Cloud security misconfigurations & how to prevent them

May 30th, 2023 Posted in Information Security

What are cloud misconfigurations?

A cloud misconfiguration is an incorrect configuration of a cloud system that may lead to vulnerabilities. These misconfigurations typically occur when a user, administrator or team fails to implement the correct security settings in a cloud application – such as a SaaS application or an IaaS environment. Unfortunately, a simple misconfiguration issue can expose data, making it vulnerable to leakage or theft. Gartner’s Hype Report predicts by 2025, 99% of cloud security incidents will be traced back to preventable misconfigurations made by end-users. 

It was recently reported that vehicle and customer data were vulnerable for over eight years due to a cloud misconfiguration at Toyota Motor. The misconfiguration of the cloud environment settings impacted over 260,000 customers. Toyota has taken measures to block access to data from external sources and is investigating the matter, as well as implementing a system to monitor the cloud environment.

Further to the Toyota breach, Amazon-owned Twitch announced a security incident that exemplifies this issue. In a statement, Twitch stated, “the incident was a result of a server configuration change that allowed improper access by an unauthorised third party.” Twitch is not the first or the last company to fall victim to a cloud misconfiguration issue. However, that’s not to say cloud misconfigurations are inevitable. With the right tools, procedures and governance structures, enterprises can reduce their chances of accidental data exposure in the cloud.  

Download your FREE Guide to Cloud Security.

What are cloud services?

The National Institute of Standards and Technology (“NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Examples of popular cloud applications include email services such as Gmail and Office 365, data storage services like Dropbox and Google Drive and customer relationship management systems like Oracle and Workday. 

There are multiple cloud deployment models: public, private and hybrid – each of which can be tailored to the specific needs of the end organisation. As well as this, there are different cloud models: Software as a service (SaaS) – check out cyber security for SaaS providers, infrastructure as a service (IaaS) and platform as a service (PaaS). Again, the different service models meet the needs of different customers, depending on their objectives and requirements. While some organisations choose to deploy internal private clouds, most tend to consider the cloud as a form of outsourcing. A segment of the company’s computer environment is hosted in, or corporate software is consumed from, the public cloud.  

Supplier Chain Cyber Security thumbnail

In our guide to supply chain cyber security, we have covered the risks relating to third parties and suppliers – and the cloud is no different. While reduced costs and efficiency are prime benefits of the cloud, it is not without risk. In particular, the cloud’s shared responsibility model presents unique challenges that organisations must address.  

We offer tailored cloud security services to suit your organisation’s unique requirements.

 

What is the cloud-shared responsibility model?

Cloud providers and their customers operate in a “shared responsibility” matrix for cyber security management. The exact split of responsibilities differs according to the cloud model in use. In the case of SaaS, the cloud provider is responsible for most security responsibilities, leaving the customer to focus on access control in the main. The customer’s responsibilities increase with PaaS and again more with IaaS. This is because PaaS and IaaS can be used by customers in many ways and thus provide greater flexibility to customers to set them up as required.  

This additional flexibility does increase the potential for misconfiguration, which can happen in any cloud model. These are common as cloud platforms become more powerful and increasingly complex as a result. Cloud configurations are also subject to regular change as new features are added, and existing functionality moves to new components.  

Some SaaS applications are incredibly powerful, offering complexity and regular change in equal measure. Further reading can be found in SaaS application security; the common risks. The most obvious example is Microsoft 365, which is relatively easy to set up and use but less easy to configure for non-specialists securely. Many cloud services often include optional security settings left to the customer to deploy – meaning the cloud provider provides the capability, but the customer must deploy it. The best example of this is multi-factor authentication. Other examples include AWS, CloudTrail and Google’s Cloud Security Command Centre. 

Because the cloud-shared security responsibility model can be complex to understand, a picture can be worth a thousand words. You can see how  Microsoft shows shared cloud responsibilities here, and the AWS equivalent of the cloud’s shared responsibility model here. There are also third-party security benchmarks available to help customers ensure they are ‘hardening’ their cloud environments. The Centre for Internet Security (CIS) benchmarks for products, including popular cloud services, are available for viewing.  

