How to Tackle the Scourge of Cloud Misconfigurations
Table Of Contents:
An exposed cloud data store containing the personal information of players on Australia’s national football team underscores the growing threat posed by cloud misconfigurations. According to IBM, they were the cause of initial access in 11% of data breaches last year. But by implementing best practices like regular security audits, tighter access controls and encryption, and adhering to industry standards like ISO 27001, this kind of risk can be mitigated.
What Happened at Football Australia?
In February, researchers at Cybernews confirmed they had uncovered a data leak at Australia’s governing body for football. The incident was caused by improperly configured Amazon Web Services (AWS) keys and exposed 127 sensitive data buckets.
Alarmingly, one of these containers had zero safeguards in place and contained personally identifiable information (PII) such as the contracts and passports of players on Australia’s national football team. Other exposed data included the details of fans who bought tickets for games, digital infrastructure source code and scripts, and other information detailing the organisation’s infrastructure. Football Australia claims to have closed the security gap after receiving an alert from the researchers.
Cloud Misconfiguration Is an Epidemic
It can be difficult for short-staffed or overworked IT teams to keep up with the rapid pace of cloud innovation, and ensure the services their companies use are properly configured.
“Cloud misconfigurations have become endemic for understandable reasons. The breakneck pace of cloud innovation has rapidly increased complexity,” Increditools security analyst, Kelly Indah, tells ISMS.online. “AWS alone offers over 200 services, each with multiple configuration options. Many organisations have struggled to keep their in-house skills current amidst this technology tsunami.”
Indah also describes the complacency of some IT professionals as a major cause of cloud misconfiguration, warning: “The seamless ease of the cloud has led some to underestimate the care required in properly locking down environments.”
Additionally, IT professionals sometimes mistakenly believe the cloud provider is responsible for all cybersecurity matters, according to Sean Wright, head of application security at Featurespace.
However, the reality is that vendors and users both have a “shared responsibility” for securing cloud infrastructure. Wright tells ISMS.online that cloud providers typically handle infrastructure issues like hardware, networking and software, while the user is responsible for managing cloud accounts and ensuring configurations are secure.
When people without proper training use cloud platforms, problems like misconfigurations will inevitably arise.
“With so many services available, it’s easy to get things wrong,” Wright argues.
Vance Tran, co-founder of Pointer Clicker, says rapid cloud innovation has resulted in vendors releasing new features “faster than companies can update policies and train staff”.
“Additionally, enterprises spread responsibilities across many stakeholders without sufficient oversight, making oversight and accountability for security configuration management challenging,” he tells ISMS.online.
Different Types of Misconfiguration
When it comes to addressing this challenge, IT and cybersecurity teams should be aware of several common cloud misconfigurations. These include exposed keys and credentials – as per Football Australia – improperly configured access controls, open port and firewall rules, and unencrypted sensitive data at rest and in transit, says Pointer Clicker’s Tran.
A range of security issues can arise when IT teams allow too many people to access cloud services, or if they use outdated ports such as FTP on their cloud hosts, argues Stephen Pettitt, sales director of M247. He says such issues make the lives of IT professionals “even more difficult”.
Accidentally making sensitive data accessible to anyone is a recurrent cloud misconfiguration, according to Matt Middleton-Leal, managing director of EMEA North at Qualys.
“For example, 31% of AWS S3 buckets are publicly accessible, which exposes them to potential security vulnerabilities and attacks,” he tells ISMS.online. “Public S3 buckets also expose other services – for example, EC2 instances and RDS databases may be compromised if their access keys, credentials, or backup files are stored in an insecure S3 bucket.”
Increditools’ Indah adds that common issues such as publicly accessible cloud storage buckets and failure to enforce stricter access controls, “offer an open invitation to cyber-criminals”.
Best Practices Can Help
Featurespace’s Wright advises organisations to ensure that only sufficiently trained professionals are allowed to use cloud platforms and services. Failing this, he advises setting up a team of experts who can ensure cloud implementation is secure.
Pointer Clicker’s Tran adds that zero-trust security models and network segmentation can mitigate many cloud misconfiguration risks. Regularly auditing cloud services for misconfigurations and using automated security tools like Amazon GuardDuty will also help security teams identify vulnerabilities quickly, he adds.
Ensuring cross-functional teams understand shared security models is another important step.
“The cloud makes security everyone’s job,” Tran argues. “With the right culture and processes in place, even small organisations can stay on top of an ever-changing landscape.”
Adopting a globally recognized industry framework like ISO 27001 can also decrease the likelihood of cloud misconfigurations, according to Rob Warcup, a partner at Leading Edge Cyber. He tells ISMS.online: “ISO 27001 is a great framework to ensure that all bases are covered, including section ‘6.2 Information Security Awareness, Education and Training’, and section 5.1 Policies for Information Security.”
Taking proactive steps like regular audits, attack simulations, security awareness training, strict access controls and data encryption will enable enterprises to stop cloud misconfigurations from happening, according to Indah of Increditools.
“With vigilance and an ongoing commitment to cloud security best practices, organisations can avoid leaving the doors wide open to data theft,” she claims. “Tighten up your cloud configurations before you become the next cautionary tale.”
As Football Australia recently found out, cloud misconfigurations can have serious consequences. Regular checks for security gaps and adherence to industry-recognised security standards like ISO 27001 should help organisations better manage risk across this fast-growing part of their corporate attack surface.
