Use of cloud resources has grown year over year as more and more organizations take advantage of the increased efficiency and capabilities offered by the cloud. By offloading the burden of maintaining infrastructure to cloud service providers (CSPs) and sharing resources with other cloud users, organizations can realize significant cost savings and focus their efforts on providing their own products or services to their customers.
However, the increased usage of the cloud also means that cloud security is growing in importance. When taking advantage of a CSP’s services, organizations are also reliant on the CSP to secure the resources under their control. For many organizations, relying on a large organization like Amazon to secure their infrastructure may represent an improvement in the overall level of security of this infrastructure.
However, even with the CSP taking on some of the burdens, the differences between securing an on-premises and a cloud deployment can create significant security issues for an organization. Whether it’s a misunderstanding of where the CSP’s duties end and the client’s duties pick up or a misunderstanding of the security settings controlled by the client, a security misconfiguration can be the cause of a data breach. The number of data breaches in the news that are enabled by a poor cloud security configuration indicates that this is not just a hypothetical threat.
The Challenges of Cloud Security
The cloud offers a lot of advantages to enterprises; however, it is very different from traditional on-premises deployments. In some ways, these differences are an asset since the availability of practically anything “as a service” means that organizations can focus their efforts on their core business rather than worrying about developing, deploying and maintaining the underlying infrastructure.
The downside of the differences between on-prem and cloud deployments is that moving some things to the cloud requires significant modifications. Frequent requests to a database located on-premises aren’t a major issue for a co-located application, but the same model can create latency and bandwidth issues for an application hosted by a CSP.
Security is also extremely different in the cloud. Every aspect of the infrastructure that is provided “as a service” is one more thing that an in-house security team has limited to no visibility or control over. This may be good for maintenance, but it’s bad for security, where the client organization has to trust the CSP’s security team to properly secure and monitor systems that are leased by the client but remain completely under the CSP’s control.
Impacts of Cloud Security Misconfigurations
The in-house security team doesn’t only lose control of certain assets to the CSP in a cloud deployment. Many cloud services (like AWS S3) give the client (i.e. the end-user) a high level of control over the security of their particular cloud deployment. If the security team isn’t the one holding the reins for an organization’s cloud storage and processing systems, this can be the cause of the company’s next data breach.
One of the most common mistakes that users make in the cloud is choosing the wrong security settings. Many cloud services have two levels of security: private and public. With private security settings, the cloud user must explicitly invite each user of the cloud deployment (like how Google Drive lets you send invites to particular users). With a public deployment, anyone who can find the URL of the cloud deployment can access it (and tools exist specifically for scanning for vulnerable S3 buckets).
The two security levels seem fairly straightforward, so logically most people would know to put sensitive data only in private cloud repositories. Unfortunately, this isn’t always the case. Numerous high-profile data breaches have been caused by placing sensitive data in public cloud storage, and, in 2018 alone, over 2.3 billion files were exposed by insecure cloud repos.
The exposure of the data in these repositories (passport scans, bank statements, etc.) has significant personal and professional repercussions. Over 1 billion of the files were from the EU, meaning that their exposure is a breach of the GDPR and subject to its strict penalties. Failing to secure the cloud can easily cause irreparable damage to both a company and its customers.
Protecting Against Cloud Security Misconfigurations
Most insecure cloud repos are likely created through a combination of ignorance and laziness. It’s annoying to have to manage access to a repository, and it seems like it wouldn’t hurt to mark it as public to make it easier for legitimate employees to access. If employees were aware of the risks associated with making cloud repos public, they would be less likely to do so.
One potential solution to cloud security misconfigurations has been created by Amazon (whose S3 buckets have been behind many high-profile leaks). Amazon includes visual cues (orange warnings next to public buckets) and controls that allow administrators to ensure that all buckets within the organization have a certain level of security (despite what individual owners select).
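The interaction between an owner's public setting and an administrator's override can be checked offline, as in this added example (not Amazon's code or part of the original article). It assumes each bucket is described by a dict shaped like the S3 API's ACL grants, policy document and public-access-block settings; the bucket names and data are constructed, and the policy test is a deliberate simplification.

```python
import json

# ACL grantee groups meaning "everyone" / "any AWS account holder"; a grant to either is public.
ACL_GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACL_GROUP + "AllUsers", ACL_GROUP + "AuthenticatedUsers"}

def acl_is_public(grants):
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS for g in grants)

def policy_is_public(policy_json):
    """Simplified test: an unconditioned Allow for a wildcard principal."""
    statements = json.loads(policy_json or "{}").get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements  # bare object
    for st in statements:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        wildcard = principal == "*" or aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            return True
    return False

def audit_bucket(bucket, account_block):
    """Return the reasons a bucket is effectively public (empty list = private)."""
    own = bucket.get("PublicAccessBlock", {})
    # The most restrictive of the account-level and bucket-level settings wins.
    ignore_acls = account_block.get("IgnorePublicAcls") or own.get("IgnorePublicAcls")
    restrict = account_block.get("RestrictPublicBuckets") or own.get("RestrictPublicBuckets")
    findings = []
    if acl_is_public(bucket.get("Grants", [])) and not ignore_acls:
        findings.append("public ACL grant is honoured")
    if policy_is_public(bucket.get("Policy")) and not restrict:
        findings.append("public bucket policy is honoured")
    return findings

# Constructed sample data (bucket names and contents are hypothetical).
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]})
BUCKETS = [
    {"Name": "example-reports", "Policy": OPEN_POLICY, "Grants": []},
    {"Name": "example-scans", "Policy": None,
     "Grants": [{"Grantee": {"URI": ACL_GROUP + "AllUsers"}, "Permission": "READ"}]},
    {"Name": "example-private", "Policy": None, "Grants": []},
]
ORG_GUARDRAIL = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}  # admin override

def audit_all(account_block):
    return {b["Name"]: audit_bucket(b, account_block) for b in BUCKETS}

if __name__ == "__main__":
    print(audit_all({}), audit_all(ORG_GUARDRAIL), sep="\n")
```

With no account-level settings, the two buckets their owners opened are reported; with the administrator's settings in place, the same owner choices no longer expose anything.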
More general data security solutions are also a good idea. Some solutions have the capability to search for databases and test their security settings. These solutions allow an organization to have complete visibility and control over where their sensitive data is located and how it is secured. Understanding your organization’s data threat surface is a critical first step in protecting against data breaches.