As a movie genre, Westerns tend to be long…very long, often. But there’s one Wild West show that’s been going on for nearly two decades, with no signs of stopping and not even a pause for intermission: the lawless stampede to the cloud.
Surprisingly, the Western analogy really does hold water here. Because as any fan of Westerns knows, law and order didn’t come until long after the Western front had been settled on a mass scale. Similarly, most organizations have already transitioned to either hybrid, multi-cloud or single-provider cloud, yet an element of lawlessness still, to this day, persists in cloud deployments.
In this post, we’ll drill down into why this chaotic environment continues to exist and what we can all do to rein it in.
There are a lot of reasons cloud environments tend to be messy and confusing. Interestingly, properly configured cloud security systems are infrequently overcome by threat actors. Yet we find so many storage systems that have been left exposed, so many databases that need stronger encryption, so many indications that whoever was doing the cloud security configuring needed a LOT more training. You don’t have to look farther than the recently exposed Toyota breach – which went on for over a decade, affected over two million customers and happened …you guessed it…due to a cloud storage misconfiguration.
What kind of misconfigurations am I talking about? Here’s a short list, based on our actual findings in customer cloud instances:
- Publicly accessible resources – open ports, protocols and services on cloud entities (EC2 instances, S3 buckets, databases, APIs, and more)
- Improper access control – weak or inadequate authentication and authorization controls (such as SAML, 2FA, RBAC)
- Insecure communication channels – failure to use secure communication protocols (such as SSL/TLS or VPN), allowing MITM attacks
- IAM misconfiguration – improperly configured IAM policies and roles that result in excessive permissions or privilege escalation, allowing attackers to gain elevated access
- Misconfigured logging and monitoring – logging and monitoring not correctly configured, so security incidents are not detected in time
- Lack of network segmentation – failure to properly segregate networks, which enables lateral movement if an attacker gains access
Four Top Drivers of Cloud Chaos
Two decades into the cloud revolution, why are we still experiencing problems whose origins are well-known and well-understood?
- Lack of skilled resources – There is a massive shortage of skilled cybersecurity professionals. One study estimated a global cybersecurity workforce gap of 3.4 million people in 2022, with those numbers set to rise this year. Unskilled cloud admins aren’t aware of the intricacies of integration, prioritization, segmentation and permissions. They lack knowledge of industry best practices – simple things like maintaining separate cloud accounts for CI/CD, production, development, customer service, and more. And they don’t know how to prioritize and handle the tsunami of cloud security issues raised by CSPM and other cloud security systems, because they lack both skilled resources and visibility.
- Cloud vendors don’t want liability – This is an uncomfortable truth. The fact is that cloud providers offer security tools but leave security responsibility to the customer for a reason. They don’t want the liability in the event of a breach. This is an inherent shortcoming of the shared responsibility model – making the responsibility less “shared” and more “split”. And, coming back to my first point above, this leaves critical decisions in the hands of people who may not be cloud security pros.
- Everybody’s got their hands on it – Then there is the sheer scope of enterprise-scale cloud deployments. This results in people who don’t think they need to know about security doing things that dramatically affect security. There are so many entities, so many permissions, so many roles and so many authentications in the cloud. Most users have no idea of best practices, and end up doing stuff like spinning up S3 buckets but never closing them, leaving orphans that are an inherent security risk.
- Shared responsibility creates blind spots – Another huge cloud challenge relates to the shared security responsibility model. As we have all figured out by now, the security for data or applications created in the cloud, sent to the cloud, or downloaded from the cloud is not the responsibility of the cloud provider. This responsibility falls squarely on the shoulders of the cloud customer. The cloud provider is responsible for securing their infrastructure – but you are responsible for securing everything that you bring into the cloud environment.
Four Quick Fixes
So how can this situation be, eh, reined in?
Here are a few suggestions:
- Starting ASAP, new in-house training regimes can help cloud users better understand the implications of their everyday actions on organizational security as a whole. For example, they can tighten access control in line with simple principles of least privilege. They can learn more about the extent of their security responsibility vis-à-vis cloud providers. And they can learn the basics of cloud configuration, to avoid the type of glaring errors we encounter every day.
- Cloud users should also become more aware of their responsibilities within the shared responsibility model. It’s absolutely essential to know what the cloud provider is covering and what falls within the responsibility of the security team. This can change from cloud provider to cloud provider, so as they say, caveat emptor.
- Consider onboarding tools that help rein in the complexity of the cloud. For example, use AWS native tools to understand compliance posture and perform continuous audits to assess the overall security risk of your cloud environment. Also consider a tool that provides the overall perspective on how attackers can pivot from on-prem to cloud and vice versa.
- Tighten access control procedures. It’s critical to apply least-privilege, need-to-know permissions for every type of permission or access – role separation by department/responsibility, temporary access tokens or API keys.
Bringing Law and Order to the Cloud
Two decades after this massive expansion began, it’s time to finally tame the cloud and restore order in this vast digital frontier. I hope the tips above shed some light on what your organization can do to finally get it right.