It is nearly impossible to find a business today that doesn’t have some degree of presence in the cloud. The rise in cloud migration started in the past decade, but the explosion of remote work during the COVID pandemic has expanded the need for business-oriented, cloud-based services. And where there once was a single cloud service, many businesses now have multi-cloud and distributed environments for edge computing power.
Cloud security has been an issue since the beginning. While cloud service providers do everything possible to secure their services, the unfortunate fact is that breaches still frequently occur. However, a deeper dive into these breaches suggests that many of the vulnerabilities arise, not from the service providers themselves but from faulty configurations of those services by the end-users.
In this article, we look at the prevalence of user misconfigurations and the steps users can take to best protect themselves and their cloud environments.
Breaches of cloud services
The statistics regarding breaches of cloud services are stunning. According to a 2021 survey of more than 250 IT professionals, more than half of all businesses have experienced a security incident related to their cloud-based services. And this statistic likely underestimates the actual number of incidents.
Many of the breaches have been high-profile, with well-known names suffering damage to their reputations and business. For example, the largest Asian cloud provider, Alibaba Cloud, suffered a data breach resulting in the leak of over 1.1 billion records related to the company’s TaoBao shopping platform.
U.S.-based cloud providers also have had their fair share of breaches. In early 2021, a misconfiguration of the Microsoft Azure cloud service exposed the confidential information (including source code) of more than a dozen companies that were submitting proposals for partnerships with Microsoft.
A separate breach in late 2020 allowed broad access to more than half a million records that included highly sensitive personal information. While the 2021 incident was due to a misconfiguration by Microsoft itself, most cloud breaches are due to inadequate security efforts by customers.
Consider, for instance, a recent breach involving Amazon’s S3 cloud service. Prestige Software, which provides services to the travel industry, misconfigured its Amazon S3 service. The result was the exposure of ten years worth of data for users of popular travel websites such as Booking.com, Hotels.com, and Expedia.
Perhaps the most publicized breach of Amazon’s cloud services, however, was the 2019 attack on Amazon AWS user Capital One. The breach implicated the personal data of over 100 million customers, including highly sensitive information such as social security numbers, credit card numbers, and credit scores. And the source of the problem? A misconfigured firewall at Capital One.
These are only a few of the major breaches that have taken place in recent years. They should serve as a cautionary tale for users of the primary cloud providers - or any cloud provider. While businesses can and should be able to rely on providers’ security measures, that alone is not enough. Businesses must properly configure their cloud environments as part of a comprehensive internal cybersecurity program.
Avoiding misconfiguration of cloud services
Preventing misconfigurations requires a concerted effort at all stages of usage, from initial contracting through ongoing maintenance and updates. Here are a few steps organizations should take to best secure their cloud services.
Know who has what responsibilities
Issues with cloud service configuration can arise very early during implementation simply because companies do not adequately understand their responsibilities. The split of responsibilities between provider and customer frequently depends on whether the provider is an Infrastructure-as-a-Service (IaaS) or a Software-as-a-Service (SaaS) provider.
IaaS providers (e.g., Amazon AWS, Google Cloud, Microsoft Azure, Alibaba Cloud) typically have shared responsibility paradigms. One of the primary data security protocols for e-commerce businesses, the Payment Card Industry Data Security Standard (PCI-DSS), specifically highlights cloud providers’ and cloud users’ shared responsibility for ensuring PCI compliance in the cloud and protecting consumer financial data.
IaaS clients need to clearly understand the full extent of their responsibilities when using these services. The first step is for all relevant IT and cybersecurity personnel to understand the service agreement. It is also essential to know what tools and support cloud providers offer for configuring services.
In contrast, SaaS providers (e.g., Salesforce, Workday, Square) tend to take on most of the responsibility for security. Nevertheless, IT and cybersecurity professionals should still review the service license agreement to ensure that the organization fulfills any necessary security requirements.
Understand common configuration and security issues
Before entering into an agreement with a cloud service provider, an organization should be aware of the typical security issues that it might face. All cloud service providers provide extensive documentation (e.g., Amazon AWS security documentation), much of which is publicly available on the internet even to those who are not using the services. A quick review of this documentation can provide insight into the complexities and potential pitfalls of configuring cloud services.
Moreover, simple internet searches can also help identify challenges with configuring and using cloud services. In addition to the online documentation, there are frequently both service provider-sponsored and independent support forums dedicated to specific issues for any given cloud service. These forums contain useful information on issues others have experienced and solutions to those issues.
Create configuration templates
The old mantra, “If it ain’t broke, don't fix it," can surprisingly apply even to cloud configurations. Once you have set up effective and secure configurations for existing cloud services, they can be a template for additional future services.
This does not mean that for every additional service you can simply apply an existing configuration. Instead, each new service deserves individual attention. But it does mean you can streamline the configuration process by starting with settings you already know work securely.
Be careful about templates, however, when transitioning from internal systems to cloud services. While similarities may exist, they are still different environments. According to web developer Gary Stevens of Hosting Canada, cloud hosting has been growing in popularity for this reason.
“Cloud hosting has some similarities with a VPS,” says Stevens. “But the key difference is that the server gets distributed over a large number of computers instead of having its dedicated physical address.”
Test and update
Once you have a configuration you believe is secure, you must test it as frequently and rigorously as possible. Testing allows you to identify issues you may have never considered. And to the extent you can automate system testing, so much the better.
You also need to update your configurations to reflect changes in services or your use of those services. Just as old versions of software applications offer hackers prime opportunities to access company networks and systems, outdated configurations create unneeded vulnerabilities.
Business use of the cloud will continue to increase, and with good reason. The cloud offers businesses many efficiencies and features that help them run better day-to-day. With a bit of effort and attention, businesses can ensure that their use of the cloud is a secure experience for both the company and its customers.