Avoiding Cloud Configuration Conundrums
- June 02, 2021
Nearly every day there are headlines about massive security breaches impacting organizations; the threat landscape is exploding at unprecedented rates. While there are countless bad actors trying to take advantage of weaknesses across systems, organizations and users, one of our biggest weaknesses is, well – people.
In Verizon’s annual Data Breach Investigations Report, configuration errors are up 4.9% from last year, and are now the fastest growing risk to web applications. In fact, configuration errors have grown steadily across industries since 2017 when they accounted for below 20% of data breaches to over 40% of total breaches in 2020. Similarly, SecurityInfoWatch reports that “through 2025, 99 percent of all cloud security failures will be the customer's fault and 99 percent of all firewall breaches through 2023 will be due to firewall misconfigurations, not flaws.”
These are sobering statistics. And, yet we consistently see the result of inadequate or inaccurate applications of security controls in the headlines. To help prevent these human error incidents, we’ve compiled a list of strategies and tactics your team can employ to proactively reduce the likelihood of misconfiguration errors in your environment.
- Protect your network
Ensure that you secure your ports and your firewalls are properly configured to avoid unauthorized access. For example, CISA cites a case of an organization that didn’t require a VPN to access the corporate network, where the terminal server was located behind the firewall, but port 80 was left open to allow remote employees to access it – exposing the corporate network. (A more secure approach would have been if the terminal server was configured to use HTTPS and port 443).
There is a mountain of functionality to help ensure network security — from micro-segmentation to security groups (NSGs), and network access control lists (NACLs) to software defined networking (SDN) and configuring granular access controls at only the network interface controller (NIC) level (which is natively built into cloud networking controls or available in hybrid scenarios using VMWare NSX or Cisco ACI). Yet, often the simplest areas are the ones that are overlooked, so check those ports!
- Make it golden
Reduce the opportunity for error with security-hardened gold images or approaches such as the use of Amazon Machine Images (AMIs) to enforce adherence with corporate security and compliance requirements. Gold images can be automated further with an image or AMI factory. For example, we created an AMI factory for a large regional bank using HashicCorp Packer and Ansible, to automatically orchestrate and implement the creation of gold AMIs.
- Add automation
It’s no secret that security teams are strapped for skilled talent, which has left many teams understaffed and overworked. Automation can help these teams by removing repetitive manual tasks that are ripe for fat finger error. Doing so not only frees time to focus on more strategic work but can also remove errors from the system that the team would normally spend time correcting.
- Proactively manage configuration drift
There are a variety of tools on the market that can actively monitor your configurations to ensure they remain in a known, healthy state. AWS Config, for example, actively alerts system owners when a configuration moves out of an expected state so that the change can be investigated and remediated. Pairing tools like AWS Config with other advanced automation can expedite workflows as well, ensuring new patches or system updates are configured appropriately across systems.
- Take it one step further with IaC
Infrastructure as Code (IaC) can significantly reduce errors by codifying system configurations. In doing so, configuration files (that contain specifications for your infrastructure) are more easily distributed, thereby ensuring greater consistency, and reducing risk in the process. We like to say that the best security is invisible, and IaC makes it easy to adopt secure configurations as it takes extra work to create unapproved configuration files.
- Manage your versions
Ensure adherence to your change management processes, making sure that your configuration files are subject to the same controls as other source code. Configuration changes should be reviewed by a DevSecOps or cybersecurity center of excellence team to ensure that changes maintain the safest possible state for the enterprise.
- Make it immutable
The cloud is an ideal environment for immutable infrastructure, an approach that treats infrastructure components like expendable parts – or as some say, as cattle rather than pets. Instead of hand crafting a service or application from compute resources, decouple your app components from your infrastructure so when the infrastructure elements require an update, it can simply be replaced by a new security hardened gold image. Immutable infrastructure reduces risk by removing the opportunities for configuration drift, non-standard image use and human error, which are often spotted during the change management process.
- Verify with tests
Regularly conduct self-audits across all cloud tiers, subscriptions, accounts and tenants to test your security controls. We have helped several large clients test their policy enforcement with automated testing and reporting. Using AWS CloudFormation and Azure Resource Manager (ARM), we created templates designed to subvert specific policies, knowing that if it fails, then the policy is effective. Similarly, you can spot test specific configurations with scripting, running an auto script that confirms a configuration setting.
Lastly, stay vigilant and make sure to check your work by routinely reviewing your logs for anomalous activity and policy adherence. Use this list to not only keep misconfigurations well-managed but also begin creating a positive cycle of greater productivity driven by cloud automation. Interested in learning more about how these strategies and tactics can work in tandem with your broader security policies, procedures and defense in depth posture? Learn more and reach out to us today.