A cloud misconfiguration is an incorrect configuration of a cloud system that may lead to vulnerabilities. These misconfigurations typically occur when a user, administrator or team fails to implement the correct security settings in a cloud application – such as a SaaS application or an IaaS environment. Unfortunately, a simple misconfiguration issue can expose data, making it vulnerable to leakage or theft. Gartner’s Hype Report predicts that by 2025, 99% of cloud security incidents will be traced back to preventable misconfigurations made by end-users.
Recently, Amazon-owned Twitch announced a security incident that exemplifies this issue. In a statement, Twitch stated, “the incident was a result of a server configuration change that allowed improper access by an unauthorised third party.” Twitch is not the first or the last company to fall victim to a cloud misconfiguration issue. However, that’s not to say cloud misconfigurations are inevitable. With the right tools, procedures and governance structures, enterprises can reduce their chances of accidental data exposure in the cloud.
What are cloud services?
The National Institute of Standards and Technology (“NIST”) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Examples of popular cloud applications include email services such as Gmail and Office 365, data storage services like Dropbox and Google Drive and customer relationship management systems like Oracle and Workday.
There are multiple cloud deployment models: public, private and hybrid – each of which can be tailored to the specific needs of the end organisation. As well as this, there are different cloud service models: software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). Again, the different service models meet the needs of different customers, depending on their objectives and requirements. While some organisations choose to deploy internal private clouds, most tend to consider the cloud as a form of outsourcing. A segment of the company’s computer environment is hosted in, or corporate software is consumed from, the public cloud.
In our guide to supply chain cyber security, we have covered the risks relating to third parties and suppliers – and the cloud is no different. While reduced costs and efficiency are prime benefits of the cloud, it is not without risk. In particular, the cloud’s shared responsibility model presents unique challenges that organisations must address.
What is the cloud shared responsibility model?
Cloud providers and their customers operate in a “shared responsibility” matrix for cyber security management. The exact split of responsibility differs according to the cloud model in use. In the case of SaaS, the cloud provider carries most of the security responsibilities, leaving the customer to focus mainly on access control. The customer’s responsibilities increase with PaaS and increase again with IaaS. This is because customers can use PaaS and IaaS in many ways, which gives them greater flexibility to set these services up as required.
This additional flexibility does increase the potential for misconfiguration, although misconfiguration can happen in any cloud model. Misconfigurations are common because cloud platforms are becoming more powerful and, as a result, increasingly complex. Cloud configurations are also subject to regular change as new features are added and existing functionality moves to new components.
Some SaaS applications are incredibly powerful, offering complexity and regular change in equal measure. The most obvious example is Microsoft 365, which is relatively easy to set up and use but less easy for non-specialists to configure securely. Many cloud services include optional security settings that are left to the customer to deploy – meaning the cloud provider provides the capability, but the customer must deploy it. The best example of this is multi-factor authentication. Other examples include AWS CloudTrail and Google’s Cloud Security Command Centre.
Because the cloud shared security responsibility model can be complex to understand, a picture can be worth a thousand words. You can see how Microsoft shows shared cloud responsibilities here, and the AWS equivalent of the cloud’s shared responsibility model here. There are also third-party security benchmarks available to help customers ensure they are ‘hardening’ their cloud environments. The Centre for Internet Security (CIS) benchmarks for products, including popular cloud services, are available for viewing.
As complex as this might sound, the shared responsibility model aims not to confuse but to improve the overall resilience of cloud applications by addressing security from both the customer and provider’s perspective. One analogy is to think of using cloud services like renting a car. The car rental company – the cloud service provider – ensures the vehicle is safe to drive and in good condition. The customer – the enterprise – is responsible for driving the car safely while they rent it. In essence, the cloud service provider is responsible for securing the underlying infrastructure, while the customer is responsible for using the infrastructure correctly and securely.
What causes cloud misconfiguration issues?
Although cloud providers offer tools to help prevent cloud misconfigurations, the security of these services can be undermined if organisations misuse them. Cloud misconfigurations can have multiple origins – the most common of which are:
System Complexity: Public cloud services are quick and easy to spin up and start using, giving a false sense of security to the less experienced customer. The secure configuration of the service is typically more complex, as mentioned above. Less capable organisations gloss over security configuration whilst even the most experienced organisation can miss essential settings.
On top of this, cloud providers tend to have rapid innovation cycles, meaning new functionalities are released frequently. While these capabilities are intended to improve the customer experience, they also add increased complexity to the configuration process.
Ultimately, cloud tools require a specific set of skills and knowledge. Even if an IT administrator is confident using one provider – say AWS – that doesn’t necessarily make them proficient in Azure. Put simply, the depth and breadth of cloud services out there can be overwhelming to understand and manage.
Human error: Most cloud misconfigurations result from accidental or unintentional usage of the settings offered by the cloud service provider. For example, Amazon’s S3 buckets can be mistakenly configured to allow “public” access.
Poor governance and access controls: Because cloud application usage is often sprawling and ever-increasing, it can be difficult for IT departments to maintain control and oversight over how services and data are being used. If there are no stringent policies and procedures for security and privacy, end employees could unwittingly put sensitive data at risk. Moreover, for the sake of collaboration and productivity, some companies or teams may disregard access control policies for their cloud databases or applications. Without access restrictions in place, data are left vulnerable to exploitation or leakage.
Shadow IT: Cloud security research from security vendor Netskope indicates Shadow IT accounts for 97% of all cloud applications in use by organisations. Shadow IT refers to the use of information technology without the authorisation of the IT department. Within the context of the cloud, shadow IT is possibly one of the leading causes of misconfigurations because the ‘line of business’ users that set them up are focused on functionality and use rather than security and resilience. Ultimately, if the IT team does not have visibility into the cloud applications employees use, they cannot secure them according to existing policies and standards.
Supplier risks: The same cloud security risks your organisation faces also apply to any contractors, suppliers or partners you work with. This means if their cloud infrastructure is not configured correctly, the data you have shared with them could be at risk (even if the security of your own cloud environment is rock solid).
Sources of best practices for cloud security
Several expert resources are available to help organisations mitigate the risk of cloud misconfigurations. We recommend reviewing the National Cyber Security Centre’s (“NCSC”) cloud security guidance as a starting point.
Other sources of best practice include NIST’s guidelines on security and privacy in cloud computing, NIST’s general access control guidance for cloud systems and NIST’s cloud computing standards roadmap. While these resources are not light reading, they offer in-depth insight into the nature of the cloud’s shared responsibility model and the risks that enterprises must proactively mitigate.
The CIS benchmarks referred to above are also a great resource for assessing your own cloud security practices against best practices. If there is a CIS benchmark configuration that you don’t think you can apply, remember to manage it as an ongoing risk rather than simply ignoring it.
Finally, always consult the cloud provider’s own security guidance and recommendations. The larger providers publish very detailed security guidelines.
Ultimately, moving data and workloads to the ‘cloud’ doesn’t make them secure by default. It does mean that you offload many security responsibilities to the cloud provider, but there is still much left in the hands of the customer. Cloud security should be configured effectively at the outset and kept under ongoing review and management, especially in multi-cloud environments.
When deployed correctly, securely, and with stringent oversight, the cloud can be a cost-efficient and innovative way for businesses to grow and operate. To release the potential of the cloud, though, embedding security principles is essential.
If you need help or advice on managing your business’ cloud security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check that your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat.