In July 2021, roughly 1,000GB of data and more than 1.6 million files belonging to residents of eighty US municipalities, including physical addresses, telephone numbers, ID documents and tax records, were left exposed. In February 2022, Civicom, a video conferencing company, leaked more than 100,000 audio and video recordings of its customers’ private meetings.
The root cause of both breaches? Misconfigured AWS S3 buckets.
Incidents caused by cloud misconfiguration are far from rare. According to Check Point’s 2022 Cloud Security Report, 27% of organisations experienced a security incident in their public cloud infrastructure in the past year, and nearly a quarter of those incidents were caused by security misconfigurations in the cloud infrastructure itself.
The issue of shared responsibility
Underpinning cloud security is the Shared Responsibility Model. The cloud provider is responsible for the security of the underlying platform; the customer is responsible for securing what it builds on top of it: identities and their permissions, network rules, storage permissions and the data itself.
This leaves room for error, particularly because what you can configure, and the defaults you start from, differ between public cloud environments such as AWS, GCP or Azure, and differ again for SaaS applications. A deliberate strategy for identifying these misconfigurations is therefore essential.
Spot the error
The most efficient way to identify cloud security misconfigurations is to use security posture tools (the product category is usually called Cloud Security Posture Management, or CSPM), which monitor the cloud environment automatically and continuously. With workloads moving to the cloud faster than security teams can review them by hand, these tools provide visibility that manual review cannot.
They also let the business measure its configuration against cloud benchmarks and standards from reputable bodies such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).
The best tooling goes a step further and offers advice on remediating each issue. Findings are generally categorised into one of seven brackets: identity, management, databases, data, compute, network and security.
Security teams should note that most posture tools are built for public cloud (IaaS/PaaS) environments rather than for SaaS. It is still worth spending time finding a tool that covers both domains so that effort is consolidated. Once the right tool is in place, integrate its results with the Security Information and Event Management (SIEM) platform.
SIEM complements posture management: posture management determines whether misconfigurations exist, and the SIEM ensures that the Security Operations Centre (SOC) is promptly informed of the risk and can act on it.
In the absence of a SIEM, an event bus can be used instead. Findings from the posture tool are published to the bus, where each event is evaluated against a set of rules. The rules decide whether the event is allowed, denied or requires modification; in practice, whether the configuration is an accepted exception, is escalated to the SOC, or is queued for remediation.
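The pipeline just described (normalise posture findings into a common schema, then pass each one through ordered rules that return allow, deny or modify) looks like the following. This is an added example written for this article, not code from the original or from any CSPM vendor; the export format, the control ids such as `S3_BLOCK_PUBLIC_ACCESS`, the resource names and the meaning attached to the three outcomes are all assumptions chosen to illustrate the text.

```python
"""Route cloud posture findings through event-bus style rules.

Added example for this article; not the output format of any real CSPM
product. The export shape, control ids, categories and the three outcomes
(allow / deny / modify) are assumptions chosen to illustrate the text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# The seven brackets the article lists for posture findings.
CATEGORIES = {"identity", "management", "databases", "data",
              "compute", "network", "security"}


@dataclass
class Finding:
    resource: str            # cloud resource identifier (ARN-style here)
    check_id: str            # control the finding maps to (placeholder ids)
    category: str            # one of CATEGORIES
    severity: str            # low | medium | high | critical
    tags: Dict[str, str] = field(default_factory=dict)


def normalise(raw: dict) -> Finding:
    """Map one record of a (constructed) tool export onto the common schema.

    Unknown categories are rejected rather than silently bucketed, so a
    vendor schema change surfaces as an error instead of a lost finding.
    """
    category = raw["service_group"].strip().lower()
    if category not in CATEGORIES:
        raise ValueError(f"unknown finding category: {category!r}")
    return Finding(
        resource=raw["resource_arn"],
        check_id=raw["control"],
        category=category,
        severity=raw["severity"].strip().lower(),
        tags=dict(raw.get("tags") or {}),
    )


# A rule inspects a finding and returns an outcome, or None to fall through.
Rule = Callable[[Finding], Optional[str]]


def approved_public_site(f: Finding) -> Optional[str]:
    """allow: a bucket tagged as an approved public website is an accepted exception."""
    if f.check_id == "S3_BLOCK_PUBLIC_ACCESS" and f.tags.get("public-website") == "approved":
        return "allow"
    return None


def remediate_public_bucket(f: Finding) -> Optional[str]:
    """modify: any other publicly reachable bucket is queued for auto-remediation."""
    if f.check_id == "S3_BLOCK_PUBLIC_ACCESS":
        return "modify"
    return None


def escalate_high_severity(f: Finding) -> Optional[str]:
    """deny: remaining high/critical findings go straight to the SOC."""
    if f.severity in ("high", "critical"):
        return "deny"
    return None


# Order matters: the first rule that returns an outcome wins, so exceptions
# must be listed before the broader rules they carve out of.
RULES: List[Rule] = [approved_public_site, remediate_public_bucket, escalate_high_severity]


def route(finding: Finding, rules: List[Rule] = RULES) -> str:
    """Return the outcome for a finding; unmatched findings are only logged."""
    for rule in rules:
        outcome = rule(finding)
        if outcome is not None:
            return outcome
    return "log"


def process(export: List[dict]) -> Dict[str, str]:
    """Normalise a whole export and return {resource: outcome}."""
    return {f.resource: route(f) for f in map(normalise, export)}


# Constructed sample export; resource names and account id are made up.
SAMPLE_EXPORT = [
    {"resource_arn": "arn:aws:s3:::corp-marketing-site", "control": "S3_BLOCK_PUBLIC_ACCESS",
     "service_group": "Data", "severity": "High", "tags": {"public-website": "approved"}},
    {"resource_arn": "arn:aws:s3:::corp-hr-exports", "control": "S3_BLOCK_PUBLIC_ACCESS",
     "service_group": "Data", "severity": "High"},
    {"resource_arn": "arn:aws:iam::123456789012:user/deploy", "control": "IAM_USER_WITHOUT_MFA",
     "service_group": "Identity", "severity": "High"},
    {"resource_arn": "arn:aws:rds:eu-west-1:123456789012:db:reporting", "control": "RDS_AUTO_MINOR_UPGRADE",
     "service_group": "Databases", "severity": "Low"},
]

if __name__ == "__main__":
    for resource, outcome in process(SAMPLE_EXPORT).items():
        print(f"{outcome:<6} {resource}")
```

The point worth noticing is the rule order: the approved-website exception sits ahead of the blanket remediation rule, so the same control id produces `allow` for the tagged bucket and `modify` for the untagged one. Whatever actually consumes these outcomes (a SIEM alert, a remediation Lambda, a ticket) is outside this example; the bus rules only decide the routing.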
Taking it a step further
Beyond tooling, there are three other areas that organisations must address when dealing with misconfigurations.
The first is comprehensive training for everyone who works with the cloud. When a mistake is made, treat it as an opportunity to educate or re-educate the relevant staff: they should understand what went wrong, how it was fixed and what to do differently so that the same problem does not recur.
Second, when applying system updates or introducing new software, use sandbox environments, so that if anything goes wrong the damage is isolated from the wider cloud platform.
Finally, organisations should ‘shift left’ and perform security testing from the development stage onwards. This is best done through automation and by building security best practices into Infrastructure as Code (IaC), so that a misconfiguration is caught in a pull request or pipeline run before it ever reaches a live account. It is also a key step towards more mature cloud deployments.
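One concrete form of shifting left is a pipeline step that inspects the Terraform plan and fails the build if it would create a publicly reachable S3 bucket, the misconfiguration behind both breaches mentioned at the top of the article. The check below is an added example, not code from the original article or from any IaC scanning product. It assumes the plan is in the JSON shape that `terraform show -json <planfile>` emits (only the `planned_values` section is used), and the bucket names and resource addresses in the sample plan are constructed.

```python
"""Shift-left check: fail a pipeline when a Terraform plan ships a public S3 bucket.

Added example, not code from the article. The plan below is a constructed,
trimmed version of the shape `terraform show -json <planfile>` produces;
resource addresses and bucket names are made up.
"""
from typing import Dict, List

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def planned_resources(plan: dict) -> List[dict]:
    """Flatten planned_values, descending into child modules."""
    found: List[dict] = []

    def walk(module: dict) -> None:
        found.extend(module.get("resources", []))
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return found


def scan_plan(plan: dict) -> Dict[str, List[str]]:
    """Return {bucket_address: [problems]} for every bucket not locked down."""
    resources = planned_resources(plan)
    buckets = [r for r in resources if r.get("type") == "aws_s3_bucket"]
    # Companion resources are matched to their bucket by name. If the name is
    # computed it is absent from planned_values, so the bucket shows up here
    # as unprotected; that is the safe failure mode for a pre-deploy gate.
    acls = {r["values"].get("bucket"): r["values"].get("acl")
            for r in resources if r.get("type") == "aws_s3_bucket_acl"}
    pabs = {r["values"].get("bucket"): r["values"]
            for r in resources if r.get("type") == "aws_s3_bucket_public_access_block"}

    findings: Dict[str, List[str]] = {}
    for res in buckets:
        name = res["values"].get("bucket")
        problems: List[str] = []
        # `acl` on the bucket covers the pre-v4 AWS provider; aws_s3_bucket_acl covers v4+.
        acl = res["values"].get("acl") or (acls.get(name) if name else None)
        if acl in PUBLIC_ACLS:
            problems.append(f"public ACL {acl!r}")
        pab = pabs.get(name) if name else None
        if pab is None:
            problems.append("no aws_s3_bucket_public_access_block attached")
        else:
            left_open = [flag for flag in PAB_FLAGS if not pab.get(flag)]
            if left_open:
                problems.append("public access block leaves open: " + ", ".join(left_open))
        if problems:
            findings[res["address"]] = problems
    return findings


def _bucket(addr: str, name: str, acl: str = "private") -> dict:
    return {"address": addr, "type": "aws_s3_bucket", "values": {"bucket": name, "acl": acl}}


def _pab(addr: str, name: str, **flags: bool) -> dict:
    values = {"bucket": name, **{flag: True for flag in PAB_FLAGS}, **flags}
    return {"address": addr, "type": "aws_s3_bucket_public_access_block", "values": values}


# Constructed plan: one bucket done right, one publicly readable with no
# public access block, one whose block leaves a single flag off.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    _bucket("aws_s3_bucket.logs", "corp-logs-eu1"),
    _pab("aws_s3_bucket_public_access_block.logs", "corp-logs-eu1"),
    _bucket("aws_s3_bucket.assets", "corp-assets", acl="public-read"),
    _bucket("aws_s3_bucket.backup", "corp-backup"),
    _pab("aws_s3_bucket_public_access_block.backup", "corp-backup", restrict_public_buckets=False),
]}}}

if __name__ == "__main__":
    import sys
    results = scan_plan(SAMPLE_PLAN)
    for address, problems in results.items():
        print(f"FAIL {address}: " + "; ".join(problems))
    sys.exit(1 if results else 0)
```

Run against a real plan with `terraform plan -out tf.plan && terraform show -json tf.plan > plan.json` and pass the parsed JSON to `scan_plan`; a non-zero exit blocks the merge. The check deliberately treats a bucket whose public access block cannot be matched as a failure rather than a pass, because in a pre-deploy gate a false alarm costs a review comment while a false pass costs the kind of exposure the article opened with.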
To sum up: first assess the cloud assets in use, noting whether they are IaaS and/or SaaS environments; then select the appropriate security posture tool, remediate its findings and feed them to the SIEM for correlation and later analysis. Where possible, ‘shift left’ and tackle issues as close to the source as possible, to avoid a snowball effect further down the line.
Our cloud environments are expanding quickly and becoming increasingly complex to manage. But if we maintain visibility and use the tools at our disposal, we can beat the odds.