The SANS Institute's 2019 Cloud Security Survey is sobering (you'll need to sign up for a free membership to read it). Written by Dave Shackleford in April 2019, the report also states some disappointing facts and figures. For example, one would think that after all of the recent breach reports, we'd be better at protecting our cloud resources. But not only are we still pretty bad at it, the big problem isn't even technology. It's still people. , no, we're still not. A clear indication of this appears in the report's list of the top types of attacks, starting with account or credential hijacking, and the number two reason of misconfiguration of cloud services and/or resources.
A clear indicator of this is that one of the top threats, according to the report, is still account and credential hacking, while the number two threat is misconfiguration. "Credential hijacking is a tried-and-true access methodology because you're attacking people," said Mike Sprunger, Senior Manager of the Security Consulting Practice at Insight Enterprises' Security Consulting Practice. "People will always be the weakest link [because] this is where you get into a lot of the traditional social engineering issues, such as calls to the help desk, phishing, and spear phishing."
Of course, there are many ways that credentials can be stolen, with phishing simply being the latest and, in some cases, the hardest with which to deal. But credentials can also be harvested from data from other breaches simply because people reuse the same credentials where they can so they don't have remember any more than necessary. In addition, the time-honored practice of writing log-in information on sticky notes and pasting them next to a keyboard is still very much around.
Misconfiguration of cloud services is another area in which people are the weak point. The difference here is that people will go out and stand up a cloud service without having any idea what they're doing, and then they'll use it to store data without protecting it.
"First, in cloud adoption, there's been so much about how easy it is to stand up a cloud that there are unrealistic expectations," Sprunger explained. "People make mistakes, and it's not really clear what you have to do to define security around containers."
Vagueness In Security Isn't Good
Part of the problem is that cloud providers don't really do an adequate job of explaining how their security options work (as I found out when reviewing IaaS products last year), so you have to guess or call the vendor for help. For example, with many cloud services you have the option of turning on a firewall, but finding out how to configure it once it's running may not be clearly explained. At all.This problem is so bad that Shackleford, the SANS report's author, begins the report with a list of unprotected Amazon Simple Storage Service (S3) buckets that resulted in breaches. "If the numbers are to be believed, 7 percent of S3 buckets are wide open to the world," he wrote, "and another 35 percent are not using encryption (which is built into the service)." Amazon S3 is a great storage platform as our testing bore out. Problems like these stem simply from users either misconfiguring the service or being entirely unaware that certain features exist.
Privileged use abuse is next on the list and it's another problem stemming from people. Sprunger said that this is more than just disgruntled employees, although it includes those. "A lot of what's missed are third parties that have privileged access," he explained. "It's far easier to go in through service account access. Typically, it's a single account with a single password, and there's no accountability."
Service accounts are usually provided for third parties, often vendors or contractors who need access either to provide support or service. It was such a service account belonging to an HVAC contractor that was the weak point leading to the Target breach in 2014. "Those accounts typically have god-like privileges," Sprunger said, adding that they are a prime target for attackers.
Overcoming Security Vulnerabilities
So, what do you do about these vulnerabilities? The short answer is training but it's more complex than that. For example, users need to be trained to look out for phishing emails, and that training needs to be complete enough to recognize even subtle signs of phishing. Plus, it needs to include the steps employees should take if they even suspect they're seeing such an attack. This includes how to see where a link in an email is really going, but it also needs to include procedures for reporting such an email. The training needs to include a belief that they won't get in trouble for failing to act on emailed instructions that appear suspicious.
Likewise, there needs to be some level of corporate governance in place so that random employees aren't going out and setting up their own cloud service accounts. This includes watching expense report vouchers for charges for cloud services on personal credit cards. But it also means that you need to provide training on how to deal with the availability of cloud services.
Dealing With Privileged User Abuse
Dealing with privileged user abuse can also be challenging because some vendors will insist on access with a wide range of rights. You can deal with some of this by segmenting your network so the access is only to the service that's being managed. For example, segment it so that the Heating, Ventilation, Air Conditioning (HVAC) controller is on its own segment, and vendors tasked with maintaining that system only get access to that part of the network. Another measure that could help to accomplish this is deploying a robust identity management (IDM) system, which will not only keep better track of accounts, but also who has them and their access priviledges. These systems will also let you suspend access more quickly and provide an audit trail of account activity. And while you can spend big bucks on one, you might already have one running if you're a Windows Server shop with a Microsoft Active Directory tree enabled.
You may also need to make sure that vendors have least privilege access, so that their accounts only grant them rights to the software or appliance they're managing and nothing else -- another great use of an IDM. You can require them to ask for temporary access for anything else.
These are only the top few items on a fairly long list of security woes, and it's worth reading the SANS security survey in its entirety. The list will give you a roadmap of ways to approach your security vulnerabilities, and it will help you realize more steps you can take. But the bottom line is, if you're not doing anything about the problems reported by SANS, then your cloud security will suck, and you'll probably be caught in a vortex of failure as your cloud circles the drain to a full-blown breach.