Every year, penetration-testing-as-a-service firm Cobalt.io releases aggregated data on its engagements, and every year, a single class of vulnerabilities affects nearly all of its clients: cloud application misconfigurations.
The misconfiguration of cloud applications and infrastructure remains the single largest issue facing application-security groups and operations teams. In 2018, almost 30% of all vulnerabilities found in cloud applications tested by Cobalt.io were misconfiguration errors, and that trend continued in 2019—misconfigured cloud services continued to be the No. 1 vulnerability found in cloud services.
Caroline Wong, chief strategy officer for Cobalt.io, said that people are undermining security controls or giving away information without realizing that these misconfigured services could be used by bad people to do bad things.
"So whether it is a very verbose error message, [whether] you are disclosing a software version, or [whether] you have left a database publicly accessible, that can help a person attack your application."
—Caroline Wong
In an example of how damaging this problem can be, in May 2017, the security firm Upguard, which regularly scans for cloud servers exposed through misconfiguration, revealed that defense contractor Booz Allen Hamilton had exposed more than 60,000 sensitive government military files on a Amazon Simple Storage Service (S3) bucket. A few months later, Upguard discovered another misconfigured S3 bucket containing military data from the US Central Command, which handles operations from East Africa to Central Asia, and the Pacific Command, which handles operations in Southeast Asia and the Pacific Ocean.
Citing these incidents and others, the US National Security Agency warned in January 2020 that organizations needed to pay more attention to securing the cloud services and infrastructure.
"The rapid pace of CSP innovation creates new functionality but also adds complexity to securely configuring an organization’s cloud resources."
—NSA statement
Since then, cloud services have become a more critical part of corporate infrastructure: The greater adoption of remote working arrangements has intensified the focus on moving traditionally on-premises infrastructure to the cloud.
Here are five recommendations from experts on how companies should securely configure cloud services and keep them safe.
1. Remember the forgotten services
Too many development and operations teams create a new cloud server or application, configure it so that it works, and then never recheck the configuration. One security administrator told Micro Focus that his nightmare is the potential misconfiguration of his cloud assets because someone "set it and forgot it," said Robert MacDonald, director of solutions for Micro Focus.
Companies need to know not only where their cloud assets and services are, but the status of those services, he said.
"You never want to deploy something live and not test it against some real-life scenarios."
—Robert MacDonald
The operations team needs to take an active role in discovering their company's cloud attack surface area, said Gerben Kleijn, a senior security consultant for Bishop Fox, a security services firm.
"At the end of the day, it comes down to monitoring and auditing your own environment. It is too common for companies to put service into the cloud and forget about them and not be actively engaged with their attack service."
—Gerben Kleijn
2. Create policy and templates
One of the most common issues is not propagating known good security settings into base configuration settings, so that future instances of an application or piece of cloud infrastructure can benefit from the lessons of the past. This misconfigured basing issue ends up causing problems from the start, said Kieran Norton, a principal with IT consultancy Deloitte.
Turning security best practices and the lessons learned in previous application iterations into policy and templates is important, he said. If an organization is rushing workloads to the cloud, it needs to take the time to figure out how to do it right.
"Unless you are addressing these issues head on in the beginning, you are going to have the same kind of problems popping up in the cloud, just like you have had in the past in your traditional IT environments."
—Kieran Norton
Taking certain security policy decisions, such as making HTTP Strict Transport Security (HSTS) a requirement, can also improve security, because doing so can force others to use the higher security requirements as well.
It’s easy for a security misconfiguration to be the result of a simple mistake, Cobalt.io's Wong said.
"Developers focus on writing code, testing code, and releasing it. Security features—like HSTS—can make it easier to enhance security, but to be effective they have to be included."
—Caroline Wong
3. Automate configuration and security checks
Agile development methodologies, such as DevSecOps, use extensive automation to help developers create secure code and deploy that code. Yet sometimes companies do not go far enough. All running applications and infrastructure should be regularly checked for security and compliance, and automation can help there as well.
Any time you have to do something more than once, you have a greater opportunity for error, especially if you have more than one person doing something, Micro Focus' MacDonald said.
"If you can do it once and have it apply to all, you are better off for accuracy. Of course, that means if you get it wrong, it will apply to all your infrastructure and could cause failure."
—Robert MacDonald
4. Use the provider tools
The NSA's advisory warns that companies should understand the level to which responsibility for security is shared with the cloud provider. Infrastructure-as-a-service (IaaS) clouds put much more responsibility on the customer, while software-as-a-service (SaaS) offerings typically are more heavily managed by the cloud service provider.
In all cases, however, configuration of the cloud service is the responsibility of the customer—you. Yet cloud service providers often provide recommendations and tools to help secure the customer's instance of the service, the NSA points out:
"Many CSPs provide cloud security configuration tools and monitoring systems, but cloud customers are responsible for configuring the service according to organizational security requirements."
5. Test and retest
Automation should not be limited to testing code at development time and speeding the deployment of applications. Post-deployment testing is critical, as is regular security testing of cloud services by humans, said Cobalt.io's Wong.
"Anyone who is only using people is missing out on efficiencies that can only be achieved using machines. And anyone that is only using machines is missing out on whole classes of vulnerabilities that can only be found by people."
—Caroline Wong
In the end, misconfiguration issues are not new—they have just migrated to the cloud along with the applications. Configuration drift has been a problem for companies for decades, said Deloitte's Norton. Yet, because the cloud has few barriers, everything moves faster, and misconfigured services can quickly take on a life of their own.
"This is effectively the same issue, right? What we are seeing in the cloud, because of the move to agile or DevOps, sometimes that move is made at speed but without risk mitigation."
—Kieran Norton
Companies that want to keep their cloud services secure need to do security at speed as well.
Keep learning
Get up to speed on Zero Trust security with TechBeacon's Guide.
Understand why API security needs access management with this Webinar.
Learn how how privilege and policy management improves your cyber resiliency in this Webinar.
Find out why Zero Trust means rethinking your security approach.
Answer this question: Is your environment adaptive enough for Zero Trust? Get this free white paper.
