When you look at breach statistics in today’s cloud-dominated IT world, you can see several examples where a small error made by the DevOps or CloudOps team has led to a tremendous impact on businesses’ reputations or, in some cases, their existence. Misconfigured AWS S3 buckets, poor password management on publicly exposed databases and secrets inadvertently exposed by developers on GitHub are some examples of these mishaps. It is not uncommon to see misconfigurations and unpatched vulnerabilities pave the way for attackers.
For example, during one of IBM X- Force’s AWS cloud penetration testing engagements, researchers exploited a server-side request forgery vulnerability in a web application under development, which allowed them to access the EC2 instance metadata service and steal the access keys used by the webserver EC2 instance. The CloudOps team had inadvertently provided full access to an S3 bucket via this instance profile, effectively allowing researchers full access to the sensitive information stored in that bucket.
Since the cloud’s inception, solutions offered by cloud service providers (CSPs) have enabled businesses to innovate faster and minimize the time it takes to develop and deploy production applications, but this process is associated with an additional element of security risk. CSPs may be responsible for securing their cloud platforms, but businesses are responsible for securing the data in those platforms, which can be a challenging task.
The Struggles of Cloud Adoption
When cloud adoption first began, many companies started their cloud journey by using the Infrastructure-as-a-Service offerings from CSPs, the upside being that they were happy with the level of control they had over the infrastructure. With time, adopters began realizing that maintaining their cloud infrastructure was getting too complex and time-consuming, which led to a shift to Platform-as-a-Service (PaaS) offerings. Along the way, CSPs enhanced their PaaS offerings to make them more reliable, feature-rich and simpler to operate and integrate with and, therefore, more attractive to their customers.
But by using a PaaS offering, businesses have not outsourced the responsibility to secure their data to the CSP. Companies’ CloudOps and DevOps teams are responsible for configuring all elements of any cloud service securely so they avoid exposing their company’s data to threats. And that’s where businesses are struggling today.
Companies are asking questions like: “Have I configured the security tools provided by my CSP correctly?” “Do I have any gaps in my identity and access management processes?” “Are my cloud-based storage containers configured properly so that only legitimate access is allowed?” “Am I properly integrating security into my continuous integration/continuous delivery pipelines?” These questions can be difficult to answer if security best practices are not included in every step of the development life cycle.
In addition, skilled professionals who have knowledge across CSPs are hard to find and retain, which presents challenges to properly running, securing and maintaining critical cloud assets. During the past year, we have seen attackers targeting supply chains, which are out of businesses’ direct control. Many businesses struggle to keep up with visibility into who is accessing their cloud infrastructure, what kinds of permissions users have and what misconfigurations exist in their cloud environment.
Cloud Operations: Threats and Trends
While it is easy to understand the benefits of cloud computing adoption, understanding and addressing the threats associated with today’s hybrid multicloud deployments are not easy.
Attackers find entry points into the cloud infrastructure by using a variety of tactics, ranging from credentials hunting (such as scanning for accidentally exposed credentials in code hosting platforms, phishing and social engineering) to exploiting vulnerabilities and misconfigurations found in public-facing cloud-based assets (web applications, storage, etc.) to pivoting from on-premises victims to the cloud infrastructure.
Developers can also be lucrative targets. For them, the public cloud is the perfect platform since it provides all the tools they need to write/run/debug code, collaborate with other developers and act as the centralized platform for code testing and deployment to production. Developers, however, frequently work under pressure to move their code quickly to production. When this happens, they are prone to errors and sometimes overlook security. For example, the lack of proper handling of secrets (application programming interface keys, passwords, certificates, etc.) can lead to a production database administration password exposure, which can mean ‘game over’ for many companies. CloudOps administrators may use overprivileged users or roles as a ‘temporary’ or ‘quick’ test, but they often forget to enforce the principle of least privilege after successful testing, thus enabling a privilege abuse and data leakage scenario.
These types of things are exactly what attackers are looking for, and once they have compromised the cloud asset, they are free to take the next step towards their end goal (data manipulation, exfiltration, etc.).
Securing the Cloud: Recommendations
When it comes to cloud security, IBM Security X-Force believes businesses should focus on three elements:
- Invest in developing a security mindset for your DevOps process. ‘Start left’ rather than ‘shift left’. Testing your code for security flaws early in the development life cycle (shift left) should be combined with writing secure code (start left). Developers should also go through security awareness training so that they understand the signs of a social engineering ruse. In serverless environments, developers are the new target.
- Leverage cloud-native security tools (CSP provided and commercial-off-the-shelf) for enhancing your threat detection and response capabilities.
- Perform regular cloud security assessments (configuration reviews and penetration tests), which will show you the likelihood of attackers being able to break into your cloud environment and reveal how they would exploit any discovered weaknesses. The assessments should conclude with prioritized recommendations for you to implement so that you can reduce your risk of a compromise and build best security practices into your cloud workloads, people and overall infrastructure.
Learn more about the X-Force Red cloud testing services here.