Security-related weaknesses or flaws in cloud environments can be devastating for organisations. But most cloud security vulnerabilities, above all misconfigurations, are preventable.
Moving to cloud computing is one of the most significant technology disruptions of recent years, and most CIOs will tell you that data is more secure with cloud vendors than in their own data centres. Yet the cloud is fallible, as enterprises were reminded again when Amazon Web Services (AWS) suffered an outage in December that disrupted multiple websites, services and organisations, including the Associated Press and Disney+.
And, that was not the first cloud outage.
The outages show that even the hyperscale operators are not immune to oversights, and that a single oversight can cascade into many other problems. They are a reminder that, alongside the benefits of the cloud (efficiency, scalability and operational resiliency), a gap in an organisation's own security posture, such as an improperly configured firewall or unencrypted data, can be just as devastating as a provider outage, and, unlike the outage, it is within the organisation's control.
Even well-engineered cloud networks are susceptible to attack, because every permission granted and every access point exposed widens the surface an attacker can probe.
While it is essential for organisations using the cloud to adhere to industry compliance controls, such as HIPAA for healthcare data and SOC 2 for processing customer data in the cloud, compliance alone does not stop attacks: most successful attacks on cloud services result from misconfiguration, mismanagement and mistakes.
The teams operating large, regulated cloud environments are experiencing more than 50 misconfigurations per day, according to the Fugue State of Cloud Security 2021 report. According to the report, in 2021, 36 per cent of companies suffered a severe cloud security leak or breach due to cloud misconfiguration.
Gartner says at least 99 per cent of cloud security failures will be cloud resource misconfiguration by 2023, and configuration errors can expose data and allow for misuse.
Automation and user self-service in cloud platforms, including both infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), have magnified the importance of proper cloud configuration and compliance.
Mitigate configuration mistakes
Taking it up a notch, hackers now use automated tools to scan for cloud misconfigurations and exploit them, often within minutes of a resource being exposed. More enterprises will undoubtedly suffer a cloud data breach in 2022, because many, while migrating IT systems and applications out of the data centre, fail to identify the security risks unique to cloud computing, primarily misconfigurations. These vulnerabilities, however, are preventable.
Here is how IT teams can mitigate configuration mistakes:
- Adopt and enforce least-privilege or zero-trust policies that deny access to cloud resources and services by default and grant it only where a specific business or application task requires it.
- Use cloud service policies, such as organisation-wide guardrails, to ensure resources are private by default.
- Create and use clear business policies and guidelines that specify the required configuration settings for cloud resources and services.
- Encrypt data at rest and in transit by default.
- Use tools to check for configuration errors and to audit logs, so that drift from the required settings is detected by the organisation rather than discovered by an attacker.
Stronger access control security
It is also vital to secure the cloud infrastructure by stopping unauthorised users from taking advantage of poor access control. For example, it is common for attackers to guess or spray weak passwords against cloud console and API logins. Some well-established tactics strengthen access control: enforce strong passwords (current NIST guidance in SP 800-63B favours long passwords screened against breached-password lists over forced periodic resets, which tend to produce predictable variations); require multi-factor authentication, on the root or tenant-owner account above all; adopt a zero-trust policy; and use the cloud provider's native identity and access management for services and resources within the cloud rather than bolting on third-party access controls.
Malicious actors can also attack the cloud through distributed denial of service (DDoS) and other mechanisms that undermine the availability of cloud resources and services. Enterprises must plan for such events as part of their disaster recovery strategy, as outages can significantly affect cloud workloads and data sources.
Disaster recovery built on high-availability architectures spread across cloud regions or zones must be designed carefully and tested regularly, so that the business is affected as little as possible when a region or zone fails.
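What checking for the access-control weaknesses above looks like in practice, as an added example written for this page rather than code from the article: the script below reads an AWS IAM credential report and flags the root account holding an access key, console users without MFA, and access keys that are stale or never used. The report text is constructed (a subset of the real report's columns); the 90-day key age and the fixed clock are assumptions.

```python
"""Audit an AWS IAM credential report for weak access-control hygiene.

Added example, not code from the original article. The report text below is
constructed for illustration; the real CSV comes from
`aws iam get-credential-report` (base64-decoded) and has more columns.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample, using a subset of the real credential-report columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,not_supported,false,true,2019-01-10T08:05:00+00:00,2023-11-02T11:20:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T09:00:00+00:00,true,2023-10-15T09:00:00+00:00,true,true,2023-10-01T00:00:00+00:00,2023-11-30T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2020-06-12T09:00:00+00:00,true,2020-06-12T09:00:00+00:00,false,true,2020-06-12T09:00:00+00:00,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-02-20T09:00:00+00:00,false,N/A,false,true,2023-11-20T00:00:00+00:00,2023-12-01T06:00:00+00:00
"""

# Fixed "now" so the results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2023, 12, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy


def _parse_time(value):
    """ISO timestamp -> aware datetime; None for N/A, not_supported, no_information."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return a list of 'user: finding' strings, one per hygiene violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        key_active = row["access_key_1_active"] == "true"
        has_mfa = row["mfa_active"] == "true"

        # The root account should never hold long-lived keys and must have MFA.
        if is_root and key_active:
            findings.append(f"{user}: root account has an active access key")
        if is_root and not has_mfa:
            findings.append(f"{user}: root account without MFA")

        # Anyone who can log in to the console with a password needs MFA.
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append(f"{user}: console password enabled without MFA")

        # Active access keys should be rotated and should actually be in use.
        if key_active:
            rotated = _parse_time(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                findings.append(f"{user}: access key older than {max_key_age.days} days")
            if _parse_time(row["access_key_1_last_used_date"]) is None:
                findings.append(f"{user}: active access key has never been used")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

Note that the script deliberately does not flag password age: it flags missing MFA and stale or unused long-lived keys, which are the credentials an attacker actually reuses, rather than forcing resets on passwords that are otherwise fine.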
APIs are attack vectors
Application programming interfaces (APIs) are rapidly becoming a major attack vector too. Cloud computing is driven by APIs that let different applications and services interact. Cloud security is a function of design and architecture, not just intrusion detection. Attackers most often go after the control plane APIs, the ones that create, change and delete cloud resources, so you must protect the credentials that call them (short-lived, narrowly scoped credentials rather than long-lived keys embedded in code or configuration) and monitor control-plane activity, so that a stolen API key is noticed the moment it is used rather than weeks later.
APIs made public to speed adoption, giving external developers and business partners access to the organisation's services and data, are sometimes implemented without adequate authentication and authorisation, increasing the chance of a data compromise.
Whether using a cloud provider's APIs or building business APIs deployed in the cloud, it is important to develop and use APIs with strong authentication, encryption of data in transit, and access controls. APIs should be treated as sensitive code and subjected to thorough security reviews, including penetration testing.
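Monitoring the control plane, as described above, means reading the provider's audit log of API calls and alerting on the patterns that precede or accompany key theft. The following is an added example written for this page, not code from the article: it runs a few detection rules over AWS CloudTrail records, flagging console logins without MFA, identity and credential changes, tampering with the audit trail itself, and calls from networks the organisation does not use. The records, account ID, key ID and IP ranges are constructed placeholders, and the allowed network is an assumption standing in for an organisation's known egress addresses.

```python
"""Flag suspicious control-plane activity in AWS CloudTrail records.

Added example, not code from the original article. The records below are
constructed (field names follow CloudTrail's real schema; the account ID,
key ID and IP addresses are placeholders). The allowed network range is an
assumption standing in for an organisation's known egress addresses.
"""
import ipaddress
import json

ACCOUNT = "123456789012"  # placeholder account ID
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-12-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2023-12-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-12-01T08:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2023-12-01T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/main"}},
    {"eventTime": "2023-12-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2023-12-01T09:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/cfn-deploy/stack"}},
]})

ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
                     "CreateUser", "AttachUserPolicy", "PutUserPolicy"}
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _outside_allowed_networks(source, allowed):
    """True when the caller's IP is in none of the allowed ranges. AWS service
    principals (e.g. cloudformation.amazonaws.com) appear in sourceIPAddress
    instead of an IP and are not flagged by this rule."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in allowed)


def detect(records, allowed_networks=ALLOWED_NETWORKS):
    """Return one alert dict per (record, rule) match."""
    alerts = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        user = ident.get("userName") or ident.get("arn", "unknown")
        reasons = []
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            reasons.append("console login without MFA")
        if rec["eventName"] in CREDENTIAL_EVENTS:
            reasons.append("credential or identity change")
        if rec["eventName"] in LOGGING_TAMPER_EVENTS:
            reasons.append("audit logging tampered with")
        if _outside_allowed_networks(rec.get("sourceIPAddress", ""), allowed_networks):
            reasons.append("call from outside allowed networks")
        for reason in reasons:
            alerts.append({"time": rec["eventTime"], "user": user,
                           "event": rec["eventName"], "reason": reason})
    return alerts


def detect_from_trail(trail_json, allowed_networks=ALLOWED_NETWORKS):
    """Run detect() over the body of a CloudTrail log file ({"Records": [...]})."""
    return detect(json.loads(trail_json)["Records"], allowed_networks)


if __name__ == "__main__":
    for a in detect_from_trail(SAMPLE_TRAIL):
        print(f'{a["time"]} {a["user"]:10} {a["event"]:18} {a["reason"]}')
```

On the constructed sample every alert lands on the same user within two minutes: a login without MFA from an unknown network, followed by a new access key and then an attempt to stop logging. Correlating alerts by user and time, rather than looking at each event alone, is what turns these rules into a detection rather than noise.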
Security teams are no longer limited to monitoring the cloud runtime for vulnerabilities; they can work with cloud engineering and DevOps teams to prevent them. Engineers use automated CI/CD pipelines and infrastructure as code (IaC) to define cloud resource configurations and their relationships, which makes every configuration reviewable and repeatable: a misconfiguration caught in code before deployment never reaches production, and the same automation brings significant gains in cost and speed.
But to check IaC for security issues automatically, businesses need policy as code: the required security policies expressed as code, so there is no room for misinterpretation and the same rule is applied identically on every run.
In this video, www.youtube.com/watch?v=97Io9KVm0Ow, Josh Stella, co-founder and CEO of Fugue and a technical authority on cloud security, explains that every significant cloud breach has involved hackers exploiting flaws in the design of the system.
According to Stella, when developers build applications in the cloud, they’re also building the infrastructure for the applications as opposed to buying a pile of infrastructure and shoving apps into it. “That process is done with code, which means developers own that process, and this fundamentally changes the security team’s role.”
Policy as code lets teams express security and compliance rules in a language that a program can evaluate automatically to decide whether a configuration is correct.
To create a holistic response to security, businesses should treat the vulnerabilities in their cloud environment as a virtual hole dug as the cloud infrastructure expanded. "The first thing you need to do to fill that hole is to gain a full understanding of its dimensions and depth. At the same time, you need to stop the DevOps teams from digging the hole again. The right way to do this is with Policy as Code," added Stella.
Organisations such as Goldman Sachs and Netflix use Open Policy Agent (OPA), a policy engine that automates and unifies policy enforcement across IT environments, especially for cloud-native applications. Businesses can use OPA to drive policy-based security automation for cloud environments and IaC, and it has a robust tooling ecosystem, so it is a sensible starting point when choosing a policy-as-code framework. Applying automated policy-as-code checks across the development lifecycle lets application teams ship features and functionality to customers quickly, while the security team concentrates on the risks that cannot be checked automatically.
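The mitigation list above (private by default, encryption by default, tools that check for configuration errors) and the policy-as-code approach described here come together in one kind of artefact: a set of deny rules evaluated against a Terraform plan in the CI pipeline. The block below is an added example written for this page, not code from the article and not OPA itself; with OPA the same rules would be written in Rego and evaluated by OPA or conftest, but the shape is the same, a list of rules per resource type run over the JSON from `terraform show -json`. The plan is constructed, and the list of ports allowed open to the world is an assumption.

```python
"""Policy-as-code checks over a Terraform plan, written in plain Python.

Added example, not code from the original article and not OPA/Rego. With OPA
the rules below would be Rego deny rules evaluated by OPA or conftest; the
structure (deny rules per resource type, applied to `terraform show -json`
output) is the same. The plan below is constructed.
"""
import json

# Constructed sample in the shape of Terraform's plan JSON. The `acl` attribute
# on aws_s3_bucket is the pre-provider-v4 form; newer code sets it through
# aws_s3_bucket_acl, which would need its own rule.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
     "values": {"bucket": "acme-logs", "acl": "public-read"}},
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block", "name": "logs",
     "values": {"block_public_acls": True, "block_public_policy": True,
                "ignore_public_acls": False, "restrict_public_buckets": True}},
    {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
     "values": {"ingress": [
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance", "name": "app",
     "values": {"storage_encrypted": False, "publicly_accessible": True}},
    {"address": "aws_db_instance.reports", "type": "aws_db_instance", "name": "reports",
     "values": {"storage_encrypted": True, "publicly_accessible": False}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "name": "data",
     "values": {"encrypted": True, "size": 100}},
]}}})

PUBLIC_PORTS_ALLOWED = {80, 443}  # assumed: only web ports may be open to the world
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


# Each rule takes a resource's planned values and returns a message on violation.
def s3_bucket_not_public(values):
    if values.get("acl", "private") in PUBLIC_ACLS:
        return "S3 bucket ACL grants public access"


def s3_public_access_block_complete(values):
    flags = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
    missing = [f for f in flags if values.get(f) is not True]
    if missing:
        return "public access block leaves " + ", ".join(missing) + " disabled"


def sg_no_admin_ports_open_to_world(values):
    for rule in values.get("ingress", []):
        cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        world_open = bool(cidrs & ANY_ADDRESS)
        web_only = lo == hi and lo in PUBLIC_PORTS_ALLOWED
        if world_open and not web_only:
            return f"ingress rule opens ports {lo}-{hi} to the world"


def rds_encrypted(values):
    if values.get("storage_encrypted") is not True:
        return "database storage is not encrypted at rest"


def rds_not_public(values):
    if values.get("publicly_accessible") is True:
        return "database instance is publicly accessible"


def ebs_encrypted(values):
    if values.get("encrypted") is not True:
        return "EBS volume is not encrypted"


POLICIES = {
    "aws_s3_bucket": [s3_bucket_not_public],
    "aws_s3_bucket_public_access_block": [s3_public_access_block_complete],
    "aws_security_group": [sg_no_admin_ports_open_to_world],
    "aws_db_instance": [rds_encrypted, rds_not_public],
    "aws_ebs_volume": [ebs_encrypted],
}


def _walk(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def evaluate(plan_json):
    """Return 'address: message' strings for every policy violation in the plan."""
    plan = json.loads(plan_json)
    violations = []
    for res in _walk(plan["planned_values"]["root_module"]):
        for rule in POLICIES.get(res["type"], []):
            msg = rule(res.get("values", {}))
            if msg:
                violations.append(f"{res['address']}: {msg}")
    return violations


if __name__ == "__main__":
    found = evaluate(SAMPLE_PLAN)
    print("\n".join(found) or "no violations")
    raise SystemExit(1 if found else 0)  # a non-zero exit fails the CI stage
```

Run against a plan in the pipeline, a non-zero exit blocks the apply, which is the "stop digging the hole" half of Stella's advice; running the same rules over the live environment's exported state covers the "measure the hole" half with one set of rules rather than two interpretations of a written policy.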
In 2022 and beyond, most enterprises will continue to struggle with appropriately measuring cloud security risks. But a well-designed risk management strategy, aligned with the overarching cloud strategy, can help organisations determine what actions can be taken to reduce risk exposure.