Hardening and monitoring cloud configuration

What is system hardening?

The Center for Internet Security defines system hardening as the “process of limiting potential weaknesses that make systems vulnerable to cyber attacks.” While hardware and software manufacturers strive to practice ‘security by design’ principles, the reality is that the responsibility still largely rests on IT buyers and administrators to apply extra vigilance in vetting for vulnerabilities any time new systems are being integrated. Common examples of system hardening include configuring user privileges, enforcing strong password protections, setting account logins and lockouts, uninstalling superfluous applications and firmware, and implementing multi-factor authentication.

That’s why experts continue to stress the importance of system hardening as a fundamental baseline security discipline – even for the cloud. 

Many organizations are familiar with the benefits that moving to the cloud has to offer: increased production, faster services, improved security and analytics, and the flexibility to solve business-critical problems at scale. In the process of migrating workloads and applications to the cloud, however, organizations that do not take necessary steps to minimize their attack surface may find themselves easy prey to adversaries. System hardening plays an important role in securing cloud services.

Why is system hardening a good idea?

Most cyber criminals are looking to exploit low-hanging fruit. To put it plainly, they’re banking on organizations to leverage cloud services by default without taking the extra measure to secure cloud-based components and features. These include exposed APIs, weak password controls, misconfigured storage containers, improper access management, and shadow IT or non-authorized devices.   

Recent high-profile breaches make it clear that failure to harden systems puts organizations in the crosshairs.

  • IT consulting firm Accenture was hit by a LockBit ransomware attack in 2021. The LockBit exploit was first reported in 2019, but Accenture’s failure to harden server controls and protocols is thought to have contributed to the theft and publication of 2,400 data files on the dark web.
  • In June of 2022, investigators discovered a vulnerability in the cloud platform used by accounting and wealth management firm Moss Adams. The security gap included an “improperly stored virtual machine image” in a publicly available AWS S3 bucket that “did not require a password.” While the vulnerability was fixed before attackers could make use of it, the lax password policies could have resulted in theft of valuable credentials and consumer PII.
  • 37% of IT decision-makers surveyed by CyberRisk Alliance reported that their organization was the victim of a cloud-based attack or breach in the last two years. In the same study, nearly half (45%) of respondents said inadvertent exposure due to misconfigurations was their top security concern for their cloud environments.

There’s a pattern here. Organizations continue to shift applications and workloads to the cloud and many are failing to secure at scale as needed. Storage misconfigurations, overly permissive policies, and leaky APIs are the end result – and these critical weaknesses open doors for otherwise easily preventable attacks.

“The more people you have accessing [your cloud] and the more accounts you set up, the more you have to consider,” said Michelle Peterson, who previously directed the Center for Internet Security’s Benchmark guideline series. “It’s not just a small group [anymore] utilizing these resources, but multiple tiers of your organization accessing these cloud environments and ensuring that there’s no change when someone decides to add a new account or make a change as an admin [or thinking] what impact does that have across the board?”

Cloud security resources

Fortunately, there’s no shortage of resources that organizations can draw from to help harden their cloud operations. 

A good first step to take is conducting a security configuration assessment, or SCA, as an extension of a vulnerability management program. When exploring the market for SCA tools, look for those that automatically scan for IT configurations and cross-check them against CIS benchmark controls. An effective SCA should be able to aid with enforcing the following steps, at the very minimum. 

  1. Having users create strong passwords and change them regularly
  2. Removing or disabling all superfluous drivers, services, and software
  3. Setting system updates to install automatically
  4. Limiting unauthorized or unauthenticated user access to the system
  5. Documenting all errors, warnings, and suspicious activity
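
The five steps above, expressed as automated checks over a configuration snapshot. This is an added example, not code from CIS or from any SCA product; the snapshot field names, the allowed-service baseline and the thresholds (14 characters, 365 days) are assumptions chosen for illustration, not benchmark values.

```python
# Added example: a minimal security configuration assessment (SCA) pass.
# Field names, baseline and thresholds are assumptions, not CIS benchmark values.
SNAPSHOT = {  # constructed sample input
    "password_policy": {"min_length": 8, "max_age_days": 0},
    "services": ["sshd", "telnet", "nginx"],
    "auto_updates": False,
    "storage": [
        {"name": "vm-images", "public": True},
        {"name": "app-logs", "public": False},
    ],
    "audit_logging": True,
}
ALLOWED_SERVICES = {"sshd", "nginx"}  # assumed baseline for this host role

def check_passwords(s):  # step 1: strong passwords, changed regularly
    p = s.get("password_policy", {})
    if p.get("min_length", 0) < 14:
        yield "password minimum length below 14"
    if not 0 < p.get("max_age_days", 0) <= 365:
        yield "password rotation not enforced"

def check_services(s):  # step 2: nothing enabled beyond the baseline
    for svc in sorted(set(s.get("services", [])) - ALLOWED_SERVICES):
        yield f"superfluous service enabled: {svc}"

def check_updates(s):  # step 3: updates install automatically
    if not s.get("auto_updates", False):
        yield "automatic updates disabled"

def check_access(s):  # step 4: no unauthenticated access
    for b in s.get("storage", []):
        if b.get("public", True):  # a missing flag is treated as exposed
            name = b.get("name", "?")
            yield f"storage container allows unauthenticated access: {name}"

def check_logging(s):  # step 5: errors and suspicious activity are recorded
    if not s.get("audit_logging", False):
        yield "audit logging disabled"

CHECKS = [check_passwords, check_services, check_updates, check_access, check_logging]

def assess(snapshot):
    """Return {check name: [findings]}; an empty list means the step passed."""
    return {c.__name__: list(c(snapshot)) for c in CHECKS}

if __name__ == "__main__":
    for name, findings in assess(SNAPSHOT).items():
        print("PASS" if not findings else "FAIL", name, findings)
```

Settings that are absent from the snapshot are reported as failures rather than assumed safe, so an incomplete export cannot pass the assessment by omission.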

Organizations might also want to consider adding policy compliance management to simplify reporting of asset compliance. By embedding mandate-based reporting, security teams can ensure cloud configurations meet external regulations and multiple security mandates.

CIS Benchmarks are publicly available for download and can assist organizations when it comes to all aspects of system hardening, such as setting identity and access management controls, logging and monitoring, network hardening, virtual machines, storage, and cloud databases. Usefully, they also clarify which of their recommendations can be automated versus provisioned manually.

System hardening should be considered an essential pillar of any cybersecurity strategy. By investing in automated security configuration assessment tools and adhering to published CIS benchmark guidelines, organizations can reduce unnecessary risk and prevent vulnerabilities from being exploited.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
