Cloud Misconfigurations and Misconceptions

Nayeem Patel
Published in Globant · 11 min read · Jul 20, 2023
Source: security magazine

Cloud security has grown significantly in complexity and dispersion. The widespread adoption of cloud technology has fundamentally transformed the IT landscape, giving rise to new forms of cyberattacks and data breaches. Present-day cybercriminals often prefer exploiting existing vulnerabilities to breaking through barriers, and many businesses unintentionally leave numerous entry points unlocked. According to Gartner’s prediction for the period up to 2025, the customer will bear responsibility for approximately 99% of cloud security failures.

Most successful attacks on cloud services result from customers’ unsuitable configurations, poor management, and misconfigurations. But why do misconfigurations happen, and how can they be avoided in the cloud? In this article, we try to answer these questions.

Why does misconfiguration happen?

Cloud misconfigurations can happen for a variety of reasons. Here are a few examples:

  • Less priority and lack of knowledge of cloud security policies: When creating and managing applications and infrastructure, most of the developer and DevOps teams do not place a high priority on security. These teams primarily concentrate on making sure the service operates properly and provides users with functionality.
  • Too many APIs and interfaces, which change quickly, make governance difficult: As our environment’s complexity rises over what we are familiar with, humans make errors. Changing configurations within a scalable design, adding components, or adding new containers all have the potential to cause issues.
  • Insecure DevOps Practice: Agility is one of the main advantages of cloud infrastructure. In an effort to swiftly roll out new features during testing, administrators may set up temporary security setups. If they are not changed after release, these setups put the company at risk.

Anyone working in a modern organization knows that complexity tends to increase rather than decrease. Software and cloud technologies amplify this further, to the point where no individual can fully comprehend the system in its entirety. Operating within such a system is challenging, particularly when it comes to upholding security measures, and getting work done becomes notably harder. As a result, shortcuts and compromises on certain aspects become unavoidable, since without them progress within the given timeframe would be unachievable.

We must strive to understand that accidents don’t happen because people gamble and lose. Accidents happen because people believe that:

What is about to happen is not possible,
Or that what is about to happen has no connection to what they are doing,
Or that the possibility of getting the intended outcome is well worth whatever risk there is.

- Erik Hollnagel

As per the 2021 Trend report, the following are the services with the highest misconfiguration rate:

Source: 2021 Trend report

In the figure, see the top 10 Microsoft Azure services with the highest number of checks based on Trend Micro Cloud One — Conformity data from June 2020 to June 2021.

As per the report, the top misconfigured rule for Microsoft Azure in terms of its misconfiguration rate was “check for Azure Advisor recommendations,” which has a misconfiguration rate of 100% and a total number of 94,095 misconfigurations:

Source: 2021 Trend report

The links below show some examples of well-known misconfigurations for well-known cloud providers:

If you would like to learn more about misconfiguration, please check out my blog about how to Integrate Infrastructure Security with Azure Devops.

How to avoid misconfiguration in the cloud

The good news is that your company could use certain best practices to more effectively safeguard its cloud-based assets and, as a result, avoid a cloud misconfiguration incident.

  • Use logging: Enable logging to keep track of the users making modifications in your cloud environment. A record of changes helps you determine the root cause of any misconfiguration incident.
  • Establish, implement, and share robust security guidelines: Make sure you establish robust security policies and include them in all the procedures used to create or improve cloud infrastructure. Don’t forget to inform staff members of these policies, so they don’t unknowingly configure cloud settings incorrectly.
  • Conduct regular misconfiguration audits: By conducting routine audits to check for indications of misconfiguration and other cloud-based vulnerabilities, you can ensure the security of your cloud environment.
  • Upskill employees: DevOps and the cloud are expanding rapidly, but DevOps engineers and cloud developers often lack a strong understanding of cloud security. Because they do not build their work with security in mind, security-related issues occur frequently. This problem can be reduced by using IaC, SDI, and the inclusion of CSPM (explained in detail later in the article) in the DevOps cycle. Improving people’s skills therefore helps ensure security from the beginning of the design process. Shifting left is nice, but starting left is better.
  • Don’t play the blame game: As painful as it may be to admit, no security team will ever be able to eliminate all potential points of vulnerability in an advanced system. Worse still, the same mistake may happen again at the same point in the future. Being blameless is one of the core fundamental values of your approach; it is important to go into the process understanding that the issue you are about to investigate may very well happen again. Identify the root cause and remove the error to fix things. Focus on learning, not on blaming.

Security failures will happen; only without blame will you understand the true causes, learn from them, and improve.
- Rich Smith

What is Cloud Security Posture Management (CSPM)?

Cloud security posture management (CSPM) detects and eliminates risk by automating workflows for visibility, continuous monitoring, threat detection, and remediation to look for misconfigurations across a variety of cloud environments and architectures, such as:

  • Infrastructure as a Service (IaaS)
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)

When businesses move their applications to different cloud providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), they typically implement CSPM as a standard security practice. According to Microsoft’s documentation, a powerful and diverse CSPM with quick, automated reactions can protect you and your business against the following issues:

  • Misconfiguration
  • Legal and regulatory compliance issues
  • Unauthorized access
  • Insecure Interfaces/APIs
  • Account hijacking
  • Lack of visibility
  • External data sharing
  • Improper usage, setup, and permissions in the cloud
  • Compliance and regulation issues

Steampipe open-source tool for CSPM

There are many open-source CSPMs out there, but one of the most popular is Steampipe. We will use this tool for demo purposes.

Step 1: Download Steampipe using the following command

/bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"
Downloads the Steampipe binary and installs it to /usr/local/bin/steampipe on your local machine.

In this first step, we download the steampipe binary and install it into /usr/local/bin. Because this pattern executes a remotely fetched script directly, review the script before running it. This step is valid for Linux; for other operating systems, please refer to the macOS & Windows guides.

Step 2: Install the steampipe plugin

Steampipe provides multiple plugins. As per your requirement, you can choose a plugin from the hub. To install a plugin, run the following steampipe plugin command.

steampipe plugin install azure
Downloads and installs the latest Azure plugin.

Step 3: Configure credentials

After installing the Azure plugin, we must set up credentials so that the plugin can begin requesting information from our Azure accounts. Grant the service principal behind the client ID read-only access to your Azure subscription, then export the following variables (the IDs below are placeholders):

export AZURE_ENVIRONMENT="AZUREPUBLICCLOUD"
export AZURE_TENANT_ID="00000000-0000-0000-0000-000000000000"
export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
export AZURE_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export AZURE_CLIENT_SECRET="plaintext secret"

There are other options available for configuring the credentials; for more information, see the Azure, AWS & GCP steampipe guide.

Step 4: Set up dashboards and benchmarks

Compliance is a typical use case for Steampipe. Steampipe lets you view the data through a dashboard while also checking it on a terminal. Let’s look at the compliance mod for Azure. To install the Azure compliance mod, run the following commands.

  • Clone the Azure compliance repository:
git clone https://github.com/turbot/steampipe-mod-azure-compliance.git
  • Change the directory:
cd steampipe-mod-azure-compliance
  • Start the dashboard:
steampipe dashboard
Loads the mod and starts the dashboard.

Steampipe will start the dashboard server on your local machine on the following URL: http://localhost:9194/

Once you open this URL, the dashboard appears as in the image below. The dashboard displays all Azure compliance options:

CIS, HIPAA HITRUST, NIST and PCI DSS compliance benchmarks across all your Azure subscriptions.

Click on the title of the report to view it. For example, click on CIS V1.3.0 Compliance Azure Benchmark to view that report:

CIS V1.3.0 benchmark for Azure.

The Center for Internet Security (CIS) benchmark is the product of a community consensus process and consists of secure configuration guidelines developed for Microsoft Azure. To see why Azure resources are not compliant, click on the respective category. For example, click on “Other security considerations”. In this category, you can see key vaults that do not have purge protection enabled:

Compliant and non-compliant resources.

Note: Steampipe does not provide automatic remediation for any issue. It provides the remediation steps; it is the user’s responsibility to follow them and resolve the issue. Before making any change in your environment, verify that it will not impact your running applications.

Advantages of CSPM

CSPM solutions can help organizations to improve their cloud security posture in a number of ways. Here are some of the advantages of using CSPM.

  • Provides Visibility: it is important and difficult to gain insight into all cloud services spread across different cloud providers. By analyzing and normalizing data sources and compiling a thorough inventory of cloud resources and assets, CSPM solutions offer centralized insight across cloud and multi-cloud environments.
  • Maintains Compliance: it can help organizations achieve and maintain compliance with various regulations and standards, such as HIPAA, PCI-DSS, CIS, GDPR, etc., by identifying security gaps and providing recommendations for remediation.
  • Improves Security: by offering comprehensive monitoring and evaluation of the cloud environment, detecting security risks, and suggesting remedies, CSPM may assist enterprises in strengthening their security posture.
  • Improves Efficiency: by automating several manual security operations, delivering real-time warnings, and automating incident response capabilities, CSPM may support enterprises in increasing their productivity. In this way, businesses can minimize security issues and respond immediately with minimum downtime.

Limitations of CSPM

While using CSPM solutions, organizations should think about the following restrictions and make sure they are taking care of all cloud security and compliance needs:

  • Only configurations for cloud environments are used by CSPM to identify security issues. Other risks, like defects in application source code, won’t be detected by it.
  • By finding risks before they are exploited, CSPM enables you to stay on top of risks, but it won’t warn you of unusual behavior like brute-force password attempts or network port scans, which might be indications of an ongoing attack on your cloud environment.
  • CSPM relies on the cloud provider’s API, which can change frequently and may not always provide accurate data. This can lead to inaccurate or incomplete security assessments.

Cloud security myths and misconceptions

There are some common misconceptions in the cloud security world. The top 4 myths about cloud computing security are listed below, together with the realities behind them:

  • Cloud vendors are responsible for cloud security: The majority of businesses often think that their cloud providers will take care of all of their security requirements, but unfortunately, that’s not true. For all cloud deployment types, you own your data and identities. The following responsibilities are always retained by you:
    - Data.
    - Endpoints.
    - Account.
    - Access Management.
    Check out Chris Hughes’s blog about this topic.
  • The better your security, the more tools you have: Although untrue, this belief is widespread among organizations, as evidenced by the KPMG and Oracle Cloud Threat Report from 2020:
    Almost 70% of the firms questioned stated that plenty of tools are needed to defend the public cloud. On average, every organization uses more than 100 cloud security tools. Different cloud providers have distinct cloud solutions for preventing an attack, and the gaps between them are where attackers can enter. However, using too many tools will only make the problem more complex. The most effective approach is to implement only those solutions that can effectively manage your cloud security without adding more complexity.
  • Let the security be handled by professionals: Many believe that security should only be managed by security specialists. However, the best course of action is to make sure that everyone is responsible. For example, shifting left during the software development phase lets you put security in place during development itself. Issues are then identified in the development phase, saving effort, time, and money.
    Check out Zachary Malone’s blog about what executives should know about shift-left security.
  • Verifying Infrastructure-as-Code files against the policy is enough: While using the cloud, DevOps teams learn that using the cloud console for everything doesn’t scale. Thanks to IaC tools, we can define the cloud resources we require in configuration files and create and upgrade infrastructure in an effective and scalable manner. To determine whether the cloud architecture we are planning to build will be secure and compliant, it’s easy to compare our IaC code against defined policies. Although doing so acknowledges that the shift left must involve both infrastructure and application security, there are unfortunately some flaws in this strategy that can result in misconfiguration risks:
    - IaC code does not tell the whole story: isolated IaC files don’t provide a complete picture.
    - IaC files don’t include every configuration attribute.
    - IaC languages are dynamic and must be resolved at runtime.
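The following added example (not Steampipe’s or the CIS benchmark’s code) runs the key vault purge-protection rule from the Steampipe section against two constructed views of the same vaults: what the IaC files declare and what the cloud API reports after deployment. The attribute name and all vault data are constructed for illustration; the point is that an IaC-only scan yields “unknown” wherever an attribute is omitted or is a variable resolved only at apply time, while the runtime scan yields a definite pass or fail.

```python
"""Mini posture check: one CIS-style rule (key vault purge protection)
evaluated against IaC definitions and against a runtime inventory.
Added example; all resource data below is constructed."""
import re
from dataclasses import dataclass

RULE = "Key vault purge protection should be enabled"
# Matches an unresolved IaC variable reference such as ${var.purge_protect}.
UNRESOLVED = re.compile(r"^\$\{.*\}$")


@dataclass(frozen=True)
class Finding:
    resource: str
    status: str  # "ok", "alarm" or "unknown"
    reason: str


def check_purge_protection(resource: dict) -> Finding:
    """Same rule for IaC and runtime data. IaC input may omit the attribute
    (a provider default applies) or carry an unresolved variable."""
    name = resource["name"]
    value = resource.get("purge_protection_enabled")
    if value is None:
        return Finding(name, "unknown", "attribute not declared; runtime default decides")
    if isinstance(value, str) and UNRESOLVED.match(value):
        return Finding(name, "unknown", f"value {value} is resolved only at apply time")
    if value is True:
        return Finding(name, "ok", "purge protection enabled")
    return Finding(name, "alarm", "purge protection disabled; enable it on the vault")


def scan(resources: list) -> list:
    return [check_purge_protection(r) for r in resources]


def summarize(findings: list) -> dict:
    counts = {"ok": 0, "alarm": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed IaC view: what a Terraform-like file declares.
IAC = [
    {"name": "kv-prod", "purge_protection_enabled": True},
    {"name": "kv-dev"},  # attribute omitted, provider default applies
    {"name": "kv-test", "purge_protection_enabled": "${var.purge_protect}"},
]
# Constructed runtime view: what the cloud API reports after apply.
LIVE = [
    {"name": "kv-prod", "purge_protection_enabled": True},
    {"name": "kv-dev", "purge_protection_enabled": False},
    {"name": "kv-test", "purge_protection_enabled": False},
]

if __name__ == "__main__":
    for label, data in (("IaC scan", IAC), ("runtime scan", LIVE)):
        print(label, summarize(scan(data)))
```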

Summary

In this article, we explained the importance of cloud infrastructure security. It’s important to recognize the factors that contribute to cloud misconfigurations and take proactive measures to address them. This includes investing in training and education, implementing automation and monitoring tools, and establishing clear communication channels between teams involved in managing the cloud environment. Cloud security is a shared responsibility, and organizations must actively implement security measures, monitor their environment, and stay updated on the latest threats and best practices.

By leveraging Cloud Security Posture Management, organizations can enhance their cloud security by proactively identifying and addressing vulnerabilities, ensuring compliance, and reducing the risk of security breaches or data leaks in their cloud infrastructure.
