What is Cloud Misconfiguration, and How Can You Avoid it?

By: Vladi Sandler

Dec 15, 2020

Cloud misconfiguration can be defined as any errors, glitches or gaps in your cloud environment that can leave you exposed to risk. This cloud security risk could come in the form of data breaches, cloud breaches, insider threats or external bad actors who leverage vulnerabilities to gain access to your network.

According to the NSA, cloud misconfiguration is the top vulnerability in a cloud security environment, and although these risks are often low in sophistication, the prevalence of cloud misconfiguration issues are generally through the roof. That is, 99% of companies will have cloud misconfigurations that they don’t even know about.

The Benefits of a Cloud Environment

Cost is one of the key drivers for businesses choosing to move their architecture and operations to the cloud. In fact, it’s regularly stated to save between 30-50% off the organizational bottom line.

However, cost is not the only benefit. Let’s look at some of the other reasons why organizations move to a cloud infrastructure:

Flexibility: A cloud environment is a great way to trial services through a SaaS model, without infrastructure requirements or high initial costs. By utilizing the cloud, services can be given a chance, risk-free, and businesses can enjoy quick integration with other third-parties.

Scalability: On the cloud, an organization can scale up and down their storage and compute resources as they choose, paying for only what they use. You can quickly adapt to meet a rise in demand when you expect a peak in traffic or cloud services, and then scale back down afterwards with ease.

Availability: Cloud storage and back-up services give an ‘always on’ failsafe that you can’t achieve on premises. Cloud infrastructure vendors usually have multiple data centers for disaster recovery, and you can be confident in the might and expertise of huge names like AWS, Azure and GCP.

Collaboration: Think of a cloud environment like a virtual office – always available and ready for your employees wherever they might be. Cloud collaboration tools mean there’s always an accurate view of business needs on any given project, and employees are empowered to work remotely to meet changing business needs.

Speed: See time to market much quicker with new products, feature updates and changes – with agile software release cycles going out as often as weekly or every two weeks. The cloud is no longer a competitive edge, as you can guarantee that your competitors are already there. It’s a must-have to stay relevant.  

Understanding Security When Using Cloud Services

Now, let’s look at one more, often claimed to be one of the greatest benefits of moving to the cloud: Security.

Cloud Security and Compliance:  94% of businesses saw an improvement in security after switching to the cloud, and 91% said the cloud makes it easier to meet government compliance requirements.

Companies are not wrong. Cloud infrastructure does have the potential to be a far more secure and compliant environment than on-premises deployments. But fast-paced digital transformation initiatives and aggressive cloud migration timelines also go hand in hand with an increased risk of errors, cloud misconfiguration and cloud security vulnerabilities, usually as a result of a misunderstanding of the Shared Responsibility Model.

Your cloud provider will be responsible for the security of the cloud. That means the underlying cloud infrastructure. However, it is 100% your responsibility to control and manage the security in the cloud. That includes all users, data, applications and traffic. When it comes to those, you’re on your own. This is where cloud misconfigurations occur.

Some Quick Facts about Cloud Misconfigurations

Cloud misconfiguration causes data breaches

Misconfiguration issues are responsible for 80% of data breaches. Organizations are unable to identify whether users have excessive access permissions in their cloud environments which means they often don’t know there is a problem until an attack has already occurred.

Cloud misconfiguration risk is probably your employee’s fault

The well-known Gartner quote says that until 2025, 99% of cloud failures will be down to human error. Due to complexity, employees often allow unrestricted access without realizing, and even when organization’s leverage cloud vendor tools for identity and access management (IAM), there can still be gaps. A good example is our research into AWS bucket permissions, which found that more than 40% of buckets may be misconfigured.

There is no one-time fix for misconfiguration issues

In a dynamic cloud environment, what’s secure today may be a risk tomorrow. Employee turnover, software updates, the DevOps pipeline and more all mean dynamic cloud infrastructure that is impossible to manage manually.

DevOps and Security need to work as one

To cope with cloud security misconfiguration risk, security procedure needs to be implemented at the build stage, which means Security and DevOps working as a team. This approach, commonly known as “Shift left” is the only way to enable the fast speeds of a digital environment without adding risk to the cloud environment.

The Unique Challenges of Building a Cloud Environment without Cloud Misconfiguration

So, how can you avoid cloud misconfiguration? The truth is, even if you have vast experience as an IT architect, configuring a dynamic cloud environment is not simple. There is little to no standardization between different architectures, platforms or applications, and you’ll need multiple skills to complete any single project, such as load balancing, optimization, security and networking - to name a few.

You will need to start with knowledge of how to configure dozens of default settings, policies and tools to control your assets according to best practices. Lastly, you’ll have to manage all of this and more under the canopy of the Shared Responsibility Model, of which, as we discussed, many organizations fail to truly understand their part.

Just one mistake or cloud misconfiguration, and you could be a single step away from devastating data breaches or cyber-attacks.

Vladi Sandler is a member of the Forbes Technology Council, and recently spoke out about the true costs of cloud misconfigurations, including taking a deep dive into:

> How long it takes an average cloud misconfiguration to be discovered, and what can happen in the meantime.

> The true cost of cloud breaches, and which misconfigured cloud environment assets are responsible for these attacks.

> Four additional costly results of cloud misconfigurations that could eliminate any potential cost savings on the cloud.

This security risk is likely to push you towards deploying smart cloud-native security tools that provide visibility and control over your cloud and Kubernetes environments. So if you’re looking for a way to accurately run the numbers, and prove the ROI of an intelligent security visualization technology like panoptica to the rest of the c-suite, check out the full article here.