One way or another, cloud infrastructure has firmly entrenched itself as a crucial component for almost all organizations, and public cloud spending is expected to continue to skyrocket over the next five years. As with any organization-wide adoption program, cloud infrastructure initiatives require extensive planning to embrace and expand the scope successfully and securely. Lack of planning for cloud infrastructure initiatives can create complexities and risks, ultimately opening up the doors for adversaries to infiltrate organizations’ attack surfaces.
The most common complexity in this realm is the issue of misconfiguration and misunderstanding the difference between default settings and security best practices. Misconfiguration has been at the root of some of the industry’s largest breaches, including Marriott’s second breach in 2020. From shared responsibility to mismanaged default settings, the root causes of cloud misconfigurations add up to big cybersecurity risks. The good news is that there are a few critical areas of focus that can set an organization up for success.
Identify and Verify All Users
Within the cloud, security and verification for people, devices and applications is often difficult. Security professionals must enforce identification and verification of any entity accessing the organization’s cloud network, even if the ‘identity’ appears to come from a trusted source. If an attacker can gain access to a verified digital identity or an area of infrastructure that is implicitly trusted with no further checks, they can extract company data unnoticed and undetected for an extended period of time.
That is why identity and access management (IAM) is one of the most critical and complex architectures within the major three cloud service providers (CSPs). IAM controls who has access to specific resources, isolates privilege to those on a need-to-know basis and includes organizational policies that grant access and technologies by role.
It’s critical that proper policies are adopted in tandem with IAM implementation; if IAM is mishandled, an organization could suffer the consequences of unsecured credentials and ubiquitous access across roles.
Beware of Security Group Defaults
Cloud security groups act as a control and enforcement point for your traditional IT environment. They control ingress (inbound) and egress (outbound) traffic based on rules and respond accordingly, notifying security and IT teams of suspicious activity, nefarious or otherwise. Unfortunately, security and IT professionals can be overwhelmed with alerts, notifications and requests, and this fosters a culture of speed versus quality. Teams may create two or three security groups and repeatedly use them for different purposes across the entire infrastructure.
While it may sound efficient, this is akin to giving your user account domain admin privileges and is a frequently leveraged misconfiguration. It can leave open opportunities for attackers and increase your attack surface because, by default, all major CSPs block all inbound traffic and allow all outbound traffic. Organizations that span multiple CSPs are most at risk because there is little common configuration across CSPs, leaving organizations to customize each platform accordingly to ensure secure applications across all cloud infrastructure.
Define ‘Authenticated’ Users and Log Accordingly
The term ‘authenticated user’ can be misleading when discussing the cloud. It’s a valid assumption to think this term strictly applies to those already authenticated within your organization. Unfortunately, that’s not accurate when managing the mainstream CSPs.
Anyone with the privilege of an ‘authenticated user’ can access your cloud whether they are inside and outside your organization. It’s critical that unauthorized access is prevented by fostering greater understanding of user accessibility and planning accordingly.
Although it seems tedious, it’s increasingly important to manage and track the numerous users making changes to cloud infrastructure. Logs can be the key to identifying suspicious activity and quickly remediating a security situation.
In a landscape rife with external threats, there’s no room for compromise on basic cloud hygiene. What can begin as a mistake in default settings can end in a very expensive crisis for business leaders, employees and customers. By prioritizing a clear focus on cloud hygiene and regular security reviews, businesses can embark on a strategic cloud path that supports the mission of ending cybersecurity risk.