Security has become a major concern for customers of cloud service storage providers as more organizations migrate sensitive data and services to the cloud. A recent Ermetic survey found that nearly 80 percent of companies had experienced at least one cloud data breach in the past 18 months, while 43 percent reported 10 or more breaches.
Based on this finding, it makes sense that users are concerned about storing their critical business data in the cloud. What are the commons security misconfigurations and setup faults prevalent in the cloud environment? And what measures should security teams take to avoid these pitfalls?
Over the last two years, the DataArt security team had audited more than 20 cloud setups. For this column, we are sharing some statistics around the common security vulnerabilities companies face in the cloud and based on our findings, offer four tips for how to improve cloud security:
- Protect the network perimeter to reduce the attack surface.
In our experience, almost every second configuration – some 55 percent – had issues with firewalls. There were security groups that did not restrict either inbound or outbound traffic. Every fifth private cloud did not restrict access to common administrative (SSH, MS RDP) and database ports (MySQL, MS SQL, PostgreSQL). Even though cloud services are covered by the shared responsibility model, cloud users are still responsible for the security of Layer 3-4 and higher, while underlying physical security and basic network security are provided by cloud providers such as Amazon, Google and Microsoft. Therefore, it’s vital to configure strict rules for network security groups and use network access control lists (NACLs) in Amazon Web Services. None of the AWS setups that we’ve seen had proper NACLs.
- Secure digital identities and deploy mandatory multifactor authentication.
Today, classic network perimeter protection measures are insufficient because a misconfiguration of a firewall, network access control list or security group will leave many services unprotected, especially under today’s work-form-home trend. The move to WFH has only accelerated the need for better identity management. Unfortunately, only 28 percent of organizations we audited had mandatory MFA for users with access to the web console. And it’s an even worse situation for credential policies: A full 78 percent of audited setups had either a poor user credential policy (password complexity rules) or issues with access keys (many abandoned and non-rotated key pairs.) Typically DevOps teams overlook these measures, or they hope that their cloud setups will get integrated with existing third-party identity management tools.
- Practice defense-in-depth.
Security teams should take defense-in-depth seriously. For a bad threat actor, it’s much harder to penetrate multiple barriers. Companies should have the full range of defenses deployed: antivirus, identity management, network firewalls and IDS/IPS. Each layer of defense significantly increases the time required to defeat the protection barriers. We observed that each second setup used non-hardened pieces of infrastructure, including VM and Docker images and Kubernetes clusters, lacked proper Wireless Access Firewall configurations, or had multiple unused resources. Some 75 percent of IAM configurations had issues with permission management (too many admin users or too wide administrative roles) and only 10 percent were configured to collect audit logs properly. All these misconfigurations could lead to catastrophic consequences in case of a security breach, and it would be practically impossible to determine the root cause of the incident as all audit trails were missing.
- Deploy proactive threat monitoring.
Fortunately, the market offers numerous automated tools for auditing and continuous cloud compliance monitoring that help identify and remediate many security issues. In fact, 25 percent of audited setups use one of the tools. Nevertheless, companies should augment these products with annual or bi-annual manual security audits, as they could experience false positives and false negatives that require deeper investigations. This could include overly permissive IAM or S3 bucket policies, or issues with security processes and security operations, such as the absence of supply chain verification for VM and Docker images.
As a general rule, regular cloud security audits will help businesses verify that security controls are consistent with industry best practices. By using a solid mix of security control and tools with thorough audits, it’s possible for organizations to remediate security gaps and issues in a timely manner.
Yaroslav Vorontsov, senior software and security architect, DataArt
