Managing Cloud Misconfigurations Risks

Written by Ashwin Chaudhary, CEO, Accedere.

Entities worldwide are rapidly migrating their business, services, and IT operations to the Cloud environment. Most entities across the globe have migrated their owned or on-premises data centers to IaaS as it offers direct access to its cloud servers and storage to its customers. Many others have moved their platforms to PaaS and applications to SaaS.

Cloud Services Providers (CSPs) like AWS, Azure, and GCP offer shared security responsibility. When entities migrate to the cloud, there is a high likelihood of data security problems, including workload challenges and cybersecurity risks. When moving to cloud-native systems, mistakes can unintentionally result in cybersecurity flaws.

Misconfiguration is a real-time critical cloud computing risk and is regarded as a top cloud risk by Cloud Security Alliance and others. According to McAfee's study on enterprise security, the average business experiences about 3,500 events every month and 90% of firms confirm that they had encountered security issues.

Optimizing your cloud configuration settings while migrating and reviewing them periodically can effectively reduce potential cloud security risks and can accelerate your digital transformation.

Cloud Misconfiguration: A Major Security Threat

Cloud misconfiguration indicates any bugs, gaps, or errors that could expose your environment to risk during cloud adoption, migration, and setup. The misconfigurations can lead to cyber-threats that come in the form of security breaches, external hackers, ransomware, malware, or insider threats that exploit vulnerabilities or misconfigurations to access your network.

Misconfiguration is a concern in cloud computing

due to the complexity of multi-cloud settings and the difficulty of manually identifying and correcting errors. It occurs when settings, permissions, or access controls are not properly configured or are left at default values, which can expose sensitive information, grant excessive privileges, or create unintended security gaps. Misconfigurations can lead to unauthorized access, data breaches, service disruptions, or other security incidents.

Inadequate change control is insufficient processes or controls for managing changes to systems, applications, or infrastructure. Change control is a systematic approach to managing and tracking modifications made to an environment, including software updates, configuration changes, patches, or system upgrades. Without proper change control, organizations risk introducing unintended consequences, such as introducing vulnerabilities, breaking functionality, or disrupting services. It becomes challenging to maintain a secure and stable environment without a structured change management process.

According to a Gartner survey, misconfiguration-related issues cause 80% of all data security breaches, and also until 2025, up to 99% of cloud environment failures will be attributed to human errors.

The mitigation of the risk of cloud misconfiguration can be challenging and can be reduced by giving competent training and continuous monitoring of the cloud environment.

Possible Cloud Misconfiguration areas in some popular environments

Types	AWS	Azure	GCP
Access Management	IAM Overly Permissive Role Policies. Overly Permissive Customer-based inline policies. Common usage of Root user	Azure AD Directory Access. Guest Users in Azure AD. Mismanaged User roles.	Service Account User. Service Account Role. Service Account Admin. No User Granted Permissions.
Serverless	Lambda Functions are accessible globally. Usage of out-of-date runtime environments. Lack of encryption in the lambda runtime environment.	Hosting a website that contains vulnerabilities. The database doesn’t have any encryption policies. Not configuring WAF to manage & block traffic.	Ingress All Traffic Enabled. HTTP not Triggering towards HTTPS. Cloud Function Serverless Global Access.
Virtual Environment	No Limits on OnDemand vCPU Instances. Instance IAM role limitless access. Custom ports are allowed.	No limits in VM Instances. VM AD Authentication Disabled. Custom Ports enabled.	No limit on VM Instances creation. VM Instance is overly permissive. Custom ports enabled.
Networking	IP Forwarding Enabled. Enabling Public Ingress & Egress in Security Groups. Public IP enabled on EC2.	IP Forwarding Enabled. Enabling Public Ingress & Egress in Network Security Groups. Public IP on Virtual Machine	IP Forwarding Enabled. Enabling Public Ingress & Egress. Public IP on Compute Engine.
Databases	Table Backup Exists. No Encryption when implementing the Accelerator cluster. Rest Encryption Disabled.	SSL not enforced & Retention Period Not set. Threat enable is not set. Publically accessible database.	Lack of SSL Certificate Rotation. Lack of SQL Contained Database Authentication. Publically Accessible Database.

Monitoring/Controls for Cloud Misconfigurations

Access Management

• Ensuring role policies are properly scoped with specific and limited permissions.
• Impose MFA to all users.

Serverless

• Cloud Functions should not be accessible publically.
• Make sure that the hosting web service is not vulnerable.

Virtual Environment

• Set a limit on number of VM creation.
• Grant limited permission so that only Administrators have access to the VMs.

Networking

• Ensure that in the security groups have IP Forwarding Disabled.
• Limit the provision of public IP addresses for resources.

Databases

• Always enforce SSL certificate rotation on Database services.
• Ensure that Database should not be accessible publically.

After implementing the above controls and it’s monitoring entities should be able to get a better understanding and posture of the cloud environment. Only internal monitoring in realtime or in an interval won’t be sufficient to keep the cloud environment secure. Regular vulnerability assessments and pen-testing need to be conducted by external third parties every 6 months to address the uncovered security vulnerabilities, avoid data breaches, protect your customer's data, and build trust. Configuration reviews should be part of the technical reviews by a third party. Periodic Breach Attacks and Simulation exercises can help a lot.

Due to the scarcity of trained cybersecurity professionals, Experienced Security Firms can be hired to help entities improve their cyber posture. Applications hosted on a cloud environment must move to Production environments only after conducting vulnerability assessments and pen-testing covering both black-box and grey-box. It is equally important to test the APIs, mobile applications, and other IT environments too.

---

About the Author

Ashwin Chaudhary is the CEO of Accedere a Data Security, Privacy Audit, and Training Firm. He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT, Governance Risk, and Compliance.