Misconfigurations of Cloud-Managed Infrastructures Continue to be a Major Challenge to Data Security

In case you missed the memo, cloud-hosted data is here to stay. Recent data shows spending on cloud services reached a total of $178 billion in 2021, a 37 percent increase over the $130 billion spent in 2020 and twice the amount enterprises are spending on their data centers. As more organizations migrate applications and workflows to cloud-managed environments, cloud-hosted data will continue to be a prime target for cybercriminals, and securing that data is becoming more difficult.

There are myriad reasons why securing data is more difficult in cloud-hosted environments. In this post, we’ll focus on the specific challenge of misconfiguration. We’ll explain why misconfigurations of cloud environments are so commonplace and share best practices on how to shore up your defenses. We’ll also tell you about a solution that enables you to secure cloud-hosted data without specific configuration knowledge. 

Lack of expertise in cloud-hosted infrastructures

While more organizations move to cloud environments to cut costs, they often need the technical skills on hand to configure those environments in a way that enables them to apply security controls to the hosted data. More frequently than not, vulnerable APIs and misconfigured databases in these environments become “quick wins” for attackers. Even so, because using cloud-hosted infrastructures takes the pressure off labor costs, these same organizations are willing to eschew traditional IT security support, assume the vendor is “handling it,” and run the increased risk of security breaches. Cloud services vendors are purpose-built to secure their infrastructures, but each organization that uses the service is responsible for securing their data, as Amazon Web Services (AWS) shows in this Shared Responsibility Model.

The customer’s level of responsibility varies depending on the type of cloud service. While a software as a service (SaaS) customer is responsible only for data, an infrastructure as a service (IaaS) customer would be responsible for the security of the data, applications, and operating system.

How security misconfiguration happens

Default security settings of the cloud service vendor usually provide sufficient security, but there are hundreds of examples of breaches caused by misconfigurations across most cloud-managed environments.

For example, AWS Simple Storage Service (S3) buckets are as simple to use as the name suggests; and as a result, they are widely used for data storage. However, any potential attacker using available open-source tools can gain unrestricted public access to your organization’s S3 buckets. If a bucket holding sensitive data were configured to public access, the data would be vulnerable to a breach from attackers using those tools.

Common misconfigurations that lead to vulnerabilities

As we discussed, a lack of system knowledge or lack of understanding of security settings can result in misconfigurations. Cloud Security Alliance lists seven common misconfigurations:

1. Unsecured data storage elements or containers
2. Excessive permissions
3. Default credentials and configuration settings that are left unchanged
4. Standard security controls that are disabled
5. Unrestricted access to posts and services
6. Unsecured secrets management
7. Poorly configured or lack of configuration validation

The business impact of misconfigurations

The impact of a misconfiguration can be disastrous depending on the nature of the misconfiguration and how quickly it is discovered and mitigated. Following the guidance from the CCAK Study Guide, impacts include the disclosure of data, loss of data, destruction of data, system performance, system outage, ransom demands, non-compliance, fines, lost revenue, reduction in stock price, and reputational impact.

Best practices to maintain proper configuration of cloud environments

Cloud architectures can be straightforward to configure if you understand what the most important settings are and how to set them. In addition to directly addressing the common misconfigurations listed previously, here are the top best practice examples to help ensure your cloud-hosted data is fully protected.

1. Set the environment as private.  Oftentimes DevOps teams create copies of their databases, including schemas, tables, users, credentials, configurations, and the data itself for testing and to maintain quick and flexible backups in case they need to execute on disaster recovery. If the private setting is not enabled, sensitive data sets might be inadvertently published publicly. Publishing data in public mode potentially exposes sensitive data.
2. Maintain a backup retention policy. As an organization, you should have a policy that ensures cloud-hosted data is backed up at the longest every seven days. This is important to ensure recent past data activity can be reviewed for policy-violating behavior. 
3. Enable encryption at rest. Commonly (and as a best practice all of the time), to fulfill GDPR, HIPAA, PCI, APRA, MAS, and NIST compliance standards, instances should be configured for data-at-rest encryption. Misconfiguration of data-at-rest encryption exposes you to data and SLA breaches.
4. Enable automatic minor version upgrades. A misconfigured automatic minor version upgrade makes it impossible to get minor upgrades automatically during specified maintenance windows. An outdated instance might leave sensitive data at risk.

Bypass the configuration process and still achieve data security

All organizations need to embrace available solutions that enable security teams to identify and remediate data security threats in real time.

Imperva Data Security Fabric (DSF) ingests diverse data types and enables security teams to efficiently and effectively overcome the cloud environment configuration challenge when migrating data, workflows, and development to cloud-hosted environments. Imperva DSF monitors all database activity – on-premises and in all cloud infrastructures – 100% of your data repository. Not only does Imperva DSF enable you to see how privileged users interact with the data, but it also attaches metadata to the raw data that enriches it and enables you to secure it more effectively. This helps security teams make better decisions both in terms of the risk rating associated with an event or routing an event through an automated decision tree to be able to arrive at the correct conclusion.