And fix them fast, as misconfigurations often lead to security incidents
Businesses are increasingly adopting infrastructure-as-a-service (IaaS) for their IT operations. By 2022, roughly 60 percent of organizations will be using cloud managed service offerings, doubling the utilization in 2018.
While cloud offerings such as Amazon Web Services (AWS) are generally secure, there still is a lot of room for data security issues since IaaS relies on a shared security model. Misconfigurations during cloud migration can inadvertently create security holes.
And a misconfiguration is more than a theoretical concern. The typical business averages roughly 3,500 misconfiguration incidents per month, according to recent McAfee enterprise security research, with 90% of companies reporting that they have encountered IaaS security issues.
Getting configuration right during cloud migration can therefore greatly reduce the chance of IaaS security problems later on. Here are six of the most common cloud security issues stemming from misconfigurations, and how to prevent them.
1. Unrestricted inbound ports
Every port that is open to the Internet is a potential security issue. Cloud services often use high-number TCP or UDP ports as a way to hide them from discovery, but determined hackers can nonetheless sniff them out. Obfuscation is a security best practice, but it is insufficient by itself.
Additionally, when migrating to cloud infrastructure, make sure that the full range of open ports is known. Then lock down or restrict those that are not strictly necessary. Ideally, all inbound ports should be limited to the systems that need them, not the general Internet.
2. Unrestricted outbound ports
Inbound ports are not the only security concern. Outbound ports also open the door for security events such as lateral movement, data exfiltration, and internal network scans once a system has been compromised.
A common misconfiguration that increases security risk is granting outbound access to SSH or RDP. An application server almost never needs to SSH to other servers on the network, so open outbound ports for SSH are not necessary.
A best practice is limiting outbound port access and using the principle of minimalist authority so outbound communications are tightly restricted.
3. ICMP left open
The Internet Control Message Protocol (ICMP) is useful for reporting network device errors, but it also is a classic target for cyberattack. That’s because while ICMP can show if a server is online and responsive, it also can be used by hackers to pinpoint an attack.
ICMP is a vector for denial of service attacks as well. A ping sweep or ping flood can overwhelm a server with ICMP messages.
This is an ancient method of attack, but still an effective one. So a good IaaS configuration will block ICMP.
4. Non-HTTPS port access
Little-used and under-monitored ports commonly exist for management or database communication purposes. Some remain open by default but are not used at all—and go without encryption.
Leaving these ports open is one of the biggest misconfigurations during cloud migration, because an unknown or poorly configured port can be an easy access point or hackers looking for an exploit or planning to brute force authentication.
Beyond restricting inbound and outbound ports, consider shutting down all ports that are not strictly necessary—and making sure all require encrypted communication. This reduces the number of potential entry points and minimizes the chance of forgetting about an open, unencrypted port. When a port is necessary, limit traffic to the specific addressees that will be accessing it.
5. Insecure automated backups
Insider threats are an ever-present security risk. Roughly 92% of companies have employees with credentials for sale on the Dark Net, according to McAfee. One area where an insider threat can be particularly damaging is when the automated backup of cloud service data is not properly secured.
Master data might be protected, but poorly configured data backups can inadvertently sit exposed and vulnerable to these insider threats.
So during cloud migration, make sure cloud data backups are encrypted both in transit and rest. Also check permissions so access to the backups is tightly restricted.
6. Generous API access
Application programmer interfaces are an integral part of cloud service infrastructure. API misconfigurations also were the cause of data breaches over the past few years at Salesforce, Venmo, McDonald’s, and T-Mobile, among many others. Poorly configured APIs give hackers a number of potential entry points to a company’s data in the cloud.
There is no simple solution for locking down API access. Both inspecting and designing APIs from a security perspective helps, though. Erring on the side of less access to methods also keeps cloud services better secured.
Threats remain even with good configuration
Avoiding misconfigurations during cloud migration can eliminate many common security vulnerabilities, but there’s no way that businesses can completely eliminate cloud security risk. That is one reason why end-to-end network traffic monitoring is so important.
With real-time network traffic monitoring that encompasses the full length of the network, from devices at the edge all the way to the cloud core, businesses can more easily spot unusual activity that is an early warning sign of misconfiguration and security trouble. Network administrators then can address these security issues early, before they become data breaches with far-reaching impact. As the leader in performance analytics, we’re committed to empowering our customers with the ability to see far and wide across their IT and network infrastructure. Our fully virtualized network traffic monitoring solution, Skylight, helps businesses get the real-time, end-to-end network visibility needed for effective cloud security.
You can learn more about Skylight and how it can help with cloud security here.