A string of household names lately have been responsible for misconfigured cloud storage buckets overflowing with wide-open data — once again shining a light on a cybersecurity problem for which there seemingly is no plug.
Just last week, security researcher Anurag Sen revealed that an Amazon server had exposed data on the viewing habits of Amazon Prime members. During the same period, news and media conglomerate Thomson Reuters acknowledged that three misconfigured servers had exposed 3TB of data through public-facing ElasticSearch databases, according to Cybernews, which revealed the issues.
And In mid-October, Microsoft acknowledged that it left a misconfigured cloud endpoint open that could expose customer data, such as names, email addresses, email content, and phone numbers.
“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability,” Microsoft said in its statement on the misconfigured server. “We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”
And indeed, the leaks are caused by a variety of misconfigurations rather than any bugs — ranging from insecure read-and-write permissions to improper access lists and misconfigured policies — all of which could allow threat actors to access, copy, and possibly alter sensitive data from accessible data stores.
“The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets,” says Ensar Şeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. “Once they discover [the accessible data], the bucket might … contain huge amounts of sensitive data for one tenant [or] numerous tenants.”
The security impact of misconfigured storage is not a new issue. The problem regularly ranks in the top 10 security issues included in the popular Open Web Applications Security Project (OWASP) Top 10 security list. In 2021, Security Misconfiguration took the No. 5 spot, up from No. 6 in 2017. The annual “Data Breach Investigations Report,” published by Verizon Business, also notes the outsized impact of misconfigured cloud storage: Human errors accounted for 13% of all breaches in 2021, with report noting that misconfiguration “heavily influenced” the result
Rogue Servers: A Stealth Cloud Security Problem
Overall, 81% of organizations have experienced a security incident related to their cloud services over the past 12 months, with almost half (45%) suffering at least four incidents, according to Venafi. The increase in complexity of cloud-based and hybrid infrastructure, along with a lack of visibility into that infrastructure, has caused the increase in incidents, says Sitaram Iyer, senior director of cloud-native solutions at Venafi.
“Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend,” he says. “The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access.”
Yet, often misconfiguration is not the original sin — instead, a worker or developer will deploy a “shadow” server, a container or storage bucket not known to the information-technology department and, thus, not managed by the company. “Shadow” data — stored in cloned databases test environments, unmanaged backups, and data analysis pipelines — is the main threat, says Amit Shaked, CEO and co-founder of Laminar, a cloud data security platform.
“Because it is unknown, it is at extra risk for exposure, which makes it a popular target for adversaries,” he says
Better DevOps Automation Could Help
Companies should regularly monitor their cloud assets to detect when a datastore or storage bucket may have been exposed to the public internet. In addition, when deploying cloud storage, using infrastructure-as-code (IaC) configuration files not only automates deployments but helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.
Adopting IaC reduces cloud misconfigurations by 70%, according to the firm.
“When IaC isn’t being used, or when runtime misconfigurations can’t be tied back to the IaC templates that were used to create and manage an environment, it’s common for the same vulnerability to appear over and over again after remediation,” Manoj Nair, chief product officer at Snyk, said in a statement sent to Dark Reading.
Part of the issue continues to be the division of responsibilities between cloud providers and the business customers. While the responsibility for configuring cloud assets belong to the customer, the cloud service should make properly configuring a cloud asset as easy as possible, Venafi’s Iyer says.
“Principle of least privilege must be adopted for every aspect of the data,” he says. “Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented.”
In a statement sent to Dark Reading, an Amazon spokesperson said of the Prime Video case: “There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) were exposed.”