Misconfigured Clouds – a storm for everyone

Didn’t think I’d write anything with a title like this growing up lol

The cloud(s).

Sometimes our heads are in it but, more often than not, so is our sensitive data. Much like our physical networks, misconfigurations and improper setup can occur. According to the 2019 McAfee report “Cloud Adoption and Risk Report”, as more organisations adopt the cloud there has also been a high increase in misconfigurations and breaches relating to cloud services from various providers.

Without citing the statistics of the report, the massive increase in security events (which are genuine), misconfigurations leaking data to the world, the number of compromised cloud accounts and more are not isolated to single providers. Amazon, Google & Microsoft (Azure/Office365) routinely have their services (and the customers of their services) breached or exploited due to weak security and misconfigurations.

The issue with cloud security is down to the central location of data. Making it accessible globally is wonderful for ease of access and functionality, but it also gives hackers a single place to aim for. The dangers of hosting sensitive data within the cloud can be seen in examples like the recent Capital One breach, where the Justice Department involved in the case stated: “She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.”

It’s not like a literal cloud, just someone else’s server

What Do I Mean & What You Can Do

This article isn’t a massive technical write-up of each and every misconfiguration you can have with AWS or Azure but rather (or more hopefully) a careful reminder to review your cloud setup.

One of the last portions of the McAfee report included the results of a survey, which detailed the below:

“In the survey, we asked respondents how much they trusted their cloud providers to keep their organization’s data secure. 69% of respondents said that they trusted the cloud providers to keep their data secure (and 12% of respondents claimed that the service provider is solely responsible for securing their data)…”

“Perception vs Reality”, page 18 of the McAfee Cloud Adoption report

The results highlighted above show a scary trend of inherent trust which may lead even “professionals” to not properly review their setup.

If you host your secure communications, or an e-commerce platform which takes payment details, or even databases with identifiable data, it may be high time for the infrastructure to be reviewed. Hackers have multiple legal and reputable tools available to hunt down misconfigured servers, exploitable or readable databases, potentially known passwords and more, making their task of getting into the cloud a walk in the park.

As these robust platforms are updated by the day and are relatively new on the scene, organisations need to recognise the need for further assessments of their setup to ensure recommended security practices, configurations and policies are in place.

There is a wealth of public resources available on how best to secure platforms like Azure (Thanks Rhino Security Labs) and AWS (Thanks McAfee), but as quickly as organisations have jumped up into the cloud, there is a heavy requirement for re-assessment, as many recent breaches have shown that in a cloud environment a simple misconfiguration can have big consequences.

Other suggestions?

– Invest in staff training and certifications in these new fields. Microsoft have new MS (Office365) certifications (MS-500) and Azure certifications (AZ-500) relating specifically to security.

– Bring in third parties or a cloud consultancy to review and analyse your cloud setup. There is no shame in double checking not just where but how you store your vital data (especially if any of it touches the cloud)

– Create internal Policies, Procedures, Access Control, Backups and implement any multifactor authentication means possible to reduce attack surfaces

– Revoke access effectively and create contingency plans/backup procedures for insider threats as well as external ones (such as separate network/cloud space, isolated configurations), ensuring that any access to sensitive data is removed entirely

Will the sun ever shine?

Now don’t let this dishearten anyone inheriting the cloud, it’s a wonderful massively accessible thing. There are also massive security advantages over no longer holding data physically, along with massive security drawbacks (largest attack surface ever) that can come with the cloud.

The positive thing, however, is that due to its massive scale of adoption and the global investment into such platforms/technologies, there will forever be a massive driving force to improve and secure the locations where we hold our data/apps. This doesn’t, however, mean we can rely solely on the cloud providers or the tech firms that may assist in migrations/setups and so on. Rather, it should be the duty of an organisation (whichever way it may be) to ensure sensitive data is held effectively, accessed within reason and by those with authority.

Soon we may see a future where the grey line of cloud computing becomes less blurry, but until then we might all feel the rain from time to time living under (and as a part of) this cloud!

Inspired by recent news, easy bug bounty guides, and the cloudy headache I get from too much sugar.
