No two cloud environments are the same. Each cloud service provider (CSP) implements its services differently and requires a different configuration. Understanding the right way to set up a cloud environment is part of a customer’s risk decision during cloud service procurement and setup. As these technologies become cheaper, easier to use and more available, they are increasingly adopted by organizations. IDC predicts that over 500 million digital apps and services will be developed and deployed using a cloud-native approach by 2023.
Organizations need highly connected IT environments to make this work, where integration between different systems, applications and departments is both fast and efficient. The success and massive adoption of cloud native approaches have come at a security cost, however. Recent research from Team Nautilus revealed that a significant proportion of companies that move to multi-cloud environments are not adequately configuring their cloud-based services. Team Nautilus analyzed a sample of misconfiguration issues including: storage (bucket/blob) misconfigurations, identity and access management (IAM) misconfigurations, data encryption issues, exploitable services behind open ports and container technology exploitation. Overall, 90% of the companies analyzed had a security issue caused by a cloud misconfiguration.
Some misconfigurations give attackers their initial access. Others are exploited later in an attack, to move laterally across the environment or to gain higher privileges. Either way, the bottom line is that these misconfigurations allow bad actors to attack the organization and achieve their goals, such as stealing invaluable information.
A good example of such an attack is a developer who uses one S3 bucket to store data that will be displayed to the application’s users, and another S3 bucket to store secrets and sensitive data, such as those users’ contact information and credit card details. The developer configures the first bucket to be readable by external users, which is what it is for. The second bucket, however, must never be exposed to the world. If the developer mistakenly applies the same public-read configuration (for example, a bucket policy that grants s3:GetObject to the wildcard principal "*") to both buckets, the sensitive data in the second bucket can be read by anyone who discovers the bucket name, and no exploit is needed. As such, minimizing and remediating these misconfigurations should be a top priority.
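The two-bucket scenario above, worked through as an added example that is not part of the original article: the bucket policies below are constructed samples in the standard S3 bucket-policy JSON format (the document a CSPM would retrieve from the control plane with GetBucketPolicy, together with the bucket’s Public Access Block settings from GetPublicAccessBlock). The bucket names, the account ID 123456789012 and the role name are hypothetical. The checker flags Allow statements that grant object reads to the wildcard principal, takes the RestrictPublicBuckets setting into account (when it is on, S3 ignores a public bucket policy for anyone outside the owning account), and ranks the result by whether the bucket holds sensitive data.

```python
"""Find S3 buckets whose policy makes their objects world-readable.

Added example (not from the article). Policies are constructed samples;
nothing is fetched from AWS, so this runs offline.
"""
import json

# Actions that let a principal read object contents (lowercased for matching).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# Constructed sample: the website-assets bucket, public on purpose.
WEBSITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-web-assets/*"}]})

# Constructed sample: the secrets bucket, given the same policy by mistake.
SECRETS_POLICY_BAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-customer-pii/*"}]})

# Corrected policy: only one (hypothetical) application role may read.
SECRETS_POLICY_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/checkout-app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-customer-pii/*"}]})

PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {key: True for key in PAB_OFF}


def _as_list(value):
    """Most policy fields accept either a single string or a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if the statement applies to everyone, anonymous users included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return (unconditional, conditional) lists of Sids that allow object reads
    to a wildcard principal. Conditional grants may still be public (e.g.
    aws:SourceIp 0.0.0.0/0), so they are reported for manual review."""
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional if stmt.get("Condition") else unconditional).append(sid)
    return unconditional, conditional


def evaluate_bucket(name, policy_json, public_access_block, sensitive):
    """Combine the bucket policy and Public Access Block into one finding."""
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    unconditional, conditional = public_read_statements(policy)
    # RestrictPublicBuckets=True makes S3 ignore a public bucket policy for
    # principals outside the owning account, so the objects are not exposed.
    restricted = bool(public_access_block.get("RestrictPublicBuckets"))
    exposed = bool(unconditional) and not restricted
    if exposed and sensitive:
        severity = "critical"
    elif exposed:
        severity = "info"      # public by design, e.g. static website assets
    elif conditional and not restricted:
        severity = "review"
    else:
        severity = "none"
    return {"bucket": name, "severity": severity,
            "public_statements": unconditional,
            "conditional_statements": conditional,
            "restrict_public_buckets": restricted}


def audit(inventory):
    """Evaluate every bucket and return findings, most severe first."""
    order = {"critical": 0, "review": 1, "info": 2, "none": 3}
    findings = [evaluate_bucket(**bucket) for bucket in inventory]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed inventory: the two buckets from the scenario, plus the fixed one.
SAMPLE_INVENTORY = [
    {"name": "example-web-assets", "policy_json": WEBSITE_POLICY,
     "public_access_block": PAB_OFF, "sensitive": False},
    {"name": "example-customer-pii", "policy_json": SECRETS_POLICY_BAD,
     "public_access_block": PAB_OFF, "sensitive": True},
    {"name": "example-customer-pii-fixed", "policy_json": SECRETS_POLICY_FIXED,
     "public_access_block": PAB_ON, "sensitive": True},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['severity']:8} {finding['bucket']}  "
              f"public={finding['public_statements']}")
```

Two design points are worth noting. The checker treats a policy with a Condition block as "review" rather than silently passing it, because a condition can be so broad that it is still public. And it ranks the same public-read statement as "info" on the website bucket but "critical" on the PII bucket: the configuration is identical, and only the data classification tells the two findings apart, which is exactly the context that the remediation process described later in this article has to supply.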
What’s Driving the Increase in Misconfigurations?
The leading cloud service providers, namely Amazon, Microsoft, Google and others, innovate at cloud speed. What this means is that new and updated services are introduced weekly. Keeping up with the security implications associated with these changes requires a dedicated team of experts that can continuously learn and evolve.
However, the huge demand for cloud native skills makes it harder and harder to find highly experienced and proficient practitioners in these new and advanced technologies. Less experienced practitioners mean more opportunities for misconfigurations and, ultimately, more security risk. Gaps in resources also slow remediation: we found that it takes enterprises an average of 88 days to address issues after discovery. When you consider that a single cloud misconfiguration can expose an organization to severe cyber risk, such as a data breach, resource hijacking or a denial of service attack, the consequences of failing to address misconfiguration issues are all too real to ignore.
Cutting Down on Cloud Misconfigurations
One of the most critical issues is the lack of visibility into the environment and of the context around each finding: the same open bucket policy is harmless on a public website bucket and a breach on a bucket of customer records. Organizations can remedy this by leveraging tools that discover configuration issues and analyze their context, and, first and foremost, by instituting a formal remediation process that uses that context to prioritize issues.
The action plan will vary by organization, but a common theme is to focus on the most urgent issues that may lead to the most severe outcome. Most detection and remediation systems are equipped with features that allow practitioners to triage and prioritize the alerts.
The introduction of shift-left practices allows developers to have end-to-end responsibility for their apps and components, but in some cases, developers lack the knowledge and experience that traditional security teams possess. Therefore, integrating Cloud Security Posture Management (CSPM) tools is critical and can help close the gap when security experience is lacking.
Organizations need a solution that goes beyond host-based security tools: a CSPM solution that operates at the cloud provider’s control plane, using the public cloud vendor’s own APIs to read the configuration of each service. This provides visibility into the configuration of cloud services that no agent on a host can see. A business that cannot proactively monitor for and fix service configuration issues will inevitably be exploited, and the damage is far more significant than with traditional OS or on-premises workloads, because a single control-plane misconfiguration can expose an entire service rather than one machine.