Security incidents involving cloud infrastructure have become a regular occurrence since many organizations began shifting their assets to the cloud. Many of these incidents happen because of misconfiguration.
“Cloud misconfiguration is a pervasive issue for a variety of reasons,” says Phillip Merrick, CEO of Fugue.
“Development teams might provision cloud infrastructure that contains compliance violations or security vulnerabilities because they either lack sufficient training or there’s a lack of proper controls to ensure compliance up front. And once infrastructure is running, changes can result in configuration drift, which puts data at risk and can lead to system downtime events.”
But even with proper training and controls, humans will always make mistakes, he told Help Net Security.
“There are simply too many cloud resources, too many interfaces to cloud APIs, and too much infrastructure change for any team of humans to manage without risking a breach due to misconfiguration.”
Companies that have decided to use cloud services must recognize and accept that while the provider is responsible for the security of the cloud itself, the configuration of their cloud infrastructure is their responsibility.
Fugue’s recent report on the issue has found that the most common misconfiguration events include permission control (65 percent), Security Group rules (59 percent), object storage access policies (51 percent), and encryption in transit disabled (42 percent). All of these typically occur due to human error and all can result in critical data breaches.
“Security has traditionally focused more on perimeter defense and endpoint security. With cloud, you effectively have no perimeter. Your infrastructure teams are building and changing cloud resource configurations at a pace that was unheard of in the datacenter,” he explains the source of the problem, which is massive and affects every enterprise-level organization using the cloud.
“Our survey found that 93 percent of IT and security professionals said they are concerned that their organization is at risk of a major security breach due to misconfiguration. Further, 27 percent reported that their organization had already suffered a critical security breach due to misconfiguration, and 79 percent say critical misconfiguration events are still being missed.”
Advice for CISOs
The threats to cloud infrastructure are automated, so automated remediation is a requirement to effectively manage misconfiguration risk.
His advice to CISOs is to set up a team that includes developers who understand cloud APIs and can automate every repetitive aspect of cloud security, starting with cloud configuration.
“In order to be effective, the CISO needs to view their security team as an internal tool vendor in the cloud ecosystem. Development teams need support from security to move quickly, but also require good guard rails and feedback for how to do cloud securely,” he opines.
“This security automation team led by the CISO needs to work closely with development teams to establish known-good configuration baselines using a whitelist approach that conforms with compliance and security policy. Once you have a known-good baseline, you can automate the remediation process for misconfiguration without running the risk of false positives leading to bad changes that can cause system downtime events.”