Your Cloud Assets are Probably Not As Secure as You Think They Are
Despite a plethora of available tools and resources, there are still many ways to configure cloud services incorrectly. According to a Wall Street Journal article published earlier this year, research and advisory firm Gartner Inc. estimated that up to 95% of cloud breaches occur due to human errors such as configuration mistakes. Not surprisingly, there have been frequent public and private cloud breaches − even for organizations with significant resources and mature security programs.
So what can we do about it?
Based on many discussions with our clients, NetSPI has identified a number of common security issues that span different cloud platforms, environments, and even vertical markets:
- Lack of multi-factor authentication – A cloud breach is often achieved by using common vulnerabilities, public data exposures, and active credential guessing attacks, for example by enumerating a potential email address off of a public data source and guessing credentials. You may find it surprising that many cloud services do not use multifactor authentication right out of the box.
- Integration of cloud and on-premise networks – Integrating cloud and on-premise environments makes it easier to migrate resources, users, and accounts out to a cloud provider. However, it does increase risk, especially if federated authentication, shared user accounts, and the same active directory environment are used. This makes it much easier for attackers to pivot into traditional (often less secure) network resources once they have gained access to the cloud.
- Poor permission configuration – Security can sometimes take a back seat when developers are trying to be agile and for simplicity, accounts can be over-permissioned. This is a growing problem, in part because of the increasing popularity of public repositories and Internet services like GitHub to manage code and configurations. This has led to a rise in accidental pastes of copied user names and passwords on the Internet, which can be leveraged by malicious actors.
How you can protect yourself
With these issues in mind, what steps can you take to improve your cloud security? First, it’s important to practice proper cloud hygiene at the outset by: (a) clearly defining requirements, (b) isolating development, staging, and production environments, and (c) limiting privileges in all environments to guard against escalation by malicious actors.
Second, NetSPI recommends testing regularly and fully. This includes penetration testing all layers of your environment and using Cloud Configuration Reviews to evaluate how well the security controls your cloud provider has in place are actually protecting your cloud application(s). Traditional penetration testing does not go deep enough when you are running cloud applications, which is why more rigorous cloud penetration testing is critical.
In addition to the common insights gained from an external penetration test, a cloud penetration test goes much further to include testing on cloud hosts and services. Internal network layer testing of virtual machines and services from the cloud virtual networks are included, as well as external network layer testing of externally exposed services. In addition, a configuration review of cloud services also includes reviews of firewall rules, access controls (IAM/RBAC) of users/roles/groups/policies, as well as utilized cloud services (storage, databases, etc.).
Recommendations for undertaking cloud testing
It’s clear that full and regular testing is a sure-fire way to improve the security of your applications and data residing in the cloud and ultimately your on-premise network if both environments are closely integrated. If you are planning on undertaking cloud penetration testing, NetSPI recommends the following best practices:
- Ensure systems and services are updated and patched in accordance with industry/vendor recommendations
- Verify if IAM/RBAC Roles are assigned appropriately and not over-permissioned and there is no provision for permission escalation
- Use security groups and firewall rules to limit access between services and virtual machines
- Ensure that sensitive information is not written in clear text to any cloud storage services and encrypt data prior to storage
- Verify user permissions for any cloud storage containing sensitive data and ensure that the rules represent only the users who require access to the storage
- Ensure only the appropriate parties have access to key material for decryption purposes
One last thought
As a security vendor, we hear statements every day like, “Cloud doesn’t change anything from a security perspective because it’s all the same stuff, just in a different place” or “My cloud provider takes care of security.” In the rush to embrace cloud and its advantages, some security best practices have fallen by the wayside. Now’s the time to refocus on securing assets by working proactively with your cloud services provider and testing regularly. The last thing you want is to be included in those ever increasing cloud breach statistics.