Cloud Misconfiguration: The Biggest Cloud Security Risk

Drew Bixby

Cloud misconfiguration is one of the most preventable yet most common security issues facing organizations migrating to the cloud today. It also accounts for the widespread misunderstanding of the security capabilities of modern cloud solutions offered by major cloud providers like Amazon, Google, Microsoft, IBM, and others.

A recent report titled Computing Cloud Review 2018 noted that 86% of organizations cite data breaches and loss as the primary reason they hesitate to adopt the cloud.

An analysis by security firm Threat Stack estimates that 73% of all companies on AWS are suffering from some form of cloud misconfiguration that impacts security.

Consequences of Cloud Misconfiguration

A simple misconfiguration, even a failure to set a single option in a company’s cloud service, can create a major security risk for the organization and its customers. Almost every day, news of a new data breach spreads like wildfire online. Virtually everyone with any kind of digital footprint has fallen victim to having their personal information made public.

In many cases, the information that leaks can have a lasting impact on the affected victims. Identity theft struck a record-breaking 16.7 million people in 2017 alone.

198 million voter records were exposed after conservative data firm Deep Root Analytics left a cloud storage server unsecured.

Patient Home Monitoring, a healthcare services company, left 150,000 patient records, including PDF files and sensitive medical data, open and unsecured on an AWS S3 bucket.

Nice Systems, a contractor for telecom giant Verizon, leaked over 6 million records of Verizon customers and their contact with Verizon customer service.

Alteryx suffered a data leak involving 123 million of the United States’ estimated 126 million households with information including names, addresses, ethnicity, mortgage status, and more. This information was originally in the care of credit reporting agency Experian, as well as the US Census Bureau.

LocalBox, which made headlines for its controversial scraping of publicly-accessible social media data to build detailed profiles of millions of individuals, left 48 million people’s records on a misconfigured storage server.

A Common Issue

Cloud misconfiguration is a matter of human error. In many cases, professionals accustomed to local infrastructure attempt to recreate their local solutions in the cloud, uneducated and unaware of the intricacies of working with a cloud provider’s particular set of features.

A recent report from IBM X-Force found a 424% increase in data breaches brought about by human error. A similar report from security firm Redlock indicated that 53% of organizations operating in the cloud have suffered some form of data exposure resulting from simple misconfiguration.

Common Mistakes

While misconfigurations are a common security issue in the cloud, they don’t all take the same form. There are several common types of misconfigurations that companies make when setting up their cloud network.

Not Utilizing Logging

Knowing when something is amiss on your network is half the battle, and a common issue with enterprises new to cloud services is not taking advantage of their built-in logging features.

Real-time updates, error notifications, and other important information help organizations to not only identify issues as they arise but to better respond to them.

Insufficient Access Restrictions

One of the most common mistakes organizations make when setting up their cloud services is to start wide open and restrict access as they build out their network. This is often the result of an IT department cutting corners so it can set up the network without having to enter credentials and manage logins early on.

The result is a complex, easily misconfigured security situation that is a lot more work than it has to be. Unsecured AWS S3 storage buckets are perhaps the most frequently reported example, allowing anyone with access to a search engine to access, download, and in some cases even write to an organization’s cloud account.

An estimated 4 billion data documents were stolen in 2016. Another 7.8 billion were compromised in 2017. Furthermore, these open services create a backdoor by which hackers with the right information can inject their malicious code deeper into an unaware organization’s cloud network.

This is how cryptojacking, or the hijacking of an organization’s cloud resources to mine cryptocurrency, often occurs. This type of attack recently affected the LA Times, as malicious parties inserted a modified browser-based cryptocurrency mining script to force visitors of its interactive Homicide Report to utilize their CPU cycles to mine digital currency for them.

Mismanaged Permissions Controls

Managing permissions and roles across your cloud network is an essential step to maintaining security controls. Giving the same widespread access to your network to individuals that only need limited permissions to perform their jobs creates a weak link in your organization’s overall security.

The best rule of thumb is to give every role zero permissions to start, then add them on an as-needed basis.
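As an added illustration of that rule (not code from the original article), the sketch below lints AWS IAM policy documents for grants wider than a single task needs and compares a "start wide open" policy with one built up as needed. It assumes AWS IAM policy JSON; the policies, Sids and bucket name are constructed for the example.

```python
def as_list(value):
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return (Sid, reason) pairs for Allow statements wider than one task needs."""
    issues = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            issues.append((sid, "NotAction allows everything not listed"))
        for action in as_list(stmt.get("Action", [])):
            # "*" is every API call; "service:*" is every call in one service.
            if action == "*" or action.endswith(":*"):
                issues.append((sid, "wildcard action " + action))
        if "*" in as_list(stmt.get("Resource", [])):
            issues.append((sid, "applies to every resource"))
    return issues

# Constructed policies; the bucket name and Sids are hypothetical.
START_WIDE_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}
ADDED_AS_NEEDED = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadReports", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-reports",
                                "arn:aws:s3:::example-reports/*"]}],
}

if __name__ == "__main__":
    for name, doc in (("wide open", START_WIDE_OPEN), ("as needed", ADDED_AS_NEEDED)):
        print(name, broad_grants(doc))
```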

Failure to Audit Resources

In the case of FedEx’s recent breach, which exposed over 150,000 scanned documents including passports and driver’s licenses, the data and the storage bucket that exposed it were already exposed before FedEx purchased the originating company. Once FedEx took control of the assets, the storage bucket fell through the cracks and was left unsecured for several years.

Regular audits of local and cloud assets should be made, including a thorough evaluation of access settings, permissions, etc.
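A minimal version of such an audit for S3, covering the open-bucket and logging mistakes described above, is sketched here as an added example that is not part of the original article. It assumes each bucket's settings have been exported in the shape the S3 API returns (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock, GetBucketLogging); the inventory and bucket names are constructed.

```python
# Prefix of the group URIs S3 ACLs use for "everyone" / "any authenticated AWS user".
ACL_GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACL_GROUP + "AllUsers", ACL_GROUP + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(cfg):
    """Return sorted findings for one bucket's exported settings."""
    findings = []
    for grant in cfg.get("acl", {}).get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("public-acl:" + grant["Permission"])
    for stmt in as_list(cfg.get("policy", {}).get("Statement", [])):
        who = stmt.get("Principal")
        anyone = who == "*" or (isinstance(who, dict) and "*" in as_list(who.get("AWS", [])))
        # Unconditional Allow to everyone; conditioned ones need manual review.
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            findings.append("public-policy:" + ",".join(as_list(stmt.get("Action", "?"))))
    pab = cfg.get("public_access_block", {})
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        findings.append("public-access-block-incomplete")
    if "LoggingEnabled" not in cfg.get("logging", {}):
        findings.append("access-logging-disabled")
    return sorted(findings)

# Constructed inventory; bucket names are hypothetical.
INVENTORY = {
    "acquired-co-scans": {   # inherited bucket nobody reviewed
        "acl": {"Grants": [{"Permission": "READ",
                "Grantee": {"Type": "Group", "URI": ACL_GROUP + "AllUsers"}}]},
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action":
                   "s3:GetObject", "Resource": "arn:aws:s3:::acquired-co-scans/*"}]},
        "public_access_block": {}, "logging": {},
    },
    "billing-exports": {     # locked down, access logs shipped elsewhere
        "acl": {"Grants": []}, "policy": {},
        "public_access_block": dict.fromkeys(PAB_FLAGS, True),
        "logging": {"LoggingEnabled": {"TargetBucket": "audit-logs", "TargetPrefix": "billing/"}},
    },
}

def audit_inventory(inventory):
    """Map bucket name -> findings, omitting buckets with none."""
    report = {name: audit_bucket(cfg) for name, cfg in inventory.items()}
    return {name: found for name, found in report.items() if found}

print(audit_inventory(INVENTORY))
```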

The Advantage of Experience

Misconfigurations are a major contributor to breaches and other security flaws in the cloud. In most of these cases, the difference between a massive data breach and a secured cloud server comes down to knowing where to look and which options to turn on.

An experienced cloud broker or consultant can not only save your organization from the embarrassment of a security breach, but can save you a lot of money as well. The average cost per leaked customer record is $141. That cost increases to $380 for medical data.

The cloud can be a rock solid, secure alternative to going it alone. The tools are available on all of the major cloud providers. It’s up to the organization to take advantage of them.