As complex as this might sound, the shared responsibility model aims not to confuse but to improve the overall resilience of cloud applications by addressing security from both the customer and provider’s perspective. One analogy is to think of using cloud services like renting a car. The car rental company – the cloud service provider – ensures the vehicle is safe to drive and in good condition. The customer – the enterprise – is responsible for driving the car safely while they rent it. In essence, the cloud service provider is responsible for securing the underlying infrastructure, while the customer is responsible for using the infrastructure correctly and securely.  

What causes cloud misconfiguration issues?

Although cloud providers offer tools to help prevent cloud misconfigurations, the security of these services can be undermined if organisations misuse them. Cloud misconfigurations can have multiple origins – the most common of which are:  

 System Complexity:Public cloud services are quick and easy to spin up and start using, giving a false sense of security to the less experienced customer. The secure configuration of the service is typically more complex, as mentioned above. Less capable organisations gloss over security configuration whilst even the most experienced organisation can miss essential settings. 

On top of this, cloud providers tend to have rapid innovation cycles, meaning new functionalities are released frequently. While these capabilities are intended to improve the customer experience, they also add increased complexity to the configuration process.  

Ultimately, cloud tools require a specific set of skills and knowledge. Even if an IT administrator is confident using one provider – say AWS – that doesn’t necessarily make them proficient in Azure. Put simply, the depth and breadth of cloud services out there can be overwhelming to understand and manage.  

 Human error:Most cloud misconfigurations result from accidental or unintentional usage of the settings offered by the cloud service provider. For example, Amazon’s S3 buckets can be mistakenly configured to allow “public” access.  

  Poor governance and access controls: Because cloud application usage is often sprawling and ever-increasing, it can be difficult for IT departments to maintain control and oversight over how services and data are being used. If there are no stringent policies and procedures for security and privacy, end employees could unwittingly put sensitive data at risk. Moreover, for the sake of collaboration and productivity, some companies or teams may disregard access control policies for their cloud databases or applications. Without access restrictions in place, data are left vulnerable to exploitation or leakage.   

 Shadow IT: Cloud security research from security vendor, Netskope, indicates Shadow IT accounts for 97% of all cloud applications in use by organisations. Shadow IT refers to the use of information technology without the authorisation of the IT department. Within the context of the cloud, shadow IT is possibly one of the leading causes of misconfigurations because the ‘line of business’ users that set them up are focused on functionality and use rather than security and resilience. Ultimately, if the IT team does not have visibility into the cloud applications employees use, they cannot secure them according to existing policies and standards.  

 Supplier risks: The same cloud security risks your organisation faces also apply to any contractors, suppliers or partners you work with. This means if their cloud infrastructure is not configured correctly, the data you have shared with them could be at risk (even if the security of your own cloud environment is rock solid).  

Common cloud misconfigurations

Let’s look at some of the most common cloud misconfigurations and steps you can take to avoid them:

  1.  Inadequate Monitoring and Logging
    Organisations – particularly those in their early stages of trading, often lack strict monitoring and logging procedures. It’s important to keep track of changes and activities on your cloud service and ensure they are properly logged. Activities to look out for are any suspicious behaviour, employees’ illegal actions or changes to settings. It’s also vital to ensure regular reporting and alerts are set up so any breaches can be dealt with in a timely manner.

