Points of View

Poorly configured cloud: IT experts must plug vulnerabilities

Jun 26, 2020 Ollie O’Donoghue

The historians can decide what to name 2020—the year of the pandemic or maybe the year we all went home to work. We would throw another title into the mix: the year enterprises took cloud vulnerabilities seriously. Because while journalists work double-time to fill the headlines with politics and pandemics, cyberscoundrels are no less busy exploiting amateurish cloud configurations to prise away valuable data and assets. So, if 2020 is titled anything, for IT experts, it must be the year they took cloud and cybersecurity seriously.

Public cloud is no longer the bogeyman—but if configured poorly, it may as well advertise “free data here”

Public cloud has had a torrid affair with cybersecurity experts and regulatory bodies. It is often compared unfavorably with legacy on-premises alternatives for little reason other than it feels safer to have servers locked safely in your own data center than in a multi-billion-dollar warehouse facility in Galway or Colorado. Of course, this hasn’t stopped most enterprises from gradually moving to the hyperscalers, particularly Azure and AWS, in droves. And why not? The perpetually upgraded security that the cloud giants tout is almost certainly better equipped to handle the modern world’s threats than badly patched servers down in the basement.

Yet this hasn’t stopped a plethora of public cloud breaches; many occur simply because the environment’s configuration does little to deter or defend against attacks. Take, for example, the case of Tetrad, a market research firm that an early 2020 security report from UpGuard caught out with 747 gigabytes of data exposed in a poorly configured AWS container. Increasingly, breaches like this are being pinned not on the native security provided by the cloud providers but on security blunders on the customer side. The culprits were on the hook for mistakes across a broad spectrum of elegance, from leaving entire databases unsecured (or with a password so easy to guess it may as well not be there) to merely failing to update or orchestrate configurations speedily.

Post-COVID-19, enterprises are racing to the cloud, but they must share responsibility for securing environments

Over the next two years, we can expect more enterprises to move workloads and data into public cloud environments. Many enterprises will jump on the hyperscale bandwagon on expedited timelines in a bid to meet a fresh wave of strategic imperatives as a result of COVID-19 restrictions, ranging from cost reduction to building a platform for next-generation technologies. In lockstep with this uptake, we can expect more blunders and breaches from both opportunistic cybercriminals and inexperienced IT professionals. It’s somewhat of a relief, then, to see investment in cybersecurity receiving a similar boost (see Exhibit 1). First, enterprises must ensure they bring the brains and brawn necessary to migrate and manage cloud environments in a way that mitigates the risk of inadequate or outdated configurations negating the value any complex cybersecurity solution can offer.

Exhibit 1: Enterprises and providers anticipate increased spending on cybersecurity and cloud solutions

Source: HFS Research April 6, 2020

Sample: Coping with COVID-19 study, 631 major enterprises

The Bottom Line: IT professionals must make sure the basics are locked down first or risk being embarrassed by the growing army of cybercriminals looking for an easy target.

The reality for IT teams is that they are, in most cases, the most likely to make opportunistic cybercriminals’ jobs much easier, particularly as they hastily migrate their valuable data to public cloud environments. To make sure they’re not the firm in the headlines, they must follow some basic principles:

  • First, don’t migrate and forget. Follow the security protocols and checklists public cloud firms provide. All of the major firms have embedded security capabilities into their environments. Still, those capabilities are of little use if the environments are improperly configured and allow cybercriminals and, on occasion, the general public, open-door access to the data.
  • Work with cloud security partners to ensure environments are locked down. Third-party audits and assessments will help verify whether existing configurations are optimal and offer the best foundation for other security layers.
  • Bring in cloud and cyber expertise from IT services firms. The majority of the big IT services firms have been working with clients on secure cloud migration and management engagements for decades. As the risk landscape evolves, they need to remain ahead of the curve. Bringing in the right partner to migrate and manage cloud environments is the key to scalability and security.