By Andrew Plato (guest post)

I was reading the story of a recent cloud breach, and noticed the attackers did not need to do any real hacking.  They simply accessed data that had overly permissive rights.  Cloud hackers do not need to invest in zero-day exploits or elite hacking skills when they can walk right in thanks to the endless number of cloud misconfigurations.  

Intrigued, I did some research, and discovered the statistics for cloud misconfiguration are as alarming as they are divergent.  

  • Gartner boldly claims that through 2025, 99% of all cloud security failures will be the customer’s fault.

  • In contrast, IBM thinks only 15% of attacks are the result of misconfiguration. 

  • Palo Alto Networks backs up their claims with actual testing and says misconfigurations are “easy to find” and “prevalent across cloud accounts.”

The PAN report also has this bit of insight: “one simple IAM misconfiguration allowed our Unit 42 researchers to compromise an entire, massively scaled cloud environment and bypass just about every security control.”  This confirms something I have been writing for decades: it does not matter if you have the best security tech in the world; if your systems are not managed properly, all that security tech is largely useless.

Cloud Complexity

Gartner’s claim sounds outlandish, but if you have spent time securing a cloud environment, their 99% number makes a lot of sense.  It is extremely difficult to secure modern cloud environments.  They are sprawling, dynamic, complex environments that confound the humans who must manage them.  Furthermore, the cloud service providers (CSPs), such as AWS, Azure, and GCP, are only barely making this better.  In their rush to dominate the market, they have prioritized capacity and capability over ease of use.  

Consider the misconfiguration I mentioned at the beginning of this article: permissive access rights.  This is the root cause of most cloud attacks.  It is easy to pontificate about how the users are all at fault, but have you ever tried to actually secure cloud services?  It is painful.  

I recently burned up a week struggling to configure AWS permissions.  I had a relatively simple goal: different levels of access to different controls.  Admittedly, my AWS skills are only fair.  However, I am not completely clueless (at least about cloud security).  Building an access policy in AWS’s policy generator is confusing and obtuse.  It requires a lot of prerequisite knowledge to be effective.  I had to read a lot of instructions and do hours of tinkering before I was able to get the results (and security configuration) I wanted.  

Ultimately, I figured it out.  However, I was not under pressure to meet a deadline.  This is not the case with most (all?) DevOps teams.  They are under tremendous pressure to get code into production.  Consequently, when frustrated with the tangled policies of a CSP, they will quickly bypass security policies to get things working.  I cannot say I entirely blame them.  When I was into my 40th hour of twiddling with JSON in AWS, I too contemplated allowing all access, just so I could move ahead.  

So, what can we do about this?


Fixing the Misconfiguration Challenge

The traditional advice here is to talk about training, tools, or processes.  Those are all legitimate ideas, but I am going to focus on what the CSPs could do.  

  1. Empower the Average User

First, cloud service providers need to make their platforms more accessible to average users.  Azure gets high marks here for trying to make the complexities of identity management, security, and access controls easier to use for average users.  GCP seems to have heard the message here, as they are investing heavily in security.  At a minimum, these platforms should unify all security controls and access into a common portal or service offering.  

An (aged) example of how average users are empowered is right here in front of me: Microsoft Word.  Word is an ancient tool, but it has an interesting layering to its design.  Word is a tool where both the inexperienced and experienced can be effective.  This is because Microsoft invested (back in the 1990s) in empowering even the most novice user.  It has a lot of basic security controls in place by default.  That gets to the next item on this list.  

  2. More “By Default, By Design” 

Second, the cloud providers need to continue to adopt the “security by default, by design” concept.  In other words, offer products with security pre-configured.  AWS gets credit for their Lightsail products, which simplify the deployment of common application tools and platforms with preset security controls, hardened against attack.  GCP has also done a good job of making their platforms secure by default.  

  3. Basic Vulnerability Management 

If open-source Linux distros can do this, then so can these giant CSPs.  All the CSPs should provide a rudimentary vulnerability scanning service for customers.  This should be on by default, and give even novice users insight into their security posture.  

Security posture management is hot right now among commercial products.  There is a reason for that.  It is desperately needed.  The CSPs should seize the moment and either acquire or build these capabilities natively.  Yes, this may infuriate some partners, but there is plenty of room in the market for more sophisticated platforms.  

  4. Containers and Moving Target Defense 

Looking into the future, the CSPs should be building turn-key containerized environments.  Specifically, containerized platforms (similar to Lightsail) that are pre-configured with security and make use of moving target defense (MTD) technologies.  Such environments could host a vast array of applications and services, while providing reusable containers that automatically refresh themselves from known-good repositories on periodic or triggered conditions.  

While MTD might not solve all security concerns, it does provide an important fail-safe: lack of persistence.  Platforms using MTD are naturally ephemeral, which thwarts a lot of attack tactics that depend on persistence to gain a foothold in an environment.  

Conclusion 

Would these four changes eliminate cloud misconfigurations?  Not entirely, but they would take a huge bite out of the problem.  It would set the baseline much higher.  

CSPs are in a powerful position to do something about cloud misconfigurations.  These attacks may not all be their fault, but that does not free them from responsibility.