When you look at breach data in today's cloud-dominated IT environment, you can find many cases where a small mistake by a DevOps or CloudOps team had a huge effect on an enterprise's reputation or, in some cases, on its very survival. Misconfigured AWS S3 buckets, weak or absent passwords on publicly accessible databases, and secrets accidentally committed to GitHub are just a few examples. Misconfigurations and unpatched vulnerabilities are common, and attackers routinely use them to gain initial access.
During one of IBM X-Force's AWS cloud penetration testing engagements, researchers exploited a server-side request forgery (SSRF) vulnerability in a web application that was still in development. The SSRF let them reach the EC2 instance metadata service (IMDS) and read the temporary credentials of the instance profile attached to the web server's EC2 instance. The CloudOps team had accidentally granted that instance profile full access to an S3 bucket, which gave the researchers complete access to the sensitive data stored in it.
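The chain above can be broken from two sides: on the instance, require IMDSv2 so a plain GET relayed through the application cannot read credentials (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`), and in the application, refuse to fetch anything that points at link-local, loopback or private addresses. The Python below is an added example of the second control; it is not code from the X-Force engagement or from any IBM tool. The blocked ranges and the public address used as the "allowed" case are assumptions chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a server-side fetch must never reach. 169.254.169.254 (IPv4) and
# fd00:ec2::254 (IPv6) are the AWS IMDS endpoints; the rest are loopback,
# link-local and private space where other internal services live.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),   # IPv4 link-local, includes IMDS
    ipaddress.ip_network("fd00:ec2::254/128"),  # IMDS IPv6 endpoint
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _is_blocked(addr) -> bool:
    # An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is a common
    # bypass attempt; unwrap it so the IPv4 ranges above apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def _resolve(host: str) -> list:
    """Every address the host maps to; an empty list on failure (fail closed)."""
    try:
        return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]
    except (socket.gaierror, ValueError, OSError):
        return []


def check_fetch_target(url: str) -> tuple:
    """Decide whether the server may fetch a user-supplied URL.

    Returns (allowed, reason). Only http/https are accepted, the host is
    resolved to all of its addresses, and any address inside a blocked
    range rejects the whole request.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS needed
    except ValueError:
        addrs = _resolve(host)  # hostname, or an odd numeric form like 2852039166
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://93.184.216.34/"):  # assumed public address for the allowed case
        print(u, check_fetch_target(u))
```

Two caveats a practitioner should keep in mind: the check resolves the name once, so the actual fetch must connect to the address that was checked (otherwise a DNS rebinding attack returns a public address to the check and 169.254.169.254 to the fetch), and HTTP redirects must be disabled or re-checked, since a 302 to the metadata endpoint bypasses a check done only on the original URL.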
Since the cloud's introduction, services supplied by cloud service providers (CSPs) have let organizations innovate faster and cut the time it takes to build and deploy production applications, but this speed comes with an added element of security risk. Under the shared responsibility model, the CSP is responsible for safeguarding its platform, while the customer is responsible for securing the data stored on that platform and the configuration of the services that hold it, which can be a difficult undertaking.
The Struggles of Cloud Adoption
Many businesses began their cloud journey with CSPs' Infrastructure-as-a-Service (IaaS) offerings, which gave them complete control over the infrastructure. Over time, adopters realized that maintaining that infrastructure themselves was becoming too difficult and time-consuming, and moved to Platform-as-a-Service (PaaS) offerings. CSPs improved their PaaS services along the way to make them more dependable, feature-rich, and easier to manage and integrate with, making them more appealing to their customers.
Adopting a PaaS product does not outsource responsibility for data security to the CSP. CloudOps and DevOps teams are still responsible for securely configuring every part of any cloud service they use so that their company's data is not exposed to attackers. That is where firms are now having difficulty.
Companies are asking themselves: "Have I set up the security tools offered by my CSP correctly?" "Do my identity and access management practices have any gaps?" "Are my cloud storage containers configured to allow only authorized access?" "Is security properly integrated into my continuous integration/continuous delivery pipelines?" If security best practices are not built into every phase of the development life cycle, these questions can be difficult to answer.
Furthermore, experienced practitioners with cross-industry knowledge are hard to find and retain, making it difficult to run, secure, and maintain critical cloud assets. During the past year, we have seen attackers target supply chains that sit outside the control of the enterprise. Many companies struggle to keep track of who is using their cloud infrastructure, what rights those identities have, and what misconfigurations exist.
Cloud Operations: Threats and Trends
While the advantages of cloud computing are easy to understand, the risks of today's hybrid multi-cloud deployments are harder to understand and manage.
Attackers use a variety of tactics to gain access to cloud infrastructure: credential hunting (scanning code hosting platforms for accidentally exposed credentials, phishing, and social engineering), exploiting vulnerabilities and misconfigurations in public-facing cloud assets (web applications, storage, and so on), and pivoting from compromised on-premises hosts into the cloud environment.
Developers are lucrative targets as well. The public cloud is the ideal platform for them because it gives them all the tools they need to build, run, and debug code, collaborate with other developers, and serves as a central place for testing code and deploying it to production. Developers, however, are typically under pressure to get their code into production as quickly as possible, and under that pressure they are more likely to make mistakes and skip security. For example, improper handling of secrets (API keys, passwords, certificates, and so on) can lead to the disclosure of a production database administrator password, which can spell doom for a business. As a "temporary" or "quick" test, CloudOps administrators may use overprivileged users or roles, but they frequently neglect to apply the principle of least privilege once the test succeeds, leaving the door open to privilege abuse and data leakage.
These are the kinds of things attackers are searching for, and once they’ve gotten their hands on a cloud asset, they may go on to their next target (data manipulation, exfiltration, etc.).
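The "quick test" role that never gets tightened is easy to catch mechanically, because it almost always shows up as a wildcard action or resource in an IAM policy. The Python below is an added example, not an IBM tool or part of the original article: it holds an overprivileged policy of the kind the engagement above exploited next to its least-privilege replacement, and a small linter that flags the patterns a reviewer would reject. The bucket name, prefix and statement layout are assumptions. For real policies, AWS IAM Access Analyzer policy validation performs a far more thorough version of this check.

```python
import json

# Weak policy left behind after a "quick test": every S3 action on every bucket.
OVERPRIVILEGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "QuickTest", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

# The same instance-profile role after least privilege is applied.
# Bucket name and prefix are assumptions for this example.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteUploads",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-app-uploads/incoming/*"
    },
    {
      "Sid": "ListUploadsPrefixOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-app-uploads",
      "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}}
    }
  ]
}
""")

# Services where a wildcard on Resource is especially dangerous because it
# allows escalation (creating keys, passing roles) rather than just data access.
PRIVILEGE_ESCALATION_SERVICES = ("iam:", "sts:")


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings for an IAM policy document.

    Only Allow statements are examined; Deny statements can only narrow access.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action '{action}'")
        if "*" in resources:
            findings.append(f"{sid}: resource '*' applies to every resource in the account")
            if any(a.lower().startswith(PRIVILEGE_ESCALATION_SERVICES) for a in actions):
                findings.append(f"{sid}: IAM/STS actions on resource '*' enable privilege escalation")
    return findings


if __name__ == "__main__":
    for name, policy in (("overprivileged", OVERPRIVILEGED_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Run this over every policy attached to an instance profile in a CI step and the "temporary" `s3:*` on `*` fails the build instead of surviving into production.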
Securing the Cloud: Recommendations
IBM Security X-Force believes that firms should focus on three factors when it comes to cloud security:
- Invest in building a security mindset into your DevOps process: "start left" as well as "shift left." Testing your code for security issues early in the development life cycle (shift left) should be paired with writing secure code in the first place (start left). Developers should also receive security awareness training so they can recognize the hallmarks of a social engineering attempt. In serverless setups, developers are the new target.
- Use cloud-based security technologies (those provided by your CSP and those available commercially) to improve your threat detection and response capabilities.
- Perform regular cloud security assessments (configuration reviews and penetration testing) to learn whether attackers could break into your cloud infrastructure and how they would exploit any vulnerabilities found. Each assessment should end with prioritized recommendations that lower your risk of a breach and build security best practices into your cloud workloads, your staff, and your infrastructure as a whole.
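One cheap, concrete way to "start left" is a pipeline step that scans every commit for credentials before it reaches a code hosting platform, which is exactly where the credential hunting described above begins. The Python below is an added example and not part of the original article or any IBM product. The sample file is constructed for the example, and the two AWS values in it are the placeholder example credentials AWS publishes in its own documentation, not real secrets. The entropy threshold is an assumption chosen to filter obvious placeholders.

```python
import math
import re

# Credential patterns most often leaked in repositories.
# The AWS access key ID format is public: AKIA for long-term keys, ASIA for temporary ones.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character base64-like value next to an aws ... secret/key label.
    # Group 1 is the candidate secret, which is then checked for entropy.
    "aws_secret_access_key": re.compile(
        r"""(?i)aws[\w-]{0,20}?(?:secret|key)[\w-]{0,20}?\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Assumption: a real secret key has well above 3 bits of entropy per character;
# values like "xxxxxxxx..." or "CHANGEME" repeated fall below it.
ENTROPY_THRESHOLD = 3.0

# Constructed sample: an environment file committed by mistake. The AWS values
# are the documented example credentials from AWS, not live secrets.
SAMPLE_FILE = """\
# constructed sample: an env file committed by mistake
DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
LOG_LEVEL=debug
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list:
    """Return (line_number, kind) for every suspected credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "aws_secret_access_key" and shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a real key
            findings.append((lineno, kind))
    return findings


def ci_gate(text: str) -> int:
    """Exit status for a pre-commit or CI step: 1 blocks the commit, 0 lets it through."""
    return 1 if scan_text(text) else 0


if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind}")
    raise SystemExit(ci_gate(SAMPLE_FILE))
```

Wire `ci_gate` into a pre-commit hook and into the pipeline itself, since a hook on a developer's laptop can be skipped. A finding should also trigger rotation of the key, not just removal from the commit: once a secret has been pushed, assume it was harvested.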