Investigating Misconfiguration Issues in Google, Amazon, and Microsoft Cloud Platforms


Cloud misconfiguration, which involves incorrect control settings in cloud hardware and software, poses a significant threat by increasing the risk of data breaches. A recent report from Qualys, a cloud security vendor, sheds light on the risk factors associated with three major cloud service providers.

About the Report

Researchers at Qualys, led by Travis Smith, vice president of the Threat Research Unit, discovered that within Microsoft Azure, 99% of disks lack encryption or do not use customer-managed keys for data protection in software applications.

The study focused on encryption, identity and access management, and failures in monitoring external-facing assets, highlighting the risks of unauthorized access caused by various factors:

  • Complexity of cloud environments
  • Lack of expertise in evolving technologies
  • Insecure settings and permissions due to human errors
  • Security compromises from rapid deployments
  • Lack of control over unencrypted or sensitive data in dynamic cloud environments

Furthermore, the research found that 85% of keys are not rotated, meaning automatic key rotation, which is crucial for security, is not enabled. Amazon, for example, offers automatic rotation of keys on a yearly basis.

In Google Cloud Platform (GCP) environments, 97.5% of critical virtual machine disks lack encryption using customer-supplied keys.

Identity and Access Management

Qualys identified poor implementation of Identity and Access Management (IAM) across all three major cloud providers:

  • AWS lacks multifactor authentication for 44% of IAM users with console passwords, and IAM Access Analyzer is not enabled in 96% of accounts.
  • In Azure, configuring client certificates within Azure App Service fails 97% of the time.

Exposure of External-facing Assets from Leaky S3 Buckets

Across the platforms, a common mistake is the public exposure of data:

  • 31% of S3 buckets are publicly accessible.
  • 75% of Azure databases have public network access enabled.

Recommendations from the Center for Internet Security (CIS) highlight the importance of reviewing research on mapping controls to MITRE ATT&CK tactics and techniques. Qualys contributed to developing CIS benchmarks for AWS, Azure, and GCP to help defenders prioritize security controls in cloud environments.

Qualys also examined the deployment of security controls across the platforms and noted high passing rates for privilege escalation, initial access, and discovery. Efforts to mitigate attacks early can prevent more harmful consequences later in the kill chain.

  • Impact passed at 13.67%
  • Exfiltration passed at 3.70%
  • Exploitation of public-facing apps passed at 28.54%
  • Exploitation of remote services failed at 17.92%
  • Resource hijacking passed at 22.83%

As crypto mining malware threatens cloud environments, organizations must focus on mitigating controls to reduce risks. Regular monitoring of cloud configurations is essential to prevent accidental exposure to attackers.
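As an added example (not code from the article or from Qualys), the sketch below runs three of the AWS checks named above over inventory snapshots: console users without MFA, keys without automatic rotation, and S3 buckets without a full public access block. The sample data is constructed; its field names follow the IAM credential report, KMS GetKeyRotationStatus and S3 GetPublicAccessBlock outputs, and a missing public access block is treated as a precondition for public exposure rather than proof of it.

```python
import csv
import io

# Constructed sample data shaped like real AWS outputs (not from the report).
# IAM credential report (CSV) columns: user, password_enabled, mfa_active.
CREDENTIAL_REPORT = """user,password_enabled,mfa_active
<root_account>,not_supported,true
alice,true,true
bob,true,false
ci-deployer,false,false
"""

# KMS GetKeyRotationStatus results, keyed by a constructed key alias.
KMS_ROTATION = {"alias/app-data": {"KeyRotationEnabled": True},
                "alias/backups": {"KeyRotationEnabled": False}}

# S3 GetPublicAccessBlock results; None means no configuration is set.
S3_PUBLIC_ACCESS_BLOCK = {
    "logs-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "static-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "legacy-uploads": None,
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def console_users_without_mfa(report_csv):
    """Users that can sign in to the console with a password but have no MFA."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] != "true")

def keys_without_rotation(rotation):
    """Keys whose automatic rotation is switched off."""
    return sorted(k for k, v in rotation.items() if not v.get("KeyRotationEnabled"))

def buckets_without_full_block(pab):
    """Buckets missing any of the four public access block flags."""
    return sorted(b for b, cfg in pab.items()
                  if cfg is None or not all(cfg.get(f) for f in PAB_FLAGS))

def audit():
    return {"console_users_without_mfa": console_users_without_mfa(CREDENTIAL_REPORT),
            "kms_keys_without_rotation": keys_without_rotation(KMS_ROTATION),
            "s3_buckets_without_full_block": buckets_without_full_block(S3_PUBLIC_ACCESS_BLOCK)}

if __name__ == "__main__":
    for check, failing in audit().items():
        print(f"{check}: {failing or 'none'}")
```

Run on a schedule against fresh snapshots, the same functions give the kind of regular configuration monitoring the article calls for.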

roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 