As more and more businesses move to the cloud, misconfigurations have become one of the biggest causes of data breaches. Migration to the cloud has only accelerated over the last few years as digital transformation has driven businesses of all sizes to embrace technology to automate their business processes. This increased use of technology has, in turn, increased the risk of misconfigurations which can lead to data breaches.
Ease of Use Has Driven the Move to the Cloud
Cloud infrastructure and applications have become simpler to use and more cost-effective, often making them the first choice for many businesses. This is especially true of smaller businesses that do not have large IT budgets and lack the large IT departments required to manage complex data center infrastructures. This move to the cloud has fuelled the debate about the security of the cloud. The reality is that most cloud platforms have good security controls, and it is the failure to use them correctly that is often the cause of breaches. Keeping track of their configurations becomes harder as cloud deployments proliferate. This issue has been known for some time. As far back as 2019, Gartner already stated that “Through 2025, 99% of cloud security failures will be the customer’s fault.” In a similar vein, Network Computing painted misconfigurations as the biggest threat to cloud security.
Major Breaches Caused by Cloud Misconfiguration
Unfortunately, cloud misconfigurations have led to breaches with significant impact, both in terms of cost and the number of individuals affected. Major companies and millions of their customers have been impacted in the process:
- While being a major player in cloud security, Microsoft has not been immune to breaches caused by misconfiguration. Starting in July 2020, Microsoft’s AI research division leaked up to 38 terabytes of sensitive data via misconfigured Azure Blob storage. This oversight was only discovered almost three years later.
- A misconfiguration which was found and corrected by Facebook in August 2019 resulted in a database containing personal information of over 530 million Facebook users being exposed publicly. Full names, phone numbers and some email addresses from user profiles were posted to an amateur hacking forum. Facebook decided not to notify the affected users.
- In June 2023, data of approximately 260,000 Toyota customers was exposed due to a misconfigured cloud environment. Data relating to customers and their vehicles had been exposed online for approximately eight years.
- In 2021, cyber analytics firm Cognyte left a database with 5 billion records from previous security breaches online and unsecured. What is ironic about this incident is that the database was created to cross-reference whether personal information of any clients had been exposed in other breaches.
- The data breach at the Australian telecommunications provider Optus, one of the largest of 2022, appears to have ultimately been caused by an unsecured cloud API. This breach resulted in a $1 million ransom demand and the leaking of 11 million records relating to Optus customers.
Common Misconfigurations that Lead to Cloud Breaches
While the kinds of misconfigurations that can lead to breaches are numerous, a few types of configuration error stand out for being some of the most frequent causes of cloud breaches:
- Account permissions too open: In some cases the permissions assigned to user accounts don’t restrict access sufficiently or are completely missing. If a user has more access than they need to perform their job, and if their credentials are then compromised, the potential exposure can extend way beyond the areas they should have access to.
- Exposed access or API keys: Access keys are used to authenticate users against a wide range of cloud assets, including storage buckets and APIs. There have been cases where keys have been exposed and left publicly accessible. This is the digital equivalent of leaving the front door key under the welcome mat. Risks can be reduced by using short-lived access keys which have to be renewed periodically.
- Weak identity management: Credential theft remains a perennial issue for cloud environments. Weak passwords also remain a risk. Organizations that fail to use multi-factor authentication run an increased risk of breach through credential theft.
- Open databases or storage objects: It is surprising how often storage buckets or databases are left open to the Internet. Sometimes developers do this while testing and then forget to implement adequate access controls when a system is moved into production. This kind of error illustrates the need to consider security immediately when development begins, rather than waiting until a system is taken into production.
- Unused cloud infrastructure: Often cloud assets are created for a short-lived need, and then forgotten, only to be left running and completely neglected. The security controls of these environments are not maintained and they are not patched, making them prime targets for threat actors.
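The first and fourth items in the list above (over-broad permissions and storage left open to the Internet) are both visible in the resource's policy document before any data is ever exposed, which is exactly what a CSPM check inspects. The following Python is an added example, not code from this article or from any CSPM product: it audits IAM-style policy JSON for an anonymous principal, wildcard actions and administrator-equivalent grants. The four policy documents are constructed for the example and follow the AWS IAM / S3 bucket-policy JSON shape; the bucket names, role names and account ID are placeholders, and no cloud account is contacted.

```python
"""CSPM-style static check of cloud resource policies (added example, not the article's code).

Flags the two misconfigurations the article lists: resources reachable by anyone
("Principal": "*") and identities granted far more than they need ("Action": "*"
on "Resource": "*").  All policy documents below are constructed for this example.
"""
import json


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal field ("*", {"AWS": [...]}, {"Service": ...}) to strings."""
    principal = statement.get("Principal")
    if principal is None:          # identity policies carry no Principal at all
        return []
    if isinstance(principal, str):
        return [principal]
    return [f"{kind}:{entry}" for kind, value in principal.items() for entry in _as_list(value)]


def check_statement(statement):
    """Return (severity, reason) findings for one statement; Deny statements are ignored."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    if any(p in ("*", "AWS:*") for p in _principals(statement)):
        # A Condition (e.g. aws:SourceVpce) narrows who "*" really is; still worth review.
        severity = "MEDIUM" if statement.get("Condition") else "HIGH"
        findings.append((severity, "resource policy grants access to anonymous principal '*'"))
    service_wildcard = any(a.endswith(":*") for a in actions)
    if "*" in actions:
        findings.append(("HIGH", "wildcard action '*' allows every API call"))
    elif service_wildcard:
        findings.append(("MEDIUM", f"service-wide wildcard action in {actions}"))
    if "*" in resources and ("*" in actions or service_wildcard):
        findings.append(("HIGH", "wildcard action on every resource is administrator-equivalent"))
    return findings


def audit_policy(policy):
    """Audit a whole policy document (dict or JSON string); returns a list of findings."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    results = []
    for stmt in _as_list(policy.get("Statement")):
        for severity, reason in check_statement(stmt):
            results.append({"sid": stmt.get("Sid", "<no Sid>"), "severity": severity, "reason": reason})
    return results


# --- constructed sample policies (placeholder names and account ID) ---------------
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}

CORRECTED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}

VPC_RESTRICTED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

# Identity policy with a single Statement object rather than a list.
ADMIN_IAM_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}}


if __name__ == "__main__":
    for name, doc in [("public bucket", PUBLIC_BUCKET_POLICY), ("corrected bucket", CORRECTED_BUCKET_POLICY),
                      ("vpc-restricted bucket", VPC_RESTRICTED_BUCKET_POLICY), ("admin identity", ADMIN_IAM_POLICY)]:
        print(name, json.dumps(audit_policy(doc), indent=2))
```

The check deliberately treats a `Condition` on an anonymous principal as a lower-severity finding rather than ignoring it: the statement is not world-readable, but it still deserves a reviewer's eye because removing the condition later silently makes it so. Running the same function in a CI step before deployment, and again on a schedule against the live policy, is the "automate" step the article recommends.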
How to Protect Against Common Cloud Misconfigurations
Despite the risks that exist, there are still steps that can be taken to reduce the risk of cloud security misconfiguration. Some of these include:
- Develop policies: IT leaders should draft policies that set out standards detailing minimum security configurations for all environments, including cloud.
- Automate: Many organizations have embraced a DevOps methodology to develop systems and then deploy and operate them in production. Automation is an inherent component of DevOps, and security configuration should be a key component in that automation. Once systems are deployed, automated Cloud Security Posture Management (CSPM) tools can be used to verify that configuration complies with standards and remains compliant. CSPM tools can also be used to automate enforcement of compliance with security standards.
- Enable logging: Almost all cloud environments provide extensive logging of activity, especially of changes which might impact security.
Risks Still Exist, Even With Strong Configuration
Even when organizations take care to configure cloud environments correctly, risks still exist. It is unwise to assume that the security configurations implemented in a cloud environment cannot fail. This is why additional tools like XDR are needed. Through its ability to ingest and analyze large volumes of telemetry data, XDR excels at quickly detecting the evidence in cloud logs that a configuration has been changed (whether accidentally or maliciously) or that a threat actor is attempting a breach.
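The paragraph above and the "Enable logging" item before it make the same point: a change that weakens a configuration leaves a record in the cloud audit log, so detection logic can alert on it within minutes instead of years. The Python below is an added example, not code from this article or from Samurai XDR: four small rules run over CloudTrail-style events and flag a bucket ACL made public, the public-access block being switched off, a security group opened to the whole Internet, and a successful console login without MFA. The log lines are constructed for the example and use a simplified subset of CloudTrail's JSON field layout (field names such as `x-amz-acl` and `PublicAccessBlockConfiguration` follow that layout but are assumed here, not taken from a real capture); the account ID and user names are placeholders.

```python
"""Detection rules over CloudTrail-style audit events (added example, not the article's
or any vendor's code).  SAMPLE_LOG is constructed for the example and uses a
simplified subset of CloudTrail's field layout; the last line is deliberately
malformed to show that the parser skips it rather than aborting.
"""
import json

SAMPLE_LOG = r"""
{"eventTime":"2024-05-01T10:02:11Z","eventName":"PutBucketAcl","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev-alice"},"requestParameters":{"bucketName":"research-exports","x-amz-acl":["public-read"]}}
{"eventTime":"2024-05-01T10:03:40Z","eventName":"PutBucketPublicAccessBlock","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev-alice"},"requestParameters":{"bucketName":"research-exports","PublicAccessBlockConfiguration":{"BlockPublicAcls":false,"IgnorePublicAcls":false,"BlockPublicPolicy":false,"RestrictPublicBuckets":false}}}
{"eventTime":"2024-05-01T11:15:02Z","eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ci-deploy"},"requestParameters":{"groupId":"sg-0abc1234","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventTime":"2024-05-01T12:00:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops-bob"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-05-01T12:04:30Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-eve"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-05-01T12:10:15Z","eventName":"GetObject","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:role/app-reader"},"requestParameters":{"bucketName":"research-exports","key":"report.csv"}}
this line is not JSON and is skipped by the parser
"""


def _as_list(value):
    """CloudTrail emits some header-derived fields as lists; accept a string too."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def rule_public_bucket_acl(ev):
    """PutBucketAcl applying a canned public-* ACL to a bucket."""
    if ev.get("eventName") != "PutBucketAcl":
        return None
    params = ev.get("requestParameters", {})
    acl = _as_list(params.get("x-amz-acl"))
    if any(a.startswith("public-") for a in acl):
        return f"canned ACL {acl} applied to bucket {params.get('bucketName')}"
    return None


def rule_public_access_block_disabled(ev):
    """PutBucketPublicAccessBlock that turns off any of the four protections."""
    if ev.get("eventName") != "PutBucketPublicAccessBlock":
        return None
    params = ev.get("requestParameters", {})
    disabled = [k for k, v in params.get("PublicAccessBlockConfiguration", {}).items() if v is False]
    if disabled:
        return f"public access block {disabled} disabled on bucket {params.get('bucketName')}"
    return None


def rule_world_open_ingress(ev):
    """Security group ingress rule admitting the whole IPv4 Internet."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return (f"{perm.get('ipProtocol')} {perm.get('fromPort')}-{perm.get('toPort')} "
                        f"opened to 0.0.0.0/0 on {ev['requestParameters'].get('groupId')}")
    return None


def rule_console_login_without_mfa(ev):
    """Successful console sign-in where MFA was not used (weak identity management)."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    succeeded = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
    if succeeded and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
        return "successful console login without MFA"
    return None


RULES = [rule_public_bucket_acl, rule_public_access_block_disabled,
         rule_world_open_ingress, rule_console_login_without_mfa]


def parse_events(text):
    """Parse newline-delimited JSON; malformed lines are skipped (a real pipeline counts them)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"time": ev.get("eventTime"), "rule": rule.__name__,
                               "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
                               "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"{alert['time']} {alert['rule']:36} {alert['actor']}: {alert['detail']}")
```

Two of the six events are deliberately benign (an MFA-backed login and an ordinary `GetObject`) so the rules can be seen not firing; the first two alerts, raised by the same user seconds apart, are the pattern that turned the incidents above into multi-year exposures, and correlating them is the kind of analysis the article attributes to XDR.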
To find out more about Samurai XDR, sign up for our free 30 day trial.