Cloud Misconfigurations That Lead to Data Breaches

As more and more businesses move to the cloud, misconfigurations have become one of the biggest causes of data breaches. Migration to the cloud has only accelerated over the last few years as digital transformation has driven businesses of all sizes to embrace technology to automate their business processes. This increased use of technology has, in turn, increased the risk of misconfigurations which can lead to data breaches.

Ease of Use Has Driven the Move to the Cloud

Cloud infrastructure and applications have become simpler to use and more cost effective often making them the first choice for many businesses. This is especially true of smaller businesses who do not have large IT budgets and who lack the large IT departments required to manage complex data center infrastructures. This move to the cloud has fuelled the debate about the security of the cloud. The reality is that most cloud platforms have good security controls, and it is the failure to use these correctly which is often the cause of breaches. Keeping track of their configurations becomes harder as cloud deployments proliferate. This issue has been known for some time. As far back as 2019, Gartner already stated that “Through 2025, 99% of cloud security failures will be the customer’s fault.” In a similar vein, Network Computing painted misconfigurations as the biggest threat to cloud security.

Major Breaches Caused by Cloud Misconfiguration

Unfortunately cloud misconfigurations have led to breaches which have had significant impact both in terms of cost and the numbers of individuals affected. Major companies and millions of their customers have been impacted in the process:

• While being a major player in cloud security, Microsoft has not been immune to breaches caused by misconfiguration. Starting in July 2020 Microsoft’s AI research division leaked up to 38 terabytes of sensitive data via misconfigured Azure Blob storage. This oversight was only discovered almost three years later.
• A misconfiguration which was found and corrected by Facebook in August 2019 resulted in a database containing personal information of over 530 million Facebook users being exposed publicly. Full names, phone numbers and some email addresses from user profiles were posted to an amateur hacking forum. Facebook decided not to notify the affected users.
• In June 2023, data of approximately 260000 Toyota customers was exposed due to a misconfigured cloud environment. Data relating to customers and their vehicles was exposed online for approximately eight years.
• In 2021, cyber analytics firm Cognite left a database with 5 billion records from previous security breaches online and unsecured. What is ironic about this incident is that the database was created to cross reference whether personal information of any clients had been exposed in other breaches.
• The data breach at the Australian telecommunications provider Optus, one of the largest of 2022, appears to have ultimately been caused by an unsecured cloud API. This breach resulted in a $1 million ransom demand and the leaking of 11 million records relating to Optus customers.

Common Misconfigurations that Lead to Cloud Breaches

While the kinds of misconfigurations that can lead to breaches are numerous, a few types of configuration error stand out for being some of the most frequent causes of cloud breaches:

• Account permissions too open: In some cases the permissions assigned to user accounts don’t restrict access sufficiently or are completely missing. If a user has more access than they need to perform their job, and if their credentials are then compromised, the potential exposure can extend way beyond the areas they should have access to.
• Exposed access or API keys: Access keys are used to authenticate users against a wide range of cloud assets, including storage buckets and APIs. There have been cases where keys have been exposed and left publicly accessible. This is the digital equivalent of leaving the front door key under the welcome mat. Risks can be reduced by using short-lived access keys which have to be renewed periodically.
• Weak identity management: Credential theft remains a perennial issue for cloud environments. Weak passwords also remain a risk. Organizations that fail to use multi-factor authentication run an increased risk of breach through credential theft.
• Open databases or storage objects: It is surprising how often storage buckets or databases are left open to the Internet. Sometimes developers do this while testing and then forget to implement adequate access controls when a system is moved into production. This kind of error illustrates the need to consider security immediately when development begins, rather than waiting until a system is taken into production.
• Unused cloud infrastructure: Often cloud assets are created for a short-lived need, and then forgotten, only to be left running and completely neglected. The security controls of these environments are not maintained and they are not patched, making them prime targets for threat actors.

How to Protect Against Common Cloud Misconfigurations

Despite the risks that exist, there are still steps that can be taken to reduce the risk of cloud security misconfiguration. Some of these include:

• Develop policies: IT leaders should draft policies that set out standards detailing minimum security configurations for all environments, including cloud.
• Automate: Many organizations have embraced a DevOps methodology to develop systems and then deploy and operate them in production. Automation is an inherent component of DevOps, and security configuration should be a key component in that automation. Once systems are deployed, automated Cloud Security Posture Management (CSPM) tools can be used to verify that configuration complies with standards and remains compliant. CSPM tools can also be used to automate enforcement of compliance with security standards.
• Enable logging: Almost all cloud environments provide extensive logging of activity, especially of changes which might impact security.

Risks Still Exist, Even With Strong Configuration

Even when organizations take care to configure cloud environments correctly, risks still exist. It is unwise to assume that the security configurations implemented in a cloud environment cannot fail. This is why additional tools like XDR are needed. Through its ability to ingest and analyze large volumes of telemetry data XDR excels in its ability to quickly detect the evidence in cloud logs that a configuration has been changed (whether it be accidentally or maliciously) or that a threat actor is attempting a breach.

To find out more about Samurai XDR, sign up for our free 30 day trial.