April 19, 2023

β€’

By Travis McPeak and Lily Johnson

Proactive > Reactive – how to get ahead of cloud misconfiguration

By Travis McPeak and Lily Johnson

Cloud computing has revolutionized how organizations store, process, and access data. The flexibility and scalability of cloud infrastructure have made it a preferred choice for many organizations. However, the shift to the cloud has also introduced new security challenges. Misconfigurations are the leading cause of security incidents in the cloud and the third largest cause of all security breaches.

‍

Cloud configuration is complex, and we can’t expect developers to have the knowledge that dedicated cloud, SRE, infrastructure, and security engineers have. We want developers to focus on building applications, not learning the intricacies of cloud services and best practices for using them.

‍

Most companies still rely on reactive cloud security measures, such as scanning for vulnerabilities and creating Jira tickets for developers to fix issues. However, some organizations have taken a proactive approach to cloud security with great success.

‍

This post introduces the top five cloud security misconfigurations and proactive strategies to address them. Future posts will cover misconfigurations and their solutions in more depth.

1. Improper Access Control

Improper access control is a frequent cloud security configuration error. Infrastructure often misses authentication where it should be implemented, primarily due to users misunderstanding best practices. Additionally, cloud infrastructure's complex and ever-changing nature means authentication requirements change over time.Β 

‍

Common causes of this misconfiguration include:

‍

In 2017, Accenture suffered a data breach exposing the sensitive data of nearly 40,000 employees. The cause was a misconfigured Amazon S3 bucket that was publicly accessible and did not require authentication. According to a study by DivvyCloud, 16% of all S3 buckets are publicly accessible without authentication.

‍

A proactive approach to avoid these scenarios is to create a paved road for creating and managing data stores. For example, many companies preconfigure identity-aware proxies (IAPs) to require authentication before accessing infrastructure. Netflix's "Securing Netflix Studios at Scale" post describes how they implemented a simple IAP pattern that made it easy for developers to implement basic authentication and authorization.Β 

‍

Resourcely offers paved road patterns, including configurable IAP templates based on cloud provider services and data stores with built-in authentication. Resourcely guardrails guide developers to use authentication when appropriate based on business context.

‍

2. Inadequate Identity and Access Management

Another common misconfiguration is overly broad identity and access management (IAM). This misconfiguration enables unauthorized users to access sensitive resources or gain more access to resources than they should have.

‍

Common causes of IAM issues are:

‍

In 2020, Capital One suffered a data breach that exposed the personal information of over 100 million customers. During the breach, the attacker used an overly permissive IAMΒ role to gain access to sensitive data. According to a report by Gartner, 75% of cloud breaches will involve IAM misconfigurations by 2023, up from 50% in 2020.

‍

The best proactive approach to IAM configuration is making it easy for developers to get the proper permissions and automatically remove unused permissions. Netflix released open-source projects ConsoleMe (for giving permissions) and Repokid (for removing unused permissions). Commercial products like Noq (started by the creator of ConsoleMe) and Ermetic can help solve inadequate IAM.

‍

3. Weak Password Policies

Weak and stolen passwords are a leading cause of all security breaches. Password issues regularly top the Verizon DBIR report. This misconfiguration occurs when weak or easily guessable passwords allow unauthorized users to gain access to cloud resources.

‍

In 2014, over 56 million Home Depot customers had their credit card information exposed due to a data breach resulting from attackers using weak passwords to gain access to the network. According to a report by Verizon, 80% of data breaches occur due to weak or stolen passwords.

‍

In 2023 we must move towards more robust authentication methods wherever possible and introduce hardware-based MFA where passwords are still necessary.

‍

Resourcely blueprints guide developers towards more robust authentication configurations for cloud resources, such as IAM role authentication in RDS. Resourcely guardrails push developers away from weak authentication methods and towards robust authentication configurations.

‍

4. Insufficient encryption

Encryption is a crucial security measure that protects data from interception and unauthorized access. Unfortunately, organizations often neglect encryption, resulting in data breaches and other security issues. A primary cause of insufficient encryption is users that lack awareness of encryption practices. Encryption can be complicated, and developers often need help knowing which encryption methods to choose and how to configure them.

‍

In 2018, Exactis, a marketing and data aggregation firm, exposed a database containing the personal information of nearly 340 million individuals due to a lack of proper encryption.

‍

According to a report by the Ponemon Institute, 31% of organizations fail to encrypt sensitive or confidential data in the cloud.

‍

Resourcely blueprints come preconfigured with strong encryption settings, and developers do not need to understand encryption to use it effectively. With data stores encrypted from the beginning and guardrails to ensure that changes are safe, developers can easily use encryption that meets best practices and their organization's requirements.

‍

5. Inadequate Data Backup

Inadequate safeguarding of data backups is a prevalent error in the cloud that can lead to data loss and disruptions in business operations. Backup protocols ensure data is recoverable after a security incident or disaster. Nevertheless, organizations often don't have needed backups, leaving them vulnerable to data loss and ransom.

‍

Simple mistakes, missing golden standards for backups, and time pressure are leading causes of backup errors. Organizations need more expertise and resources to implement and maintain backups effectively.

‍

In 2017, GitLab, a web-based Git repository manager, experienced a database outage that resulted in six hours of downtime and 300GB of lost data, primarily due to an inadequate backup and recovery strategy.

‍

Proper backups are also crucial in mitigating the damage caused by ransomware attacks. In fact, out of all ransomware victims, only 57% of businesses successfully recover their data using backups. In 2021 alone, ransomware affected 66% of organizations, an increase of 78% from the previous year.

‍

An effective proactive strategy for correctly configuring backups is to offer a paved road for data stores with automatically configured backups. Developers shouldn't have to become experts in cloud-scale backup methods. Companies should make the process automatic for developers by creating patterns for relational databases, blob stores, and other commonly used data stores.

‍

Our blueprints come with industry-leading best practices, including backups and replication. Data team members can choose relevant blueprints from Resourcely's catalog and make them available to their developers. Developers receive the data stores they need with backup configurations built in from the beginning. Resourcely's guardrails ensure developers use the correct patterns and avoid accidentally removing backup configurations.

‍

Conclusion

While these are only a few examples of cloud security challenges, at Resourcely, our mission is to offer proactive approaches to cloud security. Paved roads enable developers to focus on building and scaling applications quickly and safely without needing help from experts.

We are accepting a limited group of customers for our Early Access Program. If you want to learn more about Resourcely and proactive approaches to cloud security, please get in touch!

‍