Ending cyber risk – 3 common cloud misconfigurations

One way or another, cloud infrastructure has firmly become a crucial component for almost all organisations, as public cloud spending is expected to continue to skyrocket over the next five years. As with any organisation-wide adoption program, cloud infrastructure initiatives require extensive planning to embrace and expand the scope successfully and securely. Lack of planning for cloud infrastructure initiatives can create complexities and risks, ultimately opening up the doors for adversaries to infiltrate organisations’ attack surfaces.

The most common complexity in this realm is the issue of misconfiguration and misunderstanding the difference between default settings and security best practices. Misconfiguration has been at the root of some of the industry’s largest breaches, including Marriott’s second breach in 2020. From shared responsibility to mismanaged default settings, root causes of cloud misconfiguration add up to a large portion of cyber risk. The good news is that there are a few critical areas of focus that can set an organisation up for success.

Identify and Verify All Users

Within the cloud, security and verification lines are blurry regarding people, devices, and applications. Security professionals must enforce identification and verification of any entity accessing the organisation’s cloud network, even if the ‘identity’ appears to come from a trusted source. If an attacker can gain access to a verified digital identity or an area of infrastructure that is implicitly trusted with no further checks, they can extract the company data unnoticed and undetected for an extended period of time.

That is why Identity and Access Management (IAM) is one of the most critical and complex architectures within the major three cloud service providers (CSPs). IAM controls who has access to specific resources, isolating privilege to those on a need-to-know basis, and includes organisational policies that grant access and technologies by role.

It’s critical that the proper policies are adopted in tandem with IAM implementation; if IAM is mishandled, an organisation could suffer the consequences of unsecured credentials and ubiquitous access across roles.

Beware of Security Group Defaults

Cloud security groups act as a control and enforcement point for your traditional IT environment. They control ingress (inbound) and egress (outbound) traffic based on rules, and respond accordingly, notifying security and IT teams of suspicious activity, nefarious or otherwise. Unfortunately, security and IT professionals can be overwhelmed with alerts, notifications, and requests, and this fosters a culture of speed vs. Quality. Teams may create two or three security groups, and repeatedly use them for different purposes across the entire infrastructure.

While it may sound efficient, this is akin to giving your user account Domain Admin and is a frequently leveraged misconfiguration. It can leave open opportunities for attackers and increase your attack surface, because by default, all major CSPs block all inbound traffic, and allow all outbound traffic. Organisations who span multiple CSPs are most at cyber risk here because there is little common configuration across CSPs leaving organisations to customise each platform accordingly to ensure secure applications across all cloud infrastructure.

Define ‘Authenticated’ Users and Log Accordingly

The term ‘authenticated user’ can be misleading when discussing the cloud. It’s a valid assumption to think this term strictly applies to those already authenticated within your organisation. Unfortunately, that’s not accurate when managing the mainstream CSPs.

Anyone with the privilege of ‘authenticated user’ can access your cloud, inside and outside your organisation. It’s critical that unauthorised access is prevented by fostering great understanding of user accessibility and planning accordingly.

Although it seems tedious, it’s increasingly important to manage and track the numerous users making changes to cloud infrastructure. Logs can be the key to identifying suspicious activity, and remediating a security situation.

In a landscape rife with external threats, there’s no room for compromise on basic cloud hygiene. What can begin as a mistake in default settings can end in a very expensive crisis for business leaders, employees, and customers. By prioritising a clear focus on cloud hygiene and regular security reviews, businesses can embark on a strategic cloud path which supports the mission of ending the cyber risk.

Ian McShane has over 20 years of experience in cybersecurity and operational IT. As a former Gartner analyst, he has advised the largest and fastest growing technology companies in the world as well as tens of thousands of organisations worldwide. McShane is well known as a trusted advisor and popular commentator in our industry, and prior to joining Arctic Wolf he spent time at Symantec, Gartner, Endgame, Elastic, and CrowdStrike.