Cloud (Mis)Configuration: What Do You Need to Consider?

Most IT and cybersecurity folks remember when cloud computing first emerged. Back then, the promise of enhanced convenience and security with cloud computing caused many business executives to sarcastically exclaim that the cloud was infinitely more secure than the on-premise data centers that existed. Perhaps this gave them comfort, enabling them to be early adopters of cutting-edge technology while eliminating all the threats that were under their own roofs.

This comfort wore thin over a short amount of time. Bad actors have increasingly turned their attention to the cloud. According to the 2020 Trustwave Global Security Report, the volume of attacks targeting cloud services more than doubled, from 9% in 2018 to 20% a year later. This growth made cloud services the third most-targeted environment, closely following corporate, and e-commerce categories. One may anticipate that these trends will continue, highlighting the need for organizations to secure their cloud environments.

Using default security configurations from a Cloud Service Provider (CSP)

Should you adopt the default security configuration from your CSP in an attempt to avoid a misconfiguration incident? Caution is in order here, as some of the default settings CSPs provide may not be required in your environment, and would be better off if they were disabled. An organization needs to be confident that the settings in the cloud environment are set in a way that best suits the organization. As part of a complete cloud security strategy, all the settings should be checked against an established hardening standard. Cloud service providers deliver a platform and the tools to manage that platform. Ultimately, it is not the responsibility of the CSP to secure your environment; it’s yours.

Misconfiguration of the Cloud

According to a Tripwire survey, 76% of participants said it’s difficult to maintain secure configurations in the cloud. One of the main reasons behind that alarming statistic is down to how many organizations change their Cloud Service Providers (CSPs) without proper consideration to the security implications. A large majority of organizations currently use Amazon Web Services (AWS) or Microsoft Azure. However, some use a hybrid of AWS and Azure, and more and more are adopting Google Cloud Platform (GCP). This creates an important realization: organizations need to “multi-skill” their employees to support these vastly different cloud platforms as they undergo their digital transformations.

Fostering skills across multiple CSPs is an important matter of security. Oftentimes, we see single-skilled workers try to adopt security on unfamiliar CSPs. Such unfamiliarity could produce a misconfiguration, enabling threat actors to access sensitive information.

Traditionally, those misconfiguration events involved storage silos like Buckets and Blobs. Malicious hackers seek out these errors, finding intellectual property or an organization's information in an insecure bucket. However, CSPs are now providing these services securely configured by default; the organization would have to deliberately change it to a public-facing state.

Who has access to the Cloud?

An organization deploying a new application must open up firewalls to permit access from certain destinations on specific protocols, increasing the exposure of the service.

This has to happen in the Cloud. All too often, we see overlooked IAM (Identity Access Management) configurations. If there is no direct connection to the cloud, or there is a site-to-site VPN in place, then the applications in the Cloud need to be exposed over the internet. It’s important to identify what those applications are, and restrict access to those who need access.

It’s a process that shouldn’t be rushed

In 2020, we saw a majority of organizations adopt a fully remote work model. We also saw the adoption of additional perimeter hardware to cope with the demand, and “jump servers” put in place to access systems securely.

Moving services to the cloud is not something that can or should be done overnight. It normally takes months of planning to migrate to the cloud. For example, Office365 can transfer your Active Directory management capabilities to the cloud. As we become more dependent on Software as a Service (SaaS), and Infrastructure as a Service (IaaS), there will be less demand on systems being accessed via remote VPNs.

Align to Cloud Hardening Standards

Fortunately, organizations can choose from a variety of standards to harden their cloud environments. There are many sources for mature standards, such as the Center for Internet Security (CIS), and the National Institute of Standards and Technology (NIST) that offer guidance for hardening cloud environments. Since there are a lot of overlapping controls in all the standards, as long as at least one standard is adhered to, it will help reduce the attack surface.

Attackers Automate, Why Shouldn’t You?

Over the years, security automation has been increasing to meet the demand of so many systems generating alerts, discovering vulnerabilities, churning out logs, etc. Automation now extends to compliance. There are solutions that can automate the process of checking multiple tests against many endpoints to show compliance across the organization. As a qualified and experienced cybersecurity professional, you will be in a great place to advise and guide your organization in secure cloud configuration. Using automated solutions enables you to continuously monitor systems for deviations from a specific standard, allowing you to be able to react quicker to potential security issues before a breach can occur.

Too many organizations discover security breaches when the breach occurs, and not before, so it’s time to get ahead of these breaches and help prevent them from happening in the first place. Attackers use automated tools to continuously scan CSPs for misconfigured systems, which we have learned can be easily achieved. As a cybersecurity professional, being able to use similar tools to ensure those holes are undiscoverable in the first place, will allow you to be able to add speed to a resilient cyber defense.

How the Certified Cloud Security Provider (CCSP) credential can help

CCSP certification is the most valued, vendor-neutral Cloud Security qualification. It demonstrates you have the knowledge needed to tackle the inevitable threats in the cloud environment. Certification advances your knowledge and understanding of cloud security by focusing on six different domains: cloud security operations, legal risk & compliance, cloud concepts architecture & design, cloud data security, cloud platform & infrastructure security and cloud application security.