There are a good number of reasons why more than 90 percent of the businesses today are on the cloud. The cloud environments are generally scalable, reliable, highly available, cost-effective, multi-regional, flexible, distributed, upgradable, and secure. Companies will soon reach a tipping point, spending for the first time over 50 percent on cloud apps and services rather than on-site deployments.
But there are some drawbacks associated with cloud migrations that businesses need to be aware of. Nearly two-thirds of organizations see security as the most prominent cloud adoption challenge, while privacy, regulatory issues, governance, and compliance concern over 60 percent of businesses. Nearly 75% of IT experts find managing privacy and data protection in a cloud environment to be more complicated than on-premises.
Knowing what to expect in terms of cloud security will allow enterprises to avoid pitfalls and slow migrations. This post will look at some of the common security mistakes organizations make when migrating to the cloud. We’ll also see how each can be tackled.
1. Sensitive data breaches
Breach of sensitive information has been a problem for the cloud for some time. The risk is more prevalent during the cloud migration. When it comes to Amazon Web Services (AWS), most breaches happen when the users place their sensitive data in a storage service called ‘S3’ for backup purposes and batch processing. These files can be easily exposed if the bad guys find them.
For example, U.S. defense contractor Booz Allen Hamilton leaked battlefield imagery and administrator credentials through an insecurely configured S3 bucket on sensitive systems. Accenture lost its cloud platform technical details, 40,000 plain text passwords, admin login credentials, and decryption keys, stored in at least four S3 buckets set to be made publicly available. Time Warner Cable lost 4 million customers ‘ personal identifiable information (PII) upon hitting two publicly exposed S3 buckets. Verizon coughed up the six million-customer PII and later leaked proprietary technical information from misconfigured S3 buckets about its systems.
Fortunately, there are definite steps you can take to make sure your S3 buckets are safe.
- Make sure that any changes in the S3 bucket configuration should be made through a build pipeline and not directly by a user.
- Create Defense-in-Depth policies for Amazon CloudFront and S3 buckets to prevent them from being exposed using the S3 URL.
- Use proper Identity and Access Management (IAM) policies, including the use of application roles, to control bucket access from other services, such as EC2 or Lambda.
2. Leaking credentials
Highly privileged credentials such as user names, passwords, or secret access keys are necessary for any application to run correctly. But they can be exposed, when companies don’t take good care of these credentials. Most hackers send bots to scour GitHub, a famous source code repository, for credentials. When credentials are hard-coded or stored in source control, infrastructure and application code can expose secret keys used for authentication.
What can be done to prevent sensitive credentials from being uploaded to GitHub?
- Use source code administration tool Git to detect sensitive data. It will allow developers and security teams to scan Git repositories and identify credentials that shouldn’t be exposed.
- Use and run your cloud provider’s tools to reduce the need to store credentials in source code or files.
3. Lack of clear policies
One great thing about cloud environments is their flexibility and scalability. But these properties also introduce complex challenges for security teams, when companies don’t have cloud policies or don’t enforce them if they do. What can companies do to define and implement policies?
- Create automated tools like evident.io or Dome9 to enforce these policies.
- Train your admins to educate what they’re allowed to do and what they aren’t.
- Scan all documents, coming into your network through email, for viruses.
4. Not vetting your vendors
Using cloud vendors is inevitable. How you select and deal with vendors can be detrimental to your cloud security if not done correctly. For instance, Verizon’s data breach, which exposed 6 million customer records, occurred when a partner placed log data into a publicly accessible S3 bucket. Poor practices of a third-party vendor also resulted in Time Warner Cable’s breach. Here are a few guidelines to handle your vendors.
- While choosing a vendor, thoroughly vet their security practices and make sure that you can enforce the policies.
- Never sign a contract or use services before understanding how they’ll keep your data safe.
- Make security part of your agreement. Make sure all security requirements are clearly mentioned in the contract.
- Hold your vendors accountable for the data security.
5. Accounts run amok
Some sensitive data breach occurs when employees create AWS accounts on behalf of their companies. The Verizon breach mentioned earlier was interestingly caused by a rogue S3 account created by an employee. Therefore, clear policies and monitoring of accounts is essential to prevent employees from having unlimited access. Here are some best practices.
- Clearly define an account-creation process.
- Define a company-wide cloud usage policy to eliminate confusion and align people with the security requirements.
- Create a security account structure or hierarchy for managing multiple accounts.
- Leverage AWS APIs and scripts to set baseline security configuration across all accounts.
6. Network misconfiguration
Improperly configured network is a technical pitfall you might run into if you’re new to the cloud. A recent survey of 300 IT professionals reveals that most enterprises are vulnerable to security events due to poor cloud misconfiguration. Misconfiguration means that the public cloud instances are poorly configured in such a way that they are susceptible to breaches.
So, what are you to do?
- Closely monitor Virtual Private Cloud (VPC) and network Access Control List (ACL) settings.
- Don’t allow all IP addresses access to your network.
- Use third-party security tools to look at configurations always.
- Engage external security testers to ensure that everything is configured correctly.
7. Not using proper encryption
Proper encryption is necessary when using cloud services. Encryption turns sensitive data into something unreadable and unusable. Therefore, encryption of confidential data is a critical defense against data theft. Encrypted data—even if stolen—is useless to third parties without the encryption keys to decipher it.
How do we ensure proper encryption?
- Formulate a cloud encryption policy
- Define what data needs encryption, and when
- Implement encryption solutions and key management
- Do not store the most sensitive cardholder and authentication data: full track data, card verification codes, and PINs and PIN blocks.
- Integrate your encryption solution with DLP tools that can detect and generate alerts on activity around sensitive data to prevent unauthorized access or sharing of documents that contain protected information.
- Don’t neglect mobile device encryption.