Companies are increasingly moving their IT operations to IaaS (infrastructure-as-a-service) solutions. Gartner estimates that by 2022, about 60% of business entities will be leveraging cloud-managed offerings, doubling the recorded use in 2018.
Cloud offerings like Amazon Web Services (AWS) are generally secure. But because IaaS operates under a shared responsibility model, in which the provider secures the underlying infrastructure and the customer secures everything they deploy on it, there is ample room for data security issues on the customer's side, including cybersecurity and workload concerns. Misconfigurations made when migrating to cloud-native environments can inadvertently open cybersecurity loopholes.
Misconfiguration isn't just a theoretical cloud computing concern. McAfee's enterprise security research shows that the typical enterprise experiences approximately 3,500 incidents monthly. From the study, 90% of businesses reported that they'd experienced IaaS security issues.
Therefore, getting it right with cloud migration configuration can significantly reduce future IaaS security issues and boost your digital transformation.
Cloud Misconfiguration – A Major Security Threat
Cloud misconfiguration refers to any glitch, gap, or error in how a cloud environment is set up that exposes it to risk during cloud adoption. The threats that exploit such gaps come in the form of security breaches, external hackers, ransomware, malware, or insiders who use the resulting weaknesses to get into your network.
The NSA considers cloud misconfiguration a leading vulnerability in a cloud environment. While the individual issues are often unsophisticated, their prevalence is extremely high.
Misconfiguration is a cloud computing problem because multi-cloud environments can be quite complicated, and it can be tough to detect and manually remediate mistakes. According to a Gartner survey, these issues cause 80% of all data security breaches, and through 2025, up to 99% of cloud environment failures will be attributed to human error.
This is tricky, since there is no one-time remedy for misconfiguration issues such as cloud leaks. What helps is building security procedures into the build stage, which requires DevOps and security teams to work collaboratively.
Common Cloud Misconfigurations and Their Solutions
Let's take a deep dive into the most common cloud misconfigurations that you'll likely have to deal with when migrating to a cloud environment.
1. Unrestricted Inbound Ports
Any port open to the internet is potentially problematic. Cloud services often place services on high-numbered TCP or UDP ports to reduce casual exposure, but a determined attacker can still find them with a port scan. Moving a service to an unusual port is obscurity rather than security: it can help a little, but it's insufficient by itself.
When migrating to a multi-cloud environment, make sure you know the full range of open ports and then restrict or lock down those that aren't strictly necessary.
2. Unrestricted Outbound Ports
These ports create opportunities for security events like data exfiltration, lateral movement, and internal network scans once a system has been compromised. Granting outbound access to RDP or SSH is a common cloud misconfiguration. Application servers seldom need to SSH to other servers, so there is rarely a reason to allow outbound SSH at all.
Make sure you limit the outbound port access and use the least privilege principle to restrict outbound communications.
3. "Secrets" Management
This configuration issue can be damaging to your organization. Securing secrets like API keys, passwords, encryption keys, and admin credentials is essential. Yet most companies expose them through compromised servers, poorly configured storage buckets, client-side HTML code, and public GitHub repositories. This is as risky as leaving your home's deadbolt key taped to your front door.
You can beat this by maintaining an inventory of all your company secrets in the cloud and regularly evaluating how they're secured. Otherwise, threat actors could easily breach your systems, access your data, and overrun your cloud resources to effect irreversible damage.
You may also use secret management solutions and services like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and AWS Systems Manager Parameter Store.
4. Disabled Monitoring and Logging
Surprisingly, most organizations fail to configure, enable, or review the telemetry and logs that public clouds provide, even though these can be quite detailed. Assign someone the responsibility of reviewing them regularly and flagging security-related incidents.
This tip isn't limited to IaaS public clouds: storage-as-a-service vendors provide similar information, which you must also review regularly. A maintenance alert or update bulletin can have profound security implications for your organization, but it won't help if no one is paying attention.
5. ICMP Left Open
ICMP (Internet Control Message Protocol) is used to report network device errors and check reachability, but it's also a common tool for threat actors. The same messages that tell you a server is online and responsive tell an attacker which hosts exist and are worth targeting.
It is also a vector for distributed denial-of-service (DDoS) attacks and is used by many types of malware. A ping flood can overwhelm your servers with ICMP messages, and a ping sweep maps which hosts are live. Dated as these techniques are, they are still effective, so make sure your cloud configuration blocks ICMP from the internet.
6. Insecure Automated Backups
Insider threats to your cloud environment are an ever-present cybersecurity risk. According to McAfee, about 92% of business organizations have employee credentials for sale on the dark web. One area where insider threats can be particularly damaging is when automated cloud data backups are not properly secured.
You may have protected your primary data, but poorly configured backups of that data remain vulnerable and exposed to insider threats.
When migrating to the cloud, ensure your backups are encrypted both at rest and in transit. Also, verify the permissions on the backups so that access to them is restricted.
7. Storage Access
When it comes to storage buckets, most cloud users believe that the "Authenticated Users" group covers only people already authenticated to their own applications or organization. Unfortunately, this isn't the case.
In S3, the "Authenticated Users" grantee group means anyone with any AWS account, which in practice is essentially any AWS client on the internet. Because of this misunderstanding and the access-control misconfiguration that follows from it, your storage objects can end up wholly exposed to public access. When setting storage object access, be especially careful to grant it only to principals within your own organization.
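The check below is an added example for this section and not code from the original article. It audits constructed copies of the three S3 API responses that decide whether a bucket is public (GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock), flagging ACL grants to the AllUsers and AuthenticatedUsers groups, unconditional wildcard-principal policy statements, and Block Public Access settings left off. The sample responses and bucket name are constructed; the group URIs and setting names are the real ones AWS uses.

```python
import json

# Pre-defined S3 groups that make a grant public. "AuthenticatedUsers" means
# any AWS account in the world, not users of your own organisation.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_findings(acl: dict) -> list:
    """Grants in a GetBucketAcl response that reach beyond your own account."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if who:
            out.append(f"ACL grants {g['Permission']} to {who}")
    return out

def policy_findings(policy_json: str) -> list:
    """Allow statements whose principal is the wildcard and that carry no Condition."""
    out = []
    for st in json.loads(policy_json).get("Statement", []):
        p = st.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            actions = st.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            out.append(f"policy allows {', '.join(actions)} to everyone")
    return out

def block_findings(cfg: dict) -> list:
    """Block Public Access settings that are off (each one should be True)."""
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    return [f"{k} is disabled" for k in BLOCK_KEYS if not pab.get(k, False)]

def audit_bucket(name: str, acl: dict, policy_json: str, block_cfg: dict) -> list:
    issues = acl_findings(acl) + policy_findings(policy_json) + block_findings(block_cfg)
    return [f"{name}: {i}" for i in issues]

# Constructed sample responses for a bucket that was "shared with authenticated
# users" and never had Block Public Access turned on.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in BLOCK_KEYS}}
```

A statement with a Condition is skipped rather than judged, since conditions such as a source-VPC restriction can make a wildcard principal non-public; review those by hand.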
8. Lack of Validation
This cloud configuration error is a meta-issue: most organizations don't create and implement systems for identifying misconfigurations whenever they occur. Whether it's an outside auditor or an internal team member, you need someone to verify that permissions and services are correctly configured and deployed.
Create a schedule that ensures validation occurs like clockwork because mistakes are inevitable as the cloud environment evolves. You also need a rigorous process of auditing cloud configurations periodically. Otherwise, you may leave a security loophole that cybercriminals can exploit.
9. Unlimited Access to Non-HTTPS/HTTP Ports
Web servers exist to serve websites and web services to the internet, but they often also run management services such as SSH or RDP, or host databases. These additional services must not be reachable from the entire internet.
Improperly configured ports can open your cloud infrastructure up to malicious actors looking to brute-force credentials or exploit the authentication service. If you must open these ports to the web, restrict them to accept traffic only from specific source addresses, such as your office.
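The following audit is an added example for sections 1, 2, 5, 8 and 9 and is not code from the original article. It walks the rules of a security group in the shape returned by the EC2 DescribeSecurityGroups API and reports inbound rules open to the whole internet (other than the web ports), SSH/RDP reachable from anywhere, ICMP open to the world, and outbound rules that allow everything or SSH/RDP. The sample group is constructed; the field names are the real API ones, and the "only 80 and 443 may be public" policy is an assumption you would adapt to your environment.

```python
import ipaddress
PUBLIC_OK = {(80, 80), (443, 443)}  # the only ports expected to be world-reachable
MGMT = {22: "SSH", 3389: "RDP"}     # flagged separately so they can be allowlisted

def _world_reachable(perm: dict) -> bool:
    """True when any CIDR on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r.get("CidrIp") or r.get("CidrIpv6")
             for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])]
    return any(c and ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def _mgmt_in(perm: dict) -> str:
    """'SSH', 'RDP', 'SSH/RDP' or '' depending on what a tcp/udp rule's range covers."""
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return ""
    return "/".join(n for p, n in MGMT.items() if perm["FromPort"] <= p <= perm["ToPort"])

def _inbound_issue(perm: dict) -> str:
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # AWS shorthand for all traffic
        return "all inbound traffic open to the internet (section 1)"
    if proto in ("icmp", "icmpv6"):
        return "ICMP open to the internet (section 5)"
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if (lo, hi) in PUBLIC_OK: return ""   # a public web port is expected
    mgmt = _mgmt_in(perm)
    return (f"{mgmt} open to the internet (section 9)" if mgmt
            else f"{proto} {lo}-{hi} open inbound to the internet (section 1)")

def _outbound_issue(perm: dict) -> str:
    if perm.get("IpProtocol") == "-1":     # the AWS default egress rule
        return "all outbound traffic allowed to the internet (section 2)"
    return "outbound SSH/RDP allowed to the internet (section 2)" if _mgmt_in(perm) else ""

def audit_security_group(sg: dict) -> list:
    """Findings for one group in EC2 DescribeSecurityGroups format."""
    gid, issues = sg.get("GroupId", "?"), []
    for key, check in (("IpPermissions", _inbound_issue), ("IpPermissionsEgress", _outbound_issue)):
        for perm in sg.get(key, []):
            msg = check(perm) if _world_reachable(perm) else ""
            if msg:
                issues.append(f"{gid}: {msg}")
    return issues

# Constructed sample: HTTPS (fine), SSH and ICMP open to the world, plus the default allow-all egress.
SAMPLE_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
], "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
```

Run on a schedule against every group in every account, this is the kind of validation section 8 asks for; rules that reference other security groups rather than CIDRs are deliberately not flagged.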
10. Overly Permissive Access to Virtual Machines, Containers, and Hosts
Would you connect a virtual or physical server in your data center directly to the internet without protecting it using a firewall or filter? You likely wouldn't, but people do exactly this in their cloud infrastructures all the time.
Some of the most common examples include:
- Enabling legacy protocols and ports like FTP on cloud hosts
- Legacy protocols and ports like rexec, rsh, and telnet on physical servers that were virtualized and moved to the cloud
- Exposing etcd (port 2379) for Kubernetes clusters to the public internet
You can avoid this cloud configuration mistake by securing important ports and disabling (or at the very least locking down) legacy, insecure protocols in your cloud environment, the same way you would treat your on-premises data center.
11. Enabling Too Many Cloud Access Permissions
A major benefit of cloud computing is its ease of scalability. However, this simplicity of expansion is not without its downsides. As cloud environments grow larger and more complex, administrators rapidly lose oversight of system controls.
Lack of visibility makes it harder for admins to review permissions and restrict access. They may also find it easier to enable default permission settings for all users to avoid dealing with an influx of access requests.
Unnecessary permissions greatly increase the risk of insider threats, which could result in cloud leaks and data breaches.
Organizations should seek to adopt the emerging Secure Access Service Edge (SASE) architecture, which enables more efficient cloud security, including the use of Cloud Access Security Brokers (CASBs) and Cloud Security Posture Management (CSPM) solutions to manage user permissions in multi-cloud environments.
12. Subdomain Hijacking (AKA Dangling DNS)
A common cause of this type of cyberattack is an organization deleting a subdomain's resource at its hosting provider (e.g. AWS, Azure, GitHub) but forgetting to delete the subdomain's associated records from the Domain Name System (DNS).
Once an attacker discovers the unused subdomain, they can re-register the freed resource via the hosting platform, so that the organization's own subdomain now routes users to malicious web pages under the attacker's control.
Such hijacking can result in malware injections or phishing attacks against unsuspecting users and can cause severe reputational damage to the original subdomain owner.
To avoid subdomain hijacking, organizations should always remember to delete DNS records for all domains and subdomains that are no longer in use.
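The checker below is an added example for this section, not code from the original article. It reads a zone export as (name, type, value) tuples and reports two kinds of dangling CNAME: one whose target is a name in your own zone that no longer has a record, and one whose target sits on a platform where freed hostnames can be claimed and that no longer resolves. The zone contents, the suffix list and the stand-in resolver are all constructed for the example; the zone apex is assumed to be the shortest owner name in the export.

```python
from typing import Callable, Iterable, List, Tuple

# Suffixes of platforms where a freed hostname can be claimed by whoever asks
# for it next (assumed list for the example, not exhaustive).
CLAIMABLE_SUFFIXES = (".s3.amazonaws.com", ".cloudapp.azure.com",
                      ".azurewebsites.net", ".github.io", ".herokuapp.com")

Record = Tuple[str, str, str]   # (owner name, type, value) from a zone export

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def find_dangling(records: Iterable[Record], resolves: Callable[[str], bool]) -> List[str]:
    """Report CNAMEs whose target is gone: either an in-zone name with no
    remaining record, or a claimable third-party host that no longer resolves.
    `resolves(host)` is injected so the check can run against DNS or offline."""
    recs = [(_norm(n), t.upper(), v) for n, t, v in records]
    owners = {n for n, _, _ in recs}
    zone = min(owners, key=len)          # shortest owner name is the apex
    findings = []
    for name, rtype, value in recs:
        if rtype != "CNAME":
            continue
        target = _norm(value)
        if target.endswith("." + zone) and target not in owners:
            findings.append(f"{name} -> {target}: target has no record in the zone")
        elif target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            findings.append(f"{name} -> {target}: claimable host no longer resolves")
    return findings

# Constructed zone export: a retired campaign site on S3 and an alias to a
# status host that was already removed from the zone.
SAMPLE_ZONE = [
    ("example.com.", "A", "192.0.2.1"),
    ("www.example.com.", "A", "192.0.2.10"),
    ("shop.example.com.", "CNAME", "www.example.com."),
    ("promo.example.com.", "CNAME", "old-campaign-site.s3.amazonaws.com."),
    ("docs.example.com.", "CNAME", "company-docs.github.io."),
    ("status.example.com.", "CNAME", "legacy-status.example.com."),
]
STILL_EXISTS = {"company-docs.github.io"}     # stand-in for live DNS answers

def fake_resolves(host: str) -> bool:
    return host in STILL_EXISTS
```

In production, `resolves` would wrap a real lookup; for platforms that answer wildcard DNS for every name (S3 bucket hostnames, for instance) it must instead check that the resource itself still exists, since the hostname resolves even after the bucket is deleted.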
13. Misconfigurations Specific to Your Cloud Provider(s)
While misconfigurations like open ports and overly permissive access apply to all cloud providers, many others are specific to the service(s) you’re using. For example, default public access settings on S3 buckets are a well-known AWS flaw.
Organizations should research cloud misconfigurations specific to their cloud service provider(s).
Some common known misconfigurations for popular cloud providers are linked below.
How to Safeguard Your Data from Cloud Misconfigurations
The following expert recommendations will help you securely configure your cloud environment and maintain its security:
- Remember forgotten services – Development and operations teams often create new cloud applications and servers, configure them once, and never recheck the configuration. Ensure you know where all your cloud services and assets are and what state they're in.
- Develop policy and templates – IT leaders must bake known-good security settings into the base configuration templates for their environments so that every future instance of a piece of cloud infrastructure or an application inherits past lessons.
- Automate security and configuration checks – Agile development already leans on extensive automation to build and deploy secure code. Apply the same automation to checking your running infrastructure and applications for security and compliance, not just at deployment time.
- Leverage provider tools – You must understand the extent to which you share your security responsibility with the cloud provider. More responsibility is on the customer's end with infrastructure-as-a-service clouds, while the cloud service provider primarily manages SaaS offerings.
- Conduct risk assessments – Cybersecurity risk assessments help you identify potential threats in your cloud storage and other infrastructure sections when migrating your data and operations to the cloud.
Threats Still Exist Even with Great Configuration
Learning about the different misconfigurations during cloud migration and avoiding them can help you identify and eliminate most security vulnerabilities. However, it's almost impossible to eradicate cloud security risks. This is a leading reason why monitoring network traffic is essential.
Decision-makers can leverage continuous monitoring that covers the full scope of their company network, from every device at the edge to the cloud core, to spot inconsistencies or unusual activity that indicates security and misconfiguration issues.
Network admins can assess important cybersecurity metrics and provide effective remedies to these issues before they cause cloud data breaches, DDoS attacks, ransomware and malware injections, or other cyberattacks with far-reaching implications.
An automated solution, like UpGuard, can help mitigate your attack surface and manage third-party cloud exposures through real-time monitoring and streamlined remediation workflows.