Exploring what’s next for public-cloud security, including top risks and how to implement better risk management.
The pandemic has fast-tracked migration to the public cloud, including Amazon Web Services, Google Compute Platform and Microsoft Azure. But the journey hasn’t exactly been smooth as silk: The great migration has brought a raft of complex security challenges, which have led to headline-grabbing data exposures and more. Misconfigurations and a lack of visibility into cloud assets and inventory are the biggest culprits for public-cloud insecurity. Thankfully, there are approaches that can help.
When it comes to enabling a new at-home workforce, moving to the cloud fits the bill. Public-cloud services also offer agility and scalability, allowing businesses to quickly spin up new users and instances as needed. And for some entities, the cloud can offer cost savings vs. having to maintain their own physical infrastructure.
It’s no wonder that Intelprise predicted in August 2021 that public-cloud spending will exceed 45 percent of all enterprise IT spending by 2026, up from just less than 17 percent in 2021.
“Even absent the pandemic there would still be a loss of appetite for [on-prem] data centers,” said Sid Nag, research vice president at Gartner. “Emerging technologies such as containerization, virtualization and edge computing are becoming more mainstream and driving additional cloud spending. Simply put, the pandemic served as a multiplier for CIOs’ interest in the cloud.”
However, as with any major sea change, this transition has caused a certain amount of confusion and scrambling on the part of some stakeholders, including, crucially, IT security staff.
Onn a September 2021 report from the nonprofit Cloud Security Alliance (CSA), nearly 70 percent of respondents – comprising 1,090 IT and security professionals – reported that their company’s cloud security, IT operations and developer teams are misaligned on security policies and/or enforcement strategies.
Migration is “a non-trivial thing to do,” said Prevailion CTO Nate Warfield, and it “takes lots of planning to do it.” After all, it’s a seismic shift from the traditional work done by security and infrastructure teams, which are often far more accustomed to their traditional on-prem tasks – think racking a server, for example.
“With COVID, a lot of that planning got compressed,” Warfield observed, with organizations forced to make the move “far faster than they would have wanted to.”
That means that security has lagged, as IT security teams rush to get up to speed on cloud security, and all of the new challenges that it brings.
Cloud Blind Spots
There are indeed many challenges, because there are multiple factors that complicate the deployment and maintenance of highly secure cloud environments. Some of the most common concerns and risks that scrambling IT security teams have run into include:
- Insufficient staff skills
- Data loss/leakage
- API vulnerabilities
- Malware infections
- Insufficient identity and access management controls
- Lack of visibility into what data and workloads are within cloud applications
- Inability to monitor data in transit to and from cloud applications
- Cloud applications being provisioned outside of IT visibility (e.g., shadow IT)
- Inability to prevent malicious insider theft or misuse of data
- Advanced threats and attacks against the cloud application provider
- Inability to assess the security of the cloud application provider’s operations
- Vendors failing to alert customers of vulnerabilities
- Inability to maintain regulatory compliance
- Misconfigurations of cloud hardware and/or cloud software
The lack of planning in the rush to the cloud has led to simple mistakes that trigger serious security catastrophes. According to the 2020 Cloud Threat Report from Oracle and KPMG, a full 51 percent of organizations reported that misconfigurations have led to compromise and exposure of sensitive data.
Such misconfigurations include the unwitting exposure of unencrypted data to the public internet without any required authentication, granting public access to storage buckets, improper creation of network functionality, allowing all system users access to exposed cloud-stored data, and storing encryption passwords and keys in open repositories, among other issues.
These kinds of oversights are to blame for a rash of headline-grabbing data exposures, including:
November 2021: The leak of more than 1 million users’ data due to a misconfiguration of Elasticsearch, Logstash and Kibana (ELK) stack security at the hands of the free VPN service Quickfox.
March 2021: The arts-and-crafts retailer Hobby Lobby left 138GB of sensitive customer information, source code for the company’s app, and employee names and email addresses open to the public internet because of a cloud misconfiguration in its Amazon Web Services (AWS) cloud database.
December 2019: vpnMentor discovered a breached database that leaked over 500,000 highly sensitive and private legal and financial documents. The database belonged to two financial technology companies – Advantage Capital Funding and Argus Capital Funding – that were storing it in an AWS S3 bucket without basic security measures such as encryption, authentication or access credentials.
