The cloud can provide an organization with many different advantages. For instance, by taking advantage of Amazon S3 or similar services for data storage and processing, an organization can decrease costs and increase the accessibility and scalability of their data processing and storage operations. However, using the cloud can also have significant impacts on data security. Security on the cloud looks very different from a traditional on-prem environment, and the reduced visibility for the security team of the cloud environment can make detection of problems more difficult.
In many cases, cloud security misconfigurations go unreported, leaving organizations vulnerable to attack without their knowledge. Without an accurate view of their current level of security and danger, these organizations can breach sensitive data without being aware of the threat. Understanding the cloud shared security model and the threat of cloud security misconfigurations is vital to properly protect sensitive data stored in the cloud.
The cloud-shared security model
The cloud is a very different environment than an on-premises deployment, and operating in the cloud can require very different tools and methodologies. One of the biggest challenges for many cloud users is the Cloud Shared Security Model.
As organizations increasingly adopt Infrastructure as a Service (IaaS), they need to adapt their security strategy to this new environment. In IaaS, the cloud service provider (CSP) provides the infrastructure to the client and is responsible for the security of the components under their control. The customer then builds their system on top of the provided infrastructure, is responsible for the security of the components under their control, and potentially shares responsibility with the CSP for some components.
Not understanding the cloud shared security model and how to properly configure the security of the components under their control is a primary cause of cloud-related data breaches. Security in the cloud requires understanding the security controls provided by the CSP and how to use them properly.
Risk of cloud security misconfigurations
Cloud deployments commonly have at least two security levels: private and public. Private clouds require a user to explicitly be given access to a cloud-based resource before they are able to access it. This model provides additional security; however, the need to explicitly manage access can be inconvenient.
As a result, many organizations and individuals have inappropriately placed sensitive data in “public” cloud deployments. In a public deployment, anyone who knows the URL of the cloud resource can access it without any authentication or authorization.
While this is more convenient for users, it dramatically decreases the security of cloud deployment. Tools have been developed that are designed explicitly to search for cloud URLs and determine whether or not they are set to public. As a result, numerous data breaches have occurred where organizations are unsure if their sensitive data has been stolen by hackers while it was exposed before the organization was notified of the issue by an ethical hacker.
The number of data breaches associated with poor security configurations on the cloud has driven Amazon to implement additional security controls for its S3 cloud storage service. While cloud deployments have always been private by default (forcing users to explicitly choose to make them public). Amazon has added visual cues to help users recognize insecure settings. Additional default security options and the ability to mark all S3 buckets in an account as private (regardless of individual settings) can also help to raise the bar for cloud security.
The cloud misconfiguration problem
However, these security controls are only effective if an organization knows that they need to use them. In general, organizations’ cloud security misconfigurations are dramatically under-reported, and businesses believe that they are more secure than they actually are.
In fact, only about 1% of cloud misconfigurations are actually reported. The average company believes that there are about 37 IaaS misconfiguration issues per month, but the real number is closer to 3,500. As a result, organizations are potentially leaking sensitive data without their knowledge.
Fixing a cloud misconfiguration issue can take days or even up to a month, leaving organizations open to attack for a significant period. Many of these issues, as we mentioned earlier, can be traced back to a failure to properly configure security controls provided by the organization’s cloud service provider.
Securing the cloud
The cloud is a very different environment for security teams and the average user to operate in. In the cloud, the organization’s security team no longer has complete visibility and control over the systems in their network. The infrastructure that is provided by a cloud security provider is not accessible to the security team for audits, and traditional security solutions may not be effective in a cloud environment.
In order to effectively secure a cloud deployment, an organization needs to deploy a security strategy and security tools that are designed for the cloud. In many cases, implementing security in the cloud requires understanding and properly implementing the security controls that a cloud service provider makes available as part of their IaaS offering.
In the cloud, testing the effectiveness of the organization’s security controls requires security solutions that are designed and built for the cloud. An organization needs the ability to scan for configuration gaps in their cloud deployment and to identify and protect sensitive data regardless of where it is located.