Every year, the Cloud Security Alliance (CSA) releases a report ranking the top threats to cloud computing. This year, misconfigured resources jumped to second place on that list, just behind the number one threat, data breaches, which can themselves be the result of a misconfiguration or of a targeted attack.
The elevation of misconfigurations to second on the list is not a complete surprise. In 2018, IBM X-Force research identified that cloud security breaches attributable to misconfigurations had increased 20% year-over-year, and the latest IBM X-Force Intelligence Report claims misconfigured servers were responsible for 86% of the records compromised in 2019 (IBM).
Why are misconfigurations in the cloud such a problem?
Misconfigurations in the cloud are such a problem because they are easy for attackers to find and exploit, and hard to detect for businesses that lack cloud security tooling or IAM best practices. Once a misconfiguration has been found and exploited, attackers can often widen their access to other parts of the cloud environment through weakly protected interfaces (exposed management ports, over-privileged roles) and then exfiltrate data from cloud storage without being noticed.
Due to bots scouring the internet for misconfigurations, any vulnerability in a misconfigured server is likely to be a target for a cybercriminal within seconds. This is bad news for businesses without the tools or solutions in place to detect misconfigurations in the development pipeline or upon deployment. According to McAfee’s IaaS Adoption and Risk Report, only 18% of businesses detect and correct misconfigurations upon launch or within minutes—the rest taking hours (60%), days (20%), or months (2%).
Other negative consequences due to misconfigurations in the cloud could include:
- Impact to reputation, brand, and customer/partner trust
- Loss of intellectual property to competitors
- Regulatory or compliance violations
- Decreased market value
- Legal and contractual liabilities
- Financial expenses for recovery and reparations
Why do misconfigurations occur so frequently?
Many businesses choose to operate in the cloud for the speed at which resources can be deployed. Unfortunately, the same automated CI/CD pipelines that deliver that speed also replicate a misconfigured template or setting at scale, so one mistake becomes hundreds of misconfigured resources.
Especially in organizations with thousands of workloads and distributed operations, it is almost impossible to catch every possible misconfiguration by manual review. According to the McAfee report referenced above, the top ten most commonly misconfigured settings in AWS are:
- EBS data encryption
- Unrestricted outbound access
- EC2 Security Group port configuration
- Access to resources using IAM roles
- Unrestricted access to non-http/https ports
- Unrestricted inbound access on uncommon ports
- Unused security groups
- Unrestricted ICMP access
- EC2 Security Group inbound access
- EC2 instance belongs to a VPC
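Several of the settings in that list can be checked from the output of two AWS CLI calls. The script below is an added example, not code from the original post or from CloudHealth: it runs offline over constructed samples shaped like the JSON returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`, and flags unrestricted inbound access on non-web ports, unrestricted ICMP, unrestricted outbound access and unused security groups. The rule names, severities and the "web ports" allow-list are this example's own assumptions.

```python
"""Scan AWS security groups for the misconfigurations listed above.

Added example, not code from the original post or from CloudHealth. It works
offline on constructed samples shaped like the JSON that
`aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`
return; the rule names, severities and the "web ports" allow-list are this
example's own assumptions.
"""
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}      # "unrestricted" means reachable from any address
WEB_PORTS = {80, 443}                 # the only ports we allow open to the world (assumption)

# Constructed sample: a web group, a database group with several bad rules,
# and a legacy group that nothing uses any more.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
# Constructed sample of network interfaces: tells us which groups are attached to anything.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-0bbb"}]},
]


def _open_to_world(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)


def scan_security_groups(groups: List[Dict], enis: List[Dict]) -> List[Dict]:
    """Return one finding dict per violated rule, in group order."""
    findings = []
    in_use = {g["GroupId"] for eni in enis for g in eni.get("Groups", [])}
    for sg in groups:
        sgid = sg["GroupId"]
        if sgid not in in_use:
            findings.append({"group": sgid, "rule": "unused-security-group", "severity": "low"})
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue                     # restricted to specific CIDRs: fine for this scan
            proto = perm.get("IpProtocol")
            if proto in ("icmp", "icmpv6"):
                findings.append({"group": sgid, "rule": "unrestricted-icmp", "severity": "medium"})
            elif proto == "-1":              # "-1" is AWS shorthand for all protocols and ports
                findings.append({"group": sgid, "rule": "unrestricted-inbound-all-ports", "severity": "high"})
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
                if not (lo == hi and lo in WEB_PORTS):
                    findings.append({"group": sgid, "rule": "unrestricted-inbound-non-web-port",
                                     "severity": "high", "ports": f"{lo}-{hi}"})
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and _open_to_world(perm):
                findings.append({"group": sgid, "rule": "unrestricted-outbound", "severity": "medium"})
    return findings


if __name__ == "__main__":
    for f in scan_security_groups(SAMPLE_GROUPS, SAMPLE_ENIS):
        print(f)
```

On the sample, the web group passes, the database group produces three findings (SSH open to the world, ICMP open to the world, unrestricted egress) and the legacy group is reported as unused. To run it against a real account, replace the two samples with the `SecurityGroups` and `NetworkInterfaces` arrays from the CLI output; the unused-group check is the one that can only be done after deployment, because it depends on what is actually attached.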
How can you prevent cloud security breaches?
There are a number of ways to improve your cloud security posture in order to prevent security breaches, including:
- Restrict access to least privilege
- Disable regions where your cloud environment doesn't host workloads
- Disable cloud resources your teams don't need
- Encrypt data stored in the cloud, by volume or by tag
- Block inadvertent uploads and cross-region copies
- Deny access to privileged accounts unless MFA is enabled
- Rotate encryption keys and store them safely
- Enforce data security governance policies
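The first and fourth of those controls can be enforced before a resource exists at all, as a gate in the CI/CD pipeline that deploys the infrastructure. The script below is an added example, not code from the original post or from CloudHealth: it inspects a constructed CloudFormation template (the JSON form, loaded as a dict) and returns a non-zero exit status if any EBS volume is unencrypted or any IAM policy statement allows a wildcard action on every resource. Those two rules, the resource names and the sample template are this example's own assumptions.

```python
"""Fail a CI job when a CloudFormation template violates two of the controls above.

Added example, not code from the original post or from CloudHealth. It inspects
a constructed template (the JSON form, loaded as a dict) before anything is
created. The two rules are this example's own assumptions: every
AWS::EC2::Volume must set Encrypted, and no IAM policy statement may allow a
wildcard action on every resource.
"""
import sys
from typing import Any, Dict, List

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
             "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

# Constructed sample: one compliant and one non-compliant resource of each kind.
SAMPLE_TEMPLATE = {
    "Resources": {
        "DataVolume": {"Type": "AWS::EC2::Volume",
                       "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a",
                                      "Encrypted": True}},
        "ScratchVolume": {"Type": "AWS::EC2::Volume",
                          "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a"}},
        "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "everything", "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
        "ReaderPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]}}},
    }
}


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action/Resource/Statement be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _policy_documents(props: Dict) -> List[Dict]:
    """Collect inline and standalone policy documents from an IAM resource's properties."""
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
    docs += [p["PolicyDocument"] for p in props.get("Policies", [])]
    return docs


def _is_wildcard_allow(stmt: Dict) -> bool:
    """Allow with '*' or 'service:*' as an action and '*' as the resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    broad_action = any(a == "*" or str(a).endswith(":*") for a in actions)
    return broad_action and "*" in resources


def check_template(template: Dict) -> List[Dict]:
    """Return findings for the whole template; an empty list means the template passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        # YAML templates converted to dicts may carry "true" as a string, so accept both.
        if rtype == "AWS::EC2::Volume" and props.get("Encrypted") not in (True, "true"):
            findings.append({"resource": name, "rule": "ebs-volume-unencrypted"})
        if rtype in IAM_TYPES:
            for doc in _policy_documents(props):
                if any(_is_wildcard_allow(s) for s in _as_list(doc.get("Statement", []))):
                    findings.append({"resource": name, "rule": "iam-wildcard-allow"})
    return findings


def gate(template: Dict) -> int:
    """Exit status for the pipeline step: 0 passes, 1 blocks the deployment."""
    findings = check_template(template)
    for f in findings:
        print(f"BLOCK {f['resource']}: {f['rule']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_TEMPLATE))
```

Wired into a pipeline as `python gate.py && aws cloudformation deploy ...`, the deploy step never runs for the sample above, because `ScratchVolume` is unencrypted and `AdminRole` grants `*` on `*`. The point of checking at this stage rather than after launch is the one the post makes below: a scanner that runs against the live account can only tell you about a misconfiguration that already exists.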
There are also solutions available from the cloud service providers themselves and open-source tools on GitHub (e.g. S3Scanner) that can help detect misconfigurations (see our eBook to compare the security offerings of AWS, Azure, and GCP). While these are useful for finding a misconfiguration after a vulnerable resource has been deployed, they don't stop the vulnerable resource from being deployed in the first place. Additionally, while some security solutions can recommend fixes, they don't take into account the context of the vulnerable resource or how fixing it might affect other resources, especially in hybrid or multi-cloud environments.
Due to the highly complex and dynamic nature of the cloud, CSA states that “companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real-time.”
CloudHealth Secure State is a platform that applies continuous verification best practices to resources in development and once they’re deployed (in case of configuration drift). CloudHealth Secure State not only flags misconfigured resources, but prioritizes them in order of severity, and provides context-rich security insights so developers and system administrators can see what impact the recommended fixes will have on other resources.
And if you’re looking for additional tips and best practices to improve your cloud security posture and prevent misconfigurations, see our in-depth guide: Top 10 Best Practices For Cloud Security Posture Management