In fact, in 2020, the U.S. National Security Agency (NSA) concluded that misconfiguration of cloud resources was the most common cloud cyberrisk. It’s the easiest vulnerability for attackers to exploit in order to gain unauthorized access to cloud data and services, with possible outcomes ranging from denial-of-service (DoS) attacks and malware installation to account compromise and data exposure, the agency said.
The aforementioned CSA report backs up the NSA’s findings: More than one in six companies – 17 percent – reported that they experienced a public-cloud security breach or incident due to a cloud misconfiguration in the preceding year.
In the infamous July 2019 Capital One breach, more than 106 million customers’ data were compromised by an attacker who exploited a server misconfiguration in AWS (suspected to be an AWS engineer). The following October, some senators alleged that Amazon was at least partly to blame.
And when the subject of blame comes up, so too does the shared responsibility model for the public cloud and the confusion over who, exactly, is responsible for what.
As the NSA has explained in the past, public-cloud service providers often provide tools to help manage cloud configuration, and yet misconfiguration on the part of end customers “remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.”
Those misconfigurations often come out of a misunderstanding of shared responsibility models, according to the NSA.
According to Walter Maino CTO at AI cybersecurity at Intelprise threat detection and response firm Vectra AI, the migration to public clouds such as AWS, Google Cloud Platform and Microsoft Azure has brought these notions of shared responsibility, as it relates to the security and compliance of the overall solution, to the fore.
AWS’s infrastructure-as-a-service (IaaS) model and Microsoft’s platform-as-a-service (PaaS) Azure model both try to communicate the principle that “we take care of the basics, while you take care of what’s under your control,” Tavakoli said.
He added, “In other words, AWS will ensure that S3 buckets can only be accessed consistent with the policy governing their use – but it is the customer’s responsibility to set a policy appropriate to the data stored there. Or, when delivering PaaS services on Azure, Microsoft’s responsibility is to ensure that the OS used to deliver the service is patched and hardened.”
Thus, public-cloud providers aren’t generally considered on the hook for users leaving their storage buckets open to the internet without authentication, for instance. But, Tavakoli noted that their dealings with vulnerabilities show that providers’ portion of shared responsibility can actually complicate customers’ security postures.
A bug handled well: In February 2019, public-cloud customers benefited from the shared-responsibility model when all CSPs patched a container-escape vulnerability, CVE-2019-5736, that could have granted attackers access to the contents of the underlying OS and any virtual machines (VMs) running under the same hypervisor. In contrast, organizations that ran containers in their own data centers were on their own, having to rush to patch their container OS images.
Bugs gone bad: In August 2021, a vulnerability in Microsoft’s Azure Cosmos DB, the scalable, multitenant NoSQL database, was disclosed that could allow an attacker on one cloud account to tamper with data in other customers’ cloud instances. It was found to only affect customers who had the Jupyter Notebook feature of Cosmos DB enabled. But as (bad) luck would have it, that feature was automatically enabled for all Cosmos DBs created after February 2021. Thus, customers who didn’t even use the feature were exposed.
“It highlights the fact that just because a company isn’t actively using a particular feature (Jupyter Notebooks), that doesn’t mean it’s not exposed to vulnerabilities within that feature,” Tavakoli noted.
As Prevailion’s Warfield explained, another part of the problem with shared responsibility is that “cloud providers don’t take a proactive stance towards breach/compromise monitoring.”
Why CSPs Won’t Necessarily Call When They Spot Problems
In many cases, public-cloud providers “won’t even pass on notifications to their customers [when] they have received [notifications] from external researchers,” Warfield said. But it’s not that they don’t care about security, he said, pointing to Microsoft’s “well-developed process to secure its hypervisor layer.”
Instead, “due to the nature of providing IaaS/PaaS/SaaS solutions, a large amount of the work is left to the customer,” he noted. Warfield knows the scenario first-hand from working with Microsoft: He was a senior security researcher for Windows Defender ATP up until March 2021.
