As organizations race to the cloud to support fundamental shifts in workforce and market dynamics, teams are forced to move fast. In this environment, speed tends to trump best practices, increasing the probability of human error and the risk of misconfigurations. As cloud usage accelerates, so does the number of cloud data breaches. A recent Sophos cloud security study highlights the fact that seventy percent of organizations have suffered a public cloud security breach within the past twelve months.
This week’s cloud breach headline comes courtesy of a Cayman Islands investment firm that accidentally exposed personal banking information, passport data, and banking PINs for an undisclosed number of sovereign wealth funds, prominent financial institutions, corporations, and families – their clients – who, all told, have invested a half-billion dollars with the firm.
On December 1st, The Register reported that a Cayman Islands investment fund had openly exposed its complete set of backup records to the internet as the result of not properly configuring the Microsoft Azure blob in which the data was stored. Bad actors, or anyone with a browser and the blob’s URL, could easily have seen a list of the fund’s shareholders and their holdings, snooped on their private communications, and compromised their online banking personal identification numbers (PINs).
The article further states that the firm’s cloud resources are outsourced along with their other IT-related assets and services. Sadly, not unlike many organizations, the firm was completely unaware of how Microsoft Azure operates and that they were potentially putting their clients and themselves at great risk by housing sensitive data in the cloud without the proper controls.
While some organizations still need to come to terms with the cloud shared responsibility model, the overarching problem for the majority of organizations is that they simply don’t have the time to build a team of experts and the technology required to accurately assess whether they are using cloud resources securely.
Despite the fact that over fifty percent of organizations polled say they use six or more cloud security tools, organizations are failing to effectively manage cloud risk. Why? First, the speed and scale at which cloud operates breaks traditional, mostly manual, people-centric security and risk management tools and techniques. Second, cloud is a relatively new and quickly evolving set of technologies not well understood by most organizations. And third, many of the cloud-native tools available are point solutions that attempt to solve narrow, lower-level problems within a single security domain.
This trifecta of challenges seems to be a main reason misconfigurations are the leading cause of cloud data breaches and security incidents. According to a recent cloud study, misconfigurations were responsible for forty-two percent more breaches in 2019 than during the previous year, while another cloud security report from Sophos found that cloud misconfigurations accounted for sixty-six percent of reported breaches. Looking further into the numbers, we find that cloud misconfigurations are not confined to a single security domain, but instead span several distinct domains:
Figure 1: Misconfiguration security domains
Given these figures and trends, it’s safe to assume that unless organizations fundamentally change their approach to managing cloud risk, misconfigurations will rise in step with public cloud usage, contribute to a growing number of breaches and incidents, and remain digital transformation’s Achilles’ heel.
What must organizations do differently to effectively manage cloud misconfigurations and subsequent cloud risk?
- They must have clear and comprehensive controls that prove policies are being complied with, such as “all Azure blobs containing stateful data must be private and encrypted”
- They must reduce the number of cloud risks introduced in the software development and delivery pipeline – before cloud resources are deployed
- They must continually assess cloud configuration runtime drift that can occur from accidental changes, cyberattack, and unauthorized usage
- They must check controls across a broad set of security domains to minimize the attack surface
Gain Clear Runtime Visibility:
In order to effectively assess whether they are using the cloud securely, organizations must have a comprehensive set of policies and controls that not only define the rules but also map them to the many cloud APIs that must be checked. These security and compliance policies must also be separate from the applications themselves and applied automatically to keep pace with the speed and scale at which cloud operates.
In the Cayman Islands example, having a curated set of policies and controls automatically applied to Microsoft Azure – including those that check for stateful data encryption and private/public access controls on perimeter resources – would have identified violations related to the open and leaky Azure blob – and done so without the firm or their IT contractor having to build a knowledge base, write policies, or understand the many Azure APIs that must be checked.
Rapidly Prevent Risk and Control Drift:
Once an organization has a defined set of policies and controls tailored to their business, they must apply them both during development and delivery of their cloud resources and at runtime. To be effective, organizations should apply the same policy checks both before and after deployment to correlate findings and identify potential gaps related to drift. Lastly, organizations need the ability to easily integrate and automate these checks within their existing CI/CD toolsets and DevOps methodologies.
In the Cayman Islands example, assuming the use of standard cloud development practices like infrastructure as code, the firm or their IT contractor could have quickly assessed their cloud assets and identified the misconfigured Azure blob before it was deployed into production. Further, with the ability to pinpoint policy violations within the code and the guidance required to bring the asset into compliance, the firm’s or the IT contractor’s cloud developers could have remediated the violation themselves. Once the asset had been deployed, continuously assessing for runtime drift would have enabled them to reduce mean time to resolution (MTTR) and limit their exposure.
Apply a Defense-in-Depth Approach:
As the previous statistics show (Figure 1), cloud misconfigurations span a wide range of security domains. These include Identity and Access Management – default credentials, excessive privileges, disabled MFA; Data Security – unencrypted storage services and DBs, plaintext secrets; Security Hygiene – public storage buckets, hardcoded secrets, disabled logs, untagged resources; Cloud Networking – security group ingress/egress, open ports, DBs accessible from the internet. Organizations must assess cloud risk across all of these critical security domains.
In the Cayman Islands example, the firm would have been able to apply a defense-in-depth approach to detect violations across security domains. First, from a data security perspective, they would have been alerted to the fact that sensitive customer data was being stored unencrypted. Next, from a security hygiene perspective, they would have detected that the Azure blob they use to back up all records had accidentally been set to public access. And finally, regarding access management, they would have been alerted to the fact that this blob had no requisite access controls assigned.
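The three practices above (policies mapped to the resource properties that must be checked, the same checks run before and after deployment to surface drift, and findings grouped by security domain) can be tied together in a small policy-as-code evaluator. The following is an added example written for this article; it is not Concourse Labs’ product and not the firm’s configuration. The two snapshots are constructed, the property names allowBlobPublicAccess, supportsHttpsTrafficOnly, encryption.services.blob.enabled, networkAcls.defaultAction and the container publicAccess value follow Azure ARM storage naming, and loggingEnabled and roleAssignments are simplified stand-ins assumed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

# Added example, not Concourse Labs' product or the firm's configuration.
# Snapshots are constructed. allowBlobPublicAccess, supportsHttpsTrafficOnly,
# encryption.services.blob.enabled, networkAcls.defaultAction and container
# publicAccess follow Azure ARM storage naming; loggingEnabled and
# roleAssignments are simplified stand-ins assumed for this example.


@dataclass(frozen=True)
class Policy:
    id: str
    domain: str
    description: str
    check: Callable[[dict[str, Any]], bool]  # True when the resource complies


POLICIES = [
    Policy("DS-001", "Data Security", "Blob service encryption at rest is enabled",
           lambda r: r["encryption"]["services"]["blob"]["enabled"] is True),
    Policy("DS-002", "Data Security", "Account accepts HTTPS traffic only",
           lambda r: r["supportsHttpsTrafficOnly"] is True),
    Policy("SH-001", "Security Hygiene", "Account-level anonymous blob access is disabled",
           lambda r: r["allowBlobPublicAccess"] is False),
    Policy("SH-002", "Security Hygiene", "Every container is private (publicAccess == 'None')",
           lambda r: all(c["publicAccess"] == "None" for c in r["containers"])),
    Policy("SH-003", "Security Hygiene", "Storage diagnostic logging is enabled",
           lambda r: r["loggingEnabled"] is True),
    Policy("IAM-001", "Identity and Access Management",
           "At least one scoped role assignment exists (not shared keys alone)",
           lambda r: len(r["roleAssignments"]) > 0),
    Policy("NET-001", "Cloud Networking", "Default network rule denies all but listed networks",
           lambda r: r["networkAcls"]["defaultAction"] == "Deny"),
]


def evaluate(resource: dict[str, Any]) -> dict[str, bool]:
    """Run every policy; a missing or malformed field counts as non-compliant (fail closed)."""
    results: dict[str, bool] = {}
    for p in POLICIES:
        try:
            results[p.id] = bool(p.check(resource))
        except (KeyError, TypeError):
            results[p.id] = False
    return results


def violations(resource: dict[str, Any]) -> set[str]:
    """Ids of the policies the resource fails."""
    return {pid for pid, ok in evaluate(resource).items() if not ok}


def correlate(plan: dict[str, Any], runtime: dict[str, Any]) -> dict[str, set[str]]:
    """Apply the same policies to the declared (IaC) and observed (runtime) state.

    'drift' is what runtime violates that the declared configuration did not,
    i.e. changes made outside the delivery pipeline (console edits, automation,
    or an intruder). 'resolved_outside_pipeline' is the reverse: the code still
    has the gap, so it will return on the next deploy.
    """
    pre, post = violations(plan), violations(runtime)
    return {
        "pre_deploy": pre,
        "runtime": post,
        "drift": post - pre,
        "resolved_outside_pipeline": pre - post,
    }


def by_domain(policy_ids: set[str]) -> dict[str, list[str]]:
    """Group findings by security domain so cross-domain exposure is visible at a glance."""
    grouped: dict[str, list[str]] = {}
    for p in POLICIES:
        if p.id in policy_ids:
            grouped.setdefault(p.domain, []).append(p.id)
    return grouped


# Constructed: what the infrastructure-as-code declares for the backup storage account.
PLAN = {
    "encryption": {"services": {"blob": {"enabled": True}}},
    "supportsHttpsTrafficOnly": True,
    "allowBlobPublicAccess": False,
    "containers": [{"name": "backups", "publicAccess": "None"}],
    "loggingEnabled": False,   # hygiene gap already present in the code
    "roleAssignments": [],     # no scoped role granted; shared key in use
    "networkAcls": {"defaultAction": "Deny"},
}

# Constructed: what the cloud API reports after someone opened the container by hand.
RUNTIME = {
    **PLAN,
    "allowBlobPublicAccess": True,
    "containers": [{"name": "backups", "publicAccess": "Container"}],
}

if __name__ == "__main__":
    report = correlate(PLAN, RUNTIME)
    for label in ("pre_deploy", "runtime", "drift"):
        print(f"{label}:")
        for domain, ids in sorted(by_domain(report[label]).items()):
            for pid in ids:
                print(f"  [{domain}] {pid}")
```

Run stand-alone, the report shows two findings already present in the code (logging off, no scoped role) and two that exist only at runtime (account-level public access on, container set to public). The runtime-only pair is the drift the article describes: the pre-deploy check passed, so only a check repeated against the live configuration catches it, and the domain grouping makes clear that the exposure is not a single data-security miss but a hygiene and access-management failure stacked on top of it.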
Concourse Labs’ Innovative Approach
Concourse Labs offers automated cloud governance solutions that uniquely help organizations simplify managing cloud risk so they can confidently accelerate public cloud adoption at scale. We provide a fully integrated SaaS solution that enables customers to continuously monitor cloud usage, manage policies, assess and remediate risk, and demonstrate compliance.
Our team of industry luminaries has been hands-on building, operating, and advising large-scale mission-critical public cloud initiatives for over a decade, making us uniquely qualified to help organizations deliver on the promise of public cloud safely, on-time, and within budget.
To learn more, visit us at www.concourselabs.com.