is on-premises or in the cloud, scaling up key management in a workable way is a primary customer challenge, Yeoh adds.
"The biggest risks are with segregation of duties and data segregation for the key management components being used across multiple cloud services, on-prem environments, cloud brokers, and customers who manage their own keys," he explains. Further complicating the picture is the fact that CSPs still use their own key management solutions.
And that's why many customers have turned to using third-party key management brokers. But that won't work for all customers, not to mention adding yet another service provider to manage – and pay.
"Industry buy-in of an open API for cloud key management could be a potential solution to manage keys across IaaS, PaaS, SaaS, and on-prem environments," Yeoh says. "Using customer-managed key solutions when possible is one of CSA's recommendations."
Taken collectively, the CSA's suggestions will not only improve the secure functioning of cloud-based security services, but all cloud services in general. But it's clear that day is still out on the horizon.
"There is a cloud security readiness gap," ESG's Cahill notes. "The degree to which organizations are already consuming cloud is well ahead of their ability to secure use of those services."