
The rise of cloud misconfiguration threats and how to avoid them

Businesses must adopt new tools and practices to combat one of the leading causes of security breaches

With cloud adoption accelerating, the growing scale of cloud environments is outpacing the capacity for businesses to keep them secure. This is why many organisations feel vulnerable to data breaches that might arise as a result of cloud configuration errors. 

More than 80% of the 300 cloud engineering and security professionals questioned by Sonatype and Fugue in their latest cloud security report said they felt their organisations were at risk. Factors include teams struggling with an expanding IT ‘surface area’, an increasingly complex threat landscape, and recruitment challenges coupled with a widening skills gap. 

A major security threat 

Misconfiguration is a major problem because cloud environments can be enormously complicated, and mistakes can be very hard to detect and to remediate manually. According to Gartner, the vast majority of publicly disclosed cloud-related security breaches are directly caused by preventable misconfiguration mistakes made by users, which underlines how serious a security threat they are.

“Often companies use default configurations, which are insecure for many use cases, and unfortunately there's still a significant skills gap,” says Kevin Curran, senior IEEE member and professor of cyber security at Ulster University. “The cloud industry is relatively new, so there’s a noticeable deficit in knowledgeable cloud architects and engineers.”

He claims there are numerous scanning services constantly seeking out vulnerabilities to exploit and, because flaws can be abused within minutes of creation, this has led to an urgent race between attackers and defenders.


“An attacker can typically detect a cloud misconfiguration vulnerability within ten minutes of deployment, but cloud teams are slower in detecting their own misconfigurations,” he adds. “In fact, only 10% are matching the speed of hackers.”

Misconfiguration can happen for many reasons, such as organisations prioritising legacy apps over cloud security, Ben Matthews, a partner at consultancy firm Altman Solon, points out. “Even with the significant growth in cloud adoption in recent years,” he adds, “the current and likely enduring prevalence of mixed and hybrid environments mean that this problem isn’t going away anytime soon.”

There are several other common causes of cloud misconfiguration, too. Those questioned as part of Sonatype and Fugue’s study cited too many APIs and interfaces to govern, a lack of controls, oversight and policy, and even simple negligence, as among the main reasons. 

A fifth (20%) noted their businesses haven’t been adequately monitoring their cloud environments for misconfiguration, while 21% reported not checking infrastructure as code (IaC) prior to deployment. IaC is a process for managing and provisioning IT infrastructure through code instead of manual processes. 

It’s a people problem

Experts agree that cloud misconfiguration is, first and foremost, a people problem, with traditional security challenges such as alert fatigue, the complexity of managing applications and workloads, and human error playing a significant role. 

“Laziness, a lack of knowledge or oversight, simple mistakes, cutting corners, rushing a project – all these things play into misconfigurations,” points out Andras Cser, vice president and principal analyst at Forrester. 

Organisations also find the demand for cloud security expertise is outstripping supply, making it harder than ever to retain staff with the knowledge required to guarantee cloud security. Often, there’s also confusion within businesses as to who’s responsible for checking for vulnerabilities, and, if any are found, ensuring they’re removed.

“Secure configuration of cloud resources is the responsibility of cloud users and not the cloud service providers,” clarifies Gartner’s senior director analyst, Tom Croll. “Often, misconfigurations arise due to confusion within organisations about who’s responsible for detecting, preventing and remediating insecure cloud assets. Application teams create workloads, often outside the visibility of security departments, and security teams often lack the resources, cooperation or tools to ensure workloads are protected from misconfiguration mistakes.”

Curran continues by highlighting that different teams are responsible at different stages of any cloud project. For instance, cloud developers using IaC to develop and deploy cloud infrastructure should be aware of the major security parameters included in the software development cycle. The security team, on the other hand, is generally responsible for monitoring and the compliance team for audits. To make things more complicated, Sonatype and Fugue’s report suggests cloud security requires more cross-team collaboration than in the data centre. More than a third (38%) of those surveyed, however, cited friction existing between teams over cloud security roles.

Avoiding cloud configuration errors

Wherever possible, organisations will want to prevent cloud misconfiguration problems from arising in the first place. This can be achieved by using tools such as IaC scanning during the development phase, and the adoption of policy as code (PaC), which, according to Curran, has revolutionised how IT policy is implemented. 

Rather than following written rules and checklists, in PaC, policies are expressed “as code” and can be used to automatically assess the compliance posture of IaC and the cloud environments organisations are actively running. 

“Using PaC for cloud security is significantly more efficient and cost-effective as it’s repeatable, shareable, scalable and consistent,” he explains, adding: “It also greatly reduces security risks due to human error.” Of course, mistakes can be missed and, therefore, continuous 24/7 monitoring should be core to a business’ cloud security operation in order to maximise the chances of finding potential vulnerabilities.

Experts advise businesses to use automated security services, such as cloud security posture management (CSPM), which are designed to identify misconfiguration issues and compliance risks in the cloud. These tools automate the process of finding and fixing threats across all kinds of cloud environments.

“These allow cloud platform admins to create a good baseline of cloud configuration artefacts, then detect any drifts from it,” Forrester’s Cser continues. “It also takes advantage of best-practice templates that will flag issues around S3 buckets or overprivileged instances, for example. Automated CSPM visibility, detection and remediation should be continuous.”
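The policy-as-code and baseline-drift ideas described above, as an added example that is not from the article or from any vendor it names: the same policies run over an IaC plan before deployment and over a live snapshot afterwards, and the snapshot is compared with the plan as baseline. Plain Python stands in for a policy engine; the resource schema, resource names and policy names are hypothetical and the data is constructed.

```python
# Constructed sample data in a hypothetical, simplified resource schema.
IAC_PLAN = {
    "bucket.logs":   {"type": "bucket", "public_read": False, "encrypted": True},
    "bucket.assets": {"type": "bucket", "public_read": True, "encrypted": True},
    "role.batch":    {"type": "role", "actions": ["*"], "resources": ["*"]},
}
# Live snapshot: the plan as deployed, then bucket.logs opened by hand and
# bucket.tmp created outside IaC with every setting left on its default.
LIVE = {**IAC_PLAN,
        "bucket.logs": {"type": "bucket", "public_read": True, "encrypted": True},
        "bucket.tmp":  {"type": "bucket"}}

# Each policy returns a finding string or None. A missing attribute is treated
# as insecure, so a resource left on defaults fails instead of passing.
def public_bucket(r):
    if r["type"] == "bucket" and r.get("public_read", True):
        return "bucket allows public read"

def unencrypted_bucket(r):
    if r["type"] == "bucket" and not r.get("encrypted", False):
        return "bucket is not encrypted at rest"

def wildcard_role(r):
    if r["type"] == "role" and "*" in r.get("actions", ["*"]) + r.get("resources", ["*"]):
        return "role grants wildcard actions or resources"

POLICIES = [public_bucket, unencrypted_bucket, wildcard_role]

def evaluate(resources):
    """Run every policy over every resource; return sorted (resource, policy) findings."""
    return sorted((name, p.__name__) for name, r in resources.items()
                  for p in POLICIES if p(r))

def drift(baseline, live):
    """Report resources and attributes that differ between baseline and live snapshot."""
    changed = sorted((n, k, baseline[n].get(k), live[n].get(k))
                     for n in baseline.keys() & live.keys()
                     for k in baseline[n].keys() | live[n].keys()
                     if baseline[n].get(k) != live[n].get(k))
    return {"unmanaged": sorted(live.keys() - baseline.keys()),
            "missing": sorted(baseline.keys() - live.keys()),
            "changed": changed}

if __name__ == "__main__":
    print("pre-deploy findings:", evaluate(IAC_PLAN))
    print("live findings:", evaluate(LIVE))
    print("drift:", drift(IAC_PLAN, LIVE))
```

In a pipeline, a non-empty result from `evaluate` on the plan would block the deployment, while the live check and `drift` would run on a schedule to support continuous monitoring.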
