Many breaches occurring today involve applications that reside in the cloud. We often hear the cause is a misconfiguration on the customer side. So, what can be done to aid in identifying these misconfigurations? Hosting the right discussions within the organization and having the proper considerations will reduce the risk and the number of misconfigurations when moving data and applications to the cloud.
We must first understand the differences in cloud services. There are three general categories of cloud services:
- SaaS – Software as a service
- PaaS – Platform as a service
- IaaS – Infrastructure as a service
Take the time to become familiar with the shared responsibility model for your provider before adopting a cloud solution. Both Amazon AWS and Microsoft Azure publish their shared responsibility models online. Understanding the shared responsibility model aids in identifying the proper configurations to reduce risk and operate in a more secure environment.
Shared Responsibility Model
With an on-premises solution, the main areas you manage include: application, data, runtime, middleware, O/S, virtualization, servers, storage and network. Essentially, you are responsible for all aspects of operating, maintaining, and securing the solution.
More security responsibility falls on the customer as you go lower down the stack of the cloud services provider.
- SaaS – The cloud service provider manages the entire stack. Contracts and the RFP are the primary mechanism to govern security. I like to use a quote my Compliance Manager often states: “You cannot contract away responsibility.” Governance is still your responsibility in a SaaS format.
- PaaS – Your organization is responsible for secure application development and deployment
- IaaS – The enterprise customer is using a server from the cloud provider, which requires the customer to manage security to include items like user access, data, applications, operating systems and network traffic
Examples Of Typical Cloud Misconfigurations
A recent breach that most folks are familiar with is the Capital One exposure of millions of records. The press release on the event listed a firewall misconfiguration as the attack enabler. Other items include:
- Lack of Logging
- Lack of access control and access management – leaving access wide open
- Unsecured AWS S3 buckets – left discoverable on the Internet, open to download from, or even to write to
- Unmanaged or mismanaged permissions controls
- Not selecting or turning on controls provided by the cloud vendor that protect you
- Lack of audit and governing controls
- Lack of understanding the shared responsibility model
- Lack of knowledge, skills, or experience in utilizing and deploying cloud solutions
- Unsecure data storage elements
- Default credentials
- Default configuration settings
- Unpatched systems
- Unrestricted access to ports
- Unrestricted access to services
- Absence of change control – change control in a cloud environment is inherently different than in an on-premises environment
According to the CSA's "Top Threats to Cloud Computing: The Egregious 11", “Misconfiguration occurs when computing assets are set up incorrectly, often leaving them vulnerable to malicious activity.”
There are solutions that automate the governance of misconfigurations and others that focus on remediation. Exploring these options benefits your organization and should be considered when designing your cloud strategy.
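To show what automated governance of misconfigurations looks like in practice, here is an added example (not from the original article or any vendor product) that audits a constructed inventory for three items from the list above: unrestricted access to ports, S3 buckets without the vendor's public-access block turned on, and lack of logging. Field names follow AWS EC2/S3 API responses; the inventory layout, resource names, allowed-port policy and function names are assumptions.

```python
import ipaddress
# Constructed sample inventory. Field names follow AWS EC2/S3 API responses;
# the two-list layout and all resource names are assumptions for this example.
INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "buckets": [
        {"Name": "reports", "LoggingEnabled": {"TargetBucket": "audit-logs"},
         "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        {"Name": "uploads", "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    ],
}
PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may face the Internet
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def is_world_open(cidr):  # True for 0.0.0.0/0 and ::/0
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(inventory, public_ok=PUBLIC_OK_PORTS):
    findings = []
    for sg in inventory["security_groups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # IpProtocol "-1" carries no port fields and means every port.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = any(p not in public_ok for p in range(lo, hi + 1))
            if any(map(is_world_open, cidrs)) and exposed:
                findings.append((sg["GroupId"], "unrestricted-port-access"))
                break  # one finding per group is enough
    for b in inventory["buckets"]:
        pab = b.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) for k in PAB_KEYS):
            findings.append((b["Name"], "public-access-not-blocked"))
        if "LoggingEnabled" not in b:
            findings.append((b["Name"], "access-logging-disabled"))
    return findings
```

Calling `audit(INVENTORY)` flags `sg-admin` and the `uploads` bucket while leaving the web-only group and the locked-down, logged bucket alone.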
In summary, cloud adoption does not remove the requirement for a security leader or a security team. It requires that team to evolve and adapt if it is not already an experienced cloud security supporter.