Despite the flexibility the cloud offers, a rapid shift to it can result in mistakes, commonly referred to as misconfigurations. These are caused by errors or poor cloud service configuration choices. While some people might see a small misconfiguration as a non-issue, simple mistakes can lead to unintended exposure of information and challenges in service delivery.
While they may appear small and avoidable, misconfigurations present significant risks to the cloud environment. It is alleged that 65 to 70% of all security issues experienced in the cloud environment are caused by misconfigurations. These include misconfigured settings, policies, assets and interconnected services and resources. This is especially challenging considering that organizations have been migrating quickly to the cloud as remote work became the new norm. Unfortunately, when organizations rush to adopt new technology without understanding the potential problems and configuration best practices, it can lead to unexpected issues later on.
As an attack vector, misconfigurations have been identified as the reason behind losses of almost US$5 trillion in 2018 and 2019. In 2020, for example, Estee Lauder records, including user email addresses, audits, production logs and other crucial pieces of information, were exposed. Similarly, CAM4, an adult website, leaked 10.88 billion records, including users’ personally identifiable information (PII), passwords, and payment logs.
A data breach can be an attack in which sensitive or confidential information is lost, viewed or stolen by unauthorized people. Data breaches can have various business impacts, such as damage to the company’s reputation and resulting mistrust, loss of intellectual property to competing companies, regulatory implications, legal and contractual issues and financial expenses.
Inadequate control of change and misconfiguration
Misconfiguration is said to have occurred if computing assets are incorrectly set up, leaving these assets vulnerable to breaches and other malicious activities. Some key examples of misconfiguration include unsecured data storage elements, excessive permissions, inadequate security controls, controls being left disabled, lack of logging or monitoring, unrestricted port access and unpatched systems.
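Several of the misconfiguration classes listed above (unsecured storage, excessive permissions, missing logging, unrestricted port access) can be checked mechanically. The following is an added example, not part of the original article: an audit over a constructed inventory whose schema, field names and finding codes are hypothetical and not any cloud provider's API. Treating ports 22 and 3389 as sensitive is an assumption.

```python
# Added example. The inventory schema and finding codes are hypothetical,
# not any cloud provider's real API; the sample data is constructed.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # assumption: ports this audit treats as sensitive

def audit(res):
    """Return sorted finding codes for one resource description (a dict)."""
    found = set()
    # A missing setting is treated as disabled, so omissions are reported.
    if not res.get("logging", False):
        found.add("NO_LOGGING")
    if res["type"] == "storage" and res.get("public_read", False):
        found.add("UNSECURED_STORAGE")
    for stmt in res.get("statements", []):  # permission statements on a role
        wild = any(a == "*" or a.endswith(":*") for a in stmt["actions"])
        if stmt["effect"] == "allow" and (wild or "*" in stmt["resources"]):
            found.add("EXCESSIVE_PERMISSIONS")
    for rule in res.get("ingress", []):  # inbound firewall rules
        lo, hi = rule["ports"]
        exposed = any(lo <= p <= hi for p in ADMIN_PORTS)
        if rule["source"] in ANY_SOURCE and exposed:
            found.add("UNRESTRICTED_PORT_ACCESS")
    return sorted(found)

def audit_all(inventory):
    """Map resource name -> findings, keeping only resources with findings."""
    report = {r["name"]: audit(r) for r in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample: each weak resource has a corrected counterpart below.
WEAK = [
    {"name": "backups", "type": "storage", "public_read": True},
    {"name": "ci-role", "type": "role", "logging": True, "statements": [
        {"effect": "allow", "actions": ["storage:*"], "resources": ["*"]}]},
    {"name": "edge-fw", "type": "firewall", "logging": True, "ingress": [
        {"source": "0.0.0.0/0", "ports": (0, 65535)}]},
]
FIXED = [
    {"name": "backups", "type": "storage", "public_read": False,
     "logging": True},
    {"name": "ci-role", "type": "role", "logging": True, "statements": [
        {"effect": "allow", "actions": ["storage:read"],
         "resources": ["bucket/backups"]}]},
    {"name": "edge-fw", "type": "firewall", "logging": True, "ingress": [
        {"source": "0.0.0.0/0", "ports": (443, 443)},
        {"source": "10.0.0.0/8", "ports": (22, 22)}]},
]
if __name__ == "__main__":
    print(audit_all(WEAK), audit_all(FIXED))
```

The weak inventory yields a finding for every resource, while the corrected one yields none.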
Recommendations for avoiding misconfiguration issues
- Grant the least-privilege access
Users need to be given only the necessary access or permission they require to operate. Admin privileges should be given only to those who require them.
- Adhere to the shared responsibility model
When users understand their tasks and responsibilities, misconfigurations and the risk of a breach are reduced. A shared responsibility model will help users understand what they are responsible for and enable the organization to monitor and patch configurations.
- Educate and train staff
Team members need to learn the importance of proper configurations and their responsibilities. They should be able to identify insecure practices so that they can promptly report issues. This can only be achieved through education on the threats and misconfigurations they need to watch for.
- Create and implement security procedures, policies and standards
Effective and detailed rules, policies, procedures and standards must be identified, defined and implemented to reduce the risk of misconfigurations. These are policies associated with creating and using passwords, encryption, remote access, and database management.