  2. Using default credentials
    It may be easier for development teams to carry out activities and share information if a set of default credentials are used in the cloud service, however, this leaves the door open for potential threat actors, as default credentials are easy to guess. It’s important to set up a robust process and audit procedure, to ensure default credentials are not used in the production environment. ~

  3. Using third-party resources
    During the development of an application, many organisations rely on multiple third-party libraries, elements, and assets. Certain libraries may necessitate access to your cloud resources. Hence, it is crucial to conduct extensive research on their security vulnerabilities before opting for any third-party library. In the event of a vulnerability within a third-party library, threat actors can exploit it to gain unauthorised access to your resources.
  4. Storage access misconfigurations
    Often, organisations using cloud services mistakenly believe that “authenticated” and “authorised” users are the same. An “authenticated user” refers to anyone possessing AWS authentication (all AWS clients). A common misconfiguration example is granting S3 bucket access to all “authenticated users” instead of only “authorised users” of the application. This type of misconfiguration can have damaging consequences, as threat actors scanning for AWS S3 buckets can exploit this vulnerability and gain access to an organisation’s storage, resulting in the theft of sensitive information such as credentials and API keys.To prevent this from happening, security teams must ensure that storage access is restricted to individuals within the organisation and enable robust encryption for critical data stored in the buckets.
  5. Excessive permissions
    Excessive permissions give threat actors an opening to gain access to an organisation’s assets. It’s imperative to ensure excessive permissions are not granted to employees that do not need them to perform their tasks. This common misconfiguration can be avoided by securing vulnerable ports, which leads us to…
  6. Unrestricted ports
    An organisation’s security team should be aware of the range of inbound open ports and make sure that the ports that are not strictly necessary, are restricted. While outbound ports may not pose inherent risks, they have the potential to compromise systems, making them susceptible to data exfiltration. Any open port that is not absolutely necessary for operations must be blocked from the internet.

Sources of best practices for cloud security

Several expert resources are available to help organisations mitigate the risk of cloud misconfigurations. We recommend reviewing the National Cyber Security Centre’s (“NCSC”) cloud security guidance as a starting point.  

Other sources of best practice include NIST’s guidelines on security and privacy in cloud computing, NIST’s general access control guidance for cloud systems and NIST’s cloud computing standards roadmap. While these resources are not light reading, they offer in-depth insight into the nature of the cloud’s shared responsibility model and the risks that enterprises must proactively mitigate. 

The CIS benchmarks referred to above are also a great resource for assessing your own cloud security practices against best practices. If there is a CIS benchmark configuration that you don’t think you can apply, remember to manage it as an ongoing risk rather than simply ignoring it. 

You should also consider carrying out cloud penetration testing at the very least once per year to ensure you stay on top of any vulnerabilities that may have occurred and not yet been detected.

The recent update to ISO 27001 introduced some changes, one of which focuses on ensuring and maintaining information security and outlines the processes required for the acquisition, use, management and exit from cloud services in relation to the organisation’s unique information security requirements. In our most recent Cloud Security blog: Information security for the use of cloud services – we highlight the top 10 tips for choosing a Cloud Service provider. 

Finally, always consult the cloud provider’s own security guidance and recommendations. The larger providers publish very detailed security guidelines.  

Ultimately, moving data and workloads to the ‘cloud’ doesn’t make it secure by default. It does mean that you offload many security responsibilities to the cloud provider but there is still much left in the hands of the customer. Cloud security should be configured effectively at the outset and kept under ongoing review and management, especially in multi-cloud environments.  Furthermore, if you’re planning on migrating your cloud, there are multiple considerations you should take into account before executing the migration.

If you’d like further tips, take a deep dive into our blog on how to protect your organisation from a data breach where you’ll learn how to secure your systems and restrict access & permissions.

When deployed correctly, securely, and with stringent oversight, the cloud can be a cost-efficient and innovative way for businesses to grow and operate. To release the potential of the cloud, though, embedding security principles is essential. 

Need help with cloud security?

If you need help or advice on managing your business’ cloud security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check that your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat. 

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Image source http://www.freepik.com Designed by macrovector – edited by evalian
Matt Gerry

Written by Matt Gerry

Matt consults on information and cyber security, including incident response, security awareness and training, security gap analysis and certification advisory. Matt started his career working in large multinationals where he gained experience delivering large system implementations, leading projects, and handling key stakeholder relations. He holds an MSc in Information Security from Royal Holloway, University of London.