Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues




A string of household names recently have been responsible for misconfigured cloud storage buckets overflowing with wide-open data, once again shining a light on a cybersecurity problem for which there seemingly is no plug.

Just last week, security researcher Anurag Sen revealed that an Amazon server had exposed data on the viewing habits of Amazon Prime members. During the same period, news and media conglomerate Thomson Reuters acknowledged that three misconfigured servers had exposed 3TB of data through public-facing ElasticSearch databases, according to Cybernews, which reported the issues.

And in mid-October, Microsoft acknowledged that it had left a misconfigured cloud endpoint open that could expose customer data, such as names, email addresses, email content, and phone numbers.

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability,” Microsoft said in its statement on the misconfigured server. “We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”

And indeed, the leaks are caused by a variety of misconfigurations rather than any bugs, ranging from insecure read-and-write permissions to improper access lists and misconfigured policies, all of which can allow threat actors to access, copy, and possibly alter sensitive data in the exposed data stores.

“The main concern with this type of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets,” says Ensar Şeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. “Once they discover [the accessible data], the bucket might … contain huge amounts of sensitive data for one tenant [or] numerous tenants.”

The security impact of misconfigured storage is not a new issue. The problem regularly ranks among the top 10 security issues included in the popular Open Web Application Security Project (OWASP) Top 10 security checklist. In 2021, Security Misconfiguration took the No. 5 spot, up from No. 6 in 2017. The annual “Data Breach Investigations Report,” published by Verizon Business, also notes the outsized impact of misconfigured cloud storage: Human errors accounted for 13% of all breaches in 2021, with the report noting that misconfiguration “heavily influenced” the result.

Rogue Servers: A Stealth Cloud Security Problem

Overall, 81% of organizations have experienced a security incident related to their cloud services over the past 12 months, with nearly half (45%) suffering at least four incidents, according to Venafi. The increase in complexity of cloud-based and hybrid infrastructure, along with a lack of visibility into that infrastructure, has caused the rise in incidents, says Sitaram Iyer, senior director of cloud-native solutions at Venafi.

“Yes, misconfigured cloud storage is one of the major causes of data leaks, and I do believe that this is a trend,” he says. “The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users should be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access.”

Yet, often misconfiguration is not the original sin; instead, an employee or developer will deploy a “shadow” server, a container or storage bucket not known to the information-technology department and, thus, not managed by the company. “Shadow” data, stored in cloned databases, test environments, unmanaged backups, and data analysis pipelines, is the main threat, says Amit Shaked, CEO and co-founder of Laminar, a cloud data security platform.

“Because it’s unknown, it’s at further risk for exposure, which makes it a popular target for adversaries,” he says.

Better DevOps Automation Could Help

Companies should regularly monitor their cloud assets to detect when a datastore or storage bucket may have been exposed to the public internet. In addition, when deploying cloud storage, using infrastructure-as-code (IaC) configuration files not only automates deployments but also helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.

Adopting IaC reduces cloud misconfigurations by 70%, according to the firm.

“When IaC isn’t being used, or when runtime misconfigurations can’t be tied back to the IaC templates that were used to create and manage an environment, it’s common for the same vulnerability to appear again and again after remediation,” Manoj Nair, chief product officer at Snyk, said in a statement sent to Dark Reading.

Part of the problem continues to be the division of responsibilities between cloud providers and their enterprise customers. While the responsibility for configuring cloud assets belongs to the customer, the cloud service should make properly configuring a cloud asset as easy as possible, Venafi’s Iyer says.

“Principle of least privilege must be followed for every aspect of the data,” he says. “Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented.”
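The two recommendations above, regular monitoring for buckets exposed to the public internet and access policies tied to a specific user or service account, can be checked mechanically against a bucket's resource policy. The following Python is an added example written for this article, not code from any of the vendors quoted; it parses an S3-style bucket policy and flags Allow statements whose Principal is a wildcard, treating a Condition block as a narrowing control that still deserves review. The policy, account ID and VPC endpoint ID are constructed placeholders.

```python
import json

# Constructed sample bucket policy (placeholder account and endpoint IDs, not
# real): one statement grants anonymous read to the whole bucket, one is
# correctly scoped to a role, one is a wildcard narrowed by a VPC-endpoint condition.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-analytics", "arn:aws:s3:::example-analytics/*"]},
    {"Sid": "ScopedRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-analytics/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-analytics/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123abcd"}}}
  ]
}
""")

def _is_wildcard_principal(principal):
    """True when a statement's Principal matches any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False

def find_public_statements(policy):
    """Return (Sid, severity) for Allow statements open to any principal.

    Unconditioned wildcard grants are 'public'; wildcard grants carrying a
    Condition (e.g. a VPC endpoint restriction) are 'review'. Deny statements
    and statements scoped to a named principal are ignored.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        severity = "review" if st.get("Condition") else "public"
        findings.append((st.get("Sid", "<no-sid>"), severity))
    return findings

if __name__ == "__main__":
    for sid, severity in find_public_statements(SAMPLE_POLICY):
        print(f"{severity}: statement {sid} grants access to any principal")
```

Run the same function over each bucket's policy on a schedule and alert on any 'public' finding; a 'review' finding is worth confirming by hand, because a Condition only narrows access if it references the right key.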

In a statement sent to Dark Reading, an Amazon spokesperson said of the Prime Video case: “There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) were exposed.”
