researchHQ’s Key Takeaways:
- When it comes to cloud security, many assume that cloud service providers are themselves a significant risk. The data, however, suggests otherwise.
- Under the shared responsibility model, organisations, not service providers, are responsible for service configurations.
- Misconfigurations are responsible for 65-70% of breaches in higher-level cloud services.
- The rapid pace of change in the cloud demands that security is integrated into the building process, ensuring that what an organisation builds works as intended and only as intended.
The cloud is an environment full of potential. It provides easy access to technologies that simply weren’t available a decade ago.
You can now launch the equivalent of an entire data center with a single command. Scaling to meet the demands of millions of customers can be entirely automated. Advanced machine learning analysis is as simple as one API call.
This has allowed teams to speed up innovation and focus almost exclusively on delivering business value.
But it’s not all unicorns and rainbows. The assumption was that alongside this increased potential, the security challenges we see on-premises would grow as well. Teams should be struggling with zero-days, vulnerability chains, and shadow IT.
It turns out they aren’t.
At least those issues are nowhere near the top of their list of concerns. The top security challenge for builders in the cloud is very straightforward.
Their biggest challenge is making mistakes in the form of service misconfigurations.
Shared Responsibility
Now I know at least a few of you have raised your eyebrows at that statement. And I will back it up in a minute.
But first, let’s look at the evidence around the initial assumption that people make about cloud security. They assume the cloud service providers themselves are a big risk.
The data doesn’t support this at all.
The big four cloud service providers (Alibaba Cloud, AWS, Google Cloud, and Microsoft Azure) have had two security breaches in their services over the past five years…combined.
Now, before we get into each of these, it’s important to note that each of the big four has had to deal with tons of security vulnerabilities over this timeframe.
A large number of cloud services are simply managed service offerings of popular commercial or open source projects. These projects have had various security issues that the providers have had to deal with.
The advantage for us as users, as builders, is how operations works in the cloud. All operational work—and make no mistake, security is operational work—done in any cloud follows the Shared Responsibility Model.
It’s very straightforward.
There are six primary areas where daily operational work is required. Depending on the type of service you are using in the cloud, your responsibilities shift.
If you’re using instances or virtual machines, you are responsible for the operating system, the applications running on that OS, and your data.
As you move to an entirely managed service, you are only responsible for the data you process and store with the service.
For all types of cloud services, you are responsible for service configuration.
Despite having a clear line of responsibilities, the providers offer a number of features to help you meet your responsibilities and adjust the services to suit your needs.
Cloud Service Provider Issues
Now, looking back at the two provider security issues over the past five years…
The first one we’ll look at is from March 2020.
In this case, Google Cloud paid out a $100,000 reward through their bug bounty program to a security researcher who found a privilege escalation issue in Google Cloud Shell.
This is a service that provides a browser-based interface to the command line of a virtual machine running in your account. Under the covers, this shell is simply a container running an application to provide the required access.
The researcher noticed that they were able to use a socket connection in the container to compromise the host machine and escalate their access.
The root cause? A misconfiguration in the access to that socket.
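A defensive check for the general class of misconfiguration described above (a host socket reachable from inside a container), as an added example that is not from the original article and does not reconstruct the Google Cloud Shell issue. It assumes workloads are described as Kubernetes-style pod manifests; the sample manifests, `SOCKET_DIRS` and both function names are constructed for illustration.

```python
# Added example. Manifests are constructed sample input in Kubernetes pod-spec shape.
SAMPLE_PODS = [
    {"metadata": {"name": "web-shell"},
     "spec": {
         "volumes": [
             {"name": "runtime", "hostPath": {"path": "/var/run/docker.sock"}},
             {"name": "scratch", "emptyDir": {}},
         ],
         "containers": [{"name": "shell", "volumeMounts": [
             {"name": "runtime", "mountPath": "/var/run/docker.sock"},
             {"name": "scratch", "mountPath": "/tmp/work"}]}]}},
    {"metadata": {"name": "agent"},
     "spec": {
         "volumes": [{"name": "hostrun", "hostPath": {"path": "/run/"}}],
         "containers": [{"name": "collector", "volumeMounts": [
             {"name": "hostrun", "mountPath": "/host/run"}]}]}},
    {"metadata": {"name": "batch"},
     "spec": {
         "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}}],
         "containers": [{"name": "worker", "volumeMounts": [
             {"name": "logs", "mountPath": "/logs"}]}]}},
]

# Heuristic (assumption): a host path is risky if it names a socket file or is a
# directory where host daemons conventionally place their sockets.
SOCKET_DIRS = {"/run", "/var/run"}

def exposes_host_socket(path):
    path = path.rstrip("/") or "/"
    return path.endswith(".sock") or path in SOCKET_DIRS

def find_host_socket_mounts(pods):
    """Return (pod, container, host_path) for each mount that exposes a host socket."""
    findings = []
    for pod in pods:
        spec = pod.get("spec", {})
        # Volume name -> host path, restricted to volumes that expose a host socket.
        risky = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", [])
                 if exposes_host_socket(v.get("hostPath", {}).get("path", ""))}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for m in c.get("volumeMounts", []):
                if m["name"] in risky:
                    findings.append((pod["metadata"]["name"], c["name"], risky[m["name"]]))
    return findings

if __name__ == "__main__":
    for finding in find_host_socket_mounts(SAMPLE_PODS):
        print("host socket exposed:", finding)
```

Each finding is a configuration item to review rather than a confirmed vulnerability: the question for the owner is whether that container needs the socket at all.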
The second example is from January 2020 and it involved a service offered in Microsoft Azure.
Here an issue was reported in the Microsoft App Service offering.
This vulnerability allowed an attacker to escape the expected boundaries of the service and access a limited-scope deployment server with elevated privileges.
The reason? A misconfiguration in the open source tool used to provide this web app hosting service.
In both cases, the vulnerabilities were responsibly disclosed and quickly fixed. Neither issue led to any reported customer impacts. Both of these cases were in higher-level cloud services.
These are services that the provider’s teams built using other services on the platform. As a result, and in line with the shared responsibility model, they were at risk of a service misconfiguration.
Even the hyperscale providers face this challenge!
3rd Party Validation
There’s more evidence to support the fact that misconfigurations are the biggest issue in cloud security.
Security researchers in the community who study cloud issues have all published findings that align with this premise. Whether from other security vendors or industry organizations, the findings agree:
65-70% of all security issues in the cloud start with a misconfiguration.
Making it worse, 45% of organizations believe that privacy and security challenges are a barrier to cloud adoption. Why is that worse?
When understood, the shared responsibility model makes it easier to maintain a strong security posture. Organizations should be pushing to move faster to the cloud in order to improve their security!
Direct evidence
But surveys and targeted research projects only go so far. What does the publicly available evidence say?
Here’s a list of some of the most visible cloud security breaches in recent years:
- MCA, 500,000 loan documents
- RNC, 187,000,000 voter records
- THSuite, 30,000 cannabis dispensary records
- Booz Allen Hamilton, ??? top secret records
- Dow Jones, 2,200,000 customer records
- WWE, 2,000,000+ customer records
- Verizon Wireless, 6,000,000 customer records
- Accenture, 40,000 infrastructure passwords & details
- Capital One, 100,000,000 customer records
- US DoD, 1,800,000,000 data records for analysis
- Alteryx, 120,000,000 personal records
- CAM4, 10,000,000 personal records
If you filter out all the reports of cloud hacks and breaches to remove incidents that were not cloud specific—so those where the issue wasn’t related to cloud, the service just happened to be there—over two billion sensitive records have been exposed through a breach in cloud security.