If new security steps are not enforced properly, the new devices, access patterns, and processes used to maintain Cloud environments during work from home bring an increased risk of Cloud-based data breaches, crypto-mining, and serious compliance violations. Cloud security risks also increase significantly when everyone is experiencing extraordinary amounts of stress and distraction. Mistakes are bound to take place in such circumstances, and malicious actors are constantly on the lookout, more than happy to take advantage of such mistakes.
The Shared Responsibility Model of Cloud security allows us to externalize a lot of security risks and costs to Cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. However, the security responsibilities that remain with customers are quite different from the security measures of the data center. With Cloud, security is focused on ensuring the correct configuration of Cloud resources, and in turn, avoiding misconfiguration. Since a workforce accesses the Cloud through Cloud services, such as Security Groups and Identity and Access Management (IAM) services, the threats due to Cloud misconfiguration can increase when that workforce becomes more and more distributed.
While Cloud misconfiguration is a 100 percent preventable problem on the customer’s side of the Shared Responsibility Model, it remains the number one cause of Cloud-based data breaches. The National Security Agency states that “misconfiguration of Cloud resources remains the most prevalent Cloud vulnerability and can be exploited to access Cloud data and services.” While Cloud providers can educate and alert customers about potential risks, they can’t prevent their customers from creating misconfigurations. Preventing customers from making such errors would severely limit the power and flexibility of Cloud.
If Cloud Misconfiguration Is Preventable, Why Does It Keep Happening?
With the Cloud, there is no perimeter to defend, traditional security tools are not typically effective, and IT professionals often don’t understand it. Even Cloud customers widely recognized as Cloud security leaders can fall victim to their own misconfigurations. For example, if a Security Group is configured to allow SSH access to a remote worker’s network, bad actors can find and exploit it within minutes. It can be difficult to distinguish malicious access patterns from legitimate ones, and traditional security tools cannot detect these attacks.
Adding to this challenge is the fact that developers are continuously building and modifying their Cloud infrastructure, so the nature of attacks has become highly dynamic. This makes gaining visibility into the state and security posture of Cloud environments an ongoing struggle.
Currently, the most common methods of managing Cloud misconfiguration are largely manual (e.g. reviewing alerts, remediating issues, conducting audits). Malicious actors use automation tools to find and exploit misconfigurations almost as soon as they’re created. Once they find a resource misconfiguration that gives them access to a Cloud environment, they exploit additional misconfigurations to move laterally, discover resources, and extract data.
The good news is that while traditional security tools and approaches may be insufficient for keeping Cloud environments secure, developers are empowering themselves to address the problem. They are using policy-as-code to automate certification processes and compliance reporting, and making efforts to remove human error from the equation. They have also adopted a “Shift Left” approach to move security earlier in the software development lifecycle when making corrective changes is easier, quicker, and less expensive.
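As an added illustration of the policy-as-code approach described above (not code from the original article), the following Python check evaluates Security Group ingress rules and fails when SSH is reachable from any source outside an approved list, so it can run in a pipeline before a change is deployed. The input mirrors the shape of AWS EC2 describe-security-groups output; the group IDs, CIDR ranges, and function names are constructed for this example.

```python
import ipaddress

SSH_PORT = 22

def covers_ssh(perm):
    """True if an ingress permission's protocol and port range include TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def sources(perm):
    """Yield every IPv4 and IPv6 source CIDR attached to a permission."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def ssh_violations(groups, approved):
    """Return (group_id, cidr) for each SSH-reachable source outside the approved ranges."""
    allowed = [ipaddress.ip_network(a) for a in approved]
    found = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            for cidr in sources(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() requires matching IP versions, so compare those first
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    found.append((g["GroupId"], cidr))
    return found

# Constructed policy and sample data (RFC 5737 documentation ranges, hypothetical group IDs).
APPROVED = ["203.0.113.0/28"]  # assumption: the organization's approved remote-access range
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.4/32"}]}]},
    {"GroupId": "sg-example-wfh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    bad = ssh_violations(SAMPLE_GROUPS, APPROVED)
    for gid, cidr in bad:
        print(f"FAIL {gid}: SSH reachable from {cidr}")
    raise SystemExit(1 if bad else 0)  # non-zero exit blocks the deployment step
```

The third sample group shows why the check looks at port ranges and IPv6 sources rather than only an exact port 22 rule on IPv4.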
Companies that empower their developers to take on the security of their Cloud environments have a leg up on avoiding Cloud-based data breaches and making the headlines for the wrong reasons.
The COVID-19 crisis is already impacting the Cloud industry. We are already witnessing a surge in Cloud demand, likely due to the rapid adoption of online collaboration tools. However, expect to see a long-term Cloud adoption trend as companies that previously opted to continue managing their own data centers face unforeseen challenges. Existing data center capacity may be insufficient to support newly distributed teams with the surge capacity that an increased demand for online services calls for. Ensuring the safety of data center workers and maintaining sufficient staff levels are now front-burner issues. There will be fresh concerns over global supply chains and the ability to acquire the physical infrastructure needed to maintain operations.
Lastly, with a new wave of Cloud adoption come more Cloud misconfiguration risks and more opportunities for malicious actors to exploit. So, now is the time for users to take cognizance of Cloud security’s shared responsibility.