Cloud storage has become an increasingly used service in the past years, especially as services are digitised and almost every business must operate online to exist. Cloud storage gave companies the flexibility and agility to keep up with growing numbers of customers. However, almost every technological advance comes with a downside, and in this case it’s cloud misconfiguration.
Cloud storage seems much simpler than imagined: everything is safely stored away with just a click. Or is it? In this article, we’ll learn a bit about cloud storage, how it works, what cloud misconfiguration means, and why it’s dangerous. Most importantly, we will show you how to avoid such misconfigurations.
What is Cloud Storage?
Cloud storage is a means for both individuals and businesses to store their data online and access it from any device, no matter where they are. Cloud services also allow sharing of data with the people granted permission by the data owner and offer backup services to make restoring systems and data more accessible.
In the beginning, cloud storage was used primarily by individuals who needed more storage space and wanted to avoid keeping data on external devices that had to be connected and searched every time. Cloud storage reduces all that to a few steps, and your data is at hand.
Commonly referred to as “the cloud”, many cloud services are available today, usually in a free version and a premium one that offers more. These cloud services include Google Drive, OneDrive, Box, and Dropbox.
How Does the Cloud Work?
The cloud is a storage service you buy from a provider that owns and operates the data storage capacity and delivers it over the internet on a pay-as-you-go basis. The providers manage the capacity, durability, and security of these virtual storage vessels and make the data stored on them accessible from anywhere in the world.
Why is the Cloud Better than On-Premises Environments?
Cloud services are a great way to try new services through the Software as a Service (SaaS) model. This means that the cloud provider hosts applications and makes them available to online users without high costs or infrastructure requirements. Through this, businesses can enjoy the benefits of new services and seize the opportunity to interact with third parties.
A company can adjust its usage of cloud services according to its needs, such as scaling its usage up and down. This also saves companies a lot of money, as they will only pay for the services they use. In cases where an increase in the required cloud services is expected, the business can quickly increase the capacity of the cloud and scale those services back down when the rising wave subsides.
Cloud and backup services associated with them provide businesses with a failsafe system. This is particularly beneficial when there has been a security breach and the company needs to get back to work. Cloud vendors usually keep several data centres available for recovery. You can rest assured when dealing with reputable names in this field, such as AWS, Azure, and GCP.
Using cloud services is no longer considered a competitive edge; it has become a requirement in the past few years. Changes, updates, and even new software are released almost every week. Organisations need to keep up with such developments to keep the same service they offer to third parties. To maintain your position in the market, you need to utilise the speed cloud services offer.
Cloud environments have provided employees with easier working conditions, where the cloud is always available and can be accessed from anywhere. This availability gives management a complete picture of how the business is doing and provides an accurate report on the needs of the company at any time. Such advantages also encourage employees to adapt to remote working to meet their business needs.
Common Myths about Cloud Security
Studies show that as of 2020, almost 50% of all corporate and business data is stored in the cloud, and this number is only expected to rise, to the point where every organisation will seek the services of at least one cloud platform.
In this regard, many organisations have several misconceptions about cloud security, which can hinder their shift to the new technology and the migration process. This can cost the organisation a lot of money in continued use of traditional storage options and expose it to many security threats.
Here are the most common myths about cloud security:
Data security is the responsibility of the cloud service provider
As the data owner, you have a shared responsibility with the cloud service provider, meaning that you are also responsible for the security of the data uploaded. You must set policies that your team will follow to restrict any public access to the cloud. The restriction can be done by using authorisation, limiting management access, and ensuring that all data is encrypted once uploaded to the cloud.
One migration strategy fits all
The best approach to migration is to inventory all applications and their data assets and choose the best migration strategy for each application, depending on its data. Choosing a suitable migration strategy for each application goes a long way towards eliminating cloud misconfigurations and other vulnerabilities.
The cloud is more prone to security breaches than on-prem environments
Many cloud service providers work with skilled security analysts and highly qualified engineers to design and set up the security tools for their cloud platforms. This means that cloud services are, in a way, safer than on-premises environments.
You have to use only one cloud provider
There’s no problem in seeking the services of multiple cloud providers. This allows your security team to keep a small on-premises footprint and choose the best cloud service for each case. It also means that organisations are responsible for the around-the-clock protection of their multi-cloud platforms, using Cloud Security Posture Management (CSPM) and threat detection and investigation.
Cloud platforms hinder obtaining compliance requirements
Many cloud service providers are making controls available to meet compliance requirements. This goes hand in hand with your team utilizing monitoring utilities such as Cloud Security Posture Management.
What does Cloud Misconfiguration Mean?
In the past years, the increase in the use of cloud services by individuals pushed almost all businesses to accelerate their move to the cloud. In this rush, many loopholes were left in cloud systems and service configurations. Unfortunately, the smallest misconfiguration in the cloud could result in the loss of valuable data, and with it money and reputation.
Cloud misconfiguration is any gap, error or glitch introduced during cloud adoption or migration that puts your data and environment at risk. Such gaps can be exploited in many ways, by external attackers, malware and ransomware, or even insider threats, all of which can use the weaknesses in your system to gain access to the network.
Research by McAfee revealed that organisations face a staggering 3,500 security incidents every month. 90% of these organisations reported that many of the incidents they faced were related to IaaS, or Infrastructure as a Service, one of the types of cloud computing services.
Why does Cloud Misconfiguration Happen?
Although cloud services are relatively easy for a business’s internal teams to set up and deploy, team members who lack the required experience can leave severe vulnerabilities in the cloud. These employees must have the proper expertise to set the policies and configurations without missing any vital elements that are key to maintaining the cloud’s security.
When your employees are overworked, it’s more than possible that they miss checking some boxes when setting up cloud configurations. While this is unintentional, it can lead to the exposure of the company’s sensitive data.
No one migration strategy works for all applications. In fact, using the same migration method or system for all applications can lead to missing vital data. Many businesses think the “lift and shift” method, where all applications are transferred to the cloud as they are, will work for every application. This is why the team responsible for the cloud configuration must choose the migration strategy that suits each application and its database.
Cloud infrastructure can be complex and overwhelming for employees to keep in check. When many changing configurations, components, containers and resources need to be created and handled with both speed and care, it gets tricky if you don’t have a clear security checklist. Some form of organisation and standardisation needs to be implemented to ensure that all settings have been configured properly.
Unfortunately, many development and DevOps (development and operations) teams don’t pay much attention to the security of the applications and their infrastructure. They pay more attention to getting the applications to work correctly and delivering services to third parties. So, when you’re hiring a development team, make sure they understand the relevant security concepts.
What are the Common Types of Cloud Misconfiguration?
Cloud misconfigurations reach a whole new level when several cloud environments are involved. It can be challenging to keep the security of all of these environments in check and detect vulnerabilities or security breaches. A survey by Gartner revealed that such problems are responsible for 80% of data security breaches. Furthermore, it’s estimated that by 2025, 99% of failures in cloud environments will be due to human error.
This is why organisations must dedicate more attention and work to properly set up the cloud configurations to facilitate migration and avoid coming across any possible cloud misconfigurations.
1. Leaving Inbound Ports Unrestricted
Any port open to the internet is a problem waiting to happen. Cloud services often use high-numbered UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) ports to reduce the risk of exposure. However, an unusual port number alone is not enough protection and will be found by persistent attackers.
When deploying to several clouds, ensure you know the range of open ports. Close or dispose of any port that isn’t necessary to limit potential problems.
2. Leaving Outbound Ports Unrestricted
Leaving outbound ports unrestricted increases opportunities for data exfiltration and lateral movement. Part of this cloud misconfiguration results from granting outbound access for RDP (Remote Desktop Protocol) or SSH (Secure Shell). Application servers rarely use SSH to connect to other servers, so there’s no need to leave outbound ports open for SSH.
Limit the access of outbound ports and pair that with using the principle of least privilege to restrict and control outbound communications.
3. Management of “Secrets”
Secrets here refer to every piece of information that’s better kept safe, such as passwords, credentials, API keys and encryption keys. Unfortunately, many organisations leave this critical information at risk through poorly configured clouds, compromised servers, GitHub repositories, and HTML code. There’s no limit to what hackers can do if they get their hands on this data; they can overrun your cloud resources and cause severe damage.
Keep an inventory of all these secrets, stored securely and backed up, and check their protection frequently. You can also use secret management services such as AWS Secrets Manager, AWS Parameter Store, Azure Key Vault and HashiCorp Vault.
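As an added example (not code from the original article), the following Python scanner shows the kind of check that catches secrets committed to a repository or served in HTML before they leak. The file contents are constructed; the AWS pair is the example pair from AWS’s own documentation, and the other values are made-up placeholders, not real credentials.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample files standing in for a code repository or a served web page.
# None of these values are real credentials: the AWS pair is AWS's documented
# example pair, the rest are made-up placeholders.
SAMPLE_FILES: Dict[str, str] = {
    "config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "index.html": (
        "<script>\n"
        '  const apiKey = "c8f1e3a9b2d4e6f7a1b3c5d7e9f0a2b4";\n'
        "</script>\n"
    ),
    # Hardened form: the value is injected at runtime from the environment or a
    # secrets manager, so nothing sensitive is committed to the repository.
    "app.py": (
        "import os\n"
        'db_password = os.environ["DB_PASSWORD"]\n'
    ),
}

# AWS access key IDs have a fixed shape: "AKIA" followed by 16 uppercase
# alphanumerics. Matching the shape avoids relying on entropy alone.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Any quoted literal assigned to a variable whose name suggests a secret.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["\']([^"\']{6,})["\']'
)


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking key material scores high, words score low."""
    counts = Counter(value)
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_text(name: str, text: str) -> List[Tuple[str, int, str, float]]:
    """Return (file, line number, finding kind, entropy) for each suspicious line."""
    findings: List[Tuple[str, int, str, float]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append((name, line_no, "aws_access_key_id", shannon_entropy(match.group(0))))
        match = SECRET_ASSIGNMENT.search(line)
        if match:
            value = match.group(1)
            # Long, high-entropy literals are almost certainly key material; shorter or
            # low-entropy ones are still reported, because passwords often look like that.
            is_key = len(value) >= 20 and shannon_entropy(value) > 3.0
            findings.append((name, line_no, "hardcoded_key" if is_key else "hardcoded_secret",
                             shannon_entropy(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, float]]:
    """Scan every file and concatenate the findings in file order."""
    findings: List[Tuple[str, int, str, float]] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, line_no, kind, entropy in scan_files(SAMPLE_FILES):
        print(f"{name}:{line_no}: {kind} (entropy {entropy:.2f} bits/char)")
```

The same scan can run as a pre-commit hook so a finding blocks the commit instead of being discovered in a public repository later.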
4. Leaving Monitoring and Logging Disabled
This misconfiguration arises from the failure of many organisations to configure, enable, or review the data and logs offered by public cloud services. It arises not only in IaaS public clouds but also in storage-as-a-service clouds.
It’s preferable to have someone specifically in charge of regularly reviewing the data and logs and reporting any security issues. Even an automated alert for security problems won’t help if no one pays attention to the warnings.
5. Leaving Internet Control Message Protocol (ICMP) Open
The Internet Control Message Protocol tells you whether a system is running and reports device and network errors. However, it’s also a common tool for attackers, who use ping sweeps to discover hosts and flood systems with ICMP messages in DDoS attacks.
When configuring your cloud, ensure it’s configured to block ICMP.
6. Insecurity of Automated Backups
Insecure automated backups are counted among insider threats, since they stem from the human factor. According to McAfee, credentials of employees at 92% of organisations are offered for sale on the darknet. So, after securing your master data, you must also adequately secure the automatic backups of cloud data.
Make sure the backups of your data are encrypted when migrating to the cloud, whether the information is at rest or in transit. And make sure to restrict access permissions to the backup files.
7. Access to Storage
Cloud storage services let you grant bucket access to predefined groups of users. In AWS, for example, granting a storage bucket to “authenticated users” makes it readable by any account that has signed in to AWS, not only the accounts in your organisation. Not configuring who has access to storage will leave your data easily accessible to the public.
Make sure your access settings are appropriately configured only to allow access to those working in your organisation.
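One way to check bucket access settings, as an added example that is not the article’s own code: the Python audit below walks constructed bucket descriptions shaped like the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses (the bucket names, the account ID 123456789012 and the role name are placeholders) and reports ACL grants to the global groups, policies that allow everyone, and a disabled public access block.

```python
from typing import Any, Dict, List

# Predefined S3 grantee groups. "AuthenticatedUsers" is any signed-in AWS account
# anywhere, not just accounts belonging to your organisation.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the AWS value may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def audit_bucket(bucket: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one constructed bucket description."""
    findings: List[str] = []
    name = bucket["Name"]

    # 1. ACL grants to the global groups open the bucket beyond your account.
    for grant in bucket.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            findings.append(f"{name}: ACL grants {grant['Permission']} to AllUsers (public)")
        elif uri == AUTHENTICATED_USERS:
            findings.append(f"{name}: ACL grants {grant['Permission']} to AuthenticatedUsers (any AWS account)")

    # 2. An Allow statement for a wildcard principal with no Condition is public.
    for stmt in bucket.get("Policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"{name}: policy allows {stmt.get('Action')} to everyone")

    # 3. Public Access Block is the safety net; all four settings should be on.
    pab = bucket.get("PublicAccessBlock", {})
    disabled = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k, False)]
    if disabled:
        findings.append(f"{name}: public access block not fully enabled ({', '.join(disabled)})")
    return findings


# Constructed sample buckets: one public by every mechanism, one granted to
# AuthenticatedUsers, and one locked down to a single role in the account.
SAMPLE_BUCKETS = [
    {"Name": "example-web-assets",
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-web-assets/*"}]},
     "PublicAccessBlock": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}},
    {"Name": "example-partner-exports",
     "Grants": [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}],
     "Policy": {},
     "PublicAccessBlock": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}},
    {"Name": "example-internal-backups",
     "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                 "Permission": "FULL_CONTROL"}],
     "Policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-role"},
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-internal-backups/*"}]},
     "PublicAccessBlock": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}},
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        for finding in audit_bucket(bucket) or [f"{bucket['Name']}: no findings"]:
            print(finding)
```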
8. Lacking Validation
Lacking validation is considered a meta-problem because most organisations neither create nor implement any systems to discover misconfigurations when they occur. This is why you need a professional to verify the proper configuration of permissions and services.
Create a schedule to keep up with validation as the cloud environment evolves, and audit cloud configurations regularly to ensure there are no loopholes.
9. Granting Unlimited Access to Non-HTTP and HTTPS Ports
Web servers must be configured so that they are not reachable from every part of the internet. Servers host services and websites, but they also expose RDP and SSH for management, and sometimes databases. If these are not correctly configured, attackers can use them as an entry point.
When the ports are open to the web, ensure they accept traffic from only the addresses you get to specify, such as your office or team.
10. Unlimited Access to Virtual Machines, Servers, and Hosts
Unfortunately, many people connect a server directly to the internet without the protection of a firewall, just as they might in a data centre. Some of the most common incidents involve enabling FTP ports and legacy protocols on cloud hosts.
Ensure all important ports are secured and sealed, or at least limit insecure and legacy protocols in the cloud environment, just as you would in your on-premises data centre.
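The port-related items above (unrestricted inbound and outbound ports, open ICMP, non-web ports and legacy protocols exposed to the internet) can be checked in one pass. As an added example that is not the article’s own code, the Python audit below runs over constructed security groups shaped like EC2 DescribeSecurityGroups output; the group names are placeholders and 203.0.113.0/24 is a documentation range standing in for an office network.

```python
from typing import Any, Dict, List, Optional

# Source ranges that mean "the whole internet" in a security group rule.
ANYWHERE = ("0.0.0.0/0", "::/0")
# Ports the article calls out: remote administration and legacy protocols.
NAMED_PORTS = {22: "SSH", 3389: "RDP", 21: "FTP", 23: "Telnet"}
WEB_PORTS = {80, 443}


def _open_to_world(rule: Dict[str, Any]) -> bool:
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def _covers_port(rule: Dict[str, Any], port: int) -> bool:
    """True if the rule's protocol and port range include the given TCP/UDP port."""
    if rule["IpProtocol"] == "-1":          # "-1" means every protocol and port
        return True
    if rule["IpProtocol"] not in ("tcp", "udp"):
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def audit_security_group(sg: Dict[str, Any]) -> List[str]:
    """Return one finding per internet-facing exposure in a security group."""
    findings: List[str] = []
    name = sg["GroupName"]

    for rule in sg.get("IpPermissions", []):
        if not _open_to_world(rule):
            continue                        # limited to specified addresses: fine
        proto = rule["IpProtocol"]
        if proto == "-1":
            findings.append(f"{name}: all inbound traffic (every port, protocol and ICMP) open to the internet")
        elif proto in ("icmp", "icmpv6"):
            findings.append(f"{name}: ICMP reachable from the internet")
        else:
            hits = [f"{label} (port {p})" for p, label in NAMED_PORTS.items() if _covers_port(rule, p)]
            if hits:
                findings.extend(f"{name}: {hit} inbound from the internet" for hit in hits)
            elif not (rule["FromPort"] == rule["ToPort"] and rule["FromPort"] in WEB_PORTS):
                findings.append(f"{name}: non-web {proto} ports {rule['FromPort']}-{rule['ToPort']} "
                                "inbound from the internet")

    for rule in sg.get("IpPermissionsEgress", []):
        if not _open_to_world(rule):
            continue
        if rule["IpProtocol"] == "-1":
            findings.append(f"{name}: unrestricted outbound traffic (exfiltration and lateral movement path)")
        elif _covers_port(rule, 22):
            findings.append(f"{name}: outbound SSH allowed to the internet")
    return findings


def _world(proto: str, from_port: Optional[int] = None, to_port: Optional[int] = None) -> Dict[str, Any]:
    """Build a rule open to 0.0.0.0/0 (helper for the constructed samples)."""
    rule: Dict[str, Any] = {"IpProtocol": proto, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    if from_port is not None:
        rule.update(FromPort=from_port, ToPort=to_port if to_port is not None else from_port)
    return rule


# Constructed sample groups: wide open, legacy-heavy, and hardened.
SAMPLE_GROUPS = [
    {"GroupName": "web-sg-weak",
     "IpPermissions": [_world("-1")],
     "IpPermissionsEgress": [_world("-1")]},
    {"GroupName": "app-sg-legacy",
     "IpPermissions": [_world("tcp", 22), _world("tcp", 21), _world("icmp", -1), _world("tcp", 8080)],
     "IpPermissionsEgress": [_world("tcp", 22)]},
    {"GroupName": "web-sg-hardened",
     "IpPermissions": [_world("tcp", 443),
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],   # SSH from the office only
     "IpPermissionsEgress": [_world("tcp", 443)]},
]

if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        for finding in audit_security_group(sg) or [f"{sg['GroupName']}: no findings"]:
            print(finding)
```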
11. Overly Granting Permission Access to Clouds
The constant evolution of cloud environments can cause administrators to lose track of the system controls, which makes keeping track of access permissions harder. One shortcut is to leave default permission settings in place to avoid dealing with many permission requests. However, this may result in some users obtaining unnecessary permissions, which increases the chances of insider threats.
You can seek services that control user permissions, such as SASE (Secure Access Service Edge). This service adds an extra security layer to your cloud, including the use of CASB (Cloud Access Security Broker) and CSPM (Cloud Security Posture Management) solutions.
12. Subdomain Hijacking
Subdomain hijacking happens when a resource hosted with a provider such as AWS or Azure is deleted from the organisation’s virtual host, but the organisation forgets to delete the DNS (Domain Name System) records that still point to it, leaving a configuration problem.
The attacker can re-register the subdomain and use it to build a malicious website to attract users rather than routing them to your website. This is the perfect setting for phishing attacks and malware injections that will not only affect the users but will also cause serious damage to the reputation of the original owner.
Organisations must make sure to delete all records of domains and subdomains that they do not use anymore from the DNS, to prevent hijacking of these domains or subdomains.
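To find such leftover records before anyone else does, the Python check below (an added example, not code from the article) walks a constructed zone for example.com and reports CNAME records whose target no longer exists, ranking those that point at provider-hosted names higher. Resolution is simulated with a set of live targets; a real audit would replace simulated_resolve with a DNS lookup (for example via dnspython, treating NXDOMAIN as “does not exist”), which is assumed rather than shown.

```python
from typing import Callable, Dict, List, Tuple

# Hosting suffixes where a deleted resource's name is free for the next customer
# to claim, which is what turns a stale record into a hijackable subdomain.
PROVIDER_SUFFIXES = (".amazonaws.com", ".azurewebsites.net", ".cloudapp.azure.com")

# Constructed zone: record name -> (record type, target). All names are placeholders.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com": ("A", "203.0.113.10"),
    "shop.example.com": ("CNAME", "shop-prod.azurewebsites.net"),
    "static.example.com": ("CNAME", "static-assets-2019.s3-website-us-east-1.amazonaws.com"),
    "promo.example.com": ("CNAME", "summer-campaign.azurewebsites.net"),
    "blog.example.com": ("CNAME", "blog-host.partner-hosting.example"),
    "legacy.example.com": ("CNAME", "oldbox.retired-vendor.example"),
}

# Constructed view of which targets still exist; stands in for a live DNS query.
LIVE_TARGETS = {"shop-prod.azurewebsites.net", "blog-host.partner-hosting.example"}


def simulated_resolve(target: str) -> bool:
    """Pretend resolver: True if the target name still exists."""
    return target in LIVE_TARGETS


def find_dangling_records(zone: Dict[str, Tuple[str, str]],
                          resolve: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Report CNAME records whose target no longer resolves.

    A dangling target on a provider suffix is rated high because the cloud
    resource name can be re-created by anyone; other dead targets are medium."""
    findings: List[Dict[str, str]] = []
    for name, (rtype, target) in zone.items():
        if rtype != "CNAME" or resolve(target):
            continue
        provider_hosted = any(target.endswith(suffix) for suffix in PROVIDER_SUFFIXES)
        findings.append({
            "record": name,
            "target": target,
            "severity": "high" if provider_hosted else "medium",
            "action": "delete the CNAME record or re-create the resource it points to",
        })
    return findings


if __name__ == "__main__":
    for finding in find_dangling_records(ZONE, simulated_resolve):
        print(f"[{finding['severity']}] {finding['record']} -> {finding['target']}: {finding['action']}")
```

Running this check in the same pipeline that decommissions cloud resources closes the gap between deleting a resource and cleaning up its DNS record.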
13. Misconfigurations in Relation to your Cloud Provider
Several misconfigurations are specific to the cloud provider you’re using. For example, the misconfiguration of leaving S3 buckets publicly accessible is specific to the AWS cloud.
Every organisation should research cloud misconfigurations specific to each cloud service provider before deciding on using their services.
What are the Consequences of Cloud Misconfigurations?
1. Leaked Sensitive Data
Misconfigurations of access control can expose sensitive data to the public, which can mean that hackers can steal valuable files. Suppose a hacker can retrieve files from your cloud storage or even read any data from your corporate databases. In that case, this will put your organisation at risk of exposing users’ personal information, corporate espionage, or, worse, malicious actors deleting data from your database.
2. Service Disruption
A cloud misconfiguration can give attackers access to your database, which most likely will disrupt the services you provide. Attackers can use various methods to disrupt services. These methods include ransomware attacks, encrypting data, deleting resources, using your servers to conduct spam attacks, and illegally mining bitcoin.
Proper configuration of servers, containers, or networks will increase the chances of your organisation’s recovery after a disaster or scaling down after peak demand. This will also allow you to keep your users and meet their needs for the services you provide, whether after facing a security problem or scaling up to meet increasing demand.
How to Reduce Cloud Misconfigurations in General?
1. A Change in Management Practices
Several management practices will improve your chances of spotting cloud misconfigurations and preventing them from happening in the first place. By scheduling changes and reviewing and implementing them in a unified way, your company can avoid many vulnerabilities.
2. Rechecking Services
The development and operations teams responsible for creating and configuring new cloud servers and applications usually forget to recheck the configurations later. It is always vital to be aware of your cloud services’ position and status.
3. Who is Responsible for What
A lot of confusion arises because organisations do not fully understand their responsibilities and scope. Regarding the security of the cloud, responsibilities are divided according to the provider mechanism, whether this mechanism is Infrastructure-as-a-Service (IaaS) or Software-as-a-Service (SaaS).
IaaS cloud providers, such as Google Cloud, Amazon AWS, Microsoft Azure and Alibaba Cloud, use a model of shared responsibility with the customer. So, organisations must understand their responsibilities entirely when using the IaaS cloud, starting with the IT and cybersecurity teams understanding the service agreement and the tools and cloud support offered by the provider.
SaaS cloud providers, on the other hand, such as Workday, Square, and Salesforce, carry most of the security responsibility. However, it’s still essential that IT and cybersecurity personnel review the service agreement to ensure their organisation’s compliance with any security requirements for the operation of the cloud service.
4. Simple Environments
It’s imperative to know that cloud security depends on the knowledge and understanding of your cloud, while denying unauthorised people access to that knowledge. Such knowledge entails understanding the resources, configurations, every relationship, and your entire cloud environment across different platforms, and reviewing every new change. Otherwise, you’re putting your cloud at risk.
Doing so will allow your development team to act faster if there are any vulnerabilities or risks. It will also make compliance professionals grateful for playing a proactive role in detecting and avoiding possible risks.
Instruct your team that they must back up any environment configuration and documentation like they do with any data set. By doing so, you allow for easier comparison between any current environment and the future or intended environment. While this might take a lot of work, it’s proven its benefits in the long run; they help you track, understand, and troubleshoot any issues that might arise in the future.
6. Knowledge of Common Security and Misconfiguration Issues
Before an organisation signs an agreement with a cloud service provider, it must first thoroughly understand the security issues that might arise from cloud migration. One resource is that many cloud service providers document everything, such as Amazon AWS security documentation. A significant percentage of this documentation is publicly available online, even to those not using the same cloud service. Reading this documentation, you can understand a lot about the pitfalls and complexities of cloud service configuration.
Internet searches will also provide insight into many cloud configuration problems and possible solutions. Another great source is the support forums set up independently or by the service provider. They include many issues faced with cloud configurations since different users share their experiences and problems, and everyone helps to find a solution.
7. Infrastructure as Code
Infrastructure-as-code (IaC) means managing and provisioning computer data centres through code instead of manual processes such as configuring physical hardware or using interactive configuration tools. This method is more efficient and allows more scale and predictability in the cloud. Most importantly, it lets the security of the cloud’s infrastructure be checked before deployment. This is why it’s better to abstain from building or modifying any cloud infrastructure that isn’t IaC-based.
8. Use Configuration Templates
When your security team sets up the configuration for a cloud service, this creates a template that can be used for configuring future cloud services. This means that IT team leaders must work on integrating security settings into the main configuration so that this template can be reused in the future.
This means that when adding any additional services, you can use the general outline of the previously created template as a guide or streamline the configurations for the new service. Then, you can configure any additional settings required for the new service.
One reason for practising caution when migrating from internal systems to the cloud is the huge difference between the two environments: in the cloud, computing is distributed over various computers rather than a single physical location, as stated by Gary Stevens, web developer at Hosting Canada.
9. Vulnerability Scans
Frequent scanning discovers possible vulnerabilities or security issues as they arise. Static and dynamic application security testing, together with network and firewall testing, ensures all routes and ports are locked down. Your teams can use code scanners such as Bridgecrew and Snyk to scan your IaC frameworks for common configuration errors.
10. Penetration Test
Scanning for vulnerabilities isn’t enough. You need to conduct penetration tests on your environment and applications to assist in spotting and fixing possible weak points in your infrastructure. Regular penetration testing is indeed costly, but it’s not as expensive as mending the damage of a cloud security breach.
11. Automated Security and Configuration Checks
Your team must conduct regular security, compliance, and configuration checks on the applications and infrastructure. This is why it’s better to have automated settings for these regular checks to both create and deploy secure code.
12. Testing and Updating
A configuration is never permanently secure unless you test it frequently and act on any issues the testing reveals. This allows you to identify potential weak points that might lead to security vulnerabilities. You can also use automated testing to keep your configuration as safe as possible.
Just like old versions of the software are a fertile environment for cybersecurity attacks, old versions of configurations are the same. If you don’t keep up with updating these configurations, you’re creating more opportunities for vulnerabilities. Frequent testing also allows you to discover all the benefits you can reap from updating your configurations.
13. Empower Your Developers
The development and security of the cloud are two concepts that must be parallel. You can’t treat security as an afterthought when a problem arises. In this regard, both the cloud security specialists and the developers need to work together and benefit each other. Security specialists can use the developers’ help to understand the software’s life cycle or what’s known as SDLC (Software Development Life Cycle). On the other hand, the developers will need tools to help the security specialists configure security settings correctly.
Ensuring that your teams are trained in cloud engineering will give them valuable skills that will come in handy in the face of modern cloud threats. It will also enrich their knowledge and experience in the field of cloud security, which will help them advance their careers and support your organisation’s reputation as a great place to work.
Not to mention that integrating security in the early stages will help prevent problems from happening in the first place instead of spending precious time remedying these problems later.
14. Automated Policies
Human error has been established as one of the main, if not the top, reasons for security breaches, including cloud misconfigurations. This is where automation comes in handy because you need the proper executable code for any cloud security or compliance policy to be executed without fault.
When you use automated policies, you ensure efficient management and enforcement of cloud security and give development teams the opportunity to configure security properly from the beginning.
15. Risk Assessments
The benefit of conducting risk assessments is that they help identify and predict possible security threats to your cloud, and any potential threat to your infrastructure that might affect the migration of your data to the cloud.
16. Access Policies
The last step you can take is establishing access policies to your cloud environments. In this regard, you can use virtual private networks (VPNs) to control access, especially to space with critical information, such as Amazon’s Virtual Private Cloud or Azure’s Virtual Network. Make VPN access a requirement to give your company’s specialised personnel access wherever they are.
IT engineers often create new security rules or IP allowlists to facilitate access to the shared team data stored in the cloud. Securing every element of cloud infrastructure is imperative and must be ensured through frequent audits.
Cloud misconfiguration problems will continue to exist as long as cloud services are developing and there’s increased usage. This is why taking all necessary measures to keep your data and backups safe on the cloud is crucial.