“The problem is not that the cloud is insecure, but ultimately customers are responsible for securely configuring their networks, applications and data,” said Varun Badhwar, CEO and co-founder of cloud security startup RedLock. “Public cloud infrastructure such as AWS can be highly secure if configured correctly by organizations adopting such services.”
Cloud security company Threat Stack analyzed 200 companies using AWS and found that 73 percent had at least one critical security misconfiguration, such as one that lets unauthorized parties directly access data, use the misconfigured resource as a foothold in a larger attack, or take control of the entire environment by logging into the AWS console. These exposures were the result of basic security negligence and non-existent IT policies, not the work of malicious adversaries.
Regardless of who is doing the provisioning, whether that is the IT administrator, developer, engineer or the security team, too many people do not fully understand how to configure their cloud environments. Organizations can no longer treat the public cloud as just another place to store information; they need to adopt the following security measures to ensure that their cloud environments, applications and data are protected from unauthorized access.
1. Know what you are responsible for
Not all cloud services are the same, and the level of customer responsibility varies. Software-as-a-service (SaaS) providers will make sure their applications are protected and that data is transmitted and stored securely, but that is typically not the case with cloud infrastructure. For example, the organization has complete responsibility for what runs on its Amazon Elastic Compute Cloud (EC2) instances, Amazon Elastic Block Store (EBS) volumes and Amazon Virtual Private Cloud (VPC) networks, including configuring the operating system, managing applications and protecting data.
In contrast, Amazon maintains the operating system and application software behind Simple Storage Service (S3), while the organization is responsible for managing the data, access control and identity policies. Amazon provides the tools for encrypting S3 data, but it is up to the organization to turn that protection on, both for data in transit as it enters and leaves the service and for data at rest. Check with the provider to understand who is in charge of each cloud security control.
2. Control who has access
RedLock’s CSI report found that 31 percent of databases in the public cloud are open to the Internet. In fact, 93 percent of resources in public cloud environments did not restrict outbound traffic at all. Nine percent of cloud workloads that were neither load balancers nor bastion hosts were accepting traffic from any IP address on any port, which leaves every service on the host reachable by anyone. Only load balancers and bastion hosts should be exposed to the Internet.
The Verizon data breach happened because an S3 bucket was set to allow external access. This is unfortunately a common mistake. Threat Stack found that 37 percent of organizations in its research had S3 buckets that granted access to everyone. Many administrators likewise grant global access to their servers by allowing 0.0.0.0/0 in the security group rules for public subnets. The connection is left wide open, giving every machine on the Internet the ability to connect.
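The two exposures described in this section, a security group that accepts traffic from anywhere and an S3 bucket ACL that grants access to everyone, are easy to find with an inventory audit. The script below is an added example, not code from the article or from RedLock or Threat Stack. Its record shapes follow boto3’s describe_security_groups and get_bucket_acl responses, but the inventory it runs over is constructed for the example, and the "Role" tag it uses to recognise load balancers and bastion hosts is an assumption about how an account labels its hosts.

```python
"""Offline audit for two public-cloud misconfigurations: security group
ingress rules open to 0.0.0.0/0 or ::/0, and S3 bucket ACLs that grant
access to everyone.

Added example. Record shapes mirror boto3's describe_security_groups and
get_bucket_acl responses; the sample inventory is constructed, and the
"Role" tag convention is an assumption.
"""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Group URIs S3 uses for "everyone" and "any AWS account" (real AWS values).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Only these roles should be Internet-facing (assumed "Role" tag values).
INTERNET_FACING_ROLES = {"load-balancer", "bastion"}


def port_range(perm):
    """(from, to) for an IpPermission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def open_to_world(perm):
    """True if any CIDR on the rule is the whole IPv4 or IPv6 Internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(groups):
    """Flag ingress rules reachable from anywhere, graded by what they expose."""
    findings = []
    for sg in groups:
        tags = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}
        role = tags.get("Role", "")
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            lo, hi = port_range(perm)
            if (lo, hi) == (0, 65535):
                severity = "critical"   # any port from any address
            elif role in INTERNET_FACING_ROLES:
                severity = "info"       # expected for a load balancer or bastion
            else:
                severity = "high"       # a host that should not be exposed at all
            findings.append({
                "group": sg["GroupId"],
                "name": sg.get("GroupName", ""),
                "ports": f"{lo}-{hi}",
                "severity": severity,
            })
    return findings


def audit_bucket_acls(acls):
    """Flag ACL grants to AllUsers or AuthenticatedUsers; both mean 'public'."""
    findings = []
    for bucket, acl in acls.items():
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
                findings.append({
                    "bucket": bucket,
                    "grantee": grantee["URI"].rsplit("/", 1)[-1],
                    "permission": grant["Permission"],
                })
    return findings


# Constructed inventory (not from a real account).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-alb",
     "Tags": [{"Key": "Role", "Value": "load-balancer"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2c3d4e", "GroupName": "db-postgres",
     "Tags": [{"Key": "Role", "Value": "database"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c3d4e5f", "GroupName": "legacy-app", "Tags": [],
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "internal-api", "Tags": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

SAMPLE_BUCKET_ACLS = {
    "customer-exports": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "private-backups": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print("SG", f)
    for f in audit_bucket_acls(SAMPLE_BUCKET_ACLS):
        print("S3", f)
```

Against a real account the constructed inventory is replaced by `ec2.describe_security_groups()["SecurityGroups"]` and one `s3.get_bucket_acl(Bucket=name)` call per bucket. Note that the ACL is only one way a bucket becomes public: a bucket policy with a `"Principal": "*"` statement has the same effect, so a complete check also reads each bucket’s policy and its Block Public Access settings.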