Cloud adoption has taken the business world by storm. Companies are adopting some form of cloud services technology, with 40 percent working on fully migrating their data from on-premise data centers to the virtual cloud space. Cloud services remove the burden of rigid and fallible data centers, giving you a flexible and resilient way to manage your data and devote more focus to what matters.
While these benefits are numerous, developing cloud platforms and migrating workloads to the cloud can come with risks if not conducted correctly. Recent cloud breaches and incidents have worried organizations implementing cloud migrations and digital transformations, who are convinced that these incidents reflect a flaw in the cloud model and could expose their most critical assets to vulnerabilities and attacks.
Instead of pausing cloud transformation efforts, organizations can use lessons from these incidents as an opportunity to build a robust cloud security program. Lessons and tips include:
- Issue 1: At times, applications hosted by cloud service providers (CSPs) require permissions to access data that is hosted in a CSP's storage service (e.g., Amazon S3). CSPs like Amazon Web Services (AWS) offer identity and access management (IAM) services that grant access to these storage services based on the application's role and requirements. While powerful in enabling access to services, this can be dangerous if the appropriate guardrails are not configured for these roles (e.g., a role's credentials being obtained through exploitation of the instance Metadata Service).
- Recommendation: Lock down application programming interface (API) calls to this type of service and implement security guardrails to ensure IAM policies are not too permissive. In addition, organizations should consider defining policies that grant access only when it is actually needed.
- Issue 2: The CSP marketplaces offer robust security products that can be used to protect customer environments. However, these products may come with their own scripts (e.g., CloudFormation Templates) to automate the deployment and configuration of the security products. Organizations may trust these vendor solutions for configuring security services, but many of these "ready-to-use" templates grant overly permissive access to AWS services, opening your system to vulnerabilities. For example, a CloudFormation Template used to deploy and configure a firewall could grant the firewall access to S3 data it does not need.
- Recommendation: Require security reviews of all IAM policies and automation scripts before they are used within the environment. Organizations should create rules to check for overly permissive IAM policies and set up automated testing where possible to ensure policies and scripts behave as expected before moving to production.
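A minimal check of the kind this recommendation calls for, added here as an example and not part of the original article or any vendor product: it walks a constructed CloudFormation fragment (the resource names, account ID and ARNs are made up), pulls every IAM policy document out of the roles and managed policies, and flags Allow statements that use wildcard actions, NotAction/NotResource, or Resource "*" combined with actions that are not read-only.

```python
import json
# Constructed CloudFormation fragment (not from any real vendor template), as in Issue 2.
TEMPLATE = json.loads("""{"Resources": {
  "FirewallRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "FirewallAccess", "PolicyDocument": {"Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/firewall/*"}]}}]}},
  "ConfigReadPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-firewall-config/*"}]}}}}}""")

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]
def _is_read_only(action):
    # Heuristic: Describe*/Get*/List* calls often legitimately require Resource "*".
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)

def check_statements(policy_doc):
    """Return (statement index, reason) for each Allow statement that is too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
        actions = _as_list(stmt.get("Action", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((i, f"wildcard action(s) {wild}"))
        if "*" in _as_list(stmt.get("Resource", [])) and not all(map(_is_read_only, actions)):
            findings.append((i, "Resource '*' combined with non-read-only actions"))
    return findings

def scan_template(template):
    """Map each IAM role/policy logical ID in a CloudFormation template to its findings."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        props, docs = res.get("Properties", {}), []
        if res.get("Type") == "AWS::IAM::Role":
            docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
        elif res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [props["PolicyDocument"]]
        findings = [f for doc in docs for f in check_statements(doc)]
        if findings:
            report[logical_id] = findings
    return report
```

Running `scan_template(TEMPLATE)` reports only `FirewallRole`, whose first statement is flagged twice (wildcard action and wildcard resource), while the scoped `ConfigReadPolicy` passes; a check like this belongs in the pipeline that gates templates before they reach production.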
- Issue 3: Once a threat actor has gained access to the environment, they may try to copy data undetected from a private S3 bucket to another S3 bucket for the purpose of exfiltrating sensitive or protected data.
- Recommendation: Implement a proper alerting system that identifies unauthorized attempts to access information. To protect against exfiltration, organizations should evaluate more advanced prevention techniques, including tokenization or field encryption and data loss prevention solutions, to better identify when sensitive information is being exfiltrated from the environment.
- Issue 4: Incorrect configurations are a common cause of many cloud breaches.
- Recommendation: Adopting a DevSecOps approach is critical to the implementation and management of any cloud service and can help you harden the configurations of the environment, enforce organizational security policies, and reduce the likelihood of vulnerabilities due to misconfigurations.
- Issue 5: The cloud requires a new model for addressing the increased attack surface: examining historical incidents and developing new potential threat scenarios that help organizations focus on risks and threats, not just compliance.
- Recommendation: Organizations should move from a reactive compliance-based security program to a proactive risk-based security program. With cloud-based deployments on the rise and cloud-related security incidents hitting the front page nearly every week, reexamining your approach to risk management in a cloud construct is critical to maturing your security program.
Looking at previous breaches is important, but outlining the art of the possible with real-world hacker tradecraft can allow your organization to get ahead of the curve in avoiding common mistakes.