Cloud misconfigurations have plagued the industry for several years, but the problem has become far more prevalent over the past couple of years during the pandemic.
Driving that increase in cloud misconfigurations has been the speed at which organizations rolled out cloud applications in an attempt to cater to remote workers and customers. Many invariably opted for speed over security.
In a February study, the Cloud Security Alliance found that 51% of respondents felt that cloud misconfiguration and improper security settings are one of their leading concerns.
And as recently as last spring, after examining 23 Android applications, Check Point Research found that mobile app developers had potentially exposed the personal data of more than 100 million users through a variety of misconfigurations of third-party cloud services. The personal data exposed included emails, chat messages, location, passwords and photos, which, in the hands of malicious threat actors, could lead to fraud, identity theft, and service swipes.
Based on reporting by SC Media and research from industry leaders, here are five of the leading cloud misconfigurations and what security teams can do to prevent them.
Unrestricted inbound and outbound ports
UpGuard says all inbound ports open to the internet can cause potential problems. Why? Because while cloud services mostly use high-number UDP or TCP ports to prevent exposures, determined hackers can still sniff them out. Obfuscation can help, but it's insufficient by itself.
UpGuard advises that when migrating to a multi-cloud environment, organizations make sure the security team knows the full range of open ports, then restrict or lock down those that aren't strictly necessary.
Outbound ports also create opportunities for security events like data exfiltration, lateral movement, and internal network scans once there's a system compromise. UpGuard says granting outbound access to RDP or SSH has become a common cloud misconfiguration. Application servers seldom have to SSH (Secure Shell) to other network servers, so it's not necessary to use open outbound ports for SSH. Rather, limit the outbound port access and use the least privilege principle to restrict outbound communications.
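As an added illustration of the two checks UpGuard describes (not code from the article or from UpGuard), the following audits security-group style rules in a constructed, simplified shape: any inbound rule open to the internet that is not a single allowlisted port is flagged, and any outbound rule that lets SSH or RDP reach the internet is flagged. The group ids, the rule format and the sample groups are all constructed for the example.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}          # outbound ports app servers rarely need
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def is_world_open(cidr):
    """True if the CIDR is the entire IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False) in WORLD

def covers_port(rule, port):
    """True if the rule's port range (or an all-traffic rule) includes the port."""
    if rule["protocol"] == "-1":                 # "-1" = all protocols and all ports
        return True
    return rule["from_port"] <= port <= rule["to_port"]

def audit_group(group, required_inbound=frozenset({443})):
    """Return human-readable findings for one group; an empty list means clean."""
    findings = []
    for rule in group["ingress"]:
        if not any(is_world_open(c) for c in rule["cidrs"]):
            continue                             # only internal sources, not in scope here
        single = rule["protocol"] != "-1" and rule["from_port"] == rule["to_port"]
        if not (single and rule["from_port"] in required_inbound):
            findings.append(f"{group['id']}: inbound {rule['from_port']}-{rule['to_port']} open to the internet")
    for rule in group["egress"]:
        if not any(is_world_open(c) for c in rule["cidrs"]):
            continue                             # e.g. SSH to a bastion subnet is fine
        for port, name in ADMIN_PORTS.items():
            if covers_port(rule, port):
                findings.append(f"{group['id']}: outbound {name} (tcp/{port}) allowed to the internet")
    return findings

# Constructed sample groups: a default-style "allow all egress" group and a locked-down one.
DEFAULT_LIKE = {
    "id": "sg-app-default",
    "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
                {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}],
    "egress": [{"protocol": "-1", "from_port": 0, "to_port": 65535, "cidrs": ["0.0.0.0/0"]}],
}
LOCKED_DOWN = {
    "id": "sg-app-locked",
    "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}],
    "egress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
               {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}],
}

if __name__ == "__main__":
    for g in (DEFAULT_LIKE, LOCKED_DOWN):
        print(g["id"], audit_group(g) or ["clean"])
```

Running it reports three findings for the default-style group (inbound SSH, and outbound SSH and RDP via the all-traffic egress rule) and none for the locked-down group, where SSH egress is confined to an internal range.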
Lack of security standards for third-party integrations
Aqua Security says a lack of security standards for third-party integrations can create API security risks. It recommends treating every security issue affecting APIs as a critical vulnerability.
The reason: nearly half of all enterprise users had at least one misconfigured Docker API, and attackers can discover and exploit security vulnerabilities in APIs faster than defenders can find and fix them.
Failure to establish a security baseline for cloud development
The Cloud Security Alliance advises that before security teams even embark on a cloud journey, they should establish policies and standards specific to cloud environments. Establish baseline security configurations for every cloud platform the organization intends to use, the organization says, then ensure that these baselines are enforceable via an automated process that can help reduce manual intervention, thereby reducing risk.
With security standards in place, organizations can also more easily ensure new cloud applications are properly configured from the get-go.
Unnecessary changes to cloud vendor defaults
Vendors often enable monitoring, logging and private access by default. Changes made for the sake of user experience can create security issues.
Aqua Security points out that every major cloud service provider uses a default configuration that’s set to private, so public access is prohibited. However, data shows that many organizations change these configurations as part of their ongoing operations and business logic, and when these changes are made manually, that’s when there’s potential for misconfigurations, especially misconfigured storage buckets.
Aqua points out in its research that overly permissive storage policies are present in some form at nearly every organization, largely because users don’t necessarily see permissive policy issues as high risk, and often mistakenly assume that other layers of the cloud security process will protect them.
The development team has not set the proper security controls
The Cloud Security Alliance says that automation has become a “must-have” for cloud deployments. It’s not only for the ease of deployments, but also for embedding security directly into the build stage. Application teams should not have direct access to the cloud assets to make deployments.
In the CSA’s view, all code needs to flow from the secure CI/CD pipeline. Then, everything that gets into the pipeline must get scanned before it gets released into production.