Cloud Security, Patch/Configuration Management, Vulnerability Management

Report finds old misconfiguration woes continue to hammer corporate clouds

Visitors crowd a cloud computing presentation at the CeBIT technology trade fair in Hanover, Germany. Today’s columnist, Lior Yaari of Grip Security, explains the three elements of the Cloud Security Alliance’s best practices. (Sean Gallup/Getty Images)

Misconfigured buckets and leaky APIs continue to be the biggest and most impactful cloud security holes for businesses.

New research from security vendor Aqua Security, which draws on the past year of internal customer data, finds that businesses continue to suffer fallout from their poorly configured cloud assets in the form of data breaches. That jives with previous research: cloud misconfiguration errors compose close to half of all “miscellaneous error”-related breaches tracked in Verizon’s 2020 Data Breach and Incident Response report, while the percentage of misconfigured assets discovered continues to rise each year.

“When you consider that a single cloud misconfiguration can expose organizations to severe cyber risk, such as data breaches, resource hijacking, and denial of service…the consequences are all too real to ignore,” the report said.

These misconfigurations tend to open up security holes throughout an organization’s cloud environment, affecting storage buckets, identity and access management policies, data encryption, containerization and the services behind open internet ports.

Storage misconfigurations in particular are a major problem, leading to a weekly deluge of news and threat intelligence reports about the latest exposed cloud bucket. Cybersecurity experts have long known about this and other configuration problems, but a rash of post-pandemic cloud adoption could be pushing reams of new users to unfamiliar cloud environments, and the apparent business needs behind making these buckets publicly accessible to the open internet tend to outweigh the pressures to secure or reconfigure them. At least, until a breach occurs.

“Every major cloud service provider uses a default configuration that is set to private, so public access is prohibited,” the report states. “However, our data shows that many organizations change these configurations as part of their ongoing operations and business logic.”

Similarly, overly permissive storage policies also tended to be present in some form at nearly every organization, largely because “users don’t necessarily see permissive policy issues as high risk” and may be mistakenly assuming that other layers of the cloud security process will protect them.

Resources play an important role, something that can benefits larger enterprises, but bigger doesn’t always equal better. According to Aqua Security’s data, small and mid-sized businesses (which Aqua Security defines as users who scanned between one and several hundred cloud resources) were only able to fix approximately 40% of their detected issues, while larger enterprises (users who scanned hundreds or thousands of resources) were able to fix 70% of their detected misconfigurations.

However, security teams for small and medium sized businesses don’t have nearly the same ground to cover as their counterparts at multi-billion-dollar companies do. Even with substantially lower average budgets and headcounts, small and medium sized businesses averaged about 75 days to remediate or resolve their configuration issues, compared to an average of 88 days for larger organizations.

Those disparities become even more pronounced for problems like leaky storage buckets, where large businesses can take more than twice as long on average to remediate compared to their small and medium sized counterparts. It demonstrates how the complexity of an organization’s cloud security challenges can scale with its size.

“The more people you have accessing [your cloud] and the more accounts you set up, the more you have to consider,” said Michelle Peterson, product owner of Benchmarks, the non-profit Center for Internet Security’s guidance on how to navigate the cloud service provider market. “It’s not just a small group [anymore] utilizing these resources, but multiple tiers of your organization accessing these cloud environments and ensuring that there’s no change when someone decides to add a new account or make a change as an admin [or thinking] what impact does that have across the board?”

Another key recommendation from the Aqua Security report: treat all security issues affecting your Application Programming Interfaces as a critical vulnerability. Nearly half of all enterprise users had at least one misconfigured Docker API, and attackers are able to discover and exploit security vulnerabilities in APIs faster than defenders can find and fix them.

These interfaces are increasingly complicating the security picture for software application development as well as the cloud, and Peterson told SC Media that the ubiquitous use of API plugins by companies to facilitate communication between systems is both “an easy solution” to a lot of problems and also “a scary place” to be.

“It really is an easy solution that works well for a lot of folks, but again you’re stuck with the question what is the configuration for this? It’s not a good place…because you don’t just want to turn on access to everyone just for ease of sharing that data or having access or instant availability of content.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.