“I’m sure there are liability issues involved,” he said. “Lawyers would have logical reasons why Microsoft won’t tweak settings on [a customer’s] machine. [Customers] might have good reasons for their settings.”
But besides potential legal ramifications, the big cloud providers “aren’t staffed for it anyway,” Warfield said. Imagine this hypothetical: 12,000 customers are compromised by, say, overly permissive firewalls. The response that Warfield would expect to hear from Microsoft, he conjectured, is that “we don’t have the capacity to handle it if they all call support,” he said.
At Prevailion, he said, “we’re constantly seeing people breached.” To professionals like Warfield, security problems such as misconfigurations or lack of visibility are “somewhat frustrating,” he said. “These aren’t new problems. We were getting close to solving them before networks showed up, with firewalls, for example. [Then came the] rush to the cloud, and now we’re seeing circa-1997 problems. It’s a 20-year-old problem in a 2-year-old technology.”
Lack of Visibility
Another top blind spot in cloud security is lack of visibility, whether it’s knowing exactly what data and workloads are in an organization’s public cloud accounts or which cloud applications are being provisioned outside of IT teams’ visibility (e.g., shadow IT).
Shadow IT is the term for data being housed in unsanctioned IT resources – i.e., employees using a cloud application to do their work that wasn’t provided by the company. It’s nothing new: Employees have long gone behind the backs of their organizations’ IT departments in a quest to find easier ways to get their jobs done, to innovate and to boost their productivity. But the problem is that IT security guardians can’t see shadow IT, manage it, secure it, or figure out when to permit or forbid its use.
According to industry analyst firm Gartner, as many as one-third of successful attacks on enterprises target these untracked, invisible-to-IT resources, many times due to poor password hygiene. According to Verizon’s 2021 Data Breach Investigations Report, over 80 percent of data and privacy breaches are due to poor password practices.
But 1Password CEO Jeff Shiner also explained what can happen if, say, workers are using two popular cloud services: Airtable – a cloud collaboration service that offers the features of a database but applied to a spreadsheet – and the grammar-checking service Grammarly: “Say Carlos populates Airtable with customer data for his email campaigns, and Anita checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about,” Shiner suggested.
It’s not just a hypothetical risk. In 2018, a security bug cropped up in Grammarly’s Chrome extension that exposed its authorization tokens to websites, allowing sites to assume the identity of a user and view that user account’s documents.
Gaining visibility into an organization’s data, workload and apps can help to “start clarifying your thinking,” said Eric Kaiser, senior security engineer at the cloud-native security analytics platform Uptycs. “It brings up the kind of questions you need to ask regardless of the environment,” such as “what does normal look like?”
“Especially with instances turning on or off, especially in a multi-cloud or hybrid cloud,” he said. “What are the things in AWS and on servers that I have to care about?”
The Road Ahead
As we’ve seen, misconfigurations, data breaches and myriad other cloud pitfalls have pockmarked businesses’ journey to the cloud. However, the cloudsec road ahead doesn’t necessarily have to be as jarring as it’s been so far.
For example, increasingly, there are freely available open-source tools that can help.
Kaiser noted that it’s possible to create deep visibility into cloud security by using CloudQuery, an open-source cloud asset inventory tool powered by SQL that enables assessment, auditing and evaluation of the configurations of cloud assets. It’s built on the principles of OSquery: a tool that similarly uses basic SQL commands that let users query their endpoint devices like a database.
To put it into concrete terms, tools like CloudQuery can paint a vivid landscape of the security environment to solve for a range of security issues, such as:
Frequency analysis: What apps are being run by only one person? Who is that one person? What’s their need? Conversely, is the only user an autoclicker, which automates a mouse clicking on a computer screen?
User-behavior analytics: Users generate millions of network events every day. Using tools to perform analytics on their behavior can enable detection of compromised credentials, lateral movement and other malicious behavior. By uncovering patterns and insight, IT teams can identify evidence of intruder compromise, insider threats and risky behavior on the network.
Discovery: Visibility tools can give users insights into what, exactly, they’re running on the cloud: services that they might not even be aware they were running “until they got the bill,” Kaiser said. Such tools can also discover data that users weren’t sure that they were responsible for, including things that developers turned on for what should have been brief, task-related purposes, like those autoclickers.