



Cloud security configuration errors put data at risk; new tools can help

Jan 29, 2018

For companies that run entirely in the cloud, the entire business can be at risk. That has some looking for help with monitoring and verifying cloud security configuration.


Last fall, a security researcher discovered four Amazon S3 storage buckets with highly sensitive data such as client credentials and a backup database containing 40,000 passwords. Accenture had accidentally set the buckets to allow public access, and all the information was fully exposed. The researcher notified Accenture, and Accenture locked down the data the next day.

Accenture wasn’t alone. Other companies that left their Amazon S3 buckets open to the public included Dow Jones, Verizon, and military intelligence agency INSCOM. The flood of the bad news continued.

In November, Uber disclosed that hackers got their hands on personal information on 57 million users, also stored on Amazon Web Services (AWS), then paid off the hackers and tried to conceal the breach. Then, last month, an Experian client purchased a data set containing information about 120 million US households — and also left the data exposed in a public Amazon S3 bucket.

According to a recent report by RedLock, 53 percent of organizations that use cloud storage services like Amazon S3 have accidentally exposed at least one such service to the public. “We found 250 organizations leaking credentials to their cloud AWS environments,” says Varun Badhwar, CEO and co-founder at RedLock, Inc.

The problem of misconfigured cloud services is much bigger than just AWS, and, as more data and applications move to the cloud, is only getting worse, experts say. When RedLock analyzed more than 5 million resources in customer environments, as well as vulnerabilities in public cloud computing environments, it found that 37 percent of databases were accepting inbound connections directly from the internet — and 7 percent of these databases were already being accessed from suspicious IP addresses. “Databases should never be exposed to the internet,” RedLock reported.
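The exposure RedLock describes, a database that accepts inbound connections straight from the internet, is usually the product of a security group rule that opens a database port to 0.0.0.0/0 or ::/0. The following is an added example, not code from the article or from any vendor it names; it flags such rules in security group records shaped like the IpPermissions entries EC2 returns for describe_security_groups. The group and rule data are constructed inline so the check runs offline, and the DB_PORTS table and group IDs are assumptions for illustration.

```python
"""Flag security group rules that expose common database ports to the internet.

Added example (not from the article). Input records mirror the IpPermissions
shape of EC2 describe_security_groups() output; all data below is constructed.
"""

# Well-known database listener ports (assumed list for illustration).
DB_PORTS = {
    3306: "mysql",
    5432: "postgresql",
    1433: "mssql",
    27017: "mongodb",
    6379: "redis",
    9200: "elasticsearch",
}

# Source ranges that mean "the whole internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _db_ports_covered(rule):
    """Return the DB ports a single ingress rule admits traffic to."""
    if rule.get("IpProtocol") == "-1":  # "-1" is EC2's "all traffic" protocol
        return set(DB_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {port for port in DB_PORTS if lo <= port <= hi}


def _internet_sources(rule):
    """Return the CIDRs in the rule that cover the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def internet_exposed_db_rules(group):
    """Return one finding per (DB port, rule) pair reachable from the internet."""
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = _internet_sources(rule)
        if not sources:
            continue
        for port in sorted(_db_ports_covered(rule)):
            findings.append({
                "group": group["GroupId"],
                "port": port,
                "service": DB_PORTS[port],
                "sources": sources,
            })
    return findings


def scan(groups):
    """Scan a list of security groups and collect all findings."""
    results = []
    for group in groups:
        results.extend(internet_exposed_db_rules(group))
    return results


# Constructed sample: one exposed PostgreSQL port, one properly scoped MySQL
# rule, and one "all traffic from anywhere" rule over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-exposed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_GROUPS):
        print(f"{finding['group']}: {finding['service']} ({finding['port']}) "
              f"open to {', '.join(finding['sources'])}")
```

The check deliberately treats an "all traffic" rule as covering every database port, and it ignores rules whose sources are private ranges or other security groups; a real deployment would also want to confirm that an instance in the flagged group actually has a public IP, since a group alone does not make a host reachable.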

It’s not just databases. Configuration errors can also allow hackers to use enterprise cloud accounts to set up Bitcoin mining operations. Aviva and Gemalto were among the companies hit, according to RedLock research. It’s already a big problem today, Badhwar says. “In 2018, we’re going to see a lot more of this.”

For companies that run entirely in the cloud, the entire business can be at risk. That has some looking for help with monitoring and verifying cloud security configuration. “Resource misconfiguration is a serious threat, especially given the size of our public cloud computing footprint,” says David Tsao, global information security officer at Veeva Systems, Inc., which offers a cloud-based content management system for the life sciences industry. The cloud-based business model is a “huge factor” in the company’s success, he says. The company needed a way to continuously monitor its entire cloud environment, including the resource configurations.

Veeva decided to go with RedLock, which is one of the new crop of cloud security management startups. In fact, RedLock only came out of stealth last spring. The platform allows Veeva to quickly spot issues in its cloud environment, Tsao says, “and provide improved visibility on its security posture.”

Why do cloud security configuration problems exist?

In traditional, on-premises environments, things moved more slowly. Companies had time to configure their networks and to do security reviews of new software. At the end of the day, the most sensitive information was hidden away behind corporate firewalls.

In today’s cloud and hybrid environments, many of those safety controls no longer apply. We are seeing the results of that. “Configuration errors account for a vast majority of data exposures and breaches in the cloud today,” says Zohar Alon, CEO at Dome9 Security Ltd.

The problems with improperly configured access controls show up everywhere. Take, for example, the open source Kubernetes platform, which helps companies use containers. That’s how hackers were able to take over Aviva and Gemalto’s Amazon servers and use them for Bitcoin mining last fall. “It’s the de facto standard for container management,” says RedLock’s Badhwar. “We found dozens that were exposed, with no logins or passwords.”

Some services are misconfigured from the start. Sometimes, the settings are changed temporarily, then never changed back. The people responsible for configuration come and go.

Too often, customers expect the cloud providers to take care of all the security issues, and don’t have any systems in place to ensure that cloud services are correctly locked down. “It’s really a shared responsibility,” Badhwar says, “but it’s still very early days and most organizations still don’t have their arms fully around it.”

The issue is exacerbated by the wide variety of ways in which cloud services are now being used. Developers create virtual servers and containers to quickly roll out applications and store data. Business units sign up for services on their own, and so do individual users.

Traditional approaches to configuration management that worked for on-premises data centers don’t apply to cloud services, experts say. Cloud platforms typically have their own systems for monitoring configuration changes.

AWS, for example, has AWS CloudTrail and AWS Config, says Tim Jefferson, VP of public cloud at Barracuda Networks, Inc. Microsoft’s Azure cloud platform has the Operations Management Suite. Other popular SaaS cloud providers have no centralized management tools in place, leaving individual users responsible for their own security and sharing settings.

Meanwhile, cloud services are deployed much faster than traditional on-premises applications, says Andrew Howard, CTO at Kudelski Security. “All kinds of sensitive data is out there and who knows if it’s properly configured,” he says. “If I was a security officer at a major enterprise, this would be one of my top worries. This is not how you want to be breached.”

Even the basics, knowing where company data is being stored, accessed, or shared, is a problem. Howard recommends that enterprises use cloud access security brokers to track access to cloud services.

New cloud security configuration management and verification tools

Too often the configuration management must be done manually. “The tools aren’t quite there yet to do that kind of hygiene,” he says. “That leads to a lot of organizations home-brewing solutions or using solutions that don’t quite scratch the itch. There are solutions just coming to market, but the adoption is just not there yet.”

For example, this past fall, Veriflow expanded its network verification platform to AWS, including the S3 storage buckets. The platform automatically figures out the intent behind configuration settings and then checks to see if those settings are still correct.

That can sometimes be hard to figure out, because of complexity, or because the person who initially set it up has left the company, says Brighten Godfrey, cofounder and CTO at Veriflow Systems, Inc.

Today, it’s read-only. The system collects information about configuration settings, and sends up alerts, but doesn’t automatically go in and fix problems. “In the future, that scope may expand,” says Godfrey.

Another security vendor that has been expanding its support for clouds is FireMon, which launched a policy automation product for AWS in November. In addition to monitoring security settings, the FireMon platform can make changes from a single console, allowing for faster changes with less human error. “This capability is used by thousands of FireMon customers to implement the right security controls, policies, and rules,” says Josh Mayfield, director at FireMon.

For example, if there’s a surge in usage and a company has to bring up a lot of new servers quickly, security isn’t sacrificed in the process. “And you can avoid the mistakes that come from human error,” he added.

One of the vendors that’s been offering cloud protection services for a couple of years is Evident. The company has supported AWS since 2014, adding support for AWS GovCloud last summer and support for Microsoft Azure in September.

Tim Prendergast, the company’s CEO, is very familiar with the challenges that clouds pose. At the start of this decade, he was a senior cloud architect at Adobe Systems. When the company did most of its work in a physical data center, there was a team of smart people who physically wired everything and took care of ensuring proper configurations, he says.

“As we moved to the cloud, the product team took over everything and the challenge with that was that they had never done the job before,” Prendergast says. “They were new to configuring networks. They want to get that part out of the way because they really want to go build software, and they have pressure to deliver their products to market in a reasonable time frame. They don’t have the time to learn how to properly configure their cloud infrastructure and services.”

So, they take shortcuts, Prendergast says. “You have a lot of configuration and protections settings,” he says. “Some companies are creating billions of these. No company can have a human being sit down and go through them all.”

Evident’s platform monitors cloud infrastructure, including AWS buckets. It can take action, starting at the simple alert level. “We can show it to a human,” he says. “Or we can start the remediation process, opening a ticket or paging a person, or we can trigger an automated response.”

For example, if certain Amazon buckets should never be open to the public, the system can look for changes. If the bucket is ever set to public, it’s automatically changed back to private. “You’re not able to expose your data because the system is forcing it back to a correct stage,” he says.
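The detect-and-revert loop Prendergast describes depends on deciding, from a bucket's ACL and bucket policy, whether it is public, and on knowing what the private state to reset it to looks like. The following is an added example, not code from the article or from Evident or any other vendor named here; it performs that decision and computes the remediation offline. The ACL and policy inputs are shaped like what boto3's get_bucket_acl and get_bucket_policy return, but the bucket name, owner ID and policy here are constructed, and the functions and their names are assumptions for illustration.

```python
"""Decide whether an S3 bucket is public from its ACL and bucket policy, and
compute the private configuration it should be reset to.

Added example (not from the article or any vendor it names). Inputs mirror
the shapes of boto3 get_bucket_acl()/get_bucket_policy(); data is constructed.
"""
import json

# Canonical S3 group URIs: AllUsers is anonymous access, AuthenticatedUsers is
# any AWS account holder, which is public for practical purposes.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return the ACL grants that hand access to a public group."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    ]


def _principal_is_anyone(principal):
    """True for the wildcard principal in either of its IAM spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose Principal is the wildcard.

    Conditions are not evaluated, so a conditioned wildcard statement is
    still flagged: the check errs toward reporting, not toward silence.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
    ]


def private_acl(acl):
    """Owner-only ACL, equivalent to the 'private' canned ACL."""
    owner = acl["Owner"]
    return {
        "Owner": owner,
        "Grants": [{
            "Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
            "Permission": "FULL_CONTROL",
        }],
    }


def evaluate_bucket(name, acl, policy_json=None):
    """Return a finding with the public grants/statements and the fix to apply."""
    grants = public_acl_grants(acl)
    statements = public_policy_statements(policy_json)
    return {
        "bucket": name,
        "public": bool(grants or statements),
        "public_grants": grants,
        "public_statements": statements,
        "remediation": {
            "acl": private_acl(acl) if grants else None,
            "remove_statements": [s.get("Sid") for s in statements],
        },
    }


# Constructed sample: owner has full control, AllUsers has READ, and the
# bucket policy allows anonymous GetObject.
SAMPLE_OWNER_ID = "constructed-owner-canonical-id"
SAMPLE_ACL = {
    "Owner": {"ID": SAMPLE_OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": SAMPLE_OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::constructed-bucket/*"}],
})

if __name__ == "__main__":
    print(json.dumps(evaluate_bucket("constructed-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

In a live loop the `acl` in the remediation is what would be written back with put_bucket_acl, and the listed statement Sids are what would be dropped from the policy; the evaluation itself stays side-effect free so it can run in alert-only mode first, the read-only posture Veriflow describes above, before any automatic reversal is switched on.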

Is it up to the vendors to solve this problem?

Amazon has taken steps to make it easier for clients to notice that buckets were unprotected and made it easier to protect data with encryption. Most vendors, especially those serving enterprise customers, have strong security capabilities, but it’s up to the customers to use them.

Too often, companies set up their cloud services and then just let them run, says Neil Weitzel, director of security research at Cygilant. “It seems like green pastures from then on,” he says, “but the actuality is that running something in the cloud is just as much overhead in terms of personnel as running your own data center. You are still administering infrastructure.”

It’s important to understand how much of the security is being handled by the cloud provider, and how much is the customer’s responsibility, says Tim Erlin, VP of product management and strategy at Tripwire, Inc. “For example, the secure configuration of the services and applications being used on top of vendor-provided services is generally the responsibility of users, not the vendor,” he says.

When cloud vendors make it easy to set up the security, that ease of use is a double-edged sword, Erlin added. “In doing so, they’ve also made it easy to inadvertently expose an environment’s data,” he says.

According to Gartner, through 2020, 95 percent of cloud security failures will be the customer’s fault. “No, vendors aren’t dropping the ball,” says Ali Din, CMO at DinCloud. “For big providers, their aim is growth and to serve every customer use case.”

That means they have to put a control and lever for every imaginable setting and configuration choice, Din says. “This leads to complexity. If you merely look at the drop-down of services AWS has on its website, it is overwhelming.”

Din recommends that companies slow down a bit and make sure that their staff has the training they need to properly deploy and manage cloud services, and that they look for tools that can help provide a comprehensive view of their cloud deployments.

“I think it is a solvable problem,” says Mike Fleck, VP of security at Covata, a file sharing platform. There’s no quick fix, he adds. “Are you just going to go and buy something off the shelf and all your problems are solved? No, people are going to have to make investments in making things work in their environment, and it’s not getting easier.”