In the IT world, in the past, a misconfiguration was viewed as an occurrence that often originated in human error and was sometimes accepted as a price to be paid. Over time, many checks and balances were built into IT processes to prevent, detect, and recover from commonly occurring misconfigurations.
Now travel with me to the present day, and the same thing continues with IT in the cloud. This may seem just as benign as before, but now these misconfigurations have implications and impacts far beyond the enterprise’s network and IT infrastructure. In fact, this is well recognized by IT professionals and echoed in a 2021 report from Zimperium, which indicated that unsecured cloud configurations exposed information in thousands of apps.
The Rapid7 Cloud Misconfigurations Report, which examined 68 different accounts of breaches in 2021, found that a whole swathe of industries was affected, including information technology, healthcare, and public information, and that the victims included the giants of industry and companies from the Fortune 500 list.
Cloud misconfiguration simply means not configuring cloud systems correctly, leaving them open to all and sundry. Some common examples of such misconfigurations include, but are not limited to:
- Granting public access to data stores/buckets
- Having poor controls on network functionality
- Storing encryption passwords and keys in open repositories
The outcome of these misconfigurations can be wide and deep. At the simplest level, your data and the data belonging to your customers can be exposed. This can have huge financial and reputational impacts. Misconfiguration errors also lead to data breaches, allow the deletion or modification of resources, cause service interruptions, and otherwise wreak havoc on business operations.
Further, the length of time organizations take to detect a cloud configuration mistake varies widely and makes the situation even more explosive. Respondents in the 2021 Cloud Security Alliance State of Cloud Security Risk, Compliance, and Misconfigurations survey indicated that most commonly, cloud misconfigurations are found within a day (23%) or within a week (22%). More concerning, however, was that 22% of organizations take longer than one week to even find the configuration errors, let alone resolve the misconfiguration.
Now that we have indulged in some good old-fashioned fear in the triad of fear, uncertainty and doubt, or FUD, let’s take a deep breath and look at ten practical things you can do to protect the enterprise from these pesky misconfigurations:
- Ensure that the cloud team has the requisite knowledge and skills on general information and cybersecurity and is specifically skilled on cloud security aspects. This can include pursuing credentials such as the Certificate of Cloud Auditing Knowledge and Cloud Fundamentals Certificate from ISACA, or the Certificate of Cloud Security Knowledge from Cloud Security Alliance.
- Establish and implement cloud-related security and other baselines. This is easy to say and (probably also) to do, and you can find the necessary support and inspiration from many sources, including the various vendors themselves. You can also look at the CIS benchmarks for various cloud usages and vendors.
- Automate the rollout of policies on the cloud workloads where possible so that the potential for human error is minimized.
- Enable automation and continuous scanning for misconfigurations to prevent security incidents. Automation enables the remediation of issues in real time so that the vulnerabilities are quickly fixed.
- Assess the compliance status on an on-going basis so that deviations and other missteps are identified as close to the point of occurrence as possible and can be remediated before the outcome ends up in the press.
- Build an appropriate system of checks and balances. This includes making sure that an appropriate change management process is followed, with the requisite review of changes once complete, so that compliance with previously established baselines is also reviewed and gaps are fixed.
- Even if this may be stating the obvious, avoid a “lift and shift” at all costs, because the controls and measures that you apply, for instance, to a database in an on-premises model are not the same in the cloud. The public nature of the resources and the types and levels of access that may be required in the cloud will undermine all previously established on-premises controls and security measures.
- Distribute responsibilities across the DevOps or application engineering teams instead of holding your IT operations and information security teams primarily responsible for detecting, monitoring, and tracking potential misconfigurations.
- Aim for alignment among departments regarding security policies and enforcement strategies, and try to move toward a DevSecOps approach; improved interdepartmental alignment on security policies and enforcement is crucial for proactive security.
- Last but not least, do everything you can to combat shadow IT, which is very prevalent when it comes to enterprises consuming SaaS services.
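The continuous scanning recommended above can start small. As an added example that is not part of the original article, the following checker applies two of the misconfiguration classes listed earlier (public access to data stores and overly permissive network rules) to a constructed, vendor-neutral JSON inventory snapshot; the field names (`name`, `policy`, `block_public_access`, `inbound`) are this example's own assumptions rather than any provider's API.

```python
import ipaddress
import json

# Ports where an inbound rule open to any source is almost never intended.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

def bucket_findings(bucket):
    """Flag a data store whose policy lets any caller in, or that lacks a public-access block."""
    findings = []
    for stmt in bucket.get("policy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        # An Allow to "*" is only acceptable when a Condition narrows who it applies to.
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            findings.append(f"{bucket['name']}: policy allows {stmt.get('Action')} to any principal")
    if not bucket.get("block_public_access", False):
        findings.append(f"{bucket['name']}: public access block is disabled")
    return findings

def network_findings(group):
    """Flag inbound rules that expose a sensitive port to the whole internet."""
    findings = []
    for rule in group.get("inbound", []):
        world = ipaddress.ip_network(rule["cidr"]).prefixlen == 0  # 0.0.0.0/0 or ::/0
        exposed = SENSITIVE_PORTS & set(range(rule["from_port"], rule["to_port"] + 1))
        if world and exposed:
            findings.append(f"{group['name']}: ports {sorted(exposed)} open to {rule['cidr']}")
    return findings

def scan(inventory_json):
    """Run both checks over a JSON inventory snapshot and return every finding."""
    inv = json.loads(inventory_json)
    findings = [f for b in inv.get("buckets", []) for f in bucket_findings(b)]
    findings += [f for g in inv.get("security_groups", []) for f in network_findings(g)]
    return findings

# Constructed sample inventory (field names are this example's own, not a provider's API):
# one public bucket, one private bucket, one network group with SSH open to the world.
SAMPLE = json.dumps({
    "buckets": [
        {"name": "customer-exports", "block_public_access": False,
         "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
        {"name": "internal-logs", "block_public_access": True, "policy": {"Statement": []}},
    ],
    "security_groups": [
        {"name": "db-tier", "inbound": [
            {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
            {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    ],
})
```

Running `scan(SAMPLE)` on a schedule against an inventory exported from your own accounts turns the "find it within a day" statistic above into a matter of minutes; each finding maps to a CIS benchmark item you can remediate.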
Organizations don’t have to accept cloud misconfigurations as inevitable, and by taking some proactive steps, they can avoid or mitigate these misconfigurations and their negative impacts.
(The author, Mr. R.V. Raghu, is Director at Versatilist Consulting India Pvt Ltd and ISACA Ambassador in India; the views expressed in this article are his own.)