In this era of digital transformation, most enterprises are running at least some of their workloads in the cloud and planning to migrate most applications and services to the cloud in the years to come. There’s no doubt that the cloud is a smarter model for IT procurement; however, as organisations accelerate their move to the cloud, they should be aware of the risks of cloud misconfiguration.
What is cloud misconfiguration?
Cloud misconfiguration refers to improper implementation of cloud services that exposes the business to performance, security, or general reliability concerns. Cyber-criminals may use these vulnerabilities to compromise sensitive data or launch cyber-attacks that disrupt critical enterprise computing services.
The National Security Agency in the US names cloud misconfiguration as one of the most widespread cloud security and networking vulnerabilities. Furthermore, Gartner predicts that up to 2025, nearly all (99%+) of cloud breaches will be traced back to preventable misconfigurations or mistakes by end-users. According to Trend Micro, largely avoidable cloud misconfiguration issues were behind many of the massive breaches we have seen in recent years.
What mistakes are companies making in cloud configuration?
As businesses strive to accelerate cloud migration and simplify IT, they are at risk of making a range of errors in configuring cloud resources and services. These include overly permissive access to networks and insufficient access controls on resources such as storage, virtual machines, and hosts. For example, some companies allow unrestricted inbound and outbound ports or enable FTP on cloud hosts, opening holes for bad actors to exploit.
In other cases, erroneous storage access settings leave sensitive data exposed to the public internet. Another common error is to disable monitoring and logging rather than leveraging the data and logs most public cloud providers make available to their customers. These errors are compounded by the reality that most organisations do not put cutting-edge tools and processes in place to detect, prevent and rectify cloud misconfiguration.
Why does it happen?
Cloud misconfiguration occurs even in knowledgeable IT departments with cutting-edge security and DevOps practices for the simple reason that cloud environments in large businesses are highly complex. Most organisations are running hybrid and multi-cloud setups, drawing on services from multiple providers that do not offer standardised toolsets and ways of doing things. Given the speed at which we needed to innovate during the pandemic, it’s also not surprising that many companies may have made configuration errors in their haste to get cloud-based remote working and digital commerce solutions up and running.
Cloud security and networking is a shared responsibility
The AWS shared responsibility model makes it clear that compliance and security are not the sole responsibility of the vendor or cloud security provider—this responsibility is shared with the enterprise customer. The good news is that smarter IT departments have the power to curtail cloud misconfigurations. Here are some tips:
- Standardise where possible—using templates and standard components can help to avoid misconfigurations that result from using custom infrastructure for each deployment.
- Document every change—documenting configurations can help companies to troubleshoot if something goes wrong.
- Test and audit—cloud misconfiguration isn’t a one-time issue. Companies need to keep checking that their configurations remain secure and that there are no vulnerabilities they overlooked.
- Align DevOps and cloud security and networking—bake security into development from the outset.
- Implement zero trust—make sure only the right people have access to your important cloud assets and their configuration data.
- Make use of the tools that the cloud service providers offer—leverage logging, monitoring, and access restriction solutions on each cloud platform.
- Upskill teams—ensure developers and others who work with cloud resources understand how to validate configurations and detect breaches that may result from misconfigurations.
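As an added illustration of the "test and audit" tip (example code, not from the original article or any vendor tool), the sketch below checks a resource inventory for the errors described earlier: unrestricted inbound or outbound ports, FTP enabled on hosts, publicly readable storage, and disabled logging. The inventory format, field names and resource IDs are hypothetical and constructed for this example; a real audit would populate them from each provider's configuration export.

```python
import ipaddress

# Constructed sample inventory in a hypothetical provider-neutral format
# (an assumption for this example, not any real cloud provider's schema).
INVENTORY = [
    {"id": "sg-web", "type": "firewall", "rules": [
        {"direction": "inbound", "cidr": "0.0.0.0/0", "ports": "443"},
        {"direction": "inbound", "cidr": "0.0.0.0/0", "ports": "0-65535"},
        {"direction": "outbound", "cidr": "0.0.0.0/0", "ports": "0-65535"}]},
    {"id": "sg-legacy", "type": "firewall", "rules": [
        {"direction": "inbound", "cidr": "203.0.113.0/24", "ports": "20-21"}]},
    {"id": "bucket-reports", "type": "storage", "public_read": True, "access_logging": False},
    {"id": "bucket-internal", "type": "storage", "public_read": False, "access_logging": True},
    {"id": "account-prod", "type": "account", "audit_logging": False},
]

def port_range(spec):
    """Parse '443' or '20-21' into an inclusive (low, high) tuple."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(inventory):
    """Return (resource_id, finding) tuples for the misconfigurations above."""
    findings = []
    for res in inventory:
        rid, kind = res["id"], res["type"]
        if kind == "firewall":
            for rule in res["rules"]:
                lo, hi = port_range(rule["ports"])
                if is_world(rule["cidr"]) and lo <= 1 and hi >= 65535:
                    findings.append((rid, "unrestricted-" + rule["direction"]))
                elif rule["direction"] == "inbound" and lo <= 21 <= hi:
                    findings.append((rid, "ftp-enabled"))  # FTP control port reachable
        elif kind == "storage":
            if res.get("public_read", False):
                findings.append((rid, "public-storage"))
            if not res.get("access_logging", False):  # missing field counts as disabled
                findings.append((rid, "logging-disabled"))
        elif kind == "account" and not res.get("audit_logging", False):
            findings.append((rid, "logging-disabled"))
    return findings

if __name__ == "__main__":
    for rid, finding in audit(INVENTORY):
        print(f"{rid}: {finding}")
```

Running a check like this on a schedule, and in the deployment pipeline before changes go live, turns the audit into a repeatable control rather than a one-off review.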